Successfully dumped WiiU EMMC nand with hardmod.

Discussion in 'Wii U - Hacking & Backup Loaders' started by Leeful, Jan 13, 2017.

Jan 13, 2017
  1. Leeful
    OP

    Newcomer Leeful Advanced Member

    Joined:
    Sep 4, 2015
    Messages:
    85
    Country:
    United Kingdom
    The SLC chip in the WiiU is either Samsung K9K8G08U1D or Hynix H27U8G8G5DTR. Mine has the Hynix one.
     
    pelago likes this.


  2. pelago

    Member pelago Member

    Joined:
    Feb 20, 2006
    Messages:
    952
    Country:
    United Kingdom
    Thanks. I see the datasheet for Samsung K9K8G08U1D at http://wiiubrew.org/wiki/File:K9k8g08u1d.pdf . Haven't found the Hynix one yet. I'm finding a number of web hits for it, but when downloading they are for H27U4G8 etc. not U8G8. Don't know how important the distinction is. They may have the same ECC scheme.
     
    Last edited by pelago, Mar 14, 2017
  3. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    Hi there!
    I am the new one - registered an account to share my thoughts.

    I am at the same point with my bricked Wii U (not booting due to a format with activated coldboothax).
    I do have the equivalent dumps from rednand:
    • slc
    • slccmtp
    • opt
    • mlc
    • eeprom
    Yesterday I managed to dump slc and slccmtp with a Teensy 2.0++ and NANDway (had to desolder the chip as there was no reading with the chip on board - had this on PS3 Phat sometimes too).
    Found the current research here and I am impressed - thanks for that.
    Seems that rednand gives us an (atm) non-restorable full backup ;) - I was blue-eyed and thought I did not have to care as I do have a dump *bummer*

    Unfortunately, when decrypting the dump I only got crap (dump ran without problems, flash was correctly identified, ...).
    When I decrypt the slc.img from rednand all looks fine (searched for the text "default_" in Hexed) - also checked if I dumped the correct flash area (decrypted the vWii dump with the slc key to probe).
    Can anyone confirm that a dump with Teensy should/would work indeed?

    For the ECC calculation:
    (Sorry, I am not a coder, I want to share what I found during my research.)
    Perhaps the first attempt could be ECC calculation on a working console? - there should be a function accessible in the OS which could be used to parse a rednand dump.
    wiiubrew mentions ECC as "not tested": http://wiiubrew.org/wiki/Hardware/NAND_Interface
    Also there should be functions on the Wii (which seems to use the same ECC calculation, I guess) - see https://github.com/crowell/gbadev/blob/master/armboot/nand.c


    Perhaps one of the coders could provide a backup tool to dump the whole NAND incl. ECC to have complete backups in the future - already done on Wii, see http://wiibrew.org/wiki/Wiinandfuse

    On the PC side I found no specific tools for Wii U, only some info about Hamming code and Reed-Solomon:
    https://hackerfall.com/story/nand-flash-dealing-with-a-flawed-medium
    https://pypi.python.org/pypi/unireedsolomon

    I guess the ECC on the Wii U side is provided by hardware (ARM), so there would be only trial and error to achieve the right chunk/block sizes and algorithms :(
    Also there would be no custom boot1 without a "parachute" on sysrom

    My next step is to flash the mlc dump and cross fingers that the console would boot, but I think the ticket for the content on the mlc is missing in flas
     
    Leeful and pelago like this.
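Since the post above asks what "ECC calculation" on a raw dump would look like, here is an added example (not code from the thread, from NANDway, or from the linked nand.c): a Python port, written from memory, of the Hamming-style scheme the Wii homebrew nand.c (mini/bootmii) is understood to use, which is 4 ECC bytes per 512-byte data chunk, made of a "line" parity half and a "column" parity half. The byte order of the two halves and the exact masks are assumptions to be checked against the linked source; whether the Wii U SLC uses this scheme at all is exactly the open question in the thread, so a dump whose spare-area ECC does not match this function is not necessarily corrupt.

```python
# Added example, not code from the thread. A from-memory Python port of the
# Hamming-style scheme the Wii homebrew nand.c (mini/bootmii) is understood
# to use: 4 ECC bytes per 512-byte data chunk. Treat the layout (little-endian
# 'even' half then 'odd' half) as an assumption and check it against the
# linked nand.c; whether the Wii U SLC uses the same scheme is not known here.


def _parity(x: int) -> int:
    """Return 1 if x has an odd number of set bits, else 0."""
    return bin(x).count("1") & 1


def calc_ecc(chunk: bytes) -> bytes:
    """Compute the 4-byte line/column parity ECC for one 512-byte chunk."""
    if len(chunk) != 512:
        raise ValueError("ECC is computed over 512-byte chunks")
    # a[3+j][k] accumulates the XOR of all bytes whose address bit j equals k
    # (line parities); a[0..2] hold the column parities derived below.
    a = [[0, 0] for _ in range(12)]
    for i, x in enumerate(chunk):
        for j in range(9):
            a[3 + j][(i >> j) & 1] ^= x
    x = a[3][0] ^ a[3][1]  # XOR of every byte in the chunk
    a[0][0], a[0][1] = x & 0x55, x & 0xAA
    a[1][0], a[1][1] = x & 0x33, x & 0xCC
    a[2][0], a[2][1] = x & 0x0F, x & 0xF0
    even = odd = 0
    for j in range(12):
        even |= _parity(a[j][0]) << j
        odd |= _parity(a[j][1]) << j
    return bytes([even & 0xFF, even >> 8, odd & 0xFF, odd >> 8])


def correct_chunk(chunk: bytes, stored_ecc: bytes):
    """Verify a chunk against its stored ECC and repair a single-bit error.

    Returns (chunk, status): status is 'ok', 'corrected' (one data bit fixed),
    'ecc_bit_error' (the stored ECC itself has a flipped bit, data is fine) or
    'uncorrectable' (more errors than the scheme can locate).
    """
    syndrome = bytes(s ^ c for s, c in zip(stored_ecc, calc_ecc(chunk)))
    if not any(syndrome):
        return chunk, "ok"
    even = syndrome[0] | (syndrome[1] << 8)
    odd = syndrome[2] | (syndrome[3] << 8)
    as_int = int.from_bytes(syndrome, "little")
    if as_int & (as_int - 1) == 0:
        # exactly one syndrome bit set: the flip is in the stored ECC, not the data
        return chunk, "ecc_bit_error"
    # A single flipped data bit flips exactly one of the even/odd bits in every
    # position, so the two halves are complements; the odd half then spells
    # out the byte index (bits 3..11) and the bit number (bits 0..2).
    if (even ^ odd) != 0xFFF:
        return chunk, "uncorrectable"
    fixed = bytearray(chunk)
    fixed[odd >> 3] ^= 1 << (odd & 7)
    return bytes(fixed), "corrected"


def check_page(page: bytes, spare_eccs: list) -> list:
    """Run correct_chunk over each 512-byte chunk of a page; return statuses."""
    return [correct_chunk(page[o:o + 512], e)[1]
            for o, e in zip(range(0, len(page), 512), spare_eccs)]


if __name__ == "__main__":
    # Constructed sample data: one chunk, its ECC, then a single flipped bit.
    data = bytes(range(256)) * 2
    ecc = calc_ecc(data)
    damaged = bytearray(data)
    damaged[100] ^= 0x20
    repaired, status = correct_chunk(bytes(damaged), ecc)
    print(ecc.hex(), status, repaired == data)
```

To probe a dump, feed each 512-byte chunk of a page to calc_ecc and compare against the ECC bytes in that page's spare area: if every page of a known-good dump matches, the chunk size and layout are right; if nothing matches, try other chunk sizes or spare offsets before concluding the data is bad.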
  4. pelago

    Member pelago Member

    Joined:
    Feb 20, 2006
    Messages:
    952
    Country:
    United Kingdom
    @Leeful said that he had to use "signal booster edition" not "dual nand edition" as otherwise each time he dumped he got different data. Which did you use? Did you dump several times and compare to make sure you were getting a stable dump?
     
  5. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    I used the "signal booster edition" and used a TSOP adapter PCB to have no mess with components on the motherboard of the WiiU.
    Did only one dump, should do some more and compare - thanks for the hint, pelago.

    If I understood right, the keys are stored in OTP, so the encryption of the data should be done with the same key as the dump.
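The "dump several times and compare" advice from the two posts above, as an added example that is not part of the thread or of NANDway: it reports which pages differ between reads of the same chip and, with three or more reads, builds a per-byte majority-vote image and flags bytes where no value wins. The page size is a parameter and the sample data is constructed; set page_size to the data-plus-spare size your dumper writes per page.

```python
# Added example, not code from the thread: compare several raw NAND dumps of
# the same chip, report pages whose bytes differ between reads, and build a
# per-byte majority-vote image from three or more reads. page_size is an
# assumption (data + spare bytes per page as written by your dumper).
from collections import Counter


def compare_dumps(dumps, page_size):
    """Return {page_index: [offsets within the page that differ between dumps]}."""
    if len(dumps) < 2:
        raise ValueError("need at least two dumps to compare")
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("dumps differ in length; the reads are not comparable")
    unstable = {}
    for start in range(0, size, page_size):
        pages = [d[start:start + page_size] for d in dumps]
        if all(p == pages[0] for p in pages[1:]):
            continue  # fast path: identical page in every read
        offsets = [o for o in range(len(pages[0]))
                   if len({p[o] for p in pages}) > 1]
        unstable[start // page_size] = offsets
    return unstable


def majority_vote(dumps):
    """Build a consensus image byte by byte; returns (image, ambiguous_offsets).

    An offset is ambiguous when no single value wins (e.g. three reads, three
    different values); those bytes need another read rather than a guess.
    """
    if len(dumps) < 3:
        raise ValueError("majority vote needs at least three dumps")
    consensus = bytearray(dumps[0])
    ambiguous = []
    for o in range(len(consensus)):
        column = [d[o] for d in dumps]
        if column.count(column[0]) == len(column):
            continue  # all reads agree
        ranked = Counter(column).most_common()
        if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
            ambiguous.append(o)
        consensus[o] = ranked[0][0]
    return bytes(consensus), ambiguous


def load_dumps(paths):
    """Read dump files from disk (for real use; the demo uses constructed data)."""
    out = []
    for p in paths:
        with open(p, "rb") as f:
            out.append(f.read())
    return out


def demo():
    """Constructed sample: four 64-byte 'pages', three reads, two flaky bytes."""
    page = 64
    base = bytes((i * 7 + 3) & 0xFF for i in range(4 * page))
    read1 = base
    read2 = bytearray(base)
    read2[74] ^= 0x01   # page 1, offset 10: one read disagrees
    read2[197] ^= 0x10  # page 3, offset 5: every read disagrees
    read3 = bytearray(base)
    read3[197] ^= 0x20
    dumps = [read1, bytes(read2), bytes(read3)]
    return compare_dumps(dumps, page), majority_vote(dumps), base


if __name__ == "__main__":
    unstable, (image, ambiguous), _ = demo()
    print("unstable pages:", unstable)
    print("ambiguous offsets:", ambiguous)
```

A dump that shows different bytes on every read is a wiring or signal problem, not a backup; only write back an image whose pages were stable across reads, and treat the ambiguous list as "read again" rather than "pick one".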
     
  6. StandardBus

    Newcomer StandardBus Member

    Joined:
    Aug 21, 2015
    Messages:
    36
    Country:
    Italy
    It is for the hardmod installation, but not for the SLC-to-Teensy conversion.
    The only thing I know is that Smea had successfully restored his console starting from a software dump. He didn't have an installed Teensy before the brick. So we would be able to convert an SLC dump into a Teensy-compatible one if we understand how he did it.
    (Not to mention that he could have done a full Wii U NANDs dump using some custom-developed NAND dumper instead of the one available on the net.)

    BTW, I dumped my Wii U NANDs using the signal booster edition .hex way before the release of the kernelhax, and it worked. So I confirm you should use that .hex and not the dual NAND .hex.
     
    Last edited by StandardBus, Mar 15, 2017
    aut0mat3d and pelago like this.
  7. pelago

    Member pelago Member

    Joined:
    Feb 20, 2006
    Messages:
    952
    Country:
    United Kingdom
    aut0mat3d likes this.
  8. pelago

    Member pelago Member

    Joined:
    Feb 20, 2006
    Messages:
    952
    Country:
    United Kingdom
    Actually let's page @marcan_troll too. I'm not sure if he's still active here but I see his name mentioned in the nandway.py text so he may have some input.
     
  9. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    One hint for all who want to dump their mlc/eMMC:
    do not solder on the SMD pads of the resistors, please use the vias beside them.
    The SMD resistors are damaged very easily (super tiny thin metal ends - never saw an SMD resistor break so fast when desoldering).

    Also I am not able to dump the mlc - tried 5+ card readers, single-bit wiring, 4-bit wiring, removing resistors - all without luck.
    My next step will be an attempt to dd the dump of the mlc to a micro-SD card and solder it in as a replacement - I am curious if this was tried by anyone, or if anyone knows if there is some security involved which checks the serial or timing of the mlc storage, for example.
     
    Last edited by aut0mat3d, Mar 16, 2017
    Leeful and pelago like this.
  10. Leeful
    OP

    Newcomer Leeful Advanced Member

    Joined:
    Sep 4, 2015
    Messages:
    85
    Country:
    United Kingdom
    @aut0mat3d Did you cut the CLK track? The SD reader will not read from the nand if the CLK signal on the motherboard is still being fed into the chip.
     
    aut0mat3d likes this.
  11. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    Thanks for the hint, yep, did that too; triple-checked the wiring to the SD card adapter - Linux (gparted) does not recognize a medium inserted in the reader :(
     
  12. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    Last edited by aut0mat3d, Mar 17, 2017
    Leeful and pelago like this.
  13. GraFfiX420

    Member GraFfiX420 GBAtemp Regular

    Joined:
    Oct 14, 2009
    Messages:
    117
    Country:
    United States
    Quite interesting, from the readme:

    It needs to have a copy of the first 8 blocks of nand, a list of bad blocks, and AES & hmac keys. All of this data can be gotten from a bootmii nand dump, even if that nand is bricked.

    How can we get a bootmii nand dump?
     
  14. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    I think this is one of the needed hints to restore the filesystem, as the first blocks should hold the bad block map.
    Indeed this would not work without modifications; perhaps the second link mentioning ECC calculation would be more helpful...
     
    GraFfiX420 likes this.
  15. Leeful
    OP

    Newcomer Leeful Advanced Member

    Joined:
    Sep 4, 2015
    Messages:
    85
    Country:
    United Kingdom
    The first 8 blocks of the V-Wii NAND are all FFs, but the AES & HMAC keys are in the OTP.bin. You can extract them using the attached Python script.
    Credit to Whovian9369 for the script.
     


    Last edited by Leeful, Mar 17, 2017
    GraFfiX420 and aut0mat3d like this.
  16. GraFfiX420

    Member GraFfiX420 GBAtemp Regular

    Joined:
    Oct 14, 2009
    Messages:
    117
    Country:
    United States
    I was able to build the tools that you pointed out here:

    https://github.com/trapexit/wiiqt

    I had a build environment I set up for 3DS development, on a CentOS VM I have running on my ESXi server. I wasn't able to get qmake (3?) to install, but I was able to get qmake 4 to install, so I altered the build.sh script for the wiiqt repo as follows:

    Code:
    #!/bin/bash
    
    mkdir -p bin
    
    for app in nandBinCheck nandDump nandExtract ohneschwanzenegger
    do
        cd $app
        qmake-qt4
        make -j4
        cp $app ../bin
        cd ..
    done
    
    All I did was change the reference to qmake in the build script to qmake-qt4. I haven't had a chance to work any further with it, but if anyone else is stuck at compiling this may help them.

    From the second link you posted, I was able to get wii-fsck to compile by adding this to explicitly include errno.h:

    Code:
    #include <errno.h>
    This was added to the file trunk/wii-fsck/wii-fsck.c from the second repository you mentioned. nanddump from this repo built fine with no modifications. I was not able to get zestig to build, but I found another repo here:

    https://github.com/Plombo/segher-wii-tools

    This appears to include a few more tools and builds fine in my test environment, it includes zestig and all the utilities from the other repo.

    The OTP key utility that Leeful pointed out worked fine for me.
     
    Last edited by GraFfiX420, Mar 18, 2017
    Leeful, aut0mat3d and pelago like this.
  17. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    Update:
    I think I found the fault why I was not able to read the mlc. When replacing the resistors I applied a little too much force when desoldering and destroyed a trace to the mlc chip :(
    I desoldered the BGA chip - perhaps I will get some Schnaps (to have a steady hand) and do the wiring manually, but it is soooooo tiny - atm my Wii U is dead:
    softbricked and (finally) hard bricked :P

    With the dumped mlc on an SD card the WiiU does not boot, but I am not sure if this is caused by the filesystem check (not the same state after the format) or by different hardware.

    ATM I am fighting with myself about doing that on my spare WiiU - I think I am waiting to get a real cheap one on eBay before doing that
     
  18. happydance

    Member happydance GBAtemp Advanced Fan

    Joined:
    Jul 16, 2009
    Messages:
    564
    Country:
    Philippines
    Just curious, how long does it take to dump the full NAND? I also got a Teensy and dumped several PS3s before.
     
  19. aut0mat3d

    Newcomer aut0mat3d Advanced Member

    Joined:
    Mar 15, 2017
    Messages:
    76
    Country:
    Austria
    About 2x 90 minutes dumping time (on Linux, signal booster edition).
     
  20. WiiKiing

    Newcomer WiiKiing Advanced Member

    Joined:
    Jan 4, 2017
    Messages:
    86
    Country:
    Australia
    Hi guys, I have no idea what most of you are talking about, however I have theoretically bricked my Wii U by installing CBHC to an out-of-region VC game. I have my OTP file. Do you think if I took my console to a games console repair shop and showed them this post that they could find some way to repair my console? Preferably whilst keeping access to the game saves on my external hard drive?
     
