Hacking [RELEASE] Wii U NAND Tools

[SundayWarrior]

Today i get teensy2.0++. Now i have slc.bin and two otp.bin files (one donor and one orig - with donor otp.bin file dump extracting but any .xml and other files - trash; with orig all fine)
Now i confused - nandtool cbhc remover get message "cant find system.xml backup are you sure cbhc is installed" and cant fix. Nandtool checker reporting what scfm.img bad.
What do next, or where i get more info about fixing?
Possible editing .xml files, then inject to dump and flash it back? Only "extract" option i find

--------------------- MERGED ---------------------------

NAND Extractor also does not open

Nand extractor only for slc dump. You can try open mlc

--------------------- MERGED ---------------------------

I have completed Leeful's hardmod method.
My dump file size is 31 784 435 bytes

Mlc not slc.
Only operation on slc dump can help with 160-0103

 

[SundayWarrior]

Find some what get error on boot (possible).
In system.xml default_title_id 0005000010179c00 - its chbc? Orig default_title_id is 0005001010040200? And how inject edit .xml back to encrypted slc.bin?


Edit. Yes - cbhc with "brain traning". And no have syshax.xml = no fix with hbch remover. What next? I find problem, can editing system.xml, but cant eject it to slc.bin.. help request

Solved. Solution on https://gbatemp.net/threads/guide-kaflukes-hardmod-cbhc-unbrick-guide.476725/page-9

 

[Stealphie]

deleted

 

[SundayWarrior]

Please, someone do a tutorial to how to use the CBHC Remover!
PLEASE

https://gbatemp.net/threads/guide-kaflukes-hardmod-cbhc-unbrick-guide.476725/

 

[Stealphie]

deleted

 

[bason24]

can someone help me, i need a clean slc.bin and otp.bin dump, i bricked my wii u by editing the sys_prod.xml and now it bootloops in wii u starts screen, i have already the slc.bin backup using my teensy++ but unluckily i dont have the otp.bin to extract and edit my slc.bin, i have the backup of original sys_prod.xml.

so this is what i will do for my experiment, i will use a donor slc.bin and otp.bin then extract the donor slc.bin and i will copy my original sys_prod.xml to the donor slc.bin and then i will flash it to my bricked wii u.

by the way my wii u is a japan unit.
if anybody here has an clean slc.bin and otp.bin please send it to me for my experiment.

thanks in advance...

 

[piratesephiroth]

can someone help me, i need a clean slc.bin and otp.bin dump, i bricked my wii u by editing the sys_prod.xml and now it bootloops in wii u starts screen, i have already the slc.bin backup using my teensy++ but unluckily i dont have the otp.bin to extract and edit my slc.bin, i have the backup of original sys_prod.xml.

so this is what i will do for my experiment, i will use a donor slc.bin and otp.bin then extract the donor slc.bin and i will copy my original sys_prod.xml to the donor slc.bin and then i will flash it to my bricked wii u.

by the way my wii u is a japan unit.
if anybody here has an clean slc.bin and otp.bin please send it to me for my experiment.

thanks in advance...

That won't work, The SLC key is different for every console and yours won't match the one that encrypts the dump.

 

[bason24]

ok thanks, so its dead already,

 

[piratesephiroth]

yep unless someoone finds an exploit to load an unsigned recovery image, like ntrboot on the 3DS

 

[CrazySquid]

Hm... for some reason Wii U NAND Extractor doesn't work with my Wii U mlc.bin, but it does work with my slc.bin, I can't extract my 32GB dump. Does anyone know how to fix this? my Wii U NAND it's merged with the following command:

copy /b mlc.bin.part01 + mlc.bin.part02 + mlc.bin.part03 + mlc.bin.part04 + mlc.bin.part05 + mlc.bin.part06 + mlc.bin.part07 + mlc.bin.part08 + mlc.bin.part09 + mlc.bin.part10 + mlc.bin.part11 + mlc.bin.part12 + mlc.bin.part13 + mlc.bin.part14 + mlc.bin.part15 mlc.bin

And when I open up that mlc.bin it says "Invalid or unsupported dump", I have otp.bin and my slc.bin opens no problem... I wonder what's happening here.

 

[SirKira001]

Supposing I bricked my Wii U with CBHC, with this tool I can start the CBHC debug menu, enter homebrew and somehow restore the nand?

 

[godreborn]

Supposing I bricked my Wii U with CBHC, with this tool I can start the CBHC debug menu, enter homebrew and somehow restore the nand?

can't restore the NAND without a hardmod. if you can't do that yourself, best to buy a new system, 'cause fixing it might cost the price of a new system. luckily, you only need the system, not the gamepad, so you can get one for around $60.

 

[carlos1984]

anyone can explain what this means,
2 hmas error
bad HMAC for "/sys/title/00050010/1000400a/code/fw.img"
hmac bad (1)
and bad HMAC for "/scfm.img

i have tried flashing slc to the nand, 1st time it completed with no error but system would not boot, sat on wiiu white screen.
could this two hmas error be causing that and if so how do i fix it?


** nandBinCheck : Wii nand info tool **
from giantpune
built: Mar 24 2017 23:49:06
NAND Type: SLC (WiiU)
checking boot1...
Boot1 hash: "3806d41a5c5f139f5b09bbe5b74a5ec45e0f5507"
Boot1 OK!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 7 (2291, 2292, 2293, 2294, 2295, 2296, 2297)
free 4a30
verifying ecc...
0 out of 880640 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 273 files
hmac bad (3)
"fw.img" is dfd200 bytes ( 380 ) clusters
00000000 ff2c58a4 11f1745e e9a56bf8 19b84acb .,X...t^..k...J.
00000010 14259d02 842c58a4 11f1745e e9a56bf8 .%...,X...t^..k.
00000020 19000000 00000000 00000000 00000000 ................
00000030 73067306 41084108 4c0cb303 84098409 s.s.A.A.L.......
00000000 ff2c58a4 11f1745e e9a56bf8 19b84acb .,X...t^..k...J.
00000010 14259d02 842c58a4 11f1745e e9a56bf8 .%...,X...t^..k.
00000020 19000000 00000000 00000000 00000000 ................
00000030 c805370a cf0ccf0c 380ec701 92039203 ..7.....8.......
00000000 2c58a411 f1745ee9 a56bf819 b84acb14 ,X...t^..k...J..
00000010 259d0284 %...
bad HMAC for "/sys/title/00050010/1000400a/code/fw.img"
hmac bad (1)
"scfm.img" is 8004000 bytes ( 2001 ) clusters
00000000 ff000000 00000000 00000000 00000000 ................
00000010 00000000 00000000 00000000 00000000 ................
00000020 00000000 00000000 00000000 00000000 ................
00000030 00000000 00000000 00000000 00000000 ................
00000000 ff000000 00000000 00000000 00000000 ................
00000010 00000000 00000000 00000000 00000000 ................
00000020 00000000 00000000 00000000 00000000 ................
00000030 00000000 00000000 9f059f05 380cc703 ............8...
00000000 f5798ec2 d68f2056 b6e7d046 4edb8629 .y.... V...FN..)
00000010 bc173a1f ..:.
bad HMAC for "/scfm.img"
2 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

also here is my slccmpt.bin, it has more hmas errors.


nandBinCheck.exe slccmpt.bin -all
** nandBinCheck : Wii nand info tool **
from giantpune
built: Mar 24 2017 23:49:06
NAND Type: SLCCMPT (vWii)
vWii - not checking boot
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 0 ()
free 625b
verifying ecc...
3 out of 484672 pages had incorrect ecc.
they were spread through 3 clusters in 3 blocks:
(626, 1441, 1684)
3 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 252 files
hmac bad (1)
"00000000.app" is 1ec80 bytes ( 8 ) clusters
00000000 ff2622d9 c2676781 71e58863 50f5342b .&"..gg.q..cP.4+
00000010 1bda79ee 312622d9 c2676781 71e58863 ..y.1&"..gg.q..c
00000020 50000000 00000000 00000000 00000000 P...............
00000030 140b140b 4d014d01 2706d809 3c073c07 ....M.M.'...<.<.
00000000 fff5342b 1bda79ee 31000000 00000000 ..4+..y.1.......
00000010 00000000 00000000 00000000 00000000 ................
00000020 00000000 00000000 00000000 00000000 ................
00000030 a909a909 b906b906 1b04e40b c808c808 ................
00000000 9d2d6675 4a966892 245270f5 67ee5c78 .-fuJ.h.$Rp.g.\x
00000010 f2de52cc ..R.
bad HMAC for "/title/00010002/48435641/content/00000000.app"
hmac bad (1)
"00000001.app" is 332e80 bytes ( cd ) clusters
00000000 ffc3441d bddef23f cf2e0c39 122fc959 ..D....?...9./.Y
00000010 361ff87a 34c3441d bddef23f cf2e0c39 6..z4.D....?...9
00000020 12000000 00000000 00000000 00000000 ................
00000030 0b060b06 b505b505 b707b707 9e0b6104 ..............a.
00000000 ff2fc959 361ff87a 34000000 00000000 ./.Y6..z4.......
00000010 00000000 00000000 00000000 00000000 ................
00000020 00000000 00000000 00000000 00000000 ................
00000030 0706f809 720a8d05 a401a401 02080208 ....r...........
00000000 3937fd64 d97fb6a0 c10820f4 e56cdd0a 97.d...... ..l..
00000010 3497c2e5 4...
bad HMAC for "/title/00010002/48414241/content/00000001.app"
hmac bad (1)
"0000000d.app" is 28b9f4 bytes ( a3 ) clusters
00000000 ff838894 727fd5d0 77082f67 528b3015 ....r...w./gR.0.
00000010 aed8e950 10838894 727fd5d0 77082f67 ...P....r...w./g
00000020 52000000 00000000 00000000 00000000 R...............
00000030 0d060d06 28092809 7b0f8400 56005600 ....(.(.{...V.V.
00000000 ff8b3015 aed8e950 10000000 00000000 ..0....P........
00000010 00000000 00000000 00000000 00000000 ................
00000020 00000000 00000000 00000000 00000000 ................
00000030 fe09fe09 9e009e00 2e02d10d c5083a07 ..............:.
00000000 ad1c647a 749dd8fd 6f962931 43f63708 ..dzt...o.)1C.7.
00000010 8c8929e6 ..).
bad HMAC for "/shared1/0000000d.app"
3 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

 

[carlos1984]

You have ECC errors in your NANDs, those errors are probably the reason for the bad HMACs.
Those may be fixable ECC errors (one bit error), and if those are, everything is fine. But I don't check for that.

@Brenex, it is weird that you don't have syshax.xml. and your suggestion was actually the original thing that I did. I think that I still have those code, I will check later. And if you use this way you will only need to flash the few changed sectors back.

Hi @pelago How would go about flashing just the" few changed sectors", I successfully flashed my slc. bin backed up before cbhc with no errors, the systme.xml had the correct title key for usa region but my wiiu would not boot, just sit at wiiu screen with no error, the gamepad would say something like plug your tv or something like that.
So I tried writing the same slc.bin to it again but now all I get is verification errors , stating at
block=0x0 page=0 130944kb/540672kb to
block=0xfff page=262080 540672kb/540672kb
So basically the whole chip, what could be going on.
Weird thing is I can dump the nand with no issues, the dumped nand looks good if I check its system.xml.

 

[Cosmopool]

That won't work, The SLC key is different for every console and yours won't match the one that encrypts the dump.

The keys are binded to the apu?

I was thinking in replace the entirely nand chip, but it wouldn't work unless i replace the apu too (i can do reball)?

 

[SundayWarrior]

The keys is binded to the apu?

Yes.

I was thinking in replace the entirely nand chip

If all write and read correctly - no reason for that

 

[piratesephiroth]

The keys are binded to the apu?

I was thinking in replace the entirely nand chip, but it wouldn't work unless i replace the apu too (i can do reball)?

There's a bunch of keys and other stuff stored in the OTP and SEEPROM which should be inside either the CPU or GPU packages.
I suppose it would work if you transfered the CPU and NAND chips from other console but then why don't you just use the other mainboard?

 

[FictiveTida]

Can any of these tools be used to format the system to factory settings? Wiping the NAND or something if it's bricked from a parental pin lock and a Nintendo ID lock, too? Bought a second hand one that's my situation, Nintendo say they can't help. Sorry noob question

 

[GaryOderNichts]

Can any of these tools be used to format the system to factory settings? Wiping the NAND or something if it's bricked from a parental pin lock and a Nintendo ID lock, too? Bought a second hand one that's my situation, Nintendo say they can't help. Sorry noob question

You can use the mkey generator to bypass parental lock: https://mkey.salthax.org/
To remove the NNID you might be able to remove the files associated with the user profile, although this isn't tested and might not even work with the primary user profile.

 

[FictiveTida]

You can use the mkey generator to bypass parental lock:
To remove the NNID you might be able to remove the files associated with the user profile, although this isn't tested and might not even work with the primary user profile.

Thanks for the reply. Unfortunately I can't get into the parental settings to generate the code which the mkey tool needs in order to do it's thing. There's only one profile can't login through Nintendo ID and when I go to add a new profile it asks me for the parental pin code retrying three times doesn't give me the opportunity to generate a code. Is there any way I can get rid of the NNID without logging in? I guess there's always a brute force method but that's 10,000 possible combinations. Tried all the common ones