@pyromixLua great news, we were able to format an MLC with a different key than the console was booted with.
Here is the short overview of the procedure:
What you need:
- a working MLC image from another console
- scfm.img (extracted from the SLC) of the same backup as the MLC
- the MLC key of the MLC you are using (you can get it from the otp.bin)
- de_fuse on the console whose MLC you want to rebuild (you don't need to connect 3V3)
- another pico for udpih
- all 52 system titles for your console's region in encrypted (.app) format (JNUSTool can download most of them; for the rest use NUSspli on a different console)
First we need to get the console booting with the foreign MLC:
- Dump the SLC
- Inject the foreign scfm.img into SLC.RAW (https://github.com/GaryOderNichts/wiiuqt/tree/master/fileInjector)
- flash SLC back
- flash the foreign MLC
- replace the MLC key in the otp.bin with the foreign one
Now the console should boot up when using de_fuse.
The next step is preparing a custom recovery for udpih which directly starts into the wupserver. You do this by editing the menu.c and adding calls to the appropriate options (load network config and then start wupserver).
Then you launch the recovery using udpih and see if it works and that you can connect with the wupclient (you need a special wupclient that works with de_fuse).
When you have sorted out the wupserver part, we need to improve on the udpih timing. You do this by first enabling autoboot in de_fuse (to get consistent timing there) and then making a timed udpih by inserting a sleep; you can use this as reference:
https://github.com/GaryOderNichts/udpih/pull/12/commits/64dbe88dda401fb78fc4fa3a053ffee7b99a0e70
With the sleep you should be able to plug in the pico for udpih before turning on the Wii U, so you get a very precise timing. You will need to experiment with the sleep time. You want the time as low as possible, so udpih runs as early as possible. If the screen turns on, it's too late. You will see that UDPIH worked when the LED turns purple and you can connect with wupserver.
When that works, we need to edit the recovery once again so it replaces the MLC key, this time in the main.c of the kernel.
You want to add this code after the restore_mmu(control_register); but before the enable_interrupts(level);
Code:
    set_domain_register(domainAccessPermissions[0]);          // set ARM domain access permissions before writing kernel memory
    uint64_t mlc_key[] = { MLC_KEY1, MLC_KEY2 };              // foreign key (the one the console currently boots with)
    uint64_t mlc_key_new[] = { MLC_KEY_NEW1, MLC_KEY_NEW2 };  // key of the console we want to restore
    // scan the kernel range byte by byte for the 16-byte foreign key and overwrite it
    for (uint32_t addr = 0x402972c; addr < 0x402bb2c; addr++) {
        //lolprint("%08X", addr);
        if (!memcmp((void*)addr, mlc_key, 16)) {
            lolprint("Key found at %08X\n", addr);
            memcpy((void*)addr, mlc_key_new, 16);
        }
    }
You replace MLC_KEY with the foreign MLC key and MLC_KEY_NEW with the one from the console we want to restore. The key gets split into two parts of 64 bits each. If you want to enter it in hex, you need to prefix each part with 0x.
Then you boot this recovery; you only have one try. When this recovery loads, it will corrupt the currently running MLC.
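As an added host-side example (not code from the post, the recovery or udpih), this does the same scan-and-replace over a constructed buffer with explicit bounds and returns how many locations were patched, so you can confirm the range holds exactly one copy of the key before spending the single try. The key is taken as 32 hex digits in the order they appear, which assumes the console's ARM side is big-endian so that the two 0x-prefixed 64-bit halves lay out the same bytes; the memory region and both keys are made up.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a 32-hex-digit MLC key into 16 raw bytes (byte 0 = first hex pair). 0 on success, -1 on bad input. */
static int parse_key_hex(const char *hex, uint8_t out[16]) {
    if (strlen(hex) != 32) return -1;
    for (size_t i = 0; i < 16; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Scan buf for the 16-byte old_key and overwrite every occurrence with new_key. Steps one byte at a
   time like the recovery loop, but never compares past buf + len. Returns the number of patched spots. */
static size_t patch_key(uint8_t *buf, size_t len, const uint8_t old_key[16], const uint8_t new_key[16]) {
    size_t count = 0;
    for (size_t off = 0; off + 16 <= len; off++) {
        if (memcmp(buf + off, old_key, 16) == 0) {
            memcpy(buf + off, new_key, 16);
            count++;
            off += 15; /* the bytes just written cannot start another match */
        }
    }
    return count;
}

/* Constructed demo: a fake 128-byte region with the "foreign" key planted at offset 40.
   Both keys are made-up values, not real console keys. Returns 1 when the patch landed exactly once. */
static size_t demo_patch(void) {
    uint8_t region[128], old_key[16], new_key[16];
    memset(region, 0xAA, sizeof region);
    if (parse_key_hex("00112233445566778899aabbccddeeff", old_key) != 0) return 0;
    if (parse_key_hex("ffeeddccbbaa99887766554433221100", new_key) != 0) return 0;
    memcpy(region + 40, old_key, 16);
    size_t n = patch_key(region, sizeof region, old_key, new_key);
    return (n == 1 && memcmp(region + 40, new_key, 16) == 0) ? n : 0;
}
```

If the count is anything other than 1 on your own dump of that range, the addresses or the key halves are wrong and the recovery must not be booted yet.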
When you are back in wupclient do the following:
- unmount mlc
- format mlc
- mount mlc
- create usr directory
- create usr/boss directory
- create usr/save directory
- flush mlc
Then you reboot the console, this time without de_fuse. It won't boot completely, but UDPIH should now work (with adjusted timing). You can then use a recovery without the key replacement modification to reinstall the system titles.
After installing the titles, you
- change initial_launch in /vol/system/proc/prefs/cafe.xml to 255
- create usr/save/00050010
- create usr/packages
- create usr/tmp
- create usr/title
- flush_mlc
- reboot
Then the console should go through a factory reset and boot up again.
Some of these folders should be quotas, but we are working on that; normal folders work just fine if you do not fill up the internal storage 100%.
Of course there are lots of details missing; this is just the outline. We will do the details when we go through with it.
I hope @Lazr1026 will provide the modified versions of the wupclient, with all the helper functions we need.
Many thanks to Gary for UDPIH and guiding us through the key replacement, @Lazr1026 for testing everything out, and shinyquagsire23 for de_fuse.