mkwiisave: Using IOS calls instead of NG-keys



wraggster
June 23rd, 2008, 00:47
More wii hacking news from Sven:


You've probably already heard about segher's public wii tools and you maybe even used them if you had the right keys.
While most of them (i.e. the shared keys) are floating around somewhere on the internet, the NG 'keys' needed to create a savegame that you can then copy to your SD card are really hard to get.
Bushing already explained that these 'keys' are console-specific, stored in the OTP area, and that they can only be dumped with access to the Starlet.
Getting code running on the Starlet is currently very dangerous since there are no public exploits that allow injecting code at run time, and you would have to modify the IOS stored on the NAND to be able to get all those keys. This is a really dangerous process when you have no way of backing up and restoring your NAND and can easily result in bricks.

However, the IOS does not contain any functions to create the file which will be copied to the SD - it doesn't even contain the IV and the MD5 blanker needed to encrypt and sign it. The system menu itself takes care of this and the system menu is running on the PowerPC. We have access to the PowerPC and we can gain System Menu privileges if we want to.
You can probably imagine where this is going to lead, can't you? ;)
If the System Menu is able to sign those files why can't we just also do it? Bushing already reversed all the required functions the System Menu uses and segher has written twintig which is able to create those savefiles and sign them when you know your keys.
You need the following five components in order to create such a savefile from scratch by using it:

NG-id: This file just contains a unique id for each Wii. It isn't secret at all and can be retrieved using the ES_GetDeviceID() function.

NG-mac: This is the MAC address of your Wii, which is stored in the header of the savefile. You can either create a NG-mac file with the address you can get from the sysmenu settings or you can just leave it blank and hope that it works.

NG-sig, NG-priv and NG-key-id: These are the three files used to create the signature of the savefile. The System Menu doesn't know about any of those files and just lets the IOS do everything needed: it uses the ES_GetDeviceCert() and ES_Sign() functions to create the whole signature and just stores it at the right place in the savefile.
If we want to create our own savefile now, we basically have the following two possibilities:
We could either port twintig to the Wii and would just need to call the ES_* functions there to generate the whole signature. The data you would like to add to the savefile would then be transferred by either using a USB Gecko or a TCP connection or just be read from the SD card or a USB mass storage device. A small GUI would however be needed to select the folder you want to create the savegame from and a PC application to send the savedata over a gecko or the tcp connection to the Wii.
But I'm a bit lazy and didn't want to write all this stuff and decided to use the second solution:
I just created a small Wii server that can be reached by using a USB Gecko and allows you to use the required ES_* functions with the data you provide. I just needed to do some small modifications to twintig and find some USB Gecko code. The server itself also wasn't really hard to write since it's just some gecko code (again) and a few calls to the ES functions.

After thinking about releasing this for about three hours now, I think that I can't do much wrong here: nearly the same things are already possible with wanin's savegame installer and with dhewg's wiifuse_server. It's probably even easier to use one of those two solutions to achieve your goals. However, you can still grab the results here.
The current version doesn't get the MAC address from the Wii so you either have to create NG-mac yourself or just hope that an empty address also works.
Please note that I just verified that this tool works by using tachtig to check the signature and tried only one savegame on my Wii.

I have not tested this on Win but the gecko stuff will probably work if I didn't do something really wrong as I'm using dhewg's code from wiiload.
To compile mkwiisave just type make like you did with the previous versions of segher's tools. Compiling the wii-server works the same: Change to its root directory and run make there.
You still need the sd-key, sd-iv and the md5-blanker, and also some more files because the ES_Sign request only works with certain privileges: root-tik, root-tmd and root-certs. Those three files are the Tik, TMD and certificate chain for a title that is allowed to run certain ES functions - find out yourself where to get them and don't bug anyone about them. They're still much easier to get than the NG keys.

The usage of mkwiisave has not changed at all. You just need to make sure that you have the WIIESSERVER environment variable set to your USB Gecko device (e.g. /dev/ttyUSB0) and you'll need to run the es-server.dol on your Wii before starting it.

All this would not have been possible without the reversing of the /dev/es functions by bushing and marcan, segher's great (public) wii tools and dhewg's wiiload code I borrowed.
I just did some small modifications to those tools so thank and/or donate to them if you like this ;)
However, this is not the original twintig but 'just' based on it so don't bug segher or anyone else (this includes me :P) with questions about this!

I originally also wanted to add TCP support to this but removed it again after hunting a stupid bug for about two hours.

http://svenpeter.blogspot.com/2008/06/mkwiisave-using-ios-calls-instead-of-ng.html

evanm18
June 23rd, 2008, 14:05
Very interesting. I'm excited to see how well this works in comparison to what we've been using so far.

gamesquest1
June 23rd, 2008, 19:29
So I know nothing about programming or editing saves really, but how do you decrypt already made saves? For just editing for fun, or could you risk breaking the Wii if you put a badly hacked save on it??
Also, would this now enable save editors to be created once you are able to sign them on your own Wii with your own Wii's unique code :D