Update to v1.2.8.

* Dumps SD Key from the ES module from the running IOS (loaded from NAND). * Dumps SD IV and MD5 Blanker from the System Menu binary. * Saves the raw device.cert to the SD card root. * Replaced tabs with spaces in the output keys.txt file. * Improvements to the OTP/SEEPROM read functions. Unaligned reads are now handled more efficiently. * Fixed an issue where trying to read SEEPROM data starting from an offset higher than zero would return garbage data. * Added an unused SEEPROM write function capable of handling unaligned writes. Might be useful for someone else.
DarkMatterCore · May 21, 2020 · 5c04b77 · 5c04b77
1 parent f9cabca
commit 5c04b77
Show file tree

Hide file tree

Showing 16 changed files with 1,279 additions and 115 deletions.
diff --git a/HBC/boot.dol b/HBC/boot.dol
diff --git a/HBC/boot.elf b/HBC/boot.elf
diff --git a/HBC/meta.xml b/HBC/meta.xml
@@ -1,17 +1,23 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <app version="1.1">
 	<name>Xyzzy</name>
-	<version>1.2.7</version>
-        <release_date>20200508000000</release_date>
+	<version>1.2.8</version>
+        <release_date>20200521000000</release_date>
 	<coder>Bushing, DarkMatterCore</coder>
 	<short_description>Extract your Wii console keys!</short_description>
 	<long_description>Xyzzy is a homebrew application that allows the extraction of the OTP and SEEPROM Encryption Keys.
 
-This modified version uses full hardware access through the HW_AHBPROT flag to read the both OTP and SEEPROM chips, copy their data to a memory buffer and retrieve the console keys. Thus, it no longer installs a modified IOS11 nor uses PatchMii.
+This modified version uses full hardware access through the HW_AHBPROT flag to read the OTP and SEEPROM chips, the System Menu binary and the ES module from the current IOS, in order to retrieve the console keys. Thus, it no longer installs a modified IOS11 nor uses PatchMii.
 
 Other changes include:
 
-* Compatibility with USB devices.
-* Support for GCN controllers and newer WiiMotes.</long_description>
+* Compatibility with USB mass storage devices.
+* Support for GCN controllers and newer WiiMotes.
+* Retrieves SD IV, MD5 Blanker and MAC address.
+* Besides generating a "keys.txt" file with a hexdump of every dumped key, these files are also created:
+    * "bootmii_keys.bin" (follows the BootMii keys.bin format).
+    * "device.cert" (raw device certificate dump).
+    * "otp.bin" (raw OTP memory dump).
+    * "seeprom.bin" (raw SEEPROM memory dump) (Wii only).</long_description>
 	<ahb_access/>
 </app>
diff --git a/Makefile b/Makefile
@@ -25,21 +25,21 @@ INCLUDES	:=
 # options for code generation
 #---------------------------------------------------------------------------------
 
-CFLAGS	= -g -O2 -Wall $(MACHDEP) $(INCLUDE)
+CFLAGS	= -g -O2 -Wall -Wno-unused-variable $(MACHDEP) $(INCLUDE)
 CXXFLAGS	=	$(CFLAGS)
 
 LDFLAGS =	-g $(MACHDEP) -Wl,-Map,$(notdir $@).map
 
 #---------------------------------------------------------------------------------
 # any extra libraries we wish to link with the project
 #---------------------------------------------------------------------------------
-LIBS	:=	 -lfat -lwiiuse -lbte -logc -lm
+LIBS	:=	 -lfat -lwiiuse -lbte -lm -logc -lruntimeiospatch
 
 #---------------------------------------------------------------------------------
 # list of directories containing libraries, this must be the top level containing
 # include and lib
 #---------------------------------------------------------------------------------
-LIBDIRS	:= 
+LIBDIRS	:= $(CURDIR)/portlibs
 
 #---------------------------------------------------------------------------------
 # no real need to edit anything past this point unless you need to add additional

diff --git a/portlibs/include/runtimeiospatch.h b/portlibs/include/runtimeiospatch.h
@@ -0,0 +1,143 @@
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, version 2.0.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License 2.0 for more details.
+
+// Copyright (C) 2010		Joseph Jordan <joe.ftpii@psychlaw.com.au>
+// Copyright (C) 2012-2013	damysteryman
+// Copyright (C) 2012-2015	Christopher Bratusek <nano@jpberlin.de>
+// Copyright (C) 2013		DarkMatterCore
+// Copyright (C) 2014		megazig
+// Copyright (C) 2015		FIX94
+
+#ifndef __RUNTIMEIOSPATCH_H__
+#define __RUNTIMEIOSPATCH_H__
+
+/**
+ * Version information for Libruntimeiospatch.
+ */
+#define LIB_RUNTIMEIOSPATCH_VERSION "1.5.4"
+
+//==============================================================================
+// HW_RVL header
+//==============================================================================
+#if defined(HW_RVL) /* defined(HW_RVL) */
+
+/**
+ *Returns true when HW_AHBPROT access can be applied
+ */
+#define AHBPROT_DISABLED (*(vu32*)0xcd800064 == 0xFFFFFFFF)
+
+//==============================================================================
+// Error code definitions:
+//==============================================================================
+#define ERROR_AHBPROT       -5
+#define ERROR_PATCH         -7
+
+//==============================================================================
+// C++ header
+//==============================================================================
+#ifdef __cplusplus
+extern "C" {
+#endif
+/* __cplusplus */
+
+//==============================================================================
+// Patchsets:
+//==============================================================================
+/*
+Wii:
+    * DI Readlimit
+    * ISFS Permissions
+    * ES SetUID
+    * ES SetIdentify
+    * Hash Check (aka Trucha)
+    * New Hash Check (aka New Trucha)
+    * SSL patches
+
+Sciifii:
+    * MEM2 Prot
+    * ES OpenTitleContent 1 & 2
+    * ES ReadContent Prot
+    * ES CloseContent
+    * ES TitleVersionCheck
+    * ES TitleDeleteCheck
+
+vWii:
+   * Kill Anti-SystemTitle-Install 1, 2, 3, 4 & 5
+*/
+
+
+//==============================================================================
+// Functions:
+//==============================================================================
+
+/**
+ * This function can be used to keep HW_AHBPROT access when going to reload IOS
+ * @param verbose Flag determing whether or not to print messages on-screen
+ * @example 
+ *      if(AHBPROT_DISABLED) {
+ *          s32 ret;
+ *          ret = IosPatch_AHBPROT(false);
+ *          if (ret) {
+ *              IOS_ReloadIOS(36);
+ *          } else {
+ *              printf("IosPatch_AHBPROT failed.");
+ *          }
+ *      }
+ * @return Signed 32bit integer representing code
+ *      > 0             : Success   - return equals to number of applied patches
+ *      ERROR_AHBPROT   : Error     - No HW_AHBPROT access
+ */
+s32 IosPatch_AHBPROT(bool verbose);
+
+
+/**
+ * This function applies patches on current IOS
+ * @see Patchsets
+ * @param wii Flag determing whether or not to apply Wii patches.
+ * @param sciifii Flag determing whether or not to apply extra Sciifii patches.
+ * @param vwii Flag determing whether or not to apply extra vWii patches.
+ * @param verbose Flag determing whether or not to print messages on-screen.
+ * @example if(AHBPROT_DISABLED) IosPatch_FULL(true, false, false, false);
+ * @return Signed 32bit integer representing code
+ *      > 0             : Success   - return equals to number of applied patches
+ *      ERROR_AHBPROT   : Error     - No HW_AHBPROT access
+ *      ERROR_PATCH     : Error     - Patching HW_AHBPROT access failed
+ */
+s32 IosPatch_RUNTIME(bool wii, bool sciifii, bool vwii, bool verbose);
+
+
+/**
+ * This function combines IosPatch_AHBPROT + IOS_ReloadIOS + IosPatch_RUNTIME
+ * @see Patchsets
+ * @param wii Flag determing whether or not to apply Wii patches.
+ * @param sciifii Flag determing whether or not to apply extra Sciifii patches.
+ * @param vwii Flag determing whether or not to apply extra vWii patches.
+ * @param verbose Flag determing whether or not to print messages on-screen.
+ * @param IOS Which IOS to reload into.
+ * @example if(AHBPROT_DISABLED) IosPatch_FULL(true, false, false, false, 58);
+ * @return Signed 32bit integer representing code
+ *      > 0             : Success   - return equals to number of applied patches
+ *      ERROR_AHBPROT   : Error     - No HW_AHBPROT access
+ *      ERROR_PATCH     : Error     - Patching HW_AHBPROT access failed
+ */
+s32 IosPatch_FULL(bool wii, bool sciifii, bool vwii, bool verbose, int IOS);
+
+//==============================================================================
+// C++ footer
+//==============================================================================
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+//==============================================================================
+// HW_RVL footer
+//==============================================================================
+#endif /* defined(HW_RVL) */
+
+#endif
diff --git a/portlibs/lib/libruntimeiospatch.a b/portlibs/lib/libruntimeiospatch.a
diff --git a/source/main.c b/source/main.c
@@ -2,6 +2,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <gccore.h>
+#include <runtimeiospatch.h>
 
 #include "tools.h"
 
@@ -26,8 +27,15 @@ int main(int argc, char **argv)
     if (AHBPROT_DISABLED)
     {
         /* HW_AHBPROT flag is disabled */
-        ret = XyzzyGetKeys(vWii);
-        if (ret != -2) printf("\nPress any button to exit.");
+        printf("Applying runtime IOS patches, please wait...\n\n");
+        ret = IosPatch_RUNTIME(true, false, false, false);
+        if (ret > 0)
+        {
+            ret = XyzzyGetKeys(vWii);
+            if (ret != -2) printf("\nPress any button to exit.");
+        } else {
+            printf("Failed to apply runtime IOS patches! Press any button to exit.");
+        }
     } else {
         /* HW_AHBPROT flag is enabled */
         printf("The HW_AHBPROT hardware register is not disabled.\n");