Have the Wii U debug ancast keys been released?

zecoxao (OP):
So far, all I've seen on the web are the retail ancast keys, and in the retail kernel there are no symbols whatsoever. So I was wondering if the debug ancast keys (and IVs) have been released, so that it's possible to decrypt the debug kernels in the SDKs :)

Hykem:
No need to open up a new thread just for asking this. :P

The keys haven't been released yet, probably due to lack of interest? I doubt we would find any relevant additional symbols in the debug versions, but, from a documentation perspective, I do think we should try to grab them as well.
All that's necessary is for someone with a devkit to attempt the already public method to dump the Espresso's OTP.

palantine:
> No need to open up a new thread just for asking this. :P
>
> The keys haven't been released yet, probably due to lack of interest? I doubt we would find any relevant additional symbols in the debug versions, but, from a documentation perspective, I do think we should try to grab them as well.
> All that's necessary is for someone with a devkit to attempt the already public method to dump the Espresso's OTP.

If anyone on here has a devkit, I'd be interested in buying it. Also if anyone has a shop unit, those are also very interesting as well.

-palantine

Hykem:
> I don't think devkits can actually run vWii mode, which is the only way to reset the PPC until we have IOSU kernel code execution.

Hm, didn't know that. Well, that explains why no one has done it then.
In fact, it doesn't seem logical for a devkit to support vWii mode, since the goal is to develop Wii U applications (and not backwards compatibility, for which Nintendo itself is solely responsible).
 

palantine:
> Hm, didn't know that. Well, that explains why no one has done it then.
> In fact, it doesn't seem logical for a devkit to support vWii mode, since the goal is to develop Wii U applications (and not backwards compatibility, for which Nintendo itself is solely responsible).

If we have kernel PPC access via the browser exploit, what's preventing us from leveraging that to dump the key? Sure, it would require some actual thought rather than reusing the retail exploit exactly, but I don't see what else is in the way.

-palantine
 

Marionumber1:
> If we have kernel PPC access via the browser exploit, what's preventing us from leveraging that to dump the key? Sure, it would require some actual thought rather than reusing the retail exploit exactly, but I don't see what else is in the way.
>
> -palantine

The boot ROM, which runs on PPC reset, disables the keys once it's done using them, and they can only be re-enabled through a PPC reset. We don't have the ability to do that - only the ARM does - and even if we could do that, we'd lose code execution.
 

palantine:
> The boot ROM, which runs on PPC reset, disables the keys once it's done using them, and they can only be re-enabled through a PPC reset. We don't have the ability to do that - only the ARM does - and even if we could do that, we'd lose code execution.

Hypothetical way to do it:

1. Perform the browser kexploit to own the PPC in Wii U mode
2. Execute the retail RPL that launches vWii mode, patching as necessary
3. Perform the vWii exploit

I seem to remember f0f mentioning there is a certain code sequence used to change between vWii and Wii U modes and vice versa. On vWii it's the new title that lets you switch back to Wii U mode.

Basically, if we have full PPC control on a devkit, I'm pretty sure we should be able to boot into vWii. Perhaps Nintendo actually did go the extra mile and disable it in IOSU, but it's at least worth trying.

-palantine
 

Marionumber1:
> Hypothetical way to do it:
>
> 1. Perform the browser kexploit to own the PPC in Wii U mode
> 2. Execute the retail RPL that launches vWii mode, patching as necessary
> 3. Perform the vWii exploit
>
> I seem to remember f0f mentioning there is a certain code sequence used to change between vWii and Wii U modes and vice versa. On vWii it's the new title that lets you switch back to Wii U mode.
>
> Basically, if we have full PPC control on a devkit, I'm pretty sure we should be able to boot into vWii. Perhaps Nintendo actually did go the extra mile and disable it in IOSU, but it's at least worth trying.
>
> -palantine

The code to switch into vWii mode is ARM code (cafe2wii). That being said, devkits have the ability to install titles, so cafe2wii and the vWii titles might be possible to install. I'm not sure how strictly signatures are checked.
 

gamesquest1:
> I think you can downgrade devkits to any version. Are there any details about this IOSU exploit?
>
> -palantine

Nope, AFAIK the IOSU stuff is all very closely guarded by a small handful of devs (only one of which has any interest in eventually sharing his results, AFAIK). TBH, I don't know how useful it would be in this regard, as there is very little info about what is or isn't done regarding IOSU. Looking into installing cafe2wii might be a more immediate plan, as I doubt any IOSU stuff will be getting shared for a while.
 

I pwned U!:
I hope that something becomes of this. It would be interesting to decrypt dev titles and projects compiled with the SDK, extract their files, and see if they can boot on 5.3.2 retail units with Loadiine.

This could then lead to a way for licensed developers to test their projects on retail Wii U consoles instead of feeling so pressured to spend lots of money on dev units.
 

palantine:
> I hope that something becomes of this. It would be interesting to decrypt dev titles and projects compiled with the SDK, extract their files, and see if they can boot on 5.3.2 retail units with Loadiine.
>
> This could then lead to a way for licensed developers to test their projects on retail Wii U consoles instead of feeling so pressured to spend lots of money on dev units.

Pretty sure you can do this now, as Loadiine will boot any RPL/RPX, not just signed ones. Of course you wouldn't be able to use the debugging tools with it, but it's a solid start.

-palantine
