I've got haxchi, but i want to downgrade my browser just in case something goes wrong.
There is already a guide to downgrade the browser if you have haxchi
Quiet, this is going to explode at any moment XD
Last edited by Masterwin,
Ftpiiu can do some stuff but the current filesystem handling is pretty incomplete.
We can add new files but applications can't use them (most likely because of invalid permissions/owners) and if we replace executables the application won't run outside of a CFW.
Here compiled for windows! Thanks Rodrigo Piratte for doing this job!
wiiu_usb_inject.exe:
https://mega.nz/#!oqBQyQiD!M3oin4i_KXR-AtHu_GVh7NPyPPH_TcFmOsSOT8SnIGU
wiiu_usb_inject.exe:
https://mega.nz/#!oqBQyQiD!M3oin4i_KXR-AtHu_GVh7NPyPPH_TcFmOsSOT8SnIGU
Last edited by Masterwin,
Hey everyone,
long time no see. I came by to drop a small thing. I saw on my Wii U that my kids updated it and, well, I didn't have haxchi or dns blocks. Since I had my SPI eeprom dump of the Wii U and I knew how to decrypt the USB from before (I've posted it somewhere on here), I though I could simply get back access to the HBL by replacing a few files. Well it was way more complex than I though as the freaken WFS filesystem has hashs and checks everywhere, different IVs for different blocks and so on. After a bit I figured out what the IV is for my block I wanted to replace and where to change the hashs. So I wrote myself a quick tool to inject a block and tested it with the https://github.com/Kinnay/DKCTF-Save-Exploit from Kinnay and it worked. A few days later @EyeKey released his tools for WFS which are really great btw. With those tools it would have been way easier for me...oh well. Anyway since I don't have the time to finish the ROP for DKCTF I bought myself an eshop card now and got this Kawashima game and injected the rom.zip. That worked too. So I have my access to HBL back (if I ever need it
Since the tools of Eyekey are available now (too bad it's read only) and I though probably more people like me would want to inject haxchi to their system, I added a few printfs to EyeKeys lib to print the necessary stuff for my injector tool. With that it is actually also usable for an enduser. So here is the injector tool I wrote (attached). Its actually a quick hack together of a few encryptions/decryptions and not the best example but it does what I needed it for. I also attached a patch with the changes I made to EyeKeys lib. If I had his sources a bit earlier, I probably would have done my injector stuff inside his lib. You are welcome to do something like that.
Here is how you use it:
Code:wiiu_usb_inject PATH_TO_IMG USB_KEY PATH_TO_DATA_BLOCK META_SECTOR META_IV DATA_SECTOR DATA_IV Example: wiiu_usb_inject wiiu_usb.img 12345678901234567890123456789012 ./haxchi/installer/data/brainage.zip 00009320 00002000923D0340003BB80000000200 00015400 00010000923DC420003BB80000000200
Where wiiu_usb.img can also be /dev/sdb for example for direct drive modification (don't forget sudo). As you can see you need the USB key and the wfsdumper will print it for you with my prints in it. Of course the minimum requirement is a seeprom dump (the OTP usb key is actually equal on all consoles as far as i know and you could probably use a dummy file with the correct key at the korret position).
To get the necessary keys, sectors and ivs for my tool you just run EyeKeys tool with my modifications.
For example:
Code:./wfsdumper --otp ../otp.bin --seeprom ../seeprom.bin --input ../wiiu_usb.img --output ../dump/ --dump-path /usr/title/00050000/10179c00/content/0010
And you look in the prints for the block you want to modify which in my case was this:
Code:... rom.zip IV 00002000923D0340003BB80000000200 MetadataBlock at 00009320 IV 00010000923DC420003BB80000000200 DataBlock at 00015400 ...
You just copy those data and use them with my tool.
I attached the two binaries I used, both compiled on a 32 Bit Ubuntu 16.04 LTS. I am not going to port it for Windows. You will have to do that on your own.
To compile my tool you can do this:
gcc -O3 wiiu_usb_inject.c -o wiiu_usb_inject -lcrypto -lssl
Have fun with it.
This does not mean I am "back". I am looking into the forums from time to time but don't expect me to contribute to the Wii U scene very much, at least not very soon. I am still very low on time I could invest into the Wii U. I learned from my mistake and set up the blocking DNS stuff up now, so I wont have to do something like that again.
As said above, @EyeKey's tool does most of the hard work which I had to do manually before and therefore big credits go to him. Really awesome work there.
Thanks,
Massimiliano (alias Marlboro)
Well the first 4 bytes of the usb seed in the seeprom is always the console id. So you basically have that part. I am not sure about the rest, I only know that the last part is incremented on each console reset to factory setting. Maybe a lot of it is equal on every console but I never actually looked at it. Assuming you have to find out all of the remaining 12 bytes thats 2^96 = 79228162514264337593543950336. Thats still quite a lot of possible combinations.
Very nice work.
Who knows what else they decide to patch
.
I think it's very unlikely.
Nintendo has given up on the Wii U. They're not gonna invest on its security anymore. Their focus now is the Switch.
They could very well just patch the flaws in the OS and it would halt all exploits but they waited all these months and all they released was a patch for the web browser.
Nintendo has given up on the Wii U. They're not gonna invest on its security anymore. Their focus now is the Switch.
They could very well just patch the flaws in the OS and it would halt all exploits but they waited all these months and all they released was a patch for the web browser.
Last edited by piratesephiroth,
I have an old FSTOOLBOX backup of my console from 2013 when none of these things existed, and unbricking wasn't more than a dream. In those files I have a keys.txt with my console ID among other things. So my question is, the Wii U and the vWii console ID is the same? (This because I made this dump from the vWii). And is it possible to build the SEEPROM from such files? Anyone with the possibility would be so kind to dump his SEEPROM and make a backup with FSTOOLBOX in order to compare its contents? Thank you in advance.
Nope, seeprom is a little memory chip inside the GPU package and could only be accessed after the release of IOSUHAX. There's nothing stored on the filesystem.
Awesome @dimok & @EyeKey. 5.5.2 users can now have some hope (at least if they dumped seeprom but it's better than nothing).
Really sad, I first tough Dimok was back to the scene and was dreaming about more WiiU hack stuff. But anyway, we can only be happy he already released this ! And wish him the best !
Really sad, I first tough Dimok was back to the scene and was dreaming about more WiiU hack stuff. But anyway, we can only be happy he already released this ! And wish him the best !
Last edited by Kleyon,
Thanks for your reply, @dimok. I didn't know the last part was related to factory settings reset. Of course, there are a LOT of combinations. If I had some USB seed samples, I'd definitely take a look.
Probably a stupid question but what's happen if we try this trick on a 5.5.2 using the seeprom of someone else ?
Similar threads
-
- Article
-
Veho
-
The Real Jdbye
*is birb*
-
-
-
@
BigOnYa:
Anybody here have a Xbox series S and a series X, is the performance difference noticeable? Not worried about 4k. I have a series X but not a series S and was curious. (Reason- I was thinking of buying a series S for a second tv, for when grandkids come over, to keep them off my X) -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@
Veho:
It's not like they're complaining that their Slurpee is 99% ice or something, but if the cocktail calls for "shot of vodka, shot of vermouth, shot of gin, shot of Campari, three shots of juice, squirt of lemon" and ends up being a thimbleful of booze, that's a problem.
-
@
The Real Jdbye:
the funny thing is cocktails in norway are only allowed to have 1 20ml shot of booze
-
-
-
