Regarding the tweezer attack and the found keys...

Posted by ShovAge 
January 03, 2009 12:39PM
Hello all,

First, sorry for my poor English. I'm French, you know.
I'm new to Wii hacking, so my questions could be boring for the Wii gurus.

I watched with much interest the 25c3 videos.
I understood that the tweezer attack has allowed access to the common keys and all the other interesting keys.

Why don't these keys allow signing content?
Why do we have to fakesign homebrew if we have all the keys?

Then, regarding the attack itself: I know that you explained how it worked in the video.
However, my understanding of English is quite limited, and bushing does not speak particularly slowly.

So, I understood that the Broadway is restarted to use GameCube mode and that MEM2 (private memory?) is not cleared at this time.
But I still do not understand how the attack worked. Is there good documentation somewhere about the process used?

Thanks in advance for your help.
Regards,
ShovAge
Re: Regarding the tweezer attack and the found keys...
January 03, 2009 01:08PM
Quote
ShovAge
Why don't these keys allow signing content?
Why do we have to fakesign homebrew if we have all the keys?
Because we only have one set of keys.
[en.wikipedia.org]

Quote
ShovAge
But I still do not understand how the attack worked. Is there good documentation somewhere about the process used?
To read from specific memory, there are address lines going to the memory chips. These can either have a voltage on or off (usually 3V (or it might be 5V, but I'll use 3V for this case) for Hi and 0.5V for Lo). Setting them Hi indicates the address. However, with physical intervention, you can arbitrarily change the address by applying a Hi voltage or grounding the line (~0V). This way, the Wii still drives the address lines with what it thinks is one address; however, the physical manipulation means the memory chip reads from a different address than the one requested.

Edit: Let's add an example:

Say we have 16 address lines. The memory range is 0x0000 to 0xFFFF (64KB). Now say the lockdown limits it to 12 address lines (0x0000 to 0x0FFF): you lose the top end.

  CPU Address Line 0 | --------------------------------------- | Memory Address Line 0
  CPU Address Line 1 | --------------------------------------- | Memory Address Line 1
  CPU Address Line 2 | --------------------------------------- | Memory Address Line 2
  ... ...
  CPU Address Line A | --------------------------------------- | Memory Address Line A
  CPU Address Line B | --------------------------------------- | Memory Address Line B
  CPU Address Line C | --------------------------------------- | Memory Address Line C
  CPU Address Line D | --------------------------------------- | Memory Address Line D
  CPU Address Line E | --------------------------------------- | Memory Address Line E
  CPU Address Line F | --------------------------------------- | Memory Address Line F
Okay, this is a basic diagram where what comes out of the CPU matches the memory chip. In our restricted mode, lines C, D, E, and F will always be forced to 0 (Lo, ~0.5V), meaning the memory will never read from anything higher than 0x0FFF.

Let's say we connect +3V to Memory Address line F, which sets it to +3V (Hi, bit=1). The processor still requests address line F as 0, but because we've physically altered the address lines, the data at 0x8FFF will be returned, despite the limit at 0x0FFF.


Does that help?



Edited 2 time(s). Last edit at 01/03/2009 01:16PM by whodares.
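The 16-line bus sketch in the reply above, as an added simulation (not code from the thread, and not the Wii's real memory map): the lockdown masks the top four lines on the CPU side, while the "tweezer" override is applied on the wire between CPU and chip, so it is not subject to the mask. The layout, the secret's location and its contents are constructed for illustration; the model also generalises to forcing several lines at once, which lets you pick which 4KB window of the 64KB space the restricted reads are redirected to.

```python
"""Toy model of an address-line override on a locked-down bus.

Constructed example: 16 address lines, a lockdown that forces lines
C..F (bits 12-15) low on the CPU side, and a physical override that ties
chosen lines high or low after that point. Nothing here is real Wii data.
"""

ADDR_LINES = 16
LOCKDOWN_LINES = 12                      # lines C, D, E, F forced to 0
FULL_MASK = (1 << ADDR_LINES) - 1        # 0xFFFF
LOCK_MASK = (1 << LOCKDOWN_LINES) - 1    # 0x0FFF


def lockdown(requested):
    """What the CPU actually drives onto the bus in restricted mode."""
    return requested & LOCK_MASK


def physical_override(driven, force_hi=(), force_lo=()):
    """The 'tweezer': tie chosen lines to +3V (hi) or ground (lo)
    regardless of what the CPU drives. Applied after the lockdown."""
    addr = driven
    for line in force_hi:
        addr |= 1 << line
    for line in force_lo:
        addr &= ~(1 << line)
    return addr & FULL_MASK


def effective_address(requested, force_hi=(), force_lo=()):
    """Address the memory chip sees for a given CPU request."""
    return physical_override(lockdown(requested), force_hi, force_lo)


def bus_read(memory, requested, force_hi=(), force_lo=()):
    """One byte read, as seen by the CPU."""
    return memory[effective_address(requested, force_hi, force_lo)]


def dump(memory, start, length, force_hi=(), force_lo=()):
    """Read `length` bytes starting at CPU address `start`."""
    return bytes(bus_read(memory, start + i, force_hi, force_lo)
                 for i in range(length))


SECRET = b"constructed-secret"   # stand-in for key material, not real data
SECRET_ADDR = 0x8000             # above the 0x0FFF lockdown limit


def build_memory():
    """64KB image with the constructed secret placed in the locked region."""
    mem = bytearray(1 << ADDR_LINES)
    mem[SECRET_ADDR:SECRET_ADDR + len(SECRET)] = SECRET
    return mem


if __name__ == "__main__":
    mem = build_memory()
    # Restricted mode: asking for 0x8000 silently reads 0x0000 (zeros).
    print(dump(mem, SECRET_ADDR, len(SECRET)))
    # Line F (bit 15) tied high: asking for 0x0000 actually reads 0x8000.
    print(dump(mem, 0x0000, len(SECRET), force_hi=(15,)))
```

The CPU-side loop in `dump` never asks for anything above 0x0FFF; only the override moves the window. That is the whole point of the reply: the restriction is enforced on what the CPU drives, not on what the chip sees.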
Re: Regarding the tweezer attack and the found keys...
January 03, 2009 03:01PM
Quote
whodares
Because we only have one set of keys.

I thought that the common key was an RSA private key or something like that.
I re-read it: [wiibrew.org]
In fact, the extracted common key is an AES one, so it does not allow signing any content.
Sorry for this question. I'll try not to do it again.


Quote
whodares
Does that help?

Thank you so much for your example. I watched the video another time, and this time I understood bushing's words.
What a great job they have done!



Edited 1 time(s). Last edit at 01/03/2009 03:32PM by ShovAge.
Re: Regarding the tweezer attack and the found keys...
January 03, 2009 03:11PM
Quote
ShovAge
Quote
whodares
Because we only have one set of keys.

I thought that the common key was an RSA private key or something like that.
I re-read it: [wiibrew.org]
In fact, the extracted common key is an AES one, so it does not allow signing any content.
Yes, we have the Wii's private key; however, for code to validate we need to sign it. The signatures are generated from Nintendo's private key, and not the Wii's. Therefore, to duplicate a valid signature, you would need Nintendo's private key.

Quote
ShovAge
Sorry for this question. I'll try not to do it again.
Asking questions like this is good! It's how you learn.

Quote
ShovAge
Is there a common private/public RSA or ECC key somewhere?
If you download xyzzy [hackmii.com] (also on WiiBrew.org if you search), it will let you read all the keys on your Wii.



Edited 1 time(s). Last edit at 01/03/2009 03:11PM by whodares.
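The point made in the reply above (the console holds the AES common key and the signer's public key, so it can decrypt and verify, but producing a signature needs the private key the signer keeps) as an added toy demonstration. This is not code from the thread and has nothing to do with Nintendo's actual key material or signing format: it is textbook RSA with constructed 16-bit primes and a truncated digest, chosen only so the arithmetic is visible.

```python
"""Toy sign/verify demo: public exponent on the 'console', private
exponent only with the 'publisher'. Constructed, insecure parameters."""

import hashlib

# Constructed small primes (a real signing key would be 2048-bit or more).
P, Q = 65521, 65537
N = P * Q
E = 17                                   # public exponent: what the console holds
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: what only the signer holds


def digest(content):
    """SHA-1 truncated to 31 bits so it fits below the toy modulus."""
    return int.from_bytes(hashlib.sha1(content).digest()[:4], "big") & 0x7FFFFFFF


def sign(content, d=D, n=N):
    """Publisher side: needs the private exponent."""
    return pow(digest(content), d, n)


def verify(content, sig, e=E, n=N):
    """Console side: needs only the public exponent and modulus."""
    return pow(sig, e, n) == digest(content)


def console_accepts(content, sig):
    """What a loader does: check the signature against the content it
    is about to run, using public material only."""
    return verify(content, sig)


if __name__ == "__main__":
    official = b"constructed-title-content"
    sig = sign(official)
    print(console_accepts(official, sig))             # signed content: accepted
    print(console_accepts(b"constructed-homebrew", sig))  # reused signature: rejected
```

Everything `console_accepts` needs is `E` and `N`, which is why dumping a console's keys (the AES common key included) gives you what it takes to decrypt and verify, but not `D`, and `D` is the only input that lets `sign` run.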
Re: Regarding the tweezer attack and the found keys...
January 03, 2009 03:41PM
Hi,

Quote

Therefore to duplicate a valid signing, you would need Nin's private key.
Yeah, you're right!
I think it's a really well-guarded secret.

I'm currently reading this:
[hackmii.com]

It answers my questions, but I think that I will have many others when I finish...

Thanks for your help.
Re: Regarding the tweezer attack and the found keys...
January 05, 2009 04:46PM
Here, read my new idea here:

[forum.wiibrew.org]