Hacking Wii nand boot C

bushing

Well-Known Member
Newcomer
Joined
Feb 27, 2008
Messages
50
Trophies
0
XP
52
Country
United States
Can anyone tell me where this crap came from, originally? This is probably the fourth time I've seen this ("Team Twiizers has Nintendo's private key but they won't use it because they're against piracy"). Last time, someone came on IRC and started spamming everyone about how sven was the "Hitler of optical media" and that our refusal to use Nintendo's private key was the only thing keeping some random USB loader from running on "LU64+ Wiis" -- now we're holding bricked Wiis hostage? Sheesh. Why do people think we have this key? The only case where someone hacked a device by getting ahold of a private RSA(-like) key was the Atari 7800, and that only happened 15 years after the console was released.

I'm fairly sure there will never be a hard drive with the Wii's private keys lying around in some dumpster for 2021's console hackers to find, and I don't think anyone could leak a key if they wanted to -- DRM keys these days are locked up in tamper-proof Hardware Security Modules.

wes11ph said:
TT can make the installation of bootmii on boot2 even if it has a fixed boot1.
if they want to?!
but
they will violate the "TT No to "PIRACY""
No, really, we can't. Nobody can, unless they get access to Nintendo's 2048-bit private RSA key, or they find an exploit in boot1 or boot2 that we've missed (and I fully hope that somebody will -- but I'm not going to hold my breath.)

I've alluded to the theory that there is some factory boot2 version that is used as part of the manufacturing process on my blog several times, but nobody's ever seen any proof of that. Even if someone found it, it would probably be boot2v0, and it would be impossible to install it on a normal Wii because you can't downgrade boot2 without running your own ARM code.

wes11ph said (Sep 27 2010, 08:11 AM):
yes they have listed wii keys in their blog, but.
did they say that "we use ninty keys to make our app run like official"

don't you wonder why they always run application under an exploit?
what do you think? "cboot2"
does it have a ninty's code on it?
Huh? Can someone translate this for me?
 

mike333

Well-Known Member
Member
Joined
Aug 30, 2010
Messages
718
Trophies
0
XP
258
Country
Poland
bushing said:
wes11ph said:
TT can make the installation of bootmii on boot2 even if it has a fixed boot1.
if they want to?!
but
they will violate the "TT No to "PIRACY""
No, really, we can't. Nobody can, unless they get access to Nintendo's 2048-bit private RSA key, or they find an exploit in boot1 or boot2 that we've missed (and I fully hope that somebody will -- but I'm not going to hold my breath.)
sha1sum collision made easy... maybe someday...
 

bushing

Well-Known Member
Newcomer
Joined
Feb 27, 2008
Messages
50
Trophies
0
XP
52
Country
United States
mike333 said:
bushing said:
No, really, we can't. Nobody can, unless they get access to Nintendo's 2048-bit private RSA key, or they find an exploit in boot1 or boot2 that we've missed (and I fully hope that somebody will -- but I'm not going to hold my breath.)
sha1sum collision made easy... maybe someday...
Perhaps, just make sure it's a first preimage attack and not merely a random hash collision attack!
 

Jacobeian

Well-Known Member
Member
Joined
May 15, 2008
Messages
1,893
Trophies
0
XP
387
Country
Cuba
bushing said:
Can anyone tell me where this crap came from, originally?

paranoia and stupidity often come in pairs, the less they know, the more they speculate
... and it's also very contagious
 

KleinesSinchen

GBAtemp's Backup Reminder + Fearless Testing Sina
Member
GBAtemp Patron
Joined
Mar 28, 2018
Messages
4,466
Trophies
2
XP
14,992
Country
Germany
Do boot1 and boot2 use SHA1 encryption for something?
As I understand this, a SHA1 hash collision would allow modifying boot1… Modifying boot1 into something that accepts a modified boot2 which would ultimately allow BootMii@boot2 for all Wii consoles. Could be wrong though.

https://wiibrew.org/wiki/Boot1
wiibrew.org/wiki/Boot1 said:
Boot1
boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside the first block of NAND flash and encrypted with a key stored in the Mask ROM as part of boot0. As part of the boot process, boot0 will decrypt and hash boot1, and then compare it to a SHA1 hash stored in on-die OTP memory; if they do not match, then boot1 will not be executed. This means that any attempt to modify boot1 on a Wii will cause it to fail to boot.
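The wiibrew text above describes a fixed chain: boot0 decrypts block 0 of NAND with a key from Mask ROM, hashes the plaintext with SHA-1, and compares the digest against a value burned into OTP. The following is an added example (not code from the page, from Team Twiizers, or from Nintendo) that models that check in Python and runs it against a genuine block and three tampered ones. Everything in it is a constructed stand-in: the key, the OTP digest, the boot1 payload, and the cipher itself (a SHA-1 counter-mode XOR stream in place of the real AES, since the point here is the hash check, not the cipher).

```python
"""Toy model of the boot0 -> boot1 check described on wiibrew.

Added example, not code from the thread, Team Twiizers or Nintendo. The key,
cipher, OTP value and boot1 payload are constructed stand-ins; the real boot0
uses an AES key in Mask ROM and a SHA-1 digest in OTP, neither of which
appears on this page.
"""
import hashlib
import hmac

# Constructed stand-in for the key boot0 reads out of the Mask ROM.
MASK_ROM_KEY = b"constructed-mask-rom-key"


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-1; a stand-in for AES, not the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha1(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_block(plaintext: bytes, key: bytes = MASK_ROM_KEY) -> bytes:
    """What the factory writes into NAND block 0 (plaintext XOR keystream)."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def decrypt_block(ciphertext: bytes, key: bytes = MASK_ROM_KEY) -> bytes:
    """The XOR stream cipher is symmetric, so decryption is the same operation."""
    return encrypt_block(ciphertext, key)


def burn_otp(genuine_boot1: bytes) -> bytes:
    """Factory step: the SHA-1 of the genuine plaintext boot1 goes into OTP."""
    return hashlib.sha1(genuine_boot1).digest()


def boot0_verify(nand_block0: bytes, otp_hash: bytes, key: bytes = MASK_ROM_KEY) -> bool:
    """boot0's decision: decrypt, hash the plaintext, compare against OTP.

    Returns True only if boot1 may run. The comparison is constant-time so a
    partial digest match does not leak through timing.
    """
    plaintext = decrypt_block(nand_block0, key)
    return hmac.compare_digest(hashlib.sha1(plaintext).digest(), otp_hash)


def demo() -> dict:
    """Run boot0's check against a genuine block and three tampered ones."""
    genuine = b"BOOT1: verify boot2 RSA signature, then jump to boot2"  # constructed
    otp_hash = burn_otp(genuine)
    nand = encrypt_block(genuine)

    # 1. A same-length patch to boot1, re-encrypted under the correct key.
    patched = genuine.replace(b"verify", b"ignore")
    # 2. The genuine block with a single bit flipped in NAND.
    flipped = bytes([nand[0] ^ 0x01]) + nand[1:]
    # 3. A block encrypted under a key that is not the Mask ROM key.
    wrong_key = encrypt_block(genuine, b"some-other-key")

    return {
        "genuine": boot0_verify(nand, otp_hash),
        "patched": boot0_verify(encrypt_block(patched), otp_hash),
        "bit_flip": boot0_verify(flipped, otp_hash),
        "wrong_key": boot0_verify(wrong_key, otp_hash),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>9}: {'boots' if accepted else 'refuses to boot'}")
```

Only the untouched block passes; every modification changes the plaintext digest and boot0 refuses to run it. This is also why bushing's distinction earlier in the thread matters: the OTP digest is fixed at the factory, so a replacement boot1 has to hash to that one fixed value, which is a second-preimage problem. A collision attack produces two attacker-chosen messages with the same digest, and that only helps if one of those messages could have been made the genuine boot1 before the OTP was burned.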
