[TUTORIAL] Trucha Signer Tutorial

Discussion in 'Wii - Hacking' started by IBNobody, Feb 27, 2008.

Thread Status:
Not open for further replies.
  1. IBNobody
    OP

    Here is a tutorial on how to use the Trucha Signer. It is a work in progress.

    I am in no way responsible for the work that has gone into this hack.

    Trucha signer requires the ubiquitous key.bin. It can also use other keys, but I was able to sign an ISO using only the common key. I believe this is because the keys are just used for decryption, and only the common key is needed to decrypt ISO files. The other keys, I assume, are for decrypting other file types like VC channels and such. The true hack, if I've read things right, is totally separate from the keys and involves a bug in the Wii RSA signature engine.

    Nevertheless, I included a section on how to obtain the other keys. I did this mainly because of how difficult it was for me to get everything working.

    Trucha Signer works on Wii Firmware US 3.2

    THIS WILL NOT LET YOU PLAY BURNED ISO'S ON AN UNMODDED WII!

    I WILL NOT GIVE OUT KEY.BIN TO ANYONE, NOT EVEN THROUGH PMs!

    *** PRE REQS ***

    1. Get the required files:

    * Trucha Signer:
    http://gbatemp.net/index.php?download=1909

    * Keysearch 1.2:
    http://gbatemp.net/index.php?download=1945

    * DesWaD 0.1:
    http://gbatemp.net/index.php?download=1944

    NOTE: There is a newer version of DesWaD out, but the version I linked to is easier to use for key searching purposes.

    * key.bin
    Google it! It will have an MD5 of 8D1A2EBCD82A3469B77FACF15D9C8E50

    I WILL NOT GIVE OUT KEY.BIN TO ANYONE, NOT EVEN THROUGH PMs!

    * UltraEdit, or some form of hex editor
    http://www.ultraedit.com/

    * An ISO. You may need multiple ISOs...

    2. Unzip everything and put them into a central directory.

    Note: Some users report that DesWaD.exe will only work in their root directory. I did not run into this.

    3. Open up the "wiikeyset.reg" that came with the Trucha Signer in UltraEdit and find the section:

    Code:
    [HKEY_CURRENT_USER\Software\Wii\KeySet\2]
    
    "name"="Custom KeySet 1"
    "boot1 key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "common key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "sd key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "sd iv"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "md5 blanker"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    4. Open the key.bin file in UltraEdit and make sure you are in hex mode (Ctrl-H).

    5. Replace the "common key" line...

    Code:
    "common key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    ...with the contents from key.bin. For example, if key.bin contained AABBCCDDEEFFAABBCCDDEEFF11223344, you'd enter...

    Code:
    "common key"=hex:AA,BB,CC,DD,EE,FF,AA,BB,CC,DD,EE,FF,11,22,33,44

    6. Save the "wiikeyset.reg" file and activate it by double clicking on it. Click "Yes" to add it to the registry.

    *** OBTAINING OTHER KEYS - OPTIONAL? ***

    7. Run trucha.exe and select "Select Keyset/Custom Keyset 1" from the menu bar.

    8. Select "Image/Open ISO" from the Trucha menu bar and open your ISO.

    If your ISO does not open, make sure you have a CLEAN (not scrubbed) ISO. If you get a decryption error, verify that you correctly added the key information to your registry (steps 3-6).

    9. Double-click on the "DISC" icon.

    10. Double-Click on the "PARTITION (RELSAB)" icon, under the "DISC" header. If this partition does not exist, look for the first partition.

    11. Double-Click on the "ROOT" icon under the "PARTITION (RELSAB)" header.

    12. Double-Click on the "_SYS" icon under the "ROOT" header.

    13. There should be two or more .wad files under the "_SYS" header. Look for the following files:

    RVL-WiiSystemmenu-v???.wad (??? can be any number. Some recommend v226, but I used v193)
    IOS21-64-v???.wad (??? can be any number. Some recommend v514.)

    Here are the MD5 sums for the two wad files I used. You can use these to verify your files.

    File: IOS21-64-v514.wad
    MD5: DE6D068FEB5CD09C9D74E1CC344433E5

    File: RVL-WiiSystemmenu-v193.wad
    MD5: 945378F722B53913BC2B391D5A9BA3EB

    [​IMG]

    Note: This image shows RVL-WiiSystemmenu-v162.wad. I did not use this one but am showing it as an example.

    If these do not exist, repeat steps 8-12 with a DIFFERENT ISO.

    14. Assuming you found your files, you need to extract them. Right-click on one of the wads, select "Extract to File", and point to a folder where you want the wad to be saved to.

    15. Take your extracted wads and move them to a folder that contains key.bin.

    16. Launch DesWaD.EXE.

    17. Click the only button on the DesWaD interface and select the WaD file you want to convert to Des. Repeat for the other WaD file. If you get an error 103, your folder with your wads does not contain a copy of key.bin.

    18. You should now have 2 Des files.

    RVL-WiiSystemmenu-v???.des
    IOS21-64-v???.des

    Here are the MD5 sums for the two des files I used.

    File: IOS21-64-v514.des
    MD5: A334D53748B83DD8E22F0756E41CED32

    File: RVL-WiiSystemmenu-v193.des
    MD5: 06771D6B4A7D3AF3F6FD62B5F3DB250C

    19. Run KeyFinder.exe

    20. In KeyFinder, copy & paste the following MD5 sum into the TOP textbox:

    EF33E224E45C8D8C35CE32D8A810B603

    21. Click the only button in KeyFinder.exe and select your "IOS21-64-v???.des" file. DO NOT SELECT YOUR WAD FILE!

    22. Wait for the program to finish. For some of the keyfinds, it will take a while. The KeyFinder program may appear to lock up, but it will complete eventually.

    The bottom window will eventually display:

    [​IMG]

    23. KeyFinder creates a folder with the same name as the MD5 sum of the key. Inside it is a new key.bin. THIS IS NOT THE SUPER KEY.BIN! THIS IS JUST A CONTAINER FOR OTHER KEYS!

    In my example, KeyFinder created...
    T:\ROM Tools\WiiGC Tools\WiiTools\KeyFinder\EF33E224E45C8D8C35CE32D8A810B603\key.bin

    24. Open this key.bin and perform steps 3-6, except instead of replacing the common key, you replace the SD Key.

    Code:
    "sd key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    25. Repeat steps 19-24 using the following file:

    Code:
    File: RVL-WiiSystemmenu-v???.des
    MD5 of Key: 4582417D623C81FCA07A46A570C8969E
    wiikeyset.reg Value to Edit:
    "md5 blanker"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    26. Repeat steps 19-24 using the following file:

    Code:
    File: RVL-WiiSystemmenu-v???.des
    MD5 of Key: D9F2B2E045D22D3805A67FE0C340CCD2
    wiikeyset.reg Value to Edit:
    "sd iv"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    *** REPLACING FILES ON ISO ***

    This section assumes you now know how to navigate through Trucha Signer.

    27. Create a backup copy of the ISO you want to edit.

    28. Navigate to the file you want to replace.

    29. Right-click on the file and select "Replace".

    30. In the popup window, select a file that is EQUAL IN SIZE OR SMALLER.

    31. If the replacement was successful, you will see a popup message. (Trucha v0.2 had a bug that wouldn't replace the file and wouldn't pop up a message.)

    32. After you have replaced all the files you want, right click on the PARTITION that you edited.

    33. Select "Trucha Sign".

    34. Your edited ISO has now been signed and is now ready to burn!
     
  2. ilostmyshoes

    Nice work on the tutorial.

    One thing I would suggest adding between steps 7 and 8 is after you open the program to use Select KeySet and change it to custom KeySet 1.

    At least I had to do that for it to actually open the iso.

    Edit: Nevermind, you beat me to it!
     
  3. JPH

    Nice guide, thanks a lot man
     
  4. IBNobody
    OP

    Yeah... I realized that when I read through the thing again... I'm an editing NINJA!
     
  5. ProdigySim

    I've found that while the GUI will lockup, the program continues to operate. If you wait until it finishes checking, the GUI will unfreeze and work normally.

    Edit: Does anyone know about the use of the boot1 key?
     
  6. coolbho3000

    Eh, the keys are already freely available...
     
  7. bailli

    On some systems - like mine - DesWaD only works if it runs in the root of the drive...
     
  8. IBNobody
    OP

    That may be true, but they are still illegal. This method gives people who only have the common key a way to obtain the other keys.

    ---

    Also... How do you use GBATemp to host images? I guess I never ran across the need to do that yet. I'd rather not use Imageshack.
     
  9. aligborat69

    Excellent Tutorial, I managed to figure it all out previously, using bits of info from all over the place! I've made the changes to my Manhunt.2 iso and will test it when I get home tonight. Ahhh the joys of remote controlling your home server / adding latest downloads, LOL :-)

    One thing I still don't understand.

    With regards to putting the Keys into the registry etc.... is it basically not the same for everyone? Couldn't those keys have been in that regfile from the beginning?

    Or is it PC or game specific?

    So for example, now that I have loaded manhunt 2 reg details and made the changes to the game, would I need to do the same for the next game and replace the registry entries?
     
  10. IBNobody
    OP

    Those keys are protected by the DMCA. They are illegal. You can't distribute them with the Trucha Signer or post them on a message board.

    ---

    And I don't know what the boot key was... I was just using the common key. It appeared to work, apparently. I was able to resign an ISO, burn it, and boot it.
     
  11. berlinka

    Is it possible make an ISO from an existing DVD? Because I do have Manhunt 2 but only burned on DVD.
     
  12. aligborat69

    Aha! So it makes sense now, I wondered why everyone was going about it the super long way. Anyway, I'm happy I got it working and made the changes.

    I'm hoping this helps with the region problem of some games not working on different regions and others do...

    Would be so cool.
     
  13. jelbo

    Keys are the same for everyone, but they're illegal to share. So with the pretty easy to find common key around people can follow the tutorial to obtain the other keys. You could search the keys themselves, but I'm pretty much looking forward to trying the DesWaD method out myself.

    No idea how it works exactly though, I mean, finding keys using MD5 hashes and decrypted Wii system files? Interesting stuff
     
  14. IBNobody
    OP

    The hacker responsible for this program (xt5) is working on a version that will let you do just that. It currently doesn't work for me, and I have one of those special Wii reading drives.

    EDIT:

    Jelbo,

    The KeySearcher just continually scoops up 16 bytes and runs an MD5 check on them. If MD5 sums match, it spits the key out. If not, it moves 1 byte down the file and scoops up another 16 bytes. It's a VERY simple program, aside from the whole MD5 thing. Great idea, too!
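
The sliding-window search described in the post above, written out as an added example (it is not KeySearch's code and not from the thread) and framed as an audit of an image for embedded secrets whose digests are known. The function names, the sample image and both 16-byte secrets are constructed for illustration, and this version generalizes the post by checking several digests in one pass.

```python
import hashlib

KEY_LEN = 16  # window size from the post: one 128-bit key or IV


def scan_for_keys(image: bytes, wanted_md5, key_len: int = KEY_LEN):
    """Slide a key_len-byte window over image one byte at a time.

    Returns {digest: [offsets]} for every window whose MD5 is in wanted_md5.
    All digests are checked in the same pass, so one scan per file is enough.
    """
    wanted = {d.strip().lower() for d in wanted_md5}  # accept upper-case hex
    view = memoryview(image)
    hits = {}
    # An image shorter than one window yields an empty range and no hits.
    for off in range(len(view) - key_len + 1):
        digest = hashlib.md5(view[off:off + key_len]).hexdigest()
        if digest in wanted:
            hits.setdefault(digest, []).append(off)
    return hits


def build_sample():
    """Constructed test image: filler with two made-up 16-byte secrets."""
    key_a = bytes.fromhex("00112233445566778899aabbccddeeff")
    key_b = bytes(range(0x40, 0x50))
    image = b"HDR!" + bytes(60) + key_a + b"padding" + key_b + bytes(9)
    return image, key_a, key_b


def demo():
    image, key_a, key_b = build_sample()
    # Only the digests are handed to the scanner, as in step 20 of the tutorial.
    wanted = [hashlib.md5(k).hexdigest().upper() for k in (key_a, key_b)]
    hits = scan_for_keys(image, wanted)
    return {d: [(off, image[off:off + KEY_LEN].hex()) for off in offs]
            for d, offs in hits.items()}


if __name__ == "__main__":
    for digest, found in demo().items():
        for off, key_hex in found:
            print(f"{digest}  offset 0x{off:x}  {key_hex}")
```

The scan costs one MD5 per byte offset, so run time grows linearly with file size, which fits the tutorial's remark that the tool appears to hang on some files. It also shows that publishing only a digest of a key does not protect the key once any decrypted image containing it is available.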
     
  15. CockroachMan

    Thanks! Nice work!
     
  16. shiftyraccoon

    I don't understand the KEY business?
    Do I run a keyfinder - enter the common key (which is the same for all games)

    And then enter the individual game keys?
    Sorry for the n00bosity, I just wanna play No More Heroes with BLOOD NOW!
     
  17. berlinka

    Thanks, I'm waiting with staggering anticipation
     
  18. coolbho3000

    Sure. Simply use "Read" mode in IMGBurn to rip an ISO from the disc.

    Unless it is a legit copy of Manhunt 2 - then you need the LG drive or use the Wiikey SD ripper.
     
  19. MSW0

    Nice tutorial. Got me ready for GH3 Customs once I figure it out, and GH3 is done DLing.

    Only part that requires a decent amount of thinking is obtaining the key, but even then it should be easy.
     
  20. DjoeN

    Thanks, this was just what I needed

    up and running!
     