Hacking Successfully dumped WiiU EMMC nand with hardmod.

[Brenex]

Leeful, where are you attaching the 3v pin? I don't see it connected in your pictures

 

[Tommy084]

Leeful, where are you attaching the 3v pin? I don't see it connected in your pictures

You dont need, sens the wiiu is powered. But be sure to ground it, like in Leeful's pic

 

[aut0mat3d]

Not leeful, but i brobably can help: Tp 128 if i remember right, please do measurement before you solder.

 

[Brenex]

Vcc is connected to TP 163 and also the large ground pad he has his GND connected to in his pictures. I don't see his 3.3v pin connected to the wii u though. My understanding is that the teensy and usb can power the NAND without having to hook up the wii u to it's own power cable

 

[Leeful]

Leeful, where are you attaching the 3v pin? I don't see it connected in your pictures

The 3v pin is not connected to the WiiU at all. I just had the WiiU powered on.

I did try to connect the VCC and power the chip with just the teensy USB but I could not get it to work that way.
If I remember correctly, this point in the pic was directly connected to the VCC pin on the chip but my WiiU is not open at the moment so if your going to try it out make sure to check it first!


When I checked the continuity on the test points that were mentioned in some of the old threads (cant remember which ones) I found that they were actually connected to ground and not VCC. If you could confirm where the actual 3v is on the motherboard that would be great. I don't want to open up my console again.

 

[Brenex]

I just checked and yes, R210 is conencted to Vcc. So, did you power the NAND using the Wii U's normal power cable since you couldn't get the teensy to power it?

 

[Leeful]

I just checked and yes, R120 is conencted to Vcc. So, did you power the NAND using the Wii U's normal power cable since you couldn't get the teensy to power it?

yes. connect the teensy to the WiiU and the PC, then press the power button on the WiiU, then run the INFO command to check that the chip is detected by the teensy.

UPDATE:
Connect the teensy to the WiiU.
Press power button on the WiiU.
Then connect the teensy to the PC and run the INFO command.

 

[Brenex]

oh interesting. I thought that teensy would be able to power the NAND through the 3.3v channel on the teensy board. In that case, I guess the 3.3v teensy mod isn't really necessary then? I have already done it anways, just saying.

*EDIT* Just found this on the NANDway page:

• Vcc: Teensy 3.3V regulator cannot power the NANDs on the PS3. The drain of the motherboard summed by the other peripherals draw too much current (~1.8A). The NANDs can be powered from external 3.3V power supply like ATX power supply (the orange 3.3V line of the ATX main connector).

I imagine that the same thing is happening if you couldn't get it to work. The motherboard is leeching the 3.3v from the teensy when trying to only use the teensy to power the NAND. I guess it doesn't matter if you remove the NAND and put it into an adapter but I'm not going to be doing it that way. I will just do it your way with the Wii U power supply powering the NAND

 

[Leeful]

oh interesting. I thought that teensy would be able to power the NAND through the 3.3v channel on the teensy board. In that case, I guess the 3.3v teensy mod isn't really necessary then? I have already done it anways, just saying.

Not sure on this. I know the TSOP chip runs at 3.3v so I thought that the teensy also needed to be running at 3.3v. Even if it is not powering the chip itself. Better to be safe than sorry. Anyone else any info/thoughts on this?

I also tried to power the chip using an old PC ATX poer suppy but I could not get the teensy to recognise the chip. Everything shared the same ground and the 3.3v was correct but I just could not get it to work. mabe the wrong VCC connection point on the wiiU motherboard?

--------------------- MERGED ---------------------------

Sorry, I got the procedure wrong for booting the WiiU with the teensy. It should be:
Connect the teensy to the WiiU.
Press power button on the WiiU.
Then connect the teensy to the PC and run the INFO command.

 

[LuigiXL]

Removed

 

[Brenex]

Not sure on this. I know the TSOP chip runs at 3.3v so I thought that the teensy also needed to be running at 3.3v. Even if it is not powering the chip itself. Better to be safe than sorry. Anyone else any info/thoughts on this?

I also tried to power the chip using an old PC ATX poer suppy but I could not get the teensy to recognise the chip. Everything shared the same ground and the 3.3v was correct but I just could not get it to work. mabe the wrong VCC connection point on the wiiU motherboard?

--------------------- MERGED ---------------------------

Sorry, I got the procedure wrong for booting the WiiU with the teensy. It should be:
Connect the teensy to the WiiU.
Press power button on the WiiU.
Then connect the teensy to the PC and run the INFO command.

The connection you showed me above is direct to the Vcc so if that's the one you used (R210) it goes directly to Vcc. I will try your method above to power it up tomorrow and see if I can get the NANDway info command to read the NAND.

Dumping now

 

[Brenex]

Great to see you have made some progress with this. I'm gonna have to try it. I've been putting off doing the soldering for too long now.

On another note I've been trying to decrypt the nand dumps and this is what I've found that works.:

To decrypt the image:
openssl aes-128-cbc -d -nopad -K YOUR_KEY_FROM_OPT -iv 00000000000000000000000000000000 -in Input.img -out Decrypted.img

To re-encrypt the image:
openssl enc -e -aes-128-cbc -nopad -K YOUR_KEY_FROM_OPT -iv 00000000000000000000000000000000 -in Decrypted.img -out RE-Encrypted.img

View attachment 77826 View attachment 77827
To make it more easy to get the OTP keys I've attatched a python script to extract the need keys for each nand. Just run it in the same folder as your otp.bin

Although this might not help the current situation it may be useful to someone in the future.

I decrypted my NAND hard dump using the above method. I edited the file to fix the incorrect default_title_id in HxDen. I then took that and reencrypted it using the openssl enc command. The bin it creates is not recognized by nandBinCheck unfortunately

 

[Brenex]

Oh well, it didn't work. After writing back a rednand SLC bin after having run it through nandBinFix and BinCheck using vwrite with no issues, now my Wii U just boots up to the Wii U screen and stays there permanently. No more error message. I only flashed back the SLC.

 

[Xyphoseos]

It's possible now to restore the TSOP nand by hardmode ?

 

[Kafluke]

My Teensy 2.0 ++ that I ordered doesn't match up to the pics that @Leeful posted a few pages back. I had an extra Wii U and a full nand dump so I wanted to figure out the unbrick process. I have no idea where to solder the cables to the board. For example, on the teensy that I have there are no points that start with "A".

Solder points posted by Leeful:

Spoiler

I already ordered the mcp1825_sot223 to solder to my teensy 2.0++ but the rest of the points don't match up. Here's what I have:

Spoiler

 

[Leeful]

That looks like a Teensy 2.0 and not a Teensy++ 2.0.
https://www.pjrc.com/teensy/

 

[Kafluke]

Crap I guess I ordered the wrong one. Any chance I could use this?

 

[aut0mat3d]

No, not really. It seems you have to use the "Signal Booster Edition" of the Teensy-Software, so you have to use a ++ 2.0

 

[Kafluke]

@Tommy084 Great to see someone else can confirm the eMMC dumping works. Could you let me know the make and model of the SD Card reader you used so that I can add it to the 'Working card readers list' in the OP. cheers.

When did you make your Rednand? Before or after you installed CBHC?

If it was before you installed CBHC writing back just the eMMC (MLC.img) backup from the rednand wont help because the modified VC game CBHC uses will not be on there.

On the other hand if the rednand backup was created after you installed CBHC it might work if it was only the modified VC game that caused the brick.

If the modified system.xml is the cause of the brick, writing back just the eMMC wont help because system.xml is on the TSOP nand and that needs to be dumped with a teensy.

Thats why the best bet to recover from a brick is to restore both the eMMC and the TSOP nands.

I still have not got around to soldering up the TSOP yet but if you want to try it out before me here are some pics I made that I was gonna post when I did it:
View attachment 77322 View attachment 77323 View attachment 77324 View attachment 77325

I'm not sure if the 3.3v needs to be connected to the WiiU at all yet(or where to put it. some say TP163 is the 3.3v supply to the nand but here Crediar says that is not 3.3v).
I was going to just power up the wiiU with the eMMC clock jumper disconnected so that it is in the same state that allows the eMMC to be dumped.
If that does not work the TSOP will have to be powered with the WiiU switched off with its own 3.3v power supply from either the Teensy (might not be enough) or from another power suppy.

On the Teensy side the Teensy needs to be converted to 3.3v and you will need NANDway.py here and you would program your teensy with the NANDway_DualNANDEdition.hex.

I wish I could try it myself but still I'm waiting for a new magnifying lamp to do the soldering.

UPDATE: DO NOT USE THE DUAL NAND EDITION SETUP AS MENTIONED ABOVE, INSTEAD USE THE SIGNAL BOOSTER EDITION SETUP AS I COULD NOT GET CONSISTANT DUMPS USING DUAL NAND EDITION !!!
View attachment 81467

Where do these diagrams come from? I have a shitty soldering iron and lifted two solder points from the board. Are there any alternative solder points?

 

[Leeful]

Where do these diagrams come from? I have a shitty soldering iron and lifted two solder points from the board. Are there any alternative solder points?

They were my own images. Which points did you loose from the board?