4.0 Tweezer Attack

Discussion in 'Wii - Hacking' started by pspmte, Apr 28, 2009.


4.0 Tweezer Attack by pspmte at 8:46 AM (3,529 Views / 0 Likes) 7 replies

  1. pspmte
    OP

    Member pspmte GBAtemp Regular

    Joined:
    Oct 23, 2008
    Messages:
    243
    Country:
    United Kingdom
    Does anybody know where I can get the circuit diagram and software for the tweezer attack?

    As I said a few days ago, the Wii will boot into GameCube mode on a mod chip, so I have an idea of dumping my keys from Wii 4.0 in GameCube mode, which really was the first hack Team Tweezers did.

    So if anybody can help me with the release diagrams etc.


    Cheers Mat


    Mods can we have a Wiidev forum ?
     
  2. Helsionium

    Member Helsionium Alpha and Omega

    Joined:
    Jul 18, 2008
    Messages:
    348
    Location:
    Innsbruck, Austria
    Country:
    Austria
    I thought Nintendo patched either BC or MIOS long before 4.0 which made the tweezer attack in GC mode impossible?
     
  3. pspmte
    OP

    Member pspmte GBAtemp Regular

    Joined:
    Oct 23, 2008
    Messages:
    243
    Country:
    United Kingdom
    Wii: you can boot into GameCube mode on Yasom mod chip config 1.3 with a mod chip.

    So I guess not.
     
  4. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,697
    Country:
    United Kingdom
    Tweezer attack:
    Got the common key for all Wiis (an AES key). This was changed for the Korean Wii, but other than that all Wiis use it and still use it to this day. It relied on the upper areas of the memory not being wiped/scrambled upon launch of the GC hypervisor (we could run GameCube code quite happily at this point). Nintendo had assumed the memory would not be viewable, and the tweezer attack allowed people to shift this memory, which led to people finding the common key (although it is a rookie mistake to leave your keys in the memory). They did however fix this bug with a new mIOS (mIOS = the GC hypervisor), not that there was any point, and at the same time blocked the Datel GC discs and GCOS by way of the header values (which could be easily changed in the case of GCOS, but as Datel had burned discs...).

    Getting this key ultimately allowed decryption of the various parts of the Wii, including the IOS modules, where it was discovered that Nintendo had messed up the signing of games in a big way (the trucha bug). Signing is asymmetric, based on RSA with a large key (it was over 1000 bits, which is way outside any capability for brute force).
    More
    http://hackmii.com/2008/04/keys-keys-keys/
    http://debugmo.de/?p=61
    Ignore the wikipedia links and do a real search.
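The "rookie mistake" FAST6191 describes above is a key left behind in a memory region that a less-trusted stage later inherits. The C below is an added, constructed illustration (not Wii or MIOS code, and the key bytes are a placeholder, not the real common key): a privileged stage copies a 128-bit AES key into a shared scratch region, hands off, and an audit routine checks whether the key is still readable; with a volatile-backed wipe before the handoff, the same check comes back clean.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed scenario: a scratch region shared between a privileged stage
 * and a less-trusted stage that runs after it (the GC hypervisor in the thread). */
#define REGION_SIZE 4096
static uint8_t g_region[REGION_SIZE];

/* Placeholder 16-byte key for the demo; NOT the real Wii common key. */
static const uint8_t DEMO_KEY[16] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10 };

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead writes, which it may do with a plain memset() on data never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Privileged stage: stages the key in the shared region, uses it, then either
 * forgets it (the original bug) or scrubs it before handing control over. */
static void privileged_stage(int wipe_before_handoff) {
    uint8_t *slot = g_region + 0x800;       /* arbitrary offset in the region */
    memcpy(slot, DEMO_KEY, sizeof DEMO_KEY);
    /* ... key would be consumed by AES here ... */
    if (wipe_before_handoff)
        secure_wipe(slot, sizeof DEMO_KEY);  /* what a fixed hypervisor should do */
}

/* Audit: scan every window of the inherited region for the key bytes.
 * Returns the offset where residue was found, or -1 if the region is clean. */
static long find_key_residue(const uint8_t *region, size_t len,
                             const uint8_t *key, size_t klen) {
    for (size_t i = 0; i + klen <= len; i++)
        if (memcmp(region + i, key, klen) == 0) return (long)i;
    return -1;
}

/* Runs one handoff and reports whether the key survived it. */
long handoff_residue(int wipe_before_handoff) {
    memset(g_region, 0, sizeof g_region);
    privileged_stage(wipe_before_handoff);
    return find_key_residue(g_region, sizeof g_region, DEMO_KEY, sizeof DEMO_KEY);
}

int main(void) {
    printf("no wipe: key residue at offset %ld\n", handoff_residue(0));  /* 2048 */
    printf("wipe:    key residue at offset %ld\n", handoff_residue(1));  /* -1 */
    return 0;
}
```

The same scan, run over a real memory dump with a known key, is how a defender audits a boot chain for secrets that outlive the stage that needed them.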
     
  5. pspmte
    OP

    Member pspmte GBAtemp Regular

    Joined:
    Oct 23, 2008
    Messages:
    243
    Country:
    United Kingdom
    That was a great bit of info thank you so much
     
  6. fogbank

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    http://www.wiire.org/Wii/console/motherboard

    Short various lines under U3 to shift the area of memory used in GameCube mode.

    However as FAST6191 mentioned, Nintendo patched MIOS to prevent the attack anyway:

    http://hackmii.com/2008/06/genie-into-bottle-mios/

    Even so, I believe the Tweezer attack only revealed the common key, which we all know already anyway.
     
  7. joda

    Member joda GBAtemp Fan

    Joined:
    Jul 12, 2007
    Messages:
    436
    Location:
    Umeå
    Country:
    Sweden
    With Xyzzy, which relies on the Tweezer attack, you can see your NAND key as well.
     
  8. fogbank

    Member fogbank GBAtemp Fan

    Joined:
    Oct 28, 2008
    Messages:
    413
    Country:
    United States
    Xyzzy is a homebrew app that has very little to do with the Tweezer attack.
     

Share This Page