Hacking Decrypting/re-encrypting MLC to "clone" donor Wii U's MLC

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
140
Country
United States
Hi all,
So, bought a Wii U from eBay, came with the wonderful 160-0103 issue (not from CBHC though, the MLC itself is corrupted). Reset it to stock and now it's completely bricked, as booting goes straight to the same issue. Well, since it's already broken, I guess I can't break it any further!

So, I soldered a hardmod to the MLC chip and dumped it through my SD card reader. Using wfs-extract revealed a lot of broken files, so I grabbed an MLC backup from my dad's Wii U and extracted its filesystem, hoping to replace the broken files and write the MLC back to the chip. However, when I tried to replace them with wfs-file-injector, it wasn't working; I think there's an issue with the actual block/sector allocation, so the injector can't write any data to the blocks that were corrupted.

Now I want to try something else: decrypting the entirety of the donor MLC and re-encrypting it with the OTP of my Wii U, then writing that back and seeing what happens. If it doesn't work, and the actual chip is bad, I'm going to try buying a new chip entirely and using that instead. However, I'm stuck on the decryption/encryption step.

Does anyone know how to decrypt/re-encrypt the MLC block by block instead of traversing the file system? I think replacing the entire thing has the best chance of succeeding, since I don't truly know the extent of the damage to the filesystem. I can't find any documentation on decryption/encryption of the MLC apart from wfslib, which seemingly doesn't have support for block-by-block traversal, and I can't wrap my head around how it works enough to reverse engineer just how the block encryption works by itself, divorced of being associated with any files.

Any help would be appreciated!
 

The Real Jdbye

*is birb*
Member
Joined
Mar 17, 2010
Messages
22,130
Trophies
3
Location
Space
XP
11,472
Country
Norway
Hi all,
So, bought a Wii U from eBay, came with the wonderful 160-0103 issue (not from CBHC though, the MLC itself is corrupted). Reset it to stock and now it's completely bricked, as booting goes straight to the same issue. Well, since it's already broken, I guess I can't break it any further!

So, I soldered a hardmod to the MLC chip and dumped it through my SD card reader. Using wfs-extract revealed a lot of broken files, so I grabbed an MLC backup from my dad's Wii U and extracted its filesystem, hoping to replace the broken files and write the MLC back to the chip. However, when I tried to replace them with wfs-file-injector, it wasn't working; I think there's an issue with the actual block/sector allocation, so the injector can't write any data to the blocks that were corrupted.

Now I want to try something else: decrypting the entirety of the donor MLC and re-encrypting it with the OTP of my Wii U, then writing that back and seeing what happens. If it doesn't work, and the actual chip is bad, I'm going to try buying a new chip entirely and using that instead. However, I'm stuck on the decryption/encryption step.

Does anyone know how to decrypt/re-encrypt the MLC block by block instead of traversing the file system? I think replacing the entire thing has the best chance of succeeding, since I don't truly know the extent of the damage to the filesystem. I can't find any documentation on decryption/encryption of the MLC apart from wfslib, which seemingly doesn't have support for block-by-block traversal, and I can't wrap my head around how it works enough to reverse engineer just how the block encryption works by itself, divorced of being associated with any files.

Any help would be appreciated!
Don't you need OTP.bin to decrypt the NAND backup? How did you get it on a bricked Wii U? :o
 

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
140
Country
United States
Don't you need OTP.bin to decrypt the NAND backup? How did you get it on a bricked Wii U? :o
Oh yeah, forgot to mention, the Wii U wasn't fully bricked before I reset it, so I was able to dump everything (but the MLC, which I got through the hardmod eventually). So having the keys to decrypt both MLCs isn't the issue, thankfully.
 
  • Like
Reactions: The Real Jdbye

The Real Jdbye

*is birb*
Member
Joined
Mar 17, 2010
Messages
22,130
Trophies
3
Location
Space
XP
11,472
Country
Norway
Oh yeah, forgot to mention, the Wii U wasn't fully bricked before I reset it, so I was able to dump everything (but the MLC, which I got through the hardmod eventually). So having the keys to decrypt both MLCs isn't the issue, thankfully.
So this is that same error that people were getting from Smash Bros right.
Afraid I can't be of much help when it comes to converting/encrypting a donor NAND to work though. It's not a much explored area of Wii U hacking, I watch GBAtemp every day and have been for many years and I dont think I've read anyone doing it successfully, or even attempting it, as, well, usually there is not much reason to want to use a NAND from another Wii U I guess.
I remember you can use a donor NAND in Mocha but the optical drive will not work. It uses OTP/SEEPROM from the donor, so the keys already match the NAND and no further changes are necessary. However, the disc drive will not work because that also relies on keys in SEEPROM and the keys from the donor do not match those in the actual hardware. Unless that's been fixed so that it does not redirect that specific area of SEEPROM "The WiiU drive key part of the SEEPROM is not redirected as this one has to match the console drive key" hey, turns out he did fix it.
That probably isn't much help though, because in order to run Mocha the Wii U must already be working.
 

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
140
Country
United States
So this is that same error that people were getting from Smash Bros right.
Afraid I can't be of much help when it comes to converting/encrypting a donor NAND to work though. It's not a much explored area of Wii U hacking, I watch GBAtemp every day and have been for many years and I dont think I've read anyone doing it successfully, or even attempting it, as, well, usually there is not much reason to want to use a NAND from another Wii U I guess.
I remember you can use a donor NAND in Mocha but the optical drive will not work. It uses OTP/SEEPROM from the donor, so the keys already match the NAND and no further changes are necessary. However, the disc drive will not work because that also relies on keys in SEEPROM and the keys from the donor do not match those in the actual hardware. Unless that's been fixed so that it does not redirect that specific area of SEEPROM "The WiiU drive key part of the SEEPROM is not redirected as this one has to match the console drive key" hey, turns out he did fix it.
That probably isn't much help though, because in order to run Mocha the Wii U must already be working.
Yeah, unfortunately it's not a thing I can do in the system's current state. Thanks though!
 

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
I've never been successful at decrypting the entire mlc. There's a problem with wfs extract when it encounters folders with capital letters. You just need the otp.bin for the mlc.
 

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
140
Country
United States
I've never been successful at decrypting the entire mlc. There's a problem with wfs extract when it encounters folders with capital letters. You just need the otp.bin for the mlc.
I actually fixed that issue in my local fork, but I don't want to traverse the filesystem itself, so that shouldn't matter. Or is the encryption on a file by file basis and there's no other way to do it?
 

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
this is what it does:

1633131536563.png

I could find no such file or directory myself, so I don't know where this file is.
 

mive

Well-Known Member
Member
Joined
Jul 19, 2018
Messages
252
Trophies
0
Age
39
XP
588
Country
Germany
your missing a package

Code:
Repository      : extra
Name            : boost
Version         : 1.75.0-2
Description     : Free peer-reviewed portable C++ source libraries - development
                  headers
Architecture    : x86_64
URL             : https://www.boost.org/
Licenses        : custom
Groups          : None
Provides        : None
Depends On      : boost-libs=1.75.0
Optional Deps   : python: for python bindings
Conflicts With  : None
Replaces        : None
Download Size   : 13.14 MiB
Installed Size  : 168.28 MiB
Packager        : Felix Yan <[email protected]>
Build Date      : Sat Dec 19 07:00:10 2020
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Ql |grep boost | grep file
...
boost /usr/include/boost/filesystem.hpp
...

$ pacman -Ss boost
extra/boost 1.75.0-2 [installed]
    Free peer-reviewed portable C++ source libraries - development headers
extra/boost-libs 1.75.0-2 [installed]
    Free peer-reviewed portable C++ source libraries - runtime libraries
 
  • Like
Reactions: godreborn

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
your missing a package

Code:
Repository      : extra
Name            : boost
Version         : 1.75.0-2
Description     : Free peer-reviewed portable C++ source libraries - development
                  headers
Architecture    : x86_64
URL             : https://www.boost.org/
Licenses        : custom
Groups          : None
Provides        : None
Depends On      : boost-libs=1.75.0
Optional Deps   : python: for python bindings
Conflicts With  : None
Replaces        : None
Download Size   : 13.14 MiB
Installed Size  : 168.28 MiB
Packager        : Felix Yan <[email protected]>
Build Date      : Sat Dec 19 07:00:10 2020
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Ql |grep boost | grep file
...
boost /usr/include/boost/filesystem.hpp
...

$ pacman -Ss boost
extra/boost 1.75.0-2 [installed]
    Free peer-reviewed portable C++ source libraries - development headers
extra/boost-libs 1.75.0-2 [installed]
    Free peer-reviewed portable C++ source libraries - runtime libraries
how do I install it? I installed the make command with devkit pro, I think. then, I installed g++ separately.
 

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
@mive , this is what it does (it looks like I don't have the boost command, and I'm very confused on how to install it. I tried to install its sh file, but I'm missing dependencies):

1633183844387.png
 
Last edited by godreborn,

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
I think I'm going to give up. I don't think this is possible with windows. I got boost installed, but it's not compiled. there's no such command in windows from what I've read.
 

Sierraffinity

Member
OP
Newcomer
Joined
Sep 18, 2021
Messages
12
Trophies
0
Age
25
XP
140
Country
United States
I think I'm going to give up. I don't think this is possible with windows. I got boost installed, but it's not compiled. there's no such command in windows from what I've read.
If you're on Windows, you can use the Visual Studio solution file... though I did I have to fix it to work on Windows 10. I can share my fork but you'll have to get cryptopp yourself and build/point to it, since the latest version isn't on nuget anymore: https://github.com/Sierraffinity/wfslib
 

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
If you're on Windows, you can use the Visual Studio solution file... though I did I have to fix it to work on Windows 10. I can share my fork but you'll have to get cryptopp yourself and build/point to it, since the latest version isn't on nuget anymore: https://github.com/Sierraffinity/wfslib
I have visual studio installed, but I don't understand what you mean by solution file or point to it:

1633210840732.png
 

godreborn

Welcome to the Machine
Member
Joined
Oct 10, 2009
Messages
33,317
Trophies
2
XP
22,436
Country
United States
the problem is not installing. it's compiling. I heard that I had to use libconfig, which doesn't exist for windows afaik. I have gcc installed, so I can install it, just not compile.
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    Psionic Roshambo @ Psionic Roshambo: Lol