Hacking [RELEASE] Wii U NAND Tools

Pachee

Pachee

Well-Known Member
Member
Level 5
Joined
Nov 3, 2015
Messages
480
Trophies
0
XP
562
Country
United States
Or a random, unknown hero could always leak the method used by Nintendo to boot bricked Wii Us to look for hacks before actually fixing them.
 
QuarkTheAwesome

QuarkTheAwesome

🦊
Member
Level 13
Joined
Apr 19, 2015
Messages
1,023
Trophies
1
Location
Stuck in the PowerPC
Website
heyquark.com
XP
3,908
Country
Australia
Pachee said:
Or a random, unknown hero could always leak the method used by Nintendo to boot bricked Wii Us to look for hacks before actually fixing them.
Click to expand...
MCP Recovery. There's a check in boot0 which enables loading of boot1 from the SD card. It checks the RTC to see if the "UNSTBL_PWR" flag is set, and if it is, boot1 is loaded from the SD rather than the NAND. It's still sigchecked and sizechecked, however; so there's no real benefit to us. Nintendo can sign their own boot1 images so they can pass the sigcheck without a problem, but we don't get such luck, meaning that if we did figure out how to set that flag we would still be stuck with a stock boot1, just on the SD this time.
As for setting that flag, we know that it's not power+eject, dammit and that it's most likely something to do with either the CMOS battery or a component nearby. I tried to trigger it (and failed); iirc Hexkyz was also giving it a go but I don't think anyone's heard from him in a while.
The thing is that this does literally nothing for us that a hardmod can't do already. It might become useful if Nintendo's private keys leak or something, but as it is now there's not much point.
 
  • Like
Reactions: pelago, GraFfiX420 and aut0mat3d
Pachee

Pachee

Well-Known Member
Member
Level 5
Joined
Nov 3, 2015
Messages
480
Trophies
0
XP
562
Country
United States
QuarkTheAwesome said:
MCP Recovery. There's a check in boot0 which enables loading of boot1 from the SD card. It checks the RTC to see if the "UNSTBL_PWR" flag is set, and if it is, boot1 is loaded from the SD rather than the NAND. It's still sigchecked and sizechecked, however; so there's no real benefit to us. Nintendo can sign their own boot1 images so they can pass the sigcheck without a problem, but we don't get such luck, meaning that if we did figure out how to set that flag we would still be stuck with a stock boot1, just on the SD this time.
As for setting that flag, we know that it's not power+eject, dammit and that it's most likely something to do with either the CMOS battery or a component nearby. I tried to trigger it (and failed); iirc Hexkyz was also giving it a go but I don't think anyone's heard from him in a while.
The thing is that this does literally nothing for us that a hardmod can't do already. It might become useful if Nintendo's private keys leak or something, but as it is now there's not much point.
Click to expand...
But for Wii Us without a OTP dump to decrypt nand, the recovery method + boot1 exploit would be enough to fix a Wii U. That is, unless a full leak happens....
 
Last edited by Pachee,
eteles

eteles

Well-Known Member
Newcomer
Level 2
Joined
Jun 3, 2009
Messages
45
Trophies
0
XP
199
Country
Brazil
Thanks guys for all the answers... Already bought another working unit, so will keep the faulty one around just in case someone awesome discovers a way to revive my bricked Wii U...

Will dump the dam OTP keys from the new unit as soon as possible...

What's killing me is the fact that updating CBHC as I did should not result in a brick... Everything was in place, legit brain age on system memory, working haxchi... What could possibly have gone wrong?

As the scene is growing incredibly fast, I hope something comes up for helping bricked users without OTP dump.
 
Reecey

Reecey

Mario 64 (favorite game of all time)
Member
Level 14
Joined
Mar 7, 2010
Messages
5,864
Trophies
2
Location
At Home :)
XP
4,449
Country
What I was wandering how does the nandfixer work? so if you have your nand fully backed up with the nandextractor thread from the homebrew section, everything say, otp the lot on your sd card! So how does it work for example> say if you get a cbhc wiiu fully bricked down the line sometime, do you just leave the corrected fixed nand from "nandfixer" on your sd card and boot your bricked wiiu up and it will work magically or something?. I'm not really sure how it fixes a fully bricked wiiu from cbhc even with your nand fully backed up on your sd card? because surely if your wiiu is bricked with an error on boot up then how can it be fixed with the tools to get it working again? do you need to use wupserver with this to upload the new fixed nand.. I'm lost on how these tools can fix it! someone please explain to me cause I must be being very stupid here and tbh without fully accessing your main menu anyway I cannot see how it would fully fix a bricked wiiu from cbhc. Or do the applications work on an ip address basis to your wiiu and upload the new fixed nand? sorry if I am being a bit daft about this.

Edit: I see so basically you need hardmod tools to restore the image back to your wiiu. Great, so as long as you can make yourself a hardmod tool up for your wiiu, your ok but if you can't your out of luck! ;) I can see people popping up now doing wiiu hardmod services, its a good idea might take a look at it myself.
 
Last edited by Reecey,
A

aut0mat3d

Well-Known Member
Member
Level 5
Joined
Mar 15, 2017
Messages
212
Trophies
0
XP
568
Country
Australia
The Fixing is done by correcting system.xml which is parsed due the boot process to not load the custom title which had cbhc inside.
The corrected dump has to be flashed with a hardware flasher afterwards to resurrect the WiiU (Teensy 2.0 ++ for example)
If you want to get some Background of Hardware dumping/flashing, take a look: https://gbatemp.net/threads/successfully-dumped-wiiu-emmc-nand-with-hardmod.457165
(at the Start the author dumped emmc, afterwards the discussion/progress went into hardware flashing slc
 
D

Deleted User

Guest
QuarkTheAwesome said:
MCP Recovery. There's a check in boot0 which enables loading of boot1 from the SD card. It checks the RTC to see if the "UNSTBL_PWR" flag is set, and if it is, boot1 is loaded from the SD rather than the NAND. It's still sigchecked and sizechecked, however; so there's no real benefit to us. Nintendo can sign their own boot1 images so they can pass the sigcheck without a problem, but we don't get such luck, meaning that if we did figure out how to set that flag we would still be stuck with a stock boot1, just on the SD this time.
As for setting that flag, we know that it's not power+eject, dammit and that it's most likely something to do with either the CMOS battery or a component nearby. I tried to trigger it (and failed); iirc Hexkyz was also giving it a go but I don't think anyone's heard from him in a while.
The thing is that this does literally nothing for us that a hardmod can't do already. It might become useful if Nintendo's private keys leak or something, but as it is now there's not much point.
Click to expand...
Dumping and modifying boot1 part of Wii U's memory wouldn't work because it needs to be signed?
Oh right, to even do that, we need MLC manager tool, right?
 
A

aut0mat3d

Well-Known Member
Member
Level 5
Joined
Mar 15, 2017
Messages
212
Trophies
0
XP
568
Country
Australia
Yes, so it is. For a total Hack we need a hacked boot 0 or nintendos keys to sign boot 1.
Probably sometime i the Future some Factory tools will leak which will allow a restore too.....
 
C

Carlos_DobleC

Well-Known Member
Member
Level 8
Joined
Sep 22, 2016
Messages
237
Trophies
0
Age
27
XP
1,340
Country
Spain
EyeKey said:
nandCbhcRemover - Fixing CBHC bricks:
Note: Backup your nand and verify it with nandBinCheck before using this tool!
This tool restore the backed up system.xml. Can be used to fix CBHC brick.
Usage: nandCbhcRemover.exe <full slc dump>
It is recommended to verify the updated dump with nandBinCheck.exe <output dump> -all

Thanks to @Leeful that verified that both nandFixer and nandCbhcRemover can be used for unbricking!

If you want to follow the efforts to unbrick Wii U, and for more info about Wii U hardmod, visit this thread.
Click to expand...


If I get a dump from the nand of my bricked CBHC Wii U (http://gbatemp.net/threads/bricked-wiiu.463210/) can I fix it with this program?
 
temper999

temper999

Well-Known Member
Member
Level 4
Joined
Sep 22, 2015
Messages
327
Trophies
0
XP
520
Country
Gambia, The
Is this a normal message while checking slc:
verifying hmac...
verifying hmac for 371 files
hmac bad (1)
"scfm.img" is 8004000 bytes ( 2001 ) clusters
...
bad HMAC for "/scfm.img"
1 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data
Click to expand...
I receive the same for slccmpt.

Both where dumped with the new dumper by koolkdev.
 
Last edited by temper999,
GraFfiX420

GraFfiX420

Well-Known Member
Member
Level 9
Joined
Oct 14, 2009
Messages
465
Trophies
1
XP
1,593
Country
United States
This may be a stupid question, but where are you guys getting the fw.img to manually compile the NAND dumper? I was looking at grabbing it from NUS, but I'm not sure what program to use they all seem to be old, and I'm not sure if the update from nintendo is exactly what I need.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hardware Tutorial  MLC2SD - A Wii U NAND (eMMC) Replacement Interposer

A really, REALLY old browser exploit (for 5.3.2)?

Gaming  Online services for the 3DS and Wii U have been shutdown. Here is how to get back online!

Wii U after try to change region has no video signal, and no game pad synced

Hacking Hardware  Wii U No Display (Logs dumped)

Simpson's Hit & Run Wiiu

Homebrew  Huevo's Vault | Wii U Themes

Watch videos on Wii U, offline, saved on SD?

General chit-chat
Help Users
    Veho @ Veho: https://i.imgur.com/kTzpzBF.mp4