Successfully dumped WiiU EMMC nand with hardmod.

Discussion in 'Wii U - Hacking & Backup Loaders' started by Leeful, Jan 13, 2017.

  1. Tommy084

    Tommy084 Advanced Member

    Newcomer
    82
    53
    Feb 24, 2013
    Norway
    Great looking man!!!
    My Wiiu is now daed after trying to write back to nand, even got a write without error...
     


  2. Leeful
    OP

    Leeful GBAtemp Regular

    Member
    120
    154
    Sep 4, 2015
    @Tommy084 Have you tried to write back the original 528 MB dump you got with the teensy?
    What lines did you delete from the nandway.py?
     
    Tommy084 likes this.
  3. DeadlyFoez

    DeadlyFoez Banned!

    Member
    5,364
    1,352
    Apr 12, 2009
    United States
    Willing to bet the teensy writing to the nand is the issue. I havent used a teensy in that way yet but something has told me to not trust it.
     
    Tommy084 likes this.
  4. Tommy084

    Tommy084 Advanced Member

    Newcomer
    82
    53
    Feb 24, 2013
    Norway
    Yes, and now its blinking with the blue LED even with the jumper atached.
    Lines: 386-395 :)

    Started on my 2. Wiiu now, this time is solder to nandpoints and dumping with dualnand edition ;)

    What els can we use? Have progskeet and pheonix to... but those are to hard to setup.
    After trying to write back many times, and i got the same error on one block, trying to write back the rednand slc gives many errors. My geuss is the programmer, it says writing 1000 blocks to nand, but it is 4096 blocks. That and it adds a 16mb to the dump "RAS" i think. Those are just my thoght, i cant understand half of this :P
     

    Attached Files:

    Last edited by Tommy084, Feb 11, 2017
  5. DeadlyFoez

    DeadlyFoez Banned!

    Member
    5,364
    1,352
    Apr 12, 2009
    United States
    I use an infectus. It's slow but I have never had a single issue with writing to any NAND chip. Once I can finally rip the wii u away from the family then I will try this all out, but that likely wont be for a while.

    I also have to say, I DO NOT trust those nand clips. I always program my NAND chips after I desolder them from the motherboard. Personally, this is what I use http://www.ebay.com/itm/IC-MCU-Prog...SOP-48-D48-Adapter-Socket-SA247-/331920578984
     
    Tommy084 and Virtualpoker like this.
  6. nexusmtz

    nexusmtz GBAtemp Maniac

    Member
    1,226
    418
    Feb 17, 2016
    United States
    1000 hex is 4096 decimal. If the program shows the number of blocks as it writes, you should be able to see the digits going 0-F instead of 0-9.
     
    Tommy084 likes this.
  7. pelago

    pelago Member

    Member
    963
    46
    Feb 20, 2006
    I know everyone's distracted by the Switch, but has anyone had any more luck reading or writing from the Wii U's NANDs in hardware?
     
    Last edited by pelago, Mar 3, 2017
  8. Haseo13

    Haseo13 Member

    Newcomer
    21
    1
    Mar 12, 2017
    Poland
    Hi are any body fix by this tut bricked wii u ? I try this on my wii u brick after install cbhc.Not boot up show error 160-0101.
     
    Last edited by Haseo13, Mar 12, 2017
  9. pelago

    pelago Member

    Member
    963
    46
    Feb 20, 2006
    Have you got a backup of your NANDs etc?
     
  10. Haseo13

    Haseo13 Member

    Newcomer
    21
    1
    Mar 12, 2017
    Poland
    Yes all
     
  11. Leeful
    OP

    Leeful GBAtemp Regular

    Member
    120
    154
    Sep 4, 2015
    I've had no luck restoring the SLC or SLCCMPT but the MLC backup works. The slc & slccmpt backups made by dimoks' sdio nand_manager do not work with the teensy hardmod they are a smaller size (missing 64 bytes after every page of 2048 bytes).

    If you do attempt the hardmod I would reccomend using the 'signal booster edition' set up because I did several dumps using the 'dual nand edition' and there were differences with almost all the dumps but when using the 'signal booster edition' every dump was identical.

    A possible way to recover a CBHC brick is to dump the SLC, decrypt the image with the key from the otp backup (details here), with a hex editor find the part with the <default_title_id> that CBHC changed to the DS game title id and change it back to the original title id, Re-encrypt the image and write it back to the wiiU.
    Decrypted-CBHC-vs-CLEAN.jpg

    If this is attempted I would make sure that you do several SLC dumps first and make sure that they are identical and then when you flash back the edited image make sure that you use the 'vwrite' command to verify that it wrote back correctly to the nand without any errors.
     
    Last edited by Leeful, Mar 13, 2017
    Valery0p likes this.
  12. pelago

    pelago Member

    Member
    963
    46
    Feb 20, 2006
    I wonder why the SLC dumps from the Teensy are a different size to the rednand/sdio_manager ones. The 64 bytes every 2048 bytes sounds a bit like a checksum for each page. If so, maybe the rednand/sdio_manager dumps could be processed into the extended format, if you know what type of checksum the Teensy is expecting to see. Paging @dimok in case this interests him too.
     
  13. Leeful
    OP

    Leeful GBAtemp Regular

    Member
    120
    154
    Sep 4, 2015
    Ive tried manually inserting the 64bytes in all 262144 pages using a macro and hex editor but I have not got any pattern to work. (I've probably gone about this the wrong way but I thought I'd give it a try)
    64byte.jpg
    The WiiU will not boot at all with any of the patterns I've tried. The blue light does not even come on. I've also tried the sdio manager backup as is but that did not work either.

    Unfortunatley I dont have a working hardmod dump of my SLC because I was stupid and did not make several dumps to start off with to compare so the only hardmod dumps I have are corrupt.

    I've compared the corrupt hardmod dump with the rednand backup and although the data is mostly the same I've noticed that some of the pages are in a completely different order so its not a simple process of cutting the correct redand pages and pasting them over the corrupt image. I've started to try and rebuild the corrupt image but as I have to do it page by page it will take way to long to do.

    I bought this WiiU especially to mess around with and take risks so it's no big loss but I would like to get it working again if possible.
     
    Tommy084 and pelago like this.
  14. pelago

    pelago Member

    Member
    963
    46
    Feb 20, 2006
    I know nothing about Teensys, but it seems to me that someone in the Teensy community, or in the docs, could explain what those extra 64 bytes are for.
     
  15. Leeful
    OP

    Leeful GBAtemp Regular

    Member
    120
    154
    Sep 4, 2015
    In the nandway.py it says RAS 'Redundent Area Size' also I think I read somewhere that it is the ECC area like you mentioned before.
     
    pelago and Tommy084 like this.
  16. Haseo13

    Haseo13 Member

    Newcomer
    21
    1
    Mar 12, 2017
    Poland
    ok try it
     
  17. pelago

    pelago Member

    Member
    963
    46
    Feb 20, 2006
    I've been reading up on this, and it's definitely ECC. You'll need to work out, or find out, the algorithm, which I think can vary. Without writing it correctly, the system will think all the pages are invalid, so it won't boot.
     
    Tommy084 likes this.
  18. Valery0p

    Valery0p GBAtemp Regular

    Member
    182
    70
    Jan 16, 2017
    Italy
  19. Haseo13

    Haseo13 Member

    Newcomer
    21
    1
    Mar 12, 2017
    Poland
    But not understand one think make copy of nand , from rednand by sdio. Make hardmod fake sd card write mlc.img Wii U still show some error 160-0101.Them write slc.img some. Are backup from sdio are corrupted ?
    I made many xbox 360 with RGH, JTAG , PS3 SLIM CFW with 3.55 downgrade and unbrick it.Here it's harder any reovery menu , factory mode nothing..
    Are any body ever fix bricke Wii U with any backup of nand ? No rewire nand to working fix brick make but any think ?
    I'm great with solinding , fixing , mod device ... but not in programming .. We need here recovery menu like Hourglass9 on 3ds> I know it take years to make it work correct but this will help ..
     
  20. pelago

    pelago Member

    Member
    963
    46
    Feb 20, 2006
    What is the SLC chip in the Wii U, or is there more than one of them? I'm guessing the chip datasheets will tell you the ECC algorithm in use.

    It seems to me that ECC injection is probably already a "solved" problem in the NAND hacking/Teensy world.