Hacking WFS USB Block Injector

Corredor

Probably a stupid question, but what happens if we try this trick on a 5.5.2 using the SEEPROM of someone else?

I think you can't decrypt the USB HDD, so you can't inject anything.

It would be very interesting if we could compare different USB seeds (from SEEPROM) to figure out what is shared by them (if there is anything).

Sent from my 6039J using Tapatalk

macphistoo

Yes, maybe there is a master key or something to decrypt any USB HDD... I wish there was a trick to get the SEEPROM (or just the relevant info) from a "stock" 5.5.2.

Corredor

Yes, maybe there is a master key or something to decrypt any USB HDD... I wish there was a trick to get the SEEPROM (or just the relevant info) from a "stock" 5.5.2.
We only need the USB seed from SEEPROM, which is 16 bytes long. Maybe there are many common bytes shared by all SEEPROMs (4 bytes can be predicted, as @dimok pointed out). If we have just a few bytes to guess by trial and error, we can find out the right code. We can't share SEEPROM information publicly, but maybe some users can lend their USB seeds for analysis purposes. It could solve the 5.5.2 problem for everyone.

Sent from my 6039J using Tapatalk

Valery0p

We only need the USB seed from SEEPROM, which is 16 bytes long. Maybe there are many common bytes shared by all SEEPROMs (4 bytes can be predicted, as @dimok pointed out). If we have just a few bytes to guess by trial and error, we can find out the right code. We can't share SEEPROM information publicly, but maybe some users can lend their USB seeds for analysis purposes. It could solve the 5.5.2 problem for everyone.

Sent from my 6039J using Tapatalk
On wiiubrew it says that the first 4 bytes correspond to the Wii U NG ID... I don't know what "NG" means, but I've taken my SEEPROM backup and I can't find any similarity with the console serial (the bar code printed under your Wii U)... Do you know if we can find this ID outside of the OTP and SEEPROM memories?

Valery0p

Well, the first 4 bytes of the USB seed in the SEEPROM are always the console ID. So you basically have that part. I am not sure about the rest; I only know that the last part is incremented on each console reset to factory settings. Maybe a lot of it is equal on every console, but I never actually looked at it. Assuming you have to find out all of the remaining 12 bytes, that's 2^96 = 79228162514264337593543950336. That's still quite a lot of possible combinations.
Sorry for bothering you, but where can we find our console (NG) ID if our system is unmodified? Is there a special label somewhere on the motherboard where we can read it?

Flypop

Sorry for bothering you, but where can we find our console (NG) ID if our system is unmodified? Is there a special label somewhere on the motherboard where we can read it?

I don't think it could be found that easily on a sticker, but there's something you can do. Even when the Wii U entry exploit has been blocked, the vWii is still fully hackable, so why not use FSTOOLBOX in order to get your keys? That is where I found my console ID without even doing a proper NAND backup. The question now is whether the vWii console ID is the same as the one from the Wii U. But I have an idea: a friend of mine has Haxchi installed, I will ask if I can borrow his and get his keys with FSTOOLBOX and his SEEPROM and compare them. Any results I will update in here.

C0mm4nd_

I don't think it could be found that easily on a sticker, but there's something you can do. Even when the Wii U entry exploit has been blocked, the vWii is still fully hackable, so why not use FSTOOLBOX in order to get your keys? That is where I found my console ID without even doing a proper NAND backup. The question now is whether the vWii console ID is the same as the one from the Wii U. But I have an idea: a friend of mine has Haxchi installed, I will ask if I can borrow his and get his keys with FSTOOLBOX and his SEEPROM and compare them. Any results I will update in here.
Wii NG ID != Wii U NG ID

Corredor

On wiiubrew it says that the first 4 bytes correspond to the Wii U NG ID... I don't know what "NG" means, but I've taken my SEEPROM backup and I can't find any similarity with the console serial (the bar code printed under your Wii U)... Do you know if we can find this ID outside of the OTP and SEEPROM memories?
Well, tickets also have the console ID number, but I think it doesn't help much.

Could someone who has access to at least two different SEEPROM files verify whether there is any common hex digit in the USB seeds?

Sent from my 6039J using Tapatalk

dimok

OP
Hey guys, just an idea, but this might be a solution to your SEEPROM problem.

The Wii also has a SEEPROM (it's half the size though). It is accessible through the GPIOs of the Wii. Now the vWii is "fully" hacked, as said above. I don't know much about the vWii mode, as I literally never even started it on my Wii U since I still have a real Wii right beside my Wii U, but if the vWii mode has access to the GPIO HW registers (at least partially it must have access), which are very alike on Wii and Wii U, specifically to the MOSI, MISO, CS and CLK pins, then you could go ahead and dump the SEEPROM from the ARM side of vWii. Though this might be a dead end and those pins might be locked out for the vWii mode, I really don't know. Sorry I don't have time to check it out myself, but if someone wants to try it, good luck :).

Masterwin

Hey guys, just an idea, but this might be a solution to your SEEPROM problem.

The Wii also has a SEEPROM (it's half the size though). It is accessible through the GPIOs of the Wii. Now the vWii is "fully" hacked, as said above. I don't know much about the vWii mode, as I literally never even started it on my Wii U since I still have a real Wii right beside my Wii U, but if the vWii mode has access to the GPIO HW registers (at least partially it must have access), which are very alike on Wii and Wii U, specifically to the MOSI, MISO, CS and CLK pins, then you could go ahead and dump the SEEPROM from the ARM side of vWii. Though this might be a dead end and those pins might be locked out for the vWii mode, I really don't know. Sorry I don't have time to check it out myself, but if someone wants to try it, good luck :).

This sounds great for the 5.5.2 consoles that have no SEEPROM; we will have to invest some time in vWii again. Thanks again dimok!

Valery0p

Hey guys, just an idea, but this might be a solution to your SEEPROM problem.

The Wii also has a SEEPROM (it's half the size though). It is accessible through the GPIOs of the Wii. Now the vWii is "fully" hacked, as said above. I don't know much about the vWii mode, as I literally never even started it on my Wii U since I still have a real Wii right beside my Wii U, but if the vWii mode has access to the GPIO HW registers (at least partially it must have access), which are very alike on Wii and Wii U, specifically to the MOSI, MISO, CS and CLK pins, then you could go ahead and dump the SEEPROM from the ARM side of vWii. Though this might be a dead end and those pins might be locked out for the vWii mode, I really don't know. Sorry I don't have time to check it out myself, but if someone wants to try it, good luck :).

Thanks for the tip dimok, I really hope that what you're saying is true (even if I've read somewhere that the chips used on vWii are different)...
Anyway, I've found something interesting while reading through my OTP and SEEPROM dumps:
http://imgur.com/a/fUh2q

It may be only a random thing, but the Wii NG ID (actually dumpable from a hacked vWii) and the Wii U NG ID are almost the same!

If this is true, we found a way to dump at least 3 bytes of the Wii U USB seed! :D
Can anyone with an OTP dump confirm this?

C0mm4nd_

Thanks for the tip dimok, I really hope that what you're saying is true (even if I've read somewhere that the chips used on vWii are different)...
Anyway, I've found something interesting while reading through my OTP and SEEPROM dumps:
http://imgur.com/a/fUh2q

It may be only a random thing, but the Wii NG ID (actually dumpable from a hacked vWii) and the Wii U NG ID are almost the same!

If this is true, we found a way to dump at least 3 bytes of the Wii U USB seed! :D
Can anyone with an OTP dump confirm this?
For me they're basically the same except for the first half byte (2 in the Wii NG, 4 in the Wii U NG).

Valery0p

For me they're basically the same except for the first half byte (2 in the Wii NG, 4 in the Wii U NG).
If you see my screenshot (which for some reason I can't find a way to integrate in the post), it is the same thing for me!!!
Maybe because our consoles are both EUR? We need more confirmations...

EDIT: also, minor thing, I've searched for the Wii U NG ID inside my 32 GB Wii U-formatted pendrive, and I've found it like 3 times, but since the memory is full of games, this may be random for real...

Flypop

If you see my screenshot (which for some reason I can't find a way to integrate in the post), it is the same thing for me!!!
Maybe because our consoles are both EUR? We need more confirmations...

EDIT: also, minor thing, I've searched for the Wii U NG ID inside my 32 GB Wii U-formatted pendrive, and I've found it like 3 times, but since the memory is full of games, this may be random for real...

Let's check it out! Send me the hex positions where you found such coincidences, and tomorrow or during the weekend I'll check if I can find the same three coincidences in the same positions of my friend's Wii U. Who knows!

Valery0p

Let's check it out! Send me the hex positions where you found such coincidences, and tomorrow or during the weekend I'll check if I can find the same three coincidences in the same positions of my friend's Wii U. Who knows!
About the OTP, you can find them on wiiubrew;
About the HDD offsets, they are pretty random, usually at the end of sectors, but anyway:

Code:
777E3167-777E316A

2B30005FA-2B30005FD

422CD1F77-422CD1F7A

Why did you remove them :( ?

EyeKey

If you see my screenshot (which for some reason I can't find a way to integrate in the post), it is the same thing for me!!!
Maybe because our consoles are both EUR? We need more confirmations...

EDIT: also, minor thing, I've searched for the Wii U NG ID inside my 32 GB Wii U-formatted pendrive, and I've found it like 3 times, but since the memory is full of games, this may be random for real...
All the things that WFS writes to the USB are encrypted. It is just coincidence. On average you will find it once for every 4 GB of encrypted data.

Corredor

My Wii NG (US console, serial GW40003XXXX) also starts with 2... Interesting...

Maybe the members who have SEEPROM dumps could compare their USB seeds through a simple program which finds the matches between a stored USB seed (only the last 12 bytes) and the USB seed given by the user, so it reports the positions where the matches were found. This way, nobody would need to share his/her USB with anyone. If there are some common bytes, well, everybody will be happy.

Xyzzy can dump some part of the OTP (vWii has access to its own part only), but it can't dump the SEEPROM. Why? Is it calling the SEEPROM wrongly (as if it was a real Wii SEEPROM)?

Sent from my 6039J using Tapatalk
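The comparison program Corredor describes, written here as an added example (not code from the thread or from any of its members): it takes the shareable last 12 bytes of several seeds as hex, reports the seed offsets where all of them agree, shows how many bits stay unknown (dimok's 2^96 when nothing agrees), and computes why a 4-byte ID turns up by chance about once per 4 GB of encrypted data (EyeKey's point). The seed values are constructed samples and the function names are my own.

```python
SEED_LEN = 16        # the USB seed stored in SEEPROM is 16 bytes
CONSOLE_ID_LEN = 4   # its first 4 bytes are the console (NG) ID, already known
TAIL_LEN = SEED_LEN - CONSOLE_ID_LEN   # the 12 bytes members would exchange

# Constructed sample tails (bytes 4..15 of three seeds), hex encoded.
# These are made-up values for the demo, not real SEEPROM contents.
SAMPLE_TAILS = [
    "a1b2c3d4e5f60718293a4b5c",
    "a1b2ffd4e5f6071829ff4b5c",
    "a1b2c3d4e5f607ff293a4b5c",
]

def parse_tail(hex_tail):
    """Decode a hex string holding the last 12 bytes of a USB seed."""
    data = bytes.fromhex(hex_tail)
    if len(data) != TAIL_LEN:
        raise ValueError(f"expected {TAIL_LEN} bytes, got {len(data)}")
    return data

def common_positions(hex_tails):
    """Absolute seed offsets (4..15) where every supplied tail holds the same byte.

    With only two seeds a byte agrees by chance at a given offset once in 256,
    so an offset reported here is a candidate to re-check with more dumps."""
    tails = [parse_tail(t) for t in hex_tails]
    if len(tails) < 2:
        raise ValueError("need at least two seeds to compare")
    return [CONSOLE_ID_LEN + i for i in range(TAIL_LEN)
            if all(t[i] == tails[0][i] for t in tails[1:])]

def remaining_key_bits(hex_tails):
    """Bits still unknown if the agreeing offsets were treated as constants.

    No agreement at all gives 8 * 12 = 96 bits, dimok's 2^96 figure."""
    return 8 * (TAIL_LEN - len(common_positions(hex_tails)))

def bytes_per_chance_hit(pattern_len=4):
    """Average amount of random data between accidental hits of a byte pattern.

    For the 4-byte NG ID this is 256**4 = 4 GiB, matching EyeKey's estimate of
    one false hit per 4 GB of encrypted data."""
    return 256 ** pattern_len

if __name__ == "__main__":
    print("agreeing offsets:", common_positions(SAMPLE_TAILS))   # [4, 5, 7, 8, 9, 10, 12, 14, 15]
    print("unknown bits left:", remaining_key_bits(SAMPLE_TAILS))  # 24
    print("chance hit every", bytes_per_chance_hit() // 2 ** 30, "GiB")  # 4
```

Each member runs it locally against their own stored tail plus the tails others send, so no full seed (with its console ID) ever leaves a machine.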

Valery0p

My Wii NG (US console, serial GW40003XXXX) also starts with 2... Interesting...

Maybe the members who have SEEPROM dumps could compare their USB seeds through a simple program which finds the matches between a stored USB seed (only the last 12 bytes) and the USB seed given by the user, so it reports the positions where the matches were found. This way, nobody would need to share his/her USB with anyone. If there are some common bytes, well, everybody will be happy.

Xyzzy can dump some part of the OTP (vWii has access to its own part only), but it can't dump the SEEPROM. Why? Is it calling the SEEPROM wrongly (as if it was a real Wii SEEPROM)?

Sent from my 6039J using Tapatalk
So, you're saying that the other bytes are the same between the Wii U and vWii NG ID?

And nah, IMHO the only sensitive information is the NG ID in the first 4 bytes; I'll send my 12 bytes to you tomorrow, when I can access my PC ;).

Also, I don't know if vWii uses the same chip as Wii U mode, but even if this is the case, maybe you need to call the SEEPROM with raw read calls... It's gonna be complex...

Corredor

So, you're saying that the other bytes are the same between the Wii U and vWii NG ID?

And nah, IMHO the only sensitive information is the NG ID in the first 4 bytes; I'll send my 12 bytes to you tomorrow, when I can access my PC ;).

Also, I don't know if vWii uses the same chip as Wii U mode, but even if this is the case, maybe you need to call the SEEPROM with raw read calls... It's gonna be complex...
Yes, they are.

Thank you so much. If more people could send me the last 12 bytes (or I can make that simple program), it would be very nice.

I agree with you, dumping the SEEPROM from the vWii side (if it's possible) doesn't seem so easy.

Sent from my 6039J using Tapatalk
