Hacking Wii Mode Keys!!! Thanks crediar.

JoostinOnline · Nov 22, 2012

techboy said:
Having the same question.

I tried making one as well, but the unpacker either crashes or complains of an invalid or unsupported dump. I tried unpacking with NANDExtract and ShowMiiWads.

It's not a bootmii dump.

angelXwind · Nov 22, 2012

http://hackmii.com/2008/04/keys-keys-keys/ Reading up on this.

NAND key (varies): This AES key is used to encrypt the filesystem data on the actual NAND chip itself; it is probably randomly generated during manufacturing and is also stored in the OTP area of the Starlet. This key is used to prevent the contents of the NAND filesystem from being read using a flash chip reader. Nintendo may or may not actually record this key anywhere, since they (theoretically) don’t need to ever use it. In fact, in some similar systems, keys like this are generated automatically by the device itself and (theoretically) never leave it — the Wii shares some design prinicples with HSMs, but it certainly doesn’t manage to be one. This is another OTP key.

Problem is, the AES key that's used in DeadlyFoez's dump is significantly shorter than anything I can find in my keys.bin.

DeadlyFoez · Nov 22, 2012

techboy said:
Having the same question.

I tried making one as well, but the unpacker either crashes or complains of an invalid or unsupported dump. I tried unpacking with NANDExtract and ShowMiiWads.

it appears that my nand dump may be corrupt. I'll have to try dumping it again.

angelXwind · Nov 22, 2012

JoostinOnline said:
It's not a bootmii dump.

Yes, that would be apparent. However, we just need to construct a keys.bin that uses the NAND keys that DeadlyFoez (crediar?)'s tool dumped. No matter if it's dumped with BootMii or not, the NAND dump will be encrypted in the same way. Hence why all those tools need "keys.bin" to decrypt the contents of the NAND dump.

techboy · Nov 22, 2012

JoostinOnline said:
It's not a bootmii dump.

NANDExtract says "Can't find superblock. Are you sure this is a full (with ecc) or bootmii nand dump?", then crashes when I hit OK. I assumed this dump was the former it has the 16MB extra size for ECC data, and bootmii doesn't run on vWii (yet).

I tried entering the key manually (there's a menu option in NANDExtract for this) and using a keys.bin (which may or may not have been made correctly, but I based it on the offsets shown on Wiibrew's Bootmii page and a good keys.bin).

angelXwind · Nov 22, 2012

techboy said:
NANDExtract says "Can't find superblock. Are you sure this is a full (with ecc) or bootmii nand dump?", then crashes when I hit OK. I assumed this dump was the former it has the 16MB extra size for ECC data, and bootmii doesn't run on vWii (yet).

I tried entering the key manually (there's a menu option in NANDExtract for this) and using a keys.bin (which may or may not have been made correctly, but I based it on the offsets shown on Wiibrew's Bootmii page and a good keys.bin).

Yeah, did the same thing with the keys.bin. Didn't work.

We need the 60-byte ng_sig.

ECC Private Key: 0x128 (30 bytes)
Console ID : 0x124 (4 bytes)
NAND AES key: 0x158 (16 bytes)
NAND HMAC: 0x144 (20 bytes)
Common key (AES): 0x114 (16 bytes)
PRNG seed (AES): 0x168 (16 bytes)
boot1 hash: 0x100 (20 bytes)
ng_key_id: 0x208 (4 bytes)
ng_sig: 0x20c (60 bytes)

ECC Private Key appears to be "NG Private Key"
Console ID is presumably (probably wrong) "NG ID"
PRNG seed is presumably "RNG key"
ng_key_id is probably "NG ID"
ng_sig ... is something the tool didn't appear to dump.

megazig · Nov 23, 2012

DeadlyFoez said:
It has been assumed by many, including TT members, that N most likely does not keep a list of the per console keys for the Wii. If that is really the case then I doubt that they would start keeping a list of the Wii U's Wii Mode per console keys at this moment.

your console id is there. they don't need a database of your wii

HorreC · Nov 23, 2012

Thats what I thought too. But they were very quick to call me down for it...

DeadlyFoez · Nov 23, 2012

I was able to dump the NAND without it going corrupt on me. *snip*

techboy · Nov 23, 2012

DeadlyFoez said:
I was able to dump the NAND without it going corrupt on me.

Nice

You might want to remove the link though...mods removed your old ones and said you can't link to dumps.

In other news, I'm downloading as fast as you're uploading

I keep refreshing and watching more rar parts show up

EDIT: Extracted beautifully in NANDEXtract. Not corrupt this time

The homemade keys.bin works fine. Thanks Deadly! Let the exploration and experimentation begin!

EDIT2: Here's a shot of a vWii NAND as seen in ShowMiiWads:

HCTE is a new channel we haven't seen yet, either in impersonator or on WiiUBrew. It's the system transfer tool

SifJar · Nov 23, 2012

Wait, almost all IOS are stubs? That seems weird...

EDIT: And System Menu has 75 contents? I thought it had ~10 before?

EDIT: Wait, does this have correction for the new title IDs of NAND titles, or does that not matter?

the_randomizer · Nov 23, 2012

So....what will this mean in the long run?

techboy · Nov 23, 2012

SifJar said:
Wait, almost all IOS are stubs? That seems weird...

EDIT: And System Menu has 75 contents? I thought it had ~10 before?

IOSes that have all of their contents marked as "shared" show as 0MB. They pack just fine into the 1.xMB IOSes we're all used to seeing.

The SM needs to be looked into. Something funky there. It's the only thing I can't make a wad of...ShowMii gives an error.

EDIT: Wads of vWii titles! http://i.imgur.com/0ryUK.png
EDIT2: The SM is strange. TMD lists 9 contents if examined in hex editor, but there's only 2 in the title folder. Shared SM contents maybe? Not sure why showmii says 75, but still no wonder why it won't pack.

angelXwind · Nov 23, 2012

I've been playing around with the NAND dump.
The vWii's system menu "v513" crashes on both SNEEK and Dolphin. Apparently, it's encrypted. Installing a regular SystemMenu v513 over it makes it work.
"Wii U Menu" will reboot the Wii.
The vWii's Wii Shop Channel functions perfectly.
The vWii's Wii System Transfer sends you to a download page on the Shop Channel. The channel it downloads will not function, spitting out an error message.
All vWii IOSes will not function on a regular Wii (but do in Dolphin) for some reason. Please do not attempt installing any.
IOS512 and IOS513 are mysteries.

techboy · Nov 23, 2012

SifJar said:
Wait, almost all IOS are stubs? That seems weird...

EDIT: And System Menu has 75 contents? I thought it had ~10 before?

EDIT: Wait, does this have correction for the new title IDs of NAND titles, or does that not matter?

When I unpacked it, the title IDs *came out of extraction* correct (as "00000001" instead of "00000007"). I didn't change anything.

And the SM has 9 contents according to its TMD.

EDIT: Also, regarding the question that's been asked several times around here about settings changes from the Wii U side, there is a SYSCONF in the normal place on the vWii (/shared2/sys/)...whether it's being used is beyond me though.

EDIT2: Channels...

Wii Menu Manual works fine.
Transfer channel runs but is just a "Download assistant" of sorts that takes me to the shop entry for the vWii version of the transfer app. I'm trying to download it...
Wii U Menu channel reboots the wii.
Wii Shop that comes with the vWii does not work on Wii ("You cannot use the Wii Shop Channel. See the Wii Menu electronic manual for more information", and a button to open the Wii Menu Manual channel).

JoostinOnline · Nov 23, 2012

What's up with IOS512 and IOS513?

techboy · Nov 23, 2012

JoostinOnline said:
What's up with IOS512 and IOS513?

Wondering the same thing. They're a few hundred KB, about the size of a MIOS, and don't work if reloaded to.

Also, anyone notice something missing in the ShowMiiWads picture? The stubs are missing.

UPDATE: Some more on this stuff...

The SM is a big mess that someone needs to figure out how to reassemble properly. Most of the contents are marked as type 0x8001, which I think is "shared" (not sure though, Wiibrew makes no mention of what the type field values mean). The corresponding app files from shared1 make no sense (several are IOS modules). If I just copy the contents referenced in the TMD and make a wad, I brick the SNEEK NAND.

I succeeded in downloading the "vWii half" of the Wii U Transfer Tool (the one you use on your Wii U before going to the Wii) using the Wii Shop. Title ID is same as the one that comes on the vWii, but the beginning 4 bytes are 00010001 instead of 00010002. Didn't try running it.

Also, vWii IOSes do not appear to work on Wii (or at least on SNEEK).

Bent · Nov 23, 2012

Viewing the ticket for some (maybe all) of the IOS's in a hex editor shows the string "GottaGetSomeBeer".

techboy · Nov 23, 2012

Bent said:
Viewing the ticket for some (maybe all) of the IOS's in a hex editor shows the string "GottaGetSomeBeer".

I think the wad packer did that.

Look in the file system of the extracted nand: /ticket/00000001/ The tickets are proper there.

Here's a side-by-side: http://i.imgur.com/3K6Ym.png One on the left is from vWii IOS9 after it was WAD'd then unpacked again. Right side is the ticket as seen in the /ticket/00000001/ folder.

the_randomizer · Nov 23, 2012

Anyone?

Hacking Wii Mode Keys!!! Thanks crediar.

Certified Crash Test Dummy

-angelXwind sinks back into her hiding hole-

XFlak Fanboy

-angelXwind sinks back into her hiding hole-

Well-Known Member

-angelXwind sinks back into her hiding hole-

SU

Well-Known Member

XFlak Fanboy

Well-Known Member

Not a pirate

The Temp's official fox whisperer

Well-Known Member

-angelXwind sinks back into her hiding hole-

Well-Known Member

Certified Crash Test Dummy

Well-Known Member

Well-Known Member

Well-Known Member

The Temp's official fox whisperer

Similar threads

Popular threads in this forum