WFS USB Block Injector

Discussion in 'Wii U - Hacking & Backup Loaders' started by dimok, Aug 5, 2017.

  1. dimok (OP)
    Hey everyone,

    long time no see. I came by to drop a small thing. I saw on my Wii U that my kids updated it and, well, I didn't have haxchi or DNS blocks :). Since I had my SPI eeprom dump of the Wii U and I knew how to decrypt the USB from before (I've posted it somewhere on here), I thought I could simply get back access to the HBL by replacing a few files. Well, it was way more complex than I thought, as the freaking WFS filesystem has hashes and checks everywhere, different IVs for different blocks and so on. After a bit I figured out what the IV is for the block I wanted to replace and where to change the hashes. So I wrote myself a quick tool to inject a block and tested it with the https://github.com/Kinnay/DKCTF-Save-Exploit from Kinnay and it worked. A few days later @EyeKey released his tools for WFS, which are really great btw. With those tools it would have been way easier for me... oh well. Anyway, since I don't have the time to finish the ROP for DKCTF, I bought myself an eShop card now and got this Kawashima game and injected the rom.zip. That worked too. So I have my access to HBL back (if I ever need it :P).

    Since the tools of EyeKey are available now (too bad it's read only) and I thought probably more people like me would want to inject haxchi into their system, I added a few printfs to EyeKey's lib to print the necessary stuff for my injector tool. With that it is actually also usable for an end user. So here is the injector tool I wrote (attached). It's actually a quick hack together of a few encryptions/decryptions and not the best example, but it does what I needed it for. I also attached a patch with the changes I made to EyeKey's lib. If I had his sources a bit earlier, I probably would have done my injector stuff inside his lib. You are welcome to do something like that.

    Here is how you use it:
    Code:
    wiiu_usb_inject PATH_TO_IMG USB_KEY PATH_TO_DATA_BLOCK META_SECTOR META_IV DATA_SECTOR DATA_IV
    
    Example:
    wiiu_usb_inject wiiu_usb.img 12345678901234567890123456789012 ./haxchi/installer/data/brainage.zip 00009320 00002000923D0340003BB80000000200 00015400 00010000923DC420003BB80000000200
    
    Where wiiu_usb.img can also be /dev/sdb, for example, for direct drive modification (don't forget sudo). As you can see you need the USB key, and the wfsdumper will print it for you with my prints in it. Of course the minimum requirement is a seeprom dump (the OTP USB key is actually equal on all consoles as far as I know and you could probably use a dummy file with the correct key at the correct position).

    To get the necessary keys, sectors and IVs for my tool you just run EyeKey's tool with my modifications.
    For example:
    Code:
    ./wfsdumper --otp ../otp.bin --seeprom ../seeprom.bin --input ../wiiu_usb.img --output ../dump/ --dump-path /usr/title/00050000/10179c00/content/0010
    
    And you look in the prints for the block you want to modify which in my case was this:
    Code:
    ...
    rom.zip
    IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320
    IV 00010000923DC420003BB80000000200 DataBlock at 00015400
    ...
    
    You just copy that data and use it with my tool.

    I attached the two binaries I used, both compiled on a 32-bit Ubuntu 16.04 LTS. I am not going to port it for Windows. You will have to do that on your own.

    To compile my tool you can do this:
    Code:
    gcc -O3 wiiu_usb_inject.c -o wiiu_usb_inject -lcrypto -lssl
    

    Have fun with it.

    This does not mean I am "back". I am looking into the forums from time to time but don't expect me to contribute to the Wii U scene very much, at least not very soon. I am still very low on time I could invest into the Wii U. I learned from my mistake and set up the blocking DNS stuff now, so I won't have to do something like that again.

    As said above, @EyeKey's tool does most of the hard work which I had to do manually before and therefore big credits go to him. Really awesome work there.
     

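    The step where you read the sectors and IVs off the wfsdumper prints and retype them as injector arguments is where a typo silently corrupts the wrong block. As an added helper (my own example, not dimok's injector or EyeKey's lib), here is a small Python script that parses print lines in the format shown above, checks that each IV is 32 hex characters and each sector 8, and assembles the wiiu_usb_inject argv in the argument order the post gives. It assumes the USB key is 32 hex characters like the example key; the rom.zip values are the ones from the post and the brainage.zip entry in the sample output is constructed for the demo.

```python
"""Parse wfsdumper's per-file prints and build a wiiu_usb_inject command line."""
import re
import shlex

# Constructed sample in the print format quoted in the post. The rom.zip
# values are the post's own; the brainage.zip values are made up for the demo.
SAMPLE_OUTPUT = """\
...
brainage.zip
IV 00001000923D0100003BB80000000200 MetadataBlock at 00009000
IV 00011000923DC000003BB80000000200 DataBlock at 00015000
rom.zip
IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320
IV 00010000923DC420003BB80000000200 DataBlock at 00015400
...
"""

# One print line: 16-byte IV as 32 hex chars, the block kind, an 8-hex-char sector.
IV_LINE = re.compile(
    r"^IV\s+(?P<iv>[0-9A-Fa-f]{32})\s+(?P<kind>MetadataBlock|DataBlock)"
    r"\s+at\s+(?P<sector>[0-9A-Fa-f]{8})$"
)

REQUIRED = ("meta_sector", "meta_iv", "data_sector", "data_iv")


def parse_wfsdumper_output(text):
    """Map each printed file name to its metadata/data sector and IV.

    Any line that is neither an IV line nor the '...' elision starts a new
    file entry; the IV lines that follow belong to that file.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = IV_LINE.match(line)
        if m is None:
            current = line
            entries.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"IV line before any file name: {line!r}")
        prefix = "meta" if m.group("kind") == "MetadataBlock" else "data"
        if f"{prefix}_iv" in entries[current]:
            raise ValueError(f"duplicate {m.group('kind')} line for {current}")
        entries[current][f"{prefix}_iv"] = m.group("iv").upper()
        entries[current][f"{prefix}_sector"] = m.group("sector").upper()
    return entries


def build_inject_command(image, usb_key, data_block_path, entry):
    """Return argv for wiiu_usb_inject in the order the post documents:
    IMG USB_KEY DATA_BLOCK META_SECTOR META_IV DATA_SECTOR DATA_IV."""
    # Assumption: the key is 16 bytes given as 32 hex chars, like the example key.
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", usb_key):
        raise ValueError("USB key must be 32 hex characters (16 bytes)")
    missing = [k for k in REQUIRED if k not in entry]
    if missing:
        raise ValueError(f"entry is missing {', '.join(missing)}; "
                         "pick a file that printed both a MetadataBlock and a DataBlock")
    return ["wiiu_usb_inject", image, usb_key, data_block_path,
            entry["meta_sector"], entry["meta_iv"],
            entry["data_sector"], entry["data_iv"]]


def inject_command_for(text, target_name, image, usb_key, data_block_path):
    """Parse the dump output and build the command for one named file."""
    entries = parse_wfsdumper_output(text)
    if target_name not in entries:
        raise KeyError(f"{target_name} not found in wfsdumper output")
    return build_inject_command(image, usb_key, data_block_path, entries[target_name])


if __name__ == "__main__":
    cmd = inject_command_for(SAMPLE_OUTPUT, "rom.zip", "wiiu_usb.img",
                             "12345678901234567890123456789012",
                             "./haxchi/installer/data/brainage.zip")
    # Printed, not executed: review the line before running it against a real image.
    print(shlex.join(cmd))
```

    The script only prints the command; run it against a copy of the image first, and only point it at /dev/sdX once the copy works.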

  2. C0mm4nd_
    This message by C0mm4nd_ has been removed from public view by porkiewpyne, Aug 6, 2017.
    Aug 5, 2017


  3. Whovian NineThreeSixNine
    Amazing as always, Dimok!

    (Good luck with everything in your real life, too!)
     
  4. peteruk
    This is seriously cool, you didn't have to post this but this will be very useful to many so very glad you did !

    Thank you
     
    Columbo2811 and KiiWii like this.
  5. EyeKey
    Nice job!

    As a first step toward writing, I am planning to implement the write function for replacing existing content, writing up to size_on_disk. It shouldn't be too hard and will make doing such things simpler.
     
    asper, Marblboro, rw-r-r_0644 and 3 others like this.
  6. Masterwin
    As always, fantastic! THX @dimok

    Spanish explanation!
     
    Last edited by Masterwin, Aug 5, 2017
    soterman and Marblboro like this.
  7. Kafluke
    Dimok! Dimok! Dimok!
     
    vgmoose and peteruk like this.
  8. bostonBC
    So if I understand this correctly, even if someone has updated to 5.5.2 they can now download BrainAge to USB and use these tools to inject HAXCHI.

    Absolutely beautiful!
     
  9. Masterwin
    Correct, and something else
     
    Last edited by Masterwin, Aug 5, 2017
  10. C0mm4nd_
    You still need a seeprom dump.
     
    Masterwin likes this.
  11. bostonBC
    Which I understand you can get from wfsdump. Is that not correct?
     
    Masterwin likes this.
  12. C0mm4nd_
    Nope, you need the HBL to run seeprom2sd.
     
    Masterwin likes this.
  13. bostonBC
    Ok nuts, so it is still a case of the chicken or the egg.

    Until a new hack into 5.5.2 there's no way to get Haxchi installed on 5.5.2.
     
  14. dimok (OP)
    Yeah, you did find out quite a lot there about that fs. It's a very good starting point as it is for others already. If you add a content replacement, then this tool will be obsolete quite quickly hehe. I saw your write function being there ready to be implemented (a return -1 in there :)). Though as I said, I didn't want to spend more time, so I just added those prints, made the hard-coded parameters in the injector into argv and put it on here.

    Correct. This tool is only useful to people on 5.5.2 that have their seeprom dump (from previous runs of exploits) and want to quickly get an entry point with haxchi or maybe another contenthax exploit.
     
    Marblboro, VinsCool, KiiWii and 4 others like this.
  15. Masterwin
    Many are going to be excited, but it is a good point to find other options for 5.5.2 that have no copy of otp and nand saved.
     
    bostonBC likes this.
  16. ruiner9
    Fantastic! Since my Wii U accidentally got updated and I do have my seeprom, this will come in handy. I'm going to have to wait until maybe a step-by-step guide is released, though. Some of this is a little over my head.
     
  17. Corredor
    Stupid question: is it not possible to guess the relevant parts of SEEPROM (by trial and error or something like that)?

     
  18. EyeKey
    OK, I implemented it
    https://github.com/koolkdev/wfslib/commit/618e55ee479bde3c146037db8984a298107bed0e
    It may still be buggy (it is a bit tricky and I didn't test enough cases). I just need to wrap it with some simple cmd tool and it will be able to inject any file (as long as it is smaller than the current allocated size).
     
    Last edited by EyeKey, Aug 5, 2017
  19. jbuck1975
    Can this be used to inject the old browser back into 5.5.2?
     
    Masterwin likes this.
  20. Masterwin
    The browser is not on the USB, Kawashima yes, but I do not rule out the possibility.
     
  21. jbuck1975
    Can you do it with the mlc command?


    Code:
    Usage: wfsdump --input <input file> --output <output directory> --otp <opt path> [--seeprom <seeprom path>] [--mlc] [--usb] [--dump-path <directory to dump>] [--verbos]
    Allowed options:
    --help produce help message
    --input arg input file
    --output arg ouput directory
    --otp arg otp file
    --seeprom arg seeprom file (required if usb)
    --dump-path arg (=/) directory to dump (default: "/")
    --mlc device is mlc (default: device is usb)
    --usb device is usb
    --verbos verbos output