Hacking Why no nand / emmc hardware dumper yet?

DeadlyFoez

With all that's been going on, why hasn't anyone successfully made an emmc dumper? I know TSK tried and failed, but is there anything that is preventing writing back a previous firmware dump like efuses or seeprom? I haven't read of any.

I have all the tools to do it, I just don't have a Wii U to go at it.
 

Duo8

No one bothered I guess.
Basically you need to dump an eMMC (easy) and a standard TSOP NAND afaik.
 

FaTaL_ErRoR

There's just no need. As long as open source webkit is on the console there will never be a need to revert to previous firmware.
Mostly because there are too many holes in both OSes that patching will just not fix.
Personally I think these guys already have a working websploit and are much further along than they let on. I think E3 during "N" part the U hacking community is gonna go nuts.
I hope it's in before the interview portion with Reggie. It'll be very funny.
 

DeadlyFoez

> because keys

Sorry, but that is a piss poor answer.

If we are able to make a raw dump from both banks of the nand and the emmc, is it possible to reflash those dumps after an update?

It may not seem useful now, but waninkoko has proved that dumps like those are very helpful later on. Just the ability to do so.
 

NWPlayer123

> Sorry, but that is a piss poor answer.
>
> If we are able to make a raw dump from both banks of the nand and the emmc, is it possible to reflash those dumps after an update?
>
> It may not seem useful now, but waninkoko has proved that dumps like those are very helpful later on. Just the ability to do so.

I know, I'm just messing with you :P
Yes, should be. Could easily restore it if you have read/write.
 

obcd

Backing up the eMMC shouldn't be much of a problem I assume.
It just might be necessary to find a way to keep the wiiu in a reset state so that it doesn't try to control the eMMC during the dump.
The hardware needed for that is a sd 2 usb cardreader like the ones that are used to dump the 3ds. I have no idea if connecting only DAT0 is enough to do the trick, or if you need to connect the other 3 DAT lines as well.

You might be able to read the nand using software only. The vwii part of the nand can already be done.
With the webkit exploit and iosu exploit, it might be possible to do the Wiiu part as well.

With currently no practical use for it, trying to restore an older firmware is something you could do "in the name of science", but there is always a chance of bricking your device.

I am unsure, but if I read the eMMC specs, it looks like parts of it can be protected against writing and reading. This would mean that the device would need to receive a correct password before it allows access to some areas of its memory. In such a case, a raw dump could be useless unless the area is already unlocked. A good protection strategy might only unlock it for a short period during powerup and quickly set the protection again afterwards. (Those areas could be used to store some keys.)

The safest method to test would be if you could dump the eMMC contents in another eMMC, and see if the Wiiu still boots properly with that other eMMC. If things go wrong, you still have your original eMMC contents to get the system running. As the eMMC is a bga package, it might be difficult to solder wires to it so that you can connect it to the wiiu. Another problem will be finding such an additional eMMC.
If ninty decided to use the eMMC serial number as part of the encryption, it might fail to transfer the eMMC contents to another chip.
Even if the experiment would be a failure, it would not result in a brick like that.
Simulating such an eMMC with different hardware (so that it produces an equal serial etc.) is a whole different ballgame. Maybe someone with an expensive logic analyser could sniff the communication between the wiiu and the eMMC chip to see what protection tricks are used.
 

Cyan

To check if the eMMC uses password, maybe trying to write the dump back immediately after dumping could be done to check if write protection is used?
In this case, the writable areas would still contain the old data even if writing fails on some blocks.

Or there's probably a way to ask eMMC to answer if password is used, like the Gateway-3DS lock/brick option?
 

Duo8

> To check if the eMMC uses password, maybe trying to write the dump back immediately after dumping could be done to check if write protection is used?
> In this case, the writable areas would still contain the old data even if writing fails on some blocks.
>
> Or there's probably a way to ask eMMC to answer if password is used, like the Gateway-3DS lock/brick option?
IIRC if you use an actual card reader the OS should be able to read most of the details from the eMMC.
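
Added example, not written by anyone in this thread: a read-only decode of the eMMC registers that bear on the questions above (chip serial, write-protect flags, password lock state). It assumes the JEDEC eMMC CID/CSD field layout and a native Linux reader that exposes `/sys/block/mmcblkN/device/cid` and `csd`; all sample values are constructed.

```python
# Decode eMMC identification and protection state from raw register values.
# Field positions follow the JEDEC eMMC CID/CSD layout (assumed, eMMC 4.41+).

def bits(reg: int, hi: int, lo: int) -> int:
    """Return bit slice [hi:lo] of a register value."""
    return (reg >> lo) & ((1 << (hi - lo + 1)) - 1)

def parse_cid(hex_cid: str) -> dict:
    """Decode the 128-bit CID, e.g. the contents of .../device/cid."""
    if len(hex_cid.strip()) != 32:
        raise ValueError("CID must be 32 hex characters")
    cid = int(hex_cid, 16)
    name = bits(cid, 103, 56).to_bytes(6, "big").decode("ascii", "replace")
    return {
        "manufacturer_id": bits(cid, 127, 120),
        "product_name": name,
        "revision": f"{bits(cid, 55, 52)}.{bits(cid, 51, 48)}",
        "serial": bits(cid, 47, 16),  # PSN: differs on every chip
    }

def parse_csd_protection(hex_csd: str) -> dict:
    """Extract the write-protect and lock-capability fields from the CSD."""
    if len(hex_csd.strip()) != 32:
        raise ValueError("CSD must be 32 hex characters")
    csd = int(hex_csd, 16)
    ccc = bits(csd, 95, 84)  # supported command classes
    return {
        "supports_lock_cmds": bool(ccc & (1 << 7)),  # class 7 = lock card
        "wp_group_enable": bool(bits(csd, 31, 31)),
        "perm_write_protect": bool(bits(csd, 13, 13)),
        "tmp_write_protect": bool(bits(csd, 12, 12)),
    }

def card_is_locked(r1_status: int) -> bool:
    """Bit 25 of the 32-bit card status (R1, from CMD13) is CARD_IS_LOCKED."""
    return bool(r1_status & (1 << 25))

# Constructed sample registers (not taken from any real device).
SAMPLE_CID = "15010053414d504c4512deadbeef3401"
SAMPLE_CSD = f"{(0x0F5 << 84) | (1 << 31) | (1 << 12) | 1:032x}"
SAMPLE_STATUS_LOCKED = 0x02000900

if __name__ == "__main__":
    print(parse_cid(SAMPLE_CID))
    print(parse_csd_protection(SAMPLE_CSD))
    print("locked:", card_is_locked(SAMPLE_STATUS_LOCKED))
```

Comparing the decoded serial of the original chip with that of a replacement shows at a glance whether anything keyed to the serial could still match.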
 
