Modchips + homebrew - free + illegal = ArgonChannel

Discussion in 'Wii - Hacking' started by djdynamite123, Jan 10, 2009.

  1. djdynamite123
    OP

    Banned djdynamite123 Master Of Hardcore!

    http://hackmii.com/

    [Embedded YouTube video: http://www.youtube.com/v/EEaJNfnrJFw]

    The Argon modchip guys have been trumping up this new cool thing they call the Argon Channel. At first details were sketchy, but as time passed what it was started to become obvious: some homebrew launching or installing “solution”, locked to a modchip.

    Recently, the Argon guys showed up on IRC and had an interesting conversation with me, where they tried to get me to help them get the channel to work on System Menu 3.4 by convincing me of the wonderful world of modchip software. The conversation was somewhere along the lines of this, excluding the broken English: “By bundling it with our modchip we make homebrew more popular”. “But it’s locked to your modchip, how will that make it more popular?” “Yes, that makes it even more popular because it’s exclusive and people will want it.”

    The response, obviously, was no.

    Now the channel has showed up and gasp, it’s compatible with 3.4. Wait, did they find an exploit?

    Of course they didn’t.

    By watching the video you’ll see that it consists of a two-stage process. This should start ringing alarm bells: why on earth would they have to install two things to install the channel? You’ll also notice that before installing the second half, they do some sort of serial number verification. This seems to be their way of locking it to the chip.

    Download their package. First alarm bell. They’re bundling the Twilight Hack, which they’re not authorized to do. Hmm.

    Let’s look inside the first DOL file - which turns out to be the one labeled part2. They’re backwards. Shows how much time they spent preparing this package. This file looks suspiciously like a Waninkoko product - same banner and console style. Let’s look inside.


    0004e980 00 00 00 20 49 73 00 00 00 00 0a 00 00 00 00 00 |... Is..........|
    0004e990 00 00 02 a4 00 00 02 2c 00 18 8c 00 00 00 00 40 |.......,.......@|
    0004e9a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    0004e9b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    0004e9c0 00 01 00 00 b3 ad b3 22 6b 3c 3d ff 1b 4b 40 77 |......."k<=..K@w|

    That looks like a WAD header. Interestingly, `strings’ didn’t show any readable four-letter Title ID among the Root-CA strings from the certs, TMD, and ticket. Let’s run it through a WAD extraction tool that I have, which prints out information:

    Wii Wad:
    Header 0x20 Type 'Is' Certs 0xa00 Tik 0x2a4 TMD 0x22c Data 0x188c00 @ 0xf40 Footer 0x40
    ETicket:
    Title ID: '\x00\x00\x00\x01\x00\x00\x00\x10'
    Title key IV: 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 00
    Title key (encrypted): 52 6b 1a 2a d0 db 6a 80 c2 95 25 63 80 98 f8 82
    Common key index: 0
    Title key (decrypted): 34 9e 8a c5 ed 3c e1 51 72 f2 b9 3e 1b cb 06 3b
    ETicket signed by Root-CA00000001-XS00000003 using RSA-2048: ec f8... [OK]
    TMD:
    Versions: 0, CA CRL 0, Signer CRL 0, System 0-0
    Title ID: 00000001-00000010 ('\x00\x00\x00\x01'-'\x00\x00\x00\x10')
    Title Type: 1
    Group ID: '\x00\x01'
    Access Rights: 0x00000000
    Title Version: 0x101
    Boot Index: 1
    Contents:
    ID Index Type Size Hash
    00000000 0 0x1 0x40 ca 2e 8c 59 e9 7e e9 fe...
    00000001 1 0x1 0x188b81 65 3e 5e 0f 1d ea 72 f2...
    TMD signed by Root-CA00000001-CP00000004 using RSA-2048: 8b 1a... [OK]
    Certificates:
    - CA00000001 (RSA-2048)
    Certificate signed by Root using RSA-4096: 6f 47... [OK]
    - CP00000004 (RSA-2048)
    Certificate signed by Root-CA00000001 using RSA-2048: 8d 4f... [OK]
    - XS00000003 (RSA-2048)
    Certificate signed by Root-CA00000001 using RSA-2048: d7 0a... [OK]

    Title ID 00000001-00000010 is IOS16. So this is how they get it to work on 3.4. And this is also why there’s a two-stage process. They’re bundling a private, repair center only, leaked IOS from Nintendo.

    Ladies and gentlemen, epic fail.

    There’s another WAD in the DOL. I’ll spare you the boring WAD infodumps and just say that it’s some version of cIOS. So their first stage “installer” just installs IOS16, then uses that to install cIOS. A waninkoko-worthy product indeed. I seem to recall him saying he’d never use IOS16, some time ago in the EOL forums. How quaint.

    00000000 66 69 72 6d 77 61 72 65 2e 36 34 2e 30 38 30 38 |firmware.64.0808|
    00000010 32 39 31 36 30 30 00 00 00 00 00 00 00 00 00 00 |291600..........|
    00000020 00 00 00 00 00 00 00 00 00 00 00 00 01 02 00 00 |................|
    00000030 77 61 6e 69 6e 6b 6f 6b 6f 40 43 49 4f 53 00 00 |waninkoko@CIOS..|

    Their part21 “installer” is just a standard game DVD launcher that launches it using cIOS.

    Let’s look at their install DVD, shall we?

    This is a standard Wii ISO. You can tell it has been fakesigned with Trucha Signer. This is evident because you can, you know, read my name and xt5’s on the signature:

    502c0 00 01 00 01 a5 ce b8 bc 99 b7 e9 a0 c1 ff 14 78 |...............x|
    502d0 5c 22 66 85 51 a0 44 0c 70 3e 16 34 9a 1c a6 74 |\"f.Q.D.p>.4...t|
    502e0 74 47 56 46 4e 1c 56 b3 dd bc 76 f4 6b 64 ce 35 |tGVFN.V...v.kd.5|
    502f0 40 72 c6 cf 53 9b 64 38 36 30 15 dc 4f 0d 6d 26 |@r..S.d860..O.m&|
    50300 41 38 55 4b 67 d8 54 68 45 66 49 53 68 e9 61 78 |A8UKg.ThEfISh.ax|
    50310 b1 30 c5 63 00 d9 69 de 93 d8 4f c8 69 ed 52 12 |.0.c..i...O.i.R.|
    50320 96 35 28 45 48 e2 70 e2 4b 01 53 7d 53 e3 43 13 |.5(EH.p.K.S}S.C.|
    50330 8b 30 77 6a 58 41 6f 6c 54 72 61 4c 61 4c 61 05 |.0wjXAolTraLaLa.|
    50340 6d 64 8a 62 bd b8 53 98 b3 9c 55 df 4c 10 4e c2 |md.b..S...U.L.N.|
    50350 4d 33 77 87 e0 a8 61 69 85 3b 4a 64 69 7a 37 f7 |M3w...ai.;Jdiz7.|
    50360 fe 4b 84 42 d2 37 6c 48 67 c6 75 ec 45 8d 9e fd |.K.B.7lHg.u.E...|
    50370 db 63 43 41 30 6a 4d 6d 42 4e 73 55 21 d5 da 32 |.cCA0jMmBNsU!..2|
    50380 23 34 d2 64 f6 e3 4f 3c 43 ab 65 ec ea 1e a7 92 |#4.d..O<C.e.....|
    50390 6f 68 70 54 68 49 6e 47 53 52 eb 52 96 a2 03 43 |ohpThInGSR.R...C|
    503a0 8e 33 fb 73 be f8 67 72 49 6e 64 45 45 64 3f 3f |.3.s..grIndEEd??|
    503b0 77 53 d8 89 28 a8 bf a4 aa e8 ef 83 ff 56 9a e3 |wS..(........V..|

    For fun, try finding other interesting strings.

    Let’s try running it through an information tool.

    Game ARGO, maker NC, magic 5d1c9ea3: Argon Channel Installer
    1 partitions in ISO:
    [ 0] 0x0000050000 (00000000)
    Wii Partition at 0x0000050000:
    TMD @ 0x2c0 [0x208], Certs @ 0x4e0 [0xa00], H3 @ 0x8000, Data @ 0x20000 [0x1f0000]
    ETicket:
    Title ID: '\x00\x01\x00\x01ARGN'
    Title key IV: 00 01 00 01 41 52 47 4e 00 00 00 00 00 00 00 00
    Title key (encrypted): 21 21 41 52 47 4e 43 48 4e 4c 46 4b 4b 59 23 23
    Common key index: 1
    Title key (decrypted): 5a de 4a 66 32 0d c1 56 05 3e e3 64 c3 c0 d3 5b
    ETicket signed by Root-CA00000001-XS00000003 using RSA-2048: d2 a8.... [FAIL]
    Signature hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    TMD:
    Versions: 0, CA CRL 0, Signer CRL 0, System 1-21
    Title ID: 00010001-4152474e ('\x00\x01\x00\x01'-'ARGN')
    Title Type: 0
    Group ID: 'HB'
    Access Rights: 0x00000000
    Title Version: 0x1
    Boot Index: 0
    Contents:
    ID Index Type Size Hash
    00000000 0 0x1 0x3e0000 aa b4 a7 dc 21 48 0d e9...
    TMD signed by Root-CA00000001-CP00000004 using RSA-2048: 00 ea... [BUG]
    Signature hash: 00 6f...
    H4 hash check passed
    Data:
    Blocks: 62
    Subgroups: 7 (plus 6 blocks)
    Groups: 0 (plus 62 blocks)
    Certificates:
    - CA00000001 (RSA-2048)
    Certificate signed by Root using RSA-4096: 6f 47... [OK]
    - CP00000004 (RSA-2048)
    Certificate signed by Root-CA00000001 using RSA-2048: 8d 4f... [OK]
    - XS00000003 (RSA-2048)
    Certificate signed by Root-CA00000001 using RSA-2048: d7 0a... [OK]
    pywii.wii.HashError: Failed to verify data chunk 0 against H0:
    expected 82254908e26f42fe903d5bcf3f95f2acfa110e4d,
    got 8b7219c81d0a4e985c65edd9de2c0b943520f8c6

    So their ticket is signed wrong and the data doesn’t verify. Attempting to extract it yields garbage. This means their modchip patches the Title Key to something else. Because, you know, just in case you couldn’t figure it out yourself, they tell you. Their fake key is “!!ARGNCHNLFKKY##”.

    I tried all single or double byte patches in case they were using a really lame patch, but it appears they’re not that stupid. I’m currently waiting for a way of getting the Title Key, probably from someone with an Argon2. Expect an update once that happens. I can practically guarantee that their channel banner will also be stolen from a Nintendo channel, though - it looks just like all those other stolen banners, in the video (same animation). Beyond that, who knows - maybe there’s even more things to laugh about.

    In short, if you want a channel that:

    Is vendor locked to a modchip
    Is way more annoying to install than The Homebrew Channel
    Consists of a bunch of jury-rigged tools to install and was clearly made by not very competent people
    Is illegal twice
    Is probably illegal a couple more times
    Also rips off the Twilight Hack
    More to come once I get their key
    Then, by all means, get the ArgonChannel. Otherwise, stay very very far away.

    Bonus content: Apparently argon have never heard of fonts. Those were inside their modchip updater DOL file.
    Bonus content 2: An HMAC password involved in the update process of the Argon chip is RobinsodAndWaninkoko1. Just in case anyone had any doubts that he’s involved in all this.
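
The WAD header decode quoted in the post above can be reproduced by hand. This Python sketch is an added example, not part of the original post or of the tool its author used: it scans a binary for the header signature seen in the first hex dump and lays out the sections, assuming the standard 0x20-byte big-endian WAD header and 64-byte section alignment. The filler bytes and function names are constructed for illustration.

```python
import struct

# Constructed sample: the two header rows from the dump in the post (found at
# 0x4e980 in the DOL), wrapped in filler bytes standing in for the executable.
HEADER = bytes.fromhex(
    "00000020" "4973" "0000" "00000a00" "00000000"
    "000002a4" "0000022c" "00188c00" "00000040"
)
SAMPLE_BLOB = b"\x7fDOLFILLER" * 3 + HEADER + bytes(64)

# Header size 0x20, type 'Is', version 0: the first eight bytes of the dump.
MAGIC = b"\x00\x00\x00\x20Is\x00\x00"


def align64(n):
    """Round up to the next 64-byte boundary (WAD sections are padded)."""
    return (n + 63) & ~63


def parse_wad_header(buf, off=0):
    """Decode the 0x20-byte header at `off` and compute each section's offset."""
    hdr_size, wad_type, version, certs, _reserved, tik, tmd, data, footer = \
        struct.unpack_from(">I2sHIIIIII", buf, off)
    if hdr_size != 0x20:
        raise ValueError("not a WAD header")
    sizes = [("certs", certs), ("ticket", tik), ("tmd", tmd),
             ("data", data), ("footer", footer)]
    pos, layout = align64(hdr_size), {}
    for name, size in sizes:
        layout[name] = (pos, size)          # (offset from WAD start, size)
        pos = align64(pos + size)
    return {"type": wad_type.decode("ascii"), "version": version,
            "layout": layout, "total": pos}


def find_embedded_wads(blob):
    """Return (offset, parsed header) for every WAD signature in `blob`."""
    hits, start = [], 0
    while (i := blob.find(MAGIC, start)) != -1:
        if len(blob) - i >= 0x20:
            hits.append((i, parse_wad_header(blob, i)))
        start = i + 1
    return hits


if __name__ == "__main__":
    for offset, wad in find_embedded_wads(SAMPLE_BLOB):
        print(f"WAD header at {offset:#x}, type {wad['type']!r}")
        for name, (pos, size) in wad["layout"].items():
            print(f"  {name:<6} size {size:#x} @ {pos:#x}")
```

The computed data offset, 0xf40, matches the "Data 0x188c00 @ 0xf40" line in the tool output quoted in the post.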
     


  2. afif95

    Member afif95 I own a bungalow on Mars, and booked 4 corner lots

    And I thought Argon were good people
     
  3. Wiisel

    Member Wiisel GBAtemp Maniac

    at least they asked before stealing

    all seems too much hassle to install with the crappy key thing and who wants to buy a chip to access homebrew?

    nice to have another homebrew launcher tho if it uses anything new.
     
  4. afif95

    Member afif95 I own a bungalow on Mars, and booked 4 corner lots

    I'm sticking with my still-to-be-known-the-brand chip.
     
  5. zetetic

    Newcomer zetetic Member

    I posted on hackmii asking what Waninkoko's response was, but it was deleted...
     
  6. raulpica

    Supervisor raulpica With your drill, thrust to the sky!

    I'm glad marcan exposed them.

    That modchip is three times illegal
     
  7. Blue-K

    Member Blue-K No right of appeal.

    You're getting slow, djdynamite123...I've read this 30 Minutes ago (or more)...

    Anyways...again I don't get it..is this simply a Homebrew-Channel from Argon? Not more? Why should someone be so dumb and use this s***, since the original from TeamTwiizers is and will always be the best?

    EPIC FAIL...really..
     
  8. CasperH

    CasperH Newbie

    What was it?
     
  9. Wiisel

    Member Wiisel GBAtemp Maniac

    because the original has those waves and horrible sound
     
  10. dread123

    Member dread123 GBAtemp Regular

    ...please!!!

    Does it really matter that it is illegal? Only to Marcan and rest of the team. To everyday users like myself and other people, it makes no difference.
    We will still use most apps whether legal or illegal. I say fair play to them..they are keeping things fresh, whereby others seem to keep any info to themselves until it has been revealed by others!
    I am a pirate and not really concerned what the general public think about my downloading habits, it's the internet, shit happens, people get ripped off.. there is not a lot that Marcan and his team can do to stop people ripping off their warez!

    Rant over- flame on
     
  11. zetetic

    Newcomer zetetic Member

    The question was deleted, never got an answer.
     
  12. Arm the Homeless

    Member Arm the Homeless Custom Title

    Could we ban him?
     
  13. dread123

    Member dread123 GBAtemp Regular

    ban me...for having an opinion?? lol
     
  14. IOwnAndPwnU

    Member IOwnAndPwnU GBAtemp Maniac

    By the way, seems like you're too addicted to the virtual world.
    ...
    Good job!
     
  15. Jdbye

    Suspended Jdbye Always Remember 30/07/08

    I hope Nintendo sues them
     
  16. Phratt

    Member Phratt GBAtemp Advanced Fan

    People need to stop making money off of homebrew, even if it's original work, it's just very sleazy IMO.

    If they weren't selling then I'd say that marcan should just let them live, because TPhack is like one of the few ways to do homebrew nowadays. That's like Benjamin Franklin suing everyone who doesn't credit him when making electrical products; Franklin was the pioneer, there's no other alternative than to use his discovery.
     
  17. denzil

    Newcomer denzil Advanced Member

    marcan put it into other words, but that's exactly the point: all aspects of legality aside, by selling this channel and its installer as "feature" of their modchip, they make money off other people's work, namely Team Twiizer's work, and by including their code, Nintendo's. That's just about the same as selling warez.
     
  18. Lazycus

    Member Lazycus Rotten

    Yawn. Who would buy an Argon chip because of this "feature"? What a waste of time and effort. Waninkoko will get paid but I doubt the Argon folks will see a return on their investment.
     
  19. FRanatic

    Member FRanatic GBAtemp Regular

    People don't buy modchips for homebrew.
    To the new users it's just a modchip. If the price of this one exceeds the others, just because it's 'homebrew capable', the new customer will buy one of the cheaper other chips.

    And the people familiar with the scene know about TP and HBC, so they'll drop it like a bad habit.

    This chip will not sell for the above reasons. Also, once they start taking orders Nintendo will shut them down. See what happened to the Datel Lite Blue Battery for the PSP.
     
  20. WiiCrazy

    Member WiiCrazy Be water my friend!

    Well but people want to use emulators... and there are lots of them... so it makes a choice when average joe mods his wii...

    The thing is lame... yet they don't think it being lame or not, they just care about the profit at the end of the day...

    What's much more lame is they need to resort to the twilight hack to install this... guess there is a scarcity for talented hackers (even not self motivated) around the globe...
     
