
FE100 0.22 with updated keygrabber

June 10th, 2009

I saw the forum thread below and thought an alternative way of extracting the ECC key would be a nice addition to FE100’s keygrabber tool.

Extracting the ECC Key without xyzzy

quoting bushing from there…
>Um… the entire contents of OTP (including all keys) are tacked on the end of the nand.bin dump that BootMii
>creates. Xyzzy is officially obsolete.

>The last 1K of the file contains both the OTP and SEEPROM; you can find the structure definitions here:

>[snipped link to the header file]

Having learned this, I added ECC key extraction from a BootMii NAND dump to the keygrabber tool (third button in the keygrabber to get the keys).
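The layout described in the quote, as an added example (not FE100's or BootMii's code): a Python parser that takes the last 1K of a BootMii nand.bin and splits out NG-priv, NG-key-id and NG-sig. The dump size, the 0x100/0x200 region offsets and the field offsets are assumptions made here, since the header link is snipped; check them against the structure definitions before relying on the output.

```python
import struct

# Assumptions (not from the post): dump geometry, region and field offsets.
NAND_BYTES = 4096 * 64 * (2048 + 64)     # blocks x pages x (data + spare)
TRAILER_BYTES = 1024                      # "the last 1K of the file"
OTP_OFF, OTP_LEN = 0x100, 0x80            # OTP image inside the trailer
SEEPROM_OFF, SEEPROM_LEN = 0x200, 0x100   # SEEPROM image inside the trailer


def read_trailer(path, body_bytes=NAND_BYTES):
    """Return the final 1 KiB of a dump, refusing files of the wrong size."""
    with open(path, "rb") as f:
        size = f.seek(0, 2)
        if size != body_bytes + TRAILER_BYTES:
            raise ValueError(f"unexpected size {size}; key trailer missing?")
        f.seek(-TRAILER_BYTES, 2)
        return f.read(TRAILER_BYTES)


def parse_trailer(trailer):
    """Split the trailer into the NG-priv, NG-key-id and NG-sig fields."""
    if len(trailer) != TRAILER_BYTES:
        raise ValueError("trailer must be exactly 1024 bytes")
    otp = trailer[OTP_OFF:OTP_OFF + OTP_LEN]
    seeprom = trailer[SEEPROM_OFF:SEEPROM_OFF + SEEPROM_LEN]
    if otp.count(otp[0]) == OTP_LEN:      # one byte repeated, e.g. 0x00 or 0xFF
        raise ValueError("OTP region is blank; dump carries no keys")
    (ng_id,) = struct.unpack_from(">I", otp, 0x24)
    (ng_key_id,) = struct.unpack_from(">I", seeprom, 0x08)
    return {"ng_id": ng_id, "ng_priv": otp[0x28:0x28 + 30],
            "ng_key_id": ng_key_id, "ng_sig": seeprom[0x0C:0x0C + 60]}


def build_sample_trailer():
    """Constructed sample: counting bytes, not data from a real console."""
    t = bytearray(TRAILER_BYTES)
    t[OTP_OFF:OTP_OFF + OTP_LEN] = bytes(range(OTP_LEN))
    t[SEEPROM_OFF:SEEPROM_OFF + SEEPROM_LEN] = bytes(range(SEEPROM_LEN))
    return bytes(t)


if __name__ == "__main__":
    keys = parse_trailer(build_sample_trailer())
    # NG-priv is a secret: report its length rather than printing it.
    print(f"NG id {keys['ng_id']:08x}, NG key id {keys['ng_key_id']:08x}, "
          f"NG-priv {len(keys['ng_priv'])} bytes, NG-sig {len(keys['ng_sig'])} bytes")
```

Because the trailer holds the console's private key, a nand.bin should be stored and shared with the same care as the key itself.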

Enough crap, here is the new keygrabber & bugfixed FE100 : FE100 V0.22

ps: By the way, if you are reading this and you are a member of wiibrew forums : could you pm an admin there and notify them that “forgot my password” feature there doesn’t seem to work for quite a long time… That’s why I didn’t reply to the original topic mentioned at the top of the post.

The key stuff below is just for the first button (Get stuff from Interwebz) to work correctly…

Here are the shared keys (the first two, actually) that are necessary to unpack a Wii savefile.

SD key (ab01b9d8e1622b08afbad84dbfc2a55d)
SD IV (216712e6aa1f689f95c5a22324dc6a98)
MD5 blanker (0e65378199be4517ab06ec22451a5793)

More information about these and other keys can be found on hackmii, here: http://hackmii.com/2008/04/keys-keys-keys/

The only reason I included them here is that the previous version of keygrabber was leeching those keys from the hackmii blog. Now it will leech them from here… The reason I didn’t bundle this stuff into the FE100 package is to follow the common practice…


  1. Andrew Certain
    | #1

    First, a huge thanks for adding this extractor. I’ve been trying for a few days to get my ECC key and finding up-to-date information has been a bit trying.

    One question I have about the packer is how it works without the Wii’s certificate. According to http://wiibrew.org/wiki/Wii_Security#Savegames_on_SD_cards, it uses the certificate to verify that you have a real ECC key. How does FE100 work without the certificate? Conversely, if it doesn’t need the certificate, why does it need a real ECC key?

    Thanks.

    Andrew

  2. | #2

    Well, I didn’t rewrite the packer & unpacker actually, it’s segher’s code. Lurking through it, signature creation needs these… also the certificate can be created using only these.
    It needs:
    1. your private ECC key (NG-priv)
    2. NG-key-id (dunno what this is for)
    3. NG-sig (public portion of your private ECC key)

    It does need the real ECC key to pack savefiles so that any Wii can verify that against the public part of the key… But I guess any key pair could be used thinking you can use someone else’s saves. Maybe could be a difference for protected saves if they are bound to one specific Wii… so there they might be checking the cert if it matches to the Wii savefile is being copied…

  3. pec
    | #3

    Hi, I landed here after looking for a way to obtain the MAC address from my semi-bricked Wii (to use letterbomb). I thought it would be a lot more common problem… apparently it isn’t. I won’t bore all of you with the pathetic story of how I bricked my Wii (simply forgetting it had a hard-mod after not using it for 3 years). The tool you developed seems perfect, however I can’t make it work. I guess it might be because I try to run it from Parallels on Mac? (Of course I have no access to a Windows machine…) I un-rar the folder but it gives me an error every time I try to open the application. Any idea? Would anybody go the extra mile and find out my MAC address from the savefile I can send them?! I’ve run out of ideas here.
