Hacking Wii U Hacking & Homebrew Discussion

KungFuzion

Well-Known Member
Member
Joined
Feb 5, 2015
Messages
364
Trophies
0
Age
40
XP
1,154
Country
I'm not up to date on how emuNANDs work, I assume it uses files from an external device and does read/write to it.
Based on how everything works, I'd say emuNAND has an IOSU exploit minimum, not only to access external devices, but also because otherwise I'm not sure how possible it would be to hook all processes up to it.
We'd need to do a lot more research to make it happen regardless.

So, the way it'd probably work is you plug in a big enough hard drive to put the NAND and eMMC data on, "reboot" everything clean which you should be able to do with an IOSU exploit, then redirect all calls to storage to the hard drive.
If they try to ban you, I'm not sure how exactly it works but it seems it's tied to your NNID and stored on the console, same as all other NNID data.

I'm also not sure how exactly the storage key stuff works so I'm not going to go in detail on that because I'm probably wrong.

Here's a little bit of info on the first stage of gateway's payload & take a look at their code http://yifan.lu/2015/01/10/reversing-gateway-ultra-first-stage-part-1/
 

st4rk

nah
Member
Joined
Feb 11, 2014
Messages
542
Trophies
0
Website
st4rk.net
XP
815
Country
Brazil
I'm not up to date on how emuNANDs work, I assume it uses files from an external device and does read/write to it.
Based on how everything works, I'd say emuNAND has an IOSU exploit minimum, not only to access external devices, but also because otherwise I'm not sure how possible it would be to hook all processes up to it.
We'd need to do a lot more research to make it happen regardless.

So, the way it'd probably work is you plug in a big enough hard drive to put the NAND and eMMC data on, "reboot" everything clean which you should be able to do with an IOSU exploit, then redirect all calls to storage to the hard drive.
If they try to ban you, I'm not sure how exactly it works but it seems it's tied to your NNID and stored on the console, same as all other NNID data.

I'm also not sure how exactly the storage key stuff works so I'm not going to go in detail on that because I'm probably wrong.


(redNAND/vNAND) -> Change NAND Read Sector to SDMC Read Sector.
 
  • Like
Reactions: NWPlayer123

keine

Well-Known Member
Member
Joined
Aug 29, 2010
Messages
431
Trophies
1
Website
Visit site
XP
1,466
Country
United States
Did this already get mentioned? Maybe I was using the non latest nuspy.py. Now to take another crack at the ancast image.

subprocess.call(['CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

to this.

subprocess.call(['../../../CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])
 

NWPlayer123

Well-Known Member
Member
Joined
Feb 17, 2012
Messages
2,642
Trophies
0
Location
The Everfree Forest
XP
6,693
Country
United States
Did this already get mentioned? Maybe I was using the non latest nuspy.py. Now to take another crack at the ancast image.

subprocess.call(['CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

to this.

subprocess.call(['../../../CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

You're supposed to add the folder with NUSD/CDecrypt to the path so that should be unnecessary.
 
  • Like
Reactions: keine

NWPlayer123

Well-Known Member
Member
Joined
Feb 17, 2012
Messages
2,642
Trophies
0
Location
The Everfree Forest
XP
6,693
Country
United States
What is the -iv for the ancast image? What is the difference between fw.img and kernel.img?
I've tried the magic bytes and the sha1 for the iv.

Initial Value, should be easy enough to understand with a Google Search (not saying you're not doing your homework). fw.img requires the Starbuck Ancast Key (which we don't have) and kernel.img requires the Espresso Ancast Key (which we do). Just decrypt the entire binary with the key and an IV of 0, should work fine.

Also, I got bored and did a thing. It isn't finished yet but it at the very least reads files correctly. Now to get saving working. It even has a GUI :P
PyMSBT v0.1 Source Code
PyMSBT v0.1 32-Bit EXE
 

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
I see ASCII! It worked! Thanks for the pointer.
openssl still throws a bad decrypt at me.....but it appears to have at least partially worked.

What is the error?

Initial Value, should be easy enough to understand with a Google Search (not saying you're not doing your homework).
fw.img requires the Starbuck Ancast Key (which we don't have) and kernel.img requires the Espresso Ancast Key (which we do). Just decrypt the entire binary with the key and an IV of 0, should work fine.

Also, I got bored and did a thing. It isn't finished yet but it at the very least reads files correctly. Now to get saving working. It even has a GUI :P
PyMSBT v0.1 Source Code
PyMSBT v0.1 32-Bit EXE

Do you mean initialization vector?
 

Onion_Knight

Well-Known Member
Member
Joined
Feb 6, 2014
Messages
878
Trophies
0
Age
45
XP
997
Country
Did this already get mentioned? Maybe I was using the non latest nuspy.py. Now to take another crack at the ancast image.

subprocess.call(['CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

to this.

subprocess.call(['../../../CDecrypt.exe', 'tmd', 'cetk', '../../../ckey.bin'])

It requires the ckey.bin and CDecrypt to be at the root of your NUS download since I wrote it to start from there. It doesn't assume any of the directories are present and will overwrite directories if they are there.
 
  • Like
Reactions: TeamScriptKiddies

keine

Well-Known Member
Member
Joined
Aug 29, 2010
Messages
431
Trophies
1
Website
Visit site
XP
1,466
Country
United States
openssl enc -d -aes-128-cbc -in kernel.img -out kernel_dec.img -K ancast_wii_u_espresso -iv 0
bad decrypt
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:544:
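The "bad decrypt" above comes from EVP_DecryptFinal_ex, which is the PKCS#7 padding check; a raw firmware image decrypted with the key and an IV of 0 has no such padding, so openssl must be told not to look for it with -nopad. The script below is an added example, not something posted in the thread: it uses a constructed key and a constructed 32-byte "image" (not the Espresso ancast key or a real kernel.img) to reproduce the error and then decrypt correctly.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce openssl's "bad decrypt" on a
# blob that carries no PKCS#7 padding, then decrypt it correctly with -nopad.
# KEY and the plaintext are constructed sample values.
set -e
KEY=000102030405060708090a0b0c0d0e0f        # constructed 128-bit key (hex)
IV=00000000000000000000000000000000         # "IV of 0" = 16 zero bytes

# Build a constructed 32-byte "image" and encrypt it without padding, the way
# a raw firmware blob is laid out: ciphertext length equals data length.
make_sample() {
  printf 'AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB' > sample_plain.bin
  openssl enc -e -aes-128-cbc -nopad -K "$KEY" -iv "$IV" \
      -in sample_plain.bin -out sample.img
  wc -c < sample.img | tr -d ' '           # prints 32
}

# Default decrypt enforces PKCS#7 padding. The last plaintext byte is 0x42,
# which is not a valid pad byte, so EVP_DecryptFinal_ex reports "bad decrypt".
decrypt_default() {
  openssl enc -d -aes-128-cbc -K "$KEY" -iv "$IV" \
      -in sample.img -out out_default.bin 2>/dev/null && echo ok || echo failed
}

# With -nopad no padding check is done and the full 32 bytes come back.
decrypt_nopad() {
  openssl enc -d -aes-128-cbc -nopad -K "$KEY" -iv "$IV" \
      -in sample.img -out out_nopad.bin
  cmp -s sample_plain.bin out_nopad.bin && echo match || echo mismatch
}
```

openssl zero-pads a short `-iv 0` to 16 bytes (with a warning), so the hex IV above is the same value the command in the post used.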
 

zecoxao

Well-Known Member
Member
Joined
Dec 25, 2013
Messages
379
Trophies
1
Age
33
XP
1,703
Country
I keep seeing this kernel.img mention everywhere, and I have no idea how that concept exists, since when I run Wii U NUS Downloader, the parts don't have a specific name lol
 

Onion_Knight

Well-Known Member
Member
Joined
Feb 6, 2014
Messages
878
Trophies
0
Age
45
XP
997
Country
Onion_Knight, nice idea, but it'd be easier to specify CDecrypt and common key as variables on the program instead of hardcoding them. And thanks for the help :)

I'm almost done implementing the whole program in python which will remove the Cdecrypt requirement and just add it as a flag option at the command line.
 
