Hacking ROP from within IOS_USB (5.5.1)

A

asper

Well-Known Member
Member
Level 10
Joined
May 14, 2010
Messages
942
Trophies
1
XP
2,030
Country
United States
Maybe you are moving the names in the wrong column... Anyway the WiFi otp dumper works great. You need loadiine-compiled udp server and you need to modify the ip of your pc IP in the WiFi otp tool sources (or hex edit the compiled elf at offset 0x00008A2C, 4 bytes starting with C0; do it at your own risk!!).

Launch the server on your pc and press " f " to start logging; go to wiiu and execute the WiFi otp tool and wait for the on screen dump; go back to your pc, you should see data streamed via udp; press " f " again to save the log.
 
Last edited by asper,
thisisallowed

thisisallowed

中国御宅族
Member
Level 3
Joined
Oct 8, 2015
Messages
621
Trophies
0
Age
114
Location
Jinan, Shandong
XP
371
Country
China
asper said:
Maybe you are moving the names in the wrong column... Anyway the WiFi otp dumper works great. You need loadiine-compiled udp server and you need to modify the ip of your pc IP in the WiFi otp tool sources (or hex edit the compiled elf at offset 0x00008A2C, 4 bytes starting with C0).

Launch the server on your pc and press " f " to start logging; go to wiiu and execute the WiFi otp tool and wait for the on screen dump; go back to your pc, you should see data streamed via udp; press " f " again to save the log.
Click to expand...
Can you post the compiled elf here? Can't seem to compile it...
 
TheZander

TheZander

1337
Member
Level 13
Joined
Feb 1, 2008
Messages
2,137
Trophies
2
Location
Level 7
XP
3,882
Country
United States
out of curiosity since it was stressed not to share the key with anyone. What could someone do with it to screw them over? Console ID kind of stuff, for online ban evasion or something?
 
Conn0r

Conn0r

Well-Known Member
Member
Level 5
Joined
Jan 10, 2016
Messages
355
Trophies
0
Age
27
XP
718
Country
United States
TheZander said:
out of curiosity since it was stressed not to share the key with anyone. What could someone do with it to screw them over? Console ID kind of stuff, for online ban evasion or something?
Click to expand...
You shouldn't share it because it is copyrighted data. Not because it's Personally Identifiable.
 
TheZander

TheZander

1337
Member
Level 13
Joined
Feb 1, 2008
Messages
2,137
Trophies
2
Location
Level 7
XP
3,882
Country
United States
Conn0r said:
You shouldn't share it because it is copyrighted data. Not because it's Personally Identifiable.
Click to expand...
that's it? I was guessing there was some unique part of it that could be duped on another console or something. How would Nintendo even recognize the millions of crazy long keys. I understand that they wouldn't without proper context, but even then I don't get how it's enough.
 
Conn0r

Conn0r

Well-Known Member
Member
Level 5
Joined
Jan 10, 2016
Messages
355
Trophies
0
Age
27
XP
718
Country
United States
TheZander said:
that's it? I was guessing there was some unique part of it that could be duped on another console or something. How would Nintendo even recognize the millions of crazy long keys. I understand that they wouldn't without proper context, but even then I don't get how it's enough.
Click to expand...
If it was possible to overwrite a ONE TIME PROGRAMMABLE rom, the console would most likely not boot because some of the keys in the otp are required to properly decrypt data on the nananannand.
 
Pachee

Pachee

Well-Known Member
Member
Level 5
Joined
Nov 3, 2015
Messages
480
Trophies
0
XP
562
Country
United States
Sans-Serif said:
quick thing:
I'm Trump, and I didn't work on it at all. That's dimok, Maschell, QuarkTheAwesome, and kanye_west's work, among others.

I believe IOS-KERNEL has all the permissions needed to dump it, but it's down to actually implementing it, and not much is documented about the SEEPROM from what I know.
Click to expand...
First, thanks everyone for the dumper.
I was reading on wiibrew, not even the wii seeprom has information about reading it. Maybe tueidj knows something about it on the Wii U? He wrote the seeprom.c used in this tool https://gbatemp.net/threads/koreankii-add-or-remove-the-korean-key.336940/
 
M

Mario10095

Well-Known Member
Newcomer
Level 1
Joined
Apr 25, 2016
Messages
67
Trophies
0
Age
30
XP
93
Country
United States
EclipseSin said:
Use a toothpick and a pair of tweezer. Use the tooth pick to try and release the push latch in the back by pushing in (it should feel springy, dont force it), then use the tweezers to pull it out, alternatively use two toothpicks.

if you cant, try to remove the piece without undoing the latch. If you can get the piece out, carefully force a good sd card in, then remove like normal.
Click to expand...
Where is the springy thing?
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Homebrew Tutorial  SDUSB - The modern way to play Wii U games from SD - at full speed

Unable to dump OTP.bin

Very annoying that Nintendo never fixed this bug

Hacking Homebrew Tutorial  How to get Nintendo TVii icon back without downgrading + extras

Hacking Emulation Homebrew  Could you explain to me why there are no standalone emulators on Wiiu using aroma?

Wii U (bricked) Mii Maker

A Tale of Two vWii Systems

De_Fuse: Unable to Dump OTP.bin: Firmware Mismatch

General chit-chat
Help Users
  • No one is chatting at the moment.
  • K3Nv2 @ K3Nv2:
    https://www.newegg.com/p/0D9-002V-0...=snc-social-_-sr-_-0D9-002V-00AA1R-_-05202024
  • SylverReZ @ SylverReZ:
    @mthrnite, Cheetah Girls, the sequel to Action 52's Cheetah Men.
     +2
  • Psionic Roshambo @ Psionic Roshambo:
    Pokemon Black I played that one a lot
  • K3Nv2 @ K3Nv2:
    Honestly never messed with Pokémon on ds much
  • mthrnite @ mthrnite:
    I played pokemon once, was bored, never tried again
  • Psionic Roshambo @ Psionic Roshambo:
    Oh Dragon Quest IX
  • K3Nv2 @ K3Nv2:
    Spent like 5 hours on switch one never touched it again
  • Psionic Roshambo @ Psionic Roshambo:
    Sentinel of the stary skies
  • K3Nv2 @ K3Nv2:
    Ds is 20 years old this year
  • Psionic Roshambo @ Psionic Roshambo:
    So MJ no longer wants to play with it?
  • K3Nv2 @ K3Nv2:
    He put it down when the 3ds came out
  • K3Nv2 @ K3Nv2:
    https://youtube.com/shorts/eTlZ0qcSZf4?si=0vpkdIWplaLMFVqv
  • K3Nv2 @ K3Nv2:
    https://youtu.be/40XQ8L9wsCA?si=GzpPBaHQQLU0plt_ Neat
  • SylverReZ @ SylverReZ:
    @K3Nv2, RIP Felix does great videos on the PS3 yellow-light-of-death.
  • Jayro @ Jayro:
    Eventhough the New 3DS XL is more powerful, I still feel like the DS Lite was a more polished system. It's a real shame that it never got an XL variant keeping the GBA slot. You'd have to go on AliExpress and buy an ML shell to give a DS phat the unofficial "DS Lite" treatment, and that's the best we'll ever get I'm afraid.
     +1
  • Jayro @ Jayro:
    The phat model had amazingly loud speakers tho.
     +1
  • SylverReZ @ SylverReZ:
    @Jayro, I don't see whats so special about the DS ML, its just a DS lite in a phat shell. At least the phat model had louder speakers, whereas the lite has a much better screen.
     +1
  • SylverReZ @ SylverReZ:
    They probably said "Hey, why not we combine the two together and make a 'new' DS to sell".
  • Veho @ Veho:
    It's a DS Lite in a slightly bigger DS Lite shell.
     +1
  • Veho @ Veho:
    It's not a Nintendo / iQue official product, it's a 3rd party custom.
     +1
  • Veho @ Veho:
    Nothing special about it other than it's more comfortable than the Lite
    for people with beefy hands.
     +1
  • Jayro @ Jayro:
    I have yaoi anime hands, very lorge but slender.
  • Jayro @ Jayro:
    I'm Slenderman.
  • Veho @ Veho:
    I have hands.
  • Veho @ Veho:
    king-shark-hand.gif
    +1
    Veho @ Veho: +1