Hacking Wiiu Nand Dump

FaTaL_ErRoR

In the screenshot I posted, I was attempting to dump the eMMC again.
The card reader showed up as drive F: (SD card slot) and drive G: (micro SD card slot).

The Wii U's eMMC was connected to the SD card slot, therefore F: is not transparent, unlike the G: drive.
Like I stated in that same post, I have more than 32GB of available space on my C: drive, as in plenty more. As can also be seen in the screenshot, I was trying to Read from F: to C:/WiiUNAND1.


As for the Rx and Tx signals... that terminology is incorrect. :P
The pin-out/signals of the NAND can be found here, section 1.6: http://pdf.datasheetarchive.com/indexerfiles/Datasheets-IS86/DSAH00529214.pdf

Note that I have NOT yet powered my NAND externally. I only ordered the necessary components for that today.
Reading the NAND with the Wii U turned on was unstable for me.

I believe my wiring is correctly set up, I did check it a few times... But I will re-check everything once I receive the components to externally power the Wii U's NAND.

---

My Wii U still runs though... heh.

Edit:
Just checked, on a random thought: between TP168 and R(ead)E(nabled) & W(rite)E(nabled) there is 3.3V measured when the Wii U is powered on.

Between TP168 and GND, nothing.
Actually rx and tx would be correct terms for describing the I/O pins. Input would be rx and output would be tx.

But I'm gonna guess there is something that is interfering with you dumping it. Here's a real good workup of a similar NAND chip being dumped: http://h30499.www3.hp.com/t5/HP-Sec...ice-case-study-part/ba-p/6581528#.VeJJu8qtC3G
And an explanation of why you may have something blocking you from dumping it.

With basically this method I have dumped the NAND. But I haven't tried to write back an older dump after an upgrade yet.

If you desolder the VCC pin from the board and carefully pull the pin from the set, you should be able to solder your power wire directly to it and eliminate having to remove the whole chip. Then maybe solder a small wire in that set and solder a small wire to VCC, and use a couple of M/F terminal connectors to reconnect when needed.

Honestly I do believe the system itself may be preventing you from dumping it. By only powering up the NAND, nothing else will energize and you should be able to dump it.
 

obcd

The current consumption of a chip is not constant. Because of that, you shouldn't use a resistor to lower the supply voltage. You need a linear or switching regulator that produces a constant voltage, no matter how much current is requested. (Obviously there is a maximum limit, and some have a minimum limit as well.) It also would be clearer if people would not call the eMMC 'nand' and the NAND 'nand' as well. If the terms eMMC and NAND were used, everybody would directly know what is being talked about.

Maybe it's possible to dump the Wii U part of the NAND in Wii mode, but the problem will be to restore it. If you managed to corrupt the Wii U part of the NAND, you likely won't be able to reach Wii mode anymore to restore the NAND. At that moment, hardware is the only solution.

If you only disconnect the power pin of the NAND chip, all other lines will still be connected to the circuit. This causes a load on them. It might work, but it's also possible it doesn't work at all. It sure isn't the proper way to do things. A better way would be to power up the system and hold the 2 processors in their reset state. In that state, they keep the address and data lines tri-state so that they don't form a load to other devices.

The eMMC has several modes of operation. It can operate in SPI mode, 1-bit SD mode and 4-bit SD mode. Once the Wii has put it in one of those modes, it's very well possible that the card reader doesn't recognise it anymore. Again, keeping the CPUs in their reset state would guarantee that the eMMC stays in its "power on" default state. Most card readers are expecting such a state, since if you insert a card, it's also powered up at that moment. Next, the card reader will tell the eMMC to switch to another mode (usually 1-bit or 4-bit SD, as those are faster).

I am unsure, but if I remember reading well, an eMMC can be divided into different partitions, and some of those partitions can be password protected against writing and even reading. This would mean that the chip needs the correct password before those partitions could be read. There are 2 ways to figure out if Ninty uses such enhanced protection. First, you can read out the eMMC and write the results back. If the system doesn't brick after that, you know that partition read protection isn't used. (You just risk sacrificing your Wii U.) The second way is connecting the eMMC lines to a multi-$$ SD card protocol logic analyser and logging all data that passes over the bus. Doing so, you can analyse the commands that are issued and you can figure out if the enhanced protection commands are used.

I do not want to temper your enthusiasm while experimenting with this. I just want to point you to possible booby traps you might find on your road to success and fame.

Sometimes, doing things the way they aren't supposed to be done is the way to go, like in the case of giving the PPC a reset pulse that is not long enough... So you can simply ignore all my writing. Fact is, you know there are minimal chances to fubar your console with that short reset pulse, although Murphy never sleeps. Maybe I am just too careful, and that makes me a terrible hacker....

If I remember well, the PPC reset is controlled by the ARM. (Sorry, I keep forgetting those coffee names they give to those.) So, if you find a hardware way to keep the ARM in its reset state, the PPC should remain quiet as well.

Am I correct in thinking that the NAND is connected to the ARM to provide that with instructions and that the eMMC is connected to the PPC to give that instructions? Further, the NAND is divided into 2 pieces. One is used in Wii U mode, the other in vWii mode. Knowing Ninty, it's very well possible that the register to switch between the vWii part and the Wii U part can't be accessed anymore once you made the switch to vWii mode. (This last is just speculating for the worst without any proof at all.)

Good luck guys. (You probably will need it.)
 

FaTaL_ErRoR


The VCC pin isn't really the problem at all. The spot they are connected to will backfeed power and turn on other chips.
That's why I said something about disconnecting the VCC pin and connecting directly to it. Also, the resistor thought was a solution to assist if money was an issue. Resistors will work in a pinch. They may not be the best solution, but if someone is working on a limited budget they should suffice.
Furthermore, sending a reset pulse to the Starbuck is a great idea. Holding the Starbuck in reset would probably solve this issue.
Hold the Starbuck in reset state and it should dump.
 

Marionumber1


Both of them are connected to the ARM, since IOSU has storage drivers for the NAND and eMMC. The PPC has to call IOSU to get any data from the flash, though if the ARM disables AHBPROT, it may be able to have direct NAND/eMMC access. The idea of a NAND_UNK register has been mentioned by tueidj as working in vWii mode, so unless he just based it off IOSU code and never tried in vWii mode, it should work. There's no real advantage in disabling access to the Wii U NAND chip, since it's supposed to be hidden and you could never decrypt it without an IOSU exploit.
 

Adr990

I assume both the PPC and the ARM CPUs are under the same roof?
I would like to try to force the reset mode, but how I would be able to do that is unknown to me.

And I could try to lift the Vcc pin on the NAND and supply the necessary 1.8V (according to the PS3 scene) / 3.3V (according to documentation) to power the NAND.
But maybe the power would still slip through to the console in some way though?

And as for the protections on the chips, how can I discover or recognize whether there are such measures in place?
What kind of logic analyzer would be necessary?
For the eMMC maybe a cheap 8-channel one is enough, but I'm sure people with more experience here can enlighten me about these matters. :P

(Can logic analyzers replace/send signals too?)
 

obcd

The problem with the logic analyser is that you need to decode the data you are capturing. Yes, 8 channels should be enough. Not sure what speed you would need, but you might be able to check that with a good digital scope. A logic analyser can send signals as well, but as I tried to explain before, you need to disable the device that should send the signals originally. You can't have 2 devices driving the same line unless it's an open collector setup. (Maybe the term is open drain now.) The PPC and ARM CPU are 2 different chips on the main board. Sometimes, a separate power rail supervisor chip is used to drive the processor reset line to ensure it only comes out of reset when the supply voltages are stable.
You might measure the supply voltage on the NAND to figure out what it normally needs to operate properly (1V8 or 3V3). They normally don't like it if the signal line voltage is higher than the supply voltage.
Basically, by capturing the communication between the Wii U and the eMMC, you should be able to see if some eMMC commands are used to unlock a partition on the device.
Another thing you could do if you have a spare eMMC is programming the dump into that device and connecting that device to the Wii U. (If I remember well there are some small resistors near the eMMC BGA that can be used to disconnect the device from the actual board.) If things don't work, you still have the original eMMC with its working contents on the board. Maybe there is a description on the net somewhere of all the chips on the Wii U main board? That might help.
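obcd's two posts above make the same practical suggestion: capture the eMMC bus with a logic analyser and look at the commands the console issues, because the lock and partition-protection features are driven by specific commands. The following is an added example (not code from anyone in this thread, and not a Wii U tool) that decodes the CMD line of such a capture. It assumes the eMMC is in native MMC bus mode (1-bit or 4-bit, where the CMD line carries 48-bit frames with a CRC7, not SPI), and it uses the public MMC/SD command indices for the operations that change access rights: CMD42 LOCK_UNLOCK (password lock), CMD28/CMD29 write protection, and CMD6 SWITCH, which on eMMC writes EXT_CSD bytes such as PARTITION_CONFIG (index 179). The capture it decodes is constructed; nothing here says which of these commands the Wii U actually issues, that is exactly what the capture is for.

```python
"""Decode the CMD line of an MMC/SD bus capture and flag access-control commands.

Added example for this thread, not code from any poster or Wii U tool. It
assumes the eMMC is driven in native MMC bus mode (1-bit or 4-bit), where every
command, and every 48-bit response, on the CMD line has the layout

    start(0) | dir(1 = host->card, 0 = card->host) | 6-bit index | 32-bit argument | CRC7 | end(1)

The 136-bit responses (R2: CID/CSD) are not decoded; they carry no lock or
protection state. Input is the CMD line sampled once per clock, as a logic
analyser exports it; the capture used below is constructed, not a Wii U trace.
"""

CRC7_POLY = 0x09  # x^7 + x^3 + 1, the CRC used on the CMD line

# Commands that change who may read or write the card. CMD42 carries the
# password/lock operations; CMD28/29 set and clear write protection; CMD6 on
# eMMC writes EXT_CSD, where PARTITION_CONFIG selects boot/RPMB/user access.
ACCESS_CONTROL_COMMANDS = {
    6: "SWITCH (eMMC EXT_CSD write)",
    28: "SET_WRITE_PROT",
    29: "CLR_WRITE_PROT",
    42: "LOCK_UNLOCK (password set/clear, lock/unlock, force erase)",
}
EXT_CSD_PARTITION_CONFIG = 179  # EXT_CSD byte index on eMMC


def crc7(data: bytes) -> int:
    """CRC7 over the first five bytes of a frame (dir+index byte and argument)."""
    crc = 0
    for byte in data:
        for i in range(8):
            feedback = ((byte >> (7 - i)) & 1) ^ ((crc >> 6) & 1)
            crc = (crc << 1) & 0x7F
            if feedback:
                crc ^= CRC7_POLY
    return crc


def build_frame(index: int, argument: int, from_host: bool = True) -> str:
    """48 bits of a command (or short response) as a '0'/'1' string, CRC included."""
    head = (0x40 if from_host else 0x00) | (index & 0x3F)
    body = bytes([head]) + (argument & 0xFFFFFFFF).to_bytes(4, "big")
    tail = (crc7(body) << 1) | 1          # 7-bit CRC followed by the end bit
    return "".join(f"{b:08b}" for b in body + bytes([tail]))


def decode_frames(bits: str) -> list:
    """Walk a CMD-line bit string and return one dict per 48-bit frame found."""
    frames = []
    i = 0
    while i + 48 <= len(bits):
        if bits[i] != "0":                # line idles high; a 0 is a start bit
            i += 1
            continue
        frame = bits[i:i + 48]
        if frame[-1] != "1":              # no end bit: treat as a glitch, resync
            i += 1
            continue
        raw = int(frame, 2).to_bytes(6, "big")
        frames.append({
            "offset": i,
            "from_host": bool(raw[0] & 0x40),
            "index": raw[0] & 0x3F,
            "argument": int.from_bytes(raw[1:5], "big"),
            "crc_ok": (raw[5] >> 1) == crc7(raw[:5]),  # R3 (OCR) legitimately fails this
        })
        i += 48
    return frames


def flag_access_control(frames: list) -> list:
    """(index, description) for every valid host command that alters access rights."""
    hits = []
    for f in frames:
        if not (f["from_host"] and f["crc_ok"]):
            continue
        if f["index"] not in ACCESS_CONTROL_COMMANDS:
            continue
        note = ACCESS_CONTROL_COMMANDS[f["index"]]
        if f["index"] == 6:
            # eMMC SWITCH argument: [25:24] access mode, [23:16] EXT_CSD index, [15:8] value
            access = (f["argument"] >> 24) & 0x3
            idx = (f["argument"] >> 16) & 0xFF
            val = (f["argument"] >> 8) & 0xFF
            note += f": access={access} ext_csd[{idx}]={val:#04x}"
            if idx == EXT_CSD_PARTITION_CONFIG:
                note += " (PARTITION_CONFIG)"
        hits.append((f["index"], note))
    return hits


def sample_capture() -> str:
    """Constructed CMD-line capture: CMD0, a PARTITION_CONFIG write, CMD42 and its R1, a corrupt CMD17."""
    idle = "1" * 8
    partition_cfg = (0x03 << 24) | (EXT_CSD_PARTITION_CONFIG << 16) | (0x48 << 8)
    frames = [
        build_frame(0, 0),                                  # GO_IDLE_STATE
        build_frame(6, partition_cfg),                      # SWITCH: write EXT_CSD[179] = 0x48
        build_frame(42, 0),                                 # LOCK_UNLOCK (block follows on DAT)
        build_frame(42, 0x00000900, from_host=False),       # R1: READY_FOR_DATA, TRAN state
    ]
    bad = build_frame(17, 0x100)                            # READ_SINGLE_BLOCK ...
    bad = bad[:20] + ("0" if bad[20] == "1" else "1") + bad[21:]  # ... with one argument bit flipped
    return idle + idle.join(frames + [bad]) + idle


if __name__ == "__main__":
    for f in decode_frames(sample_capture()):
        print(f)
    print(flag_access_control(decode_frames(sample_capture())))
```

Only host frames with a good CRC are flagged, so a glitchy capture produces no false positives; if the flagged list stays empty over a full boot while ordinary reads (CMD17/CMD18) are present, the console is not using the password lock or rewriting the partition configuration on that path. A CMD42 by itself only tells you the lock command was sent; the actual password block travels on the DAT lines, which this CMD-only decoder does not see.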
 

Adr990

So has anyone been able to actually backup and restore their Wii U NAND yet?
That might actually be dangerous:


Comex changed something, and, so it was said, wrote something to the NAND (without proper access?) and bricked his Wii U.
I might be incorrect, not remembering it correctly. But suffice it to say it will be a risk one has to take.
 

Marionumber1



comex called the CreateKey() ioctl in /dev/crypto which bricked his Wii U. This wasn't necessarily a NAND modification, since he said he wasn't sure a NAND restore would have fixed it.
 

Adr990

Ah, like so. I remember him saying something about doing something, then using the words brick and NAND. :P
I will likely still try it once I can get a hardware dump of everything then.

Perhaps I should buy a second Wii U right now, in case it bricks, so I still have a 5.3.2 Wii U for the homebrew.
Off-topic: Too bad 2.1.0 is unstable, might be just my Wii U. I would like to write an FTP application, but FS stuff would ultimately require kernel/IOSU access anyways, right?
 

stsaerox

I want to try this and add a video of how to do it. It seems like my soldering iron equipment isn't good enough for this project...

Can anyone please tell me what the most appropriate type of soldering iron equipment is? What are the soldering irons with small tips called?
 

Adr990

I use a 1.0mm tip apparently. (This one: http://www.velleman.eu/products/view/?country=uk&lang=en&id=349590;VTSSC50N )
I don't know if it is big? But you just have to learn how to use it, and applying the right amount of tin, on the right spot of the tip, helps a lot.

Try looking for a 0.5mm tip (most likely you can just replace the tip of your iron), along with 0.5mm tin wire. Flux (no clean) comes in handy; tin wires with flux inside alone don't really work the same. And so does your choice of wires: Kynar, copper magnet wires (insulated), AWG matters, never use 30AWG wires over a longer distance for example...

Just try not to kick off a resistor and you should be good. Soldering at 20-30 Watt (no higher) should cause no damage; don't heat any components for too long. No biggy.
 

stsaerox

I'm trying to find in my area a proper soldering pencil with a 0.5 tip as you said, but it is hard. It seems like I have to get a soldering station from abroad. You think that temperature management is not necessary... right? There are tips made from a special material that keeps solder on the tip when they are hot.... Are those the ceramic ones? Also, can you suggest something specific for me?

I have experience with soldering, but for fine soldering I'll do some practice first because maybe I haven't done such a difficult task... Just to be sure.
 

shinyquagsire23

Temperature controlled irons are great. I got a Hakko and a fine tip and it worked fine for me. If you're on a budget just do as was suggested before though and choose your wattage and tip size carefully. Usually tips are changeable though, you just need to find the right size/type for your iron. They're somewhat standard as far as I know.
 

metaljay

Any progress?
What does the actual guide in the OP allow you to do? As they believe they have working NAND backup and restore functionality?

My objective is purely to backup 5.3.2, update to 5.X to play Mario Kart,
then downgrade when a hack is released with EmuNAND.
 

FaTaL_ErRoR

Well, I don't know if you didn't mention it or if you didn't do it... But did you create a blank .txt file? And are you attempting to write to the .txt file?
Because that is where you are supposed to be writing to. And you need to see how much space is allocated to that .txt file. Sorry I took so long to respond on this. Honestly, I think this method would be easier on Linux just because there is less in your way as far as admin goes
(for extracting the eMMC anyway).
 

shinyquagsire23

For what it's worth by the way, you will need to keep backups and restore both the eMMC and the NAND for a full downgrade. mlc (eMMC) contains all the system apps, including web browser and the like. slc (TSOP NAND) contains all RPLs and kernel/IOSU images (and some other stuff like ticket info). So naturally, both should be upgraded and downgraded together to avoid issues. I'm fairly confident externally powering the NAND will let the NAND be dumped, whether it will let you downgrade though is a mystery to me. Hopefully though downgrading can be successful.
 

EclipseSin

No..... Just no.. When you dump something in this fashion, you don't need to create some magic blank .txt file to save the binary information to. The operating system(s) and the software used to dump, such as dd or a hex editor, work together to create a file inside the file system on its own. The only reason I could think of having to do this is if you're trying to bypass some security or access restrictions, which would mean you don't know what you're doing. And if the program says your outfile doesn't exist, use better software. I've seen a lot of stupid advice from you on this forum; I do hope people do not take you seriously....

@Adr990 @shinyquagsire23 If either of you attempt a full dump, upgrade, and downgrade, please tag me if you post results. If it does work with both chip dumps, we might be able to make donor nands/eMMC in the future to fix broken units, provided we have a way to extract per console keys at that time. If I get time and money, I'll do the same. Thanks!
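Two points in the posts above go together: the dump tool creates the output file itself (EclipseSin's reply about dd), and slc and mlc have to be backed up and restored as a pair (shinyquagsire23's post). Combined with the unstable reads reported earlier in the thread, that suggests a routine that reads each chip twice, trusts an image only when both reads agree byte for byte, and writes one manifest tying the two images together with their sizes and SHA-256 hashes so they are never mixed up at restore time. The following is an added example in Python, not a tool anyone in the thread used; on Linux the source paths would be the card reader's block device (an assumed name such as /dev/sdX, opened read-only), and the demo at the bottom runs on constructed files so it works offline.

```python
"""Dump two raw flash devices twice each, confirm the reads agree, and record a manifest.

Added example for this thread, not a tool any poster used. On Linux the source
paths would be the reader's block devices (e.g. /dev/sdX, an assumed name);
here the demo uses ordinary files so it runs offline. The output file is
created by the script itself, as with dd: no pre-made empty file is needed.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, the same granularity as dd bs=1M


def dump_raw(src_path: str, out_path: str) -> dict:
    """Copy src_path to out_path chunk by chunk; return size and SHA-256 of what was read."""
    digest = hashlib.sha256()
    size = 0
    with open(src_path, "rb") as src, open(out_path, "wb") as out:
        for buf in iter(lambda: src.read(CHUNK), b""):
            out.write(buf)
            digest.update(buf)
            size += len(buf)
    return {"path": out_path, "size": size, "sha256": digest.hexdigest()}


def compare_images(path_a: str, path_b: str) -> list:
    """CHUNK-aligned offsets at which two dumps differ; an empty list means identical."""
    diffs = []
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        offset = 0
        while True:
            x, y = a.read(CHUNK), b.read(CHUNK)
            if not x and not y:
                break
            if x != y:            # also catches one file being shorter than the other
                diffs.append(offset)
            offset += CHUNK
    return diffs


def verify_image(path: str, expected: dict) -> bool:
    """Re-hash an image right before restoring it and check it still matches the manifest."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            digest.update(buf)
            size += len(buf)
    return size == expected["size"] and digest.hexdigest() == expected["sha256"]


def backup_pair(slc_dev: str, mlc_dev: str, out_dir: str) -> dict:
    """Dump SLC and MLC twice each; an image is only marked stable if both reads are identical."""
    manifest = {}
    for name, dev in (("slc", slc_dev), ("mlc", mlc_dev)):
        first = dump_raw(dev, os.path.join(out_dir, f"{name}.1.bin"))
        second = dump_raw(dev, os.path.join(out_dir, f"{name}.2.bin"))
        diffs = compare_images(first["path"], second["path"])
        manifest[name] = {
            "image": first["path"],
            "size": first["size"],
            "sha256": first["sha256"],
            "read_stable": not diffs,
            "mismatch_offsets": diffs[:16],   # first few, enough to see whether errors cluster
        }
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo() -> dict:
    """Run the flow on constructed files standing in for the two chips (not real dumps)."""
    work = tempfile.mkdtemp(prefix="wiiu-dump-")
    slc = os.path.join(work, "fake_slc")
    mlc = os.path.join(work, "fake_mlc")
    with open(slc, "wb") as f:
        f.write(bytes(range(256)) * 4096)        # 1 MiB repeating pattern
    with open(mlc, "wb") as f:
        f.write(b"\xff" * (3 * CHUNK // 2))      # 1.5 MiB that looks erased
    manifest = backup_pair(slc, mlc, work)
    # Simulate an unstable read: one flipped byte in a second copy of the SLC image.
    stable = os.path.join(work, "slc.1.bin")
    flaky = os.path.join(work, "slc.flaky.bin")
    with open(stable, "rb") as f:
        data = bytearray(f.read())
    data[CHUNK // 2] ^= 0x01
    with open(flaky, "wb") as f:
        f.write(bytes(data))
    return {
        "manifest": manifest,
        "verify_ok": verify_image(stable, manifest["slc"]),
        "unstable_offsets": compare_images(stable, flaky),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

If `read_stable` comes back false for a chip, do not restore from that image; the mismatch offsets tell you whether the reader dropped bytes at random (the unstable-read symptom from earlier in the thread) or whether a whole region differs, which points at the console changing the flash between the two reads.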
 

Adr990

I'm about to attempt another TSOP NAND dumping session. I got the 3.3V regulator on the Teensy, a 5V to 1.8V 1.5A regulator, and the PC PSU I have. (It obviously does have 3.3V wires though.)

To separately power the NAND, I need to hook up either the 3.3V or 1.8V via the external PC PSU, right?
So basically, delivering power to the 168 (I believe) test point, then attempt to connect the Teensy to it, and dump it via the PC. (Using nandWAY ofc.)

That's it, right? Nothing I skipped or am doing wrong? (Just making sure.)

...As for the eMMC, the Anker card reader, it can read in one-bit mode, right? :P (I also have tried all 4 data lines, as done on the WiiUBrew page.)
I ordered a cheap LA; maybe something will turn up otherwise about the eMMC. Maybe it also needs to be externally powered, which could be a possible problem. (Or it is a matter of losing the resistors while dumping...)
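Before trusting a TSOP NAND dump taken this way (chip powered from an external regulator, read through the Teensy), a quick structural pass over the image catches the two usual failure modes of a hardware dump, a chip that was never selected or powered (every byte reads 0xFF) and data lines that were held low (every byte 0x00), and reports erased pages, factory bad-block marks and the entropy of the live pages. This is an added example in Python, not part of nandWAY or any tool from the thread. Its assumptions: the page geometry (2048-byte pages, 64-byte spare, 64 pages per block) is that of a typical large-page SLC part and must be replaced with the values from the chip's datasheet; the dump is laid out as a raw page reader writes it, page data followed by its spare bytes; and the bad-block convention (first spare byte of page 0 or 1 of a block not equal to 0xFF) is the common one for such parts. The image it analyses is constructed.

```python
"""Sanity-check a raw NAND dump that includes the spare (OOB) bytes of every page.

Added example, not a tool from the thread. The page geometry below is an
assumption for a typical large-page SLC NAND; take the real numbers from the
chip's datasheet. The dump is assumed to be laid out the way a raw page reader
writes it: page data followed immediately by that page's spare bytes.
"""
import math
from collections import Counter

PAGE_SIZE = 2048        # assumed, from the datasheet for the real part
SPARE_SIZE = 64         # assumed
PAGES_PER_BLOCK = 64    # assumed
RAW_PAGE = PAGE_SIZE + SPARE_SIZE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or compressed data, 0.0 for a constant fill."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def iter_pages(image: bytes):
    """Yield (data, spare) for each raw page; refuse images that are not page aligned."""
    if len(image) % RAW_PAGE:
        raise ValueError(f"image length {len(image)} is not a multiple of {RAW_PAGE}")
    for i in range(len(image) // RAW_PAGE):
        raw = image[i * RAW_PAGE:(i + 1) * RAW_PAGE]
        yield raw[:PAGE_SIZE], raw[PAGE_SIZE:]


def analyze_dump(image: bytes) -> dict:
    """Count erased pages, find factory bad-block marks, and judge whether the read was real."""
    erased_page = b"\xff" * PAGE_SIZE
    erased_spare = b"\xff" * SPARE_SIZE
    erased = 0
    bad_blocks = []
    live_data = bytearray()
    for page_no, (data, spare) in enumerate(iter_pages(image)):
        block, idx = divmod(page_no, PAGES_PER_BLOCK)
        # Factory bad-block mark (assumed convention): first spare byte of page 0 or 1 != 0xFF.
        if idx in (0, 1) and spare[0] != 0xFF and block not in bad_blocks:
            bad_blocks.append(block)
        if data == erased_page and spare == erased_spare:
            erased += 1
        else:
            live_data += data
    pages = len(image) // RAW_PAGE
    ff_fraction = image.count(0xFF) / len(image) if image else 0.0
    if pages and erased == pages:
        verdict = "every page reads 0xFF: chip probably not selected (CE) or not powered"
    elif image and image.count(0x00) == len(image):
        verdict = "every byte reads 0x00: bus held low or data lines not connected"
    else:
        verdict = "plausible dump"
    return {
        "pages": pages,
        "blocks": pages // PAGES_PER_BLOCK,
        "erased_pages": erased,
        "bad_blocks": bad_blocks,
        "ff_fraction": ff_fraction,
        "live_entropy": shannon_entropy(bytes(live_data)),
        "verdict": verdict,
    }


def sample_image() -> bytes:
    """Constructed 3-block image (not a real dump): a data block, an erased block, a bad-marked block."""
    pattern_page = bytes(range(256)) * (PAGE_SIZE // 256)
    clean_spare = b"\xff" * SPARE_SIZE
    block_data = (pattern_page + clean_spare) * PAGES_PER_BLOCK
    block_erased = (b"\xff" * RAW_PAGE) * PAGES_PER_BLOCK
    zero_page = b"\x00" * PAGE_SIZE
    marked_spare = b"\x00" + b"\xff" * (SPARE_SIZE - 1)
    block_bad = (zero_page + marked_spare) + (zero_page + clean_spare) * (PAGES_PER_BLOCK - 1)
    return block_data + block_erased + block_bad


if __name__ == "__main__":
    for key, value in analyze_dump(sample_image()).items():
        print(f"{key}: {value}")
```

A real dump of a chip holding encrypted system data should show live-page entropy close to 8 bits per byte and only a handful of bad blocks; a long run of identical pages in the middle of otherwise random data usually means the reader lost sync with the chip for a while, which is the moment to re-read and compare rather than keep the image.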
 

FaTaL_ErRoR

Kindly fuck off...

You should know exactly why this is done. Don't give me that "you've given tons of bad advice" shit. The reason people manage to fuck things up all the time is because they fail to follow instructions. I mean, you don't honestly believe people when they say "I don't know what happened, I mean I followed all the instructions." Come on, when people have problems with things that work well, it's because they missed a step somewhere or tried to cut a corner.
 
