Unable to dump OTP.bin with de_fuse

MarcoC

Got a WiiU with static red LED and I installed pico to de_fuse it.
When I try to dump OTP via PRSHhax I get this error:

Found existing entry: boot_info, data: 10008000, size: 00000058, is_set: 80000000
prsh: checksum header: old=9254f7bf new=8f14dbd2
prsh: checksum prst: old=505276c9 new=505276c9
Dumping OTP using boot1 prod v8377 (slot0=v8377, slot1=v8377), and offset 0x0d40ac6d...

WARNING: SEEPROM slot0 boot1 version v17079 does not match NAND version v8377!
Exploit might not work!


WARNING: SEEPROM slot1 boot1 version v17079 does not match NAND version v8377!
Exploit might not work!

If this is the first time you're dumping otp.bin, ignore this message.
However, if you reflashed boot1, you might have to guess which boot1
version was originally on NAND and will match the SEEPROM version.
prsh: Header at 10005a54, PRST at 10007ff0, 1 entries (32 capacity):
0: boot_info 0x58 d40ac6d
GPU clocked at: 544.999877MHz
Unmounting SLC...
Shutting down MLC...
Shutting down SD card...
sdhc_bus_power(0x0)
Shutting down interrupts...
Shutting down caches and MMU...
Resetting (prshhax)...

boot1 never jumped to payload! Offset or SEEPROM version might be incorrect.
(try it again just in case, sometimes the resets can get weird)
Press POWER/Q to continue.

I tried to dump the memory of the cry_pto (I cannot post without _ :-() module following the suggestion of another post but when I tried with nandBinCheck against my SLC dump there were 64 bad hmac.

Is there something I can try?
I also have another WiiU in really bad conditions always with static red led, should I try to de_fuse that WiiU to dump OTP/SLC and move them to this WiiU?
 

SDIO

Red means that boot1 isn't executed. So PRSHhax can't work. And the other method would also require the system to boot further to copy the keys to memory.
This can either be caused by a corrupted boot1 on the SLC or by a version mismatch of the boot1 and the boot1 version in the SEEPROM. The SEEPROMs are all encrypted using the same key. So you can get the SEEPROM key from another console's OTP to decrypt your SEEPROM and look at the version there.
The NAND bin check will fail the HMAC check because it's missing the correct HMAC key, but it should still be able to tell you the boot1 version.
 

MarcoC

Thanks for the explanation.

Boot1 version
NAND Type: SLC (WiiU)
checking boot1...
Boot1 hash: "3806d41a5c5f139f5b09bbe5b74a5ec45e0f5507"
Boot1 OK!

I dumped the seeprom.bin but it seems just 00. So I don't know how to go ahead from here...
 

SDIO

Do you have any history on the console? What happened to it? This is very strange...
We could try rebuilding a seeprom for your console, but we need to be careful, because I think a bad SEEPROM could also break defuse.
What is the manufacturer of the DRAM on the board?
 

MarcoC

WARNING: SEEPROM slot0 boot1 version v5135 does not match NAND version v8377!
Exploit might not work!


WARNING: SEEPROM slot1 boot1 version v5135 does not match NAND version v8377!
Exploit might not work!
boot1 never jumped to payload! Offset or SEEPROM version might be incorrect.
(try it again just in case, sometimes the resets can get weird)
Same error when I try to dump OTP via PRSHhax (the boot1 version is now different from the original message). Should I try to dump a partial OTP using the crypto_dump method?
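
The comparison the replies above walk through (SEEPROM boot1 version against the NAND boot1 version, across both attempts), as an added example that is not part of any post in this thread. The log lines are copied from the two excerpts quoted above; the function names `parse_run` and `triage` are made up for this sketch, and treating a changing value as an untrustworthy reading is an assumption of the example.

```python
import re

# Log excerpts copied from the two PRSHhax attempts quoted in this thread.
RUN_1 = """\
Dumping OTP using boot1 prod v8377 (slot0=v8377, slot1=v8377), and offset 0x0d40ac6d...
WARNING: SEEPROM slot0 boot1 version v17079 does not match NAND version v8377!
WARNING: SEEPROM slot1 boot1 version v17079 does not match NAND version v8377!
boot1 never jumped to payload! Offset or SEEPROM version might be incorrect.
"""
RUN_2 = """\
WARNING: SEEPROM slot0 boot1 version v5135 does not match NAND version v8377!
WARNING: SEEPROM slot1 boot1 version v5135 does not match NAND version v8377!
boot1 never jumped to payload! Offset or SEEPROM version might be incorrect.
"""

WARN = re.compile(
    r"SEEPROM (slot\d) boot1 version v(\d+) does not match NAND version v(\d+)"
)


def parse_run(log):
    """Return {slot: (seeprom_version, nand_version)} for each mismatch warning."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in WARN.finditer(log)}


def triage(runs):
    """Per slot: versions seen in each run and whether the SEEPROM value is stable."""
    parsed = [parse_run(r) for r in runs]
    report = {}
    for slot in sorted({s for p in parsed for s in p}):
        seeprom = [p[slot][0] for p in parsed if slot in p]
        nand = {p[slot][1] for p in parsed if slot in p}
        report[slot] = {
            "nand_versions": sorted(nand),
            "seeprom_versions": seeprom,
            # Assumption of this sketch: if the reported SEEPROM version changes
            # between runs, no single reading can be trusted as the stored one.
            "seeprom_stable": len(set(seeprom)) == 1,
        }
    return report


if __name__ == "__main__":
    for slot, info in triage([RUN_1, RUN_2]).items():
        print(slot, info)
```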
 

Lazr1026

wait, no, go do Backup and Restore -> Sync boot1 versions to seeprom
Post automatically merged:

argh that won't work either. restore the seeprom and when it asks you to sync the boot1 versions, don't.
 

SDIO

The first test would be if it goes to blue LED without defuse.
Post automatically merged:

To see what boot1 version you have installed, you can run nandBinCheck on the SLC.RAW. It will say hmac error on all superblocks, but it should detect the boot1 version
EDIT: NVM we see the boot1 version on the SLC from the minute output in the first post.

Also make sure to have a backup of the SLC
 

MarcoC

After I turned the console off and on again the SEEPROM was changed again and only contains 00.
Post automatically merged:

If it can be useful, this is the log from when I restore the seeprom:

Making mandatory OTP/SEEPROM backups...
Dumping OTP to `sdmc:/backup_otp_0.bin`...
Dumping SEEPROM to `sdmc:/backup_seeprom_0.bin`...
Write sdmc:/seeprom.bin to SEEPROM?
[POWER/Q] No | [EJECT/P] Yes...
Restoring SEEPROM from `sdmc:/seeprom.bin`...
Verifying seeprom.bin...
SEEPROM failed to verify!
(Check your otp.bin?)
Hardware params calc: 71d26d1f stored: 6bdc60f6
Primary boot1 params calc: 51be263a stored: 4e3b4f9c
Secondary boot1 params calc: df82c4b5 stored: 89dfca4d
Decrypted boot1 versions: v20027 (4e3b) and v35295 (89df)
Decrypted boot1 sectors: 0x4f9c and 0xca4d

SEEPROM failed to verify!
(A valid otp.bin is required)
 
