certificate chain (cert.bin)

Discussion in 'Wii - Hacking' started by Wiimm, Nov 3, 2010.


certificate chain (cert.bin) by Wiimm at 3:03 PM (1,695 Views / 0 Likes) 10 replies

  1. Wiimm
    OP

    Member Wiimm Developer

    Joined:
    Aug 11, 2009
    Messages:
    2,051
    Location:
    Germany
    Country:
    Germany
    I have 2 questions about the Nintendo certificate chain ("cert.bin" if extracted from an ISO):

    1.) Is the cert.bin the same for all games?
    (My roughly 60 games share identical certificates.)

    2.) What happens if I generate a self-signed certificate chain and use it instead of the Nintendo chain? Does the Wii confirm the certificates by using any other source? If the Wii accepts a self-signed chain, it is possible to create a well-signed ISO (and other well-signed stuff) with self-made keys.
     
  2. smf

    Member smf GBAtemp Advanced Fan

    Joined:
    Feb 23, 2009
    Messages:
    838
    Country:
    United Kingdom
    The root key which signs the certificate chain is stored inside your Wii.
    You can't easily replace it and you can't have two.

    Trucha signing and patching your IOS is much much easier.
     
  3. tueidj

    Member tueidj I R Expert

    Joined:
    Jan 8, 2009
    Messages:
    2,569
    Country:
    Well you can easily replace root - it's hardcoded in IOS. But then normal stuff would break.
    The reason they're on every disc is because technically they could make new certs - I believe it's even possible for a disc to contain a revocation list of old certs.
     
  4. Wiimm
    OP

    Member Wiimm Developer

  5. tueidj

    Member tueidj I R Expert

    Yes. It's not really needed in that example since the certs are also hardcoded into the sample app (no need to always verify static data, it's not going to change), I just left the entire chain checking in for demonstration purposes. Doing the final verify against Root takes much longer than the rest because it's 4096 bits instead of 2048.

    (Look for "// remove this if statement if you don't want to check the whole chain" if you want to speed up the sample code.)
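
The trust relationship discussed in the posts above (a chain is only accepted if it ends at the root key stored in the verifier), as an added example that is not part of the original thread and is not tueidj's sample code. It assumes toy textbook RSA built from small Mersenne primes and constructed cert fields and names ("Root", "CA", "CP"); it does not reproduce the real cert.bin layout or key sizes.

```python
import hashlib

E = 65537
# Constructed toy key material (Mersenne primes); real keys are far larger.
M = {k: 2**k - 1 for k in (61, 89, 107, 127)}

def keypair(p, q):
    """Textbook RSA key from two primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(issuer, name, n):
    """SHA-1 over the signed fields, as an integer (always < n for these keys)."""
    body = f"{issuer}|{name}|{n:x}".encode()
    return int.from_bytes(hashlib.sha1(body).digest(), "big")

def make_cert(issuer, issuer_key, name, subject_n):
    """Issue a cert for subject_n, signed with the issuer's (n, d)."""
    n, d = issuer_key
    return {"issuer": issuer, "name": name, "n": subject_n,
            "sig": pow(digest(issuer, name, subject_n), d, n)}

def verify_chain(chain, pinned_root_n):
    """Check each cert against its issuer's key, ending at the verifier's stored root."""
    by_name = {f'{c["issuer"]}-{c["name"]}': c for c in chain}
    cert = chain[0]
    while True:
        if cert["issuer"] == "Root":
            issuer_n = pinned_root_n      # never taken from the chain itself
        elif cert["issuer"] in by_name:
            issuer_n = by_name[cert["issuer"]]["n"]
        else:
            return False                  # issuer cert missing from the chain
        if pow(cert["sig"], E, issuer_n) != digest(cert["issuer"], cert["name"], cert["n"]):
            return False                  # signature does not match issuer key
        if cert["issuer"] == "Root":
            return True
        cert = by_name[cert["issuer"]]

root, own_root = keypair(M[107], M[127]), keypair(M[61], M[127])
ca, cp = keypair(M[89], M[127]), keypair(M[89], M[107])

def build(root_key):
    """Leaf-first chain: CP signed by CA, CA signed by the given root key."""
    return [make_cert("Root-CA", ca, "CP", cp[0]),
            make_cert("Root", root_key, "CA", ca[0])]

GENUINE = build(root)        # CA cert signed by the root whose public key is pinned
SELF_MADE = build(own_root)  # same layout, signed by a root the verifier never stored
```

`verify_chain(SELF_MADE, root[0])` fails at the last step because the root public key comes from the verifier, not from the chain; swapping the stored key for `own_root[0]` accepts the self-made chain but then rejects `GENUINE`.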
     
  6. Wiimm
    OP

    Member Wiimm Developer

    I have already noticed that, but I like to understand everything. I will implement that code in wit (both are GPL2).
     
  7. smf

    Member smf GBAtemp Advanced Fan

    Good luck with bricking your Wii.
     
  8. tueidj

    Member tueidj I R Expert

    It's not going to brick just by installing one patched IOS.
     
  9. smf

    Member smf GBAtemp Advanced Fan

    It's the system menu one, so if you do screw up with your editing then it won't end well,
    whereas trucha patching has already been automated, so the chances of getting it wrong are much lower.

    I guess you could test it safely with SNEEK.

    However you slice it, it's not as easy or as convenient as trucha, which will just work if your Wii is running an old enough system menu.
     
  10. Wiimm
    OP

    Member Wiimm Developer

    This question is still open:
    But I have two more questions:
    2.) Is it legal to distribute the cert chain (all so-called public keys) together with the wit distribution?
    3.) Is it legal to distribute the root cert together with the wit distribution?
     
  11. tueidj

    Member tueidj I R Expert

    I don't think anyone can confirm if every game uses the same certs unless they own them all, but I would say it's very likely.

    As for distributing the certs, I'm advised it's legal since it's not possible to copyright keys or signatures.
     
