Hacking Successfully dumped WiiU EMMC nand with hardmod.

[Tommy084]

Finally got the courage to do the soldering. Dumping now using Dual Nand Edition. Will report back after more testing.
View attachment 77841 View attachment 77840 View attachment 77839

Great looking man!!!
My Wiiu is now daed after trying to write back to nand, even got a write without error...

 

[Leeful]

@Tommy084 Have you tried to write back the original 528 MB dump you got with the teensy?
What lines did you delete from the nandway.py?

 

[DeadlyFoez]

Willing to bet the teensy writing to the nand is the issue. I havent used a teensy in that way yet but something has told me to not trust it.

 

[Tommy084]

@Tommy084 Have you tried to write back the original 528 MB dump you got with the teensy?
What lines did you delete from the nandway.py?

Yes, and now its blinking with the blue LED even with the jumper atached.
Lines: 386-395

Started on my 2. Wiiu now, this time is solder to nandpoints and dumping with dualnand edition

Willing to bet the teensy writing to the nand is the issue. I havent used a teensy in that way yet but something has told me to not trust it.

What els can we use? Have progskeet and pheonix to... but those are to hard to setup.
After trying to write back many times, and i got the same error on one block, trying to write back the rednand slc gives many errors. My geuss is the programmer, it says writing 1000 blocks to nand, but it is 4096 blocks. That and it adds a 16mb to the dump "RAS" i think. Those are just my thoght, i cant understand half of this

 

[DeadlyFoez]

I use an infectus. It's slow but I have never had a single issue with writing to any NAND chip. Once I can finally rip the wii u away from the family then I will try this all out, but that likely wont be for a while.

I also have to say, I DO NOT trust those nand clips. I always program my NAND chips after I desolder them from the motherboard. Personally, this is what I use http://www.ebay.com/itm/IC-MCU-Prog...SOP-48-D48-Adapter-Socket-SA247-/331920578984

 

[nexusmtz]

, it says writing 1000 blocks to nand, but it is 4096

1000 hex is 4096 decimal. If the program shows the number of blocks as it writes, you should be able to see the digits going 0-F instead of 0-9.

 

[pelago]

I know everyone's distracted by the Switch, but has anyone had any more luck reading or writing from the Wii U's NANDs in hardware?

 

[Modi]

Hi are any body fix by this tut bricked wii u ? I try this on my wii u brick after install cbhc.Not boot up show error 160-0101.

 

[pelago]

Hi are any body fix by this tut bricked wii u ? I try this on my wii u brick after install cbhc.Not boot up show error 160-0101.

Have you got a backup of your NANDs etc?

 

[Modi]

Yes all

 

[Leeful]

I've had no luck restoring the SLC or SLCCMPT but the MLC backup works. The slc & slccmpt backups made by dimoks' sdio nand_manager do not work with the teensy hardmod they are a smaller size (missing 64 bytes after every page of 2048 bytes).

If you do attempt the hardmod I would reccomend using the 'signal booster edition' set up because I did several dumps using the 'dual nand edition' and there were differences with almost all the dumps but when using the 'signal booster edition' every dump was identical.

A possible way to recover a CBHC brick is to dump the SLC, decrypt the image with the key from the otp backup (details here), with a hex editor find the part with the <default_title_id> that CBHC changed to the DS game title id and change it back to the original title id, Re-encrypt the image and write it back to the wiiU.


If this is attempted I would make sure that you do several SLC dumps first and make sure that they are identical and then when you flash back the edited image make sure that you use the 'vwrite' command to verify that it wrote back correctly to the nand without any errors.

 

[pelago]

I've had no luck restoring the SLC or SLCCMPT but the MLC backup works. The slc & slccmpt backups made by dimoks' sdio nand_manager do not work with the teensy hardmod they are a smaller size (missing 64 bytes after every page of 2048 bytes).

I wonder why the SLC dumps from the Teensy are a different size to the rednand/sdio_manager ones. The 64 bytes every 2048 bytes sounds a bit like a checksum for each page. If so, maybe the rednand/sdio_manager dumps could be processed into the extended format, if you know what type of checksum the Teensy is expecting to see. Paging @dimok in case this interests him too.

 

[Leeful]

Ive tried manually inserting the 64bytes in all 262144 pages using a macro and hex editor but I have not got any pattern to work. (I've probably gone about this the wrong way but I thought I'd give it a try)

The WiiU will not boot at all with any of the patterns I've tried. The blue light does not even come on. I've also tried the sdio manager backup as is but that did not work either.

Unfortunatley I dont have a working hardmod dump of my SLC because I was stupid and did not make several dumps to start off with to compare so the only hardmod dumps I have are corrupt.

I've compared the corrupt hardmod dump with the rednand backup and although the data is mostly the same I've noticed that some of the pages are in a completely different order so its not a simple process of cutting the correct redand pages and pasting them over the corrupt image. I've started to try and rebuild the corrupt image but as I have to do it page by page it will take way to long to do.

I bought this WiiU especially to mess around with and take risks so it's no big loss but I would like to get it working again if possible.

 

[pelago]

I know nothing about Teensys, but it seems to me that someone in the Teensy community, or in the docs, could explain what those extra 64 bytes are for.

 

[Leeful]

In the nandway.py it says RAS 'Redundent Area Size' also I think I read somewhere that it is the ECC area like you mentioned before.

 

[Modi]

ok try it

 

[pelago]

I've been reading up on this, and it's definitely ECC. You'll need to work out, or find out, the algorithm, which I think can vary. Without writing it correctly, the system will think all the pages are invalid, so it won't boot.

 

[Valery0p]

@StandardBus this is bread for Your Teeth

 

[Modi]

But not understand one think make copy of nand , from rednand by sdio. Make hardmod fake sd card write mlc.img Wii U still show some error 160-0101.Them write slc.img some. Are backup from sdio are corrupted ?
I made many xbox 360 with RGH, JTAG , PS3 SLIM CFW with 3.55 downgrade and unbrick it.Here it's harder any reovery menu , factory mode nothing..
Are any body ever fix bricke Wii U with any backup of nand ? No rewire nand to working fix brick make but any think ?
I'm great with solinding , fixing , mod device ... but not in programming .. We need here recovery menu like Hourglass9 on 3ds> I know it take years to make it work correct but this will help ..

 

[pelago]

What is the SLC chip in the Wii U, or is there more than one of them? I'm guessing the chip datasheets will tell you the ECC algorithm in use.

It seems to me that ECC injection is probably already a "solved" problem in the NAND hacking/Teensy world.