A strange little wii...

Discussion in 'Wii - Hacking' started by DeadlyFoez, Apr 23, 2019.

  1. DeadlyFoez
    OP

    DeadlyFoez GBAtemp Guru

    Member
    11
    GBAtemp Patron
    DeadlyFoez is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    Apr 12, 2009
    United States
    I saw this post from @JoyBunny about a month ago...
    Not long after the owners sent me their wii along with a note stating that the previous owner said that HBC was installed, which doesn't sound quite right.

    I took the wii apart and dumped the nand. I then injected bootmii into boot2, using a boot2v4 from my tech wii. I then went and put the wii all back together and booted it up. From there I used bootmii to dump the nand so I would have multiple copies from multiple sources, and it also let me get the keys.

    Here are a few interesting things to notice in these pictures below.

    (Images: censored serial, IMG_20190423_095412, ShowMiiNand)

    The label on the wii itself does say that this is a USA console, and the serial number confirms that.

    Bootmii does report this as a 1.0 SM wii, but also reports the wii as having boot2v2 installed when I in fact installed a boot2v4 instead. I have had this happen before and Marcan explained to me why.

    As you can see in the screenshot from ShowMiiNand, there are only 3 IOS's installed, and everything is reported as being the japanese regions of the channels. I am not sure if that is because those are universal channels or whatever. I never bothered getting deep into the software side of the wii. I was always more a hardware guy.


    I tried launching the hackmii installer from bootmii and it would just launch the system menu instead. I haven't been able to find anything that I can launch from within bootmii.

    I want to see if we can get homebrew running without having to do an online update.


    But as you can see, this wii is very interesting.
    (Images: IMG_20190423_105313, IMG_20190423_105450, IMG_20190423_105426)

    If anyone has any good ideas or if anyone wants any other info about it, just ask.
    Thank you.
     
  2. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    22
    Oct 27, 2002
    France
    Engine room, learning
    some ideas, probably bad and incomplete:

    zelda save exploit could work?
    but inserting the disc will add missing IOS from the update partition if you accept the update. you'll mess with your clean NAND.
    zelda uses IOS9, so maybe it won't ask to update. you should dump your ISO with cleanrip and check the update partition to see what it contains and will replace.
    Plus, launching hackmii installer would write HBC to NAND, if you want to keep it clean there are other choices.


    Casper was designed to use homebrew without softmodding the console.
    I never used it, so I don't know if it can work on 1.0
    I think it's launched from a game exploit. no bootmii required (the purpose is to not alter the NAND with homebrew at all)


    A burned autoboot disc could be an option too?
    replace boot.dol with homebrew filter's dol (so it doesn't require sigpatch because it's not installed as a channel)
    my memory is too vague, but I think a disc becomes autoboot if you replace Byte 0 of the ISO with "R". but some official games have their TitleID starting with R, so I'm probably wrong.


    cboot2, never used either, but replaces the bootmii's armboot.bin so you can launch it from bootmii@boot2.
    the armboot.bin extracts a ppcboot.elf into /tmp/ folder on NAND, temporarily patches one of the IOS it finds on NAND (from slot36 down to 3) to add sigpatch and NAND access and put it in memory (instead of usual cIOS installed in a slot). then it launches the elf from tmp folder which launches boot.dol from SD root. the tmp folder is deleted on next reboot, or maybe next IOS reload.


    that's just random idea, sorry if wrong or not useful.
     
    Last edited by Cyan, Apr 23, 2019
    CoolStarDood and DeadlyFoez like this.
  3. DeadlyFoez
    OP
    I just sent the wii back to the owner. I am going to convert this nand to work on my tech wii and play with it from there.

    It would be interesting to see what this does on one of them newer wiis with the fixed boot1. It likely will not boot at all.

    I did have an image for the pink fish disc, but I think I lost all my old stuff.

    What I want to find out of all of this is if there are any remnants of other software or anything else to find hidden within this nand. If this was one of those very first wiis that shipped with the pre release update discs then I hope we may be able to recover traces of that.

    At this moment I have no reason to believe that anything was ever run on this wii.
     
  4. Ryccardo

    Ryccardo and his tropane alkaloids

    Member
    13
    Feb 13, 2015
    Italy
    Imola
    0 is autoboot, R (and later S) is for regular commercial Wii discs

    Of course, any new titles write to nand (uid.sys) so it is impossible to make a clean backup with a game exploit, depending on the definition of clean :)

    Nice to see the Wii Shop stub (which, unlike the weather/news ones, doesn't exist on newer consoles because it shares the titleid with the actual one)

    1.0 may be region free to some extent (just the menu itself, or for all digital apps - not like you could have installed more anyway at the time), after all it's a universal build for all 3 regions, with all newer ones having region-specific versions...
     
    Cyan and DeadlyFoez like this.
  5. tech3475

    tech3475 GBAtemp Maniac

    Member
    8
    Jun 12, 2009
    Could bannerbomb work?
     
  6. Ryccardo
    Doubt it, I don't think it even supports 2.x, and 1.x should be missing significant parts of channel management (not to mention I have a feeling that most homebrew won't run fine as IOS9)
     
  7. pstrick

    pstrick Member

    Newcomer
    3
    Jul 6, 2018
    United States
    How did you get the console specific keys that allowed you to modify the NAND?

    Looks like it has all the release versions of IOS. Like you said, the real prize will be in scraping the NAND and finding factory leftovers.

    Also, how did you inject bootmii into boot2? I have been doing some experimenting with RVT H units and manually installing bootmii would be helpful.
    (Do you know how to modify boot1? It's not hashed on development wiis and can be freely modified.)
     
  8. Ryccardo
    I think (haven't read about it for 10 years or so) that it works like on 3DS - using an encryption scheme where, without ever figuring out the "original" key, you can work out a "functional equivalent" (xorpad) if you positively know what the decrypted content is going to be and also have it in encrypted form
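    Ryccardo's description of working out a "functional equivalent" pad from a known plaintext and its encrypted form, shown as an added Python example that is not code from this thread and does not model the Wii's actual NAND encryption. The keystream generator, the secret and the two sample blocks are all constructed here. What it shows is the reason that recovery matters to a defender: once a pad is reused across blocks, one known block gives up every other block, while binding the pad to the block index limits what a known block reveals to itself.

```python
import hashlib


def toy_pad(secret: bytes, length: int, block_index=None) -> bytes:
    """Toy XOR keystream (constructed for this example; not the Wii's real scheme):
    SHA-256 in counter mode over the secret, optionally bound to a block index."""
    label = secret if block_index is None else secret + block_index.to_bytes(4, "big")
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_xorpad(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext recovery of the pad: C = P xor K, so K = P xor C.
    The secret that produced K is never learned, only K itself."""
    return xor_bytes(known_plain, known_cipher)


# Constructed sample data for the demo (both blocks are 32 bytes long).
SECRET = b"console-specific-secret (constructed)"
KNOWN_BLOCK = b"hello world hello world hello wo"    # content an analyst can predict
PRIVATE_BLOCK = b"private block contents, unknown!"  # content they want to read


def demo_reused_pad() -> bytes:
    """Weak design: one pad reused for every block.
    The pad recovered from the known block decrypts the private block too."""
    pad = toy_pad(SECRET, len(KNOWN_BLOCK))
    c_known = xor_bytes(KNOWN_BLOCK, pad)
    c_private = xor_bytes(PRIVATE_BLOCK, pad)
    xorpad = recover_xorpad(KNOWN_BLOCK, c_known)
    return xor_bytes(c_private, xorpad)  # equals PRIVATE_BLOCK


def demo_per_block_pad() -> bytes:
    """Hardened design: pad bound to the block index, so the pad recovered from
    block 0 says nothing about block 1."""
    c_known = xor_bytes(KNOWN_BLOCK, toy_pad(SECRET, len(KNOWN_BLOCK), block_index=0))
    c_private = xor_bytes(PRIVATE_BLOCK, toy_pad(SECRET, len(PRIVATE_BLOCK), block_index=1))
    xorpad = recover_xorpad(KNOWN_BLOCK, c_known)
    return xor_bytes(c_private, xorpad)  # garbage, not PRIVATE_BLOCK


if __name__ == "__main__":
    print("reused pad   ->", demo_reused_pad())
    print("per-block pad->", demo_per_block_pad())
```

    The recovered pad is exactly as long as the known plaintext, so the attack reaches only as far as known content extends; the per-block variant is the same idea a proper mode of operation applies with a per-block IV or tweak.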
     
  9. pstrick
    Bushing had that to say about the startup disc wii. Just keep it in mind if you do decide to run any discs to avoid overwriting everything.
     
  10. DeadlyFoez
    OP
    I have an infectus flash memory programmer. Boot1 is in block 0. Boot 2 resides as I think 3 copies in blocks 1-7. I just took the first 8 blocks (0-7) from my tech wii that already had bootmii installed and I just wrote them into the first 8 blocks of this wii's nand. Then I just had to insert my SD card with the bootmii files on and turn on the wii, do a nand dump through bootmii and get the keys. With that I did not have to touch any of the area of the nand that the actual system runs on.
     
    pstrick, XFlak and x65943 like this.
  11. pstrick
    That's pretty cool.
    I really have to learn how to solder.
     
  12. DeadlyFoez
    OP
    I'm not sure which titles these are, but this is what seems to have been run on the wii.
    (Image: title)
     
  13. Razor83

    Razor83 GBAtemp Fan

    Member
    5
    Dec 23, 2009
    Great work @DeadlyFoez, and thanks to @JoyBunny for lending you their Wii :)

    I hope you are able to recover some factory tools from this Wii, like this:-
    https://tcrf.net/Wii#Wii_Factory_Tools
    Out of curiosity how do you search a NAND dump to find titles like this? Is there some program that can decrypt the NAND and search for previously deleted files?

    If you overwrite block 0 does that mean that the original boot1 was overwritten? In which case this Wii may have originally had boot1a installed instead of boot1b listed by bootmii? I guess examination of the original manual NAND dump could help to determine which boot1/boot2 was originally installed.
     
  14. DeadlyFoez
    OP
    Stuff like that is not what I am good at. I am trying to contact a few people to get them to look at the dump. But even I might be able to find a few things of use, but I just don't know how to use them yet.
    This wii did not have boot1a installed. Boot1 is checked against a hash into the OTP, so it can not be updated, but boot2 can be updated. If you have a flawed boot1 then you will always be able to install bootmii into boot2. Nintendo could do absolutely nothing to fix that.
     
    Last edited by DeadlyFoez, Apr 23, 2019
  15. Razor83
    Please let us know what they say and if you manage to find anything. I'm especially interested in any details on how to search for this sort of stuff in NAND dumps. I have seen some factory titles have been found for the Wii and 3DS, but nothing for the DSi and Wii U. If the techniques for finding deleted factory titles were more well known I'm sure the community could find lots more interesting stuff!

    Ah sorry I forgot that boot1 cannot be modified as its hash checked by boot0.

    Out of curiosity was there a reason why you didn't just write blocks 1-7, skipping boot1? I realise you have the means to manually write back the untouched NAND with the Infectus even if the Wii failed to boot, but I only ask for those who are not as skilled with tiny soldering ;)
     
  16. DeadlyFoez
    OP
    Code:
    BOARD_TEST=START,V2.0
    BOARD_TEST=OK,V2.0
    FINAL_TEST=START,V1.0
    FINAL_TEST=OK,V1.0
    WRITE_NAND_DATA1=START,1.1.0
    WRITE_NAND_DATA1=OK,1.1.0
    SERIAL_NO_REGISTER=OK,1.1.0
    WIRELESS_TEST=OK,RVL001.01
    PRECHECK_DATA=START,1.4.0
    PRECHECK_DATA=OK,1.4.0
    CHECK_NAND_DATA=START,1.3.0
    CHECK_NAND_DATA=OK,1.3.0

    I just found this in shared2/text/textlog.txt


    It is easier to write blocks starting from the beginning of a flash chip. So I was going to write the 0-7 of mine, and then write back the 0 from the original. But after I wrote blocks 0-7, I then compared block 0 to the original and saw that they were in fact the same so I didn't need to do anything else.
     
    XFlak and Razor83 like this.
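    The block-level check described in posts 10 and 16 (write blocks 0-7 from another dump, then compare block 0 against the original to confirm boot1 was left as found) and the textlog.txt entries quoted in post 16, as an added Python example that is not code from this thread. It assumes a block size of 4096 bytes for its constructed sample dumps (a real Wii NAND block is larger; change BLOCK_SIZE to suit) and builds those dumps itself; the log parser is fed the entries exactly as quoted above, plus one constructed line with a step that never reaches OK, so the incomplete-step check has something to report.

```python
import hashlib
import re

BLOCK_SIZE = 4096  # constructed for this example; a real Wii NAND block is larger


def split_blocks(dump: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut a raw dump into fixed-size blocks (the last one may be short)."""
    return [dump[i:i + block_size] for i in range(0, len(dump), block_size)]


def block_digests(dump: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-1 of every block, so two dumps can be compared block by block."""
    return [hashlib.sha1(b).hexdigest() for b in split_blocks(dump, block_size)]


def differing_blocks(dump_a: bytes, dump_b: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Indices of blocks whose contents differ between two same-sized dumps."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps differ in size; compare like with like")
    pairs = zip(block_digests(dump_a, block_size), block_digests(dump_b, block_size))
    return [i for i, (x, y) in enumerate(pairs) if x != y]


def boot1_unchanged(original: bytes, rewritten: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """Block 0 holds boot1, which boot0 hash-checks against OTP; confirm it is as found."""
    return 0 not in differing_blocks(original, rewritten, block_size)


def build_demo_dumps(blocks: int = 10) -> tuple:
    """Constructed stand-ins: 'original' has block i filled with byte i; 'rewritten'
    has blocks 1-7 (the boot2 area) replaced and block 0 left alone."""
    assert blocks >= 8, "need at least blocks 0-7"
    original = b"".join(bytes([i]) * BLOCK_SIZE for i in range(blocks))
    rewritten = original[:BLOCK_SIZE] + b"\xff" * (7 * BLOCK_SIZE) + original[8 * BLOCK_SIZE:]
    return original, rewritten


# Factory test log entries, copied from shared2/text/textlog.txt as quoted in post 16.
TEXTLOG = """\
BOARD_TEST=START,V2.0
BOARD_TEST=OK,V2.0
FINAL_TEST=START,V1.0
FINAL_TEST=OK,V1.0
WRITE_NAND_DATA1=START,1.1.0
WRITE_NAND_DATA1=OK,1.1.0
SERIAL_NO_REGISTER=OK,1.1.0
WIRELESS_TEST=OK,RVL001.01
PRECHECK_DATA=START,1.4.0
PRECHECK_DATA=OK,1.4.0
CHECK_NAND_DATA=START,1.3.0
CHECK_NAND_DATA=OK,1.3.0
"""
# Constructed variant: one more step that logged START but never OK.
CONSTRUCTED_LOG = TEXTLOG + "EXAMPLE_STEP=START,0.0.0\n"

LOG_LINE = re.compile(r"^(?P<step>[A-Z0-9_]+)=(?P<status>[A-Z]+),(?P<version>[^\s,]+)$")


def parse_textlog(text: str) -> dict:
    """Parse STEP=STATUS,VERSION lines into {step: {"status", "version", "events"}}.
    'status' and 'version' are the last ones logged; 'events' keeps every status in order."""
    steps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        rec = steps.setdefault(m["step"], {"events": []})
        rec["events"].append(m["status"])
        rec["status"] = m["status"]
        rec["version"] = m["version"]
    return steps


def incomplete_steps(steps: dict) -> list:
    """Steps that logged START but never OK: a station that did not finish."""
    return [s for s, r in steps.items() if "START" in r["events"] and "OK" not in r["events"]]


if __name__ == "__main__":
    orig, new = build_demo_dumps()
    print("blocks changed:", differing_blocks(orig, new), "boot1 intact:", boot1_unchanged(orig, new))
    for step, rec in parse_textlog(TEXTLOG).items():
        print(f"{step:20} {rec['status']:5} {rec['version']}")
    print("incomplete:", incomplete_steps(parse_textlog(CONSTRUCTED_LOG)))
```

    On real dumps, read both files as bytes and pass them to differing_blocks with the chip's true block size; a non-empty list that includes 0 means boot1 was touched, which is exactly the case the hash check in boot0 will refuse.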
  17. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    Other than giantpune the only other person I know of that's still semi active to maybe do something with this is FIX94.

    @FIX94, calling you out so you don't miss this news. I read your recent blog posts on Gameboy hacks so know you're still alive (at least you were a couple months ago)
     
  18. DeadlyFoez
    OP
    I converted the nand dump to be able to work on my wii. Now I am trying to track down someone that has the actual prerelease SM stub nand dump. Bushing had it at one time, but I can't ask him about it now.

    Anything that I try to do with this wii, it just wants to update. Too bad I do not have all that many disc games to try that with, and the ribbon cable for my wode is busted.
     
  19. pstrick
    Do you mean the start up disc wii nand dump?
     
    DeadlyFoez likes this.
  20. Razor83
    I have a copy of the partial extracted Wii Startup Disk NAND dump that was released some years ago but it's in extracted folder format, not the original nand.bin/keys.bin (which I'm not sure was ever released?)

    Is there any chance you could run nandBinCheck on this NAND dump? I'm curious to see the output (and the same for the Wii Startup Disk NAND dump, if anyone still has it)

    <EDIT> Thanks to a tip-off I now have a copy of the original Wii Startup Disk NAND dump. I was hoping to use nandBinCheck on it to show the build dates of BC and MIOS, but unfortunately it throws up an error about missing content.map
    Is there any other way I can find the BC and MIOS build dates? I'm just hoping to fill in the blanks for the table at the bottom of this page:-
    https://wiibrew.org/wiki/Boot1
     
    Last edited by Razor83, Apr 24, 2019
    DeadlyFoez likes this.