Homebrew 3DS/Wii U titlekey generation algorithm leaked

Josephvb10

https://pastebin.com/DUe6KMXZ

This is crazy. As part of the leaks on 4chan related to Nintendo's old source code, it looks like someone has posted the algorithm that generates the title key for 3DS and Wii U titles.

IMPORTANT: The script doesn't contain any Nintendo-specific keys or any potential "illegal numbers". Thanks to Nintendo for using common words for their passwords.

The only parameter for the algorithm is the title ID. Turns out the "password" Nintendo decided to use for the algorithm is either:
  • nintendo
  • mypass
The password and the title ID are passed to a PBKDF2 hash function, which with some other modifications generates the title key. It's hilariously bad.
 
Last edited by Josephvb10,
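
The weakness described in the post above, shown as an added example that is not part of the original post, the pastebin script or any Nintendo code. The hash, iteration count, salt layout and title ID are constructed assumptions (the post gives none of them, and the "other modifications" are left out); it contrasts a key derived from a word password and the public title ID with one derived from a random secret.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: the post does not give the salt layout, hash,
# iteration count or the "other modifications", so these are assumptions.
ITERATIONS = 1000
KEY_LEN = 16
TITLE_ID = "0123456789ABCDEF"  # constructed 64-bit title ID, not a real title


def password_derived_key(title_id: str, password: str) -> bytes:
    """Design described in the post, in outline: PBKDF2 over a word password
    with the public title ID as the only per-title input."""
    salt = bytes.fromhex(title_id)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, KEY_LEN)


def secret_keyed_key(title_id: str, master_secret: bytes) -> bytes:
    """Hardened alternative: HMAC-SHA256 keyed with a high-entropy secret that
    never leaves the issuing service, truncated to the key length."""
    mac = hmac.new(master_secret, bytes.fromhex(title_id), hashlib.sha256)
    return mac.digest()[:KEY_LEN]


def wordlist_reproduces(title_id: str, issued_key: bytes, wordlist) -> bool:
    """Design-review check: can the issued key be rebuilt from the public
    title ID plus a small list of common words?"""
    return any(
        hmac.compare_digest(password_derived_key(title_id, w), issued_key)
        for w in wordlist
    )


COMMON_WORDS = ["password", "nintendo", "mypass"]  # the last two are from the post
MASTER_SECRET = secrets.token_bytes(32)            # 256 bits from the OS CSPRNG

if __name__ == "__main__":
    weak = password_derived_key(TITLE_ID, "mypass")
    strong = secret_keyed_key(TITLE_ID, MASTER_SECRET)
    print("password-derived key reproducible:", wordlist_reproduces(TITLE_ID, weak, COMMON_WORDS))
    print("secret-keyed key reproducible:   ", wordlist_reproduces(TITLE_ID, strong, COMMON_WORDS))
```

PBKDF2's iteration count only slows guessing; it adds no secrecy when the password is a dictionary word and the salt is public.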

EduAAA

Cool, does this mean that we can download all their upcoming releases for free? I think I saw a new indie slot machine game the other day, can't wait to play it.

This is big business, big business man.
 

lone_wolf323

Cool, does this mean that we can download all their upcoming releases for free? I think I saw a new indie slot machine game the other day, can't wait to play it.

This is big business, big business man.
Freeshop was screwed years ago. This ain't gonna replace nothing of it. This is merely title keys, NOT the tickets needed to actually download the games.
 

Brawl345

*text in fields can't be quoted*
I now have confirmation that this also works with DSi titles. I made a wrong assumption based on a few system titles.

This means that it will not be necessary to download a DS game from the eshop to hack the WiiU?
No.
What this means is that one can decrypt the contents of a title without having a ticket or the key. Imagine Nintendo would release a new Wii U or 3DS game, then you could create a fake ticket and/or decrypt the contents of the game before release. This might also be useful for titles that were never dumped or have wrong tickets (looking at you Wii scene!).

This DOES NOT allow you to
  1. Magically hack your console
  2. Pirate games without modding your console
  3. Pirate games without signature patches
For these things you would need to have a valid ticket which MUST BE signed by Nintendo with their private key.
 

Magnus87

Ok, so we are still in the same state as before, we need to buy a DS game for the eshop so we can use Haxchi later :unsure:
It is incredible that not even the modders want the Wii U, however for Wii and Switch there are a lot of possibilities and methods.
 

botik

To find Nintendo's private key you need to find the two multipliers (P*Q) of the number
 

asper

NUSgrabber, NUS downloader, etc... I see "mods" coming :)

Can someone explain to me the difference between a title ID4 and other Nintendo IDs?
 

Lacius

Ok, so we are still in the same state as before, we need to buy a DS game for the eshop so we can use Haxchi later :unsure:
It is incredible that not even the modders want the Wii U, however for Wii and Switch there are a lot of possibilities and methods.
There are other options on the Wii U. Using Mocha with the internet browser is as easy as using Haxchi now. We also have a boot1 exploit that just hasn't been implemented in any meaningful way.
 

V10lator

We also have a boot1 exploit that just hasn't been implemented in any meaningful way.
I'm not sure if this boot one exploit is helpful at all. We still need a prior exploit to be able to use it and as no boot0 exploit exists that means booting the console, using an exploit like Mocha, warm-rebooting the console... That's a slow process and I fail to see a need to exploit an already cracked console... Anyway, we'll see what @Maschell does with it / how it will be integrated into wiiu-env. He's not talking much about it (but I also didn't ask). Wasn't Maschell. Sry for mixing that up.

//EDIT:
NUSgrabber, NUS downloader, etc... I see "mods" coming :)
NUSspli already uses this: https://github.com/V10lator/NUSspli/blob/master/src/keygen.c
USB Helper's developer is working on integrating it while we speak... Not sure what tool works on integrating it tbh. There was just one developer contacting me after I implemented this into NUSspli.
 
Last edited by V10lator,

Lacius

I'm not sure if this boot one exploit is helpful at all. We still need a prior exploit to be able to use it and as no boot0 exploit exists that means booting the console, using an exploit like Mocha, warm-rebooting the console... That's a slow process... Anyway, we'll see what @Maschell does with it / how it will be integrated into wiiu-env. He's not talking much about it (but I also didn't ask)
From the write-up:
However... There's one plausible vector that could be used to create a much safer alternative to current methods.
Leveraging this bug from the vWii environment, for example, could grant a nice boot(ish) time CFW by combining some form of contenthax in a way that entering vWii mode would launch the boot1hax payload, reset the console and send you right into a CFW. The total time spent on this would be minimal and it would create a dual-boot environment where you could hold down the "B" button on boot to jump into CFW or do nothing to land on the vanilla OS. That is, of course, if you wouldn't mind sacrificing your vWii channel for a while (it would then be possible to restore it from within the CFW environment, so that's not really an issue).
 

V10lator

From the write-up:
Thanks for this. Just one thing:
The total time spent on this would be minimal and it would create a dual-boot environment where you could hold down the "B" button on boot to jump into CFW or do nothing to land on the vanilla OS.
How should that work? At boot time no CFW is loaded and nothing is exploited, again: We need a boot 0 exploit for such nice things. In the current situation one would have to boot a CFW (CBHC) to get that dual-boot menu working. Booting into CBHC to reboot into hacked vWii doesn't sound fast to me [EDIT]and it is also pretty useless. When CBHC is already booted, why reboot into another CFW?[/EDIT]
 
Last edited by V10lator,

Lacius

Thanks for this. Just one thing:

How should that work? At boot time no CFW is loaded and nothing is exploited, again: We need a boot 0 exploit for such nice things. In the current situation one would have to boot a CFW (CBHC) to get that dual-boot menu working.
It would work analogously to CBHC, except instead of a DS game launching contenthax at boot, vWii launches this boot1 exploit at boot.
 

V10lator

It would work analogously to CBHC, except instead of a DS game launching contenthax at boot, vWii launches this boot1 exploit at boot.
So you're telling me the Wii U is already booting into vWii when pressing B (can't test this right now as a friend is gaming)? If so that would ofc be great. :)
 

Lacius

So you're telling me the Wii U is already booting into vWii when pressing B (can't test this right now as a friend is gaming)? If so that would ofc be great. :)
Yes, sort of.
https://en-americas-support.nintend...w-to-boot-the-wii-u-console-into-the-wii-menu

Power on the Wii U console and then press and hold down the B Button on the Wii U GamePad, Wii Remote, or Wii U Pro Controller when you see the Wii U logo splash screen. If this does not work, you may need to wait a few seconds after seeing the Wii U logo screen before hitting the button on a Wii Remote.
 
Last edited by Lacius,