PretendoNetwork / Inkay

Wii U Pretendo Network patches (Aroma)
GNU General Public License v3.0

102-2160 on MLC rebuilt systems due to mismatched IOSU and System versions #10

Open WizardNight7718 opened 1 year ago

WizardNight7718 commented 1 year ago

I have tried to use Pretendo, but it seems to not be working correctly.

102-2160 (Wii U)
Wii U support code detected
Information is WIP and may be missing/incorrect

Module Name: ACT
Module Description: Accounts
Error Name: HTTP_SSL_CACERT
Error Description: Missing description
Fix: Missing fix
Console dialog message: Missing message

ashquarky commented 1 year ago

When does that happen? When logging in or creating an account on the menu? Or opening the Miiverse applet? Are you using Inkay from the releases tab or the bleeding edge build? Which commit (if you know)?

WizardNight7718 commented 1 year ago

I was trying to create a PNID on the Wii U, and could not get any farther than "Do you want to link your existing ID to this Wii U?" I am using Inkay bleeding edge build (https://github.com/PretendoNetwork/Inkay/actions/runs/4635811241)

WizardNight7718 commented 1 year ago

I have a video of the error. https://drive.google.com/file/d/1WCr-sR9rF8-vtaFbq49RifCyIljOAOyh/view?usp=sharing

WizardNight7718 commented 1 year ago

Still doesn't work 5/13/2023 1/07/2024 4/08/2024

theDSi2homebrewGuy commented 3 months ago

same issue for me

jack4455667788 commented 2 months ago

It's bloopair.

The two aren't playing nice together.

Same thing happens in tiramisu using nimble.

EDIT- this was entirely wrong. Another user had reported this and I mistakenly thought i had confirmed their finding.

WizardNight7718 commented 2 months ago

I'll test it out when I get home 👍

jonbarrow commented 2 months ago

> Same thing happens in tiramisu using nimble.

It should be noted that Tiramisu and the legacy Nimble HB are no longer supported by us

WizardNight7718 commented 2 months ago

> It's bloopair.
>
> The two aren't playing nice together.
>
> Same thing happens in tiramisu using nimble.

Error still occurs even with removal of bloopair

jack4455667788 commented 2 months ago

> > It's bloopair. The two aren't playing nice together. Same thing happens in tiramisu using nimble.
>
> Error still occurs even with removal of bloopair

Apologies for the red herring. I had read a report where a user found they couldn't use pretendo when bloopair was enabled and had convinced myself of the same thing (i didn't realize that the nintendo login servers for wiiu were still up - so when I thought pretendo was working it was really just connecting me to the nintendo servers which are still online. In fact, pretendo never worked - in tiramisu with nimble, where it did nothing or in aroma with the latest inkay where it causes the 2160 error)

I tried causing the 2160 in tiramisu and was unsuccessful (with or without bloopair). It seems no servers are being changed by nimble. I also tried removing every plugin except inkay in aroma - which still caused the 2160.

jack4455667788 commented 2 months ago

> > Same thing happens in tiramisu using nimble.
>
> It should be noted that Tiramisu and the legacy Nimble HB are no longer supported by us

That's too bad. Tiramisu is required for a lot of good stuff, including MK8 Ultimate. A working CTGP-U would be a fantastic thing to have.

Sorry for the bad lead. Nimble does not function (except to cause wups, and hence MK8 Ultimate, to blackscreen) in tiramisu, and inkay causes 2160 for me as well as the OP. Bloopair and/or other plugins seem to have no impact on it.

Are we really the only ones affected? If so I suspect there is something in common about our system setups which is non-standard...

jack4455667788 commented 2 months ago

> When does that happen? When logging in or creating an account on the menu? Or opening the Miiverse applet? Are you using Inkay from the releases tab or the bleeding edge build? Which commit (if you know)?

Using both the latest release (crc32 = A75067AC) and the nightly (https://nightly.link/PretendoNetwork/Inkay/actions/runs/8714756349/inkay.zip - crc32 = A475D88D).

This is whenever account login or game server access/connection is requested. I presume Miiverse applet as well - although I have not tested that.

Interestingly enough, using SSSL also causes the same error (internet connection test succeeds).

Could this be a legitimate CACERT SSL error? Your servers refusing an ssl connection from our consoles or vice versa?

ashquarky commented 2 months ago

> Sorry for the bad lead. Nimble does not function (except to cause wups, and hence MK8 Ultimate, to blackscreen) in tiramisu,

That's the problem with Tiramisu - we can't run several homebrew apps at once, thus we can't run Nimble and another homebrew at once - and if you're not going to run another homebrew, why use Tiramisu? So we just gave up on supporting it

> Could this be a legitimate CACERT SSL error? Your servers refusing an ssl connection from our consoles or vice versa?

My understanding of the CACERT error is that the console is rejecting our certs, which is weird because Inkay is supposed to disable verification entirely.

Hunch - do you know if you've rebuilt your NAND at all? NAND-AID or redNAND or usata or the like?

jack4455667788 commented 2 months ago

> That's the problem with Tiramisu - we can't run several homebrew apps at once, thus we can't run Nimble and another homebrew at once - and if you're not going to run another homebrew, why use Tiramisu? So we just gave up on supporting it

True, but you can use wups (https://github.com/Maschell/WiiUPluginLoader) to do that in tiramisu. I get that it is a pain to support/develop both, and perhaps one day everything will be ported over to aroma - but also, perhaps not :(

In my experience, wiimmfi was all about ctgp, and the only available (yet, admittedly buggy and closed+lost source) ctgp for the wii-u (mk8 ultimate) only works in tiramisu (relies on a wups plugin).

> My understanding of the CACERT error is that the console is rejecting our certs, which is weird because Inkay is supposed to disable verification entirely.

Something very weird is going on.

> Hunch - do you know if you've rebuilt your NAND at all? NAND-AID or redNAND or usata or the like?

I MAY have experimented with redNAND back in the day, as a lark. I can't remember now, it's been so long. I've never rebuilt the nand or cracked open the case.

It is my understanding that the system cacerts are responsible for such ssl rejection/support. If this is the case, could you please provide the crc/checksum of the cacerts from a wiiu that works with pretendo so I can check them against mine?

They can be found in storage_mlc\sys\title\0005001b\10054000\content. My guess is the ccerts and scerts folders being the likely most relevant.

My other hunch is this is somehow related to the dual boot setup (which only allows use of the second to latest aroma), or the system ios version spoof. Are the inkay/nimble patches ios version specific (i.e. patch specific addresses that change over ios revisions)?

Thanks for your help with this! I'd like to assist in any way i can to help get it sorted if possible.

WizardNight7718 commented 2 months ago

> > That's the problem with Tiramisu - we can't run several homebrew apps at once, thus we can't run Nimble and another homebrew at once - and if you're not going to run another homebrew, why use Tiramisu? So we just gave up on supporting it
>
> True, but you can use wups (https://github.com/Maschell/WiiUPluginLoader) to do that in tiramisu. I get that it is a pain to support/develop both, and perhaps one day everything will be ported over to aroma - but also, perhaps not :(
>
> In my experience, wiimmfi was all about ctgp, and the only available (yet, admittedly buggy and closed+lost source) ctgp for the wii-u (mk8 ultimate) only works in tiramisu (relies on a wups plugin).
>
> > My understanding of the CACERT error is that the console is rejecting our certs, which is weird because Inkay is supposed to disable verification entirely.
>
> Something very weird is going on.
>
> > Hunch - do you know if you've rebuilt your NAND at all? NAND-AID or redNAND or usata or the like?
>
> I MAY have experimented with redNAND back in the day, as a lark. I can't remember now, it's been so long. I've never rebuilt the nand or cracked open the case.
>
> It is my understanding that the system cacerts are responsible for such ssl rejection/support. If this is the case, could you please provide the crc of the working cacerts on the wiiu side so I can check them against mine?
>
> They can be found in storage_mlc\sys\title\0005001b\10054000\content. My guess is the ccerts and scerts folders being the likely most relevant.
>
> My other hunch is this is somehow related to the dual boot setup (which only allows use of the second to latest aroma), or the system ios version spoof. Are the inkay/nimble patches ios version specific (i.e. patch specific addresses that change over ios revisions)?
>
> Thanks for your help with this! I'd like to assist in any way i can to help get it sorted if possible.

Which files in specific, do you need to make a side by side comparison?

jack4455667788 commented 2 months ago

> Which files in specific, do you need to make a side by side comparison?

I'm not 100% sure. It partly depends on what certificate(s) pretendo is using on their side.

But assuming this IS a legitimate cacert error, then the general idea is to compare all of the certificates on our consoles (experiencing the 2160) against working consoles copies of the files.

The list of filenames most likely involved are below.

in the ccerts folder :

WIIU_ACCOUNT_1_CERT.der
WIIU_ACCOUNT_1_RSA_KEY.aes
WIIU_COMMON_1_CERT.der
WIIU_COMMON_1_RSA_KEY.aes
WIIU_OLIVE_1_CERT.der
WIIU_OLIVE_1_RSA_KEY.aes
WIIU_VINO_1_CERT.der
WIIU_VINO_1_RSA_KEY.aes
WIIU_WAGONU_CRYPTO_SYMKEY.aes
WIIU_WAGONU_HMAC_KEY.aes
WIIU_WOOD_1_CERT.der
WIIU_WOOD_1_RSA_KEY.aes

in the scerts folder :

ADDTRUST_EXT_CA_ROOT.der
AMAZON_ROOT_CA1.der
BALTIMORE_CYBERTRUST_ROOT_CA.der
CACERT_NINTENDO_CA.der
CACERT_NINTENDO_CA_G2.der
CACERT_NINTENDO_CA_G3.der
CACERT_NINTENDO_CLASS2_CA.der
CACERT_NINTENDO_CLASS2_CA_G2.der
CACERT_NINTENDO_CLASS2_CA_G3.der
COMODO_CA.der
COMODO_RSA_CA.der
CYBERTRUST_GLOBAL_ROOT_CA.der
DIGICERT_ASSURED_ID_ROOT_CA.der
DIGICERT_ASSURED_ID_ROOT_CA_G2.der
DIGICERT_GLOBAL_ROOT_CA.der
DIGICERT_GLOBAL_ROOT_CA_G2.der
DIGICERT_HIGH_ASSURANCE_EV_ROOT_CA.der
ENTRUST_CA_2048.der
ENTRUST_ROOT_CA.der
ENTRUST_ROOT_CA_G2.der
ENTRUST_SECURE_SERVER_CA.der
EQUIFAX_SECURE_CA.der
GEOTRUST_GLOBAL_CA.der
GEOTRUST_GLOBAL_CA2.der
GEOTRUST_PRIMARY_CA.der
GEOTRUST_PRIMARY_CA_G3.der
GLOBALSIGN_ROOT_CA.der
GLOBALSIGN_ROOT_CA_R2.der
GLOBALSIGN_ROOT_CA_R3.der
GTE_CYBERTRUST_GLOBAL_ROOT.der
NTD_DEV_CA.der
STARFIELD_SERVICES_ROOT_CERTIFICATE_AUTHORITY_G2.der
THAWTE_PREMIUM_SERVER_CA.der
THAWTE_PRIMARY_ROOT_CA.der
THAWTE_PRIMARY_ROOT_CA_G3.der
USERTRUST_RSA_CA.der
UTN_DATACORP_SGC_CA.der
UTN_USERFIRST_HARDWARE_CA.der
VERISIGN_CLASS3_PUBLIC_PRIMARY_CA.der
VERISIGN_CLASS3_PUBLIC_PRIMARY_CA_G2.der
VERISIGN_CLASS3_PUBLIC_PRIMARY_CA_G3.der
VERISIGN_CLASS3_PUBLIC_PRIMARY_CA_G5.der
VERISIGN_UNIVERSAL_ROOT_CA.der
VERIZON_GLOBAL_ROOT_CA.der

However, if ashquarky is right that inkay is supposed to disable ssl verification entirely (not a good idea) - then there is something else going on here and the checksums for our certs and those from working consoles will likely match.
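The comparison proposed in the comment above, as an added example that is not part of the thread or of Inkay's code: it builds a digest manifest of the `ccerts` and `scerts` folders from two dumped `content` directories and reports which files are missing or differ. Exchanging such a manifest lets two consoles be compared without passing around the files themselves, which in `ccerts` include the `*_RSA_KEY.aes` key files. The function names and the sample trees are assumptions made up for the example; CRC32 is included because the thread quotes CRC32 values, with SHA-256 alongside it as the stronger check.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

CERT_DIRS = ("ccerts", "scerts")  # folder names taken from the comment above

def manifest(content_dir):
    """Map 'folder/FILENAME' -> (CRC32 hex, SHA-256 hex) for each file in the cert folders."""
    out = {}
    for sub in CERT_DIRS:
        for f in sorted(Path(content_dir, sub).glob("*")):
            if f.is_file():
                data = f.read_bytes()
                out[f"{sub}/{f.name}"] = (f"{zlib.crc32(data):08X}",
                                          hashlib.sha256(data).hexdigest())
    return out

def compare(mine, reference):
    """Return names missing on either side and names whose digests differ."""
    common = mine.keys() & reference.keys()
    return {
        "missing_here": sorted(reference.keys() - mine.keys()),
        "extra_here": sorted(mine.keys() - reference.keys()),
        "different": sorted(n for n in common if mine[n] != reference[n]),
    }

def demo():
    """Constructed sample: two fake 'content' trees holding placeholder bytes, not real certs."""
    with tempfile.TemporaryDirectory() as tmp:
        working, failing = Path(tmp, "working"), Path(tmp, "failing")
        for root in (working, failing):
            for sub in CERT_DIRS:
                (root / sub).mkdir(parents=True)
            (root / "scerts" / "CACERT_NINTENDO_CA_G3.der").write_bytes(b"constructed-A")
            (root / "ccerts" / "WIIU_COMMON_1_CERT.der").write_bytes(b"constructed-B")
        # One file differs on the failing console and one is absent from it.
        (failing / "scerts" / "CACERT_NINTENDO_CA_G3.der").write_bytes(b"constructed-X")
        (working / "scerts" / "AMAZON_ROOT_CA1.der").write_bytes(b"constructed-C")
        return compare(manifest(failing), manifest(working))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

If every entry matches between a failing and a working console, the certificate store is not the cause and the fault lies elsewhere.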

WizardNight7718 commented 2 months ago

CERTS.zip Here are the certs for my console

Eco-Gaming commented 2 months ago

> > When does that happen? When logging in or creating an account on the menu? Or opening the Miiverse applet? Are you using Inkay from the releases tab or the bleeding edge build? Which commit (if you know)?
>
> Using both the latest release (crc32 = A75067AC) and the nightly (https://nightly.link/PretendoNetwork/Inkay/actions/runs/8714756349/inkay.zip - crc32 = A475D88D).
>
> This is whenever account login or game server access/connection is requested. I presume Miiverse applet as well - although I have not tested that.
>
> Interestingly enough, using SSSL also causes the same error (internet connection test succeeds).
>
> Could this be a legitimate CACERT SSL error? Your servers refusing an ssl connection from our consoles or vice versa?

I have the exact same issue (didn't check which version I'm on, I can do that tomorrow).

I'm not that familiar with WiiU modding, but my console has a broken NAND chip so I followed this guide for using the SD card as NAND (I believe it uses rednand, at least that shows up during the boot sequence).

I can also provide my certs tomorrow if that helps.

ashquarky commented 2 months ago

> My other hunch is this is somehow related to the dual boot setup (which only allows use of the second to latest aroma), or the system ios version spoof. Are the inkay/nimble patches ios version specific (i.e. patch specific addresses that change over ios revisions)?

Yep, 5.5.4 and 5.5.5+ have different IOS versions and different patches. If you're spoofing, that would mix up Inkay and prevent the ssl patches from working.

ashquarky commented 2 months ago

> I'm not that familiar with WiiU modding, but my console has a broken NAND chip so I followed this guide for using the SD card as NAND (I believe it uses rednand, at least that shows up during the boot sequence).

MLC rebuilding (as per that guide) can also lead to your ios version and your system version not matching up, which confuses Inkay. Sounds like we might need to improve Inkay's version detection if this is getting more common...

WizardNight7718 commented 2 months ago

When I was attempting to update to the latest version for the wii u, it wouldn't let me do it, so I originally downloaded the update and installed it manually, I don't exactly remember how I did that? Could that have been the cause?

WizardNight7718 commented 2 months ago

> When I was attempting to update to the latest version for the wii u, it wouldn't let me do it, so I originally downloaded the update and installed it manually, I don't exactly remember how I did that? Could that have been the cause?

If this was the cause, what could I do to fix it?

ashquarky commented 2 months ago

We probably have to fix it in Inkay, but I'm asking around for a workaround in the meantime

ashquarky commented 2 months ago

Try running a system update from Settings? when you rebuilt the MLC, most of your titles got updated to latest, but the SLC ones (including IOSU) are still outdated.


Eco-Gaming commented 2 months ago

> Try running a system update from Settings? when you rebuilt the MLC, most of your titles got updated to latest, but the SLC ones (including IOSU) are still outdated.


Ohhh in the Rebuilding MLC part I skipped the SLC files, as I just assumed my console was running a recent version. I'm going to try reinstalling from scratch and include SLC this time.

Edit: Sure enough, this fixed it for me, Thank you very much!

jack4455667788 commented 2 months ago

> > My other hunch is this is somehow related to the dual boot setup (which only allows use of the second to latest aroma), or the system ios version spoof. Are the inkay/nimble patches ios version specific (i.e. patch specific addresses that change over ios revisions)?
>
> Yep, 5.5.4 and 5.5.5+ have different IOS versions and different patches. If you're spoofing, that would mix up Inkay and prevent the ssl patches from working.

I am on 5.5.0 (spoofed to 5.5.6). Are the particular addresses and patches known for this version (i don't mind compiling a special version to share with others in my boat)?

Is there a table or list of the addresses and patches from the current and any previous IOS versions available (preferably including what the hex before the patches are applied would/should be)?

I don't like to fix what isn't broken, and flashing the firmware is always a risk - so I'd like to stay on 5.5.0 if possible.

WizardNight7718 commented 2 months ago

We all have different situations that lead to the same error, so what did we do or "inkay" detect wrong?

theDSi2homebrewGuy commented 2 months ago

I fixed my issue, I just redownloaded the inkay and aroma files to my sd card.

ashquarky commented 2 months ago

Will test some alternative methods to detect the IOSU version to support this situation.