Hacking Betwiin v.10

[HiBit]

Update: I got ultraedit and punched ctrl f to find $21000144 and it says not found...

You must go to this address with strg+g and if you use an hex address you must begin them with 0x.
For the HMAC key it's 0x21000144.


Than select the 20 bytes, copy and paste this code to the hmac-key:


Do the same for the NAND key but use the other address and only 16 bytes.


To remove the last 1024 bytes simply select all from $21000000 to the end and cut what you select(ultraedit should show you that you select
1024 bytes).


If all is correct the output window from betwiin should show you the files from the NAND dump:



You can also select and copy the 1024 bytes from the dump of the target NAND(bootmii need this to restore the NAND) if it's converted. Open
the dump from the target Wii, copy the last 1024 bytes and paste this bytes at the end of the new file output\flash.bin.

 

[HiBit]

Sorry, double post.

 

[pika9323]

Thanks for the explanation.

I hope a infectus reach me this week and than i try all this an two bricked Wii that i bought @ ebay.

As i heared it isnt possible to dump the keys with an infectus?
So your idea:
Hopefully the Wii has a boot which allows bootmii to be installed as Boot2.
Flash the 6 first blocks to install bootmii as boot on the Wii.
Then dump nand and get the keys?

Or am i wrong?

 

[HiBit]

I hope you are right.

You can't dump the NAND/HMAC key from U1 aka hollywood, but - and thanks for WiiCrazy for the info - you can install bootmii on every old Wii and dump the keys.

I verified it by converting a NAND from one to another Wii, and the bootmii code is the same so i hope the NAND/HMAC key is not used to start bootmii.

So i hope it work, but if i get the infectus i try it and report.

 

[Hicksy]

well i hope all this work aint for nothin, because i found out my other broken wii's nand has no bad blocks at all. now how can i use my good wiis dump when i know it has bad blocks. hopefully that made sense. still havent completed my hex editing and now wondering if this is gonna be worth the trouble.


couldn't i just use the keys.txt file to get the keys i need? i'm using xvi32 now as my hex editor. So what i'm saying is... can i use a hex editor on the keys.txt file from xyzzy to extract the keys i need?

 

[pika9323]

Hmm maybe i found something interesting.
I dumped my Nand with a FS dumper.

In shared2\test2\ is nanderr.log.
It says:
1 2007/08/30 22:01:36 00000001-00000002 Created log file.

Maybe so you can see how old the wii is?
I bought my Wii in feb 2007.

Or you could just look up the serial...

 

[HiBit]

couldn't i just use the keys.txt file to get the keys i need? i'm using xvi32 now as my hex editor. So what i'm saying is... can i use a hex editor on the keys.txt file from xyzzy to extract the keys i need?

I don't know xvi32, but i'm sure you can use this editor.

In another editor you must enter the hex code from the txt file to an - as binary opened - file(e.g. hmac-key).

Tomorrow i try this editor in a sandbox and make a screenshot how you can use the keys from the keys.txt file.

 

[pembo]

well i hope all this work aint for nothin, because i found out my other broken wii's nand has no bad blocks at all. now how can i use my good wiis dump when i know it has bad blocks. hopefully that made sense. still havent completed my hex editing and now wondering if this is gonna be worth the trouble.

The bad block problems will be more to do with if the target (bricked) wii has bad blocks where on the working (source) wii, there is a critical system file.

So in your case, I wouldn't anticipate a problem as your broken wii doesn't have any bad blocks.
I guess after a restore of a nand with bad blocks marked, then your broken wii will probably have these same blocks marked as bad unless they are done at some hardware level I don't understand... even though in reality they are not

This is all just my opinion and an educated guess though so don't hold me to it

 

[HiBit]

I hope if an backup didn't work because there are bad sectors on the target Wii that make the sysmenu/IOS unusable, another backup work fine.

I think it's possible that another Wii use an other place for these files.


Bts, know everyone if it is possible to check the boot* version from a bricked Wii?
Board version?
Serial number?
?

 

[SifJar]

If the bricked wii has no bad blocks, and the working one has bad blocks, you're fine. The problem comes if the bricked one has bad blocks in the location of crucial parts on the working wii.

 

[Hicksy]

Well got the keys....Now i'm on the part where i remove the last 1024 bytes.If i simply select all from $21000000 to the end, I believe that will come to way more than 1024 bytes. There's gotta be an easier way cus right now i'm thinking of counting from 21000000 to the 1024th block. For the fun of it i tried running betwiin.py again with my new keys and i get a value error cannot be divisible by 2112 or something like that. i would've posted what it said in quote but it would'n't let me copy. Well i made some more progress today thanks to Sifjar and HiBit, I am just so damn eager to boot up bootmii with this reencrypted nand file. I will give updates as to how far along i am. Sifjar i'm waiting to ask u about your calculator method, Hopefully i can install this newly created nand.bin tonight!

 

[Thomas83Lin]

Well cool i got everything working, just followed everything hibit said worked like a charm so Thanks, even though right now i dont have a use for it, you never know one day i might.

Well got the keys....Now i'm on the part where i remove the last 1024 bytes.If i simply select all from $21000000 to the end, I believe that will come to way more than 1024 bytes. There's gotta be an easier way cus right now i'm thinking of counting from 21000000 to the 1024th block. For the fun of it i tried running betwiin.py again with my new keys and i get a value error cannot be divisible by 2112 or something like that. i would've posted what it said in quote but it would'n't let me copy. Well i made some more progress today thanks to Sifjar and HiBit, I am just so damn eager to boot up bootmii with this reencrypted nand file. I will give updates as to how far along i am. Sifjar i'm waiting to ask u about your calculator method, Hopefully i can install this newly created nand.bin tonight!

When i did mine, when i removed 0x21000000 to the end it was exactly 1024 bits so no clue

 

[Hicksy]

So I goto address 21000000 and then hit ctrl shift to the right until the end of what? How many blocks is it from the start?

 

[Thomas83Lin]

i used 010 editior and used goto address 0x21000000 on my bootmii nand dump and just highlighted everything from there on down to the bottom, mine did equal 1024bits
maybe best for hibit to help you more sense thats were i got my info.

 

[Hicksy]

How long did it take to do that ? Cus there's a crapload of blocks

 

[Thomas83Lin]

How long did it take to do that ? Cus there's a crapload of blocks

heres a couple of pics

heres were to start 0x21000000 and just highlight everything downward and delete, but copy and backup this data if your using bootmii

http://img268.imageshack.us/img268/9931/bootmiif1.jpg

and heres the end showing its a 1024bits

http://img38.imageshack.us/img38/8547/bootmiiff2.jpg

sorry if i can't explain it any better its not that long either

 

[Hicksy]

So now I just paste this at the end of the new flash.bin right?
And how long does bewiin.py take to run? I'm waiting on the second set of cluster updates and no dice. I'll give some results tomorrow, just curious If there's something else I need to run before betwiin. Py is able to finish. Ttyl


Another question: are the keys in the last 1024 bytes of the NAND as well? If so I may have f'ed up my keys, still stuck on updating cluster f where I got a little input line blinking like it's telling me I'm missing something. Hopefully u guys can help, once I get the NAND file from betwiin and readd the last 1024 bytes I can proceed to the boot mii restore session I work weekends but I will try to update my progress and hopefully fix some wii consoles

 

[HiBit]

Little Update:
The new bootmii v0.3 use a new way to save the nand and the keys.
The new version save only the nand without the keys, these are now in a 1024 byte short keyfile.

Now it's easier to use betwiin because we must only open the keyfile and not the large nand.bin.


Btw, up to this day i wait for the infectus. *grrrr*

 

[HiBit]

Wow, the infectus is here and four bricked Wii wait for the new NAND.

But i solder and flash it tomorrow and than i report. Today i'm angry because i spend 3 hours to install this damn infectus to my pc and install the NAND flash soft. to the Actel.

First my PC hangs at the POST(need to switch of usb legacy support in my bios), than windows hangs if i try to install the driver, than ...

Now it work fine, after i updated the infectus my pc work also with USB legacy support and the connected infectus, but this

 

[Maisto]

Can you mount a Infectus in a bricked wii's NAND without soldering?

And if you can not then it is something of a work to produce NAND flash

Sorry for my bad english.