Wii U HDD observation

Discussion in 'Wii U - Hacking & Backup Loaders' started by miked63017, Jan 30, 2015.

Thread Status:
Not open for further replies.
  1. miked63017
    OP

    miked63017 Newbie

    Newcomer
    7
    7
    Jan 30, 2015
    United States
    St Louis MO
    I decided to do a little probing today of a Wii u formatted USB drive with one game installed on it. First of all I noticed it doesn't actually overwrite everything on the drive, I found traces of a lost+found dir from the ext4 fs that was previously on there. My methods are simple take USB flash drive 8gb let Wii u format it and install a game. Use dd to copy the drive to an image file and then inspect it with a hex editor. First thing I noticed, aside from seeing mention of the lost and found dir and a few files, was that there was a lot of padded spaces with zeros, and the file was obviously huge. So I decided to focus on the first 1mb, there was no strings that I could find that stood out so I assumed what everyone was saying is true that its encrypted. So here is where it gets interesting, using a y cable I tried to hotswap the USB drive. I plugged the power only part to my laptop and the power+data to a Wii u front USB port. I turned on the Wii u and started the game that is on the USB drive. Once started I unplugged the USB y cable that was plugged into the front port and plugged it into my laptop, then dd'd it again. The first chunk of data was the same as the first image, but the second part of the data had changed significantly. That is after the first set of zeros where the second chunk of data began it was completely different than that of the image I took without hotswapping. I tried this several times to make sure it wasn't a fluke and without fail the data always remained the same without hot swapping and it was completely different when I did hotswap. Every time I hotswapped it was always the same as the last time I hotswapped.

    So I have a question: did the data get decrypted?

    Now I only looked at the first 1mb, I plan on zeroing out the drive and doing more research tomorrow but I am wondering if a softmod may be completely unneeded if we are able to inject dumps right into the USB drive by hotswapping.

    I know I am a new member here and might get flamed for posting this, but I need some insight from those with more console hacking experience than me. Tell me what I am missing and maybe what is actually going here?
     


  2. jammybudga777

    jammybudga777 GBAtemp Advanced Maniac

    Member
    1,673
    561
    Aug 23, 2013
    i doubt its decrypted it but it still sounds like an interesting find :)
     
  3. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    If you modify a block of encrypted data, it'll encrypt completely differently. Nothing surprising there.

    There's nothing useful we can do with USB storage until the console is properly hacked and has keys, etc dumped.
     
  4. miked63017
    OP

    miked63017 Newbie

    Newcomer
    7
    7
    Jan 30, 2015
    United States
    St Louis MO

    But unplugging it and rechecking without the hotswap puts it back exactly as it was prior to the hotswap, and then doing the hotswap again it changes back to exactly the same way as the previous hotswap attempt. So basically its like two sets of data, that are always the same on each attempt. I agree with what your saying but it doesn't seem right that the system would modify this data, after all if it were on disc it would not be able to be written to to be modified.

    Anyway, anybody have any suggestions for what to look at? Do we have any idea what a wii u filesystem should look like, is it similar to wbfs just encrypted?

    I got a beagleboard that would be able to MITM the usb connection, could we get any useful data out of there?
     
    TeamScriptKiddies likes this.
  5. miked63017
    OP

    miked63017 Newbie

    Newcomer
    7
    7
    Jan 30, 2015
    United States
    St Louis MO
    One more question comes to mind too.

    If you format and put a game on USB, then plug it into another Wii u exactly what happens?

    I know it doesn't let you play it, but does it prompt you to format or is there some other message about being from a different console?
     
  6. miked63017
    This message by miked63017 has been removed from public view by Cyan, Feb 1, 2015, Reason: double post.
    Jan 30, 2015
  7. gunner007

    gunner007 GBAtemp Advanced Maniac

    Member
    1,506
    368
    Dec 31, 2013
    United States

    Assuming you're talking about a Wii U formatted HDD - it will prompt you to format. It's unable to decrypt the HDD and fails. (just as if you put a regular HDD you use in vWII - it will ask to format)

    Just like the PS3
     
    JVC2 likes this.
  8. TeamScriptKiddies

    TeamScriptKiddies Licensed Nintendo (indie) Game Developer

    Member
    1,904
    1,321
    Apr 3, 2014
    United States
    Planet Earth :P

    While you maybe a newbie in this community, you might be on to something. This is certainly interesting to say the least :P. Even if nothing ends up coming of this, I think it would be worth it to look into. Why is the data being modified but only when the drive is hotswapped, otherwise it remains unchanged. Could just be some weird bug, I have NO IDEA if its exploitable though. The fact that we have no way to get the console specific keys for storage at this time, makes things even more difficult, but I wonder what would happen if we were to modify just a small portion of that string (1st mb) that's changing itself. There's a good chance we could "break" the signature for the game by even changing so much as a byte (that's how the disc drive works, hence why there are no actual 'on-the-fly' patching drivechips for the Wii U). But if the its changing during the hotswap, perhaps if we make a similar change using a hex editor, it would go unnoticed hmmmm........

    If that can be pulled off, we might be able to trigger a kernel panic or something to give us the ability to write to RAM and gain code execution, but that's being really optimistic :P. Definitely worth looking into, keep up your investigation and see what you can do.

    As for "injecting" custom games and what not, that's NOT going to happen without the console specific keys to properly resign the drive image (except for maybe with an already existing kernel exploit, which would defeat the purpose.... :P)
     
    Tomato Hentai likes this.
  9. Mr. Mysterio

    Mr. Mysterio Super Genius

    Member
    661
    856
    Sep 16, 2014
    United States
    Rosalina's Comet Observatory
    The game data may be processed with multiple layers of encryption. The hotswapped data may not be completely unencrypted, but it may only be partially encrypted.
    My theory is as follows:

    - The game uses a two pass encryption system.
    - While the game is running, it uses a high-speed encryption system that allows fast access to the data while the game is running. This system is not dependent on unique console keys.
    - When the game exits properly, it encrypts the data on the hard disk using a complex algorithm dependent on some of the unique console keys. (Making this data unreadable to another Wii U.)

    I suggest that someone who owns the same game try the same procedure of hotswapping on their Wii U and collect both the normal save data and the hotswapped data. If the normal data from both Wii Us do not match (and they shouldn't), but the hotswapped data does then my theory may be correct.

    If I am correct, then it may be possible reconstruct the console key used to encrypt the data.

    Please note that I may be totally wrong about all of this. :lol:

    BTW what game are you using?
     
    TeamScriptKiddies likes this.
  10. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    The encryption method (it's just one) used is both fast and secure. We're talking about a modern system here, not one from 1996 where you'd have to sacrifice speed for security. This talk of hotswapping is nonsense, honestly.
    Also, I feel like this doesn't need telling but being able to see an unencrypted and encrypted version of a chunk of data does not allow one to instantly determine the key used for that data. This is a pretty common belief about many types of encryption, but it's simply never the case.
     
    TeamScriptKiddies likes this.
  11. SirByte

    SirByte GBAtemp Fan

    Member
    494
    191
    Dec 30, 2012
    Canada
    The only way to make progress with this is to disassemble the binaries that deal with the external storage. Maybe there's a way that we can derive the key, if it's based on e.g. the common key being secret, so if it would take the Wii U serial number, then use the common key and some function to derive the external drive key (assuming it's all AES). Anything that can be obtained with either the userland exploit or the much talked about kernel exploit would then work. But first we need to know how it's done.

    Edit: it might be worth the time and effort if this can be used to further open up the system, giving full read/write capabilities on the external storage device on PC.

    Edit 2: anyone hear stories about someone's Wii U optical drive being replaced, then suddenly their external drive no longer being readable (or that it still WAS readable)? That would rule out the optical drive key being involved.
     
    TeamScriptKiddies likes this.
  12. Mr. Mysterio

    Mr. Mysterio Super Genius

    Member
    661
    856
    Sep 16, 2014
    United States
    Rosalina's Comet Observatory
    Thank you WulfyStylez.
    I was hoping that someone more knowledgeable would post reliable information (instead of speculation).
     
  13. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    You can literally pull all of the system binaries from Nintendo's servers right now and decrypt them since the common key leaked. Have a blast. Keys obviously aren't part of that, though.
     
    TeamScriptKiddies likes this.
  14. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,274
    8,748
    Oct 27, 2002
    France
    Engine room, learning
    it makes me think of the way PS3 HDD could be decrypted.
    not a full decrypt, but part of it, block by block.
    http://www.ps3hax.net/2009/03/ps3-hdd-decrypted-tutorial/

    unfortunately, WiiU doesn't allow user's files to be written to or extracted from WiiU HDD to external storage, only transfer between HDD and the console is possible, so the PS3 method can't be applied here.
    unless you know how to write external content to HDD (like save data transfer from 3DS (one piece red) but there's probably a checksum on it before transferring the content)
     
    TeamScriptKiddies likes this.
  15. FaTaL_ErRoR

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
    It's encrypted the same as the internal storage is.

    And if you guys can't get behind the wii u os then you might as well call it a loss. As all your work will just be blocked/patched out or even worse you'll get a whole bunch of consoles banned online. #LOLBrowserExploit.
    Peace Team_Fatal........
     
  16. miked63017
    OP

    miked63017 Newbie

    Newcomer
    7
    7
    Jan 30, 2015
    United States
    St Louis MO
    Thanks for all the replies, puts things into perspective. While I havent replied for a while I was still messing with a few things in my free time. The case is the same with multiple games, although by some peoples replies that may be a moot point. I was thinking about trying to inject a game I downloaded, but havent gotten that far yet, I might still try it when I get a bigger HDD for S + G's even though the general consensus seems to be that my efforts will be fruitless.

    Can anybody chime in with info on what if any benefit might be gained by doing a MITM attack on the USB HDD? I got my beagleboard Xm all setup but havent had the time to dive in. Do you guys think there would be key transfers of any kind during formatting, game installation or any part of the communication process between the console and the HDD?
     
  17. FaTaL_ErRoR

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
    The only thing you are doing is viewing it go from storage to live media. MITM attacking it will reveal nothing. Well other than encrypted data. But, it is formatted behind the wii u OS you see on screen. One thing to remember is the beagleboard was out and known about long before the wii u was completed. So probably not a whole lot of ground to gain through this avenue. Though I could stand to be corrected. I mean they quickly dismissed us (TeAm_FaTaL) and were completely wrong in doing so. (TeAm_FaTaL: the rose that grew from the crack in the concrete) So keep up attempting things, you never know you may find a pretty huge hole.
     
  18. miked63017
    OP

    miked63017 Newbie

    Newcomer
    7
    7
    Jan 30, 2015
    United States
    St Louis MO

    So...sorry for being basically clueless but I know your team has done something to decrypt games? Is there anyway I could get some insight on how this is done, via pm, irc or whatever means you would prefer? I would just like to try to decrypt some of the blocks of data I have off my HDD and compare it against a known decrypted game from a disc. More or less I want to take stabs at what portion or portions of data actually are the game, vs what are certs, tickets or whatever else is on the HDD. I can return the favor with some testing or whatever other grunt work you may need, I don't consider myself a console hacker but I am pretty handy on the computer and have a good amount of hardware. I am a decent coder in a few languages too so you never know we may be able to come to a mutual agreement.
     
  19. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    MITM attacks on storage are useless, end of story.
     
  20. miked63017
    OP

    miked63017 Newbie

    Newcomer
    7
    7
    Jan 30, 2015
    United States
    St Louis MO
    Since you seem to be a good source of knowledge, maybe you can answer me another question. Do you think it might be possible that the reason the data is changing because the unique per console encryption has been removed?

    For example if I too an image of a hotswapped drive from 2 different Wii u consoles, those images would be able to be played on either Wii?

    I do get what your saying about keys and the mitm, but I can't help but thinking because of how the data changed we might be seeing at least one layer of encryption removed.

    Anybody willing to help me test this theory by hotswapping a USB drive with a single game on it, and trading me images?
     
  21. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    You're likely looking at misc data related to partition status or similar. That'll likely change just about every time you mount or access the drive, and a single bit of that changing will make an entire block (and probably a few after) change. Writing to storage is literally the last step in saving data. You're not going to capture some sort of decrypted data simply because that never leaves the console - the HDD isn't used for some sort of in-progress caching.
     
    TeamScriptKiddies likes this.
  22. TeamScriptKiddies

    TeamScriptKiddies Licensed Nintendo (indie) Game Developer

    Member
    1,904
    1,321
    Apr 3, 2014
    United States
    Planet Earth :P
    miked63017 as far was what Team Fatal is saying, he's made a lot of claims around here about various "things" he's done to "hack" the Wii U, but has not provided any proof of said "hacks." Unless he puts forth some proof of his "achievements" I wouldn't count him as being reliable....
     
Thread Status:
Not open for further replies.