New leak - Source code, some private keys, and more

Weissnix4711 (OP)
I'm not sure how far this news has already spread, but people over on Discord are getting really hyped up about it. Also, mods, I'm sorry if this is the wrong forum to post in.

Anyway, the source of the leak is still unknown, but there's rumours that it came from BroadOn. As the title suggests, there's some source code for the boot sequence, and some private keys, and more. There's a lot of stuff, and much still has to be looked through. There's supposedly also a zip bomb, so be careful, although I personally haven't found anything yet.

Because this will definitely count as piracy, and Nintendo won't be too happy, I will not link anything. Not even the Discord server, although that's easily googled. Again, if mods want to take this down, please do.
 

FAST6191
More stuff is cool but is it likely to lead to much of great interest? From where I sit every half functioning useful (so not mini) Wii on latest updates can have hacks installed from the firmware level (no need for a game or booting one), and we have long since had total control of the hardware.

Might be nice to have boot2 bootmii or equivalent on later models but if we have to go to that level to see any use then eh.

Hopefully we see an analysis of any such files before long.
 

Ryccardo
> every half functioning useful (so not mini) Wii
Where were you last autumn when BlueBomb became a thing? :P

> More stuff is cool but is it likely to lead to much of great interest?
Some interesting facts:
  • No, there are no signing keys (for consumer models that is) - but there's a signed boot2 that boots from SD (only, and with further restrictions) - practical applications still unclear
  • We all know, or at least benefit from, the fact the Wii only verifies titles on installation and not at runtime - it wasn't this way at first but a smart person decided to improve performance by skipping this check shortly before the console's launch
  • IOS4, a known stub on retail consoles, is used by factory setup (indeed by the "insert startup disc" too)
  • AHBPROT (or ACRBUSPROT as it's officially called) was deliberate all along
  • IOS3, another stub that can't be downloaded, used to be known as IOS0 and is the collective name for all prerelease versions of the kernel
  • MIOS, the GC-mode kernel, means "Mini IOS" (no relationship to bootmii)
  • Stub IOSes were officially made to get space back on the nand - annoying modders was Just A Nice Side Effect™
  • There's a decent number of disc LED animations preprogrammed in IOS, most of the nontrivial ones are inspired by Japanese insects :D
 

niuus
Some other interesting tidbits about the leak:

– Source code for boot0/1/2
– Block diagram/datasheets for every system component & Verilog for AES/SHA. The biggest and craziest thing in this leak is the datasheets, block diagram and Verilog files for every component (Verilog is a hardware description language; it is used to describe circuits via code, so with this we can learn how every single piece of the Wii was made)
– Documents from BroadOn describing feature planning and implementation + APIs + docs for internal software
– Full IOS SDK
– Source code for IOS (IOS is the Wii Operating System)
– Planning docs for implementation of the system from 2004-2006
– Some Wii SDK library source code (DVD, EXI)
– Source code and info on manufacturing and publishing systems
– Some miscellaneous Nintendo content (internal WPAD SDK from 2005, Wii Overview from RVL_SDK 1.0)
– “sdboot”, a special manufacturing version of boot2 which loads data from the SD card; it is very buggy and likely exploitable for boot2 code execution on all Wiis (it is retail signed)
– GameCube and iQue content (internal GameCube docs including physical disc layout, massive 2GB+ iQue dump including full CVS for that as well)

Other things for Pokémon fans that were already leaked weeks prior:
- Debug Builds of Blue and Yellow
- Source code for Blue and Yellow
- Japanese Debug Builds of G/S
- Symbol Map for Crystal.
- G/S Source code
- Spaceworld '99 demos
- Official GameBoy emulator
- Internal lists that list everything released (including unreleased ones) for all Nintendo systems up to the DS
- Gen 7 debug builds, official 3DS legality checkers, an O-Power distribution CIA and a VC Mew distribution CIA

And some early N64 demo videos surfaced as well.
 

FAST6191
Guys that still falls under the banner of ROM request.

Anyway

This IOS source code has me interested actually.

I know for most purposes most people don't care any more but it could be nice to have some custom stuff for older IOS modules rather than hoping it fits, and maybe do some control redirection.
Might even revisit the every IOS is a hacked IOS concept.


Might give a boost to some emulation as well, though Dolphin is pretty sensitive to such things so eh.
 

Weissnix4711 (OP)
> Guys that still falls under the banner of ROM request.

Definitely.

I'm not going to be PMing people. Sorry. All I am saying is there is some hype on a few Discord servers. They're all public, and they are all related to Nintendo homebrew in some way. I respect the moderators' wishes. I might have a different stance on piracy, but the rules are clear. And I've also been asked not to link to Discord servers, so I am not going to.

I am personally interested in the source code of the boot sequence. Maybe we'll find some sort of exploit / security loophole. Who knows? The idea of BootMii on all Wiis is definitely a cool one.
 

WiiCurious
> Ensure to only execute trusted code
> Multi-stage booting
> BOOT0 (from ROM)
> BOOT1 (from 1st block of Flash)
> BOOT2 (from SYS area of Flash)
> BOOT3 - IOPOS (from FS area of Flash)

So can we start calling the system menu Boot 3? :)
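
Editor's added example, not code from the leak or from any post in this thread: a toy model of the verify-then-execute chain listed in the post above (a ROM stage trusting a digest of BOOT1, each stage checking the next before handing over control), set beside the install-time-only check Ryccardo describes for Wii titles earlier in the thread. The image layout (payload followed by the SHA-256 of the next image), the stage names and the payload bytes are assumptions for illustration and do not reflect the real boot0/boot1/boot2 format.

```python
"""Toy multi-stage boot chain: each stage verifies the next before handing over control.

Added example; the image layout (payload || SHA-256 of the next image) and the stage
contents are assumptions for illustration, not the real Wii boot0/boot1/boot2 format.
"""
import hashlib
import hmac

DIGEST_LEN = 32
NO_NEXT = b"\x00" * DIGEST_LEN   # link field of the terminal stage


class BootError(Exception):
    """Raised when a stage refuses to hand over control."""


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(payloads: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Link stages back to front so every image embeds the digest of its successor.

    Returns (rom_digest, images). rom_digest plays the part of the value a mask-ROM
    stage (BOOT0) trusts for the first flash-resident stage; nothing in flash can
    change it.
    """
    images: list[bytes] = []
    link = NO_NEXT
    for payload in reversed(payloads):
        image = payload + link
        images.insert(0, image)
        link = sha256(image)
    return link, images


def boot(rom_digest: bytes, flash: list[bytes]) -> list[str]:
    """Verify-then-execute on every boot. Returns the payloads that were 'executed'."""
    executed: list[str] = []
    expected = rom_digest
    for image in flash:
        # Constant-time comparison of the full digest: no early exit, no truncation.
        if not hmac.compare_digest(sha256(image), expected):
            raise BootError(f"stage {len(executed) + 1}: digest mismatch, halting")
        payload, link = image[:-DIGEST_LEN], image[-DIGEST_LEN:]
        executed.append(payload.decode())
        if link == NO_NEXT:
            break
        expected = link
    else:
        raise BootError("chain ended before a terminal stage was reached")
    return executed


def install(store: dict[str, bytes], name: str, image: bytes, expected: bytes) -> None:
    """Check once, at install time, then trust storage (the title model described above)."""
    if not hmac.compare_digest(sha256(image), expected):
        raise BootError(f"{name}: install rejected")
    store[name] = image


def run_installed(store: dict[str, bytes], name: str) -> str:
    """No re-check at launch: whatever storage holds now is what runs."""
    return store[name][:-DIGEST_LEN].decode()


def demo() -> dict:
    rom_digest, images = build_chain([b"BOOT1", b"BOOT2", b"BOOT3/IOS"])  # constructed stages
    results = {"good": boot(rom_digest, images)}

    # Patch the BOOT2 payload in flash but keep its link field: BOOT1's check catches it.
    tampered = list(images)
    tampered[1] = b"EVIL2" + images[1][-DIGEST_LEN:]
    try:
        boot(rom_digest, tampered)
    except BootError as err:
        results["tampered"] = str(err)

    # Install-time-only checking: the same kind of patch applied after install goes unnoticed.
    store: dict[str, bytes] = {}
    install(store, "title", images[2], sha256(images[2]))
    store["title"] = b"EVIL3" + NO_NEXT
    results["install_only_runs"] = run_installed(store, "title")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two halves is the difference in where trust is anchored: in `boot`, the only thing assumed good is the digest held by the ROM stage, so a modification anywhere in flash is caught on the next power-up; in `install`/`run_installed`, trust is anchored in storage after a single check, so anything that can write to storage afterwards runs unchallenged.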
 

niuus
> This IOS source code has me interested actually.
>
> I know for most purposes most people don't care any more but it could be nice to have some custom stuff for older IOS modules rather than hoping it fits, and maybe do some control redirection.
> Might even revisit the every IOS is a hacked IOS concept.
That source will probably pave the way to a home menu with Gamecube and Wii U Pro Controller support for the pointer, as you already could with the Wii Classic Controller only. Also, better brick protection with a more solid Bootmii, probably

> Might give a boost to some emulation as well, though Dolphin is pretty sensitive to such things so eh.
They definitely won't touch that even with a 1000-mile pole. It would put the whole project at risk.
 

Rioluwott
I'm surprised that there wasn't a thread for this before this one.
There was a tech demo of Diddy Kong Racing for the Xbox leaked too, along with a Garfield Kart demo for 3DS.
I found a 2016 video about the Diddy Kong Racing demo, but I'm not sure if the ROM was leaked too; yesterday I found it (it runs really badly on an emulator).
 

WiiCurious
From a powerpoint made in October 2005:

> Evaluation of new interfaces
> – USB : 2 external & 1 internal
> • 1 internal port has a USB connector to attach bus analyzer.
> • BT microcontroller connects internal USB.
> – SDIO : 2 external & 1 internal
> • Production system has only one external port.
> • WLAN microcontroller connects internal SDIO.

This clears up why early news on the Revolution talked about 2 SD card ports. This was never a planned feature for production systems.

Also:

> Barnacle2
> – Emulation device of GC’s boot ROM (2MB)
> • EXI 0-1 device
> • NDEV has a connector to put barnacle2.
> – Mask ROM is replaced by Flash ROM or SRAM w/ battery
> – Boot image is programmed using Barnacle writer or USB
> • Program speed: 42sec / 2MB
> – PC interface is RS232C or USB (FS)
> • DIAG log output
> • Automatic control by terminal software
> – Available in now

...
It's possible the Wii was initially supposed to be compatible with Wavebirds without an adapter.
 

WiiCurious
Wii U gamepad was planned to be an accessory for the wii.
From a document dated 2005:

> 1-4. Touchpad Type Controller attachment (Future)
>   1. Special user interface port: 24-pin connector
>   2. Touchpad: 2 devices, I2C 100kHz, Data 4 Byte x 2 = 8 Byte. Must specify that I2C addresses for the 2 devices are unique, and also that they do not overlap with addresses used for typical EEPROM devices. The Touchpad ICs will likely require 1 or 2 strap pins to select an address. (I must check address used for typical EEPROM devices)
>   3. Digital input: A, B, X, L, R, menu
>   4. Controller type ID: Analog @ 8bit

---------------------------

Lol. The Wiimote LED gets dimmer as the battery dies by design.

> If Battery remainder is low, BCM2042 makes LED to be looked dark gradually as the amount of the battery remainder decreases. It achieves it by blinking LED at high speed by using PWM etc. The pulse pattern is below.
 

WiiCurious
> are the keys used for retail consoles or are they for debug consoles only? did anyone check yet?

Haven't found many keys yet. I did find the decryption key for boot1 (9258a75264960d82676f904456882a73), which bushing talks about here: https://hackmii.com/2008/06/boot1/
He never mentions how he got that key, meaning it's possible he had access to some internal files.
 

WiiCurious
> No, there are no signing keys (for consumer models that is) - but there's a signed boot2 that boots from SD (only, and with further restrictions) - practical applications still unclear

I found the source for that version of boot2, but I don't see the compiled version. What's it called/what file is it in?
 

FAST6191
> Lol. The Wiimote LED gets dimmer as the battery dies by design.
>
> If Battery remainder is low, BCM2042 makes LED to be looked dark gradually as the amount of the battery remainder decreases. It achieves it by blinking LED at high speed by using PWM etc. The pulse pattern is below.

At first I wondered if someone was going to claim I R genius engineer by not putting it next to a regulated voltage so as the batteries ran down then so did their driven voltage (or possibly current).
That however seems far worse, as for the expected life of such things I don't know if anybody would notice (fractional steps over hours...). Indeed I can't think of a single other thing that uses a continuous decreasing dimmer, never mind one that takes active control, as a human monitored signal, and don't expect to ever find another. Change colours, blink, put more lights on, cycle between two different patterns...
 
