Regarding the tweezer attack and the found keys... January 03, 2009 12:39PM | Registered: 15 years ago Posts: 19 |
Re: Regarding the tweezer attack and the found keys... January 03, 2009 01:08PM | Registered: 15 years ago Posts: 443 |
Quote
ShovAge
Why don't these keys allow signing content?
Why do we have to fakesign homebrews if we have all the keys?

Because we only have one set of keys.

Quote
ShovAge
But I still do not understand how the attack worked. Is there somewhere good documentation about the process used?

To read from specific memory, there are address lines going to the memory chips. These can either have a voltage on or off (usually 3V (or might be 5V, but I'll use 3V for this case) for Hi and 0.5V for Lo). Setting them Hi indicates the address. However, with physical intervention, you can arbitrarily change the address by applying a Hi voltage or grounding the line (~0V). This way, the Wii still sends the address lines as what it thinks is one address; however, the physical manipulation means the memory chip reads from a different address than requested.

CPU Address Line 0 | --------------------------------------- | Memory Address Line 0
CPU Address Line 1 | --------------------------------------- | Memory Address Line 1
CPU Address Line 2 | --------------------------------------- | Memory Address Line 2
...                                                              ...
CPU Address Line A | --------------------------------------- | Memory Address Line A
CPU Address Line B | --------------------------------------- | Memory Address Line B
CPU Address Line C | --------------------------------------- | Memory Address Line C
CPU Address Line D | --------------------------------------- | Memory Address Line D
CPU Address Line E | --------------------------------------- | Memory Address Line E
CPU Address Line F | --------------------------------------- | Memory Address Line F

Okay, this is a basic diagram where what comes out of the CPU matches the memory chip. In our restricted mode, lines C, D, E, and F will always be forced to 0 (Lo, ~0.5V), meaning the memory will never read from anything higher than 0x0FFF.
Re: Regarding the tweezer attack and the found keys... January 03, 2009 03:01PM | Registered: 15 years ago Posts: 19 |
Quote
whodares
Because we only have one set of keys.

Quote
whodares
Does that help?
Re: Regarding the tweezer attack and the found keys... January 03, 2009 03:11PM | Registered: 15 years ago Posts: 443 |
Quote
ShovAge
  Quote
  whodares
  Because we only have one set of keys.
I thought that the common key was an RSA private one or something like that.
I re-read it: [wiibrew.org]
In fact, the extracted common key is an AES one. So it does not allow signing any content.

Yes, we have the Wii's private key; however, for code to validate we need to sign it ourselves. The signatures are generated from Nintendo's private key, and not the Wii's. Therefore, to duplicate a valid signing, you would need Nin's private key.

Quote
ShovAge
Sorry for this question. I'll try not to do it again.

Asking questions like this is good! It's how you learn.

Quote
ShovAge
Is there somewhere a common private/public RSA or ECC key?

If you download xyzzy [hackmii.com] (also on WiiBrew.org if you search), this will allow you to read all the keys on your Wii.
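The distinction whodares draws above, between the AES common key that every console holds and the RSA private key that only Nintendo holds, as an added example that is not code from this thread, from hackmii or from any Wii project. It uses textbook RSA over two small constructed primes, a XOR stream cipher standing in for AES, SHA-256 truncated to 32 bits so the hash fits under the toy modulus, and made-up names (vendor_publish, console_load, attempt_with_console_keys); none of the key values are real Wii or Nintendo material.

```python
"""Added example (not from the thread or any Wii project): why holding the
shared symmetric "common key" is not the same as holding the vendor's
signing key.  Everything here is a toy: textbook RSA over two small
constructed primes, a XOR stream cipher standing in for AES, and SHA-256
truncated to 32 bits so the hash is smaller than the tiny modulus."""

import hashlib

# Constructed toy RSA key pair standing in for the vendor's signing key.
P, Q = 1000003, 1000033            # small primes, chosen for the example only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)
VENDOR_PUBLIC_KEY = (N, E)         # every console holds this: it can only verify
VENDOR_PRIVATE_KEY = (N, D)        # only the vendor holds this: it can sign

# Constructed stand-in for the symmetric content key that every console holds.
COMMON_KEY = b"constructed-toy-common-key"


def _digest_int(data: bytes) -> int:
    """SHA-256 of the data, truncated to 32 bits so it is smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def sign(private_key, data: bytes) -> int:
    """Textbook RSA signature: hash^d mod n.  Needs the private exponent."""
    n, d = private_key
    return pow(_digest_int(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Textbook RSA verification: signature^e mod n must equal the hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher.  Encrypting and decrypting are the same operation
    with the same key, which is exactly why a shared symmetric key proves
    nothing about who produced the content."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def vendor_publish(content: bytes):
    """Vendor side: sign with the private key, encrypt with the common key."""
    return xor_stream(COMMON_KEY, content), sign(VENDOR_PRIVATE_KEY, content)


def console_load(encrypted: bytes, signature: int):
    """Console side: decrypt with the common key, then check the signature
    against the vendor's public key.  Returns the content, or None on failure."""
    content = xor_stream(COMMON_KEY, encrypted)
    return content if verify(VENDOR_PUBLIC_KEY, content, signature) else None


def attempt_with_console_keys(content: bytes):
    """Someone holding only the keys stored on the console can encrypt and
    decrypt with COMMON_KEY, but the only RSA material they have is the public
    exponent, so the best "signature" they can compute uses that."""
    n, e = VENDOR_PUBLIC_KEY
    return xor_stream(COMMON_KEY, content), pow(_digest_int(content), e, n)


if __name__ == "__main__":
    enc, sig = vendor_publish(b"vendor-signed title (constructed)")
    print("vendor title loads:", console_load(enc, sig) is not None)
    enc, sig = attempt_with_console_keys(b"homebrew title (constructed)")
    print("console-key 'signature' loads:", console_load(enc, sig) is not None)
```

Running the script shows that a title signed with the private exponent loads, while content that was merely re-encrypted under the common key and "signed" with the public exponent is rejected: the common key lets the console, and anyone who has extracted it, decrypt content, but decrypting is not the same as proving who produced it.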
Re: Regarding the tweezer attack and the found keys... January 03, 2009 03:41PM | Registered: 15 years ago Posts: 19 |
Quote
whodares
Therefore, to duplicate a valid signing, you would need Nin's private key.

Yeah, you're right!
Re: Regarding the tweezer attack and the found keys... January 05, 2009 04:46PM | Registered: 15 years ago Posts: 920 |