Idea for possibly getting the per console key of a bricked wii

Discussion in 'Wii - Hacking' started by Tom191, Aug 9, 2010.

  1. Tom191 (OP, Banned), joined Jul 19, 2010, Canada
    OK, as most of us know, the reason for trying to crack an encryption key is that someone wants to know the information on the other end. Well, with Wiis, the common key (I think, correct me if I'm wrong) is what encrypts the directory structure for the file system of the Wii's internal flash memory. The data of each file is encrypted with the per-console key.

    Well, for many common files like the EULA, and I'm sure many more, we know what the end result of the unencrypted file should look like. And we know how to pull a file out of a Wii NAND even if we don't have the per-console keys; we can at least extract the encrypted file. So with that we have the unencrypted version and also an encrypted version, so it should be easier to attack this algorithm from both sides.

    I know I'm probably not explaining my exact thoughts the way I want to, but hopefully a few of the smarter people around here can key in and say what the chance might be to do this.

    Please give any and all input you might have without flaming.
     
  2. giantpune (GBAtemp Addict, Member), joined Apr 10, 2009, United States
    OK, so you have a 512MB block of data, and you know somewhere in that is 500KB of data that is the EULA. How do you think you will determine where in the NAND that EULA is stored?
     
  3. Tom191 (OP, Banned), joined Jul 19, 2010, Canada
    Please correct me if I'm wrong, but we already have the common key, and we can decrypt the directory structure and extract the encrypted file (I believe wiinand can do this; correct me if I'm wrong again). And since we can decrypt the directory structure, we can tell exactly where certain encrypted data is sitting. So with that, we extract the encrypted file and use that.

    I know you have a LOT of knowledge so I will respect any input you have towards this, giantpune.
     
  4. tueidj (I R Expert, Member), joined Jan 8, 2009
    The directory structure isn't encrypted at all in a NAND dump; you can tell exactly where each file is. It doesn't have anything to do with the common key, though.
     
  5. Tom191 (OP, Banned), joined Jul 19, 2010, Canada
    OK, so even better. So is this a possibility to do? I spoke to someone who is taking cryptology in college, and although he said he does not know anything about the Wii, from the way I explained it to him he said it sounds very likely possible to do and sounds like it would be efficient. He also said that the more files we can positively identify and know the unencrypted contents of, the easier it will be to do this.

    For example, if you have a 003 Wii, you can still pull up the recovery mode and see that it has either system menu 4.2 or 4.3 for a specific region. So that is another group of files that can be used for this attack. I'm sure that there are many files in the Wii NAND that can be used for this. There is also the case that some might be patched IOSes, so those we'd probably have to ignore.

    Please discuss.
     
  6. tueidj (I R Expert, Member), joined Jan 8, 2009
    You're basically talking about brute-forcing AES. Good luck achieving that for a single Wii before we're all dead, let alone all the bricked Wiis out there.
     
  7. svpe (Member, Newcomer), joined Mar 15, 2007, The Gambia
    What you're talking about is a known-plaintext attack. AES, which is used to encrypt the NAND, and every other modern crypto algorithm are not vulnerable to those attacks.
     
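    The known-plaintext situation the two replies above describe, as an added example (not code from the thread or from any Wii tool): given a plaintext block and its AES-128 ciphertext, the only generic attack is exhaustive key search, so the code recovers a key whose space has been artificially cut to 16 unknown bits and then extrapolates the measured per-trial cost to the full 128 bits. The key layout, the 16-byte sample block and the use of a single raw AES block rather than the NAND's real chaining mode are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// makeKey puts n in the low 64 bits of a 16-byte AES-128 key (constructed, reduced key space).
func makeKey(n uint64) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint64(key[8:], n)
	return key
}

// encryptBlock encrypts one raw AES block; the NAND's real chaining mode is not assumed here.
func encryptBlock(key, pt []byte) []byte {
	c, _ := aes.NewCipher(key) // key is always 16 bytes, so NewCipher cannot fail
	ct := make([]byte, aes.BlockSize)
	c.Encrypt(ct, pt)
	return ct
}

// recoverKey: all a known plaintext/ciphertext pair buys against AES is exhaustive search.
func recoverKey(pt, ct []byte, bits uint) (key, trials uint64, ok bool) {
	limit := uint64(1) << bits
	for n := uint64(0); n < limit; n++ {
		if bytes.Equal(encryptBlock(makeKey(n), pt), ct) {
			return n, n + 1, true
		}
	}
	return 0, limit, false
}

// yearsForFullKey extrapolates a measured per-trial cost to all 2^128 keys.
func yearsForFullKey(secondsPerTrial float64) float64 {
	return math.Ldexp(1, 128) * secondsPerTrial / (365.25 * 86400)
}

func main() {
	pt := []byte("known EULA block")       // constructed 16-byte known plaintext
	ct := encryptBlock(makeKey(0xBEEF), pt) // "secret" key with only 16 unknown bits
	start := time.Now()
	key, trials, ok := recoverKey(pt, ct, 16)
	perTrial := time.Since(start).Seconds() / float64(trials)
	fmt.Printf("found=%v key=%#x after %d trials, %.2e s each; all 128 bits: ~%.2e years\n", ok, key, trials, perTrial, yearsForFullKey(perTrial))
}
```

    Each extra unknown key bit doubles the trials, which is why the 16-bit toy finishes in milliseconds while the 128-bit extrapolation comes out in the order of 10^22 years even at nanosecond-per-trial speeds.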
  8. bwillb (GBAtemp Advanced Fan, Member), joined Jul 2, 2009, United States
    maybe the passkey is 1 2 3 4 5