Hacking [RELEASE] Wii U NAND Tools

EyeKey

@EyeKey I've just tested nandCbhcRemover.exe by writing just the 3 blocks that were changed to the nand and it worked.
The WiiU booted the standard home menu without sigpatches. CBHC boot was removed successfully!

Could you get nandCbhcRemover.exe to display the hex offsets of the changed blocks so that people could write just those blocks to the nand? It would save people a lot of time.
It only takes about 5 seconds to write 3 blocks vs 3 hours for a full nand write.
Thank you for confirming that it works!
And you have a good point, I will do something like that. Do you define a block as 0x840 bytes, or as a cluster of 0x4200 bytes?


And for all of you who are asking about the extension, it doesn't matter. Just specify the path of the file, the tools don't really care about the extension.


Hi @EyeKey
Finally I could use nandFixer, I renamed the img to bin and done.
But it only "works" with slccmpt, with slc it says that it couldn't open input nand, and you said that mlc won't work too.
Question 1: Does this indicate that slc is fixed? [I think not, because I tried it with the fixed slccmpt and it says: Invalid input NAND size (should be dump without ECC)]

Question 2: What do you mean by making a redNAND dump flashable? Can we copy it to a non-formatted SD, or can we use a friend's dump?
Bye and thank you so much!

The size of your slc dump is wrong, it should be 536,870,912 bytes.
And flashable means that you can flash it with a hardmod (to fix a brick, for example).

victormr21

Yeah, I checked it, and then I could use it with the program. The previous version had the same size that you said, now the slc and slccmpt have 553,648,128 bytes. With this I understand that MLC is fixed without modifications, no?
And if I try to flash the old files, it won't work?
I thought that the Fixer was to add missing files (e.g. in slccmpt there are some empty folders), but I checked them and they have the same files, only the size changes.
Bye!
 

Leeful

Do you define a block as 0x840 bytes, or as a cluster of 0x4200 bytes?
No I would call the size 0x840 as a page, and 0x21000 as a block. (64 pages per block, 4096 blocks in a nand)
For a full nand write the teensy writes 1000 blocks (1000 being 'hex' so 4096 'decimal' blocks)

Basically in my nand the first page that had changed data was in page offset F8E2C00.
The start offset of the block which that page is in is F8CA000. That is the 1930th block in the nand, so in hex it is 78A.
So the command for the teensy to write that 1 block is:
python NANDway.py COM6 0 vwrite SLC-With-CBHC-REMOVED.bin 78A 1

The second change was at offset 200CA000 which is the first page in the 3978th block of the nand (3978 in hex is F8A) so:
python NANDway.py COM6 0 vwrite SLC-With-CBHC-REMOVED.bin F8A 1

The third change was in the 3979th block of the nand (3979 in hex is F8B) so:
python NANDway.py COM6 0 vwrite SLC-With-CBHC-REMOVED.bin F8B 1

I hope I've explained it well enough. I started to confuse myself there:)

In the end the procedure for the end user to fix a CBHC brick would be:

1. Dump the SLC nand with the teensy.
2. Verify the dump with nandBinCheck.exe
3. Remove CBHC from the dump with nandCbhcRemover.exe and Verify with nandBinCheck.exe again.
4. Write back only the changed blocks that nandCbhcRemover.exe displays with the teensy.

Could you make nandCbhcRemover.exe have a separate input and output file like nandFixer.exe does, or maybe just make nandCbhcRemover automatically create a new file called SLC-CBHC-FIXED.bin or something like that?

Cyan

Thank you for working on all these tools and helping users fix their console :)

Writing just the changed block is a good idea, it will be faster than writing the full nand back to the console.
maybe generating a file and a script at the same time to automate this could be done too (using the SLC-CBHC-FIXED.bin file mentioned above, but with a python script generated at the same time, knowing where to write blocks to)
generating it will prevent user's fault in typing these addresses manually, and the bin could have more than one non-contiguous block.

Kafluke

@EyeKey and others. Thank you times a million! Game changer.

Please let me know when you feel this is "noob" ready.

I want to get a backup section in my guide as early in the post as possible.

Cyan

not that "noob", as it still requires a hardware mod and teensy.
but at least, tools and data are now available for anyone with necessary hardware.

there will probably be users fixing consoles for other users, like DeadlyFoez did in wii era.
 

EyeKey

No it requires the OTP (in case of CBHC brick)

I think that the best option is to make a python script that wraps NANDway, compares two dumps and writes only the differences. It will be more generic.
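
The dump comparison suggested above, combined with Leeful's offset-to-block arithmetic, as an added example (not part of the original posts or of the NAND tools). It only builds the NANDway command lines in the form quoted in the thread; the function names and the small sample dumps are constructed here.

```python
import io

# Geometry of a with-spare SLC dump, as given in the thread.
PAGE_SIZE = 0x840                          # 2048 data bytes + 64 spare bytes
PAGES_PER_BLOCK = 64
BLOCK_SIZE = PAGE_SIZE * PAGES_PER_BLOCK   # 0x21000
BLOCKS_PER_NAND = 4096                     # 4096 * 0x21000 = 553,648,128 bytes


def offset_to_block(offset):
    """Map a byte offset in the dump to (block index, page index inside that block)."""
    block, rest = divmod(offset, BLOCK_SIZE)
    return block, rest // PAGE_SIZE


def changed_blocks(original, patched):
    """Return the indices of blocks that differ between two open binary dumps."""
    changed, index = [], 0
    while True:
        a, b = original.read(BLOCK_SIZE), patched.read(BLOCK_SIZE)
        if not a and not b:
            return changed
        if len(a) != BLOCK_SIZE or len(b) != BLOCK_SIZE:
            raise ValueError("dumps differ in size or are not a whole number of blocks")
        if a != b:
            changed.append(index)
        index += 1


def nandway_commands(blocks, image, port="COM6"):
    """Build one single-block vwrite line per changed block (strings only, nothing is run)."""
    return [f"python NANDway.py {port} 0 vwrite {image} {b:X} 1" for b in blocks]


def demo():
    """Constructed 4-block sample: patch one byte in block 1 and one in block 3."""
    before = bytearray(b"\xff" * (4 * BLOCK_SIZE))
    after = bytearray(before)
    after[1 * BLOCK_SIZE + 5 * PAGE_SIZE] = 0x00
    after[3 * BLOCK_SIZE + 10] = 0x00
    blocks = changed_blocks(io.BytesIO(before), io.BytesIO(after))
    return nandway_commands(blocks, "SLC-CBHC-FIXED.bin")


if __name__ == "__main__":
    print(offset_to_block(0xF8E2C00))   # Leeful's first changed page
    for line in demo():
        print(line)
```

Generating the lines from the comparison avoids typing the hex block numbers by hand, and the size check rejects a dump without spare data being compared against one with it.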
 

EyeKey

For those of you who are interested in a full NAND dump without a hardmod, I modified iosuhax redNAND with a hack to dump the FULL slc and slccmpt, including the spare and ECC data, to the SD.
https://github.com/koolkdev/iosuhax/

Right now you will have to compile fw.img. But I am going to wrap it nicely in a homebrew soon.
It will dump it to slc.bin and slccmpt.bin on the root of the SD. (But I do recommend backing up your SD before running it, in case my code corrupts your SD.)



And one interesting point is that when I ran nandBinCheck on the dumps everything was perfect except for scfm.img (a 128MB cache file), which gave HMAC errors. It doesn't have HMACs, just zeros.
Well, based on the nature of this file (a cache file), that makes sense.
 

GraFfiX420

Wow, this is awesome, I wasn't even sure it was possible to dump the ecc data, you're the man/woman!
 

Valery0p

Is it real ECC dumping, or do you calculate them on the fly?
If yes, well done! =D
 

Leeful

@EyeKey How long will it take to dump using the homebrew version?

I thought I'd test out the iosuhax fw.img version but it's been running for just over 1 hour and it's only at SLC 03800 / 40000. Is it safe to abort by holding the power button or should I just let it run?

I'm not complaining btw. We're all grateful for all the work you are doing.:)

EyeKey

Hmmm, it was faster for me. And it is the same code for the homebrew. It is pretty much safe to abort it (I don't think that it will corrupt the FAT32 too much).
It is probably slow because of the FAT library, I will try to tweak some optimization options that it has.

nexusmtz

Wasn't your release before you set the buffer above 1? (github thought so, unless I'm reading it wrong)
 

EyeKey

The homebrew version is working faster than the fw.img one. 05600 / 40000 after 30 mins.

Oh, I misread it before as 38000/40000 after an hour.
Wow, that is EXTREMELY slow. It took me maybe 4 minutes to get to 6000...
Can you try this release and see if it is better? What is the size of your SD?

EDIT: I think that it depends on the SD card. Now I used a bigger SD card, with a 64KB allocation unit, and it took me 3 minutes to dump slc.bin...
 

Attachments

  • nanddumper.zip
    38.3 KB · Views: 187