Hacking [TUTORIAL] Trucha Signer Tutorial

[IBNobody]

Here is a tutorial on how to use the Trucha Signer. It is a work in progress.

I am in no way responsible for the work that has gone into this hack.

Trucha signer requires the ubiquitous key.bin. It can also use other keys, but I was able to sign an ISO using only the common key. I believe this is because the keys are just used for decryption, and only the common key is needed to decrypt ISO files. The other keys, I assume, are for decrypting other file types like VC channels and such. The true hack, if I've read things right, is totally separate from the keys and involves a bug in the Wii RSA signature engine.

Nevertheless, I included a section on how to obtain the other keys. I did this mainly because of how difficult it was for me to get everything working.

Trucha Signer works on Wii Firmware US 3.2

THIS WILL NOT LET YOU PLAY BURNED ISO'S ON AN UNMODDED WII!

I WILL NOT GIVE OUT KEY.BIN TO ANYONE, NOT EVEN THROUGH PMs!

*** PRE REQS ***

1. Get the required files:

* Trucha Signer:
http://gbatemp.net/index.php?download=1909

* Keysearch 1.2:
http://gbatemp.net/index.php?download=1945

* DesWaD 0.1:
http://gbatemp.net/index.php?download=1944

NOTE: There is a newer version of DesWaD out, but the version I linked to is easier to use for key searching purposes.

* key.bin
Google it! It will have an MD5 of 8D1A2EBCD82A3469B77FACF15D9C8E50

I WILL NOT GIVE OUT KEY.BIN TO ANYONE, NOT EVEN THROUGH PMs!

* UltraEdit, or some form of hex editor
http://www.ultraedit.com/

* An ISO. You may need multiple ISOs...

2. Unzip everything and put them into a central directory.

Note: Some users report that DesWaD.exe will only work in their root directory. I did not run into this.

3. Open up the "wiikeyset.reg" that came with the Trucha Signer in UltraEdit and find the section:

[HKEY_CURRENT_USER\Software\Wii\KeySet\2]

"name"="Custom KeySet 1"
"boot1 key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"common key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"sd key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"sd iv"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"md5 blanker"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

4. Open the key.bin file in UltraEdit and make sure you are in hex mode (Ctrl-H).

5. Replace the "common key" line...

"common key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

...with the contents from key.bin. For example, if key.bin contained AABBCCDDEEFFAABBCCDDEEFF11223344, you'd enter...

"common key"=hex:AA,BB,CC,DD,EE,FF,AA,BB,CC,DD,EE,FF,11,22,33,44

6. Save the "wiikeyset.reg" file and activate it by double clicking on it. Click "Yes" to add it to the registry.

*** OBTAINING OTHER KEYS - OPTIONAL? ***

7. Run trucha.exe and select "Select Keyset/Custom Keyset 1" from the menu bar.

8. Select "Image/Open ISO" from the Trucha menu bar and open your ISO.

If your ISO does not open, make sure you have a CLEAN (not scrubbed) ISO. If you get a decryption error, verify that you correctly added the key information to your registry (steps 3-6).

9. Double-click on the "DISC" icon.

10. Double-Click on the "PARTITION (RELSAB)" icon, under the "DISC" header. If this partition does not exist, look for the first partition.

11. Double-Click on the "ROOT" icon under the "PARTITION (RELSAB)" header.

12. Double-Click on the "_SYS" icon under the "ROOT" header.

13. There should be two or more .wad files under the "_SYS" header. Look for the following files:

RVL-WiiSystemmenu-v???.wad (??? can be any number. Some recommend v226, but I used v193)
IOS21-64-v???.wad (??? can be any number. Some recommend v514.)

Here are the MD5 sums for the two wad files I used. You can use these to verify your files.

File: IOS21-64-v514.wad
MD5: DE6D068FEB5CD09C9D74E1CC344433E5

File: RVL-WiiSystemmenu-v193.wad
MD5: 945378F722B53913BC2B391D5A9BA3EB

Note: This image shows RVL-WiiSystemmenu-v162.wad. I did not use this one but am showing it as an example.

If these do not exist, repeat steps 8-12 with a DIFFERENT ISO.

14. Assuming you found your files, you need to extract them. Right-click on one of the wads, select "Extract to File", and point to a folder where you want the wad to be saved to.

15. Take your extracted wads and move them to a folder that contains key.bin.

16. Launch DesWaD.EXE.

17. Click the only button on the DesWaD interface and select the WaD file you want to convert to Des. Repeat for the other WaD file. If you get an error 103, your folder with your wads does not contain a copy of key.bin.

18. You should now have 2 Des files.

RVL-WiiSystemmenu-v???.des
IOS21-64-v???.des

Here are the MD5 sums for the two des files I used.

File: IOS21-64-v514.des
MD5: A334D53748B83DD8E22F0756E41CED32

File: RVL-WiiSystemmenu-v193.des
MD5: 06771D6B4A7D3AF3F6FD62B5F3DB250C

19. Run KeyFinder.exe

20. In key-finder, copy & paste the following MD5 sum into the TOP textbox

EF33E224E45C8D8C35CE32D8A810B603

21. Click the only button in KeyFinder.exe and select your "IOS21-64-v???.des" file. DO NOT SELECT YOUR WAD FILE!

22. Wait for the program to finish. For some of the keyfinds, it will take awhile. The Keyfinder program may appear to lock up, but it will complete eventually.

The bottom window will eventually display:

23. KeyFinder creates a folder with the same name as the MD5 sum of the key. Inside it is a new key.bin. THIS IS NOT THE SUPER KEY.BIN! THIS IS JUST A CONTAINER FOR OTHER KEYS!

In my example, KeyFinder created...
T:\ROM Tools\WiiGC Tools\WiiTools\KeyFinder\EF33E224E45C8D8C35CE32D8A810B603\key.bin

24. Open this key-bin and perform steps 3-6, except instead of replacing the common key, you replace the SD Key.

"sd key"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

25. Repeat steps 19-24 using the following file:

File: RVL-WiiSystemmenu-v???.des
MD5 of Key: 4582417D623C81FCA07A46A570C8969E
wiikeyset.reg Value to Edit:
"md5 blanker"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

26. Repeat steps 19-24 using the following file:

File: RVL-WiiSystemmenu-v???.des
MD5 of Key: D9F2B2E045D22D3805A67FE0C340CCD2
wiikeyset.reg Value to Edit:
"sd iv"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

*** REPLACING FILES ON ISO ***

This section assumes you now know how to navigate through Trucha Signer.

27. Create a backup copy of the ISO you want to edit.

28. Navigate to the file you want to replace.

29. Right-click on the file and select "Replace".

30. In the popup window, select a file that is EQUAL IN SIZE OR SMALLER.

31. If the replacement was successful, you will see a popup message. (Trucha v0.2 had a bug that wouldn't replace the file and wouldn't pop up a message.)

32. After you have replaced all the files you want, right click on the PARTITION that you edited.

33. Select "Trucha Sign".

34. Your edited ISO has now been signed and is now ready to burn!

 

[ilostmyshoes]

Nice work on the tutorial.

One thing I would suggest adding between steps 7 and 8 is after you open the program
to use Select KeySet and change it to custom KeySet 1.

At least I had to do that for it to actually open the iso.

Edit: Nevermind, you beat me to it!

 

[JPH]

Nice guide, thanks a lot man

 

[IBNobody]

Nice work on the tutorial.

One thing I would suggest adding between steps 7 and 8 is after you open the program
to use Select KeySet and change it to custom KeySet 1.

At least I had to do that for it to actually open the iso.

Edit: Nevermind, you beat me to it!

Yeah... I realized that when I read through the thing again... I'm an editing NINJA!

 

[ProdigySim]

22. WALK AWAY! Don't touch your PC. The KeyFinder has a GUI bug that causes it to lock up if you operate your PC. Wait for the program to finish.

I've found that while the GUI will lockup, the program continues to operate. If you wait until it finishes checking, the GUI will unfreeze and work normally.

Edit: Does anyone know about the use of the boot1 key?

 

[coolbho3000]

Eh, the keys are already freely available...

 

[bailli]

on some systems - like mine - deswad only works if it runs in root of the drive...

 

[IBNobody]

22. WALK AWAY! Don't touch your PC. The KeyFinder has a GUI bug that causes it to lock up if you operate your PC. Wait for the program to finish.
I've found that while the GUI will lockup, the program continues to operate. If you wait until it finishes checking, the GUI will unfreeze and work normally.



Thanks for the tip.

QUOTE(coolbho3000 @ Feb 27 2008, 09:21 AM)Eh, the keys are already freely available...

That may be true, but they are still illegal. This method gives people who only have the common key a way to obtain the other keys.

---

Also... How do you use GBATemp to host images? I guess I never ran across the need to do that yet. I'd rather not use Imageshack.

 

[aligborat69]

Excellent Tutorial, i managed to figure it all about previously, using bits of info from all over the place! Ive made the changed to my Manhunt.2 iso and will test it when i get home tonight. Ahhh the joys of remote controlling your home server / adding latest downlaods, LOL :-)

One thing i still dont understand.

With regards to putting the Keys into the registry etc.... is it basically not the same for everyone? Couldnt those keys have been in that regfile from the beginning?

Or is it PC or game specific?

So for example, now that i have loaded manhunt 2 reg details and made the changes to the game, would i need to do the same for the next game and replace the registry entries?

 

[IBNobody]

Excellent Tutorial, i managed to figure it all about previously, using bits of info from all over the place! Ive made the changed to my Manhunt.2 iso and will test it when i get home tonight. Ahhh the joys of remote controlling your home server / adding latest downlaods, LOL :-)

One thing i still dont understand.

With regards to putting the Keys into the registry etc.... is it basically not the same for everyone? Couldnt those keys have been in that regfile from the beginning?

Or is it PC or game specific?

So for example, now that i have loaded manhunt 2 reg details and made the changes to the game, would i need to do the same for the next game and replace the registry entries?

Those keys are protected by the DMCA. They are illegal. You can't distribute them with the Trucha Signer or post them on a message board.

---

And I don't know what the boot key was... I was just using the common key. It appeared to work, apparently. I was able to resign an ISO, burn it, and boot it.

 

[berlinka]

Is it possible make an ISO from an existing DVD? Because I do have Manhunt 2 but only burned on DVD.

 

[aligborat69]

Aha! So it makes sense now, i wondered why everyone was going about it the super long way. Anyway, im happy i got it working and made the changes.

Im hoping this helps with the region problem of some games not working on different regions and others do...

Would be so cool.

 

[jelbo]

Keys are the same for everyone, but they're illegal to share. So with the pretty easy to find common key around people can follow the tutorial to obtain the other keys. You could search the keys themselves, but I'm pretty much looking forward to try the Deswad method out myself.

No idea how it works exactly though, I mean, finding keys using MD5 hashes and decrypted Wii system files? Intersting stuff

 

[IBNobody]

Is it possible make an ISO from an existing DVD? Because I do have Manhunt 2 but only burned on DVD.

The hacker responsible for this program (xt5) is working on a version that will let you do just that. It currently doesn't work for me, and I have one of those special Wii reading drives.

EDIT:

Jelbo,

The KeySearcher just continually scoops up 16 bytes and runs an MD5 check on them. If MD5 sums match, it spits the key out. If not, it moves 1 byte down the file and scoops up another 16 bytes. It's a VERY simple program, aside from the whole MD5 thing. Great idea, too!

 

[CockroachMan]

Thanks! Nice work!

 

[shiftyraccoon]

I don't understand the KEY business?
Do I run a keyfinder - enter the common key (which is the same for all games)

And then enter the individual game keys?
Sorry for the n00bosity, I just wanna play No More Heroes with BLOOD NOW!

 

[berlinka]

Is it possible make an ISO from an existing DVD? Because I do have Manhunt 2 but only burned on DVD.


The hacker responsible for this program (xt5) is working on a version that will let you do just that. It currently doesn't work for me, and I have one of those special Wii reading drives.

EDIT:

Jelbo,

The KeySearcher just continually scoops up 16 bytes and runs an MD5 check on them. If MD5 sums match, it spits the key out. If not, it moves 1 byte down the file and scoops up another 16 bytes. It's a VERY simple program, aside from the whole MD5 thing. Great idea, too!

Thanks, I'm waiting with staggering anticipation

 

[coolbho3000]

Is it possible make an ISO from an existing DVD? Because I do have Manhunt 2 but only burned on DVD.

Sure. Simply use "Read" mode in IMGBurn to rip an ISO from the disc.

Unless it is a legit copy of Manhunt 2 - then you need the LG drive or use the Wiikey SD ripper.

 

[MSW0]

Nice tutorial. Got me ready for GH3 Customs once I figure it out, and GH3 is done DLing.

Only part that requires a decent amount of thinking is obtaining the key, but even then it should be easy.

 

[DjoeN]

Thanks this was just what i needed

up and running!