Wii U Bootrom Dumped
  • Wii U Bootrom Dumped

    By Gary OPA

    Seems that the Wii U scene has just started...

    Looks like the guys over at WiiUHax managed to dump the Wii U's bootrom with an exploit, and its hashes match the ones published by team fail0verfl0w.



    MarioNumber1 and the guys from Wii U Hax have found an exploit to access the Wii U hardware, and they were able to dump the "bootrom.bin", the first file the console accesses to boot.

    Apparently, the hashes match the ones published by team fail0verfl0w (but, as you may know, they never shared their exploit to public due to "lack of interest" in the Wii U).

    Also, it seems that the exploit works in Wii mode (vWii), and supposedly can't be patched by Nintendo through updates...

    Info from Wii U Hax:

    It’s one small step for man, one giant leap for the wii-u scene.

    I Can Exclusively reveal that the first step to a wii-u hack has been completed & tested & working

    I have personally tested the exploit and it is 100% REAL.

    Here Are The Hashes of My Bootrom.bin

    sha-256 (B3DEDC6CA2C411F54F1BFEAC07D6F57DBB06D3CB7AB9A331CF5A7CBF2A50AF69)

    sha1 (3D331B3165F9638C6CD6221702B2F736F7FCF931)

    MD5 (388726887621220A888E9F22E6DB1788)

    They match fail0verflow's

    Many people have worked on bringing this to you, so please give all credit to Bubba, MarioNum1, Hatax2, Odcd007, Joostinonline, Maxternal, Crower & Marcan

    FILESIZE is 16,384 Bytes



    Info from MarioNumber1:

    As the person behind this, I should point out that Nintendo can't patch this exploit through firmware updates. What I (and fail0verflow before me) did was take advantage of a design flaw in the Boot ROM, and the Boot ROM can never be updated. Nintendo could change the Boot ROM with newer Wii U's, but all current Wii U's are vulnerable.

    Dumping the Boot ROM is the first step of reproducing what fail0verflow did to hack the Wii U.

    Yes, all you need to do is run a DOL in vWii mode with AHBPROT access.

    So, it looks like the Wii U scene has just started. More info on the links below!

    NEWS SOURCE #1: Wii U bootrom dumped welcome to the scene (via) WiiUHAX

    NEWS SOURCE #2: Wii U bootrom dumped (via) GBATemp

    Our thanks to 'Gauss' for this news item!
    The Hackmaster

  • #2
    Hmm, still seems Nintendo isn't that serious about protection on its console. That's how the original Wii was hacked because even though the exploit was in GC mode, part of the Wii bootrom (security key) was still in memory and wasn't cleared out fully.
    Last edited by 47iscool; 02-24-2014, 06:14:13 AM.



    • #3
      AES obfuscation on the Wii U bootrom

      By admin

      I’ve read the whole bootrom code and I have to admit that big N has done a good job on hiding where and how it calls the AES code.

      Finding the AES implementation is easy, it’s just before the ancast header check function and after the most useless function.

      Finding how the AES implementation is called, is a little bit hard, for two reasons:

      there are no cross references in the text segment; this means you will not see something like:

      bl AES_Decrypt

      there are no addresses saved in the data segment:

      AES_offset: .long AES_Decrypt

      So how to find it? You have to read the code, because the value is hardcoded and saved in memory at an unknown address (like 0xE0000000); then a function loads that address into the count (CTR) register and jumps there.

      I’ll make an example:

      How it normally should be:



      How it is obfuscated on the Wii U:



      Deroad Said
      The last thing:
      I had a lot of fun reversing the whole bootrom. You’ll find interesting stuff there (but not keys :P).
      Source
      The Hackmaster
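      As an added example (not code from Deroad's write-up or from the Wii U Hax release), here is a small Python pass that recovers the target of a `mtctr`/`bctrl` call of the kind described above, where no cross reference exists because the address is built from constants, parked in memory and loaded back later. It tracks `lis`/`ori`/`addi` constants through `stw`/`lwz`, and runs on a constructed, simplified PowerPC listing whose addresses are invented (0xE0000000 is used as the scratch address because the post names it).

```python
import re

# Constructed sample in simplified objdump style, modelled on the pattern the
# post describes: the AES routine's address is built with lis/ori, stored at a
# scratch address (0xE0000000, as in the post), loaded back later, moved into
# CTR and called with bctrl. A final mtctr from an untracked register shows
# the case the pass cannot resolve statically. All addresses are invented.
LISTING = """\
00000100: lis   r3,0xffe0
00000104: ori   r3,r3,0x1234
00000108: lis   r4,0xe000
0000010c: stw   r3,0(r4)
00000110: bl    0x2000
00000114: lis   r4,0xe000
00000118: lwz   r5,0(r4)
0000011c: mtctr r5
00000120: bctrl
00000124: mtctr r9
00000128: bctr
"""

INSN = re.compile(r"^([0-9a-f]+):\s+(\w+)\s*(.*)$")
MEM = re.compile(r"^(-?(?:0x)?[0-9a-f]+)\((r\d+)\)$")   # off(rA) operand
MASK = 0xFFFFFFFF

def find_hidden_calls(listing):
    """Return [(call_address, target_or_None)] for every bctr/bctrl, resolving
    the target by tracking lis/ori/addi constants through stw/lwz memory."""
    regs, mem, ctr, found = {}, {}, None, []
    for line in listing.splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        addr, op = int(m.group(1), 16), m.group(2)
        args = [a.strip() for a in m.group(3).split(",") if a.strip()]
        if op == "lis":                                  # rD = imm << 16
            regs[args[0]] = (int(args[1], 0) & 0xFFFF) << 16
        elif op in ("ori", "addi") and regs.get(args[1]) is not None:
            base, imm = regs[args[1]], int(args[2], 0)
            regs[args[0]] = (base | imm if op == "ori" else base + imm) & MASK
        elif op in ("stw", "lwz") and (mm := MEM.match(args[1])) \
                and regs.get(mm.group(2)) is not None:   # effective address known
            ea = (regs[mm.group(2)] + int(mm.group(1), 0)) & MASK
            if op == "stw":
                mem[ea] = regs.get(args[0])              # remember what was parked
            else:
                regs[args[0]] = mem.get(ea)              # pick it back up
        elif op == "mtctr":
            ctr = regs.get(args[0])
        elif op in ("bctr", "bctrl"):
            found.append((addr, ctr))                    # None = not recoverable
        elif args and args[0].startswith("r"):
            regs.pop(args[0], None)                      # unknown op: forget rD
    return found
```

      A `None` target means the register fed into CTR was not built from tracked constants, which is exactly the spot where the listing has to be read by hand.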
