WFS USB Block Injector

Discussion in 'Wii U - Hacking & Backup Loaders' started by dimok, Aug 5, 2017.

  1. dimok
    OP

    dimok GBAtemp Advanced Fan

    Member
    728
    2,172
    Jan 11, 2009
    United States
    Well. Of course you have to toggle the GPIO lines directly and bitbang the SPI data at a precise clock. That is as low level as it can get with software on the Wii U. But the code is already available to the public here:
    https://github.com/dimok789/seeprom2sd/blob/master/arm_kernel/source/main.c#L54

    You can basically use the exact same code on the Wii U and Wii as the IC is of the same type just of a different size. The HW registers got even the same address and the processor clock is equal on both systems. It's 1:1 usable.

    Hmm I see. So Maxternal already tried dumping the seeprom from vWii. Since he got an empty file this must mean the SPI pins are locked out for the vWii. That's too bad
     
    Last edited by dimok, Aug 10, 2017
    Valery0p and Masterwin like this.


  2. Valery0p

    Valery0p GBAtemp Regular

    Member
    248
    101
    Jan 16, 2017
    Italy
    So, it isn't worth the try? Maybe his code was wrong... I don't think there a lot of people experienced enough to do that...
    Also, we can't/don't know how to reactivate the pin after we switch to vWii mode, right?
    ...but if we can write?
     
    Last edited by Valery0p, Aug 10, 2017
  3. Corredor

    Corredor GBAtemp Regular

    Member
    109
    41
    Sep 16, 2016
    Brazil
    If you dump SEEPROM in the Wii U with the same code used for Wii and if vWii can access the SEEPROM, Xyzzy should work, right?

    Enviado de meu 6039J usando Tapatalk
     
  4. wiiupoo

    wiiupoo Member

    Newcomer
    18
    6
    Jul 25, 2016
    United States
    No it doesn't transfer the seeprom.

    It formats the console (increment seeprom key), redownloads content and transfers save game data from the old console which stored on a flash card. It will encrypt this save game data as it is reading it from flash card.

    I was thinking to do a system transfer of an exploit encapsulated within a save game, have the virgin wii encrypted this exploit, identify the exploit in raw USB data, move the raw data on the USB to overwrite the content portion of the haxchi title.

    This may have been possible if the drive was encrypted using AES-ECB as I initially thought.


    This isn't possible since as these two talented devs pointed out, the drive is encrypted with CBC. Pattern identification is impossible CBC as is moving around data.
     
    Last edited by wiiupoo, Aug 10, 2017
    Valery0p likes this.
  5. Corredor

    Corredor GBAtemp Regular

    Member
    109
    41
    Sep 16, 2016
    Brazil
    If you have a SEEPROM dump and don't mind to share the last 12 bytes of your Wii U USB key seed (without console ID) and the SEEPROM version code, download this very simple parser (put in the same folder where is seeprom.bin, run it and just open the file "values.txt") or find those numbers with a hex editor (2A:2B and B4:BF) and send me a PM. Maybe the seeds are not completely random and we can do something for some 5.5.2 users.
     
    Last edited by Corredor, Aug 12, 2017
    Masterwin likes this.
  6. jbuck1975

    jbuck1975 GBAtemp Advanced Fan

    Member
    804
    173
    Dec 28, 2015
    United States
    Mine is the same except the first number (on wii it's 2, on wii u it's 4).
     
    Valery0p likes this.
  7. jbuck1975

    jbuck1975 GBAtemp Advanced Fan

    Member
    804
    173
    Dec 28, 2015
    United States
    I've got a "keys.bin" file that I don't know where I got it. but it's got my Wii NG ID in the hex file. Also in the Hex file it has YAWMM_DE. was this file possibly dumped with YAWMM program when i hack the vwii?
     
  8. Corredor

    Corredor GBAtemp Regular

    Member
    109
    41
    Sep 16, 2016
    Brazil
    These are your vWii keys, probably you got them when you did Nand backup or you run Xyzzy.

    Enviado de meu 6039J usando Tapatalk
     
  9. Corredor

    Corredor GBAtemp Regular

    Member
    109
    41
    Sep 16, 2016
    Brazil
    Double post
     
    Last edited by Corredor, Aug 12, 2017
  10. jbuck1975

    jbuck1975 GBAtemp Advanced Fan

    Member
    804
    173
    Dec 28, 2015
    United States
    What information from the seeprom does the usb block injector use?
     
  11. Corredor

    Corredor GBAtemp Regular

    Member
    109
    41
    Sep 16, 2016
    Brazil
    Wii U USB seed key (bytes from B0 to C0). The first four bytes are your Wii U NG, which is similar to the Wii NG. But the last 12 bytes can't be known except by SEEPROM dump. I'm trying to figure out if these numbers are somehow shared by SEEPROMs with the same version code.

    Enviado de meu 6039J usando Tapatalk
     
    Last edited by Corredor, Aug 13, 2017
  12. sp3off

    sp3off One male shadow.

    Member
    347
    74
    Apr 17, 2013
    France
    Hell's Lair
    Nevermind, my HDD just died at my hands...
     
    Last edited by sp3off, Aug 15, 2017 - Reason: derp.
  13. Corredor

    Corredor GBAtemp Regular

    Member
    109
    41
    Sep 16, 2016
    Brazil
    It doesn't matter right now, because we already have an entry point for 5.5.2 systems. Anyway, just for information sake, the last 12 bytes of the Wii U key seed are random. I've compared SEEPROMs with the same version codes and they have completely different Wii U key seeds. I think the Wii U key seeds are randomly generated in manufacturing process. Maybe even Nintendo doesn't have a record of the numbers.