Hacking Wii U Hacking & Homebrew Discussion

[FusionGamer]

Wow, thanks for keeping the E3 release Sorry I doubted you all.

Too bad my modem reset caused a IP reset thus my Wii U auto-updated. Hopefully by the time a 5.4.0 exploit is found and exploited, filesystem dumping will exist.

 

[Twili]

I'm making my own tool for DECRYPTING Wii U ISO's, since I'm not happy with crediar's closed-source tool that only spits out decrypted files from the ISO.

It will be 2 separate tools, actually. One for key expansion, and one for decryption using expanded keys.

This is the key expansion tool:

#include <stdio.h>

unsigned int rotate(char round),rcon(FILE *fp, char num);
void sub(FILE *fp, char round);
unsigned int ek[44];

unsigned int rotate(char round)
{
    printf("rot word %d\n",round);
    unsigned int returnme=(unsigned int)(ek[round]<<8)|(ek[round]>>24);
    return returnme;
}

void sub(FILE *fp, char round)
{
    unsigned char loop,byte[4];
    for(loop=0;loop<4;loop+=1)
    {
        byte[loop]=(ek[round]>>(24-8*loop))&0xff;
        printf("sbox (%02X) ",byte[loop]);
        fseek(fp,byte[loop],SEEK_SET);
        byte[loop]=fgetc(fp);
        printf("%02X\n",byte[loop]);
    }
    ek[round]=(unsigned int)((byte[0]<<24)|(byte[1]<<16)|(byte[2]<<8)|byte[3]);
}

unsigned int rcon(FILE *fp, char num)
{
    unsigned int returnme;
    fseek(fp,0x100+4*num,SEEK_SET);
    returnme=(unsigned int)((fgetc(fp)<<24)|(fgetc(fp)<<16)|(fgetc(fp)<<8)|fgetc(fp));
    printf("rcon (%d) %08X\n",num,returnme);
    return returnme;
}

int main(int argc, char **argv)
{
    FILE *data, *k;
    char x,val;
    data=fopen("static.bin","rb");
    k=fopen(argv[1],"rb");
    for(x=0;x<44;x+=1)
    {
        if(x<4)
        {
            ek[x]=(unsigned int)((fgetc(k)<<24)|(fgetc(k)<<16)|(fgetc(k)<<8)|fgetc(k));
        }
        else
        {
            if(x&3)
            {
                ek[x]=ek[x-1]^ek[x-4];
                if(x==9){ek[x]=ek[7]^ek[x-4];}
            }
            else
            {
                val=x-4;
                if(x==4){val=3;}
                ek[x]=rotate(val);
                sub(data, x);
                ek[x]=ek[x]^rcon(data, (x/4)-1)^ek[x-4];
            }
        }
        printf("%08X",ek[x]);
        if((x+1)%4==0){printf("\nRound Key %08X%08X%08X%08X",ek[x-3],ek[x-2],ek[x-1],ek[x]);}
        if(x<43){getchar();}
    }
    getchar();
    return 0;
}

Which needs a "static.bin" containing the sbox and rcon values:

63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
01 00 00 00 02 00 00 00 04 00 00 00 08 00 00 00
10 00 00 00 20 00 00 00 40 00 00 00 80 00 00 00
1B 00 00 00 36 00 00 00 6C 00 00 00 D8 00 00 00
AB 00 00 00 4D 00 00 00 9A 00 00 00

Then you click and drag into the tool a file you also make with a hex editor containing the key to expand, and it will show you the formation of the round keys that make up the expanded key. You hit enter after each step, and would have to paste the round keys and save them with your hex editor as the expanded key.

-snip-
-snip-
-snip-
-snip-
Round Key -snip, first one is the original key -
rot word 3
sbox (A2) 3A
sbox (B6) 4E
sbox (56) B1
sbox (7F) D2
rcon (0) 01000000
ECFEB5D0
8965177B
5BAE1AC9
240CAC9F
Round Key ECFEB5D08965177B5BAE1AC9240CAC9F
rot word 4
sbox (FE) BB
sbox (B5) D5
sbox (D0) 70
sbox (EC) CE
rcon (1) 02000000
552BC51E
AD69BBE4
F6C7A12D
D2CB0DB2
Round Key 552BC51EAD69BBE4F6C7A12DD2CB0DB2
rot word 8
sbox (2B) F1
sbox (C5) A6
sbox (1E) 72
sbox (55) FC
rcon (2) 04000000
A08DB7E2
0DE40C06
FB23AD2B
29E8A099
Round Key A08DB7E20DE40C06FB23AD2B29E8A099
rot word 12
sbox (8D) 5D
sbox (B7) A9
sbox (E2) 98
sbox (A0) E0
rcon (3) 08000000
F5242F02
F8C02304
03E38E2F
2A0B2EB6
Round Key F5242F02F8C0230403E38E2F2A0B2EB6
rot word 16
sbox (24) 36
sbox (2F) 15
sbox (02) 77
sbox (F5) E6
rcon (4) 10000000
D33158E4
2BF17BE0
2812F5CF
0219DB79
Round Key D33158E42BF17BE02812F5CF0219DB79
rot word 20
sbox (31) C7
sbox (58) 6A
sbox (E4) 69
sbox (D3) 66
rcon (5) 20000000
345B3182
1FAA4A62
37B8BFAD
35A164D4
Round Key 345B31821FAA4A6237B8BFAD35A164D4
rot word 24
sbox (5B) 39
sbox (31) C7
sbox (82) 13
sbox (34) 18
rcon (6) 40000000
4D9C229A
523668F8
658ED755
502FB381
Round Key 4D9C229A523668F8658ED755502FB381
rot word 28
sbox (9C) DE
sbox (22) 93
sbox (9A) B8
sbox (4D) E3
rcon (7) 80000000
130F9A79
4139F281
24B725D4
74989655
Round Key 130F9A794139F28124B725D474989655
rot word 32
sbox (0F) 76
sbox (9A) B8
sbox (79) B6
sbox (13) 7D
rcon (8) 1B000000
7EB72C04
3F8EDE85
1B39FB51
6FA16D04
Round Key 7EB72C043F8EDE851B39FB516FA16D04
rot word 36
sbox (B7) A9
sbox (2C) 71
sbox (04) F2
sbox (7E) F3
rcon (9) 36000000
E1C6DEF7
DE480072
C571FB23
AAD09627
Round Key E1C6DEF7DE480072C571FB23AAD09627

 

[ShadowOne333]

@Twili, all hail open source!

 

[crediar]

Though I have clue what the hell Twili is doing there, he's too late.
There already is an opensource program that can handle Wii U ISOs: http://sourceforge.net/projects/vgmtoolbox/?source=recommended

 

[fatsquirrel]

bah crediar party pooper

 

[Twili]

Though I have clue what the hell Twili is doing there, he's too late.
There already is an opensource program that can handle Wii U ISOs: http://sourceforge.net/projects/vgmtoolbox/?source=recommended

Still gonna do it for practice and fun.

 

[the_randomizer]

Though I have clue what the hell Twili is doing there, he's too late.
There already is an opensource program that can handle Wii U ISOs: http://sourceforge.net/projects/vgmtoolbox/?source=recommended

Then why has no one else mentioned that app till or posted it on the Temp before you did?

 

[crediar]

Someone mentioned it before when someone else was also planning to do an open source version.

 

[the_randomizer]

Someone mentioned it before when someone else was also planning to do an open source version.

Well, with over 7100 posts, it'd be one helluva task to track down who said that, and when it was said. Just saying. It should have been stickied or a thread made sooner, many of of us, myself included, didn't even know it was out truth be told. I thought such an app would be forever closed source. Better late than never

Someone should make a thread about it. It happens XD

 

[NWPlayer123]

http://gbatemp.net/threads/crediar-...tract-wii-u-images.378864/page-3#post-5514225 Someone just necrobumped a thread and said they were going to nothing too relevant.

 

[the_randomizer]

http://gbatemp.net/threads/crediar-...tract-wii-u-images.378864/page-3#post-5514225 Someone just necrobumped a thread and said they were going to nothing too relevant.

With all due respect, many of us don't even remember that post, and with all the goings on, it's kinda hard to keep track of every single piece of news, just sayin'. E3, etc, the site bustling with activities, how were we to recall one post from nearly a month ago? It should have been stickied, announced, etc instead of being buried.

 

[OncleJulien]

its hard to imagine just how much father along the scene would be right now if he had only known that app existed sooner...

 

[NWPlayer123]

With all due respect, many of us don't even remember that post, and with all the goings on, it's kinda hard to keep track of every single piece of news, just sayin'. E3, etc, the site bustling with activities, how were we to recall one post from nearly a month ago? It should have been stickied, announced, etc instead of being buried.

"news"

 

[the_randomizer]

"news"

What @OncleJulien said above couldn't be more true. This should have been stickied, or made known sooner instead of being buried. What, may I ask, is wrong with questioning the fact that this app was "open source" for so long and hasn't been known until nearly a month later after that post?

Methinks it wasn't until Twili decided to work on an ISO extractor/decrypter of his own.

 

[NWPlayer123]

There isn't really a need for a sticky since disc images are hard enough to obtain as it is, as well as the selection you have. TCPGecko makes it easy, it's 10x more deserving of a sticky. Just load up a game and dump the files, tada you're done.

 

[the_randomizer]

There isn't really a need for a sticky since disc images are hard enough to obtain as it is, as well as the selection you have. TCPGecko makes it easy, it's 10x more deserving of a sticky. Just load up a game and dump the files, tada you're done.

And nothing's been done to get it stickied? I'm just trying to point out why no one linked that app till now is all. Is there a link to TCPGecko or will there be one sometime? I'm just saying is all. Just trying to figure it out.

 

[NWPlayer123]

And nothing's been done to get it stickied? I'm just trying to point out why no one linked that app till now is all. Is there a link to TCPGecko or will there be one sometime? I'm just saying is all.

Once it's cleaned up, verified working on the latest versions, and the kernel exploit is out, yes. Even on 5.0.0 it's messy, chadderz had to disable memory protection because it was doing weird stuff.
I'm just saying that we have more important things to worry about.

 

[AboodXD]

Not yet, we still need to make the exploit more reliable and port the PPC kernel exploit.

That being said, wasn't the kernel exploit planned to be released with webkit one? Does that mean we might get in a day or two?

 

[Adr990]

(Gecko ftw)

I've added another update on wiiulib.arndroid.nl.
We now have a little gear wheel on the bottom right, like on the photoshop by Arkhandar, on which the whole design is based.
There is just some additional text in the popup, containing: About, Updates, Credits and the F.A.Q from deformeyer.

This update doesn't contain any LibWiiU updates, just an additional website feature.

Edit: added a new picture on the site, to view on the PC (or other devices).

 

[mary1517]

I have a different question. I don't know if it was answered somewhere or not but, just for my curiosity. Is the webkit exploit somehow related to the kernel or iosu exploits? or are those a totally separate thing? I guess you have to perform the webkit exploit to gain access to the kernel one or thats not the case?
Or you don't want to tell such details by now