Successfully dumped WiiU EMMC nand with hardmod.

EyeKey (Well-Known Member, joined Feb 10, 2017, Israel):
@EyeKey I've done some testing with nandBinCheck on a vWii hardmod dump and at first it didn't work, but then I noticed that the vWii dumps made with the DumpMii Nand Dumper homebrew had an extra 1024 bytes at the end that included the Wii section keys from the OTP.

After adding the relevant 1024 bytes with the keys to the hardmod dump, it now works with nandBinCheck.
It only found 1 page with incorrect ECC information. I'm not sure if the dump itself was 100% valid to start with, but at least it worked. The other dumps I did with the Teensy Dual Nand Edition setup would not work at all. As said before, the Teensy Signal Booster Edition setup is much more reliable.

I hope this might be helpful.
That is good. It means that the dump is indeed reliable.

I am going to create a tool that will hopefully make redNAND flashable.
And for those with a bricked but not fucked NAND, a tool to fix a CBHC brick with just the OTP.

Hopefully we will finally see an unbricked WiiU soon.
 

GraFfiX420 (Well-Known Member, joined Oct 14, 2009, United States):
Code:
nandExtractor.cs:253:
Int32[] n_start = { 0x1FC00000, 0x20BE0000, 0x20BE0000 },
=>
Int32[] n_start = { 0x1F000000, 0x1FF80000, 0x1FF80000 },

Thank you. I don't know much, but I do like to mess around with stuff. You also mentioned that the magic for the superblock changed from SFFS to SFS; this means that it would change from 0x53464653 to 0x534653, correct?

GraFfiX420 (Well-Known Member, joined Oct 14, 2009, United States):
Would it be possible for one of you guys that has a Teensy hooked up to send me your slc.full.img? I'm testing modifying some of the Wii tools that are already out there and I need an SLC dump that actually has ECC data. Thanks.
 

Leeful (GBAtemp Member, OP, Developer, joined Sep 4, 2015, United Kingdom):
Would it be possible for one of you guys that has a Teensy hooked up to send me your slc.full.img? I'm testing modifying some of the Wii tools that are already out there and I need an SLC dump that actually has ECC data. Thanks.
Sorry, I would, but I don't have a valid SLC hardmod dump; every page is corrupted.
My only hope to fix it is a rebuilt redNAND dump with the calculated ECC data inserted.

I do have a modified redNAND dump with 'dummy' ECC data (all FFs) inserted after every page, and that works with EyeKey's Nand Extractor MOD, but it won't be useful for testing any tool that uses the ECC data. Let me know if you want it anyway.

GraFfiX420 (Well-Known Member, joined Oct 14, 2009, United States):
Sorry, I would, but I don't have a valid SLC hardmod dump; every page is corrupted.
My only hope to fix it is a rebuilt redNAND dump with the calculated ECC data inserted.

I do have a modified redNAND dump with 'dummy' ECC data (all FFs) inserted after every page, and that works with EyeKey's Nand Extractor, but it won't be useful for testing any tool that uses the ECC data. Let me know if you want it anyway.

Sure, if you can Dropbox it or something, I will see what I can do with it. Thanks.
 

Valery0p (Well-Known Member, joined Jan 16, 2017, Italy):
No luck. Images are the same size as redNAND dumps.
It looks like the sections relevant to dumping the SLC in hexFW are located here:

https://github.com/hexkyz/hexFW/blob/master/firmware/patches/0x10700000.s#L417

And in the hexcore program here:

https://github.com/hexkyz/hexFW/blob/master/firmware/programs/hexcore/source/main.c#L277

Judging from this line of code inside the hexcore main.c:

Code:
// Open target device
FSA_RawOpen("/dev/slc01", &fsa_raw_handle);
the SLC dump code is probably taken directly from @smealum's iosuhax, in both hexFW and mocha:
https://github.com/smealum/iosuhax/blob/master/patches/0x10700000.s#L622
So, how did he recover his brick? Maybe just by decrypting the SLC using his OTP...

PS: I'm not a programmer, so if there is any difference in that assembly code I can't see it Dx

Leeful (GBAtemp Member, OP, Developer, joined Sep 4, 2015, United Kingdom):
I made most of the needed changes to WiiQt. I got nandBinCheck -spare to work with WiiU nand, so now it should be able to check if a dump is valid or not.
Fixing the wrong ECC/HMACs is trivial (aka making a full dump from a redNAND dump); I will do it tomorrow.

The source is here:
https://github.com/koolkdev/wiiuqt
Could you please upload a compiled version of nandBinCheck? I can't get Qt to compile correctly. Thanks.

EyeKey (Well-Known Member, joined Feb 10, 2017, Israel):
Could you please upload a compiled version of nandBinCheck? I can't get Qt to compile correctly. Thanks.
I didn't upload one yesterday because it was experimental and broken...

So I fixed many broken things, added some new things (like verifying the boot1 hash) and created the tool that I promised.
nandFixer - creating a full dump from a partial one:
https://github.com/koolkdev/wiiuqt/releases/latest

To fix a dump:
Code:
nandFixer.exe <input file> <output file>

I recommend verifying the new image with:
Code:
nandBinCheck.exe <input file> -all

Make sure to have otp.bin in the same directory as the dump.

I can't guarantee that I didn't miss something and that it will work, but I do hope so...

Leeful (GBAtemp Member, OP, Developer, joined Sep 4, 2015, United Kingdom):
I'm getting a 'Faild to load keys' error on both nandFixer and nandBinCheck.
Both the SLC.bin and otp.bin files work fine with the nand extractor.
[image: error.jpg]
 

EyeKey (Well-Known Member, joined Feb 10, 2017, Israel):
I'm getting a 'Faild to load keys' error on both nandFixer and nandBinCheck.
Both the SLC.bin and otp.bin files work fine with the nand extractor.
This time otp.bin needs to be in the directory of the dump. (Maybe I need to change nand extractor.)

EDIT: Oh, nvm. I see that it is the same directory, hmmm. I will check what is wrong.
2nd EDIT: OK, I know what the bug is. You can get it to work now by specifying ./SLC.bin instead of SLC.bin (and the same for the output file).

Leeful (GBAtemp Member, OP, Developer, joined Sep 4, 2015, United Kingdom):
I got it sort of working using an input and an output folder: nandFixer.exe input/SLC.bin output/SLC-FIXED.bin, with the otp.bin in the output folder.

It inserts the 64 bytes every page, but the ECC data is all FFs.

Just saw your edit. Same thing using ./

I tested it with a vWii dump and that seems to have worked.
Code:
S:\nand_fixer>nandBinCheck ./SLCCMPT-FIXED.bin -all
** nandBinCheck : Wii nand info tool **
from giantpune
built: Mar 24 2017 01:09:00
checking boot1...
Boot1 check failed!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 0 ()
free 5bd6
verifying ecc...
0 out of 592512 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 269 files
0 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

EyeKey (Well-Known Member, joined Feb 10, 2017, Israel):
I got it sort of working using an input and an output folder: nandFixer.exe input/SLC.bin output/SLC-FIXED.bin, with the otp.bin in the output folder.

It inserts the 64 bytes every page, but the ECC data is all FFs.

OK, first of all I fixed that bug with finding the key and uploaded a fixed file.

Now, are you sure that all the ECC data is FF? It may be FF in unused pages.
Did it print any error? Did you run nandBinCheck on that?

EDIT: OK, it seems that something is broken. I am checking it.

Leeful (GBAtemp Member, OP, Developer, joined Sep 4, 2015, United Kingdom):
I ran nandBinCheck on it and it passed, but there are still a lot of FF areas, while in the original hardmod dump I did not notice any.
[image: compare-1.jpg]
Code:
S:\nand_fixer>nandBinCheck ./SLC-FIXED.bin -all
** nandBinCheck : Wii nand info tool **
   from giantpune
   built: Mar 24 2017 01:09:00
checking boot1...
Boot1 OK!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 7f (530f, 58a1, 58a2, 58a3, 58a4, 58a5, 58a6, 58a7, 5abb, 5abc, 5abd, 5abe, 5abf,
 60f2, 60f3, 60f4, 60f5, 60f6, 60f7, 61f0, 61f1, 61f2, 61f3, 61f4, 61f5, 61f6, 61f7, 61f8, 61f9,
 6504, 6505, 6506, 6507, 6528, 6529, 652a, 652b, 652c, 652d, 652e, 652f, 6530, 6531, 6532, 6533,
free            4936
verifying ecc...
0 out of 897664 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
 ()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 367 files
0 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

I don't want to try and write back to the WiiU yet because it takes 3 hours for a verified write.

--------------------- MERGED ---------------------------

Most of the ECC areas seem to be correct. I'm just worried about the parts where it has just inserted FF.
[image: compare-2.jpg]

EyeKey (Well-Known Member, joined Feb 10, 2017, Israel):
I ran nandBinCheck on it and it passed, but there are still a lot of FF areas, while in the original hardmod dump I did not notice any.
Most of the ECC areas seem to be correct. I'm just worried about the parts where it has just inserted FF.
Yes, you have a point. I didn't update the ECC on unused pages; it shouldn't really matter, but to be more precise and similar to the original dump, I changed it to calculate the ECC for all the initialized pages. You can redownload it (v0.1b).
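An added example, not from this thread and not EyeKey's nandFixer or WiiQt code, showing what the "full dump from a partial one" step above amounts to and why unused pages come out as FF: the per-512-byte Hamming-style ECC of the Wii NAND (the scheme nandBinCheck's "verifying ecc" pass checks, which the thread shows also validating Wii U SLC dumps) is computed over each 2048-byte page and placed at the end of a 64-byte spare appended after the page. Assumptions made here and not stated in the thread: the spare layout (bad-block byte at 0, ECC at 0x30..0x3F, everything else left 0xFF), the treatment of an all-0xFF page as erased with an all-0xFF spare, and the verify function's rule of skipping such pages; the HMAC bytes that nandFixer also regenerates are not produced by this example. The three-page dump is constructed inline.

```python
"""Added example (not from the thread, nandFixer or WiiQt): Wii-style NAND ECC
for SLC dumps. Turns a 2048-byte-per-page (redNAND) dump into a
2112-byte-per-page full dump and verifies the stored ECC of a full dump.
Assumed spare layout: byte 0 = bad-block marker (0xFF), 0x30..0x3F = ECC,
all other spare bytes left 0xFF (HMAC bytes are NOT regenerated here)."""
from __future__ import annotations

PAGE_SIZE = 0x800   # data bytes per NAND page
SPARE_SIZE = 0x40   # out-of-band bytes per page in a full dump
ECC_OFFSET = 0x30   # assumed: ECC sits in the last 16 bytes of the spare
CHUNK = 512         # ECC is computed per 512-byte chunk, 4 bytes each


def _parity(x: int) -> int:
    return bin(x & 0xFF).count("1") & 1


def calc_ecc_chunk(chunk: bytes) -> bytes:
    """4-byte Hamming-style ECC over one 512-byte chunk (Wii NAND scheme)."""
    assert len(chunk) == CHUNK
    a = [[0, 0] for _ in range(12)]
    # a[3+j][b]: XOR of all bytes whose address bit j equals b (line parity)
    for i, x in enumerate(chunk):
        for j in range(9):
            a[3 + j][(i >> j) & 1] ^= x
    # a[0..2]: column parity inside the byte, from the XOR of every byte
    x = a[3][0] ^ a[3][1]
    a[0] = [x & 0x55, x & 0xAA]
    a[1] = [x & 0x33, x & 0xCC]
    a[2] = [x & 0x0F, x & 0xF0]
    a0 = a1 = 0
    for j in range(12):
        a0 |= _parity(a[j][0]) << j
        a1 |= _parity(a[j][1]) << j
    return bytes([a0 & 0xFF, a0 >> 8, a1 & 0xFF, a1 >> 8])


def calc_ecc_page(page: bytes) -> bytes:
    """16-byte ECC for a 2048-byte page: four chunk ECCs concatenated."""
    assert len(page) == PAGE_SIZE
    return b"".join(calc_ecc_chunk(page[i:i + CHUNK])
                    for i in range(0, PAGE_SIZE, CHUNK))


def is_erased(page: bytes) -> bool:
    return page == b"\xff" * len(page)


def build_spare(page: bytes) -> bytes:
    """Spare area for one page. An erased (all 0xFF) page keeps an all-0xFF
    spare, as on the flash itself; every other page gets a computed ECC."""
    spare = bytearray(b"\xff" * SPARE_SIZE)
    if not is_erased(page):
        spare[ECC_OFFSET:ECC_OFFSET + 16] = calc_ecc_page(page)
    return bytes(spare)


def add_spare(raw: bytes) -> bytes:
    """redNAND-style dump (2048 B/page) -> full dump (2112 B/page)."""
    if len(raw) % PAGE_SIZE:
        raise ValueError("input is not a whole number of 2048-byte pages")
    out = bytearray()
    for off in range(0, len(raw), PAGE_SIZE):
        page = raw[off:off + PAGE_SIZE]
        out += page + build_spare(page)
    return bytes(out)


def verify_ecc(full: bytes) -> list[int]:
    """Page numbers whose stored ECC does not match the data, the way a
    nandBinCheck-style 'verifying ecc' pass would report them. Erased pages
    carrying an all-0xFF ECC are skipped (assumed rule, see lead-in)."""
    stride = PAGE_SIZE + SPARE_SIZE
    if len(full) % stride:
        raise ValueError("input is not a whole number of 2112-byte pages")
    bad = []
    for n in range(len(full) // stride):
        page = full[n * stride:n * stride + PAGE_SIZE]
        spare = full[n * stride + PAGE_SIZE:(n + 1) * stride]
        stored = spare[ECC_OFFSET:ECC_OFFSET + 16]
        if is_erased(page) and stored == b"\xff" * 16:
            continue
        if stored != calc_ecc_page(page):
            bad.append(n)
    return bad


def demo() -> tuple[int, list[int], list[int]]:
    """Constructed 3-page dump: patterned page, all-zero page, erased page."""
    raw = bytes(range(256)) * 8 + bytes(PAGE_SIZE) + b"\xff" * PAGE_SIZE
    full = add_spare(raw)
    clean = verify_ecc(full)
    # flip one data bit in page 1 without touching its spare
    broken = bytearray(full)
    broken[(PAGE_SIZE + SPARE_SIZE) + 100] ^= 0x01
    return len(full), clean, verify_ecc(bytes(broken))


if __name__ == "__main__":
    size, clean, broken = demo()
    print(f"full dump: {size} bytes, bad pages: {clean}, after bit flip: {broken}")
```

Two points this makes concrete. The ECC computed over an all-0xFF page is 00 00 00 00 per chunk, not FF, so a tool that blindly computes ECC for every page produces a spare that differs from what the flash holds for never-written pages; leaving those spares at FF (or, as EyeKey did, only computing ECC for initialized pages) is what keeps the rebuilt image close to a real hardmod dump. And a check like verify_ecc only catches data that disagrees with its own spare; it says nothing about the HMACs, which nandBinCheck's -all run checks separately.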
 
