Hacking Wii U Hacking & Homebrew Discussion

[KungFuzion]

I'm not up to date on how emuNANDs work, I assume it uses files from an external device and does read/write to it.
Based on how everything works, I'd say emuNAND has an IOSU exploit minimum, not only to access external devices, but also because otherwise I'm not sure how possible it would be to hook all processes up to it.
We'd need to do a lot more research to make it happen regardless.

So, the way it'd probably work is you plug in a big enough hard drive to put the NAND and eMMC data on, "reboot" everything clean which you should be able to do with an IOSU exploit, then redirect all calls to storage to the hard drive.
If they try to ban you, I'm not sure how exactly it works but it seems it's tied to your NNID and stored on the console, same as all other NNID data.

I'm also not sure how exactly the storage key stuff works so I'm not going to go in detail on that because I'm probably wrong.

Here's a little bit of info on the first stage of gateway's payload & take a look at their code http://yifan.lu/2015/01/10/reversing-gateway-ultra-first-stage-part-1/

 

[st4rk]

I'm not up to date on how emuNANDs work, I assume it uses files from an external device and does read/write to it.
Based on how everything works, I'd say emuNAND has an IOSU exploit minimum, not only to access external devices, but also because otherwise I'm not sure how possible it would be to hook all processes up to it.
We'd need to do a lot more research to make it happen regardless.

So, the way it'd probably work is you plug in a big enough hard drive to put the NAND and eMMC data on, "reboot" everything clean which you should be able to do with an IOSU exploit, then redirect all calls to storage to the hard drive.
If they try to ban you, I'm not sure how exactly it works but it seems it's tied to your NNID and stored on the console, same as all other NNID data.

I'm also not sure how exactly the storage key stuff works so I'm not going to go in detail on that because I'm probably wrong.

(redNAND/vNAND) -> Change NAND Read Sector to SDMC Read Sector.

 

[keine]

Did this already get mentioned? Maybe I was using the non latest nuspy.py. Now to take another crack at the ancast image.

subprocess.call(['CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

to this.

subprocess.call(['../../../CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

 

[NWPlayer123]

Did this already get mentioned? Maybe I was using the non latest nuspy.py. Now to take another crack at the ancast image.

subprocess.call(['CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

to this.

subprocess.call(['../../../CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

You're supposed to add the folder with NUSD/CDecrypt to the path so that should be unnecessary.

 

[keine]

What is the -iv for the ancast image? What is the difference between fw.img and kernel.img?
I've tried the magic bytes and the sha1 for the iv.

 

[NWPlayer123]

What is the -iv for the ancast image? What is the difference between fw.img and kernel.img?
I've tried the magic bytes and the sha1 for the iv.

Initial Value, should be easy enough to understand with a Google Search (not saying you're not doing your homework). fw.img requires the Starbuck Ancast Key (which we don't have) and kernel.img requires the Espresso Ancast Key (which we do). Just decrypt the entire binary with the key and an IV of 0, should work fine.

Also, I got bored and did a thing. It isn't finished yet but it at the very least reads files correctly. Now to get saving working. It even has a GUI
PyMSBT v0.1 Source Code
PyMSBT v0.1 32-Bit EXE

 

[keine]

I see ASCII! It worked! Thanks for the pointer.
openssl still throws a bad decrypt at me.....but it appears to have at least partially worked.

 

[Bug_Checker_]

I see ASCII! It worked! Thanks for the pointer.
openssl still throws a bad decrypt at me.....but it appears to have at least partially worked.

what is the error?

Initial Value, should be easy enough to understand with a Google Search (not saying you're not doing your homework).

Spoiler

fw.img requires the Starbuck Ancast Key (which we don't have) and kernel.img requires the Espresso Ancast Key (which we do). Just decrypt the entire binary with the key and an IV of 0, should work fine.

Also, I got bored and did a thing. It isn't finished yet but it at the very least reads files correctly. Now to get saving working. It even has a GUI
PyMSBT v0.1 Source Code
PyMSBT v0.1 32-Bit EXE

Do you mean initialization vector?

 

[Onion_Knight]

Did this already get mentioned? Maybe I was using the non latest nuspy.py. Now to take another crack at the ancast image.

subprocess.call(['CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

to this.

subprocess.call(['../../../CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

It requires the ckey.bin and CDecrypt to be at the root of your NUS download since I wrote it to start from there. It doesn't assume any of the directories are present and will overwrite directories if they are there.

 

[keine]

openssl enc -d -aes-128-cbc -in kernel.img -out kernel_dec.img -K ancast_wii_u_espresso -iv 0
bad decrypt
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:544:

 

[NWPlayer123]

You need to actually put the key in plaintext - "-K D7B0..." or whatever.

 

[Bug_Checker_]

openssl enc -d -aes-128-cbc -in kernel.img -out kernel_dec.img -K ancast_wii_u_espresso -iv 0
bad decrypt
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:544:

try -nopad option if you are on windows.

See:
https://gbatemp.net/threads/bug-in-openssl.359826/

 

[FusionGamer]

So, you guys are just error checking, and would I be good staying on the latest 5.3.2?

 

[zecoxao]

i keep seeing this kernel.img mention everywhere, and i have no idea how that concept exists, since when i run wii u nus downloader, the parts don't have a specific name lol

 

[Marionumber1]

i keep seeing this kernel.img mention everywhere, and i have no idea how that concept exists, since when i run wii u nus downloader, the parts don't have a specific name lol

NUS Downloader followed by CDecrypt is required to get the filenames.

 

[Onion_Knight]

i keep seeing this kernel.img mention everywhere, and i have no idea how that concept exists, since when i run wii u nus downloader, the parts don't have a specific name lol

use my nuspy.py with the commonkey and crediar's CDecrypt in the root directory.

 

[zecoxao]

Onion_Knight, nice idea, but it'd be easier to specify CDecrypt and common key as variables on the program instead of hardcoding them. and thanks for the help

 

[Onion_Knight]

Onion_Knight, nice idea, but it'd be easier to specify CDecrypt and common key as variables on the program instead of hardcoding them. and thanks for the help

I'm almost done implementing the whole program in python which will remove the Cdecrypt requirement and just add it as a flag option at the command line.

 

[keine]

Very cool. It had crossed my mind that the CDecrypt source would be awesome in your script. Great job! Original props to crediar of course.

 

[fiveighteen]

Well, since I'm already on 5.2 to play SSB4, today's the day I jump to 5.3.2 and finally check out MK8 and SSB4 online.