Hacking ROP from within IOS_USB (5.5.1)

asper · Oct 18, 2016

Maybe you are moving the names in the wrong column... Anyway the WiFi otp dumper works great. You need loadiine-compiled udp server and you need to modify the ip of your pc IP in the WiFi otp tool sources (or hex edit the compiled elf at offset 0x00008A2C, 4 bytes starting with C0; do it at your own risk!!).

Launch the server on your pc and press " f " to start logging; go to wiiu and execute the WiFi otp tool and wait for the on screen dump; go back to your pc, you should see data streamed via udp; press " f " again to save the log.

thisisallowed · Oct 18, 2016

asper said:
Maybe you are moving the names in the wrong column... Anyway the WiFi otp dumper works great. You need loadiine-compiled udp server and you need to modify the ip of your pc IP in the WiFi otp tool sources (or hex edit the compiled elf at offset 0x00008A2C, 4 bytes starting with C0).

Launch the server on your pc and press " f " to start logging; go to wiiu and execute the WiFi otp tool and wait for the on screen dump; go back to your pc, you should see data streamed via udp; press " f " again to save the log.

Can you post the compiled elf here? Can't seem to compile it...

asper · Oct 18, 2016

thisisallowed said:
Can you post the compiled elf here? Can't seem to compile it...

No, if you are not able to compile you should not play with that stuff.

iAqua · Oct 18, 2016

asper said:
No, if you are not able to compile you should not play with that stuff.

it's just a file dumper... @thisisallowed i'll compile it for you.

thisisallowed · Oct 18, 2016

asper said:
No, if you are not able to compile you should not play with that stuff.

I dunno, keep getting a curl error even tho it's installed... I'm on Arch if that matters. Tried to include /usr, and it seems it's the wrong curl...

iAqua · Oct 18, 2016

thisisallowed said:
I dunno, keep getting a curl error even tho it's installed... I'm on Arch if that matters. Tried to include /usr, and it seems it's the wrong curl...

Yeah, sorry, but my linux won't compile this. Annoying command error missing stuff...

thisisallowed · Oct 18, 2016

iAqua said:
Yeah, sorry, but my linux won't compile this. Annoying command error missing stuff...

I used some old libs from loadiine and that worked.

iAqua · Oct 18, 2016

thisisallowed said:
I used some old libs from loadiine and that worked.

Oh, that's good then!

.

TheZander · Oct 19, 2016

out of curiosity since it was stressed not to share the key with anyone. What could someone do with it to screw them over? Console ID kind of stuff, for online ban evasion or something?

Conn0r · Oct 19, 2016

TheZander said:
out of curiosity since it was stressed not to share the key with anyone. What could someone do with it to screw them over? Console ID kind of stuff, for online ban evasion or something?

You shouldn't share it because it is copyrighted data. Not because it's Personally Identifiable.

TheZander · Oct 19, 2016

Conn0r said:
You shouldn't share it because it is copyrighted data. Not because it's Personally Identifiable.

that's it? I was guessing there was some unique part of it that could be duped on another console or something. How would Nintendo even recognize the millions of crazy long keys. I understand that they wouldn't without proper context, but even then I don't get how it's enough.

Conn0r · Oct 19, 2016

TheZander said:
that's it? I was guessing there was some unique part of it that could be duped on another console or something. How would Nintendo even recognize the millions of crazy long keys. I understand that they wouldn't without proper context, but even then I don't get how it's enough.

If it was possible to overwrite a ONE TIME PROGRAMMABLE rom, the console would most likely not boot because some of the keys in the otp are required to properly decrypt data on the nananannand.

Pachee · Oct 20, 2016

Abusive request: Could somebody make a version of Trump's dumper that dumps the SEEPROM instead?

zoogie · Oct 20, 2016

thisisallowed said:
I dunno, keep getting a curl error even tho it's installed... I'm on Arch if that matters. Tried to include /usr, and it seems it's the wrong curl...

Delete curl_functions.c and curl_functions.h and it should compile.

sdtg34520 · Oct 20, 2016

-deleted-

Pachee · Oct 20, 2016

Sans-Serif said:
quick thing:
I'm Trump, and I didn't work on it at all. That's dimok, Maschell, QuarkTheAwesome, and kanye_west's work, among others.

I believe IOS-KERNEL has all the permissions needed to dump it, but it's down to actually implementing it, and not much is documented about the SEEPROM from what I know.

First, thanks everyone for the dumper.
I was reading on wiibrew, not even the wii seeprom has information about reading it. Maybe tueidj knows something about it on the Wii U? He wrote the seeprom.c used in this tool https://gbatemp.net/threads/koreankii-add-or-remove-the-korean-key.336940/

Mario10095 · Oct 20, 2016

EclipseSin said:
Use a toothpick and a pair of tweezer. Use the tooth pick to try and release the push latch in the back by pushing in (it should feel springy, dont force it), then use the tweezers to pull it out, alternatively use two toothpicks.

if you cant, try to remove the piece without undoing the latch. If you can get the piece out, carefully force a good sd card in, then remove like normal.

Where is the springy thing?

hippy dave · Nov 11, 2016

hacker124 said:
iosu is very cool right now

But Hillary isn't.

proflayton123 · Nov 11, 2016

hippy dave said:
But Hillary isn't.

Ouch

Hacking ROP from within IOS_USB (5.5.1)

Well-Known Member

中国御宅族

Well-Known Member

ㅤ

中国御宅族

ㅤ

中国御宅族

ㅤ

1337

Well-Known Member

1337

Well-Known Member

Well-Known Member

playing around in the end of life

GURU MEDITATION ERROR

Well-Known Member

Well-Known Member

BBMB

The Temp Loaf'

Similar threads

Popular threads in this forum