Hacking A strange little wii...

DeadlyFoez · Apr 23, 2019

I saw this post from @JoyBunny about a month ago...

JoyBunny said:
I have a System Menu v1.0 Wii I recently bought secondhand. I thought this my be a rare, never-updated Wii console, but I have no idea how to get a nand dump from it without hardmods. Anyone have ideas?

Not long after the owners sent me their wii along with a note stating that the previous owner said that HBC was installed, which doesn't sound quite right.

I took the wii apart and dumped the nand. I then injected bootmii into boot2, using a boot2v4 from my tech wii. I then went and put the wii all back together and and booted it up. From there I used bootmii to dump the nand so I would have multiple copies from multiple sources, and it also let me get the keys.

Here are a few interesting things to notice in these pictures below.

The label on the wii itself does say that this is a USA console, and the serial number confirms that.

Bootmii does report this as a 1.0 SM wii, but also reports the wii as having boot2v2 installed when I in fact installed a boot2v4 instead. I have had this happen before and Marcan explained to me why.

As you can see in the screenshot from ShowMiiNand, there are only 3 IOS's installed, and everything is reported as being the japanese regions of the channels. I am not sure if that is because those are universal channels or whatever. I never bothered getting deep into the software side of the wii. I was always more a hardware guy.

I tried launching the hackmii installer from bootmii and it would just launch the system menu instead. I haven't been able to find anything that I can launch from within bootmii.

I want to see if we can get homebrew running without having to do an online update.

But as you can see, this wii is very interesting.

If anyone has any good ideas or if anyone wants any other info about it, just ask.
Thank you.

Cyan · Apr 23, 2019

some ideas, probably bad and incomplete :

zelda save exploit could work?
but inserting the disc will add missing IOS from the update partition if you accept the update. you'll mess with your clean NAND.
zelda uses IOS9, so maybe it won't ask to update. you should dump your ISO with cleanrip and check the update partition to see what it contains and will replace.
Plus, launching hackmii installer would write HBC to NAND, if you want to keep it clean there are other choices.

Casper was designed to use homebrew without softmodding the console.
I never used it, so I don't know if it can work on 1.0
I think it's launched from a game exploit. no bootmii required (the purpose is to not alter the NAND with homebrew at all)

A burned autoboot disc could be an option too?
replace boot.dol with homebrew filter's dol (so it doesn't require sigpatch because it's not installed as a channel)
my memory is too vague, but I think a disc becomes autoboot if you replace Byte 0 of the ISO with "R". but some official games have their TitleID starting with R, so I'm probably wrong.

cboot2, never used either, but replaces the bootmii's armboot.bin so you can launch it from bootmii@boot2.
the armboot.bin extracts a ppcboot.elf into /tmp/ folder on NAND, temporarily patches one of the IOS it finds on NAND (from slot36 down to 3) to add sigpatch and NAND access and put it in memory (instead of usual cIOS installed in a slot). then it launches the elf from tmp folder which launches boot.dol from SD root. the tmp folder is deleted on next reboot, or maybe next IOS reload.

that's just random idea, sorry if wrong or not useful.

DeadlyFoez · Apr 23, 2019

I just sent the wii back to the owner. I am going to convert this nand to work on my tech wii and play with it from there.

It would be interesting to see what this does on one of them newer wii's with the fixed boot1. It likely will not boot at all.

I did have an image for the pink fish disc, but i think i lost all my old stuff.

What i want to find out of all of this is if there are any remnants of other software or anything else to find hidden within this nand. If this was one of those very first wiis that shipped with the pre release update discs then i hope we may be able to recover traces of that.

At this moment i have no reason to believe that anything was ever run on this wii.

Ryccardo · Apr 23, 2019

Cyan said:
I think a disc becomes autoboot if you replace Byte 0 of the ISO with "R". but some official games have their TitleID starting with R, so I'm probably wrong.

0 is autoboot, R (and later S) is for regular commercial Wii discs

Of course, any new titles write to nand (uid.sys) so it is impossible to make a clean backup with a game exploit, depending on the definition of clean

Nice to see the Wii Shop stub (which, unlike the weather/news ones, doesn't exist on newer consoles because it shares the titleid with the actual one)

1.0 may be region free to some extent (just the menu itself, or for all digital apps - not like you could have installed more anyway at the time), after all it's an universal build for all 3 regions, with all newer ones having region-specific versions...

tech3475 · Apr 23, 2019

Could bannerbomb work?

Ryccardo · Apr 23, 2019

tech3475 said:
Could bannerbomb work?

Doubt it, I don't think it even supports 2.x, and 1.x should be missing significant parts of channel management (not to mention I have a feeling that most homebrew won't run fine as IOS9)

pstrick · Apr 23, 2019

How did you get the console specific keys that allowed you to modify the NAND?

Looks like it has all the release version of IOS. Like you said, the real prize will be in scraping the NAND and finding factory leftovers.

Also, how did you inject bootmii into boot2? I have been doing some experimenting with RVT H units and manually installing bootmii would be helpful.
(Do you know how to modify boot1? It's not hashed on development wiis and can be freely modified.)

Ryccardo · Apr 23, 2019

pstrick said:
How did you get the console specific keys that allowed you to modify the NAND?

I think (haven't read about it for 10 years or so) that it works like on 3DS - using an encryption scheme where, without ever figuring out the "original" key, you can work out a "functional equivalent" (xorpad) if you positively know what the decrypted content is going to be and also have it in encrypted form

pstrick · Apr 23, 2019

Other than that, the fact that we succeeded in booting the system off a disc without installing anything means that some directories were created in flash, a file was added for the disc I booted (00010001-HAXX), and an entry was added to /sys/uid.sys for that title. In real terms, that means 2 16KB clusters of other data was overwritten and lost, but those changes would be fairly easily reversible by hand.

If I had thought it through a bit more, I could have used the 1-2 title ID (like the pinkfish disc and "homebrew checker" disc!) for my disc, and avoided both of those changes; alas.

Bushing had that to say about the startup disc wii. Just keep it in mind if you do decide to run any discs to avoid overwriting everything.

DeadlyFoez · Apr 23, 2019

pstrick said:
How did you get the console specific keys that allowed you to modify the NAND?

Looks like it has all the release version of IOS. Like you said, the real prize will be in scraping the NAND and finding factory leftovers.

Also, how did you inject bootmii into boot2? I have been doing some experimenting with RVT H units and manually installing bootmii would be helpful.
(Do you know how to modify boot1? It's not hashed on development wiis and can be freely modified.)

I have an infectus flash memory programmer. Boot1 is in block 0. Boot 2 resides as I think 3 copies in blocks 1-7. I just took the first 8 blocks (0-7) from my tech wii that already had bootmii installed and I just wrote them into the first 8 blocks of this wii's nand. Then I just had to insert my SD card with the bootmii files on and turn on the wii, do a nand dump through bootmii and get the keys. With that I did not have to touch any of the area of the nand that the actual system runs on.

pstrick · Apr 23, 2019

DeadlyFoez said:
I have an infectus flash memory programmer. Boot1 is in block 0. Boot 2 resides as I think 3 copies in blocks 1-7. I just took the first 8 blocks (0-7) from my tech wii that already had bootmii installed and I just wrote them into the first 8 blocks of this wii's nand. Then I just had to insert my SD card with the bootmii files on and turn on the wii, do a nand dump through bootmii and get the keys. With that I did not have to touch any of the area of the nand that the actual system runs on.

That's pretty cool.
I really have to learn how to solder.

DeadlyFoez · Apr 23, 2019

I'm not sure which titles these are, but this is what seems to have been run on the wii.

Razor83 · Apr 23, 2019

Great work @DeadlyFoez, and thanks to @JoyBunny for lending you their Wii

I hope you are able to recover some factory tools from this Wii, like this:-
https://tcrf.net/Wii#Wii_Factory_Tools
Out of curiosity how do you search a NAND dump to find titles like this? Is there some program that can decrypt the NAND and search for previously deleted files?

DeadlyFoez said:
I have an infectus flash memory programmer. Boot1 is in block 0. Boot 2 resides as I think 3 copies in blocks 1-7. I just took the first 8 blocks (0-7) from my tech wii that already had bootmii installed and I just wrote them into the first 8 blocks of this wii's nand. Then I just had to insert my SD card with the bootmii files on and turn on the wii, do a nand dump through bootmii and get the keys. With that I did not have to touch any of the area of the nand that the actual system runs on.

If you overwrite block 0 does that mean that the original boot1 was overwritten? In which case this Wii may have originally had boot1a installed instead of boot1b listed by bootmii? I guess examination of the original manual NAND dump could help to determine which boot1/boot2 was originally installed.

DeadlyFoez · Apr 23, 2019

Razor83 said:
Out of curiosity how do you search a NAND dump to find titles like this? Is there some program that can decrypt the NAND and search for previously deleted files?

Stuff like that is not what I am good at. I am trying to contact a few people to get them to look at the dump. But even I might be able to find a few things of use, but I just don't know how to use them yet.

Razor83 said:
If you overwrite block 0 does that mean that the original boot1 was overwritten? In which case this Wii may have originally had boot1a installed instead of boot1b listed by bootmii? I guess examination of the original manual NAND dump could help to determine which boot1/boot2 was originally installed.

This wii did not have boot1a installed. Boot1 is checked against a hash into the OTP, so it can not be updated, but boot2 can be updated. If you have a flawed boot1 then you will always be able to install bootmii into boot2. Nintendo could do absolutely nothing to fix that.

Razor83 · Apr 23, 2019

DeadlyFoez said:
Stuff like that is not what I am good at. I am trying to contact a few people to get them to look at the dump. But even I might be able to find a few things of use, but I just don't know how to use them yet.

Please let us know what they say and if you manage to find anything. I'm especially interested in any details on how to search for this sort of stuff in NAND dumps. I have seen some factory titles have been found for the Wii and 3DS, but nothing for the DSi and Wii U. If the techniques to finding deleted factory titles was more well known i'm sure the community could find lots more interesting stuff!

DeadlyFoez said:
This wii did not have boot1a installed. Boot1 is checked against a hash into the OTP, so it can not be updated, but boot2 can be updated. If you have a flawed boot1 then you will always be able to install bootmii into boot2. Nintendo could do absolutely nothing to fix that.

Ah sorry I forgot that boot1 cannot be modified as its hash checked by boot0.

Out of curiosity was there a reason why you didnt you just write blocks 1-7, skipping boot1? I realise you have the means to manually write back the untouched NAND with the Infectus even if the Wii failed to boot, but I only ask for those who are not as skilled with tiny soldering

DeadlyFoez · Apr 23, 2019

Code:

BOARD_TEST=START,V2.0
BOARD_TEST=OK,V2.0
FINAL_TEST=START,V1.0
FINAL_TEST=OK,V1.0
WRITE_NAND_DATA1=START,1.1.0
WRITE_NAND_DATA1=OK,1.1.0
SERIAL_NO_REGISTER=OK,1.1.0
WIRELESS_TEST=OK,RVL001.01
PRECHECK_DATA=START,1.4.0
PRECHECK_DATA=OK,1.4.0
CHECK_NAND_DATA=START,1.3.0
CHECK_NAND_DATA=OK,1.3.0

I just found this in shared2/text/textlog.txt

--------------------- MERGED ---------------------------

Razor83 said:
Out of curiosity was there a reason why you didnt you just write blocks 1-7, skipping boot1? I realise you have the means to manually write back the untouched NAND with the Infectus even if the Wii failed to boot, but I only ask for those who are not as skilled with tiny soldering

It is easier to write blocks starting from the beginning of a flash chip. So I was goign to write the 0-7 of mine, and then write back the 0 from the original. But after I wrote blocks 0-7, I then compared block 0 to the original and saw that they were in fact the same so I didn't need to do anything else.

XFlak · Apr 24, 2019

Other than giantpune the only other person I know of that's still semi active to maybe do something with this is FIX94.

@FIX94, calling you out so you don't miss this news. I read your recent blog posts on Gameboy hacks so know you're still alive (at least you were a couple months ago)

DeadlyFoez · Apr 24, 2019

I converted to nand dump to be able to work on my wii. Now I am trying to track down someone that has the actual prerelease SM stub nand dump. Bushing had it at one time, but I can't ask him about it now.

Anything that I try to do with this wii, it just wants to update. Too bad I do not have all that many disc games to try that with, and the ribbon cable for my wode is busted.

pstrick · Apr 24, 2019

DeadlyFoez said:
I converted to nand dump to be able to work on my wii. Now I am trying to track down someone that has the actual prerelease SM stub nand dump. Bushing had it at one time, but I can't ask him about it now.

Anything that I try to do with this wii, it just wants to update. Too bad I do not have all that many disc games to try that with, and the ribbon cable for my wode is busted.

Do you mean the start up disc wii nand dump?

Razor83 · Apr 24, 2019

I have a copy of the partial extracted Wii Startup Disk NAND dump that was released some years ago but its in extracted folder format, not the original nand.bin/keys.bin (Which i'm not sure was ever released?)

Is there any chance you could run nandBinCheck on this NAND dump? I'm curious to see the output (and the same for the Wii Startup Disk NAND dump, if anyone still has it)

<EDIT> Thanks to a tip-off I now have a copy of the original Wii Startup Disk NAND dump. I was hoping to use nandBinCheck on it to show the build dates of BC and MIOS, but unfortunately it throws up an error about missing content.map

Wii Startup Disk nandBinCheck said:
** nandBinCheck : Wii nand info tool **
from giantpune
svn r: 104
built: Jun 5 2011 21:29:38
checking boot1 & 2...
Boot1 A (vulnerable)
found 2 copies of boot2
"blocks 1 & 2: Used for booting; Content Sha1 matches TMD; TMD officially signed
; Ticket officially signed; Version 1"
"blocks 7 & 6: Backup copy; Content Sha1 matches TMD; TMD officially signed; Tic
ket officially signed; Version 1"
checking uid.sys...
checking content.map...
NandBin::ItemFromPath ->item not found "/shared1/content.map"
"No content map found in the nand"
Press any key to continue . . .

Is there any other way I can find the BC and MIOS build dates? I'm just hoping to fill in the blanks for the table at the bottom of this page:-
https://wiibrew.org/wiki/Boot1

Hacking A strange little wii...

XFlak Fanboy

GBATemp's lurking knight

XFlak Fanboy

Penguin accelerator

Well-Known Member

Penguin accelerator

Banned!

Penguin accelerator

Banned!

XFlak Fanboy

Banned!

XFlak Fanboy

Well-Known Member

XFlak Fanboy

Well-Known Member

XFlak Fanboy

Wiitired but still kicking

XFlak Fanboy

Banned!

Well-Known Member

Similar threads

Popular threads in this forum