Hacking Unusual issue with finding save files in Nand Dump

[Xangalore]

My wii recently went south for reasons unclear. So I went ahead and made a backup and then restored it to an old backup Nand that I have from like 1 1/2 years ago (I've never really been in the habit of regularly making backups, and I it seems I might pay for it). I was hoping I could extract my save files from the f*** up Nand dump that I made, but I can't find any save files using all the usual extraction programs. The "title" folder, and in fact all the folders except for the one that has the sysuid (or whatever it's called) are totally empty. But if I look at the Nand.bin in a hex editor, it's still ginormously full of alpha-numeric gobbledy gook. So it seems like the data is in there, but none of the various utilities I've downloaded can seem to extract the info in any usable way.

Any thoughts?

Is there a way to just dive into the hex file for the nand directly and search out the save data that way?

 

[tueidj]

The NAND is encrypted.
The main idea of encryption is to hide the original data, so even empty data looks like "gobbledy gook" when it is encrypted.
For the same reason you're not going to find your missing save data using a hex editor.

 

[Xangalore]

The NAND is encrypted.
The main idea of encryption is to hide the original data, so even empty data looks like "gobbledy gook" when it is encrypted.
For the same reason you're not going to find your missing save data using a hex editor.

Fair enough. But I wonder why the extraction programs can't seem to parse it out into those file folders. I tested my previous Nand backup (the one I used to restore my system), and all of that data could be separated out into those folders. So I wonder why this current backup won't do it.

 

[giantpune]

you got 15 "undo"s with the nand FS. all the nand dumpers out there use the newest version of the filesystem table to determine what all is where in the filesystem. you can edit one of the existing dumpers to use a different SFFS cluster and see if one of the other ones still has all the contents of the folders listed in it.

 

[DeadlyFoez]

^^That is interesting to find out. Thanks for that info pune.

@tueidj, I thought all blocks stayed zeroed out until the block get filled with some data and then it gets encrypted, in other words, I thought blank block stayed unencrypted. The reason why I think that is because I have done a dump of my nand after a failed nand format and it would have huge sections of all 00 or FF in the hex editor, but when I compared it to the same addresses before the failed nand format those addresses did contain encrypted data. Also, all my nands have no bad blocks, and when I say 'nand format', I mean using Comes's nand formatter, and it would fail on installing IOS's above 30 and just lock up.

 

[Xangalore]

you can edit one of the existing dumpers to use a different SFFS cluster

How would I go about doing that?

 

[tueidj]

There are two ways a NAND block can end up filled with zeroes:
- something (most likely the NAND formatter) erases them and then specifically writes zeroes.
- something screws up and writes the same block multiple times without erasing it. Each time you write a NAND block it sets the required bits to zero so if you keep overwriting different data to a block eventually all the bits will be zero.
Neither of these happens under normal operation:
- If a file containing zeroes is written, the data will get encrypted before being written to the NAND blocks (any encrypted data = looks like random data).
- If a block has been erased but not written it will contain 0xFFs.
- If a block previously held part of a file that was deleted, it still holds the (encrypted) file's data (the file is removed from the FAT but the blocks aren't erased).

 

[Xangalore]

When I use the Nand Extract program, it shows that only 17mb are in use. Almost all of it shows up as unused grey blocks. Very weird. How could that happen? Is that pretty conclusive that the data is just not there for some reason?

 

[DeadlyFoez]

Gotcha. Thank you for the info.

 

[tueidj]

When I use the Nand Extract program, it shows that only 17mb are in use. Almost all of it shows up as unused grey blocks. Very weird. How could that happen? Is that pretty conclusive that the data is just not there for some reason?

IOS has a "delete ALL the things" function that gets executed when something is seriously wrong. It's pretty pointless because deleting everything just makes the wii more unusable, but that sounds like what has happened.