Wii VC Hack One Step Closer
nickjaco
01-07-2007, 03:04 PM
As the title says: when hex editing my Wii browser and Wii Sonic, I noticed
Root-CA00000001-MS00000002..........................................NG041b320c......................................................j.Ya..'L..^......4....L.P....g.g.....2..Ua.a.)....9.HNI.;..T)............................................................................yP..3.66...|..6...6.z.......u7^..tp.....|o..V]..N<...<w.................................................................Root-CA00000001-MS00000002-NG041b320c...............................AP0000000100000002..........
while a downloaded version of F-Zero from a different console has this:
........Root-CA00000001-MS00000002..........................................NG020c8d87......................................................j..!....'......PdUp7.8..[..e....]i...A..P..E....>...C...Fr...........................................................................[IH....>)8$y..f...AF.l|y.:=......r@..$.#.e....'.8...r..>...................................................................Root-CA00000001-MS00000002-NG020c8d87...............................AP0000000100000002..
Notice the difference in the NG number:
Sonic and browser from my console: NG041b320c
F-Zero has a different code from mine: NG020c8d87
I changed the code for F-Zero and noticed the console no longer said "this item cannot be copied to this console", but it will start to copy and then say that the data was not copied. I suggest this is due to region differences.
Tripo
01-07-2007, 04:20 PM
Nice to hear.
Then it's only a matter of finding the part in a hex edit where the region part is.
pro2oman
01-07-2007, 04:28 PM
Why don't you try to change the code of F-Zero to the code you get from your Wii and then try it on your Wii?
If this works, all you need is an SD card and a hex editor and VC games are hacked!!
Sorry, did not see the last part :D :D :D
Try to get another VC from your region, and could you tell me where to get VC from (not downloaded with Wii Points)?
nickjaco
01-07-2007, 04:33 PM
As soon as I get someone to test it with me, I will do so.
GalaxyFraulein
01-07-2007, 05:20 PM
Guess you found the data which holds the unique code for the Wii.
I can confirm.
Tried my version of Bomberman '93 - it's the PAL version.
Root-CA00000001-CP00000004 Root-CA00000001-MS00000002 NGxxxxxxxx Root-CA00000001-MS00000002-NGxxxxxxxx AP0000000100000002
NGxxxxxxxx (8 times the x) shows the unique code.
Mine is different from yours, but I'm not posting the string :)
This also shows that the ROOT phrase is used three times:
first time - no code (-> perhaps init string?!?)
second time - with code
third time - with code and an appendix
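A scanner that pulls these name strings out of a raw dump, so the comparison the posters are doing by eye can be run over whole files. This is an added example written for this page, not code from the thread or from Nintendo, and it assumes only what the quoted strings show: names of the form Root-CA<8 hex>[-MS<8 hex>][-NG<8 hex>], standalone NG<8 hex> and AP<16 hex> strings, and non-printable filler between them. The two sample buffers are constructed from the IDs quoted above (the filler bytes are placeholders, not real VC data), and rewrite_console_id reproduces the hex edit nickjaco describes without claiming the result is a file the console will accept.

```python
"""Scan hex-editor style dumps for the Root-CA/MS/NG/AP name strings seen
in the thread. Added example: the byte layout is an assumption built from
the quoted strings, not Nintendo's real format."""
from __future__ import annotations
import re

# A chain is "Root" followed by one or more "-<type><8 hex>" components.
CHAIN_RE = re.compile(rb"Root(?:-(?:CA|MS|NG)[0-9a-fA-F]{8})+")
# Standalone subject names; the lookbehind excludes the NG that sits at the
# tail of a chain, so each occurrence is reported once.
NAME_RE = re.compile(
    rb"(?<![0-9A-Za-z-])(NG[0-9a-fA-F]{8}|AP[0-9a-fA-F]{16})(?![0-9A-Za-z])")


def _sample(ng_id: str) -> bytes:
    """Constructed dump in the shape quoted in the thread; \\x00 stands in
    for the bytes the hex editor showed as dots."""
    ng = ng_id.encode()
    return (b"\x00" * 8 + b"Root-CA00000001-MS00000002" + b"\x00" * 42
            + b"NG" + ng + b"\x00" * 36
            + b"Root-CA00000001-MS00000002-NG" + ng + b"\x00" * 31
            + b"AP0000000100000002" + b"\x00" * 10)


SAMPLE_MINE = _sample("041b320c")    # "Sonic and browser from my console"
SAMPLE_FZERO = _sample("020c8d87")   # "F-Zero ... from a different console"


def find_chains(blob: bytes) -> list[tuple[int, list[str]]]:
    """(offset, [component, ...]) for every Root-... chain, e.g.
    (8, ['CA00000001', 'MS00000002'])."""
    return [(m.start(), m.group(0).decode().split("-")[1:])
            for m in CHAIN_RE.finditer(blob)]


def find_names(blob: bytes) -> list[tuple[int, str]]:
    """(offset, name) for standalone NG/AP names."""
    return [(m.start(1), m.group(1).decode()) for m in NAME_RE.finditer(blob)]


def console_ids(blob: bytes) -> set[str]:
    """Every NG id referenced, from chain tails and standalone names."""
    ids = {p[2:] for _, parts in find_chains(blob) for p in parts if p.startswith("NG")}
    ids |= {n[2:] for _, n in find_names(blob) if n.startswith("NG")}
    return ids


def rewrite_console_id(blob: bytes, old: str, new: str) -> tuple[bytes, int]:
    """The hex edit from the thread: swap every NG<old> for NG<new>.
    Returns the patched buffer and the number of replacements. The thread
    reports that a file edited this way still fails to copy."""
    if len(old) != 8 or len(new) != 8:
        raise ValueError("NG ids are 8 hex digits")
    count = blob.count(b"NG" + old.encode())
    return blob.replace(b"NG" + old.encode(), b"NG" + new.encode()), count


def diff_ids(a: bytes, b: bytes) -> dict[str, set[str]]:
    """Which console ids appear only in a, only in b, and in both."""
    ia, ib = console_ids(a), console_ids(b)
    return {"only_a": ia - ib, "only_b": ib - ia, "both": ia & ib}


if __name__ == "__main__":
    print(find_chains(SAMPLE_MINE))
    print(diff_ids(SAMPLE_MINE, SAMPLE_FZERO))
    patched, count = rewrite_console_id(SAMPLE_FZERO, "020c8d87", "041b320c")
    print(count, console_ids(patched))
```

Run it against two real .bin files read with open(path, "rb").read() and diff_ids shows at once whether the NG id is the only named thing that differs; everything the scanner cannot name (the filler between the strings) is exactly the part the thread has not accounted for.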
GalaxyFraulein
01-07-2007, 05:47 PM
I'm still working.
Next guess: I figured out that the Wii does a check of this NG........ phrase.
First thing:
NG yy zzzzzz
yy = 04 (PAL), 02 (US)
zzzzzz = console ID, which is checked with an algorithm which returns true or false.
Why is that so: I only changed one letter. Tried it in the Wii - and the channel doesn't appear in the SD card menu!
@nickjaco
I also have a PAL system.
I tried your "1b320c" - the channel is displayed in the SD card menu.
But when I want to copy - it says something like...
"The file was not copied possibly." And for sure, it wasn't copied with your code.
When I change back to my normal "code" it is working and copied!
pro2oman
01-07-2007, 06:13 PM
So if you need your ID code you can get it from something like your Opera browser, right? Or could there be a formula or something for your ID number??? And could you tell me where you get your VC and hex editor?? I could try, but I need VC.
:D :D :D :D :cool:
LilaQ
01-07-2007, 06:14 PM
Hey,
@GalaxyFraulein:
Nice to hear someone is making progress on the Wii, and I'm really glad you (obviously) found the unique Wii code.
My guess why the simple exchange of the unique codes won't work is that I guess there is, more or less, a simple CRC check in / at the end of the VC file that will give the Wii an error when you want to copy that game. I think this CRC check is the output of a mathematical combination of the unique code and some lines of the VC game, so I myself think it would be hard to modify the CRC data in a way that the game would run. (Additionally we don't even know where in the file that data is stored, probably at the end, but who knows.)
Just my 2 cents, let me hear your thoughts about it.
LilaQ
P.S. I think it would really help if we could compare as many VC games as possible, from different users, different countries etc., so we can guess a little bit more about the single meanings in this code. Unluckily I don't own any...
GalaxyFraulein
01-07-2007, 06:26 PM
@LilaQ
Let's hope that there is no more CRC check ;)
I hope so :D
@pro2oman
Hex editor from the net.
VC game: original download :D
pregi
01-07-2007, 06:28 PM
Changed my ID code to the ID code from another Wii, but the other Wii didn't recognize my VC game.
Both Wiis have the same region.
GalaxyFraulein
01-07-2007, 06:34 PM
Changed my ID code to the ID code from another Wii, but the other Wii didn't recognize my VC game.
Both Wiis have the same region.
The game must be visible in the card menu, otherwise I guess you've made a mistake.
I tried with my modified games with nickjaco's numbers and also with another NTSC game. The NTSC game also shows up - but can't be copied!
LilaQ
01-07-2007, 06:37 PM
Could anyone here send me a VC game so I could take a closer look at it?
Please send me a PM if you can, TIA.
This is old. When VC games were first released to the net, I tried taking my Wii code from when I downloaded a game and putting it into the ones released to the net. It will show up, but you can't play or do anything.
GalaxyFraulein
01-07-2007, 06:47 PM
Hmmm, a friend of mine and I have tried to check this.
I injected his code (extracted from the Opera browser) into my VC Bomberman data.
He tried - checked the channel menu - he saw the game.
But when "Copy" was clicked, the standard message pops up:
"The file was not copied possibly." And it wasn't copied at all.
So, there must be more in the file to analyse.
I call it a day... and go to bed.
Tomorrow a new chance.... ;)
At the risk of being called arrogant, I'll label this thread as amateur hacking. I'm not saying I could do better, but I know this:
If it was just a matter of some trivial hex editing, the VC would have been hacked a few days after launch. However, Nintendo isn't that stupid. I'm pretty sure the system uses some kind of encryption using a key that you won't find on the memory card.
For example: each Wii has a unique ID, transmits it to the server at purchase, the server adds it to the game, encrypts or signs it using the private Nintendo key. When launched, the console checks if the file is signed properly and refuses to launch it otherwise.
Obviously this is no more than a wild guess, but given that Nintendo encrypts even the content on the discs, I'd be very surprised if they wouldn't encrypt the VC games.
Maybe I totally misunderstand this thread and it's a huge breakthrough after all. In that case I'd gladly eat a Wiimote :D
phantomdjp
01-07-2007, 07:48 PM
As the title says: when hex editing my Wii browser and Wii Sonic, I noticed
Root-CA00000001-MS00000002..........................................NG041b320c......................................................j.Ya..'L..^......4....L.P....g.g.....2..Ua.a.)....9.HNI.;..T)............................................................................yP..3.66...|..6...6.z.......u7^..tp.....|o..V]..N<...<w.................................................................Root-CA00000001-MS00000002-NG041b320c...............................AP0000000100000002..........
while a downloaded version of F-Zero from a different console has this:
........Root-CA00000001-MS00000002..........................................NG020c8d87......................................................j..!....'......PdUp7.8..[..e....]i...A..P..E....>...C...Fr...........................................................................[IH....>)8$y..f...AF.l|y.:=......r@..$.#.e....'.8...r..>...................................................................Root-CA00000001-MS00000002-NG020c8d87...............................AP0000000100000002..
Notice the difference in the NG number:
Sonic and browser from my console: NG041b320c
F-Zero has a different code from mine: NG020c8d87
I changed the code for F-Zero and noticed the console no longer said "this item cannot be copied to this console", but it will start to copy and then say that the data was not copied. I suggest this is due to region differences.
We already know that since... there are Virtual Console games... nothing new...
CZroe
01-07-2007, 08:14 PM
At the risk of being called arrogant, I'll label this thread as amateur hacking. I'm not saying I could do better, but I know this:
If it was just a matter of some trivial hex editing, the VC would have been hacked a few days after launch. However, Nintendo isn't that stupid. I'm pretty sure the system uses some kind of encryption using a key that you won't find on the memory card.
For example: each Wii has a unique ID, transmits it to the server at purchase, the server adds it to the game, encrypts or signs it using the private Nintendo key. When launched, the console checks if the file is signed properly and refuses to launch it otherwise.
Obviously this is no more than a wild guess, but given that Nintendo encrypts even the content on the discs, I'd be very surprised if they wouldn't encrypt the VC games.
Maybe I totally misunderstand this thread and it's a huge breakthrough after all. In that case I'd gladly eat a Wiimote :D
I echo this sentiment. One important thing to note is that the SD card contains the data portion only, for freeing up internal memory. The purchased license and executable are stored on the Wii and do not copy to the SD card. This is why Nintendo has to "recover" your stuff should you need a new Wii (all they do is confirm your purchase history if possible and attach that to your new Wii). It's much like iTunes. You can throw 'em on your iPod, but the data that shows that you own it stays with iTunes... though iTunes has a way to allow the portable device to play it. ;)
LilaQ
01-07-2007, 08:17 PM
I don't get it: there are keygens for new software just days after the release, but no one managed to somehow get the key of the Xbox/Xbox 360/Wii etc. Is it THAT different? I don't think there are much more complex algorithms used than in 'simple' software or games.
LilaQ
I don't get it: there are keygens for new software just days after the release, but no one managed to somehow get the key of the Xbox/Xbox 360/Wii etc. Is it THAT different? I don't think there are much more complex algorithms used than in 'simple' software or games.
LilaQ
We can run debuggers on PCs. We can't on consoles.
That's the difference.
4LTJ4
01-07-2007, 08:49 PM
I made a comparison with WinDiff (yeah, that's "Diff" for Windows n00bs...)
of my Bomberman VC and the original Bomberman ROM (PC-Engine/TG-16).
The original ROM is split into 4 parts, but I can't remember the exact addresses, and since I don't know enough to interpret more of these things... I'm screwed :p
!! Maybe someone could try to inject another PC-Engine/TG-16 ROM !!
(Anyone ever tried it?)
phantomdjp
01-07-2007, 08:54 PM
We can run debuggers on PCs. We can't on consoles.
That's the difference.
That is A difference, not "the".
A keygen is something really simple.
A program does:
"Enter a name" (for example)
"Enter a key"
> compare the key generated from the name with the key
A keygen almost copy/pastes that, but instead of "compare" it's "print the key"... not really hard (almost...).
Here, with the Wii, we don't talk about a simple key, but encryption!
It's like hacking the CSS protection of DVDs or that of Blu-ray / HD-DVD, or even the DRM on MP3s...
It can be done, BUT it takes a long time and you have to know what you're doing...
We can run debuggers on PCs. We can't on consoles.
That's the difference.
No, that's not THE difference. The point is: the private key is never on the console. Read up on how RSA works and you'll understand.
I can give you a small hint at how it works:
The manufacturer (Nintendo) makes a key pair, a private and a public key that belong together. The private key never leaves the company and is heavily protected.
It gets used to sign or encrypt the stuff that gets released (Xbox executable, Wii disc, VC game). The console only knows the public key, which is no secret, thus the name. When it runs the game/disc it uses the public key to verify that the content is signed (or uses it to decrypt if it was encrypted with the private key).
To crack this you have three options (I can think of):
1) Find the private key by brute force, that is trying all possible combinations, which can take hundreds of years
2) Steal the private key
3) Modify the public key that is stored somewhere on the console. You could then change it to a public key of your choice, for example one that you know the private key to. Obviously you'd first have to get access to that part of the system via a modchip (or similar).
This is why it's so hard to crack a properly done protection like XBE signing or (probably) VC games. If you have full access to the console, it's possible to work around it.
A keygen for software is something completely different. When you enter the key into the software, it has to check if it's correct. This check can be "watched" by a cracker who can then reverse it to create a correct key that passes this check. This is how you make a keygen. Or the cracker could change the program's code to simply skip the check, which is called a crack.
And while we're on the topic, many people wonder why you can't make a "keygen for online play". The answer is simple: there's no check in the software if a key is valid for online play. That check is only done on the company's authentication server that nobody has access to. I could go into further detail but you get the picture...
EDIT: Disclaimer: I wrote this while phantomdjp answered. The stuff I wrote is not Wii related; I did not do any Wii VC research before posting this, in fact I don't even own a Wii. This is console protection 101 and I just assume that Nintendo uses this for the Wii (and VC).
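The scheme the post above describes, worked through in code: the vendor signs a container that names one console, the console holds only the vendor's public key, and the thread's hex edit plus the three "options" are each tried against that check. This is an added example for this page, not Nintendo's format or code. Everything about the container (b"NG" + console id + b"|" + payload) is an assumption chosen to mirror the strings quoted in the thread, and the signature is textbook RSA over SHA-256 with small, deterministically generated keys so the block runs stand-alone; a real signer uses 2048-bit or larger keys, a CSPRNG and PKCS#1 or PSS padding.

```python
"""Model of the sign-at-the-vendor, verify-on-the-console scheme described
in the post above. Added example for this page: not Nintendo's format or
code. Assumed container layout: b"NG" + console id + b"|" + payload.
Textbook RSA over SHA-256 with seeded ~320-bit keys keeps it self-contained;
real systems use 2048-bit+ keys, a CSPRNG and PKCS#1/PSS padding."""
from __future__ import annotations
import hashlib
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(seed: int, bits: int = 160) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)). Seeded so the example is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits, rng), _gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")  # 256 bits < n


def sign(priv: tuple[int, int], msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg), d, n)


def verify(pub: tuple[int, int], msg: bytes, sig: int) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest(msg)


def issue(vendor_priv: tuple[int, int], console_id: bytes, payload: bytes) -> tuple[bytes, int]:
    """Vendor side: bind the content to one console id, then sign the whole container."""
    body = b"NG" + console_id + b"|" + payload
    return body, sign(vendor_priv, body)


def console_accepts(trusted_pub: tuple[int, int], body: bytes, sig: int, my_id: bytes) -> bool:
    """Console side: it holds only the vendor public key. Check the signature
    first, then that the container names this console."""
    if not verify(trusted_pub, body, sig):
        return False
    return body.startswith(b"NG" + my_id + b"|")


def scenario() -> dict[str, bool]:
    """The thread's hex edit and the three options the post lists."""
    vendor_pub, vendor_priv = keygen(seed=1)
    attacker_pub, attacker_priv = keygen(seed=2)
    mine, other = b"041b320c", b"020c8d87"      # the two ids quoted in the thread
    body, sig = issue(vendor_priv, other, b"F-ZERO payload (constructed)")
    edited = body.replace(b"NG" + other, b"NG" + mine)   # the hex edit from the thread
    resigned = sign(attacker_priv, edited)
    return {
        "original on the console it was issued to": console_accepts(vendor_pub, body, sig, other),
        "original copied to my console": console_accepts(vendor_pub, body, sig, mine),
        "id hex-edited, vendor signature kept": console_accepts(vendor_pub, edited, sig, mine),
        "id hex-edited, re-signed with attacker key": console_accepts(vendor_pub, edited, resigned, mine),
        "attacker public key installed as trusted (option 3)": console_accepts(attacker_pub, edited, resigned, mine),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {case}")
```

Only the last case is accepted, and only because the trusted public key on the console was replaced: editing the id, or re-signing with a key the console does not trust, fails the verify step before the id is even compared, which is the point the post makes about why the private key never needs to be on the console.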
nickjaco
01-07-2007, 11:15 PM
Attempted this with a mate of mine, just need him to ring me.
GalaxyFraulein
01-08-2007, 02:38 AM
Okay, fine - let's call this amateur hacking.
But it is better to do something than not to do something (but post negative flames here) :)
And I hadn't known that this method was already tried.
Then I'll quit searching ;)
Cront
01-08-2007, 02:49 AM
Surely you don't honestly believe this is "NEWS"? Check some Wii hacking forums; people figured this out just after VC dumps showed up on the net. However, the NG number isn't the only variable, and what you didn't think to compare was two of the same game from different people. Go download R-Type from one of the places offering the .bin files on the net, stick your NG number in there and see if it works. All it does is change the error msg.
Okay, fine - let's call this amateur hacking.
But it is better to do something than not to do something (but post negative flames here) :)
And I hadn't known that this method was already tried.
Then I'll quit searching ;)
If you're referring to my post, it wasn't meant to be a flame. I tried to explain thoroughly why this approach is very naive. The problem here was not the amateur hacking but whichever mod thought this was first page material. Go ahead and hex edit away, I'm just saying that you're very unlikely to succeed.
BloodShed
01-08-2007, 07:24 AM
No, that's not THE difference. The point is: the private key is never on the console. Read up on how RSA works and you'll understand.
Exactly. Not to mention that digital signatures are invalid once the data is modified in ANY way.
There's no doubt that the values being referenced are related to your system ID. Further, because the images are different, the signature is different (but valid) for all downloads. It seems everyone is only getting past one simplistic error check to keep users from wasting time copying files to a Wii that it won't work on. They probably don't care to do a full key check until you copy the file because it will take longer to execute.
These images most likely use RSA 128-bit or even 256-bit keys. It would take an eternity to brute force the keys. The only way VC is getting hacked is by hacking the console, not the image.
darkfader
01-08-2007, 05:06 PM
No, that's not THE difference. The point is: the private key is never on the console. Read up on how RSA works and you'll understand.
He didn't say it was THE difference, but that it was the difference. There's a difference imho.
And not being able to run a debugger is as much a valid difference as it being PKI-based. A lot of PKI-based software/hardware is still being compromised just because some secret information got out or some foreign code got in (a 'patch').
In the end, proprietary hardware is the real difference. Software is a piece of cake compared to that.
And I agree this thread is bullshit. Every single guy that thinks he has a clue creates one. Sad.
Mephanis
01-08-2007, 05:38 PM
darkfader,
STFU, you mucked up the DS scene and now you're doing it to the Wii scene. You're a loser.
You need to get a life and a gf.
:mad: :mad:
mr.slacker
01-08-2007, 10:08 PM
I don't mean to be the annoying guy who registers just to make a post flaming a valid idea, but I think you're going to run into some trouble, nickjaco. This has been explored in the past to some extent, without any real results. I haven't looked at the compiled .bins of the VC games yet, so I can't say whether what you've found with the NG* reference relates to the console the game belongs to, but I think it's kind of a moot point; the VC games are encrypted in a way that you aren't going to be able to make any usable changes via hex editing.
The CA references you found refer to "certificate authority". I'm by no means an expert on cryptography, so I won't even try to butcher an explanation of what this means, but you can read about it here: http://en.wikipedia.org/wiki/Certificate_authority and here: http://en.wikipedia.org/wiki/Root_certificate if you're interested.
As I understand it, by the time the VC games get to your Wii, it's pretty much the end of the line. When you download from Nintendo's servers, your game gets downloaded in parts: a TMD file (which contains info on the certificate authority among other things), and additional data files (you can check these files out for yourself here: http://darkfader.net/wii/vc/ ). Once your Wii receives these files, it combines them into a .bin file (likely encrypting it using some sort of key on your Wii). So, once it's in a .bin file, I think it's pretty much locked to your console, possibly even encrypted with some sort of key specific to your console, thus changing that one string in a hex editor wouldn't do much. I'm guessing that NG* stuff could possibly relate to the CA certificate?
So yeah, I don't mean to discourage you from trying, especially as you're actually trying and experimenting with your theory as opposed to just creating something ridiculous and expecting other people to do the work, but I just wanted to share as much as I know (though I don't think I stated it very well...). Anyway, happy hacking, and good luck.
Oh, and Mephanis: there probably wouldn't be a DS scene without darkfader. I don't think the fact that a few over-eager pirates messed up their DSs is enough to flame darkfader and write him off as detrimental to the Wii scene... though I really don't think he cares what you, or I, or anyone else thinks about his reputation, so, whatev...
EnterTheHatrix
01-12-2007, 02:38 AM
How the hell is this progress?
The NG code in the games is a console identifier for which game came from which console. If you own the game, the NG code doesn't matter.
I figured that out months ago..
The Wii archives the VC games and puts them on the SD card. The game is then extracted, with the help of a file checklist which is permanently stored in the Wii's memory, to the directory Root-CA00000001-MS00000002. If the game's directory and file table isn't in there, the games won't copy across. Those files are only created through the TMD files when downloading the game, but you also need Nintendo's key to install them in the first place.
On top of all of that, the NG code has a checksum which, if it isn't correct, the Wii will reject flat out.
The only way to circumvent all of this is to set up a private server and send the TMD files through the shop to your Wii, but Nintendo locked that exploit out. Hacking VC games isn't possible, and you are in NO way any closer because you discovered your console has an NG code.
That doesn't defeat the checksum, and that doesn't defeat the Wii's file list.
outphase
01-12-2007, 03:46 AM
darkfader,
STFU, you mucked up the DS scene and now you're doing it to the Wii scene. You're a loser.
You need to get a life and a gf.
:mad: :mad:
I'm sure darkfader has done significantly more for the scene to be considered a part of it than you could be.
noowii
01-16-2007, 06:42 PM
..........
sonicemerald
02-03-2007, 12:09 PM
Has anyone tried anything with My Nintendo screen names? I know that when you go onto the VC shop for the first time it asks you to put in your screen name and password to link your account up with the online one at nintendo.com.
Has anyone tried having the same screen name on two Wiis?
Or if that doesn't work, maybe you could log out of the account on one Wii and then log in on the other one.
(Get a friend you'd trust your password with.)
Another idea I had was:
What if you had to have the save data AND the actual .bin file or whatever in order to copy it correctly (in the certain path)?
vBulletin® v3.8.4, Copyright ©2000-2009, Jelsoft Enterprises Ltd.