Hacking Wiiu Nand Dump

Adr990 · Aug 27, 2015

FaTaL_ErRoR said:
It's encrypted with console specific keys. Once those have been entered in the raw image you can bit by bit view to see if they are identical or if parts are different. Also looking into decrypting console specific part. and using a different set of console key and attempting to flash it back to see what happens.

Kinda yeah. But I also wanna get inside the drive to see if there are any differences as well. these same methods also work for obtaining keys. (even one time programmable) http://www.cl.cam.ac.uk/~sps32/mcu_lock.html All you have to do is be willing to ruin a few consoles. And since all my children have recently upgraded to xbox 1 I have a few consoles I was not worried about ruining. Combine those consoles with the ones my wife poached from all over the globe and now I have plenty of them to destroy from all regions. Currently I am successful on my third attempt. But that third console is also ruined so I have no real way of validating my findings. I am attempting to correct it and not kill the console when they are extracted. And then will work on not messing up the first two. But my main focus right this minute is just to get one that dumps them without messing up the chip. I think I am going to remove the chip this time and see if any good luck comes my way.

Oh... I just have opened up my WiiU and I read this.

Have you tried to copy(dump) the NAND/eMMC of the WiiU? Did only this result in a brick? 0_o Jikes...

shinyquagsire23 · Aug 27, 2015

Adr990 said:
Oh... I just have opened up my WiiU and I read this.

Have you tried to copy(dump) the NAND/eMMC of the WiiU? Did only this result in a brick? 0_o Jikes...

Honestly someone should just dump it from vWii. Apparently it's perfectly possible, you just need to mess with NAND_UNK or something, I can't remember what I heard on #wiiudev

Marionumber1 · Aug 27, 2015

shinyquagsire23 said:
Honestly someone should just dump it from vWii. Apparently it's perfectly possible, you just need to mess with NAND_UNK or something, I can't remember what I heard on #wiiudev

tueidj did suggest using the NAND_UNK register, though didn't say how. Evidently, it now controls the bank switching on the Wii U, regardless of what it was for on the Wii.

FaTaL_ErRoR · Aug 28, 2015

Adr990 said:
Oh... I just have opened up my WiiU and I read this.

Have you tried to copy(dump) the NAND/eMMC of the WiiU? Did only this result in a brick? 0_o Jikes...

No no no. If you thought I was talking about dumping the nand to brick it that's incorrect.
I'm going after the "starbuck" keys. And whatever else I can get. I already have nand extracted. I pulled the chip out and used a flash extractor to get that. I have no problems moving that off and back on. I have a very decent solder/desolder setup.
So, no I haven't bricked a console by extracting or re flashing the nand. I really don't if your method of extraction will work or not.
I keep smoking DRH-WUP 811309G31 lol. I am connected to otp and every time the drh burns out two pins. I think I can fix the pins but since I just keep moving along I haven't tried. With a little luck I have 6 consoles with minor repair issues. I hope this is the case because I eventually am going to be out of consoles. (like in the next two tries and thats including the one connected to my gaming tv) If not I may have some real cheap "unknown condition" wii u's for sale....lol j/k.

I just thought of something though. Something that probably hasn't been tried....http://www.aliexpress.com/store/pro...ble-frame-guide-HDMI/1530056_32244038675.html
I wonder if you copy the flash from a good console then flash that to a good emmc from another bad wii u and plugged it in to the same wii u you copied the flash from what would happen??
I need one of these I wonder if I can find one a little bit cheaper. Lol, it will probably just tell me I need to format my storage but I am curious.

shinyquagsire23 · Aug 28, 2015

Marionumber1 said:
tueidj did suggest using the NAND_UNK register, though didn't say how. Evidently, it now controls the bank switching on the Wii U, regardless of what it was for on the Wii.

I'm thinking its closer to NAND_CE than NAND_UNK based on the description of that is done to it. It's probably set to 1 on boot to enable the CE pin and the chip, maybe it's something like 1 -> Wii U vWii and 2 -> Wii U CafeOS?

Dr.Hacknik · Aug 28, 2015

a MicroSD to USB Adapter would be nice, just remove the Unnecessary pins. Overall, i had no idea this was a thing!

Adr990 · Aug 28, 2015

Where does the 3.3v (TP 163) go?

Pictures of progress:

Before:

After:

Teensy prepared:

EclipseSin · Aug 28, 2015

https://www.pjrc.com/teensy/3volt.html should help

Edit: If you need 16Mhz, use external 3.3v from a PC PSU. Another option is letting the console power the nand, but not sure on how to do this on the Wii U. Meaning, i'm not sure if it's safe to just power on while hooked up with the Wii U nand.

FaTaL_ErRoR · Aug 29, 2015

Adr990 said:
Where does the 3.3v (TP 163) go?

Pictures of progress:

Before:

After:

Teensy prepared:

Whoa....Slow down, clean up the slop on the right second and third pins. Also looks like the 5th pin on the right is bridged..(though that one may just be the picture)
And if memory serves me correctly you should be able to grab 3.3v from the usb pc side. If it's higher then that use a resistor to drop the voltage.
Radio shack still has resistors in store....(If you can still find one open that is) Also some diodes will drop the voltage as well. A little info on resistors. http://www.alfonsomartone.itb.it/moisxc.html
Then you won't have to power the console up at all.

shinyquagsire23 · Aug 29, 2015

FaTaL_ErRoR said:
Whoa....Slow down, clean up the slop on the right second and third pins. Also looks like the 5th pin on the right is bridged..(though that one may just be the picture)
And if memory serves me correctly you should be able to grab 3.3v from the usb pc side. If it's higher then that use a resistor to drop the voltage.
Radio shack still has resistors in store....(If you can still find one open that is) Also some diodes will drop the voltage as well. A little info on resistors. http://www.alfonsomartone.itb.it/moisxc.html
Then you won't have to power the console up at all.

IIRC the recommended way in the PS3 community is external, separate from the Teensy USB. A standard PC power supply has a 3.3v line which works. So you can have a 3.3v regulator on the teensy and the PC PSU powering the NAND on the Wii U, or have the PC PSU power the 5v pin on the Teensy, skip the regulator, and bridge the 3.3v pin like normal.

Adr990 · Aug 29, 2015

shinyquagsire23 said:
IIRC the recommended way in the PS3 community is external, separate from the Teensy USB. A standard PC power supply has a 3.3v line which works. So you can have a 3.3v regulator on the teensy and the PC PSU powering the NAND on the Wii U, or have the PC PSU power the 5v pin on the Teensy, skip the regulator, and bridge the 3.3v pin like normal.

According to this post:
http://www.ps3hax.net/showthread.php?t=25408&page=82&p=573027#post573027

The Teensy needs 3.3v clean. OK.
The NAND needs 1.7v... So then I'd need a "[email protected] voltage regulator" on a 5v line. Ordered.

Apparently this is no job for Resistors?

I could read the NAND (info argument) once the WiiU was turned on, but obviously it was in no shape to make a dump.

---
eMMC talk:

I also received the Anker card reader.
It seems to be better at was it is supposed to do, but I haven't been able to make an actual dump yet.

Either the WiiU turns off, or stays on and Windows Explorer goes hay wire...

---

FaTaL_ErRoR said:
Whoa....Slow down, clean up the slop on the right second and third pins. Also looks like the 5th pin on the right is bridged..(though that one may just be the picture)
And if memory serves me correctly you should be able to grab 3.3v from the usb pc side. If it's higher then that use a resistor to drop the voltage.
Radio shack still has resistors in store....(If you can still find one open that is) Also some diodes will drop the voltage as well. A little info on resistors. http://www.alfonsomartone.itb.it/moisxc.html
Then you won't have to power the console up at all.

Yea, it does look a bit messy on some points. But I check for shorts every time I boot it up over at the NAND. It is still going strong.

mixelpixx · Aug 29, 2015

You are f*cking dumb if you backfeed power into your NAND. DO NOT F*CKING DO THIS. I am an electrical engineer, have been doing this stuff for a long time. The ONLY time -- AGAIN THE ONLY TIME I ever back fed power was to corrupt an old style flash chip -- for whatever reason (accident) it was discovered we could read, but not write --- there was write protection. When 12v was applied to the NAND, it went into an unhappy state and let us write to it no problem. But if you are just guessing then DON'T.

Also unless you can decrpyt the DUMP, it is useless. except to the console that it came from. My kids have managed to take my Wii U off my desk and update it everytime for some damn reason, so I had to stop working. But...

What can you do?

Backup your NAND by making a DISK IMAGE using an SD card reader. (using 1-bit aka bit-bang, is SLOW!) (Some card readers have different chipsets, some work, some don't)
You can write that NAND back to the console it came from, useless to other units.

Maybe?

I suspect you could have a console at 5.3.0, save the NAND Image.
Then update the console. Now backup that IMAGE.
You should be able to re-write 5.3.0 back to the console.

Children undoing my work did not help, but I can say that these NAND Images contain YOUR personal info, YOUR consoles MAC / Serial Number / Device ID / and I bet they may even have a console specific keyset generated from a combination of your individual MAC / Serial / Device ID embedded into it -- effectively marrying the software to the console.

but goddamnit quit with the back feed talk. Ignorance makes my blood boil.

--------------------- MERGED ---------------------------

To power the NAnd to dump it -- plug the unit into the wall. Thats it, don't turn it on, do not try to boot anything, the only thing the console needs is plugged in.

Adr990 · Aug 29, 2015

mixelpixx said:
You are f*cking dumb if you backfeed power into your NAND. DO NOT F*CKING DO THIS. I am an electrical engineer, have been doing this stuff for a long time. The ONLY time -- AGAIN THE ONLY TIME I ever back fed power was to corrupt an old style flash chip -- for whatever reason (accident) it was discovered we could read, but not write --- there was write protection. When 12v was applied to the NAND, it went into an unhappy state and let us write to it no problem. But if you are just guessing then DON'T.

Applying 12v to a chip to write to it... sound like an EEPROM to me, not a NAND?

mixelpixx said:
What can you do?

Backup your NAND by making a DISK IMAGE using an SD card reader. (using 1-bit aka bit-bang, is SLOW!) (Some card readers have different chipsets, some work, some don't)
You can write that NAND back to the console it came from, useless to other units.

You are confusing the TSOP NAND (aka just NAND) and eMMC NAND (aka just eMMC) of the WiiU.
You obviously meant that we can dump the eMMC with an SD card reader, giving the chip set is compatible, yes.

mixelpixx said:
Children undoing my work did not help, but I can say that these NAND Images contain YOUR personal info, YOUR consoles MAC / Serial Number / Device ID / and I bet they may even have a console specific keyset generated from a combination of your individual MAC / Serial / Device ID embedded into it -- effectively marrying the software to the console.

Well software is software... it's about the Console Key that is preventing a raw NAND dump to be shared among different consoles.
If you were to decrypt the NAND dump with your Console Key and encrypt it back with another Console Key, you could write it back on a other WiiU and it should work.

Also, a MAC address is stored on the NIC (Network Interface Card).

mixelpixx said:
To power the NAnd to dump it -- plug the unit into the wall. Thats it, don't turn it on, do not try to boot anything, the only thing the console needs is plugged in.

I have not been able to read 3,3v from TP 163 when it was plugged in to the wall, turned off (red led).
Neither did it seem possible to read anything from it, until I powered the WiiU with my Teensy.

mixelpixx · Aug 29, 2015

sorry. just woke, and was trying to prevent people who don't know, from back feed their consoles. ADR990, you would be excluded from that rant. Really any memory device with a 8051 as it brains/controller -- they all follow the same basic rules for reading, writing.

1.8v, 3.3v, etc... what Amp value? See there are diodes in place to prevent damage being done from back feeding, or an over voltage on a rail. You can apply a voltage, but if you have to much current you can do damage to components. And I see people using PC Desktop supplies as bench supplies -- these can produce over 20+ Amps @ 1VDC, so there is the danger. that is all. Sorry I woke up to be a crank.

and it was a TSOP that needed the 12v write protection removal, not a NAND, you are correct.

Adr990 · Aug 29, 2015

Indeed, people recommend a PC PSU, the reason for this eludes me. But people in the PS3 scene seem to be talking about 1.5A on 1.8v for example, claiming it is necessary.

http://pdf.datasheetarchive.com/indexerfiles/Datasheets-IS86/DSAH00529214.pdf
Reading the manual again, under section 2.2 we can read: vcc operation level 2.7v-3.6v.

However, I am yet unsure as to what effect the difference between 1.7v and 3.3v would be on dumping the NAND with the Teensy (with NANDway).
And the NANDs from the Wii,Xbox(360),PS3 and WiiU are all similar. So previous experiences should be taken

Also, TSOP stands for: Thin Small Outline Package. (Tbh, Google'd that)
Anyhow, TSOP is an IC (Integrated Circuit) form factor/surface mount standard. In this case, the Samsung K9 series NAND Flash (Probably varies, not excluding other (Toshiba etc.) manufactures.)

Edit:
I still believe you mean that 12v was necessary to program an EEPROM you once encountered. (aka enable write mode)

shinyquagsire23 · Aug 29, 2015

Adr990 said:
Indeed, people recommend a PC PSU, the reason for this eludes me. But people in the PS3 scene seem to be talking about 1.5A on 1.8v for example, claiming it is necessary.

http://pdf.datasheetarchive.com/indexerfiles/Datasheets-IS86/DSAH00529214.pdf
Reading the manual again, under section 2.2 we can read: vcc operation level 2.7v-3.6v.

However, I am yet unsure as to what effect the difference between 1.7v and 3.3v would be on dumping the NAND with the Teensy (with NANDway).
And the NANDs from the Wii,Xbox(360),PS3 and WiiU are all similar. So previous experiences should be taken

Also, TSOP stands for: Thin Small Outline Package. (Tbh, Google'd that)
Anyhow, TSOP is an IC (Integrated Circuit) form factor/surface mount standard. In this case, the Samsung K9 series NAND Flash (Probably varies, not excluding other (Toshiba etc.) manufactures.)

Edit:
I still believe you mean that 12v was necessary to program an EEPROM you once encountered. (aka enable write mode)

I believe the reason for a PC PSU is just that they are more accessable. Also, I'd try soldering a wire to TP163 and then try to get a voltage reading off that pin while powered on, just to be more certain. I'm *pretty* sure it's 3.3v just off the data sheet but I suppose 1.8v could work too maybe?

Adr990 · Aug 29, 2015

shinyquagsire23 said:
I believe the reason for a PC PSU is just that they are more accessable. Also, I'd try soldering a wire to TP163 and then try to get a voltage reading off that pin while powered on, just to be more certain. I'm *pretty* sure it's 3.3v just off the data sheet but I suppose 1.8v could work too maybe?

TP 163: Nothing...
TP 136: 12v (the test point close to the 163)

Also, giving the eMMC another try, with the new Anker reader, still out of luck:

I power on the WiiU, no video signal and the Gamepad cannot connect. Similar to the 3DS eMMC dumping process.

However, no dumping possible... but at least it detects something.

---

"Verwisselbare schijf" is Dutch for "Removable media".

And yes, I have more than 32GB space left on my C: drive.

FaTaL_ErRoR · Aug 29, 2015

mixelpixx said:
You are f*cking dumb if you backfeed power into your NAND. DO NOT F*CKING DO THIS. I am an electrical engineer, have been doing this stuff for a long time. The ONLY time -- AGAIN THE ONLY TIME I ever back fed power was to corrupt an old style flash chip -- for whatever reason (accident) it was discovered we could read, but not write --- there was write protection. When 12v was applied to the NAND, it went into an unhappy state and let us write to it no problem. But if you are just guessing then DON'T.

Also unless you can decrpyt the DUMP, it is useless. except to the console that it came from. My kids have managed to take my Wii U off my desk and update it everytime for some damn reason, so I had to stop working. But...

What can you do?

Backup your NAND by making a DISK IMAGE using an SD card reader. (using 1-bit aka bit-bang, is SLOW!) (Some card readers have different chipsets, some work, some don't)
You can write that NAND back to the console it came from, useless to other units.

Maybe?

I suspect you could have a console at 5.3.0, save the NAND Image.
Then update the console. Now backup that IMAGE.
You should be able to re-write 5.3.0 back to the console.

Children undoing my work did not help, but I can say that these NAND Images contain YOUR personal info, YOUR consoles MAC / Serial Number / Device ID / and I bet they may even have a console specific keyset generated from a combination of your individual MAC / Serial / Device ID embedded into it -- effectively marrying the software to the console.

but goddamnit quit with the back feed talk. Ignorance makes my blood boil.

--------------------- MERGED ---------------------------

To power the NAnd to dump it -- plug the unit into the wall. Thats it, don't turn it on, do not try to boot anything, the only thing the console needs is plugged in.

Huh?? Where is this rant coming from? Who on earth said they were backfeeding 12v to their nand chip?
I have learned the some of the strangest things come from the mouths of electrical engineers.
chipset requires 1.8-3.3v to power on. Who on earth would even imagine applying 12v to that.
Here I'll add to this You are f*cking dumb if you backfeed 110v directly to your cell phone battery. I mean since we are stating the obvious here.

@OP you can use resistors as long as you do the math and your power supply with resistors come to the same voltage output and amp rate.
It is much easier to order something already put together to do just that though.

ARd990: Ar you sure your rx and tx aren't reversed?
If it's visible theres a good chance somewhere in that direction is your problem.
And you may also need to isolate the power supply from everything else but the nand chip.
With the unit powered up it is possible you are being locked out of extraction.

--------------------- MERGED ---------------------------

oops my bad but need to make sure ARD990 reads this. Double check to see how much space is allocated to your f drive. You may find there isn't enough space allocated for the dump.
Also, if a mod would be kind to merge this??? Thanks.

Adr990 · Aug 29, 2015

In the screenshot I posted, I was attempting to dump the eMMC again.
The card reader showed up as drive F: (SD card slot) and drive G: (Micro SD card slot).

The WiiU's eMMC was connected the to SD card slot, therefore F: is not transparent, unlike the G: drive.
Like I stated that same post, I have more than 32GB of available space on my C: drive, as in plenty more. As also can be seen in the screenshot, I was trying to Read from F: to C:/WiiUNAND1.

As for the Rx and Tx signals... that terminology is incorrect.

The pin-out/signals of the NAND can be found here, section 1.6: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-IS86/DSAH00529214.pdf

Note that I do NOT yet have powered my NAND externally yet. I have only ordered the necessary components for that today.
Reading the NAND with the WiiU turned on was unstable for me.

I believe my wiring is correctly set up, I did check it a few times... But I will do a re check of everything once I receive the components to externally power the WiiU's NAND.

---

My WiiU stills runs though... heh.

Edit:
Just check for a random thought, between TP168 and R(ead)E(nabled) & W(rite)E(nabled) there is a 3.3v measured when the WiiU is powered on.

Between TP168 and GND, nothing.

hundshamer · Aug 29, 2015

I was getting the same exact error with my anker. Glad to know it wasn't just me...

Hacking Wiiu Nand Dump

To boldly go where no man has gone before!

SALT/Sm4sh Leak Guy

Well-Known Member

AKA ŦƕƎ ƠṀƐƝ

SALT/Sm4sh Leak Guy

Ashley | Developer | Trans

To boldly go where no man has gone before!

Ignorant Wizard

AKA ŦƕƎ ƠṀƐƝ

SALT/Sm4sh Leak Guy

To boldly go where no man has gone before!

hardware monkey

To boldly go where no man has gone before!

hardware monkey

To boldly go where no man has gone before!

SALT/Sm4sh Leak Guy

To boldly go where no man has gone before!

AKA ŦƕƎ ƠṀƐƝ

To boldly go where no man has gone before!

Well-Known Member

Similar threads

Popular threads in this forum