Hacking Betwiin v.10

[longtom1]

Oh, so it lets you flash the Wii's NAND?

you can use any Wii nand chip you want so you can change the nand from say 3.2e to 4.0j or u with the change of a nand chip seen a video on-line of someone doing this looks really cool

 

[pspmte]

Yes with the infectus and bushing amoxy program u can dump nands and reflash

I have 2 wiis bricked on 3.4 will go into the recovery buts that it

only way I can see me fixing this is making a new NAND from another wii
so I need to install bootmii with a hex editor onto the bricked nands
then use bootmii to dump the NAND.bin then hex the keys and the use betwiin

 

[HiBit]

Yes with the infectus and bushing amoxy program u can dump nands and reflash

I have 2 wiis bricked on 3.4 will go into the recovery buts that it

only way I can see me fixing this is making a new NAND from another wii
so I need to install bootmii with a hex editor onto the bricked nands
then use bootmii to dump the NAND.bin then hex the keys and the use betwiin

The problem is you can only fix the bricked Wii if you have the NAND-Key and the HMAC-Key.

Without that you can't add working code, and if you have the keys you can make a full backup
from another Wii and there is no need to add bootmii with an hex editor.

 

[WiiCrazy]

Yes with the infectus and bushing amoxy program u can dump nands and reflash

I have 2 wiis bricked on 3.4 will go into the recovery buts that it

only way I can see me fixing this is making a new NAND from another wii
so I need to install bootmii with a hex editor onto the bricked nands
then use bootmii to dump the NAND.bin then hex the keys and the use betwiin

The problem is you can only fix the bricked Wii if you have the NAND-Key and the HMAC-Key.

Without that you can't add working code, and if you have the keys you can make a full backup
from another Wii and there is no need to add bootmii with an hex editor.

Well, you can find the keys of the broken wii by just flashing bootmii into it and taking a nand dump. Of course applicable only to those wiis that bootmii can be installed as boot2...

 

[HiBit]

Well, you can find the keys of the broken wii by just flashing bootmii into it and taking a nand dump. Of course applicable only to those wiis that bootmii can be installed as boot2...
You are sure the boot1/2 part is not encrypted by the NAND/HMAC key?

I read this on hackmii:

This AES key is used to encrypt the filesystem data on the actual NAND chip itself
..
..
This key is used to prevent the contents of the NAND filesystem from being read using a flash chip reader.

Also tmbinc write:
QUOTE

We didn’t knew how boot1 is encrypted
..
..
Once we re-coded the algorithm, it was clear that this in fact decrypts boot2. Encrypting a new boot2 requires signing the new hash.

http://debugmo.de/?p=59%29

And much more ppl say the full code is encryptet.


Is that wrong?


Edit
It seems you are right and boot1/2 can be used onto another Wii if boot* has the same version.

At this moment i compare a original and a converted dump and something more and the bootcode is the same.

 

[pspmte]

Just to add to this

I had 2 wiis both leh13xxxxx serial number

one worked and i installed bootmii
the other bricked no recovery ect
so i took the bricked wiis nand flash off and swapped it with the working wiis nand flash
The bricked wii booted into bootmii and i could do a dump of the nand with keys (so the nand dump was from the working wii but the keys where from the bricked wii)
So now i know that bootmii has the keys at the end, thats how you get keys from a bricked wii
We really should put all this info together and make an unbricking guide

 

[HiBit]

We really should put all this info together and make an unbricking guide

Thats a good idea, there is something to know.

Started with python, pycrypto and numpy.
Than how to edit the NAND(for me the last 1kb must be removed before i could convert a dump).
Followed by how to insert the last 1kb that bootmii accept the converted dump and something more.

 

[WiiCrazy]

Well everything is right there

If only I had good soldering skills, the exploration stops there for me..
besides I educated people here in Turkey against bricks very well, even if I was able to unbrick people this way possibly I'll have no customers at all..

 

[Swizler]

We really should put all this info together and make an unbricking guide

Thats a good idea, there is something to know.

Started with python, pycrypto and numpy.
Than how to edit the NAND(for me the last 1kb must be removed before i could convert a dump).
Followed by how to insert the last 1kb that bootmii accept the converted dump and something more.

then why not make said thread and sticky it?

 

[Swizler]

We really should put all this info together and make an unbricking guide

Thats a good idea, there is something to know.

Started with python, pycrypto and numpy.
Than how to edit the NAND(for me the last 1kb must be removed before i could convert a dump).
Followed by how to insert the last 1kb that bootmii accept the converted dump and something more.

then why not make said thread and sticky it?

 

[pspmte]

Yes they should

 

[superbob]

3) No handling of bad blocks is performed; if your target NAND chip
has a bad block that hits an important file required for system
startup, I suggest you find a differente donor dump to start from.

As for me it's a major concern, and a sufficent reason not to use it. Too risky.

 

[Hicksy]

Is there any easy way to get betwiin.py to run? i'm a noob to python and cant seem to get betwiin running. Or could someone convert this to a .exe? any help would be appreciated..... what i have so far is: xyzzy keys.txt from good wii in the input folder, then i renamed my nand.bin to flash.bin and put in input folder, then i put the bad wii's keys.txt file from xyzzy into the output folder. Now all i need to do is run betwiin.py but can't, so is there a program that'll run this for me quickly or am i screwed?

 

[HiBit]

Is there any easy way to get betwiin.py to run?
Yes, it's no problem and if you use Windows try this:

1. Install python -> http://python.org/ftp/python/2.6.2/python-2.6.2.msi
2. Install PyCrypto into the same folder-> http://www.voidspace.org.uk/downloads/pycr...win32-py2.6.exe
3. Install numpy into the same folder -> http://sourceforge.net/projects/numpy/file....6.exe/download
4. Restart your computer(possible it work without restart)
5. Now you can start betwiin.py

If you use another OS visit python.org and download what you need. Also google for PyCrypto and numpy for your OS and install it.


Edit:
Btw, you can't use the keys.txt file from xyzzy, it's required that you edit the nand-hmac and the nand-key with an hex editor and you must use binary code. If you didn't have a NAND dump you can take the keys from the key.txt and enter this code in binary format to the *-key files.

Also you must remove the last 1024 bytes from a bootmii backup because that's no data from the NAND and betwiin didn't work if you didn't remove the 1024 bytes.

From the target Wii you should save this kilobyte because it's required to add this data to the converted flash.bin if you try to restore it with bootmii.



If you have a bootmii dump:
QUOTEI think the easiest way is to use a hex editor and copy>paste the keys direct from a bootmii NAND dump to the files nand-hmac and nand-key.

The hmac-key is 20 bytes long and you find it on $21000144
The nand-key is 16 bytes long and you find it on $21000158

And ... and ... and.


Good luck and sorry for my bad english, but i hope you understand what i mean(it's a problem for me to take all this in correct words).

This is the reason why i didn't write a FAQ and also i didn't have a infectus at this time(i have a galep4, but it didn't support the NAND

). I hope a infectus reach me this week and than i try all this an two bricked Wii that i bought @ ebay.

 

[Maisto]

Ok if i get this right i need to do following.

1. Install python -> http://python.org/ftp/python/2.6.2/python-2.6.2.msi
2. Install PyCrypto into the same folder-> http://www.voidspace.org.uk/downloads/pycr...win32-py2.6.exe
3. Install numpy into the same folder -> http://sourceforge.net/projects/numpy/file....6.exe/download
4. copy my NAND.BIN to input folder and rename to flash.bin (from the working wii)
5. find the nand and hmac keys ind nand.bin whit at hex editor
6. copy the keys (from the working wii) (nand-key and hmac-key) to input folder (what file type do it need?) just file format?
6. copy the nand-key and hamc-key to output folder (from the bricked wii)
7. and then run betwiin.py whit python.

Is that right or am i totally wrong?

 

[HiBit]

Ok if i get this right i need to do following.

1. Install python -> http://python.org/ftp/python/2.6.2/python-2.6.2.msi
2. Install PyCrypto into the same folder-> http://www.voidspace.org.uk/downloads/pycr...win32-py2.6.exe
3. Install numpy into the same folder -> http://sourceforge.net/projects/numpy/file....6.exe/download
4. copy my NAND.BIN to input folder and rename to flash.bin (from the working wii)
5. find the nand and hmac keys ind nand.bin whit at hex editor
6. copy the keys (from the working wii) (nand-key and hmac-key) to input folder (what file type do it need?) just file format?
6. copy the nand-key and hamc-key to output folder (from the bricked wii)
7. and then run betwiin.py whit python.

Is that right or am i totally wrong?

Thats right, but also you must remove the last 1024 bytes from the flash.bin @ the input folder if you use a bootmii NAND dump.

 

[Maisto]

can you explain me how i do that, how do i save the keys fr0m the hex editor?

the keys i need to save from the nand dump is that only the 20 and the 16 bytes?

and the 1024 bytes i need to remote is that from the flash.bin in the input folder and do i need to do it before running betwiin.py?

 

[Hicksy]

ok i got python working. now i need an idea on a hex editor. which do u recommend being the easiest and could u walk me thru the keys process slowly. and also how do i get rid of the last 1024 bytes ? i did get betwiin.py running tho. and it gave me some error,but it also gave me a nand file in the output folder. the normal nand.bin from boot mii is 540,673kb this file is 540,672kb any ideas? i'm afraid to try using this cus i didn't do all the hex editing and that.

 

[HiBit]

@Maisto
Yes, thats right and of cause you must do it before you run betwiin.

@Hicksy
I think ultra edit is a great editor because you can see the adresse where you are, you can see how much bytes you select(e.g. go to the last byte and if you hold ctrl and go down/up you see when you have 1024 bytes selected) and much more.
http://www.ultraedit.com/downloads/ultraedit_download.html

I can make some screenshots later if i'm back at home.

 

[Hicksy]

So how do we re - add the 1024 bytes back into the output folder's newly created flash.bin ? i'm going to use the hex editor later today and gonna retry all of this step by step. and thanks you've been very helpful HiBit!!


Update: I got ultraedit and punched ctrl f to find $21000144 and it says not found, ok i feel pretty dumb now....lol but being this is the first time i'm using a hex editor i hope i can be forgiven, i am going to step away from my keyboard and await assistance before i f@*! something up.....lol