Hacking Successfully dumped WiiU EMMC nand with hardmod.

EyeKey · Mar 22, 2017

Leeful said:
@EyeKey Ive done some testing with nandBinCheck on a vWii hardmod dump and at first it didnt work but then I noticed that the vWii dumps made with the DumpMii Nand Dumper homebrew had an extra 1024bytes at the end that included the wii section keys from the opt.

After adding the relevant 1024bytes with the keys to the hardmod dump it now works with nandbincheck.
View attachment 82021
It only found 1 page with incorrect ECC information. I'm not sure if the dump itself was 100% valid anyway to start with but at least it worked. The other dumps I did with the teensy Dual Nand Edition setup would not work at all. As said before The teensy Signal Booster Edition setup is much more reliable.

I hope this might be helpful.

That is good. It means that the dump is indeed reliable.

I am going to create a tool that will hopefully will make redNAND flashable.
And for those with bricked but not fucked NAND, a tool to fix CBHC brick just with OTP.

Hopefully we will finally see an unbricked WiiU soon.

GraFfiX420 · Mar 22, 2017

EyeKey said:
nandExtractor.cs:253:
Int32[] n_start = { 0x1FC00000, 0x20BE0000, 0x20BE0000 },
=>
Int32[] n_start = { 0x1F000000, 0x1FF80000, 0x1FF80000 },

Thank you, I don't know much, but I do like to mess around with stuff, you also mentioned that the magic for the superblock changed from SFFS to SFS, this means that it would change from 0x53464653 to 0x534653 , correct?

nexusmtz · Mar 22, 2017

GraFfiX420 said:
you also mentioned that the magic for the superblock changed from SFFS to SFS,

EyeKey said:
SFFS to SFS!,

Since there was a comma after ! I would take that literally. 53465321. (especially if the compare is 4 bytes) Should be pretty easy to test.

EyeKey · Mar 22, 2017

Yes, it is "SFS!".

I posted a proper modification of the NAND extractor to this thread, which will include the upcoming tools too.

GraFfiX420 · Mar 22, 2017

Would it be possible for one of you guys that has a teensy hooked up to send me your slc.full.img? I'm testing modifying some of the wii tools that are already out there and I need an slc dump that actually has ECC data. Thanks.

Leeful · Mar 22, 2017

GraFfiX420 said:
Would it be possible for one of you guys that has a teensy hooked up to send me your slc.full.img? I'm testing modifying some of the wii tools that are already out there and I need an slc dump that actually has ECC data. Thanks.

Sorry, I would but I don't have a valid SLC hardmod dump, every page is corrupted.
My only hope to fix it is for a rebuilt rednand dump with the calculated ECC data inserted.

I do have a modified rednand dump with 'dummy' ECC data (all FFs) inserted after every page and that works with EyeKey's Nand Extractor MOD but it won't be useful for testing any tool that uses the ECC data. let me know if you want it anyway.

GraFfiX420 · Mar 22, 2017

Leeful said:
Sorry, I would but I don't have a valid SLC hardmod dump, every page is corrupted.
My only hope to fix it is for a rebuilt rednand dump with the calculated ECC data inserted.

I do have a modified rednand dump with 'dummy' ECC data (all FFs) inserted after every page and that works with EyeKey's Nand Extractor but it won't be useful for testing any tool that uses the ECC data. let me know if you want it anyway.

Sure, if you can dropbox it or something I will see what I can do with it. Thanks.

Leeful · Mar 22, 2017

@GraFfiX420 PM sent with mega.nz link.

EyeKey · Mar 23, 2017

I made most of the needed changes to WiiQt, I got nandBinCheck -spare to work with WiiU nand, so now it should be able to check if a dump is valid or not.
Fixing the wrong ECC/HMACs is trivial (aka making a full dump from redNAND dump), I will do it tomorrow.

The source is here:
https://github.com/koolkdev/wiiuqt

Valery0p · Mar 23, 2017

Leeful said:
No Luck. Images are same size as rednand dumps

GraFfiX420 said:
It looks like the sections relevant to dumping the slc in hexfw are located here:

https://github.com/hexkyz/hexFW/blob/master/firmware/patches/0x10700000.s#L417

And in the hexcore program here:

https://github.com/hexkyz/hexFW/blob/master/firmware/programs/hexcore/source/main.c#L277

Judging from this line of code inside of the hexcore main.c:

Code:

// Open target device FSA_RawOpen("/dev/slc01", &fsa_raw_handle);

Probably the slc dump code is took directly from @smealum iosuhax, either in hexFW and mocha:
https://github.com/smealum/iosuhax/blob/master/patches/0x10700000.s#L622
So, how he recovered his brick? Maybe only decrypting the slc using his otp...

Ps: I'm not a programmer, so if there is any difference in that assembly code I can't see it Dx

Leeful · Mar 23, 2017

EyeKey said:
I made most of the needed changes to WiiQt, I got nandBinCheck -spare to work with WiiU nand, so now it should be able to check if a dump is valid or not.
Fixing the wrong ECC/HMACs is trivial (aka making a full dump from redNAND dump), I will do it tomorrow.

The source is here:
https://github.com/koolkdev/wiiuqt

Could you please upload a compiled version of nandBinCheck. I cant get Qt to compile correctly. Thanks.

EyeKey · Mar 23, 2017

Leeful said:
Could you please upload a compiled version of nandBinCheck. I cant get Qt to compile correctly. Thanks.

Didn't upload one yesterday because it was experimental and broken...

So I fixed many broken things, added some new things (like verifying boot1 hash) and created the tool that I promised.
nandFixer - Creating full dump from partial one:
https://github.com/koolkdev/wiiuqt/releases/latest

to fix a dump:
nandFixer.exe <input file> <output file>

I recommend to verify the new image with:
nandBinCheck.exe <input file> -all

Make sure to have otp.bin in the same directory of the dump.

I can't guarantee that I didn't miss something and it will work, but I do hope so...

Leeful · Mar 23, 2017

I'm getting 'Faild to load keys' error on both nandfixer and nandbincheck.
Both SLC.bin and otp.bin files work fine with the nand extractor.

EyeKey · Mar 24, 2017

Leeful said:
I'm getting 'Faild to load keys' error on both nandfixer and nandbincheck.
Both SLC.bin and otp.bin files work fine with the nand extractor.
View attachment 82306

this time otp.bin need to be in the directory of the dump. (Maybe I need to change nand extractor)

EDIT: oh nvm. I see that it is the same directory, hmmm. I will check what is wrong
2nd EDIT: Ok, I know what is the bug. You can get it to work now by specifying ./SLC.bin instead SLC.bin (and the same for the output file).

Leeful · Mar 24, 2017

I got it sort of working using an input and an output folder. nandFixer.exe input/SLC.bin output/SLC-FIXED.bin with the otp.bin in the output folder.

It inserts the 64 bytes every page but the ECC data is all FFs.

Just saw your Edit. same thing using ./

I tested it with a V-Wii dump and that seems to have worked.

Code:

S:\nand_fixer>nandBinCheck ./SLCCMPT-FIXED.bin -all
** nandBinCheck : Wii nand info tool **
from giantpune
built: Mar 24 2017 01:09:00
checking boot1...
Boot1 check failed!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 0 ()
free 5bd6
verifying ecc...
0 out of 592512 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 269 files
0 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

EyeKey · Mar 24, 2017

Leeful said:
I got it sort of working using an input and an output folder. nandFixer.exe input/SLC.bin output/SLC-FIXED.bin with the otp.bin in the output folder.

It inserts the 64 bytes every page but the ECC data is all FFs.

Ok, first of all I fixed that bug with finding the key and uploaded a fixed file.

Now, are you sure that all the ECC data is FF, it may be FF in unused pages.
Did it print any error? Did you run nandbincheck on that?

EDIT: Ok, it seems that something is broken. I am checking it.

Leeful · Mar 24, 2017

I ran nandbincheck on it and it passed. but there are still a lot of FF areas but in the original hardmod dump I did not notice any.

Code:

S:\nand_fixer>nandBinCheck ./SLC-FIXED.bin -all
** nandBinCheck : Wii nand info tool **
   from giantpune
   built: Mar 24 2017 01:09:00
checking boot1...
Boot1 OK!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 7f (530f, 58a1, 58a2, 58a3, 58a4, 58a5, 58a6, 58a7, 5abb, 5abc, 5abd, 5abe, 5abf,
 60f2, 60f3, 60f4, 60f5, 60f6, 60f7, 61f0, 61f1, 61f2, 61f3, 61f4, 61f5, 61f6, 61f7, 61f8, 61f9,
 6504, 6505, 6506, 6507, 6528, 6529, 652a, 652b, 652c, 652d, 652e, 652f, 6530, 6531, 6532, 6533,
free            4936
verifying ecc...
0 out of 897664 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
 ()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 367 files
0 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

I dont want to try and write back to the WiiU yet because it takes 3 hours for a verified write.

--------------------- MERGED ---------------------------

Most of the ECC areas seem to be correct. I'm just worried about the parts where it has just inserted FF.

EyeKey · Mar 24, 2017

Leeful said:
I ran nandbincheck on it and it passed. but there are still a lot of FF areas but in the original hardmod dump I did not notice any.
View attachment 82314

Code:

S:\nand_fixer>nandBinCheck ./SLC-FIXED.bin -all ** nandBinCheck : Wii nand info tool ** from giantpune built: Mar 24 2017 01:09:00 checking boot1... Boot1 OK! checking for lost clusters... found 0 lost clusters UNK ( 0xffff ) 7f (530f, 58a1, 58a2, 58a3, 58a4, 58a5, 58a6, 58a7, 5abb, 5abc, 5abd, 5abe, 5abf, 60f2, 60f3, 60f4, 60f5, 60f6, 60f7, 61f0, 61f1, 61f2, 61f3, 61f4, 61f5, 61f6, 61f7, 61f8, 61f9, 6504, 6505, 6506, 6507, 6528, 6529, 652a, 652b, 652c, 652d, 652e, 652f, 6530, 6531, 6532, 6533, free 4936 verifying ecc... 0 out of 897664 pages had incorrect ecc. they were spread through 0 clusters in 0 blocks: () 0 of those clusters are non-special (they belong to the fs) verifying hmac... verifying hmac for 367 files 0 files had bad HMAC data checking HMAC for superclusters... 0 superClusters had bad HMAC data

I dont want to try and write back to the WiiU yet because it takes 3 hours for a verified write.

--------------------- MERGED ---------------------------

Most of the ECC areas seem to be correct. I'm just worried about the parts where it has just inserted FF.
View attachment 82315

Yes, you have a point. I didn't update the ecc on unused pages, it shouldn't really matter, but to be more precise and similar to the original dump, I changed it to calculate the ecc for all the initialized pages. You can redownload it (v0.1b).

Leeful · Mar 24, 2017

That looks way better, Thanks for all your hard work.

I'm writing back to the WiiU now.
I'll report back in about 3 hours when its done. Fingers Crossed.

aut0mat3d · Mar 24, 2017

Thanks!
Will try that and compate it with my dump

Hacking Successfully dumped WiiU EMMC nand with hardmod.

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

GBAtemp Member

Well-Known Member

GBAtemp Member

Well-Known Member

Well-Known Member

GBAtemp Member

Well-Known Member

GBAtemp Member

Well-Known Member

GBAtemp Member

Well-Known Member

GBAtemp Member

Well-Known Member

GBAtemp Member

Well-Known Member

Similar threads

Popular threads in this forum