Hacking SPECULATION: A strategy to load games off USB! (No loader)

Status
Not open for further replies.

TheZander

1337
Member
Joined
Feb 1, 2008
Messages
2,137
Trophies
2
Location
Level 7
XP
3,883
Country
United States
We kinda knew it never had something to do with IOSU since day one.
Yeah, I recall people saying that from the beginning. But it was posted in one of those threads. Kind of takes the majority of the interest out of this though. I mean, all of these things have been available since forever. I doubt the people who just want to install games could care less about this, if they are capable of figuring out whatever this is when it comes out. They had to be using loading already.

Meh, it's something I suppose. But title patch I don't get. If it was a good patch, couldn't one just install the title file and eShop would recognize it and offer a download? Can one rip their own title file from their console with that Gecko dump program?
 

Cyan

GBATemp's lurking knight
Former Staff
Joined
Oct 27, 2002
Messages
23,749
Trophies
4
Age
46
Location
Engine room, learning
XP
15,662
Country
France
I think it knows when the ticket is tampered with; in this instance, a replaced title key.
The ticket is signed too, and you can't sign it back after tampering with it.

Replacing the ticket with the correct key to use with Cdecrypt worked because Cdecrypt only needed the key. It is just a shortcut to always read the key at the same position.
You can make an empty dummy file with the key at the correct position and it will work.
Cdecrypt could have read the NUS key from a simple binary file or even a text file; it would have worked too. It's just for convenience that it's using the real position.

The console is checking if the ticket has been modified or not before validating or using the key.
That's why the signature check needs to be disabled (with the IOSU kernel hack) to install anything not properly signed.
 

Kohmei

Well-Known Member
Member
Joined
Feb 17, 2013
Messages
824
Trophies
0
XP
1,039
Country
United States
This doesn't work unfortunately; I just tried with Pikmin 3 (replaced correct Title Key in title.tik, got it to extract with NUSGrabber, used Ryanrocks' WUP Installer mod, and everything). I think it knows when the ticket is tampered with; in this instance, a replaced title key. Hopefully the new modified tool bypasses this, or perhaps the tools he talked about generate legitimate tickets.
At the very least you need to change more than the key, the title ID needs to be changed too as does possibly the version and others. Luckily the structure of a Wii U ticket is mostly the same as that of the Wii ticket, which is already documented here: http://wiibrew.org/wiki/Ticket

note: these are from public game update tickets
[image: fEI7Bfl.png]

The main problem is the signature, which is what the Wii U checks before it allows you to install the packages. There is an initialization vector within the ticket files, so I can't help but wonder if changing this can make the RSA signature somehow predictable.
 

Kohmei

Well-Known Member
Member
Joined
Feb 17, 2013
Messages
824
Trophies
0
XP
1,039
Country
United States
I think I figured it out:

What if instead of modifying the ticket, you used an unmodified existing ticket for the title ID you wanted: say, a game update. This would leave the ticket legitimately signed.

Then, you take the unencrypted game files and encrypt them such that they will decrypt with the target title key. Can we re-encrypt things with any title key? Or is that not possible?
 

ScienceBETCH

GBATemp's probably not Official Tom-Zero™ Main
Member
Joined
Oct 15, 2016
Messages
288
Trophies
0
Location
idk
XP
820
Country
Turkey
Absolutely nothing.
Thank

--------------------- MERGED ---------------------------

I think I figured it out:

What if instead of modifying the ticket, you used an unmodified existing ticket for the title ID you wanted: say, a game update. This would leave the ticket legitimately signed.

Then, you take the unencrypted game files and encrypt them such that they will decrypt with the target title key. Can we re-encrypt things with any title key? Or is that not possible?
Yeah nice job on doing that.

Srsly tho noice job
 

Patxinco

Riding a Shooting Star
Member
Joined
Apr 18, 2011
Messages
851
Trophies
1
XP
2,263
Country
Spain
I think I figured it out:

What if instead of modifying the ticket, you used an unmodified existing ticket for the title ID you wanted: say, a game update. This would leave the ticket legitimately signed.

Then, you take the unencrypted game files and encrypt them such that they will decrypt with the target title key. Can we re-encrypt things with any title key? Or is that not possible?
Phineas and Ferb doesn't have an update, at least as far as I can see on wiiubrew, so how can he install it then?
That's not the way he does it; it probably uses the IOSU OTP keys to revalidate the tampered tickets.
 

Kohmei

Well-Known Member
Member
Joined
Feb 17, 2013
Messages
824
Trophies
0
XP
1,039
Country
United States
Phineas and Ferb doesn't have an update, at least as far as I can see on wiiubrew, so how can he install it then?
That's not the way he does it; it probably uses the IOSU OTP keys to revalidate the tampered tickets.
Well, the first screenshots we saw of Phineas had a red (!) by the title, which could possibly mean they installed Phineas data under a different title ID (such as another game's update).
 

shinyquagsire23

SALT/Sm4sh Leak Guy
Member
Joined
Nov 18, 2012
Messages
1,977
Trophies
2
Age
26
Location
Las Vegas
XP
3,765
Country
United States
I think I figured it out:

What if instead of modifying the ticket, you used an unmodified existing ticket for the title ID you wanted: say, a game update. This would leave the ticket legitimately signed.

Then, you take the unencrypted game files and encrypt them such that they will decrypt with the target title key. Can we re-encrypt things with any title key? Or is that not possible?
Pretty sure that would break signatures because the TMD has SHA hashes of each .app and the TMD is signed.
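As an added illustration of the check chain Cyan, Kohmei and shinyquagsire23 describe (not code from the thread or from any Wii U tool), here is a toy model of the install-time checks: the RSA signatures on ticket and TMD are stood in for by HMAC under a constructed vendor key, and AES under the title key by a constructed keystream. It shows why both the key swap in a signed ticket and the re-encrypt-under-an-update-ticket idea are refused, the second one at the TMD content hashes.

```python
import hashlib
import hmac
# Constructed, simplified model of the install checks the thread describes; not Wii U
# code. HMAC-SHA256 under a vendor key the console never holds stands in for the RSA
# signature, and a SHA-256 XOR keystream stands in for AES under the title key.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

def sign(body):
    return hmac.new(VENDOR_SIGNING_KEY, body, hashlib.sha256).digest()

def make_ticket(title_id, title_key):          # 8-byte title id + 16-byte title key
    body = title_id + title_key
    return {"body": body, "sig": sign(body)}

def make_tmd(title_id, contents):              # title id + SHA-1 of each .app
    body = title_id + b"".join(hashlib.sha1(c).digest() for c in contents)
    return {"body": body, "sig": sign(body)}

def crypt(title_key, data):                    # toy symmetric cipher, self-inverse
    stream = b"".join(hashlib.sha256(title_key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def install_check(ticket, tmd, encrypted_apps):   # returns "ok" or the refusal reason
    for name, blob in (("ticket", ticket), ("tmd", tmd)):
        if not hmac.compare_digest(sign(blob["body"]), blob["sig"]):
            return f"rejected: {name} signature"     # any byte edited breaks the signature
    key, hashes = ticket["body"][8:], tmd["body"][8:]
    if len(hashes) != 20 * len(encrypted_apps):
        return "rejected: content count"
    for i, enc in enumerate(encrypted_apps):        # the signed TMD pins every .app
        if hashlib.sha1(crypt(key, enc)).digest() != hashes[20 * i:20 * i + 20]:
            return f"rejected: content {i} hash"
    return "ok"
# Constructed sample titles: a game and the update title that belongs to it.
GAME_ID, UPDATE_ID = b"\x00\x05\x00\x00GAME", b"\x00\x05\x00\x0eGAME"
GAME_KEY, UPDATE_KEY = bytes(range(16)), bytes(range(16, 32))
GAME_APPS, UPDATE_APPS = [b"game-code", b"game-data"], [b"upd-code", b"upd-data"]
game_tmd, update_tmd = make_tmd(GAME_ID, GAME_APPS), make_tmd(UPDATE_ID, UPDATE_APPS)
update_ticket = make_ticket(UPDATE_ID, UPDATE_KEY)

def scenario_swapped_key():
    # Kohmei's first attempt: overwrite the key field of a ticket that was signed with another key.
    edited = {"body": GAME_ID + GAME_KEY, "sig": make_ticket(GAME_ID, b"\x00" * 16)["sig"]}
    return install_check(edited, game_tmd, [crypt(GAME_KEY, a) for a in GAME_APPS])

def scenario_reencrypt_under_update_ticket():
    # Kohmei's second idea: keep the update's untouched ticket and TMD, re-encrypt the game under its key.
    return install_check(update_ticket, update_tmd, [crypt(UPDATE_KEY, a) for a in GAME_APPS])
```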
 