Hacking WFS USB Block Injector

Thread starter: dimok
Maybe, but you will need a hardmod, it is much more risky, and you may need to replace multiple big files. Why not just install haxchi?
I've got haxchi, but I want to downgrade my browser just in case something goes wrong.
 
Last edited by Masterwin.
If you already have haxchi, you can just replace the files on the Wii U.
Ftpiiu can do some stuff but the current filesystem handling is pretty incomplete.
We can add new files but applications can't use them (most likely because of invalid permissions/owners) and if we replace executables the application won't run outside of a CFW.
 
Hey everyone,

long time no see. I came by to drop a small thing. I saw on my Wii U that my kids updated it and, well, I didn't have haxchi or DNS blocks :). Since I had my SPI EEPROM dump of the Wii U and I knew how to decrypt the USB from before (I've posted it somewhere on here), I thought I could simply get back access to the HBL by replacing a few files. Well, it was way more complex than I thought, as the freaking WFS filesystem has hashes and checks everywhere, different IVs for different blocks and so on. After a bit I figured out what the IV is for the block I wanted to replace and where to change the hashes. So I wrote myself a quick tool to inject a block and tested it with https://github.com/Kinnay/DKCTF-Save-Exploit from Kinnay, and it worked. A few days later @EyeKey released his tools for WFS, which are really great btw. With those tools it would have been way easier for me... oh well. Anyway, since I don't have the time to finish the ROP for DKCTF, I bought myself an eShop card now and got this Kawashima game and injected the rom.zip. That worked too. So I have my access to HBL back (if I ever need it :P).

Since EyeKey's tools are available now (too bad it's read only) and I thought probably more people like me would want to inject haxchi into their system, I added a few printfs to EyeKey's lib to print the necessary stuff for my injector tool. With that it is actually also usable for an end user. So here is the injector tool I wrote (attached). It's actually a quick hack together of a few encryptions/decryptions and not the best example, but it does what I needed it for. I also attached a patch with the changes I made to EyeKey's lib. If I had had his sources a bit earlier, I probably would have done my injector stuff inside his lib. You are welcome to do something like that.

Here is how you use it:
Code:
wiiu_usb_inject PATH_TO_IMG USB_KEY PATH_TO_DATA_BLOCK META_SECTOR META_IV DATA_SECTOR DATA_IV

Example:
wiiu_usb_inject wiiu_usb.img 12345678901234567890123456789012 ./haxchi/installer/data/brainage.zip 00009320 00002000923D0340003BB80000000200 00015400 00010000923DC420003BB80000000200

Where wiiu_usb.img can also be /dev/sdb, for example, for direct drive modification (don't forget sudo). As you can see you need the USB key, and the wfsdumper will print it for you with my prints in it. Of course the minimum requirement is a seeprom dump (the OTP USB key is actually equal on all consoles as far as I know, and you could probably use a dummy file with the correct key at the correct position).

To get the necessary keys, sectors and ivs for my tool you just run EyeKeys tool with my modifications.
For example:
Code:
./wfsdumper --otp ../otp.bin --seeprom ../seeprom.bin --input ../wiiu_usb.img --output ../dump/ --dump-path /usr/title/00050000/10179c00/content/0010

And you look in the prints for the block you want to modify which in my case was this:
Code:
...
rom.zip
IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320
IV 00010000923DC420003BB80000000200 DataBlock at 00015400
...

You just copy that data and use it with my tool.

I attached the two binaries I used, both compiled on a 32-bit Ubuntu 16.04 LTS. I am not going to port it to Windows. You will have to do that on your own.

To compile my tool you can do this:
Code:
gcc -O3 wiiu_usb_inject.c -o wiiu_usb_inject -lcrypto -lssl

Have fun with it.

This does not mean I am "back". I am looking into the forums from time to time, but don't expect me to contribute to the Wii U scene very much, at least not very soon. I am still very low on time I could invest into the Wii U. I learned from my mistake and set up the blocking DNS stuff now, so I won't have to do something like that again.

As said above, @EyeKey's tool does most of the hard work which I had to do manually before and therefore big credits go to him. Really awesome work there.


Thanks,
Massimiliano (alias Marlboro)
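To make the procedure above concrete (re-encrypt one block under its own IV, write it at its sector, then fix up the hash that covers it), here is an added example written for this page; it is not dimok's wiiu_usb_inject or EyeKey's wfslib. The real WFS layout is not documented on this page, so the sector size (512), the hash (SHA-1), where the data block's hash sits in the metadata block (offset 0), zero padding of a short file, and AES-128-CBC as the block cipher (a 16-byte key and 16-byte IVs, which matches the lengths of the hex values in the usage above) are all assumptions made for the demo. AES is implemented in a few dozen lines of pure Python so the example runs offline with no extra packages; the names cli_args, inject_block and check_block are chosen here. The size check follows the limit EyeKey gives further down the thread: the replacement must fit the block's existing allocation.

```python
import hashlib
SECTOR = 512    # assumed sector size: META_SECTOR / DATA_SECTOR are multiplied by this
HASH_OFF = 0    # assumed offset of the data block's SHA-1 inside the metadata block plaintext

def _mul(a, b):   # GF(2^8) multiplication with the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1: r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():   # S-box = affine map of the field inverse, generated instead of tabled
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (a generator)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3, so q == 1/p
        if q & 0x80: q ^= 0x09
        x = q
        for s in (1, 2, 3, 4): x ^= ((q << s) | (q >> (8 - s))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1: break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def _expand_key(key):   # AES-128 key schedule: 11 round keys of 16 bytes, column-major
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift(s, inv=False):   # (Inv)ShiftRows; state index is 4 * column + row
    return [s[4 * ((c + (-r if inv else r)) % 4) + r] for c in range(4) for r in range(4)]

def _mix(s, m):   # (Inv)MixColumns; m is the first row of the circulant matrix
    return [_mul(s[4 * c], m[-r % 4]) ^ _mul(s[4 * c + 1], m[(1 - r) % 4]) ^
            _mul(s[4 * c + 2], m[(2 - r) % 4]) ^ _mul(s[4 * c + 3], m[(3 - r) % 4])
            for c in range(4) for r in range(4)]

def _encrypt_block(rk, blk):
    s = [b ^ k for b, k in zip(blk, rk[0])]
    for r in range(1, 11):
        s = _shift([SBOX[b] for b in s])
        if r < 10: s = _mix(s, (2, 3, 1, 1))
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def _decrypt_block(rk, blk):
    s = [b ^ k for b, k in zip(blk, rk[10])]
    for r in range(9, -1, -1):
        s = [INV_SBOX[b] ^ k for b, k in zip(_shift(s, inv=True), rk[r])]
        if r > 0: s = _mix(s, (14, 11, 13, 9))
    return bytes(s)

def cbc_encrypt(key, iv, data):   # len(data) must be a multiple of 16
    rk, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(data), 16):
        prev = _encrypt_block(rk, bytes(a ^ b for a, b in zip(data[i:i + 16], prev)))
        out += prev
    return bytes(out)

def cbc_decrypt(key, iv, data):
    rk, prev, out = _expand_key(key), iv, bytearray()
    for i in range(0, len(data), 16):
        out += bytes(a ^ b for a, b in zip(_decrypt_block(rk, bytes(data[i:i + 16])), prev))
        prev = bytes(data[i:i + 16])
    return bytes(out)

def inject_block(img, key, new_data, meta_sector, meta_iv, data_sector, data_iv, block_size):
    # Re-encrypt under the data block's own IV, then fix the hash in the (encrypted) metadata block.
    if len(new_data) > block_size: raise ValueError("replacement is larger than the allocated block")
    plain = new_data + b"\0" * (block_size - len(new_data))   # zero padding is an assumption
    d_off, m_off = data_sector * SECTOR, meta_sector * SECTOR
    img[d_off:d_off + block_size] = cbc_encrypt(key, data_iv, plain)
    meta = bytearray(cbc_decrypt(key, meta_iv, img[m_off:m_off + SECTOR]))
    meta[HASH_OFF:HASH_OFF + 20] = hashlib.sha1(plain).digest()
    img[m_off:m_off + SECTOR] = cbc_encrypt(key, meta_iv, bytes(meta))
    return img

def check_block(img, key, meta_sector, meta_iv, data_sector, data_iv, block_size):
    # What the filesystem driver effectively does: decrypt both blocks and compare the hash.
    d_off, m_off = data_sector * SECTOR, meta_sector * SECTOR
    plain = cbc_decrypt(key, data_iv, img[d_off:d_off + block_size])
    meta = cbc_decrypt(key, meta_iv, img[m_off:m_off + SECTOR])
    return meta[HASH_OFF:HASH_OFF + 20] == hashlib.sha1(plain).digest()

def cli_args(usb_key, meta_sector, meta_iv, data_sector, data_iv):   # hex strings as on the CLI
    return (bytes.fromhex(usb_key), int(meta_sector, 16), bytes.fromhex(meta_iv),
            int(data_sector, 16), bytes.fromhex(data_iv))
```

Running check_block after the write is the check worth doing before you put the drive back in the console. It also shows why the IV printed by the patched wfsdumper has to be the one for that exact block: in CBC a wrong IV only garbles the first 16 bytes on decryption, but that is enough for the hash over the block to fail, so the console would reject a block that otherwise looks fine. Decrypting the metadata block before patching the hash is what makes the in-place fix-up work; you cannot flip bytes inside CBC ciphertext and get a predictable plaintext change.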
 
Stupid question: is it not possible to guess the relevant parts of SEEPROM (by trial and error or something like that)?

Sent from my 6039J using Tapatalk
Well, the first 4 bytes of the USB seed in the seeprom are always the console ID. So you basically have that part. I am not sure about the rest; I only know that the last part is incremented on each console reset to factory settings. Maybe a lot of it is equal on every console, but I never actually looked at it. Assuming you have to find out all of the remaining 12 bytes, that's 2^96 = 79228162514264337593543950336. That's still quite a lot of possible combinations.

OK, I implemented it
https://github.com/koolkdev/wfslib/commit/618e55ee479bde3c146037db8984a298107bed0e
It may still be buggy (it is a bit tricky and I didn't test enough cases). I just need to wrap it with some simple cmd tool and it will be able to inject any file (as long as it is smaller than the current allocated size).
Very nice work.

why are you going to block dns now? since you have haxchi it doesn't matter right?
Who knows what else they decide to patch ;).
 
I think it's very unlikely.
Nintendo has given up on the Wii U. They're not going to invest in its security anymore. Their focus now is the Switch.
They could very well just patch the flaws in the OS and it would halt all exploits, but they waited all these months and all they released was a patch for the web browser.
 
Last edited by piratesephiroth.
I have an old FSTOOLBOX backup of my console from 2013, when none of these things existed and unbricking wasn't more than a dream. In those files I have a keys.txt with my console ID among other things. So my question is, are the Wii U and the vWii console IDs the same? (This is because I made this dump from the vWii.) And is it possible to build the SEEPROM from such files? Would anyone with the possibility be so kind as to dump his SEEPROM and make a backup with FSTOOLBOX in order to compare their contents? Thank you in advance.
 
Nope, seeprom is a little memory chip inside the GPU package and could only be accessed after the release of IOSUHAX. There's nothing stored on the filesystem.
 
Awesome @dimok & @EyeKey. 5.5.2 users can now have some hope (at least if they dumped seeprom but it's better than nothing).

Really sad, I first thought Dimok was back to the scene and was dreaming about more Wii U hack stuff. But anyway, we can only be happy he already released this! And wish him the best!
 
Last edited by Kleyon.

Thanks for your reply, @dimok. I didn't know the last part was related to factory settings reset. Of course, there are a LOT of combinations. If I had some USB seed samples, I'd definitely take a look.
 
Probably a stupid question, but what happens if we try this trick on a 5.5.2 using the seeprom of someone else?
 