Hacking WFS USB Block Injector

dimok

So, you're saying that the other bytes are the same between WiiU/vWii NG ID?

And nah, IMHO the only sensitive information is the NG ID in the first 4 bytes; I'll send my 12 bytes to you tomorrow, when I can access my PC ;) .

Also, I don't know if vWii uses the same chip as WiiU mode, but even if this is the case, maybe you need to call the seeprom with raw read calls... It's gonna be complex...

Well. Of course you have to toggle the GPIO lines directly and bitbang the SPI data at a precise clock. That is as low level as it can get with software on the Wii U. But the code is already available to the public here:
https://github.com/dimok789/seeprom2sd/blob/master/arm_kernel/source/main.c#L54

You can basically use the exact same code on the Wii U and Wii as the IC is of the same type just of a different size. The HW registers got even the same address and the processor clock is equal on both systems. It's 1:1 usable.

Hmm I see. So Maxternal already tried dumping the seeprom from vWii. Since he got an empty file this must mean the SPI pins are locked out for the vWii. That's too bad
 

Valery0p

Well. Of course you have to toggle the GPIO lines directly and bitbang the SPI data at a precise clock. That is as low level as it can get with software on the Wii U. But the code is already available to the public here:
https://github.com/dimok789/seeprom2sd/blob/master/arm_kernel/source/main.c#L54

You can basically use the exact same code on the Wii U and Wii as the IC is of the same type just of a different size. The HW registers got even the same address and the processor clock is equal on both systems. It's 1:1 usable.


Hmm I see. So Maxternal already tried dumping the seeprom from vWii. Since he got an empty file this must mean the SPI pins are locked out for the vWii. That's too bad
So, it isn't worth the try? Maybe his code was wrong... I don't think there are a lot of people experienced enough to do that...
Also, we can't/don't know how to reactivate the pin after we switch to vWii mode, right?
...but if we can write?
 

Corredor

So, it isn't worth the try? Maybe his code was wrong... I don't think there are a lot of people experienced enough to do that...
Also, we can't/don't know how to reactivate the pin after we switch to vWii mode, right?
...but if we can write?
If you dump SEEPROM in the Wii U with the same code used for Wii and if vWii can access the SEEPROM, Xyzzy should work, right?

 

wiiupoo

No it doesn't transfer the seeprom.

It formats the console (increment seeprom key), redownloads content and transfers save game data from the old console which is stored on a flash card. It will encrypt this save game data as it is reading it from flash card.

I was thinking to do a system transfer of an exploit encapsulated within a save game, have the virgin wii encrypt this exploit, identify the exploit in raw USB data, move the raw data on the USB to overwrite the content portion of the haxchi title.

This may have been possible if the drive was encrypted using AES-ECB as I initially thought.

This isn't possible since, as these two talented devs pointed out, the drive is encrypted with CBC. Pattern identification is impossible with CBC, as is moving around data.
 
  • Like
Reactions: Valery0p
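
The ECB versus CBC difference described in the post above, as an added example that is not part of the original thread. It assumes a toy 16-byte Feistel cipher standing in for AES, with a constructed key, IV and plaintext, and shows that ECB exposes repeated blocks and tolerates reordered ciphertext blocks, while under CBC the repetition is hidden and a relocated block no longer decrypts to its plaintext.

```python
import hashlib

BLOCK = 16  # AES block size; the cipher below is a toy stand-in, not AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function: keyed hash cut to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, op=enc_block):  # every block processed independently
    return b"".join(op(key, b) for b in blocks(data))

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for b in blocks(pt):  # each block is XORed with the previous ciphertext
        out.append(enc_block(key, _xor(b, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    prev = [iv] + blocks(ct)
    return b"".join(_xor(dec_block(key, c), p) for c, p in zip(blocks(ct), prev))

def swap(ct, i, j):  # reorder ciphertext blocks without knowing the key
    b = blocks(ct)
    b[i], b[j] = b[j], b[i]
    return b"".join(b)

# Constructed sample: plaintext blocks 0 and 2 are identical.
KEY, IV = bytes(range(16)), bytes(range(16, 32))
PT = b"A" * 16 + b"B" * 16 + b"A" * 16 + b"C" * 16
ECB_CT, CBC_CT = ecb(KEY, PT), cbc_encrypt(KEY, IV, PT)
ECB_MOVED = ecb(KEY, swap(ECB_CT, 1, 3), dec_block)      # A, C, A, B: still valid
CBC_MOVED = cbc_decrypt(KEY, IV, swap(CBC_CT, 1, 3))     # blocks 1-3 come out garbled
print(blocks(ECB_CT)[0] == blocks(ECB_CT)[2], blocks(CBC_CT)[0] == blocks(CBC_CT)[2])
```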

Corredor

If you have a SEEPROM dump and don't mind sharing the last 12 bytes of your Wii U USB key seed (without console ID) and the SEEPROM version code, download this very simple parser (put it in the same folder as seeprom.bin, run it and just open the file "values.txt") or find those numbers with a hex editor (2A:2B and B4:BF) and send me a PM. Maybe the seeds are not completely random and we can do something for some 5.5.2 users.
 
  • Like
Reactions: Masterwin

jbuck1975

Thanks for the tip dimok, I really hope that what you're saying is true (even if I've read somewhere that the chips used on vwii are different) ...
Anyway, I've found something interesting while reading through my otp and seeprom dumps:
http://imgur.com/a/fUh2q


It may be only a random thing, but the wii NG ID (actually dumpable from a hacked vWii) and the wii U NG ID are almost the same!

If this is true, we found a way to dump at least 3 bytes of the wiiu usb seed! :D
Can anyone with an OTP dump confirm this?
Mine is the same except the first number (on wii it's 2, on wii u it's 4).
 
  • Like
Reactions: Valery0p

jbuck1975

I've got a "keys.bin" file that I don't know where I got it, but it's got my Wii NG ID in the hex file. Also in the hex file it has YAWMM_DE. Was this file possibly dumped with the YAWMM program when I hacked the vWii?
 

Corredor

I've got a "keys.bin" file that I don't know where I got it, but it's got my Wii NG ID in the hex file. Also in the hex file it has YAWMM_DE. Was this file possibly dumped with the YAWMM program when I hacked the vWii?
These are your vWii keys; you probably got them when you did a NAND backup or ran Xyzzy.

 

Corredor

What information from the seeprom does the usb block injector use?
Wii U USB seed key (bytes from B0 to C0). The first four bytes are your Wii U NG, which is similar to the Wii NG. But the last 12 bytes can't be known except by SEEPROM dump. I'm trying to figure out if these numbers are somehow shared by SEEPROMs with the same version code.


Corredor

It doesn't matter right now, because we already have an entry point for 5.5.2 systems. Anyway, just for information's sake, the last 12 bytes of the Wii U key seed are random. I've compared SEEPROMs with the same version codes and they have completely different Wii U key seeds. I think the Wii U key seeds are randomly generated in the manufacturing process. Maybe even Nintendo doesn't have a record of the numbers.
 
