????kashi777 said: I found this here:
Here's a quote from your link
QUOTE: To fix the Korean 4.2 error: 003 unauthorized device has been detected, you will need to reinstall your cios38r14, and install cIOS70 (from cIOSCORP 3.5) to fix 4.2 system menu. Or you may downgrade to an unaffected system menu.
Abkarino said: yeah, you are right, since you can't run any homebrew application to install these WADs, so forget about it.
you can't believe everything you read on the net
this solution will work only if we find a working way to launch our homemade applications such as WAD Manager or HackMii
lord_lufias said: if you can autoboot SSBB, then you should be able to run an exploit like smashstack and run a wad manager in 4.2K (bricked error:003).
only then you can reinstall or downgrade the IOS or whatever from the link above. it's already explained in the link.
that sounds good, so I hope that the drivekey team can help us to bypass SSBB NTSC-U protection to let us fix our broken Korean Wii consoles
lord_lufias said: yup.. I've already contacted the drivekey team to see if it can be done. waiting for their reply...
QUOTE:
Hiding Keys
There are two places inside the Hollywood package that contain programmable bits — a bank of OTP memory (One-Time Programmable, AKA fuses), and a serial EEPROM (which is actually reprogrammable).
The OTP area is 32 words x 32 bits = 1024 bits, total. This is actually quite a bit for an embedded OTP area — I’ve never seen another chip with that many fuses. (Most chips have more like 16.) The 32 words are organized like so:
5x32: boot1 SHA1 hash
4x32: common AES key
1x32: NG ID
7x32: NG Private Key
5x32: NAND HMAC
4x32: NAND AES key
4x32: RNG key
2x32: Unknown
32x32: Total
Whoops, looks like we’re out of room to stash keys in OTP. Even though there are 2 unknown words, we’d need 4 to store a second common key.
What about the sEEPROM? It stores a couple of flags that indicate whether this is a retail or development console (and therefore which set of public keys should be used), and then the certificate issued by Nintendo that is tacked onto your savegames. There are a couple more flags and counters stored there, but still — that’s less than half of the size of the smallest chip they could buy.
Sure enough, some digging reveals:
Code:
get_korean_key                          ; CODE XREF: load_all_keys+7C
                                        ; DATA XREF: load_all_keys:off_13A7976C
                PUSH    {R4,R5,LR}
                ADDS    R4, R0, #0
                BL      disable_interrupts
                ADDS    R5, R0, #0
                BL      is_otp_programmed
                CMP     R0, #0
                BEQ     loc_FFFF1D48
                MOVS    R0, #0x3A       ; offset
                ADDS    R1, R4, #0      ; dest
                MOVS    R2, #0x10       ; len
                BL      seeprom_read

loc_FFFF1D3C                            ; CODE XREF: get_korean_key+32
                ADDS    R0, R5, #0
                BL      enable_interrupts
                POP     {R4,R5}
                POP     {R0}
                BX      R0
; ---------------------------------------------------------------------------

loc_FFFF1D48                            ; CODE XREF: get_korean_key+10
                ADDS    R0, R4, #0
                LDR     R1, =default_korean_key
                MOVS    R2, #0x10
                BL      memcpy
                B       loc_FFFF1D3C
; ---------------------------------------------------------------------------
off_FFFF1D54    DCD default_korean_key  ; DATA XREF: get_korean_key+2A
; End of function get_korean_key

This code checks to see if the OTP area is programmed; if not, it assumes it is in the factory and uses the default key (all zeroes). If it is, it reads 0x10 bytes from offset 0x3a of the sEEPROM, and uses those.
63 b8 2b b4 f4 61 4e 2e 13 f2 fe fb ba 4c 9b 7e
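Added example (not part of the thread or of the quoted post): a C model of the two points the quoted post makes, the OTP word budget and the key-source selection in get_korean_key. The struct, the 256-byte sEEPROM size and the demo helper are assumptions made for illustration, and the sEEPROM contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN            0x10u  /* len passed to seeprom_read in the listing */
#define SEEPROM_KEY_OFFSET 0x3Au  /* offset passed to seeprom_read in the listing */
#define SEEPROM_SIZE       256u   /* assumption: size of the modelled sEEPROM */

/* OTP fields from the quoted list, in 32-bit words; the last entry is "Unknown". */
static const unsigned OTP_FIELD_WORDS[] = {5, 4, 1, 7, 5, 4, 4, 2};
#define OTP_NFIELDS (sizeof OTP_FIELD_WORDS / sizeof OTP_FIELD_WORDS[0])

/* Total number of OTP words accounted for by the list. */
unsigned otp_words_used(void) {
    unsigned total = 0;
    for (size_t i = 0; i < OTP_NFIELDS; i++) total += OTP_FIELD_WORDS[i];
    return total;
}

/* Would a second 128-bit key fit in the words not assigned to a known field? */
int second_key_fits_in_otp(void) {
    unsigned spare_bytes = OTP_FIELD_WORDS[OTP_NFIELDS - 1] * 4u;
    return spare_bytes >= KEY_LEN;
}

struct console {                  /* hypothetical model, not a real register map */
    int otp_programmed;
    uint8_t seeprom[SEEPROM_SIZE];
};

/* Returns 1 if the key came from the sEEPROM, 0 if the all-zero default was used. */
int get_korean_key(const struct console *c, uint8_t key[KEY_LEN]) {
    if (!c->otp_programmed) {     /* factory state: fall back to the default key */
        memset(key, 0, KEY_LEN);
        return 0;
    }
    memcpy(key, c->seeprom + SEEPROM_KEY_OFFSET, KEY_LEN);
    return 1;
}

/* Constructed input: sEEPROM byte i holds the value i, so each key byte shows its source offset. */
int demo_key_byte(int otp_programmed, unsigned idx) {
    struct console c = { .otp_programmed = otp_programmed };
    uint8_t key[KEY_LEN];
    for (unsigned i = 0; i < SEEPROM_SIZE; i++) c.seeprom[i] = (uint8_t)i;
    get_korean_key(&c, key);
    return idx < KEY_LEN ? key[idx] : -1;
}
```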
SanGor said: you see the sEEPROM on the GPU, how the hell are you going to write something to that?
Wiiwu said: Thanks for the finding Abkarino.
So we now know quite a bit:
- korean common key location
- SEEPROM is a 93C56
- easy to program, 4 pin CS, CLK, MOSI MISO
I bet these pins are routed to the mainboard too, maybe amongst the many test points?
DeadlyFoez said: Good luck finding them, and finding the right protocol to get the info. Team twiizers already has tried many hardware things to the wii and they never found anything close to it. After my talks with marcan, I believe that we find anything new about the wii. You almost have to disassemble the whole wii to find it. You will have to remove the hollywood chip and run continuity tests to find where each lead goes to.
The way that I bet it works is that once nintendo writes the data into the OTP and they blow the fuses, that only the hollywood chip itself will be able to see the keys and that data doesn't go outside of hollywood and that there is no way of getting it otherwise.
Hey, I could be wrong. But good luck to whoever wants to kill their wii to find this info.
If someone sends me a test wii then I can remove the hollywood and start running tests. My wife won't let me do it to our wii because she loves the NSMBW too much.