Hacking Betwiin v.10

[pspmte]

Hey guys u are nearly there with this

HiBit great thread

Ok i have a Infectus2 all installed, it takes hours to dump the nand.bin, Dont forget Hibit to use bushings and NDT software to dump the nand.bin also D0 must be shorted for at least a few second to frezze the wii
Now here my idea for an unbricker, you installed the Infectus on a working wii desolder the nand flash off and inplace put an IC Socket there that will take the Nand flash
Then all you have to do is desolder the bricked wiis flash,put it into the Wiiunbricker and dump get the keys Betwiin it and flash back solder back in.
Dont for get i swapped a bricked nand flash with a good Bootmii installed nand and i got bootmii runing on a bricked wii, so this means you could use bootmii v3 and get the keys and Hmac
Anyway my wife has just had a baby so i might go back on this now and build the Unbricker

 

[tony996]

just to let you know, if you can get bootmii to install, then you might not have to run betwiin unless it is for kicks, but if you can install bootmii then you use this method, its worth a try.

cboot2.zip

Here's the thread I read about it
CBoot2 rev 16 with a GC controler wad manager - GBAtemp.net


as for me i am still looking for a wii, with the same boot1 version. so close......

 

[HiBit]

OMG, it's done!
Fu**, the full brick is really unbricked!

Yooooooo!


Ok, lets start with the story and i hope it can help other users.

First of all start soldering the infectus to the NAND:




There is no need to win a design challenge, we only need to flash the NAND and nothing more. If it's done we must remove the infectus and
a dirty installation is enough:




I have a lot of problems with the damn infectus software.
First, my pc didn't boot if the infectus was connected ... update ... it boot ... today it didn't boot.
After i changed some usb settings in my bios the pc work fine, but now the original infectus software didn't find the infectus.

Ok, letzt try another software and you can see it work. Here it read the NAND from the full brick:




Now i open the dumped NAND and compare the boot1 part with other dumps.
I found a compatible dump and flash it back to the Wii:




God, this moment was hard.
I connect the Wii together with the infectus to my tv and insert a sd card with the bootmii files(i use v0.2 - i didn't like 0.3):




YES!
Bootmii work and i can dump the NAND and - of cause - the HMAC and the NAND key from the bricked Wii:




Ok, now i get the HMAC/NAND key and put it into the hmac-key and into the nand-key with an hex editor. Also i remove the last 1024 bytes and save them to my HDD. I need this data later because i must add the 1024 bytes to the converted flash.bin. Bootmii need this data, otherwise i can't restore the NAND with bootmii:




Now i start betwiin to build a working NAND with the keys from the bricked Wii:




I put the 1024 at the end of this new NAND image, rename it to nand.bin and restore it with bootmii:


You see my problem?
Yes, bootmii didn't accept the boot1. But it was flashed to the NAND with the infectus, it's the same NAND from where bootmii run on the bricked Wii.
Why it didn't accept things that it already use?

For this problem i have no answer, but i have a solution.
Use the first megabyte from the NAND dump you get from the bricked Wii and insert(replace) this megabyte to the fresh converted and unbricked nand.bin.
EDIT:
Sorry to the user that has a problem with my wrong description. It must be a megabyte(select $0 to $fffff) and not only a kilobyte!




Now i try it again and i'm sure the simulation run:

Of cause, you can use the infectus to flash the NAND, but i didn't like it.
The infectus is unstable and ..... *brrrrrr* NO!



Also i'm sure it say you can restore the NAND:





That's all.

Switch your Wii off and restart it, now it should be unbricked!
If it work remove the infectus and reassemble the Wii.



Ok, now i drink some beer and try my fresh unbricked Wii.
It was hard for me to understand all this in the last days, now i do nothing other than play with a Wii(i spend xxx hour to fix and learn, but i'm sure i only spend x hour to play

).

I hope tomorrow i need < 1 hour to fix the next brick.

Thanks for all your help.

 

[computerboy]

Congratulations

and well done for writing a tutorial for other people with bricks.

 

[WiiCrazy]

Wov, Well done!

It would be nice to have a high res picture of that beast (infectus) installed on the wii.. (picture 1 and 2)

 

[HiBit]

Ok, but it's only a very simple installation to flash the NAND and you can't see all the cables.

^^ Sorry, i have only a two year old cam.


This is the picture that explain what you must connect:




Tomorrow i use better cable on another Wii.

 

[pspmte]

HiBit you should make a fully no holds bared guide for this

great work mate

How long did the infectus take to dump the nand, also did you find any topssy48 ic sockets?

We could easy make an unbrick a kind of ATE idea would be kool, what we need is the solderless mod chip idea that can go on a samsung nand flash
Then you would not even need to desolder the nand ic

 

[tony996]

Hibit, that is awesome..... well i got another donner wii, this time specs were fine, received the same error as you, so i replaced the first 1024 bytes from bricked wii, and now it is telling me nand is from a different wii. this is killing me, i thought i had it figured out. well atleast i know it can be done will try some it later.

 

[paulotasso]

Hello, thanks HiBit for sharing information with us.

So...I want to unbrick my wii too.

Tell me if i am wrong.

First step: Sold infectus 2.
2nd: Flash bootmii to bricked wii's nand.
3rd: Boot up wii and dump nand with keys using bootmii, right?

and..next steps...please i have no knowledge about managin codes, either amoxiflash and this stuff.
The technician will sold the infectus2 for me using the diagrams....but the software part will be all by myself...

Hibit...please save* me! (*help

)

 

[gd48202]

Congratulations HiBit,

If you could please put all the software that you used into a zipped file and placed on mediafire or some other share platform, that would help all the others who would like to do this as well.

If you could also please list the detailed pieces/parts that are required to do this would also be appreciated.

Again, Congratulations on your success.

GD

 

[madtamski]

Way to go on your unbricking!

Great work and and thanks for the guide

 

[Adr990]

Neat!

So, does this work on older Wii's & "LU64+" serial Wii's?

That would be really cool.

 

[HiBit]

So, does this work on older Wii's & "LU64+" serial Wii's?

It work only on a Wii that has a vulnerable boot1 or if you have a NAND backup, then you can unbrick every Wii.
That's the reason why i suggest to make a NAND backup also if you can install bootmii only as IOS.




Btw, in the last days i talk with a lot of user and here is a list of question (and answers) that reach me again and again.




Q: How can i solder the cables to the nand?

A: STOP HERE!
Sorry, but if you ask i'm sure you should ask a friend with enough skill to solder the Infectus to the NAND.

Please look at this picture(€ Cent vs. NAND

):

You see, the NAND is a very small ic and never try to solder the cables if you are unsure!





Q: My wii didnt boot into bootmii after i flashed the new boot1/2 with bootmii.

A: Verify you use the same boot1 and the same or an newer boot2 where bootmii is installed.
If that didn't work use the verify function from the flash tool or dump the NAND and use a tool to verify it on your pc.
If you found additional $ff in the dump solder the ground cable to another point on the Wii mainboard.
If it didn't help to fix the additional $ff use shorter/longer/other cables to the NAND(it sounds stupid, but i can help).

If all this is ok it's possible your NAND has a bad block at boot(1?)2. Thand you must move the blocks where bootmii is installed
to another location.





Q: Can i only flash boot1 and 2 to start BootMii?

A: Yes, that's enough.




Q: How should i convert my NAND?

A: Read this thread.




Q: How can i edit my dump?

A: Read this thread.





Q: My unbricked Wii is unstable and/or something didn't work after i flash the converted NAND.

A: Reinstall every IOS and reinstall every channel. I think UNCORP is a great tool to install all the IOS you need.

It's possible you can't change the region with AnyRegion Changer or some settings and the Wii is unstable after you
reinstall all you need.
I didn't have an simple solution for this problem, but mostly it help you use a dump from another Wii.


Edit:
It ^^ has nothing to do with the bad blocks. You can get the same problems if you convert a dump to a Wii with no bad blocks.

 

[sirakain]

This is cool, cuz before he was doing this for 10$

Is posting NAND allowed ? It contains Ninty code, and your VC/WW...

 

[sirakain]

Double post, sorry

 

[HiBit]

Is posting your own NAND allowed ?

I think it's not allowed, in your NAND is all the code from Nintendo ... every IOS ... the sysmenu ... the channels ...


But it's encrypted.

Possible a mod can help us.

 

[OSW]

Is posting your own NAND allowed ?

I think it's not allowed, in your NAND is all the code from Nintendo ... every IOS ... the sysmenu ... the channels ...


But it's encrypted.

Possible a mod can help us.

No NAND Sharing please, for the reason you stated. If you want to share yours, do it privately not on the forums.

Thanks.

 

[paulodeleo]

Hi! I tried to unbrick 2 Wiis but the result wasn't the expected. That's what I did:

- Both bricked Wiis can run Bootmii to dump the nand, so I did it.
- Both have boot1b. One have boot2v2 and another have boot2v3.
- I also have 2 nand backups from two other working Wiis, both boot1b. Like the bricked ones, one have boot2v2 and another have boot2v3.
- Extracted hmac and key from the Bootmii generated nands of the bricks, as described on post #54.
- Installed python, PyCrypto, numpy as described at post #103. Also installed OpenSSH, as noted at http://www.wiibrew.org/wiki/Betwiin .
- Downloaded and unpacked betwiin.
- Put nand-hmac and nand-key of the bricked wii in the output folder.
- Put nand-hmac and nand-key of the working wii in the input folder.
- Removed the last 1KB from the nand of the working wii (the hmac + key area), so betwiin can accept the nand.
- Put the nand of the working wii in the input folder.
- Executed betwiin.
- 40 minutes later it finished without errors.
- Put the last 1KB from the bricked nand at the end of the generated nand at the output folder.
- Tried to write the generated nand using Bootmii.
- With one of the Wiis (the boot2v2 one), Bootmii said boot1 mismatch, as shown in post #103. Like described, I replaced the first 1MB of the generated nand with the first 1MB of the bricked nand, - and then Bootmii accepted the generated nand.
- Simulation was ok. Writing was ok.
- Reseted Wii.
- In Bootmii again, tried to enter Homebrew Channel (to install it).
- The disclaimer screen shows up, but hangs there.
- After about 1 or 2 minutes, the "Press 1 to continue" message shows up (and the message doesn't blink), but nothing happens if I press any button (using a GC controller). It just stay that way, no matter what I do:

I also tried to replace the first 1MB of the nand for the boot2v2 nand and the same happends.
I also tried to put the nand-hmac and nand-key of the bricked wii in the input folder, but betwiin hangs using all RAM of my PC and can't finish.

Can anyone point what I made wrong, or something else I could try to do?
Thanks for any help!

 

[pinesal]

How much of this thread is still relevant? Do I need to hex edit the keys out stilll? Bootmii nand backup produced an keys.bin file along with the nand.bin. What is the keys.bin for?

I don't want to go through all the steps and learn that it's outdated information.

 

[pinesal]

Well, I tried to fallow the steps but restoremii tells me the dump is for a different Wii.