Wii homebrew devs, check it out. It’s Xyzzy v1.1, which you’ll find extremely useful when extracting OTP encryption keys. It doesn’t come with a changelog, but Wii homebrew dev bushing provides a list of the data it extracts and writes to keys.txt on any inserted SD card. Details in the full article.

Bushing is back, and he brings the very useful Xyzzy v1.1 with him. Wii homebrew devs out there may want to give this thing a shot, ’cause it’s very useful in extracting OTP encryption keys. It should automatically save the keys to a text file on your SD, but it also displays them on-screen if ever you need to write them down by hand.

xyzzy extracts the following data:

  • ECC Private Key – used for signatures in various places
  • Console ID – the unique identifier for your Wii
  • NAND AES key – used to encrypt and decrypt the Wii’s NAND
  • NAND HMAC – used to generate or verify a hash of the NAND, and therefore judge its integrity
  • Common key (AES) – used to decrypt keys found on items distributed from Nintendo
  • PRNG seed – a random seed
  • SD key (AES) – used to encrypt and decrypt anything being written to/read from the SD card
  • Device cert – your Wii’s personal cert

You’ve probably seen this before, but for information’s sake, I’ll put it here. This is what xyzzy does automatically.

  • Download IOS11 from the Nintendo Update Server
  • Patch it to remove the MEM2 protection (so the PPC can access all 64MB of it)
  • Patch it to allow it to delete itself later using ES_DeleteTitle()
  • Find an unused IOS slot (counting downward from IOS255)
  • Install the hacked IOS11 there
  • Reboot into the hacked IOS
  • Copy the private key structure from the IOS address space into MEM1
  • Reboot back into a sane IOS
  • Delete the temporary, hacked IOS
  • Display the keys on screen
  • Try to write them to a file on the SD card — keys.txt
  • Pause for 60 seconds to allow you to copy the keys down using pen and paper, if necessary

One last thing. It ain’t pretty, but at least it no longer contains copyrighted code. Bushing reckons you only need to run this once on any given Wii, but it should be safe to run multiple times.

