Homebrew 3DS/Wii U titlekey generation algorithm leaked

Astoria

Well-Known Member
Member
Joined
Aug 26, 2009
Messages
671
Solutions
2
Reaction score
511
Trophies
1
XP
1,346
Country
Costa Rica
https://pastebin.com/DUe6KMXZ

This is crazy. As part of the leaks in 4chan related to Nintendo's old source code, looks like someone has posted the algorithm that generates the title key for 3DS and Wii U titles.

IMPORTANT: The script doesn't contain any Nintendo specific keys or any potential "illegal numbers". Thanks to Nintendo for using common words for their passwords.

The only parameter for the algorithm is the title ID. Turns out the "password" Nintendo decided to use for the algorithm is either:
  • nintendo
  • mypass
The password and the title ID are passed to a PBKDF2 hash function and, with some other modifications, that generates the title key. It's hilariously bad.
 
Last edited by Astoria,
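The post above describes the shape of the scheme but not its exact parameters, so the following is an added illustration, not the leaked algorithm, the pastebin script, or NUSspli's code. The PBKDF2 construction, the title ID, the iteration count and the key length are assumptions made for this example; only the two passwords come from the thread. It shows why deriving a key from a public identifier plus a dictionary password gives the key at most one bit of entropy, and what a keyed derivation with a secret master key looks like by contrast.

```python
import hashlib
import hmac

# Constructed parameters for this illustration; NOT the leaked algorithm's values.
KNOWN_PASSWORDS = (b"nintendo", b"mypass")  # the two words the thread reports
PBKDF2_ITERATIONS = 1000                    # assumed; the real count is not on this page
KEY_LEN = 16                                # AES-128-sized title key


def weak_title_key(title_id: int, password: bytes) -> bytes:
    """Hypothetical weak scheme: key = PBKDF2(password, salt=public title ID).

    Everything on the right-hand side except the password is public, and the
    password comes from a two-word list, so the key has at most 1 bit of entropy.
    """
    salt = title_id.to_bytes(8, "big")
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, KEY_LEN)


def candidate_keys(title_id: int) -> dict:
    """All keys the weak scheme can yield for a title, computed from public data alone."""
    return {pw: weak_title_key(title_id, pw) for pw in KNOWN_PASSWORDS}


def is_recoverable_from_public_data(title_id: int, key: bytes) -> bool:
    """Design check: does the key fall inside the set anyone can regenerate?"""
    return key in candidate_keys(title_id).values()


def strong_title_key(master_key: bytes, title_id: int) -> bytes:
    """Keyed derivation (HMAC-SHA256): still deterministic per title, but the
    master key is a secret the publisher holds, so public data alone recovers nothing."""
    info = b"titlekey" + title_id.to_bytes(8, "big")
    return hmac.new(master_key, info, hashlib.sha256).digest()[:KEY_LEN]


if __name__ == "__main__":
    tid = 0x0004000000123400                        # constructed title ID
    weak = weak_title_key(tid, b"mypass")
    strong = strong_title_key(b"\x11" * 32, tid)    # constructed 256-bit master key
    print("weak key recoverable from public data:", is_recoverable_from_public_data(tid, weak))
    print("keyed derivation recoverable:", is_recoverable_from_public_data(tid, strong))
```

The point of the check is that PBKDF2's iteration count only slows each guess; when the guess list has two entries, slowing it down changes nothing. A keyed derivation (or simply a random per-title key stored server-side) is what makes a title key unrecoverable from the title ID.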
Cool, does this mean that we can download all their upcoming releases for free? I think I saw a new indie slot machine game the other day, can't wait to play it.

This is big business, big business man.
 
Cool, does this mean that we can download all their upcoming releases for free? I think I saw a new indie slot machine game the other day, can't wait to play it.

This is big business, big business man.
Freeshop was screwed years ago. This ain't gonna replace nothing of it. This is merely title keys, NOT the tickets needed to actually download the games.
 
Seems like the passwords don't apply to the Wii U. Does anyone know the password for the Wii U?
 
I now have confirmation that this also works with DSi titles. I made a wrong assumption based on a few system titles.

This means that it will not be necessary to download a DS game from the eshop to hack the WiiU?
No.
What this means is that one can decrypt the contents of a title without having a ticket or the key. Imagine Nintendo would release a new Wii U or 3DS game, then you could create a fake ticket and/or decrypt the contents of the game before release. This might also be useful for titles that were never dumped or have wrong tickets (looking at you Wii scene!).

This DOES NOT allow you to
  1. Magically hack your console
  2. Pirate games without modding your console
  3. Pirate games without signature patches
For these things you would need to have a valid ticket which MUST BE signed by Nintendo with their private key.
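The post above draws the line between a title key (decrypts content) and a ticket (must carry a signature only Nintendo's private key can produce). The following is an added example, not Nintendo's ticket format or any tool's code: it uses a toy RSA key built from two Mersenne primes and a made-up ticket layout to show that knowing a title key lets you fabricate a ticket, but not one that a public-key check will accept.

```python
import hashlib

# Toy RSA key, constructed for this example from two Mersenne primes.
# ~216-bit modulus: fine to show the mechanism, far too small for real use.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def make_ticket(title_id: int, title_key: bytes) -> bytes:
    """Made-up ticket layout: a tag, the title ID and the (known) title key."""
    return b"TICKET" + title_id.to_bytes(8, "big") + title_key


def ticket_digest(ticket: bytes) -> int:
    # SHA-256 of the ticket reduced into the RSA range; real schemes use a padded encoding.
    return int.from_bytes(hashlib.sha256(ticket).digest(), "big") % N


def sign_ticket(ticket: bytes, private_exponent: int = D) -> int:
    """Signing needs the private exponent; only the publisher holds it."""
    return pow(ticket_digest(ticket), private_exponent, N)


def verify_ticket(ticket: bytes, signature: int) -> bool:
    """Verification needs only (N, E), which is all the console carries."""
    return pow(signature, E, N) == ticket_digest(ticket)


if __name__ == "__main__":
    tid = 0x0004000000123400                 # constructed title ID
    genuine = make_ticket(tid, bytes(16))    # constructed title key
    sig = sign_ticket(genuine)
    print("genuine ticket verifies:", verify_ticket(genuine, sig))

    # Someone who knows the title key can build a ticket, but has no private exponent.
    fabricated = make_ticket(tid, b"\x01" * 16)
    print("fabricated ticket with a real signature copied over:", verify_ticket(fabricated, sig))
    print("fabricated ticket signed with a guessed exponent:",
          verify_ticket(fabricated, sign_ticket(fabricated, private_exponent=12345)))
```

This is exactly why the thread's last point holds: without the private exponent (or a console that skips the check, i.e. signature patches) a fabricated ticket fails verification, whatever title key it contains.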
 
Ok, so we are still in the same state as before, we need to buy a DS game from the eShop so we can use Haxchi later :unsure:
It is incredible that not even the modders want the Wii U, however for Wii and Switch there are a lot of possibilities and methods.
 
To find Nintendo's private key you need to find the two factors (P*Q) of the number
2187885289287672884801780556325407757063965220780239
3500918957064652210370675188834218865357870966263111
8705775643498977435242140288865478394358161248284050
7077824108614332554753234765314855149801891676503831
7175858727677962403697921714489863389704366824869223
0428081666796590205681464095805529744660804105863762
3022890081953976738518393427517527316072978945485418
2429822686960776288262456266175659743055582109767159
1559382948249863268657501517649205662519191745040833
1683729241314724615617709793002903610025427098360979
6049063200861227604723342012621723963530424850244362
852041768390661387795732715997007947611055653
 
NUSgrabber, NUS downloader, etc... I see "mods" coming :)

Can someone explain to me the difference between a title ID4 and other Nintendo IDs?
 
Ok, so we are still in the same state as before, we need to buy a DS game from the eShop so we can use Haxchi later :unsure:
It is incredible that not even the modders want the Wii U, however for Wii and Switch there are a lot of possibilities and methods.
There are other options on the Wii U. Using Mocha with the internet browser is as easy as using Haxchi now. We also have a boot1 exploit that just hasn't been implemented in any meaningful way.
 
We also have a boot1 exploit that just hasn't been implemented in any meaningful way.
I'm not sure if this boot1 exploit is helpful at all. We still need a prior exploit to be able to use it, and as no boot0 exploit exists that means booting the console, using an exploit like Mocha, warm-rebooting the console... That's a slow process and I fail to see a need to exploit an already cracked console... Anyway, we'll see what @Maschell does with it / how it will be integrated into wiiu-env. He's not talking much about it (but I also didn't ask). Wasn't Maschell. Sry for mixing that up.

//EDIT:
NUSgrabber, NUS downloader, etc... I see "mods" coming :)
NUSspli already uses this: https://github.com/V10lator/NUSspli/blob/master/src/keygen.c
USB Helper's developer is working on integrating it while we speak... Not sure what tool works on integrating it tbh. There was just one developer contacting me after I implemented this into NUSspli.
 
Last edited by V10lator,
I'm not sure if this boot1 exploit is helpful at all. We still need a prior exploit to be able to use it, and as no boot0 exploit exists that means booting the console, using an exploit like Mocha, warm-rebooting the console... That's a slow process... Anyway, we'll see what @Maschell does with it / how it will be integrated into wiiu-env. He's not talking much about it (but I also didn't ask)
From the write-up:
However... There's one plausible vector that could be used to create a much safer alternative to current methods.
Leveraging this bug from the vWii environment, for example, could grant a nice boot(ish) time CFW by combining some form of contenthax in a way that entering vWii mode would launch the boot1hax payload, reset the console and send you right into a CFW. The total time spent on this would be minimal and it would create a dual-boot environment where you could hold down the "B" button on boot to jump into CFW or do nothing to land on the vanilla OS. That is, of course, if you wouldn't mind sacrificing your vWii channel for a while (it would then be possible to restore it from within the CFW environment, so that's not really an issue).
 
From the write-up:
Thanks for this. Just one thing:
The total time spent on this would be minimal and it would create a dual-boot environment where you could hold down the "B" button on boot to jump into CFW or do nothing to land on the vanilla OS.
How should that work? At boot time no CFW is loaded and nothing is exploited, again: we need a boot0 exploit for such nice things. In the current situation one would have to boot a CFW (CBHC) to get that dual-boot menu working. Booting into CBHC to reboot into hacked vWii doesn't sound fast to me [EDIT]and it is also pretty useless. When CBHC is already booted, why reboot into another CFW?[/EDIT]
 
Last edited by V10lator,
Thanks for this. Just one thing:

How should that work? At boot time no CFW is loaded and nothing is exploited, again: we need a boot0 exploit for such nice things. In the current situation one would have to boot a CFW (CBHC) to get that dual-boot menu working.
It would work analogously to CBHC, except instead of a DS game launching contenthax at boot, vWii launches this boot1 exploit at boot.
 
It would work analogously to CBHC, except instead of a DS game launching contenthax at boot, vWii launches this boot1 exploit at boot.
So you're telling me the Wii U is already booting into vWii when pressing B (can't test this right now as a friend is gaming)? If so that would ofc be great. :)
 
So you're telling me the Wii U is already booting into vWii when pressing B (can't test this right now as a friend is gaming)? If so that would ofc be great. :)
Yes, sort of.
https://en-americas-support.nintend...w-to-boot-the-wii-u-console-into-the-wii-menu

Power on the Wii U console and then press and hold down the B Button on the Wii U GamePad, Wii Remote, or Wii U Pro Controller when you see the Wii U logo splash screen. If this does not work, you may need to wait a few seconds after seeing the Wii U logo screen before hitting the button on a Wii Remote.
 
Last edited by Lacius,