Have the Wii U debug ancast keys been released?

Discussion in 'Wii U - Hacking & Backup Loaders' started by zecoxao, Oct 11, 2015.

  1. zecoxao
    OP

    zecoxao GBAtemp Fan

    So far, all I've seen on the web are the retail ancast keys. And in the retail kernel there are no symbols whatsoever. So I was wondering if the debug ancast keys (and IVs) have been released, so that it's possible to decrypt the debug kernels in the SDKs :)
     
  2. Hykem

    Hykem GBAtemp Regular

    No need to open up a new thread just for asking this. :P

    The keys haven't been released yet, probably due to lack of interest? I doubt we would find any relevant additional symbols in the debug versions, but, from a documentation perspective, I do think we should try to grab them as well.
    All that's necessary is for someone with a devkit to attempt the already public method to dump the Espresso's OTP.
     
  3. palantine

    palantine Advanced Member

    If anyone on here has a devkit, I'd be interested in buying it. Also if anyone has a shop unit, those are also very interesting as well.

    -palantine
     
  4. Onion_Knight

    Onion_Knight GBAtemp Advanced Fan

    -snip-
     
    Last edited by Onion_Knight, Oct 11, 2015
  5. Marionumber1

    Marionumber1 GBAtemp Maniac

    I don't think devkits can actually run vWii mode, which is the only way to reset the PPC until we have IOSU kernel code execution.
     
  6. palantine

    palantine Advanced Member

    Sorry, I changed my post because I realized that I misread it originally. My bad!

    -palantine
     
  7. Hykem

    Hykem GBAtemp Regular

    Hm, didn't know that. Well, that explains why no one has done it then.
    In fact, it doesn't seem logical for a devkit to support vWii mode since the goal is to develop Wii U applications (and not backwards compatibility, for which Nintendo itself is solely responsible).
     
  8. palantine

    palantine Advanced Member

    If we have kernel PPC access via the browser exploit, what's preventing us from leveraging that to dump the key? Sure, it would require some actual thought rather than reusing the retail exploit exactly, but I don't see what else is in the way.

    -palantine
     
  9. Marionumber1

    Marionumber1 GBAtemp Maniac

    The boot ROM, which runs on PPC reset, disables the keys once it's done using them, and they can only be reenabled through a PPC reset. We don't have the ability to do that - only the ARM does - and even if we could do that, we'd lose code execution.
     
  10. palantine

    palantine Advanced Member

    Hypothetical way to do it:

    1. Perform browser kexploit to own the PPC in Wii U mode
    2. Execute the retail rpl that launches vWii mode, patch as necessary
    3. Perform vWii exploit

    I seem to remember f0f mentioning there is a certain code sequence used to change between vWii and Wii U modes and vice versa. On vWii it's the new title that lets you switch back to Wii U mode.

    Basically, if we have full PPC control on a devkit, I'm pretty sure we should be able to boot into vWii. Perhaps Nintendo actually did go the extra mile and disable it in IOSU, but it's at least worth trying.

    -palantine
     
  11. Marionumber1

    Marionumber1 GBAtemp Maniac

    The code to switch into vWii mode is ARM code (cafe2wii). That being said, devkits have the ability to install titles, so cafe2wii and the vWii titles might be possible to install. I'm not sure how strictly signatures are checked.
     
  12. gamesquest1

    gamesquest1 Nabnut

    Wouldn't the 3.1 IOSU exploit be enough then? If you have a dev kit on 3.1
     
  13. palantine

    palantine Advanced Member

    I think you can downgrade devkits to any version. Are there any details about this IOSU exploit?

    -palantine
     
  14. gamesquest1

    gamesquest1 Nabnut

    Nope, afaik the IOSU stuff is all very closely guarded by a small handful of devs (only one of which has any interest in eventually sharing his results afaik)... tbh idk how useful it would be in this regard as there is very little info about what is done or not regarding IOSU... looking into installing cafe2wii might be a more immediate plan as I doubt any IOSU stuff will be getting shared for a while
     
  15. I pwned U!

    I pwned U! GBAtemp Advanced Fan

    I hope that something becomes of this. It would be interesting to decrypt dev titles and projects compiled with the SDK, extract their files, and see if they can boot on 5.3.2 retail units with Loadiine.

    This could then lead to a way for licensed developers to test their projects on retail Wii U consoles instead of feeling so pressured to spend lots of money on dev units.
     
  16. palantine

    palantine Advanced Member

    Pretty sure you can do this now as Loadiine will boot any rpl/rpx, not just signed ones. Of course you wouldn't be able to use the debugging tools with it, but it's a solid start.

    -palantine
     
  17. I pwned U!

    I pwned U! GBAtemp Advanced Fan

    According to @VinsCool, it seems that you can use debugging tools! (at least ones that come decompiled as .rpx files in the SDK)