
Wii U Derrek tweet explained: what does BOOT1_FAIL mean?

Discussion in 'English Forums' started by StandardBus, 20 Jun 2016.

  1. StandardBus (Staff, joined 15 Dec 2014)

    [image: Derrek's tweet]


    Derrek sent this tweet only hours ago, generating some interest and enthusiasm on Reddit and on many console hacking forums, especially after smea retweeted it.
    What does this mean? Is the Wii U finally hacked?

    Let's clarify some points:

    Derrek published a SHA-1 hash, not a key

    With his tweet Derrek wanted to make the world aware that he owns the Wii U Boot1 key, also tagging Nintendo (which of course owns the key) and the fail0verflow team (whose members hacked the entire Wii U security system long ago, but released very little relevant information).
    The SHA-1 hash is meant to prove that he really holds the key.

    The string "56DD59752E6AF1E55FC2EE7074ABE2D2C9E70A10" is nothing but the unique fingerprint of the key that allows decrypting the boot1 stage of the console's boot sequence; it is not the key itself. The SHA-1 does not contain enough information to rebuild the key from it.
    The SHA-1 is useless on its own, and that is why he published it.
    To benefit from this discovery, the Wii U scene would need the key in plaintext, not in the form of a SHA-1 hash. On the other hand, Derrek, plutoo and smea are no strangers to releases that let us run homebrew on consoles, as we have seen both from their talk at the 32nd Chaos Communication Congress and from all the releases of recent months.

    What the OTP and Boot1 are, and how they managed to obtain the key

    The Wii U has a security system very similar to those used on other game consoles, in which a very small non-writable memory (the OTP: 1 KB split across 8 banks of 128 bytes each) contains the information needed to encrypt, decrypt and validate every stage until the console's operating system is fully launched.
    This technique for checking file validity offline is called a "chain of trust".

    On the 3DS, the bug that allowed users to read the OTP memory contents via software was present on system version 2.1. On newer releases Nintendo made the OTP memory inaccessible after the first boot stages, which is why one has to downgrade to 2.1 in order to dump it.

    Extracting the OTP on the Wii U gave hackers several essential pieces of information that bring them closer to a permanent hack, instead of having to manually launch an exploit after every boot.
    The OTP also contains the key to decrypt the Wii U Boot1 stage.
    For those wishing to learn more, full details of the Wii U OTP memory are given on this page.

    Boot1 plays an essential role in powering up the console: it is part of the chain of trust and starts the IOSU image (the console's native operating system).

    What the Boot1 key is

    The Boot1 key is used by the Boot0 stage to decrypt Boot1, so anyone who owns it can analyze that software looking for bugs. Rewriting Boot1 would not make much sense, since its purpose is to start IOSU.

    Anyway, the fact that Derrek has gone so deep into exploring the console's system is still a positive sign that work is in progress, so hopefully the scene will receive some user-friendly methods to launch homebrew.
     
    #1
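The point the post makes about the tweet (a digest commits to a key without revealing it) is worth seeing in code. The block below is an added example, not code from the post or from Derrek; it shows the commit/reveal check anyone could run the day the key is published, and, as the practitioner's caveat, why the digest protects the key only because the key space is large: the same brute-force walk that is hopeless for 16 bytes recovers a 2-byte key in milliseconds. Assumptions, labelled in the code: the key is 16 bytes (an AES-128-sized stand-in, not the real Boot1 key), DEMO_KEY is constructed, and the 1e12 SHA-1/s rate is a rough figure for illustration, not a benchmark. Known SHA-1 collision attacks do not give a preimage, so they do not change this picture.

```python
import hashlib
import hmac
from typing import Optional

# Digest quoted in the post above (Derrek's tweet). Its preimage is not known here.
PUBLISHED_SHA1 = "56DD59752E6AF1E55FC2EE7074ABE2D2C9E70A10"

# Constructed stand-in for a console key: 16 bytes, the size assumed here for
# an AES-128 boot key. This is NOT the real Boot1 key.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA-1 digest, the form used in the tweet."""
    return hashlib.sha1(data).hexdigest().upper()


def commitment_matches(published_hex: str, candidate_key: bytes) -> bool:
    """Reveal step: does candidate_key hash to the published digest?

    This is the check anyone can run once a key dump circulates, to confirm
    it is the key the digest committed to. compare_digest is constant time;
    for a public digest that is only a habit, but a harmless one.
    """
    return hmac.compare_digest(sha1_hex(candidate_key),
                               published_hex.strip().upper())


def brute_force_preimage(target_hex: str, key_len: int,
                         limit: Optional[int] = None) -> Optional[bytes]:
    """Walk the key_len-byte key space in order; return the first preimage found.

    Feasible only for tiny key_len. For 16 bytes the 'limit' argument is the
    only reason the call terminates, and None is the expected answer.
    """
    space = 256 ** key_len
    stop = space if limit is None else min(space, limit)
    target = target_hex.strip().upper()
    for i in range(stop):
        cand = i.to_bytes(key_len, "big")
        if sha1_hex(cand) == target:
            return cand
    return None


def years_to_exhaust(key_len: int, hashes_per_second: float = 1e12) -> float:
    """Years needed to walk the whole key_len-byte space at the given rate.

    1e12 SHA-1/s is an assumed ballpark for a large GPU rig (illustration only).
    """
    space = 256 ** key_len
    return space / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Commit today, reveal later: the digest is all the public sees now.
    digest = sha1_hex(DEMO_KEY)
    print("published:", digest)
    print("reveal verifies:", commitment_matches(digest, DEMO_KEY))

    # The demo key is not the preimage of the tweeted digest.
    print("demo key matches tweet:", commitment_matches(PUBLISHED_SHA1, DEMO_KEY))

    # A 2-byte 'key' is trivially recovered from its hash...
    tiny = b"\x12\x34"
    print("2-byte preimage:", brute_force_preimage(sha1_hex(tiny), 2))

    # ...while a 16-byte key space is out of reach for anyone.
    print("years for 16 bytes at 1e12 H/s: %.2e" % years_to_exhaust(16))
```

Usage: run the file directly for the printed walk-through, or import it and call commitment_matches(PUBLISHED_SHA1, key_bytes) against a candidate dump. The digest is compared as upper-case hex so a lower-case copy of the tweet still verifies.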
