Xyzzy

From WiiBrew

xyzzy
General
Author(s): Bushing
Type: System tool
Links
Download

xyzzy is a homebrew application that uses PatchMii to download, patch, and run a version of IOS in order to extract the OTP encryption keys.

Extracted Keys/Data

For a full description of the purpose of each key, see this writeup on HackMii.

xyzzy extracts the following data and writes it to keys.txt on any inserted SD card:

ECC Private Key  
Used for signatures in various places
Console ID  
The unique identifier for your Wii
NAND AES key  
Used to encrypt and decrypt the Wii's NAND
NAND HMAC  
Used to generate/verify a hash of the NAND, and therefore judge its integrity
Common key (AES) 
Used to decrypt encrypted keys found on items distributed from Nintendo
PRNG seed (AES)  
A random seed. Also used to encrypt and decrypt content.bin and pay&play data.bin stored on the SD card.
SD key (AES)  
Used to encrypt and decrypt anything being written to/read from the SD card
Device cert  
Your Wii's personal cert

ReadMe Text

This isn’t the prettiest code I’ve ever written — it doesn’t have much of an interface, and I just threw this release together in a few minutes. However, it’s been exceedingly useful to me, and hopefully some of you will find it useful, too. I’ll quote the README here:

This program will do the following, automatically:

  • Download IOS11 from the Nintendo Update Server
  • Patch it to remove the MEM2 protection (so the PPC can access all 64MB of it)
  • Patch it to allow it to delete itself later using ES_DeleteTitle()
  • Find an unused IOS slot (counting downward from IOS255)
  • Install the hacked IOS11 there
  • Reboot into the hacked IOS
  • Copy the private key structure from the IOS address space into MEM1
  • Reboot back into a sane IOS
  • Delete the temporary, hacked IOS
  • Display the keys on screen
  • Try to write them to a file on the SD card — keys.txt
  • Pause for 60 seconds to allow you to copy the keys down using pen and paper, if necessary

I wrote this a week or two after I killed a Wii trying to reproduce tmbinc’s original Tweezer Hack. May it rest in peace.

The first version of this code just used a patched version of IOS, which was an ugly hack. It’s still an ugly hack, but at least it no longer contains copyrighted code. You should only really need to run it once on any given Wii, but it should be safe to run as much as you want. If nothing else, it demonstrates the kinds of ways you can use PatchMii_core to do something useful (as opposed to just running it and then packaging the result up as cIOS).

Troubleshooting

xyzzy v1.0, powered by PatchMii
Sending things to Earth........
-Error making http request

Bad tik signature!

Try again tomorrow; it will eventually work. Nintendo's servers may be busy.
