xyzzy.c

xyzzy is a program for the Nintendo Wii which will read a console s OTP key storage and dump out the

/*  xyzzy -- keydumper for Wii

    Copyright (C) 2008 bushing

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, version 2.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <ogcsys.h>
#include <gccore.h>
#include <fat.h>

static void *xfb = NULL;
static GXRModeObj *rmode = NULL;
typedef void (*Loader_Entry)(void);

Loader_Entry loader = (Loader_Entry)0x80001800;
int hid = 0;

signed_blob *ios_tmd = NULL;
signed_blob *ios_tik = NULL;

u8 *ios_buffer = NULL;

typedef struct {
  u8 in_use;
  u16 data[16];
  u8 pad[3];
} __attribute__((packed)) keystore_t;

typedef struct {
  u8 in_use;
  u8 type;
  u16 pad0;
  u32 permission_mask;
  u32 unk0;
  u32 keyid;
  s16 index;
  u16 pad1;
} __attribute__((packed)) keyring_t;

#define KEYSTORE_SIZE 0x40
#define KEYRING_SIZE 0x20
#define KEYSTORE_ADDR 0x936496f4
#define KEYRING_ADDR  0x93649ff4

static keystore_t keystore[KEYSTORE_SIZE];
static keyring_t keyring[KEYRING_SIZE];

int validate_keystore(keystore_t *ks);
int validate_keyring(keyring_t *kr);
void print_key(FILE *fp, u32 k);

void print_all_keys(void) {
  int i;
  FILE *fp = NULL;
  if (fatInitDefault()) {
	chdir ("fat:/");
	fp = fopen("keys.txt", "w");
	if (!fp) perror("Unable to open keys.txt for writing\n");
  } else {
  	printf ("fatInitDefault failed (no card inserted?), not writing keys to card\n");
  }

  //  printf("Console ID: %08x\n", keyring[1].keyid);
  for (i = 0; i < KEYRING_SIZE; i++) {
    if (validate_keyring(&keyring[i])) {
		print_key(stdout, i);
		if (fp) print_key(fp, i);
    }
  }
  if (fp) {
	char devcert[0x200];
	memset(devcert, 42, 0x200);
	i = ES_GetDeviceCert(devcert);
	if (i) printf("ES_GetDeviceCert returned %d\n", i);
	else {
		fprintf(fp, "\n\nDevice cert:\n");
		hexdump(fp, devcert, 0x180);
	}
	fclose(fp);
	//	fatUnmount(PI_DEFAULT);
  }
}

char *key_names[] = {
  "ECC Priv Key",
  "Console ID  ",
  "NAND AES key",
  "NAND HMAC   ",
  "Common key  ",
  "PRNG seed ",
  "SD key      ",
  "Unk key 1   ",
  "Unk key 2   ",
  "Unk key 3   ",
  "Unk key 4  ",
  NULL};

void print_key(FILE *fp, u32 k) {
  	int i;
	if (k > sizeof(key_names)/sizeof(char *)) {
		printf("Error: invalid key index %d\n", k);
		return;
	}
	
	if (keyring[k].type == 0x36) return;   // dont print unknown keys
  	fprintf(fp, "\n[%d] %s:\t", k, key_names[k]);

    keystore_t ks = keystore[keyring[k].index];

	for (i=0; i<16; i++) {
      	if (ks.data[i] == 0) break;
  		switch (keyring[k].type) {
			case 0x35: fprintf(fp, "%08x\n", keyring[1].keyid); return;
			case 4:
				fprintf(fp, "%04x ", ks.data[i]);
				if ((i%6) == 5) fprintf(fp,"\n\t\t\t\t  ");
			break;
  			case 1:
				fprintf(fp,"%04x ", ks.data[i]);
				if (i == 4) fprintf(fp,"\n\t\t\t\t  ");
			break;
			case 0:
				fprintf(fp, "%04x ", ks.data[i]);
				break;
    	}
	}
  fprintf(fp, "\n");
}

int validate_keystore(keystore_t *ks) {
  //  printf("validate_keystore(%d)\n",i);
  if (ks->in_use == 1 &&
      ks->pad[0] == 0 &&
      ks->pad[1] == 0 &&
      ks->pad[2] == 0) return 1;
  return 0;
}

int validate_keyring(keyring_t *kr) {
  if (kr->in_use == 1 &&
      kr->type != 0xFF &&
      kr->pad0 == 0 &&
      kr->pad1 == 0) return 1;
  return 0;
}

int check_hack_success(void) {
  int r=0, s=0, i;

  for (i = 0; i < KEYSTORE_SIZE; i++) 
    if (validate_keystore(&keystore[i])) s++;

  for (i = 0; i < KEYRING_SIZE; i++) 
    if (validate_keyring(&keyring[i])) r++;

  printf("Found %d valid keystore entries and %d valid keyring entries.\n",
	 s, r);

  if (r > 3 && s > 3) // arbitrary
    return 1;
  else return 0;
}

#define ALIGN(a,b) ((((a)+(b)-1)/(b))*(b))


void copy_keys(void) {
  void *starlet_keystore = (void *) KEYSTORE_ADDR;
  void *starlet_keyring = (void *) KEYRING_ADDR;

  memcpy(keystore, starlet_keystore, sizeof(keystore));
  memcpy(keyring, starlet_keyring, sizeof(keyring));
}

int main(int argc, char **argv) {

	VIDEO_Init();
	PAD_Init();
	
    rmode = VIDEO_GetPreferredMode(NULL);

	xfb = MEM_K0_TO_K1(SYS_AllocateFramebuffer(rmode));
	console_init(xfb,20,20,rmode->fbWidth,rmode->xfbHeight,rmode->fbWidth*VI_DISPLAY_PIX_SZ);
	
	VIDEO_Configure(rmode);
	VIDEO_SetNextFramebuffer(xfb);
	VIDEO_SetBlack(FALSE);
	VIDEO_Flush();
	VIDEO_WaitVSync();
	if(rmode->viTVMode&VI_NON_INTERLACE) VIDEO_WaitVSync();

	int ret;
	
	ISFS_Initialize ();
	printf("\n\n\n\n");
	patchmii_network_init();
	
//	printf("Loading keyhack IOS: \n");

//		ret = get_title_version((1ULL << 32) | 253); 
//printf("Version number of title is %d\n", ret);
//	ret = IOS_ReloadIOS(253);
	ret = install_temporary_ios(11);
	if (ret) printf("Warning, error installing keyripper IOS\n");
	ret = load_temporary_ios();
	if(ret) printf("Warning, error loading keyripper IOS: %d\n", ret);
	printf("\nLoaded IOS: %d.%d.%d\n", 
		IOS_GetVersion(),
		IOS_GetRevisionMajor(),
		IOS_GetRevisionMinor());

	copy_keys();
	check_hack_success();

	printf("\b .... Keys!\n");
	sleep(2);
	print_all_keys();

	cleanup_temporary_ios();	 
	printf("Enjoy! (c) 2008 bushing / hackmii.com\n");

	sleep(60);
	return 0;
}