Idea for possibly getting the per console key of a bricked wii

Discussion in 'Wii - Hacking' started by Tom191, Aug 9, 2010.

  1. Tom191 (OP, Banned)
     Joined: Jul 19, 2010
     Messages: 76
     Country: Canada
    Ok, as most of us know, the reason for trying to crack an encryption key is that someone wants to know the information on the other end. Well, with Wiis, the common key (I think, correct me if I'm wrong) is what encrypts the directory structure for the file system of the Wii's internal flash memory. The data of each file is encrypted with the per-console key.

    Well, for many common files like the EULA, and I'm sure many more, we know what the unencrypted end result should look like. And we know how to pull a file out of a Wii NAND even if we don't have the per-console keys; we can at least extract the encrypted file. So with that we have the unencrypted version and also an encrypted version, so it should be easier to attack this algorithm from both sides.

    I know I'm probably not explaining my exact thoughts the way I want to, but hopefully a few of the smarter people around here can key in and say what the chance might be of doing this.

    Please give any and all input you might have without flaming.
     
  2. giantpune (GBAtemp Addict)
     Joined: Apr 10, 2009
     Messages: 2,860
     Country: United States
    Ok, so you have a 512MB block of data, and you know that somewhere in it is 500KB of data that is the EULA. How do you think you will determine where in the NAND that EULA is stored?
     
  3. Tom191 (OP, Banned)
     Joined: Jul 19, 2010
     Messages: 76
     Country: Canada
    Please correct me if I'm wrong, but since we already have the common key, we can decrypt the directory structure and extract the encrypted file (I believe wiinand can do this (correct me if I'm wrong again)). And I believe that since we can decrypt the directory structure, we can tell exactly where certain encrypted data is sitting. So with that, we extract the encrypted file and use that.

    I know you have a LOT of knowledge so I will respect any input you have towards this, giantpune.
     
  4. tueidj (I R Expert)
     Joined: Jan 8, 2009
     Messages: 2,569
    The directory structure isn't encrypted at all in a NAND dump; you can tell exactly where each file is. It doesn't have anything to do with the common key, though.
     
  5. Tom191 (OP, Banned)
     Joined: Jul 19, 2010
     Messages: 76
     Country: Canada
    Ok, so even better. So is this a possibility? I spoke to someone who is taking cryptology in college, and although he said he does not know anything about the Wii, from the way I explained it to him he said it sounds very likely possible to do and sounds like it would be efficient. He also said that the more files we can positively identify and know the unencrypted contents of, the easier it will be to do this.

    For example, if you have a 003 Wii, you can still pull up recovery mode and see that it has either System Menu 4.2 or 4.3 for a specific region. So that is another group of files that can be used for this attack. I'm sure there are many files in the Wii NAND that can be used for this. There is also the case that some might be patched IOSs, so those we'd probably have to ignore.

    Please discuss.
     
  6. tueidj (I R Expert)
     Joined: Jan 8, 2009
     Messages: 2,569
    You're basically talking about brute-forcing AES. Good luck achieving that for a single Wii before we're all dead, let alone all the bricked Wiis out there.
     
  7. svpe (Member)
     Joined: Mar 15, 2007
     Messages: 44
     Country: Germany
    What you're talking about is a known-plaintext attack. AES, which is used to encrypt the NAND, and every other modern crypto algorithm are usually not vulnerable to those attacks.
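    The point made in posts 6 and 7 can be shown concretely. A known plaintext/ciphertext pair does not give you a shortcut into AES; all it gives you is a test that tells you whether a guessed key is right, so the "attack" collapses into exhaustive key search. The Go program below is an added example and is not code from this thread or from any Wii tool. It uses Go's standard crypto/aes, a constructed 16-byte "known plaintext" block standing in for the first block of a file whose contents are known, and a constructed target key. To make the search finish at all, it assumes only the low 20 bits of the 128-bit key are unknown (an assumption that never holds for a real per-console key); it then measures the rate of the toy search and extrapolates to the full 128-bit keyspace.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math"
	"time"
)

// Constructed example input: one 16-byte block of "known plaintext", standing
// in for the first block of a file (such as the EULA) whose contents are known.
var knownPlain = []byte("Wii EULA block01") // exactly 16 bytes

// unknownBits is the size of the toy keyspace. Only the low 20 bits of the
// 128-bit key are treated as unknown so the search finishes in well under a
// second; a real per-console key has all 128 bits unknown.
const unknownBits = 20

// keyFromIndex builds a 128-bit key whose unknown part is the low 20 bits of i.
// Assumption (toy only): the other 108 bits are known to be zero.
func keyFromIndex(i uint32) []byte {
	key := make([]byte, 16)
	key[13] = byte(i >> 16)
	key[14] = byte(i >> 8)
	key[15] = byte(i)
	return key
}

// encryptBlock encrypts a single 16-byte block with AES-128. A single raw block
// is also what the first CBC block looks like when the IV is all zero.
func encryptBlock(key, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// knownPlaintextSearch is the attack the thread describes, carried out the
// only way it can be against AES: try each candidate key, encrypt the known
// plaintext, and compare with the captured ciphertext. It returns the index
// of the matching key, how many keys were tried, and ok=false if none match.
func knownPlaintextSearch(plain, cipher []byte) (idx uint32, tried uint64, ok bool) {
	out := make([]byte, aes.BlockSize)
	for i := uint32(0); i < 1<<unknownBits; i++ {
		c, err := aes.NewCipher(keyFromIndex(i))
		if err != nil {
			panic(err)
		}
		c.Encrypt(out, plain)
		tried++
		if bytes.Equal(out, cipher) {
			return i, tried, true
		}
	}
	return 0, tried, false
}

// expectedYears is the expected time to find one key by exhaustive search
// (on average half the keyspace) at the given rate of keys per second.
func expectedYears(keyBits uint, keysPerSecond float64) float64 {
	const secondsPerYear = 365.25 * 24 * 3600
	trials := math.Ldexp(1, int(keyBits)-1) // 2^(keyBits-1)
	return trials / keysPerSecond / secondsPerYear
}

func main() {
	// Constructed: the "per-console key" whose low 20 bits we pretend not to know.
	targetIdx := uint32(0xBEEF5)
	cipher, err := encryptBlock(keyFromIndex(targetIdx), knownPlain)
	if err != nil {
		panic(err)
	}

	start := time.Now()
	idx, tried, ok := knownPlaintextSearch(knownPlain, cipher)
	elapsed := time.Since(start)
	if !ok || idx != targetIdx {
		panic("toy search failed")
	}
	rate := float64(tried) / elapsed.Seconds()
	fmt.Printf("recovered 20-bit key part 0x%X after %d keys (%.0f keys/s)\n", idx, tried, rate)
	fmt.Printf("full 128-bit key at that rate: %.3g years\n", expectedYears(128, rate))
	fmt.Printf("full 128-bit key at 10^12 keys/s: %.3g years\n", expectedYears(128, 1e12))
}
```

    The extrapolation is the whole argument: even granting a billion keys per second, the expected search for one 128-bit key is on the order of 10^21 years, and having more known files (post 5) only adds more ways to confirm a guess, not fewer guesses to make. Note too that nothing here depends on knowing where the file sits in the dump; that part (posts 2 and 4) is the easy half.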
     
  8. bwillb (GBAtemp Advanced Fan)
     Joined: Jul 2, 2009
     Messages: 620
     Country: United States
    maybe the passkey is 1 2 3 4 5
     