HackMii

Notes from inside your Wii

Modchips + homebrew – free + illegal = ArgonChannel

January 9th, 2009 by marcan · 44 Comments

The Argon modchip guys have been trumping up this new cool thing they call the Argon Channel. At first details were sketchy, but as time passed what it was started to become obvious: some homebrew launching or installing “solution”, locked to a modchip.

Update: Their solution seems to be to install homebrew packaged as channels, complete with stolen banners and probably using my nandloader without permission. Scroll down for more details.

Recently, the Argon guys showed up on IRC and had an interesting conversation with me, where they tried to get me to help them get the channel to work on System Menu 3.4 by convincing me of the wonderful world of modchip software. The conversation was somewhere along the lines of this, excluding the broken English: “By bundling it with our modchip we make homebrew more popular”. “But it’s locked to your modchip, how will that make it more popular?” “Yes, that makes it even more popular because it’s exclusive and people will want it.”

The response, obviously, was no.

Now the channel has shown up and gasp, it’s compatible with 3.4. Wait, did they find an exploit?

Of course they didn’t.

By watching the video you’ll see that it consists of a two-stage process. This should start ringing alarm bells: why on earth would they have to install two things to install the channel? You’ll also notice that before installing the second half, they do some sort of serial number verification. This seems to be their way of locking it to the chip.

Download their package. First alarm bell. They’re bundling the Twilight Hack, which they’re not authorized to do. Hmm.

Let’s look inside the first DOL file – which turns out to be the one labeled part2. They’re backwards. Shows how much time they spent preparing this package. This file looks suspiciously like a Waninkoko product – same banner and console style. Let’s look inside.

0004e980  00 00 00 20 49 73 00 00  00 00 0a 00 00 00 00 00  |... Is..........|
0004e990  00 00 02 a4 00 00 02 2c  00 18 8c 00 00 00 00 40  |.......,.......@|
0004e9a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0004e9b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0004e9c0  00 01 00 00 b3 ad b3 22  6b 3c 3d ff 1b 4b 40 77  |......."k<=..K@w|

That looks like a WAD header. Interestingly, `strings` didn’t show any readable four-letter Title ID among the Root-CA strings from the certs, TMD, and ticket. Let’s run it through a WAD extraction tool that I have, which prints out information:

Wii Wad:
 Header 0x20 Type 'Is' Certs 0xa00 Tik 0x2a4 TMD 0x22c Data 0x188c00 @ 0xf40 Footer 0x40
 ETicket:
  Title ID: '\x00\x00\x00\x01\x00\x00\x00\x10'
  Title key IV: 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 00
  Title key (encrypted): 52 6b 1a 2a d0 db 6a 80 c2 95 25 63 80 98 f8 82
  Common key index: 0
  Title key (decrypted): 34 9e 8a c5 ed 3c e1 51 72 f2 b9 3e 1b cb 06 3b
 ETicket signed by Root-CA00000001-XS00000003 using RSA-2048: ec f8... [OK]
 TMD:
  Versions: 0, CA CRL 0, Signer CRL 0, System 0-0
  Title ID: 00000001-00000010 ('\x00\x00\x00\x01'-'\x00\x00\x00\x10')
  Title Type: 1
  Group ID: '\x00\x01'
  Access Rights: 0x00000000
  Title Version: 0x101
  Boot Index: 1
  Contents:
   ID       Index Type    Size         Hash
   00000000 0     0x1     0x40         ca 2e 8c 59 e9 7e e9 fe...
   00000001 1     0x1     0x188b81     65 3e 5e 0f 1d ea 72 f2...
 TMD signed by Root-CA00000001-CP00000004 using RSA-2048: 8b 1a... [OK]
 Certificates:
  - CA00000001 (RSA-2048)
     Certificate signed by Root using RSA-4096: 6f 47... [OK]
  - CP00000004 (RSA-2048)
     Certificate signed by Root-CA00000001 using RSA-2048: 8d 4f... [OK]
  - XS00000003 (RSA-2048)
     Certificate signed by Root-CA00000001 using RSA-2048: d7 0a... [OK]

Title ID 00000001-00000010 is IOS16. So this is how they get it to work on 3.4. And this is also why there’s a two-stage process. They’re bundling a private, repair-center-only, leaked IOS from Nintendo.

Ladies and gentlemen, epic fail.
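The header decoding above can be reproduced with a short scanner. This is an added example, not the tool used in the post: it searches a binary for embedded WAD headers, derives the 64-byte-aligned section offsets, and reads the title ID from the TMD to flag a bundled IOS. The function names, the TMD title-ID offset 0x18C, and the `build_sample` input (header bytes copied from the hexdump, everything else zero-filled) are assumptions of this example.

```python
import struct

WAD_MAGIC = bytes.fromhex("00000020 49730000")   # header size 0x20, type 'Is', version 0
FIELDS = ("header", "type", "version", "certs", "crl", "ticket", "tmd", "data", "footer")
TMD_TITLE_ID = 0x18C                               # assumed offset of the 8-byte title ID in a TMD

def align64(n):
    """WAD sections are padded to 64-byte boundaries."""
    return (n + 63) & ~63

def parse_header(blob, base):
    """Decode the 32-byte big-endian WAD header found at `base`."""
    return dict(zip(FIELDS, struct.unpack_from(">I2sH6I", blob, base)))

def section_offsets(hdr):
    """Offsets of each section relative to the start of the WAD."""
    pos, offs = align64(hdr["header"]), {}
    for name in ("certs", "crl", "ticket", "tmd", "data", "footer"):
        offs[name] = pos
        pos = align64(pos + hdr[name])
    return offs

def classify(high, low):
    """Label a title ID; only the system-title range is distinguished here."""
    if high == 0x00000001 and 3 <= low <= 0xFF:
        return "IOS%d" % low
    return "system title" if high == 0x00000001 else "other"

def find_wads(blob):
    """Scan a binary (e.g. a DOL) for embedded WADs and report what each one installs."""
    found, pos = [], blob.find(WAD_MAGIC)
    while pos != -1:
        hdr = parse_header(blob, pos) if pos + 32 <= len(blob) else None
        if hdr:
            offs = section_offsets(hdr)
            tid_at = pos + offs["tmd"] + TMD_TITLE_ID
            if hdr["tmd"] >= TMD_TITLE_ID + 8 and tid_at + 8 <= len(blob):
                high, low = struct.unpack_from(">II", blob, tid_at)
                found.append({"offset": pos, "sections": offs,
                              "title_id": "%08x-%08x" % (high, low),
                              "kind": classify(high, low)})
        pos = blob.find(WAD_MAGIC, pos + 1)
    return found

def build_sample():
    """Constructed input: the header bytes from the hexdump above, zero-filled certs and
    ticket, and a TMD that carries only the title ID the page reports."""
    header = bytes.fromhex("00000020 49730000 00000a00 00000000"
                           "000002a4 0000022c 00188c00 00000040")
    tmd = bytearray(0x22C)
    tmd[TMD_TITLE_ID:TMD_TITLE_ID + 8] = bytes.fromhex("00000001 00000010")
    wad = header.ljust(0x40, b"\0") + bytes(0xA00) + bytes(0x2A4).ljust(0x2C0, b"\0") + bytes(tmd)
    return b"\0" * 0x80 + wad      # 0x80 bytes of stand-in "DOL code" before the WAD

if __name__ == "__main__":
    for wad in find_wads(build_sample()):
        print(hex(wad["offset"]), wad["title_id"], wad["kind"],
              "data @", hex(wad["sections"]["data"]))
```

The computed data offset matches the `Data 0x188c00 @ 0xf40` line in the tool output, which is a quick way to confirm the header was decoded with the right field order.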

There’s another WAD in the DOL. I’ll spare you the boring WAD infodumps and just say that it’s some version of cIOS. So their first stage “installer” just installs IOS16, then uses that to install cIOS. A waninkoko-worthy product indeed. I seem to recall him saying he’d never use IOS16, some time ago in the EOL forums. How quaint.

00000000  66 69 72 6d 77 61 72 65  2e 36 34 2e 30 38 30 38  |firmware.64.0808|
00000010  32 39 31 36 30 30 00 00  00 00 00 00 00 00 00 00  |291600..........|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 01 02 00 00  |................|
00000030  77 61 6e 69 6e 6b 6f 6b  6f 40 43 49 4f 53 00 00  |waninkoko@CIOS..|

Their part21 “installer” is just a standard game DVD launcher that launches it using cIOS.

Let’s look at their install DVD, shall we?

This is a standard Wii ISO. You can tell it has been fakesigned with Trucha Signer. This is evident because you can, you know, read my name and xt5’s on the signature:

502c0  00 01 00 01 a5 ce b8 bc  99 b7 e9 a0 c1 ff 14 78  |...............x|
502d0  5c 22 66 85 51 a0 44 0c  70 3e 16 34 9a 1c a6 74  |\"f.Q.D.p>.4...t|
502e0  74 47 56 46 4e 1c 56 b3  dd bc 76 f4 6b 64 ce 35  |tGVFN.V...v.kd.5|
502f0  40 72 c6 cf 53 9b 64 38  36 30 15 dc 4f 0d 6d 26  |@r..S.d860..O.m&|
50300  41 38 55 4b 67 d8 54 68  45 66 49 53 68 e9 61 78  |A8UKg.ThEfISh.ax|
50310  b1 30 c5 63 00 d9 69 de  93 d8 4f c8 69 ed 52 12  |.0.c..i...O.i.R.|
50320  96 35 28 45 48 e2 70 e2  4b 01 53 7d 53 e3 43 13  |.5(EH.p.K.S}S.C.|
50330  8b 30 77 6a 58 41 6f 6c  54 72 61 4c 61 4c 61 05  |.0wjXAolTraLaLa.|
50340  6d 64 8a 62 bd b8 53 98  b3 9c 55 df 4c 10 4e c2  |md.b..S...U.L.N.|
50350  4d 33 77 87 e0 a8 61 69  85 3b 4a 64 69 7a 37 f7  |M3w...ai.;Jdiz7.|
50360  fe 4b 84 42 d2 37 6c 48  67 c6 75 ec 45 8d 9e fd  |.K.B.7lHg.u.E...|
50370  db 63 43 41 30 6a 4d 6d  42 4e 73 55 21 d5 da 32  |.cCA0jMmBNsU!..2|
50380  23 34 d2 64 f6 e3 4f 3c  43 ab 65 ec ea 1e a7 92  |#4.d..O<C.e.....|
50390  6f 68 70 54 68 49 6e 47  53 52 eb 52 96 a2 03 43  |ohpThInGSR.R...C|
503a0  8e 33 fb 73 be f8 67 72  49 6e 64 45 45 64 3f 3f  |.3.s..grIndEEd??|
503b0  77 53 d8 89 28 a8 bf a4  aa e8 ef 83 ff 56 9a e3  |wS..(........V..|

For fun, try finding other interesting strings 😉

Let’s try running it through an information tool.

Game ARGO, maker NC, magic 5d1c9ea3: Argon Channel Installer
1 partitions in ISO:
 [ 0] 0x0000050000 (00000000)
Wii Partition at 0x0000050000:
 TMD @ 0x2c0 [0x208], Certs @ 0x4e0 [0xa00], H3 @ 0x8000, Data @ 0x20000 [0x1f0000]
 ETicket:
  Title ID: '\x00\x01\x00\x01ARGN'
  Title key IV: 00 01 00 01 41 52 47 4e 00 00 00 00 00 00 00 00
  Title key (encrypted): 21 21 41 52 47 4e 43 48 4e 4c 46 4b 4b 59 23 23
  Common key index: 1
  Title key (decrypted): 5a de 4a 66 32 0d c1 56 05 3e e3 64 c3 c0 d3 5b
 ETicket signed by Root-CA00000001-XS00000003 using RSA-2048: d2 a8.... [FAIL]
    Signature hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 TMD:
  Versions: 0, CA CRL 0, Signer CRL 0, System 1-21
  Title ID: 00010001-4152474e ('\x00\x01\x00\x01'-'ARGN')
  Title Type: 0
  Group ID: 'HB'
  Access Rights: 0x00000000
  Title Version: 0x1
  Boot Index: 0
  Contents:
   ID       Index Type    Size         Hash
   00000000 0     0x1     0x3e0000     aa b4 a7 dc 21 48 0d e9...
 TMD signed by Root-CA00000001-CP00000004 using RSA-2048: 00 ea... [BUG]
    Signature hash: 00 6f...
 H4 hash check passed
 Data:
  Blocks:    62
  Subgroups: 7 (plus 6 blocks)
  Groups:    0 (plus 62 blocks)
 Certificates:
  - CA00000001 (RSA-2048)
     Certificate signed by Root using RSA-4096: 6f 47... [OK]
  - CP00000004 (RSA-2048)
     Certificate signed by Root-CA00000001 using RSA-2048: 8d 4f... [OK]
  - XS00000003 (RSA-2048)
     Certificate signed by Root-CA00000001 using RSA-2048: d7 0a... [OK]
pywii.wii.HashError: Failed to verify data chunk 0 against H0:
        expected 82254908e26f42fe903d5bcf3f95f2acfa110e4d,
        got 8b7219c81d0a4e985c65edd9de2c0b943520f8c6

So their ticket is signed wrong and the data doesn’t verify. Attempting to extract it yields garbage. This means their modchip patches the Title Key to something else. Because, you know, just in case you couldn’t figure it out yourself, they tell you. Their fake key is “!!ARGNCHNLFKKY##”.

I tried all single or double byte patches in case they were using a really lame patch, but it appears they’re not that stupid. I’m currently waiting for a way of getting the Title Key, probably from someone with an Argon2. Expect an update once that happens. I can practically guarantee that their channel banner will also be stolen from a Nintendo channel, though – it looks just like all those other stolen banners, in the video (same animation). Beyond that, who knows – maybe there’s even more things to laugh about.

Update: more details have emerged on their site. They’re installing apps as channels, complete with stolen banners. Here’s the list of apps, and here’s a handy WAD upload form in case you want to upload your application to their shady service and also give them your personal information while you’re at it.

In short, if you want a channel that:

  • Is vendor locked to a modchip
  • Is way more annoying to install than The Homebrew Channel
  • Consists of a bunch of jury-rigged tools to install and was clearly made by not very competent people
  • Is illegal twice
  • Is probably illegal a couple more times
  • Is based around distributing homebrew in a questionable format and packaged with illegal Nintendo resources
  • Just rips off apps without waiting for their authors to submit them
  • Requires the installation of homebrew into the Wii’s internal memory, wasting space
  • Is a lot less practical than just copying files to an SD card
  • Requires you to submit your e-mail address just to use it
  • Lets them track exactly what homebrew you download and use
  • Requires you to submit your detailed personal information to add apps
  • Also rips off the Twilight Hack
  • More to come once I get their key

Then, by all means, get the ArgonChannel. Otherwise, stay very very far away.

Bonus content: Apparently Argon have never heard of fonts. Those were inside their modchip updater DOL file.
Bonus content 2: An HMAC password involved in the update process of the Argon chip is RobinsodAndWaninkoko1. Just in case anyone had any doubts that he’s involved in all this.

Tags: Wii

44 responses so far ↓

  • 1 noir // Jan 9, 2009 at 9:54 pm

    So far they have nothing available on argonchannel.com except some empty forums. I thought I’d contribute to their community by making the first post over there!

    Why not flag the YouTube video to be removed for violating your copyright (i.e. – Using the Twilight Hack in a video without your permission)?

  • 2 wiisixtyfour // Jan 9, 2009 at 11:34 pm

    if they’re going to copy it at least do it well…
    that is just horrible

  • 3 roboprez // Jan 10, 2009 at 12:15 am

    hmm interesting so is Waninkoko actually working on this or did Argon just forget to edit him out of stolen source files?

  • 4 tech3475 // Jan 10, 2009 at 1:08 am

    Sounds like the Microsoft of the modbrew world.

    I wonder how long it will be before someone reverse engineers this anyway.

    Also it does make homebrew more popular, but it’s restricted to their investors.

  • 5 zetetic // Jan 10, 2009 at 1:42 am

    What was Waninkoko’s response when you asked him about the Argon Channel?

  • 6 Muzer // Jan 10, 2009 at 1:50 am

    Screenshots, marcan?

  • 7 http://maikelsteneker.blogspot.com/ // Jan 10, 2009 at 2:55 am

    I don’t think it’s that bad, it shows some decent stuff. The thing is, the homebrew channel can do all of this in a better way, so it’s really pointless.

    The worst thing is that they need the Twilight Hack to get paid software to work… It shows they’re just amateurs. If Team Twiizers could force them to link to hackmii or wiibrew that would be great though. Everyone would see a completely free alternative that’s much better!

  • 8 Maltek // Jan 10, 2009 at 5:00 am

    I lol’d at all of this XD

    thks marcan !

    BTW, as for me “!!ARGNCHNLFKKY##” stands for ArgonChannelf*ck***Key …

    As wiisixtyfour said “that is just horrible”…

  • 9 liteon // Jan 10, 2009 at 6:28 am

    As you said, epic fail.
    Also, that’s a great password: RobinsodAndWaninkoko1
    I’ve learned an important fact: if I ever commit a crime, I will password-protect all the files that could incriminate me with “Iamdefinitelythemurderer.”, xD

  • 10 marcan // Jan 10, 2009 at 7:28 am

    @zetetic:

    I didn’t ask him about it now, but the last news I got from him was that he stopped working for these guys (that was when he made the warezlauncher). Obviously that is no longer the case and he’s working for them again.

  • 11 qiantpune // Jan 10, 2009 at 7:52 am

    The makers of this obviously can’t be too smart. Who in their right mind would try to rip anything off from the guys that kicked such epic amounts of butt at 25C3? I mean, this isn’t quite the same thing as stealing a little old lady’s credit card info to subscribe to internet porn. These guys aren’t in the same league as the HackMii guys. It’s not even close to being the same sport.

  • 12 DtD // Jan 10, 2009 at 11:21 am

    Wow, there’s just no counting for the number of stupid people in this world.

    ~DtD

  • 13 noir // Jan 10, 2009 at 11:55 am

    They seem to keep repeating this everywhere: “Our objective is to promote the use of FREE software on the Nintendo WII.”

    If that were true, they wouldn’t require that you have an Argon chip to use it. To me it looks like their objective is to use other people’s work to try and increase their profits and further their own business.

  • 14 Zim // Jan 10, 2009 at 12:14 pm

    This is quite sad.
    So sad, in fact, that I have made it a personal goal to never do anything near this level of stupidity.

  • 15 marcan // Jan 10, 2009 at 12:14 pm

    @noir:

    Their objective is to boost sales of their modchip by claiming it comes with “exclusive” homebrew no doubt. It’s also a rather lame attempt to legitimize their modchip in the wake of possible lawsuits, because they know that laws about copyright are getting tighter – modchips are illegal in the US and probably in the EU too as a result of the EUCD. They want to claim that their chip has something to do with homebrew, even though it doesn’t.

  • 16 creativeprocrastinators.blogspot.com/ // Jan 10, 2009 at 12:59 pm

    Can’t you guys sue or something?

    Not to say I’d want it to go there, but you’ve got to do something (though it’s more or less guaranteed that Nintendo will take legal action once they find out).

  • 17 Alec // Jan 10, 2009 at 1:41 pm

    There is only one thing about this that is appealing to me (which is probably appealing to ONLY me): The ability to install homebrew to the memory as a channel.

    The reason this is useful to me is because my SD slot on my Wii is wonky. Every time I run a new executable (whether it be a game, homebrew channel, anything), I have to eject and reinsert my SD card in order to get the system to recognize that it’s there. I have tested this *very* extensively, and I know for a fact that it has something to do with every time a new executable is run.

    For those who can imagine, clicking on the Homebrew Channel and then perfectly timing an eject\reinsert in order for it to read my homebrew properly can be a real pain. A “refresh list” option in the HBC that reinitializes my SD slot would fix this right up, though. =)

  • 18 Arm the Homeless // Jan 10, 2009 at 2:02 pm

    Woah. That xt5 and Marcan thing is genius IMO.

  • 19 Dunsay // Jan 10, 2009 at 2:57 pm

    A shame they disabled both comments and ratings on their instructional video on youtube…

  • 20 HyperHacker // Jan 10, 2009 at 3:21 pm

    What does IOS16 do, then?

  • 21 Deozaan // Jan 10, 2009 at 3:28 pm

    I didn’t know that modchips were illegal in the USA. When/how did that happen?

    I’m not defending or promoting them. I’m just asking because I didn’t know.

  • 22 zetetic // Jan 10, 2009 at 3:57 pm

    @Marcan

    Do the date stamps on the files attest to that?

  • 23 marcan // Jan 10, 2009 at 4:16 pm

    @Deozaan:
    The DMCA forbids trafficking in circumvention devices (devices used to bypass copy protection, effectively).

    @zetetic:
    I didn’t see any specific timestamps, but it’s pretty obvious that he didn’t do this when he was there and then quit. For starters, I don’t even think 3.4 or the IOS16 workaround existed back then. Either way, if waninkoko _is_ working for them then Argon is to be considered responsible for this, since they’re the ones employing him.

  • 24 noir // Jan 10, 2009 at 6:04 pm

    ThEfISh iS a LiE
    SalMOn ThInGS IndEEd

    I wish you’d just tell us what else is in there before I drive myself nuts trying to figure out what things are supposed to say. Looking at the hex dump again reminded me that it was in my dream last night. I figured it out in my dream…I wish I could remember what exactly I figured out.

  • 25 w11h4x0r // Jan 10, 2009 at 6:18 pm

    what if someone uploaded a wad file that causes a banner brick to their server? think they would test it lol?
    what advantage is there to this other than the possibility of getting opentyrian to run again (doesn’t work on new hbc or homebrew launcher)?

  • 26 linkinworm-c98 // Jan 10, 2009 at 7:40 pm

    @ w11h4x0r
    well the modchip works on the new D3 boards (so I was told, the boards with one chip on them), but I guess the point in the download option is because it makes things easier if you do it all straight from your wii.

  • 27 ChuckBartowski // Jan 10, 2009 at 7:42 pm

    After this, I think it is time to sue. This is the second thing that has ripped off team twiizers and it’s going to keep getting worse. If you sue, it would be a major wake-up call to all those even thinking about doing this. Just saying…

  • 28 wiisixtyfour // Jan 10, 2009 at 11:23 pm

    They left the readme intact which has links to WiiBrew and HackMii and even the Homebrew Channel haha

  • 29 bob // Jan 11, 2009 at 6:31 am

    It would be so easy for a dev to sabotage this by having an app check for the modifications the argon crap makes to the wii’s nand. Once detected, it could either disable the softmod and/or simply refuse to work.

  • 30 Ryan Leach // Jan 11, 2009 at 8:20 am

    hey twiizer someone claimed this wad is legal,

    that it doesn’t use a proprietary nand loader and no stolen banner, could you check it?

    http://qoid.us/bbc.wad

  • 31 marcan // Jan 11, 2009 at 8:41 am

    That looks right. One of the few legal ones I’ve seen.

  • 32 icefire // Jan 11, 2009 at 9:02 am

    A LEGAL wad? Then we get your NANDloader, right?

    🙂

  • 33 marcan // Jan 11, 2009 at 9:04 am

    I don’t know whose NANDloader that is but it’s definitely not mine.

  • 34 icefire // Jan 11, 2009 at 9:34 am

    Pretty sure comex is responsible :).

  • 35 DanielHueho // Jan 11, 2009 at 10:53 am

    Well, this is starting to become repetitive. First the “guide”, now this. Wii is becoming popular on this “almost-scam” business…

    @Ryan Leach

    What exactly is this channel? I don’t feel like installing on Wii to discover =P

  • 36 no-substitute.blogspot.com/ // Jan 11, 2009 at 1:05 pm

    @ DanielHueho and everyone else

    comex’ bbc.wad is a channel for ftpii

    Nothing more, but also, nothing less! 🙂

  • 37 Blue-K // Jan 12, 2009 at 12:58 am

    Hey…I think I’ve got a new Bonus content for you, marcan…It does more than just rips off apps without waiting for their authors to submit them…

    They also rip whole Channels from various sites. Ex: The WAD-Manager Channel I have created, it is stolen from me, no one asked me if they can use it…I gave no permission. One more thing to laugh about…

  • 38 NewsInside - Noticias e tutoriais da cena homebrew handheld e console // Jan 12, 2009 at 4:53 am

    Marcan speaks out about the ArgonChannel…

    Some time ago the people responsible for the Argon modchip announced that they would create a channel specifically for running homebrew on their modchip. Although the news "died" for a while, the HackMii folks decided to analyze the…

  • 39 Wack0 // Jan 12, 2009 at 9:53 am

    urgh. first nintendo hurts homebrew a bit (3.3/3.4 anyone ?) and now guys are hosting it (Argon, Homebreware for a time, some other site) without permission. This hurts homebrew even more than buggily fixing the Twilight Hack.

    And also, how’d they get that private, repair center only IOS16 to bundle leak it ? Nintendo definitely won’t like it. 🙂

  • 40 Marcan se pronuncia a propôs do ArgonChannel // Jan 12, 2009 at 11:01 am

    […] For more information and the complete log of Marcan’s analysis, take a look at this post. […]

  • 41 qiantpune // Jan 12, 2009 at 3:11 pm

    Ok. I just checked out the argon2 channel installation tutorial on youtube. I can tell everybody, just from seeing the video, that I am 100% sure that Waninkoko had his hand in writing the installation application. I have used his wad manager and Game dumper, and they look WAY too similar in both appearance and the way they run. Also, the text on their website page describing the available homebrew applications looks surprisingly familiar to the application descriptions on wiibrew.org and in the applications’ readme files.

    Would you really want to install software on your system that was created by people that can’t even write simple text themselves?

  • 42 Android17 // Jan 13, 2009 at 11:00 am

    One of the saddest attempts yet…

  • 43 SkippyElectrochomp // Jan 19, 2009 at 8:59 am

    Wow. Whoever made that modchip with that software are crazy people who don’t look for the same “solution” that doesn’t take two installations and is completely free.

  • 44 toloratedmeat // Jan 21, 2009 at 2:40 am

    LOL why do you think that blonde hair guy from Rules of Engagement isn’t popular
