Hacking WFS USB Block Injector

dimok

Hey everyone,

long time no see. I came by to drop a small thing. I saw on my Wii U that my kids updated it and, well, I didn't have haxchi or DNS blocks :). Since I had my SPI EEPROM dump of the Wii U and I knew how to decrypt the USB from before (I've posted it somewhere on here), I thought I could simply get back access to the HBL by replacing a few files. Well, it was way more complex than I thought, as the freaken WFS filesystem has hashes and checks everywhere, different IVs for different blocks and so on. After a bit I figured out what the IV is for the block I wanted to replace and where to change the hashes. So I wrote myself a quick tool to inject a block and tested it with the https://github.com/Kinnay/DKCTF-Save-Exploit from Kinnay, and it worked. A few days later @EyeKey released his tools for WFS, which are really great btw. With those tools it would have been way easier for me... oh well. Anyway, since I don't have the time to finish the ROP for DKCTF, I bought myself an eShop card now and got this Kawashima game and injected the rom.zip. That worked too. So I have my access to HBL back (if I ever need it :P).

Since EyeKey's tools are available now (too bad it's read-only) and I thought probably more people like me would want to inject haxchi into their system, I added a few printfs to EyeKey's lib to print the necessary stuff for my injector tool. With that it is actually also usable for an end user. So here is the injector tool I wrote (attached). It's actually a quick hack-together of a few encryptions/decryptions and not the best example, but it does what I needed it for. I also attached a patch with the changes I made to EyeKey's lib. If I had had his sources a bit earlier, I probably would have done my injector stuff inside his lib. You are welcome to do something like that.

Here is how you use it:
Code:
wiiu_usb_inject PATH_TO_IMG USB_KEY PATH_TO_DATA_BLOCK META_SECTOR META_IV DATA_SECTOR DATA_IV

Example:
wiiu_usb_inject wiiu_usb.img 12345678901234567890123456789012 ./haxchi/installer/data/brainage.zip 00009320 00002000923D0340003BB80000000200 00015400 00010000923DC420003BB80000000200

Where wiiu_usb.img can also be /dev/sdb, for example, for direct drive modification (don't forget sudo). As you can see, you need the USB key, and wfsdumper will print it for you with my prints in it. Of course the minimum requirement is a SEEPROM dump (the OTP USB key is actually equal on all consoles as far as I know, and you could probably use a dummy file with the correct key at the correct position).

To get the necessary keys, sectors and IVs for my tool you just run EyeKey's tool with my modifications.
For example:
Code:
./wfsdumper --otp ../otp.bin --seeprom ../seeprom.bin --input ../wiiu_usb.img --output ../dump/ --dump-path /usr/title/00050000/10179c00/content/0010

And you look in the prints for the block you want to modify, which in my case was this:
Code:
...
rom.zip
IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320
IV 00010000923DC420003BB80000000200 DataBlock at 00015400
...

You just copy that data and use it with my tool.

I attached the two binaries I used, both compiled on 32-bit Ubuntu 16.04 LTS. I am not going to port it to Windows. You will have to do that on your own.

To compile my tool you can do this:
Code:
gcc -O3 wiiu_usb_inject.c -o wiiu_usb_inject -lcrypto -lssl

Have fun with it.

This does not mean I am "back". I am looking into the forums from time to time, but don't expect me to contribute to the Wii U scene very much, at least not very soon. I am still very low on time I could invest into the Wii U. I learned from my mistake and set up the blocking DNS stuff now, so I won't have to do something like that again.

As said above, @EyeKey's tool does most of the hard work which I had to do manually before and therefore big credits go to him. Really awesome work there.

Attachments

  • wfsdumper.zip
  • wiiu_usb_inject.zip
  • wiiu_usb_inject_src.zip
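An added helper, not part of dimok's injector or EyeKey's lib: it parses the two "IV ... at ..." lines wfsdumper prints per file (the format quoted in the post), checks that every IV is 16 bytes and every sector 8 hex digits, and assembles the seven positional arguments of wiiu_usb_inject in the right order so that a metadata/data IV swap or a truncated hex string is caught before anything is written to the drive. The sample output and the example command come from the post; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the wfsdumper lines quoted in the post, "..." included.
SAMPLE_OUTPUT = """...
rom.zip
IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320
IV 00010000923DC420003BB80000000200 DataBlock at 00015400
..."""

# One AES block of IV (32 hex digits) and an 8-hex-digit sector number.
IV_LINE = re.compile(r"^IV\s+([0-9A-Fa-f]{32})\s+(MetadataBlock|DataBlock)\s+at\s+([0-9A-Fa-f]{8})$")


@dataclass
class BlockInfo:
    name: str
    meta_sector: str = ""
    meta_iv: str = ""
    data_sector: str = ""
    data_iv: str = ""

    def complete(self) -> bool:
        return all((self.meta_sector, self.meta_iv, self.data_sector, self.data_iv))


def parse_wfsdumper_output(text: str) -> Dict[str, BlockInfo]:
    """Map each file name to the IV/sector pair printed on the two lines after it."""
    entries: Dict[str, BlockInfo] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = IV_LINE.match(line)
        if m is None:  # any non-IV line is a file name introducing the next pair
            current = entries.setdefault(line, BlockInfo(line))
            continue
        if current is None:
            raise ValueError(f"IV line before any file name: {line!r}")
        iv, kind, sector = m.group(1).upper(), m.group(2), m.group(3).upper()
        if kind == "MetadataBlock":
            current.meta_iv, current.meta_sector = iv, sector
        else:
            current.data_iv, current.data_sector = iv, sector
    return entries


def build_inject_argv(img: str, usb_key: str, data_path: str, info: BlockInfo) -> List[str]:
    """Argument order is the one wiiu_usb_inject expects: META_SECTOR META_IV DATA_SECTOR DATA_IV."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", usb_key):
        raise ValueError("USB key must be 16 bytes given as 32 hex digits")
    if not info.complete():
        raise ValueError(f"{info.name}: metadata or data block line missing from dump output")
    return ["wiiu_usb_inject", img, usb_key, data_path,
            info.meta_sector, info.meta_iv, info.data_sector, info.data_iv]
```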

bostonBC

So if I understand this correctly, even if someone has updated to 5.5.2 they can now download Brain Age to USB and use these tools to inject haxchi.

Absolutely beautiful!

dimok

Nice job!

As a first step toward write support I am planning to implement the write function for replacing existing content, and write up to size_on_disk. It shouldn't be too hard and will make doing such things simpler.

Yeah, you did find out quite a lot there about that FS. It's a very good starting point as it is for others already. If you add content replacement, then this tool will become obsolete quite quickly hehe. I saw your write function being there ready to be implemented (a return -1 in there :)). Though as I said, I didn't want to spend more time, so I just added those prints, made the hard-coded parameters in the injector argv and put it on here.

OK nuts, so it is still a case of the chicken or the egg.

Until a new hack into 5.5.2 there's no way to get Haxchi installed on 5.5.2.

Correct. This tool is only useful to people on 5.5.2 who have their SEEPROM dump (from previous runs of exploits) and want to quickly get an entry point with haxchi or maybe another contenthax exploit.

Masterwin

Yeah, you did find out quite a lot there about that FS. It's a very good starting point as it is for others already. If you add content replacement, then this tool will become obsolete quite quickly hehe. I saw your write function being there ready to be implemented (a return -1 in there :)). Though as I said, I didn't want to spend more time, so I just added those prints, made the hard-coded parameters in the injector argv and put it on here.

Correct. This tool is only useful to people on 5.5.2 who have their SEEPROM dump (from previous runs of exploits) and want to quickly get an entry point with haxchi or maybe another contenthax exploit.

Many are going to be excited, but it is a good point to find other options for people on 5.5.2 who have no copy of OTP and NAND saved.

ruiner9

Fantastic! Since my Wii U accidentally got updated and I do have my SEEPROM, this will come in handy. I'm going to have to wait until maybe a step-by-step guide is released, though. Some of this is a little over my head.

Corredor

Stupid question: is it not possible to guess the relevant parts of the SEEPROM (by trial and error or something like that)?

Sent from my 6039J using Tapatalk

EyeKey

Yeah, you did find out quite a lot there about that FS. It's a very good starting point as it is for others already. If you add content replacement, then this tool will become obsolete quite quickly hehe. I saw your write function being there ready to be implemented (a return -1 in there :)). Though as I said, I didn't want to spend more time, so I just added those prints, made the hard-coded parameters in the injector argv and put it on here.

OK, I implemented it:
https://github.com/koolkdev/wfslib/commit/618e55ee479bde3c146037db8984a298107bed0e
It may still be buggy (it is a bit tricky and I didn't test enough cases). I just need to wrap it with some simple cmd tool and it will be able to inject any file (as long as it is smaller than the current allocated size).

jbuck1975

Can you do it with the mlc command?

Code:
Usage: wfsdump --input <input file> --output <output directory> --otp <opt path> [--seeprom <seeprom path>] [--mlc] [--usb] [--dump-path <directory to dump>] [--verbos]
Allowed options:
--help produce help message
--input arg input file
--output arg ouput directory
--otp arg otp file
--seeprom arg seeprom file (required if usb)
--dump-path arg (=/) directory to dump (default: "/")
--mlc device is mlc (default: device is usb)
--usb device is usb
--verbos verbos output