Hacking Idea for possibly getting the per console key of a bricked wii

Tom191

Banned!
OP
Banned
Joined
Jul 19, 2010
Messages
76
Trophies
0
XP
2
Country
Canada
Ok, as most of us know, the reason for trying to crack an encryption key is because someone wants to know the information on the other end. Well, with Wiis, the common key (I think, correct me if I'm wrong) is what encrypts the directory structure for the file system of the Wii's internal flash memory. The data of each file is encrypted with the per console key.

Well, being for many common files like EULA, and I'm sure many more, we can know what the end result of the unencrypted should look like. And we know how to pull out a file from a Wii NAND even if we don't have the per console keys; we can at least extract the encrypted file. So with that we have the unencrypted version, and then also an encrypted version, then it should be easier to attack this algorithm from both sides.

I know I'm probably not explaining my exact thoughts the way I want to, but hopefully a few of the smarter people around here can key in and say what the chance might be to do this.

Please give any and all input you might have without flaming.
 

giantpune

Well-Known Member
Member
Joined
Apr 10, 2009
Messages
2,860
Trophies
0
XP
213
Country
United States
Ok, so you have a 512MB block of data, and you know somewhere in that is 500KB of data that is the EULA. How do you think you will determine where in the NAND that EULA is stored?
 

Tom191

giantpune said:
Ok, so you have a 512MB block of data, and you know somewhere in that is 500KB of data that is the EULA. How do you think you will determine where in the NAND that EULA is stored?
Please correct me if I'm wrong, but since we already have the common key and we can decrypt the directory structure and extract out the encrypted file (I believe wiinand can do this (correct me if I'm wrong again)). But I believe since we can decrypt the directory structure then we can tell exactly where certain encrypted data is sitting. So with that, we extract the encrypted file and use that.

I know you have a LOT of knowledge so I will respect any input you have towards this, giantpune.
 

tueidj

I R Expert
Member
Joined
Jan 8, 2009
Messages
2,569
Trophies
0
XP
999
Country
The directory structure isn't encrypted at all in a NAND dump; you can tell exactly where each file is. Doesn't have anything to do with the common key though.
 

Tom191

Ok, so even better. So is this a possibility to do? I spoke to someone who is taking cryptology in college and said although he does not know anything about the Wii, the way that I explained it to him he said it sounds like it is very likely possible to do and sounds like it would be efficient. He also said that the more files that we can positively identify and know what the unencrypted contents should be, then the easier it will be to do this.

For example, if you have a 003 Wii, well then you can still pull up the recovery mode and see that it either has system menu 4.2 or 4.3 for a specific region. So that is another group of files that can be used to do this attack. I'm sure that there are many files that can be used for this in the Wii NAND. There is also the case that some might be patched IOS's, so those we'd probably have to ignore.

Please discuss.
 

tueidj

You're basically talking about brute-forcing AES. Good luck achieving that for a single Wii before we're all dead, let alone all the bricked Wiis out there.
 

svpe

Active Member
Newcomer
Joined
Mar 15, 2007
Messages
44
Trophies
0
XP
73
Country
Gambia, The
What you're talking about is a known-plaintext attack. AES - which is used to encrypt the NAND - and every modern crypto algorithm are usually not vulnerable to those attacks.
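The point made in the replies above about known-plaintext attacks and brute-forcing AES, as an added example that is not part of the original thread: a self-contained AES-128 block cipher and a known-plaintext key search that only succeeds because all but 12 key bits are handed to it, with the measured rate extrapolated to a full 128-bit key. The key, the plaintext block and the names `search` and `years_for_full_key` are constructed for illustration; the single-block setup is an assumption and does not model the NAND layout.

```python
import time

def xtime(a): return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF   # times 2 in GF(2^8)

def make_sbox():                                 # AES S-box, generated instead of hard-coded
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p ^= xtime(p)                            # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80: q ^= 0x09                   # q /= 3, so q stays the inverse of p
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1: return sbox
SBOX = make_sbox()

def aes128_encrypt_block(key, block):
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):                       # key schedule: 44 four-byte words
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rc, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rc = xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]   # SubBytes + ShiftRows
        if r < 10:                               # MixColumns (skipped in the last round)
            cols = [s[k:k + 4] for k in range(0, 16, 4)]
            s = [c[j] ^ c[0] ^ c[1] ^ c[2] ^ c[3] ^ xtime(c[j] ^ c[(j + 1) % 4]) for c in cols for j in range(4)]
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def search(plain, cipher, known_prefix, unknown_bits):
    """Known-plaintext key search over the unknown low bits; returns (key, tries)."""
    for guess in range(1 << unknown_bits):
        key = known_prefix + guess.to_bytes(16 - len(known_prefix), "big")
        if aes128_encrypt_block(key, plain) == cipher:
            return key, guess + 1
    return None, 1 << unknown_bits

def years_for_full_key(keys_per_second):         # average case: half of 2^128 keys
    return 2 ** 127 / keys_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":                       # constructed values, not real console data
    key, pt = bytes(range(14)) + b"\x0a\xbc", b"END USER LICENSE"
    t0 = time.perf_counter()
    found, tries = search(pt, aes128_encrypt_block(key, pt), key[:14], 12)
    print(found == key, tries, "%.1e years" % years_for_full_key(tries / (time.perf_counter() - t0)))
```

Each extra unknown key bit doubles the work, and more known plaintext only confirms a guess; it does not shrink the key space.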
 
