“Brazilian USB Loader”: The hack that sets the Wii U scene on fire again
A few days ago, the Wii U scene was set on fire by some videos shared by an obscure Brazilian group, showing “backup” games being loaded directly from a USB hard drive onto their Wii U.
Although some of the early videos and “proof” were quickly made private, it took less than a day for the Wii U scene to confirm the hack was legit.
Piracy on the Wii U has been possible for quite some time now, but people have been reporting that this new technique goes well beyond what was possible until now. Technically, no loader is required with this new method: the games simply appear in the Wii U’s main menu as if they had been installed legitimately.
Because piracy was already present on the Wii U, this is probably not going to impact Nintendo’s bottom line much more than it already has. People have been quick to report the benefits of this method though: games run and load faster, online play and updates are apparently possible*, and there is no need for an external loader since the games appear directly in the menu.
The hack seems to boil down to a mistake in how Nintendo handles the security of their games. A few minor changes to some files (tickets, or .tik files) extracted from the games let an unofficial tool install the game as a “regular” title on the USB hard drive. The scene understood the technique pretty quickly, and it has triggered hundreds of pages of discussion from people loading their “backups” onto the console.
What is still not fully explained at this point is how and why the technique actually works; in other words, where exactly Nintendo made a security mistake.
(Apologies, no source link is given due to the sensitive nature of this topic.)
* It doesn’t sound like a brilliant idea to play online with a “backup” game. Just a thought.
I have a Japanese Wii U, so this hack is useless to me.
Does it only work for Brazilian Wii Us???
It only plays games with the same region as the console.
How exactly is it useless? It was discovered by a Brazilian group, but presumably it works on Wii Us of all regions. It doesn’t let you launch games from other regions, but you should still be able to use it for Japanese games.
That’s the problem: there is no single Japanese game that I have played, and even if there were, the language would keep me from playing it. Better to stay with Loadiine. I still hope there will be a workaround that will make it play other regions though.
Why did you get a Japanese Wii lol
^ This. Taiko would be an easy pick for me.
https://www.amazon.com/Taiko-No-Tatsujin-Wii-U-Version/dp/B00F5VG4L8/ref=pd_sbs_63_t_2?ie=UTF8&tag=wagic-20&psc=1&refRID=EWCCT48X8BW40GCBM9N5
Although that requires an extra peripheral (at least the way it’s intended to be played).
A few other games without language dependency:
Super Smash Bros. for Wii U
Splatoon
Super Mario 3D World
Super Mario Maker
Captain Toad Treasure Tracker
Nintendoland
Yoshi’s Woolly World
Sonic Lost World
Mario Kart 8
All the Just Dance games
Terraria
…In fact, now that I think about it, MOST Nintendo games (and a lot of the 3rd party games on Wii U) are not text-heavy. They’re typically driven by visuals, and if you just aren’t getting something about a game and need to watch a youtube video for a couple minutes to learn how to play, that’s really not so bad compared to trying to make your way through a 50+ hour RPG in a foreign language.
Especially if you are getting your “backups” for free, and thus do not have to invest money in a game that you may or may not be able to play easily…
lemme correct that sentence for you then,
“I have Japan Wii U, so my console is useless to me.”
What file system would the drive have to be?
The file system the Wii U will format the drive to.
You have to use the Wii U’s proprietary format. E.g., plug it in and let the Wii U format it. This will erase all data, and you cannot partition the drive.
Well shoot… the only way I get a Wii U is if I can play backups online.
You can.
“much more than it already was”
Correction: much more than it already has
“The hack seems to all boil down to some mistake on how Nintendo are handling the security of their games.” awkward phrasing.
Incorrect: The technique was understood by the scene pretty quickly and has triggered hundreds of pages of discussions from people loading their “backups” on the console. Passive voice, always use active–this one is a bit awkward as well.
Incorrect: (Apologies, no source link given the sensitive nature of this topic)
Correction: (Apologies, no source link is given due to the sensitive nature of this topic.)
– This in itself is a fragment, and there were a few words missing prior to the above correction.
Incorrect: * It doesn’t sound like a brilliant idea to play online with a “backup” game. Just a thought
Correction: * It doesn’t sound like a brilliant idea to play online with a “backup” game. Just a thought.
– Using a period works.
Correction: * It doesn’t sound like a brilliant idea to play online with a “backup” game, just a thought.
– Using a comma works as well.
It’s just a guess, but it’s probably not a weakness in the tickets. Why?
Nintendo uses the same ticket system from the Wii on the 3DS. The tickets for those systems have a field to determine which system the ticket is for, so it’s possible that they just reused the same ticket structure for the Wii U. As for why that would make it easy to pirate games: all content on those systems is encrypted with a content-unique title key. That key is stored encrypted in the ticket structure, along with the console ID that the ticket is for, and is signed by Nintendo (assuming it’s a valid ticket). That title key must be decrypted before the content itself can be decrypted and used by the system. So in theory it’s secure, but in reality, once the title key is known the content can be decrypted at any time.
In the case of the 3DS, the encrypted title key is protected by a key X (loaded by the bootrom) and a key Y (derived from the ticket and title headers). Neither of these is console or NNID account unique, so the key is decryptable by any 3DS by default once you get kernel access to the 3DS’s AES engine. The only thing that “protects” it is the signature on the ticket that authenticates the ticket data to a 3DS, and the Console ID field that says which 3DS is authorized to use it. Even if there were console-specific protections on the title key, however, it would still be useless, as the content data could be decrypted once the key was known. (The 3DS / eShop account that bought it has to be able to decrypt it.)
So it’s not really a weakness in the ticket system. It’s a weakness in that you can’t protect the title key easily. The whole reason that the games use a CONTENT-unique title key instead of a per-system or per-NNID-account title key is Nintendo’s reliance on CDNs (Content Distribution Networks) as a cost-saving measure. (They don’t want to provide the infrastructure themselves. It’s too expensive, and is easier to DDoS.) All of the data you download from the eShop (it doesn’t matter what it is) is stored on a CDN somewhere (one that is supposedly near you physically, and thus gives you faster download speeds). The only thing you download from Nintendo when you get something from the eShop is the ticket, authorized for your Console ID and signed by Nintendo for the data you downloaded. (They sign it when you hit the last download button after any required purchase is complete.) That’s the reason they cannot protect the content with per-console / per-account keys: the data is not encrypted by them in real time when the purchase / download is made. It’s encrypted once, prior to being made available on the eShop, and stored on the CDN. The CDNs don’t support doing real-time encryption of the data that they hold for others. Nor would Nintendo want them to, as that would give them leverage over their content sales and could lead to a leak. (Extra party in the trust chain.)
Also, on the 3DS they made it so that a single bit in the exheader of a game controls where the system looks for the content data (Game Card or SD Card). Changing the bit changes where the system loads the data from, and the games themselves are required to use the system’s SDK for accessing their content data to facilitate this. (This allows them to offer any game in both physical and digital form without changing the game’s code. Only the exheader must be changed and the ticket must be re-signed.) So the current methods for running backups on the 3DS are just using the same method that Nintendo would use to do the same thing. The only difference is we just disable the signature checks prior to installing or running the games, whereas Nintendo simply re-signs them.
I say all of this for three reasons: 1. The mechanism for loading the games is BUILT IN by default for that exact purpose. 2. The ticket mechanism used by the Wii U is very likely to reuse it. 3. The ticket system is not the real issue. It’s the fact that the users got access to the system kernel and now own it.
This was a great explanation. This whole Wii U USB installation “fiasco” basically boils down to using a tool to grab the CDN files, then using a title.tik file from an original disc title for the same region and version you grabbed from the CDN. Then looking at the title.tik file in a hex editor and changing 2 bytes: first removing a 0x02 binary value from a byte, then XOR-ing another one with the same 0x02 byte. Offsets can easily be found by comparing an unmodified and a modified one. It apparently seems that no re-signing is necessary to change where the game loads its data from (disc or system memory).
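To make the argument in the two comments above concrete, here is a toy model of the ticket scheme they describe. It is an example added for this page, not code from the original post, from Nintendo, or from any scene tool. It assumes only the vocabulary used in the comments (a content-unique title key, wrapped inside the ticket under a platform-wide common key, a console ID, and a publisher signature over the ticket); the field layout, the common key, the title ID, the content blob and the console IDs are all constructed for the example, and Ed25519 stands in for Nintendo's RSA signature. Neither the real common key nor the real .tik offsets appear here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Ticket is a constructed stand-in for the ticket described in the comments:
// the title it covers, the console it was issued to, the title key wrapped
// under a platform-wide common key, and the publisher's signature over all of
// that. Field sizes and order are made up for this example, not the .tik format.
type Ticket struct {
	TitleID     [8]byte
	ConsoleID   uint32   // 0 means "any console"
	EncTitleKey [16]byte // AES-128-CBC under the common key, IV = TitleID zero-padded
	Signature   []byte   // Ed25519 here as a stand-in for Nintendo's RSA signature
}

// signedBytes is what the publisher signs: everything except the signature.
func (t *Ticket) signedBytes() []byte {
	var b bytes.Buffer
	b.Write(t.TitleID[:])
	binary.Write(&b, binary.BigEndian, t.ConsoleID)
	b.Write(t.EncTitleKey[:])
	return b.Bytes()
}

// cbc runs AES-128-CBC over block-aligned data in one direction.
func cbc(key, iv, in []byte, decrypt bool) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// titleKeyIV zero-pads the 8-byte title ID to one AES block (assumed convention).
func titleKeyIV(titleID [8]byte) []byte {
	iv := make([]byte, aes.BlockSize)
	copy(iv, titleID[:])
	return iv
}

// unwrapTitleKey recovers the title key from a ticket. Nothing here depends on
// the console ID or on the signature: the common key alone is enough.
func unwrapTitleKey(commonKey []byte, t *Ticket) []byte {
	return cbc(commonKey, titleKeyIV(t.TitleID), t.EncTitleKey[:], true)
}

// Outcome records what each party can do with the same ticket and the same CDN blob.
type Outcome struct {
	OwnerVerifies, OwnerDecrypts                  bool // the console that bought the title
	OtherVerifies, OtherAuthorized, OtherDecrypts bool // a second console handed a copy of the ticket
	EditedVerifies, EditedDecrypts                bool // the ticket hex-edited to name the second console
}

// Demo plays out the scenario from the comments with constructed keys and content.
func Demo() Outcome {
	commonKey := bytes.Repeat([]byte{0x42}, 16) // placeholder; the real common key is secret
	titleKey := make([]byte, 16)
	if _, err := rand.Read(titleKey); err != nil {
		panic(err)
	}
	titleID := [8]byte{0x00, 0x05, 0x00, 0x00, 0x10, 0x10, 0x10, 0x00} // constructed
	content := []byte("CONSTRUCTED GAME CONTENT BLOB 32")             // 32 bytes, block aligned
	contentIV := make([]byte, aes.BlockSize)                          // content index 0, zero-padded

	// Publisher: encrypt the content ONCE for the CDN, then issue a signed ticket to console 0x1111.
	cdnBlob := cbc(titleKey, contentIV, content, false)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	owner := Ticket{TitleID: titleID, ConsoleID: 0x1111}
	copy(owner.EncTitleKey[:], cbc(commonKey, titleKeyIV(titleID), titleKey, false))
	owner.Signature = ed25519.Sign(priv, owner.signedBytes())

	decrypts := func(t *Ticket) bool {
		return bytes.Equal(cbc(unwrapTitleKey(commonKey, t), contentIV, cdnBlob, true), content)
	}
	verifies := func(t *Ticket) bool { return ed25519.Verify(pub, t.signedBytes(), t.Signature) }

	var o Outcome
	o.OwnerVerifies, o.OwnerDecrypts = verifies(&owner), decrypts(&owner)

	// Second console: signature still good, the console-ID check is the only thing that says
	// no, and the title key unwraps anyway because the common key is not console-unique.
	const other uint32 = 0x2222
	o.OtherVerifies = verifies(&owner)
	o.OtherAuthorized = owner.ConsoleID == 0 || owner.ConsoleID == other
	o.OtherDecrypts = decrypts(&owner)

	// Hex-edit the ticket to name the second console: the signature now fails, so the edited
	// ticket only installs where signature checks are disabled; decryption is unaffected.
	edited := owner
	edited.ConsoleID = other
	o.EditedVerifies, o.EditedDecrypts = verifies(&edited), decrypts(&edited)
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Running it prints the Outcome struct. The two results worth looking at are OtherDecrypts being true while OtherAuthorized is false (the console ID is the only gate on a key that every console can unwrap), and EditedDecrypts being true while EditedVerifies is false (a hex-edited ticket installs only once signature enforcement is gone, which is why the comment ties the issue to kernel access rather than to the ticket format).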
We finally have the IOSU exploit too! We can execute code with IOSU permissions. Is there a .ELF to dump the OTP keys?
It's not an “obscure group”.
It was guys from our group.
Proud of you guys.
What's the name of the group, friend?
My SD card slot has broken. Can someone confirm you don't need Homebrew or an SD card to use this?
You need an sd card and homebrew to install the games.
You will only have to use an SD card to transfer the games onto the external HD.
I’d like to have this hack please? lol
It’s a wonder Nintendo didn’t sue for this.