Hacking WFS USB Block Injector

Valery0p


Corredor

@Valery0p and I have observed that there are no common bytes in (three) different USB seeds. But I noticed that all three SEEPROMs also had different SEEPROM version codes. Maybe the last 12 bytes of the USB seeds are just random numbers, unique per console (worst case)... Or there is only one number for each SEEPROM version (best case). It may be interesting to compare many USB seeds (last 12 bytes) and SEEPROM version codes. Does anyone have a SEEPROM with version code 00 03, 00 15 or 00 08? If you have it or don't mind sharing the last 12 bytes of your USB seed (without the Console ID) with us, please send me a PM.
 

tomcaliser


Okay, but what is the USB seed?
 

C0mm4nd_

Like?" i won't give my seeprom away like that, it contains pretty sensible stuff" but i have make a backup what is the problem?
What do you mean?
It contains some stuff that could ban your Wii U (I could just pick some stuff from it, inject it into my Wii U, use some hacks and ban you)
 

tomcaliser

OK, that's cool... Thanks for answering.

--------------------- MERGED ---------------------------

Help please, when I try this, cmd says "wrong usb key size"... So please tell me what I have to do?
Does anyone have a solution, please?
If someone could make a step-by-step video tutorial, it would be very helpful.
 

Valery0p

If you inject only a random and incomplete USB seed you can only ban your hard drive :P
I'm not like someone that screenshots his entire dump...
 

wiiupoo

If it is possible to derive the 4-byte NGID, since it possibly is related to the serial or maybe the Wii U leaks it through network packets, bruteforcing the other 6 bytes wouldn't be too far-fetched.

2^48 combinations = 281 trillion = ~5 days to bruteforce the remaining 6 bytes since plain-text and AES ciphers are known.
GPUs can produce ~0.5-1 billion AES hashes a second.

Not the most elegant solution but within reach.

Not knowing the NGID bumps it up to 2^80 = two magnitudes higher than exa-combination prefix = 65,000 years
 

Corredor

The best we can do right now is to analyze some Wii U seeds (last 12 bytes) and SEEPROM version codes. Should I make a thread asking for collaboration?

 

wiiupoo

Actually, more interesting would be to check out how the Wii U "system transfer" works.

The "source" console formats an SD card meant for the "dest" console.

While it doesn't transfer content hax, the save game exploits look to be fair game. The payloads within the save games will then be encrypted on the virgin console without a known encryption key during the transfer.

It should be possible to identify where these payloads start and end even though they are encrypted. In essence it may be a way to use the encryption key to create valid files without actually knowing what it is.
 

Valery0p

Afaik the SEEPROM USB seed is used only with... the USB encryption system.
How can a sys transfer help with that? Also, existing save exploits on Wii U are not functional for now (because: normal apps=no codegen=no kexploit=no HBL)... maybe you want to leak the plaintext, using the sys transfer? Wiping a console only for that? Dx Dx Dx

Also, it's pretty certain that we can dump the NG ID from a hacked vWii, since the Wii and Wii U ones are the same except for the first half byte (2 on Wii, 4 on Wii U, see page 3 for more info); maybe there are better ways to obtain it, but sadly without the other 12 bytes it's useless...

Stupid question about plaintext: two Wii U formatted USB drives, of the same dimension, both empty/with the same content, from two different consoles, don't they generate the same/pretty similar plaintext after proper decryption?
 

Glix


When you do a system transfer, can you reuse USB sticks/HDDs from the source Wii U without formatting the drive?
If yes, then that is what he is talking about... the SEEPROM info has to be sent to the new Wii U to use the old drive without formatting it. And if that info is stored on the SD card, we can easily rip that info out and digest it if we know what it is encrypted with, which has to be something common between Wii U's.
 