Wii U Hacking & Homebrew Discussion

zecoxao

Well-Known Member
Member
Joined
Dec 25, 2013
Messages
379
Trophies
1
Age
33
XP
1,703
Country
keine, don't use openssl, use python instead with crypto plus:
https://github.com/doegox/python-cryptoplus
Code:
import sys, os, hashlib

from Crypto.Cipher import AES
from CryptoPlus.Util import util

def sha1(data):
    return hashlib.sha1(data).digest()

def aes_ctr(key, iv, input):
    # CTR-mode helper; not used by the script body below
    ctr = util.Counter(iv)
    aes = AES.new(key, AES.MODE_CTR, counter=ctr)
    output = aes.encrypt(input)
    return output

def aes_decrypt_cbc(key, iv, input):
    aes = AES.new(key, AES.MODE_CBC, iv)
    output = aes.decrypt(input)
    return output

# Python 2 str.decode('hex'): replace the placeholders with the real hex strings
key = 'keyhere'.decode('hex')
iv  = 'ivhere'.decode('hex')

# put kernel.img from offset 0x100, not from 0x0

with open(sys.argv[1], 'rb') as f:
    data = f.read()
data = aes_decrypt_cbc(key, iv, data)
with open(sys.argv[1] + '.out', 'wb') as f:
    f.write(data)
 

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
keine, don't use openssl, use python instead with crypto plus:
https://github.com/doegox/python-cryptoplus
Code:
import sys, os, hashlib

from Crypto.Cipher import AES
from CryptoPlus.Util import util

def sha1(data):
    return hashlib.sha1(data).digest()

def aes_ctr(key, iv, input):
    # CTR-mode helper; not used by the script body below
    ctr = util.Counter(iv)
    aes = AES.new(key, AES.MODE_CTR, counter=ctr)
    output = aes.encrypt(input)
    return output

def aes_decrypt_cbc(key, iv, input):
    aes = AES.new(key, AES.MODE_CBC, iv)
    output = aes.decrypt(input)
    return output

# Python 2 str.decode('hex'): replace the placeholders with the real hex strings
key = 'keyhere'.decode('hex')
iv  = 'ivhere'.decode('hex')

# put kernel.img from offset 0x100, not from 0x0

with open(sys.argv[1], 'rb') as f:
    data = f.read()
data = aes_decrypt_cbc(key, iv, data)
with open(sys.argv[1] + '.out', 'wb') as f:
    f.write(data)


Not every ancast image begins at 0x100. Some start at 0x200.

Here are examples of 0x200 offsets
https://www.gbatemp.net/threads/wii-u-hacking-discussion.367489/page-163#post-5319436

Oh, I do not know if this got lost in all the off topic stuff but I don't think anyone responded to

Has anyone seen or know anything about a header similar to the ancast header but is?:
EFA082D9 = 0xEFA082D9 instead of Magicbytes or magic
EFA082D9 = 0xEFA082D9

EFA282D9 = 0xEFA282D9
EFA282D9 = 0xEFA282D9
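A Python 3 rewrite in the spirit of zecoxao's script, added here as an example and not code from the thread: it copies the plaintext header through, decrypts only the body with AES-CBC, and takes the body offset as an argument because, as noted above, some images start at 0x200 rather than 0x100. It assumes the `cryptography` package; the magic word 0xEFA282D9 is the one quoted in the thread, and the key and IV are not on the page and must be supplied by the caller.

```python
import struct
import sys
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Values from the thread: the ancast magic word and the two body offsets
# (header sizes) reported for different images. Key and IV are not on the
# page and must be supplied by the caller as hex strings.
ANCAST_MAGIC = 0xEFA282D9
KNOWN_BODY_OFFSETS = (0x100, 0x200)

def aes_cbc(key, iv, data, decrypt=True):
    """Raw AES-CBC with no padding: an image body is already block aligned."""
    if len(data) % 16:
        raise ValueError("body length 0x%x is not a multiple of 16" % len(data))
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(data) + op.finalize()

def split_image(image, body_offset):
    """Return (header, body) after checking the magic and the chosen offset."""
    if body_offset not in KNOWN_BODY_OFFSETS:
        raise ValueError("unexpected body offset 0x%x" % body_offset)
    if len(image) < body_offset + 16:
        raise ValueError("image too short for a 0x%x header" % body_offset)
    magic, = struct.unpack(">I", image[:4])
    if magic != ANCAST_MAGIC:
        raise ValueError("magic 0x%08X != ancast magic 0x%08X" % (magic, ANCAST_MAGIC))
    return image[:body_offset], image[body_offset:]

def decrypt_ancast(image, key, iv, body_offset):
    """Decrypt only the body; the plaintext header is copied through unchanged."""
    header, body = split_image(image, body_offset)
    return header + aes_cbc(key, iv, body, decrypt=True)

def main(argv):
    if len(argv) != 5:
        sys.exit("usage: %s image.img <key hex> <iv hex> <body offset hex>" % argv[0])
    key, iv, offset = bytes.fromhex(argv[2]), bytes.fromhex(argv[3]), int(argv[4], 16)
    with open(argv[1], "rb") as f:
        image = f.read()
    with open(argv[1] + ".out", "wb") as f:
        f.write(decrypt_ancast(image, key, iv, offset))

if __name__ == "__main__":
    main(sys.argv)
```

If the wrong offset is chosen, the first 0x100 bytes of the body decrypt to garbage rather than failing loudly, so checking the magic and trying both known offsets is the practical sanity check.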
 

PhyChris

Well-Known Member
Member
Joined
May 6, 2009
Messages
368
Trophies
1
XP
2,096
Country
Canada
A newbie question: from a hacking/modding perspective, would there be any advantage from a 'hot' disc swap with modified game data? I know it would mean an opened Wii U and disc drive.
 

NWPlayer123

Well-Known Member
Member
Joined
Feb 17, 2012
Messages
2,642
Trophies
0
Location
The Everfree Forest
XP
6,693
Country
United States
A newbie question: from a hacking/modding perspective, would there be any advantage from a 'hot' disc swap with modified game data? I know it would mean an opened Wii U and disc drive.

At this point it's probably not worth the effort, not to mention it probably won't accept the new disc since you can't re-encrypt it.
 

TeamScriptKiddies

Licensed Nintendo (indie) Game Developer
Member
Joined
Apr 3, 2014
Messages
1,970
Trophies
0
Age
36
Location
Planet Earth :P
XP
1,703
Country
United States
just wondering because almost every optical disc based console has some sort of weakness for a hot swap


In theory, it MIGHT work similar to how it works on the 360. You can only swap for the exact same game (i.e. a modded ISO of a game that you have the original copy of). Problem is, as NWPlayer123 has already stated, once the data is decrypted from the ISO and the necessary data is changed, there's no way to re-encrypt the image. Not to mention the Wii U uses a proprietary disc format that's similar to Blu-ray but not exactly the same (Big N didn't want to pay royalties to Sony for using official Blu-ray), so I don't even know how someone would go about burning a Wii U ISO, hence why most people who are interested in backup loading are looking at straight-up ISO loading instead of discs (that, and it's more convenient to throw all your backups on one external HDD and just select the game you want from some sort of menu).

Sadly the common key and game-specific title keys only decrypt ISOs; they can't be used to re-encrypt them. There's a separate private key used for the encryption that only Ninty has :(. Also, even such a hot swap method would likely be stuffed up by the Starbuck/IOSU anyway, as there would be byte changes which would effectively "break" the game's signature as it's running. The 360 was vulnerable to this type of attack, but I doubt Nintendo left it wide open on the Wii U.

Also due to the nature of the design of the Wii U optical drive, it would be super easy to damage it via a hot swap (more so than an ordinary drive) so it begs the question, is anyone willing to go through all that and risk trashing their drive without a way to dump the drive keys, meaning the drive is irreplaceable at this point in time. No drive=bricked console essentially.

Here's a video of the hotswapping process on the 360:



I used to use this technique before I had all the necessary stuff to flash my 360's drive. However that's NOT me in the video lmao, just some random video I found on youtube :P.

If you look at the Wii U drive, you'll see what I mean by it's super easy to damage trying something like that:

http://www.westingames.com/productPic/20140623/font201406230613144197.jpg


So in a nutshell, theoretically something like this is possible, but it would likely require an IOSU exploit, which at that point, someone could likely develop a software based usbloader for Wii U isos leaving hotswapping completely irrelevant lol.

It was a nice thought though :P
 
  • Like
Reactions: 2Hack and PhyChris

PhyChris

Well-Known Member
Member
Joined
May 6, 2009
Messages
368
Trophies
1
XP
2,096
Country
Canada
I did not specifically mean modifying the game content, but adding files to the end of the image. The browser can't normally access the SD slot, but the disc drive MAY still be enabled?
And before someone says 'but it's encrypted', remember the Wii U does not read the whole disc at once when you put it in the drive ('it would take forever'); it decrypts on the fly.

just making conversation :)
 

NWPlayer123

Well-Known Member
Member
Joined
Feb 17, 2012
Messages
2,642
Trophies
0
Location
The Everfree Forest
XP
6,693
Country
United States
I recall someone saying that relys had something running on the Wii U but never saw any proof

Because it's not finished yet and once it is then he'll probably release it to get things going. He's really only posted it in the Skype group. Basically you use (deprecated) OSRestartGame to clean everything up and then you're in control of the entire program. He's working on porting Pong.
 

TotalInsanity4

GBAtemp Supreme Overlord
Member
Joined
Dec 1, 2014
Messages
10,800
Trophies
0
Location
Under a rock
XP
9,814
Country
United States
Just wondering.
Could someone use the current use-after-free bug to load the Java Virtual Machine for PPC into executable memory and then run a Java program?

For that matter, what about something like Google Chrome? If we can get Chrome running with the browser exploit, we INSTANTANEOUSLY have literally THOUSANDS of apps at our disposal that don't need to be ported, unless they need to be optimized for the Wii U
 
  • Like
Reactions: TeamScriptKiddies

IbbyPlays

Well-Known Member
Member
Joined
Dec 20, 2014
Messages
236
Trophies
0
Age
23
XP
272
Country
United States
For that matter, what about something like Google Chrome? If we can get Chrome running with the browser exploit, we INSTANTANEOUSLY have literally THOUSANDS of apps at our disposal that don't need to be ported, unless they need to be optimized for the Wii U

Chrome can't run off of PPC assembly, it has only been built for the big three operating systems.
 

Onion_Knight

Well-Known Member
Member
Joined
Feb 6, 2014
Messages
878
Trophies
0
Age
45
XP
997
Country
Without further ado, I present a new improved version of nuspy.py, basically a complete re-write

Big Changes:

** Parse my information directly from the TMD now so I'm no longer scraping the Wii Impersonator. Credit for the structure is from Wiibrew, fail0verflow, and from Crediar.
Sadly, since I'm no longer using Wii Impersonator I cannot give you the by-country breakdowns. If you know where in the TMD it identifies the country, let me know and I'll add it back.

** Completely decrypts from within Python now, no longer using CDecrypt. Again, credit goes to Crediar for releasing his tool. I've learned so much from re-implementing this tool, so thank you for the opportunity.

#Extra Note on this: I don't completely just blindly copy his way of doing things and it shows up here. My directory structure is a little different than his, and some files are in different locations. Interestingly enough, I have more directories and files are located in different places. I may have more, so I don't know if I did something right or wrong here. Honestly, I spent the better portion of two days writing the directory build different ways. I finally settled on using relative locality plus a directory register that maintained state of what directories were where. I don't like my directory recursion, and if anyone wants to improve on it and make it more please give me some advice with some good pseudo code.

Changes on the horizon for anyone that cares:
- Command line flag options for download and decrypt. Currently, every time you run it, it downloads all titles, TMD and cetk from the NUS server. I want to implement an option to disable the autodownload and instead have it decrypt using previously downloaded titles.
- Decrypt is also right now automatic. The thought was that anybody who wanted this would also want it decrypted on the fly.
- Detect what other keys are in the directory, such as ancast keys, and have them also auto decrypted.
- Big one here: RPL to ELF on the fly. This one will take a bit. Currently I can completely parse out the RPL header, but haven't started writing it into the elf header format. Why do this? IDA Pro!
- SHA1, will add that definitely in a day or two, probably with a better args piece.

Bottom Line:
This tool was a lot of fun to write and I've learned a ton doing it. That makes it worth it to me even if no one uses it. However, if you do use it and would like some features added, please ask.

CREDITS:
- Crediar for releasing CDecrypt. Simply Thank You!
- WulfyStylez and Bug_Checker_ helped me figure out how to even download and decrypt these initially.
- zecoxao for throwing some PyCrypto knowledge out there. I was initially using a piss-poor slow implementation of AES that I've left included in here. If you don't have PyCrypto installed as a package for Python, it will use this. It's pretty darn slow.

EDIT:

Added a screen capture to show some differences. Mine is on the left and you can see I have some extra directories. The files themselves are present in their proper directories.
 

Attachments

  • nuspy.zip
    11.9 KB · Views: 155
  • screencap.png
    screencap.png
    21.6 KB · Views: 311
