Hacking Completely Wipe NAND and Start Over?

drfsupercenter

Flash Cart Aficionado
OP
Member
Joined
Mar 26, 2008
Messages
1,909
Trophies
1
XP
1,163
Country
United States
Hey guys,

I remember posting about this subject several months ago but never was able to get it to work.

I have installed so many various different hacks over the course of having my Wii (all the way from the very original Twilight Hack, and just playing Snake and Tetris, up until the most recent Homebrew Channel).

I've had a various plethora of cIOS files, some have messed things up while others haven't.

What I want to do is essentially "virginize" my Wii (boot2 vulnerable as it's a launch model, so I can use BootMii) and then just start over. Use something like Indiana Pwns and install HBC from scratch. And this time I won't install anything unless I'm absolutely sure I know what it does. :P

There was a program somebody suggested I use that would basically use my Wii's NAND keys to create a fresh NAND with the system menu installed, but every time I tried it the system wouldn't boot. I'd take out my BootMii SD card and nothing... just gave me a black screen.

And nobody ever did help me fix that.

So I thought I'd ask the question again and see if we can get anywhere now that the Wii is old news and all the hacks are public knowledge. I could upload my keys.bin if somebody could try creating me a NAND I can restore that will basically match a brand new retail system.
 

drfsupercenter

I'd just advise leaving your Wii as it is. Uninstalling all that stuff is risky. Also, your BootMii idea will not work because the keys are for each dump, they became invalid if you change them.

It's not "uninstalling" anything. I want to just start with a fresh system. You know, flash a fairly empty system to it, rather than just deleting all the titles.

Wait, what? I thought the keys were specific to each NAND, not each dump. Maybe that's why it wasn't booting before, then. I wonder what the point of that program is if it can't fix the keys.bin so you can flash it back...
The program is called Ohneswanzenegger, see here.
 

Acidflare

HomeBrew Beta Tester
Member
Joined
Aug 16, 2013
Messages
1,106
Trophies
0
Age
34
Location
Nether World
XP
268
Country
Canada
I read your other topic
if it is possible to encrypt the nand.bin after decrypting it with showmiiwads then I would suggest
Decrypting it, install priiloader, encrypt it then flash it you should be able to at least boot into priiloader as it renames the system menu .app file and installs priiloader as the system menu .app
if it is not possible to re-encrypt the nand.bin you could try using bootmii to install priiloader after flashing the prepared 4.1u. if loading the system menu is causing the issue then priiloader may be able to help, you could then use priiloader to load multi-mod-manager or wiimod and reinstall the 4.1u system menu

maybe the Ohneswanzenegger program is not working correctly as it should when installing the system menu itself that is, but by using it to have a base installation of 4.1u, use one of the 2 wad managers to reinstall the system menu it should work, then from there follow a guide to update to the 4.3u system menu without loosing bootmii as boot2 have the cios sets you want installed and you'll be where you want to be if it works the way it should
 

drfsupercenter

Well that's a big if... does anyone else know for sure?

I certainly don't mind using 4.1 as a base, I can just update through the Wii menu once I set it up. Obviously NUS is still alive for system channels.
 

Acidflare

Remember, that is if it is possible to re-encrypt a nand.bin for flashing after decrypting it with showmiiwads. If not, I would say use a wad manager to play it safe. I am not completely sure on this topic due to having bootmii as IOS, although my wii is a launch wii.

The whole boot1/2 thing confuses me. If the OTP makes it so that boot1 can't be updated after factory release, and a system menu update had updated boot2 to v4 from v2, shouldn't bootmii as boot2 be possible for me? From what Team Twiizers has stated, boot1 has the trucha bug, which is how bootmii as boot2 is booted, but the installer states bootmii as boot2 is not possible due to the boot1 check.
 

drfsupercenter

Correct me if I'm wrong, but I believe boot2 is completely separate from the NAND which is why BootMii checks to make sure you have it installed to your boot2 before it lets you restore.

So you could technically flash a completely empty NAND of just 0x00 to it, obviously you'd be bricked, but BootMii would still be there and usable.
 

drfsupercenter

Huh... so how come my Ohneswanzenegger NAND image didn't boot at all (gave me a black screen) but still had BootMii as its boot2?

Unless boot2 isn't encrypted so you could have screwed up keys and it would still work as long as it's part of your NAND file?
 

Acidflare

Because why would you program a software to erase itself upon restoring the filesystem, if the software is there for that specific purpose?
 

drfsupercenter

Because why would you program a software to erase itself upon restoring the filesystem, if the software is there for that specific purpose?

No, no, that's not what I'm getting at.

You said the keys change with each NAND dump, right? So quite possibly the reason that Ohneswanzenegger didn't work is because after formatting and recreating a blank NAND, the keys would have changed. So the contents were probably valid, but I used the wrong keys.bin file, so it just booted to a black screen.

If that's the case, then why was BootMii still accessible from boot2? If boot2 is part of the NAND, and the NAND won't boot due to encryption, then ????

Do you get what I'm saying?
 

Acidflare

Because the system menu and IOSes are after boot0/1/2. bootmii is a modified boot2; having a boot1 with the trucha bug allows for bootmii as boot2 to be run.
Does Ohneswanzengger generate keys.bin, or is the only keys.bin file the one you get from dumping the nand through bootmii?
If Ohneswanzengger generates a keys.bin, that could possibly be the issue; try using the keys.bin from bootmii.
 

mauifrog

DA KINE WiiHacker
Member
Joined
Jan 21, 2010
Messages
1,587
Trophies
0
Website
Visit site
XP
392
Country
United States
bootmii does not write to boot2, so bootmii always lives. The nand keys are specific to the wii and never change. Try Ohneswanzenegger again. Make a fresh nand dump, does not need to be from working wii, just needs to be new. Be sure to delete nand.bin and key.bin from sd:/ prior to making nand dump. Copy nand.bin and key.bin to folder on pc with Ohneswanzenegger. Open nand.bin with ohneswanzenegger, format nand.bin, then type 4.1u to install system. Enter proper serial number into setting.txt. Then check the nand.bin with nandbincheck -all -vvv. Then restore nand.bin. Should work without issue. If you're still having issues, make another nand dump, then check that with nandbincheck. If nand check passes, nand is not your issue.
 

drfsupercenter

Yep. As I thought. Completely kaput as it was last time. I restored the NAND and got blackscreened. If I take the SD card out, black screen right away... if I leave it in, BootMii shows up and when I click for Wii Menu it blackscreens.

Here's what nandbincheck gives:
Code:
** nandBinCheck : Wii nand info tool **
   from giantpune
   svn r: 104
   built: Jun  5 2011 21:29:38
checking boot1 & 2... 
Boot1 B (vulnerable) 
found 3 copies of boot2 
"blocks 1 & 2: Marked as bad blocks; Content Sha1 matches TMD; TMD officially signed; Ticket officially signed; Version 4" 
"blocks 3 & 4: Used for booting; Content Sha1 matches TMD; TMD is fakesigned; Ticket officially signed; BootMii (Unk)" 
"blocks 7 & 6: Backup copy; Content Sha1 matches TMD; TMD officially signed; Ticket officially signed; Version 4" 
checking uid.sys... 
checking content.map... 
checking "/shared1/00000000.app" ... 
checking "/shared1/00000001.app" ... 
checking "/shared1/00000002.app" ... 
checking "/shared1/00000003.app" ... 
checking "/shared1/00000004.app" ... 
checking "/shared1/00000005.app" ... 
checking "/shared1/00000006.app" ... 
checking "/shared1/00000007.app" ... 
checking "/shared1/00000008.app" ... 
checking "/shared1/00000009.app" ... 
checking "/shared1/0000000a.app" ... 
checking "/shared1/0000000b.app" ... 
checking "/shared1/0000000c.app" ... 
checking "/shared1/0000000d.app" ... 
checking "/shared1/0000000e.app" ... 
checking "/shared1/0000000f.app" ... 
checking "/shared1/00000010.app" ... 
checking "/shared1/00000011.app" ... 
checking "/shared1/00000012.app" ... 
checking "/shared1/00000013.app" ... 
checking "/shared1/00000014.app" ... 
checking "/shared1/00000015.app" ... 
checking "/shared1/00000016.app" ... 
checking "/shared1/00000017.app" ... 
checking "/shared1/00000018.app" ... 
checking "/shared1/00000019.app" ... 
checking "/shared1/0000001a.app" ... 
checking "/shared1/0000001b.app" ... 
checking "/shared1/0000001c.app" ... 
checking "/shared1/0000001d.app" ... 
checking "/shared1/0000001e.app" ... 
checking "/shared1/0000001f.app" ... 
checking "/shared1/00000020.app" ... 
checking "/shared1/00000021.app" ... 
checking "/shared1/00000022.app" ... 
checking "/shared1/00000023.app" ... 
checking "/shared1/00000024.app" ... 
checking "/shared1/00000025.app" ... 
checking "/shared1/00000026.app" ... 
checking "/shared1/00000027.app" ... 
checking "/shared1/00000028.app" ... 
checking "/shared1/00000029.app" ... 
checking "/shared1/0000002a.app" ... 
checking "/shared1/0000002b.app" ... 
checking "/shared1/0000002c.app" ... 
checking "/shared1/0000002d.app" ... 
checking "/shared1/0000002e.app" ... 
checking "/shared1/0000002f.app" ... 
checking "/shared1/00000030.app" ... 
checking "/shared1/00000031.app" ... 
checking "/shared1/00000032.app" ... 
checking "/shared1/00000033.app" ... 
checking "/shared1/00000034.app" ... 
checking "/shared1/00000035.app" ... 
checking "/shared1/00000036.app" ... 
checking "/shared1/00000037.app" ... 
checking "/shared1/00000038.app" ... 
checking "/shared1/00000039.app" ... 
checking "/shared1/0000003a.app" ... 
checking "/shared1/0000003b.app" ... 
checking "/shared1/0000003c.app" ... 
checking "/shared1/0000003d.app" ... 
checking "/shared1/0000003e.app" ... 
checking "/shared1/0000003f.app" ... 
found 42 titles installed 
Checking 00000001-00000009 ... 
Checking 00000001-0000000c ... 
Checking 00000001-0000000d ... 
Checking 00000001-0000000e ... 
Checking 00000001-0000000f ... 
Checking 00000001-00000011 ... 
Checking 00000001-00000015 ... 
Checking 00000001-00000016 ... 
Checking 00000001-0000001c ... 
Checking 00000001-0000001f ... 
Checking 00000001-00000021 ... 
Checking 00000001-00000022 ... 
Checking 00000001-00000023 ... 
Checking 00000001-00000024 ... 
Checking 00000001-00000025 ... 
Checking 00000001-00000026 ... 
Checking 00000001-00000035 ... 
Checking 00000001-00000037 ... 
Checking 00000001-0000003c ... 
Checking 00000001-0000003d ... 
Checking 00000001-000000fe ... 
found 21 bootable IOS 
Checking 00000001-00000002 ... 
Checking 00000001-00000004 ... 
Checking 00000001-0000000a ... 
Checking 00000001-0000000b ... 
Checking 00000001-00000010 ... 
Checking 00000001-00000014 ... 
Checking 00000001-0000001e ... 
Checking 00000001-00000032 ... 
Checking 00000001-00000033 ... 
Checking 00000001-00000100 ... 
Checking 00000001-00000101 ... 
Checking 00010002-48414141 (HAAA) ... 
Checking 00010002-48414241 (HABA) ... 
Checking 00010002-48414341 (HACA) ... 
Checking 00010002-48414641 (HAFA) ... 
Checking 00010002-48414645 (HAFE) ... 
Checking 00010002-48414741 (HAGA) ... 
Checking 00010002-48414745 (HAGE) ... 
Checking 00010002-48415941 (HAYA) ... 
Checking 00010008-48414b45 (HAKE) ... 
Checking 00010008-48414c45 (HALE) ... 
Checking for 003 error ... 
Checking setting.txt stuff... 
Comparing uid.sys against the filesystem... 
checking for lost clusters... 
found 0 lost clusters
UNK ( 0xffff ) 0 () 
free            63d9 
verifying ecc... 
2 out of 461248 pages had incorrect ecc.
they were spread through 2 clusters in 2 blocks:
 (2, 6) 
0 of those clusters are non-special (they belong to the fs) 
verifying hmac... 
verifying hmac for 249 files 
0 files had bad HMAC data 
checking HMAC for superclusters... 
0 superClusters had bad HMAC data

So I'm confused.

I renamed the nand.bin and keys.bin nand.old and keys.old and then took another dump after that. The keys.bin has one difference (when I compare using HxD) and the nand.bin has a bunch of data where the Ohneschwanzenegger one was all 0xFF in that area.

What does this mean? Is my Wii not flashing correctly? What's very strange though is that I can backup and restore actual NANDs, not ones made on my computer, just fine. It doesn't seem to have any problems with those.
 

drfsupercenter

nandbincheck looks good. Is this from a fresh nand dump after restore?


Oh, no. That's after I tried to turn the system on and got black-screened.
I could try restoring and redumping without power cycling, but what would that prove? The nand.bin I restored clearly doesn't work.
 

Acidflare

Like I said, the only way you probably will get your wii working again is with wii-mod (dop-mii mod) to reinstall the system menu, but I believe a certain ios is needed for it to work. Read the afterdawn forums link I posted a couple of posts behind; it has some detailed info on reinstalling 4.1.
 

Acidflare

No, I don't know, never used it. I only have bootmii as ios so I can't do that stuff. Go read the pages I posted; they have detailed instructions on how to re-install the system menu. You won't have to follow the guides exactly, just use them as a guideline to try and come up with a method that gets your wii back on 4.1u without anything extra installed.
 

mauifrog

Ok. What we need to know is if the nand is restoring to the wii properly or not. What is actually on the wii and what is the problem. So restore the good nand.bin that you formatted with ohneswanzeneger, the one that checks clean with nandbincheck. Then remove the nand.bin from sd:\ and make a new nand dump via bootmii. Then check that nand.bin with nandbincheck and see if the before and after reports match.
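
The before/after check suggested in the post above can also be run directly on the two nand.bin files, which shows where a restored image and a fresh re-dump differ. The following Python script is an added example, not part of the thread and not code from any of the tools mentioned. It assumes the usual BootMii dump layout (2048-byte pages each followed by 64 spare bytes, 64 pages per block, 4096 blocks, 1024 bytes of keys appended) and takes the boot2 block range from the nandBinCheck report earlier in the thread; `Geometry`, `region`, `compare_dumps` and `demo` are names made up for the example.

```python
import io
from collections import namedtuple

# Dump geometry: page data + spare bytes, pages per block, block count, keys trailer.
Geometry = namedtuple("Geometry", "page_data page_spare pages_per_block blocks keys_len")
WII = Geometry(2048, 64, 64, 4096, 1024)   # assumed layout of a BootMii nand.bin

def region(block):
    # Block 0 holds boot1; the nandBinCheck report places the boot2 copies in blocks 1-7.
    if block == 0:
        return "boot1"
    return "boot2" if block < 8 else "filesystem"

def compare_dumps(f_a, f_b, geo=WII):
    """Compare dump A (the image that was restored) with dump B (a fresh re-dump)."""
    page = geo.page_data + geo.page_spare
    block_len = page * geo.pages_per_block
    report = {"data": [], "spare_only": [], "erased_in_a": [], "keys_differ": None}
    for blk in range(geo.blocks):
        a, b = f_a.read(block_len), f_b.read(block_len)
        if len(a) != block_len or len(b) != block_len:
            raise ValueError(f"dump ends early in block {blk}")
        if a == b:
            continue
        # Check page data separately from spare bytes so ECC-only changes stand out.
        if all(a[o:o + geo.page_data] == b[o:o + geo.page_data]
               for o in range(0, block_len, page)):
            report["spare_only"].append(blk)
            continue
        report["data"].append((blk, region(blk)))
        if a.count(0xFF) == block_len:      # erased flash reads back as 0xFF
            report["erased_in_a"].append(blk)
    keys_a, keys_b = f_a.read(), f_b.read()
    if keys_a or keys_b:                    # trailer is absent in dumps without keys
        report["keys_differ"] = keys_a != keys_b
    return report

def demo():
    # Constructed miniature dumps (10 blocks of 2 pages, 8+2 bytes per page), not real NAND data.
    geo = Geometry(8, 2, 2, 10, 4)
    blocks = [bytes([i]) * 20 for i in range(9)] + [b"\xff" * 20]
    a = b"".join(blocks) + b"KEY1"
    redump = list(blocks)
    redump[3] = b"\x99" + blocks[3][1:]                   # data byte changed in a boot2 block
    redump[5] = blocks[5][:8] + b"\x00" + blocks[5][9:]   # only a spare byte changed
    redump[9] = b"\x01" * 20                              # erased in A, holds data in B
    b = b"".join(redump) + b"KEY2"
    return compare_dumps(io.BytesIO(a), io.BytesIO(b), geo)
```

For real dumps, open both files with `open(path, "rb")` and call `compare_dumps` with the default geometry; blocks listed under `erased_in_a` are the ones that were all 0xFF in the prepared image but contain data in the re-dump.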
 
