Thanks. I see the datasheet for Samsung K9K8G08U1D at http://wiiubrew.org/wiki/File:K9k8g08u1d.pdf . Haven't found the Hynix one yet. I'm finding a number of web hits for it, but when downloading they are for H27U4G8 etc. not U8G8. Don't know how important the distinction is. They may have the same ECC scheme.
Last edited by pelago,
Hi there!
I am the new one - registered a Account to share my thoughts.
I am at the same point with my bricked Wii U (not booting due to a format with activated coldboothax)
I do have the equivalent dumps from rednand :
Found the current research here and i am Impressed - thanks for that.
Seems that rednand gives us a (atm) non-restorable full backup
- iwas blue eyed and thaught i do not have to care as i do have a dump *bummer*
Unfortuanally, when decrypting the dump i only earned crap (dump ran without problems, Flash was correct identified,....)
when i decrypt the slc.img from rednand all looks fine (searched for Text "default_" in Hexed" - also checked if i dumped the correct Flash Area (decrypted the Vwii dump with slc key to probe)
Anyone can confirm that a dump with Teensy should/would work indeed?
For the ecc calculation:
(Sorry, i am not a coder, i want to share what i found during my research)
Perhaps the first attemp could be ECC calulation on a working console? - there should be a Function accessible in OS which could be used to parse a rednand dump.
wiiubrew mentions ECC as ?non tested?: http://wiiubrew.org/wiki/Hardware/NAND_Interface
Also there should be functions on Wii (which seems to use the same ECC calculation i guess) - see https://github.com/crowell/gbadev/blob/master/armboot/nand.c
Perhaps one of the Coders could provide a Backup tool to dump the whole NAND incl. ECC to have complete backups in the Future - already done on Wii, see http://wiibrew.org/wiki/Wiinandfuse
On PC side i found no specific tools for Wii U, only some Infos abount Hamming Code and Reed Solomon:
https://hackerfall.com/story/nand-flash-dealing-with-a-flawed-medium
https://pypi.python.org/pypi/unireedsolomon
I guess the ECC on the Wii U side is provided by Hardware (ARM), so there would be only trial and error to achieve the right chunk/block sizes and Algos
Also there would be no custom boot1 without a "parachute" on sysrom
My next step is to flash the mlc dump and crossing fingers that the console would boot, but i think the ticket for the content on the mlc is missing in flas
I am the new one - registered a Account to share my thoughts.
I am at the same point with my bricked Wii U (not booting due to a format with activated coldboothax)
I do have the equivalent dumps from rednand :
- slc
- slccmtp
- opt
- mlc
- eeprom
Found the current research here and i am Impressed - thanks for that.
Seems that rednand gives us a (atm) non-restorable full backup
- iwas blue eyed and thaught i do not have to care as i do have a dump *bummer*Unfortuanally, when decrypting the dump i only earned crap (dump ran without problems, Flash was correct identified,....)
when i decrypt the slc.img from rednand all looks fine (searched for Text "default_" in Hexed" - also checked if i dumped the correct Flash Area (decrypted the Vwii dump with slc key to probe)
Anyone can confirm that a dump with Teensy should/would work indeed?
For the ecc calculation:
(Sorry, i am not a coder, i want to share what i found during my research)
Perhaps the first attemp could be ECC calulation on a working console? - there should be a Function accessible in OS which could be used to parse a rednand dump.
wiiubrew mentions ECC as ?non tested?: http://wiiubrew.org/wiki/Hardware/NAND_Interface
Also there should be functions on Wii (which seems to use the same ECC calculation i guess) - see https://github.com/crowell/gbadev/blob/master/armboot/nand.c
Perhaps one of the Coders could provide a Backup tool to dump the whole NAND incl. ECC to have complete backups in the Future - already done on Wii, see http://wiibrew.org/wiki/Wiinandfuse
On PC side i found no specific tools for Wii U, only some Infos abount Hamming Code and Reed Solomon:
https://hackerfall.com/story/nand-flash-dealing-with-a-flawed-medium
https://pypi.python.org/pypi/unireedsolomon
I guess the ECC on the Wii U side is provided by Hardware (ARM), so there would be only trial and error to achieve the right chunk/block sizes and Algos
Also there would be no custom boot1 without a "parachute" on sysrom
My next step is to flash the mlc dump and crossing fingers that the console would boot, but i think the ticket for the content on the mlc is missing in flas
@Leeful said that he had to use "signal booster edition" not "dual nand edition" as otherwise each time he dumped he got different data. Which did you use? Did you dump several times and compare to make sure you were getting a stable dump?
I used the "signal booster edition" and used a TSOP adapter-PCB to have no mess with components on th motherboard of the WiiU.
Did only one dump, should do some more and compare - thanks for the hint, pelago.
If i understood right, the keys are stored in OTP, so the encryption of the data should be done with the same key as the dump.
Did only one dump, should do some more and compare - thanks for the hint, pelago.
If i understood right, the keys are stored in OTP, so the encryption of the data should be done with the same key as the dump.
It is for the hardmod installation, but not for the SLC-to-teensy conversion.@StandardBus this is bread for Your Teeth
The only thing I know is that Smea had successfully restored its console starting from a software dump. He didn't have an installed Teensy before the brick. So we would be able to convert a SLC dump into a Teensy compatible one if we understand how he did it.
(Not to mention that he could have done a full wii u NANDs dump using some custom developed nand dumper instead of the one available on the net)
BTW, I dumped my Wii U nands using the signal booster edition .hex way before the release of the kernelhax, and it worked. So I confirm you should use that .hex and not the dual nand .hex.
Last edited by StandardBus,
one hint for all who wants to dump their mlc/eMMC:
do not solder on the smd-pads of the resistors, please use the vias aside.
The smd resistors are damaged verry easy (super tiny thin metal ends - never saw a smd resistor break so fast when desoldering)
Also i am not able to dump the mlc - tried 5+ cardreaders, single bit wiring, 4bit wiring, removing resistors - all without luck
My next step will be a attemp to dd the dump of mlc to a micro-sd card and solder it in as replacement - i am curious if this was tried by anyone, or anyone does know if there is some security involved which checks the serial or Timing of the mlc storage for example.
do not solder on the smd-pads of the resistors, please use the vias aside.
The smd resistors are damaged verry easy (super tiny thin metal ends - never saw a smd resistor break so fast when desoldering)
Also i am not able to dump the mlc - tried 5+ cardreaders, single bit wiring, 4bit wiring, removing resistors - all without luck
My next step will be a attemp to dd the dump of mlc to a micro-sd card and solder it in as replacement - i am curious if this was tried by anyone, or anyone does know if there is some security involved which checks the serial or Timing of the mlc storage for example.
Last edited by aut0mat3d,
For creating slc and slccmtp from a rednand dump, perhaps someone who is a programmer could get some hints out of ohneschwarzenegger, which was made to manipulate/restore Wii NAND images (ECC handling, File injection,..)
Take a look at https://github.com/trapexit/wiiqt/blob/master/ohneschwanzenegger/readmii.txt
Phps this would be a base to unbrick consoles with Teensy (system.xml)
Also found this for ECC calculation: https://code.google.com/archive/p/wii-fsck/source/default/source
Take a look at https://github.com/trapexit/wiiqt/blob/master/ohneschwanzenegger/readmii.txt
Phps this would be a base to unbrick consoles with Teensy (system.xml)
Also found this for ECC calculation: https://code.google.com/archive/p/wii-fsck/source/default/source
Last edited by aut0mat3d,
Quite interesting, from the readme:
It needs to have a copy of the first 8 blocks of nand, a list of bad blocks, and AES & hmac keys. All of this data can be gotten from a bootmii nand dump, even if that nand is bricked.
How can we get a bootmii nand dump?
I think, this is one of the needed hints to restore the Filesystem as the first blocks should hold the bad block map
indeed this would not work without modifications phps the second link mentioning ECC calculation would be more helpful.....
The first 8 blocks of the V-Wii nand are all FF's but The AES & HMAC keys are in the OTP.bin. You can extract them using the attached python script.
Credit to Whovian9369 for the script.
Last edited by Leeful,
I was able to build the tools that you pointed out here:
https://github.com/trapexit/wiiqt
I had a build environment I setup for 3ds development, on a centos vm I have running on my esxi server. I wasn't able to get qmake(3?) to install, I was able to get qmake 4 to install, so I altered the build.sh script for the wiiqt repo as follows:
All I did was changed the reference to qmake in the build script to qmake-qt4. I haven't had a chance to work any further with it, but if anyone else is stuck at compiling this may help them.
From the second link you posted, I was able to get wii-fsck to compile by adding this to explicitly include errno.h:
This was added to the file trunk/wii-fsck/wii-fsck.c from the second repository you mentioned. nanddump from this repo built fine with no modifications. I was not able to get zestig to build, but I found another repo here:
https://github.com/Plombo/segher-wii-tools
This appears to include a few more tools and builds fine in my test environment, it includes zestig and all the utilities from the other repo.
The OTP key utility that Leeful pointed out worked fine for me.
https://github.com/trapexit/wiiqt
I had a build environment I setup for 3ds development, on a centos vm I have running on my esxi server. I wasn't able to get qmake(3?) to install, I was able to get qmake 4 to install, so I altered the build.sh script for the wiiqt repo as follows:
Code:
#!/bin/bash
mkdir -p bin
for app in nandBinCheck nandDump nandExtract ohneschwanzenegger
do
cd $app
qmake-qt4
make -j4
cp $app ../bin
cd ..
doneAll I did was changed the reference to qmake in the build script to qmake-qt4. I haven't had a chance to work any further with it, but if anyone else is stuck at compiling this may help them.
From the second link you posted, I was able to get wii-fsck to compile by adding this to explicitly include errno.h:
Code:
#include <errno.h>This was added to the file trunk/wii-fsck/wii-fsck.c from the second repository you mentioned. nanddump from this repo built fine with no modifications. I was not able to get zestig to build, but I found another repo here:
https://github.com/Plombo/segher-wii-tools
This appears to include a few more tools and builds fine in my test environment, it includes zestig and all the utilities from the other repo.
The OTP key utility that Leeful pointed out worked fine for me.
Last edited by GraFfiX420,
Update:
I think i found the fault, why i ws not able to read the mlc. When replacing the resistors i applied a little to much force when desoldering and destroyed a trace to the mlc chip
I desoldered the bga chip - phps i will get some Schnaps (to have a steady hand) and doing the wiring manually, but it is soooooo tiny - atm my wii u is deaded:
softbricked and (finally) hard bricked
With the dumped mlc on a sd card the WiiU does not boot, but i am not sure if this is caused on filesystem check (not the same state after the format) or different Hardware.
ATM i am fighting with myselve doing that at my spare WiiU - i think i am waiting to get a real cheap on ebay before doing that
I think i found the fault, why i ws not able to read the mlc. When replacing the resistors i applied a little to much force when desoldering and destroyed a trace to the mlc chip
I desoldered the bga chip - phps i will get some Schnaps (to have a steady hand) and doing the wiring manually, but it is soooooo tiny - atm my wii u is deaded:
softbricked and (finally) hard bricked
With the dumped mlc on a sd card the WiiU does not boot, but i am not sure if this is caused on filesystem check (not the same state after the format) or different Hardware.
ATM i am fighting with myselve doing that at my spare WiiU - i think i am waiting to get a real cheap on ebay before doing that
just curious, how long do it take to dump the full nand? I also got a teensy and dump several ps3 before.
Hi guys I have no idea what most of you are talking about however I have theoretically bricked my wii u by installing cbhc to a out of region vc game. I have my otp file. Do you think if I took my console to a games console repair shop and showed them this post that they could find someway to repair my console? Preferably whilst keeping access to the game saves on my external hard drive?
Similar threads
-
- Article
- No one is chatting at the moment.
-
-
-
-
-
-
-
-
@
Xdqwerty:
@Purple_Heart, then I will be actually older than him for a bit (ik thats not how ages work btw) -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
