It's been known for some time that the Wii U's bootrom (boot0) has a provision for booting from SD card if a particular RTC flag, "UNSTBL_PWR" (aka "sdboot" or "sdboot1"), is set. This is used by the de_Fuse exploit to load an unencrypted boot1 from SD, but it doesn't actually set the flag; it merely fakes it in the EXI data stream so boot0 *thinks* it's set.
Recently, a bunch of Nintendo factory GCN memory cards, SD cards, and "battery jigs" were obtained from various sellers. The "battery jig" was the most interesting bit, since it plugs into the Wii U's clock battery slot and injects a signal into TP73. It turns out this signal is what sets the "UNSTBL_PWR" flag, which is most likely how Nintendo's authorized repair centers repaired broken Wii Us. But there's more to getting it to work than just setting the flag...
A Wii U with one of the original battery jigs inserted in the clock battery slot. Photo provided by Kelly.
Full write-up here: https://consolebytes.com/wii-u-sdboot1-exploit-paid-the-beak/ (by DeadlyFoez)
Paid The Beak exploit code: https://github.com/Wack0/paid-the-beak (by Rairii)
Currently, the "battery jig" has been replicated on two different microcontrollers:
- Raspberry Pi Pico: https://github.com/jan-hofmeier/wiiu_unstable_power (by SDIO)
- PICAXE 08M2 (by DeadlyFoez; see the write-up for the code)
Note that this exploit currently only works on retail-keyed consoles with a working SEEPROM. If SEEPROM is corrupted, boot0 will refuse to boot anything unless the de_Fuse exploit is used. (It also works on dev-keyed consoles set to boot from PCFS, which is currently limited to CAT-DEV units.) In addition, an SDSC (<= 2 GB) card must be used, because boot0 doesn't support SDHC.
Credits to everyone on the linked pages for finding the parts and developing the exploit: WiiCurious, Kelly, Rairii, SDIO, Gary, DeadlyFoez, and anyone I may have missed.
Last edited by GerbilSoft,