Hacking: Let's Find A new way to fix 003 Error

Thomas83Lin

kashi777 said:
I found this here:

Here's a quote from your link:
"To fix the Korean 4.2 error: 003 unauthorized device has been detected, you will need to reinstall your cios38r14, and install cIOS70 (from cIOSCORP 3.5) to fix the 4.2 system menu. Or you may downgrade to an unaffected system menu."
????

You can't believe everything you read on the net.
 

Abkarino (OP)
BlackAce83 said:
kashi777 said:
I found this here:

Here's a quote from your link:
"To fix the Korean 4.2 error: 003 unauthorized device has been detected, you will need to reinstall your cios38r14, and install cIOS70 (from cIOSCORP 3.5) to fix the 4.2 system menu. Or you may downgrade to an unaffected system menu."
????

You can't believe everything you read on the net.
Yeah, you are right: since you can't run any homebrew application to install these WADs, forget about it.
This solution will work only if we find a working way to launch our homemade applications such as WAD Manager or HackMii.
 

lord_lufias

Abkarino said:
BlackAce83 said:
kashi777 said:
I found this here:

Here's a quote from your link:
"To fix the Korean 4.2 error: 003 unauthorized device has been detected, you will need to reinstall your cios38r14, and install cIOS70 (from cIOSCORP 3.5) to fix the 4.2 system menu. Or you may downgrade to an unaffected system menu."
????

You can't believe everything you read on the net.
Yeah, you are right: since you can't run any homebrew application to install these WADs, forget about it.
This solution will work only if we find a working way to launch our homemade applications such as WAD Manager or HackMii.

If you can autoboot SSBB, then you should be able to run an exploit like Smash Stack and run a WAD manager in 4.2K (bricked, error 003).

Only then can you reinstall or downgrade the IOS or whatever from the link above. It's already explained in the link.
 

Abkarino (OP)
lord_lufias said:
If you can autoboot SSBB, then you should be able to run an exploit like Smash Stack and run a WAD manager in 4.2K (bricked, error 003).

Only then can you reinstall or downgrade the IOS or whatever from the link above. It's already explained in the link.

Sorry, till now you can't autoboot SSBB NTSC-U; anyway, there's no working method to do it.
So maybe we try to find this method, or wait for comex to port his Smash Stack exploit to the SSBB PAL version.
Or maybe we can find anyone here who can contact modchip teams like DriveKey or WiiKey, for example, to ask them to bypass the autoboot problem for the NTSC version of SSBB using their modchips.
 

Abkarino (OP)
lord_lufias said:
Yup... I've already contacted the DriveKey team to see if it can be done. Waiting for their reply...
That sounds good, so I hope that the DriveKey team can help us bypass the SSBB NTSC-U protection to let us fix our broken Korean Wii consoles.
 

Wiiwu

One hardware method that would surely fix the 003 error would be to blank out the area in the serial EEPROM holding the Korean key.
Any h/w hackers? Please step up.


From http://hackmii.com/2008/09/korean-wii/:
Hiding Keys

There are two places inside the Hollywood package that contain programmable bits — a bank of OTP memory (One-Time Programmable, AKA fuses), and a serial EEPROM (which is actually reprogrammable).

The OTP area is 32 words x 32 bits = 1024 bits, total. This is actually quite a bit for an embedded OTP area — I’ve never seen another chip with that many fuses. (Most chips have more like 16.) The 32 words are organized like so:

5x32: boot1 SHA1 hash
4x32: common AES key
1x32: NG ID
7x32: NG Private Key
5x32: NAND HMAC
4x32: NAND AES key
4x32: RNG key
2x32: Unknown
32x32: Total

Whoops, looks like we’re out of room to stash keys in OTP. Even though there are 2 unknown words, we’d need 4 to store a second common key.

What about the sEEPROM? It stores a couple of flags that indicate whether this is a retail or development console (and therefore which set of public keys should be used), and then the certificate issued by Nintendo that is tacked onto your savegames. There are a couple more flags and counters stored there, but still — that’s less than half of the size of the smallest chip they could buy.

Sure enough, some digging reveals:
Code:
get_korean_key                          ; CODE XREF: load_all_keys+7C
                                        ; DATA XREF: load_all_keys:off_13A7976C
                PUSH    {R4,R5,LR}
                ADDS    R4, R0, #0
                BL      disable_interrupts
                ADDS    R5, R0, #0
                BL      is_otp_programmed
                CMP     R0, #0
                BEQ     loc_FFFF1D48
                MOVS    R0, #0x3A       ; offset
                ADDS    R1, R4, #0      ; dest
                MOVS    R2, #0x10       ; len
                BL      seeprom_read

loc_FFFF1D3C                            ; CODE XREF: get_korean_key+32
                ADDS    R0, R5, #0
                BL      enable_interrupts
                POP     {R4,R5}
                POP     {R0}
                BX      R0
; ---------------------------------------------------------------------------
loc_FFFF1D48                            ; CODE XREF: get_korean_key+10
                ADDS    R0, R4, #0
                LDR     R1, =default_korean_key
                MOVS    R2, #0x10
                BL      memcpy
                B       loc_FFFF1D3C
; ---------------------------------------------------------------------------
off_FFFF1D54    DCD default_korean_key  ; DATA XREF: get_korean_key+2A
; End of function get_korean_key

This code checks to see if the OTP area is programmed; if not, it assumes it is in the factory and uses the default key (all zeroes). If it is, it reads 0x10 bytes from offset 0x3a of the sEEPROM, and uses those.
63 b8 2b b4 f4 61 4e 2e 13 f2 fe fb ba 4c 9b 7e
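The quoted hackmii disassembly above boils down to one branch: with the OTP fuses unprogrammed the key is all zeroes, otherwise 16 bytes are read from sEEPROM offset 0x3A. The following is an added example, not code from this thread, from hackmii or from Nintendo; it renders that routine and the OTP word layout in C, and the helper names (otp_word_offset, demo_korean_key_paths), the 256-byte 93C56 size and the sample sEEPROM image are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added model (see lead-in): helper names and the sample image are constructed. */
#define KOREAN_KEY_OFFSET 0x3A   /* sEEPROM offset the routine reads */
#define KOREAN_KEY_LEN    0x10   /* 16-byte AES key */
#define SEEPROM_LEN       0x100  /* 93C56: 2 Kbit = 256 bytes (assumption) */
/* OTP layout from the post: 32 words x 32 bits, in this order. */
static const struct { const char *name; unsigned words; } otp_layout[] = {
    { "boot1 SHA1 hash", 5 }, { "common AES key", 4 }, { "NG ID",        1 },
    { "NG private key",  7 }, { "NAND HMAC",      5 }, { "NAND AES key", 4 },
    { "RNG key",         4 }, { "unknown",        2 },
};

/* Word offset of a named OTP field, or -1 if the layout has no such field.
 * "unknown" starts at word 30: only 2 free words, not the 4 a second key needs. */
int otp_word_offset(const char *name) {
    unsigned off = 0;
    for (size_t i = 0; i < sizeof otp_layout / sizeof otp_layout[0]; i++) {
        if (strcmp(otp_layout[i].name, name) == 0) return (int)off;
        off += otp_layout[i].words;
    }
    return -1;
}

/* Mirrors the disassembly: OTP not programmed -> default (all-zero) key,
 * OTP programmed -> 16 bytes copied from sEEPROM offset 0x3A.
 * Returns 1 when the key came from the sEEPROM, 0 for the factory default. */
int get_korean_key(const uint8_t *seeprom, int otp_programmed, uint8_t *dest) {
    if (!otp_programmed) {
        memset(dest, 0, KOREAN_KEY_LEN);   /* default_korean_key */
        return 0;
    }
    memcpy(dest, seeprom + KOREAN_KEY_OFFSET, KOREAN_KEY_LEN);
    return 1;
}

/* Self-check on a constructed image where sEEPROM byte i holds (i & 0xFF).
 * Returns 0 on success, otherwise the number of the first failing step. */
int demo_korean_key_paths(void) {
    uint8_t seeprom[SEEPROM_LEN], key[KOREAN_KEY_LEN];
    for (unsigned i = 0; i < SEEPROM_LEN; i++) seeprom[i] = (uint8_t)i;
    if (get_korean_key(seeprom, 0, key) != 0) return 1;   /* factory path */
    for (unsigned i = 0; i < KOREAN_KEY_LEN; i++) if (key[i] != 0) return 2;
    if (get_korean_key(seeprom, 1, key) != 1) return 3;   /* retail path */
    for (unsigned i = 0; i < KOREAN_KEY_LEN; i++)
        if (key[i] != KOREAN_KEY_OFFSET + i) return 4;
    return 0;
}
```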
 

SanGor

Well, that sadly doesn't help at all; the sEEPROM is pretty much inaccessible hardware-wise.

The main problem is still getting code to run... I wonder why nobody just sends his 003 Wii to crediar or so; it's a win-win situation in any case.
Obviously nobody is able to come up with a fix...
 

Wiiwu

Has the h/w already been explored and found inaccessible?

Or is it the lack of chip pinout documentation? Can DeadlyFoez check with Bushing on this?

I think if we can erase this Korean key, it will totally convert it into a US set, and also no more risk of the 003 or 004, 005 problem in the future too.
 

smf

SanGor said:
You see the sEEPROM on the GPU; how the hell are you going to write something to that?

Using SPI; you just need to find a way to get to it.
The diagram has it outside Hollywood, which would make it easy.
Is it wrong?
 

Wiiwu

Yes, it's on top, thanks for the pic.

And it looks like a discrete part with possibly exposed pins/traces to exploit? Maybe it's even an off-the-shelf, well-known component. Very interesting front to explore, I'd say. Perhaps GPIOs may point to something?
 

Abkarino (OP)
I think that if we can find any GPIO port leading to the SEEPROM, we can easily reprogram it or erase it.
Maybe Nintendo added some special GPIO ports to the Wii motherboard to allow it to program the SEEPROM after the GPU is installed in the Wii motherboard, or maybe this is the way that Nintendo uses to fix these broken Wii consoles, so the solution now is that we must find these ports, if they exist.
 

Wiiwu

Thanks for the finding, Abkarino.

So we now know quite a bit:

- Korean common key location
- SEEPROM is a 93C56
- easy to program, 4 pins: CS, CLK, MOSI, MISO

I bet these pins are routed to the mainboard too, maybe amongst the many test points?
 

Abkarino (OP)
Wiiwu said:
Thanks for the finding, Abkarino.

So we now know quite a bit:

- Korean common key location
- SEEPROM is a 93C56
- easy to program, 4 pins: CS, CLK, MOSI, MISO

I bet these pins are routed to the mainboard too, maybe amongst the many test points?

Thank you, Wiiwu.
Yes, you may be right; I think that these pins may be routed to the mainboard also, so if anyone finds new information about it, please share it with us here.
 

Abkarino (OP)
DeadlyFoez said:
Good luck finding them, and finding the right protocol to get the info. Team Twiizers already has tried many hardware things on the Wii and they never found anything close to it. After my talks with marcan, I believe that we find anything new about the Wii. You almost have to disassemble the whole Wii to find it. You will have to remove the Hollywood chip and run continuity tests to find where each lead goes to.

The way that I bet it works is that once Nintendo writes the data into the OTP and they blow the fuses, only the Hollywood chip itself will be able to see the keys, and that data doesn't go outside of Hollywood, and there is no way of getting it otherwise.

Hey, I could be wrong. But good luck to whoever wants to kill their Wii to find this info.

If someone sends me a test Wii then I can remove the Hollywood and start running tests. My wife won't let me do it to our Wii because she loves NSMBW too much.

Thank you, man. I hope that we can find it soon; I have access to good test equipment like a digital oscilloscope and logic analyzer, etc.
So I hope that anyone can tell us some more useful info to help us hack this OTP memory.
 
