HRESET hack

From WiiUBrew
Revision as of 04:05, 25 August 2021 by Hallowizer2 (Created)

The HRESET hack was the Wii U equivalent of the Tweezer Attack, in that it dumped the WiiMode Espresso keys. Unlike the Tweezer Attack, however, it did not require any hardware modification. It was needed because the SRESET hack only works after the keys have already been locked away.

Procedure

  1. Fill ALL free memory with jumps to the dumping code.
  2. Load some reset-timing Starbuck code through a serial interface.
  3. Bootstrap the Espresso, then HRESET it while the boot ROM is still running.
  4. Try different HRESET widths; a couple of specific widths should leave the Espresso in a glitched state.
  5. Hope something blows up somewhere and the dumping code is jumped to.
  6. Write each OTP key to memory 4 times.
  7. Output these values through the serial interface from the Starbuck, and piece together the different results to find the real key.