Hacking [RELEASE] Wii U NAND Tools

[EyeKey]

So after the recent development with the Wii U, and the growing number of bricks, it is about time that we will finally have tools for the Wii U NAND. It isn't very different from the Wii NAND.

(This thread is about the 512MB SLC, not the 8GB/32GB MLC)

If you want to take proper dumps of your NAND, check out this homebrew:
https://gbatemp.net/threads/nand-dumper-create-full-dumps-of-the-nand.465680/


Wii U NAND Extractor:

Download (Source)
Modified Wii NAND Extractor by parannoyed. Now supports Wii/vWii/WiiU (Full dump/redNAND dump/..)
Place otp.bin in the directory of this program and load the dump.

WiiUQt - Collection of Qt NAND Tools:
Download (experimental) (Source)
Collections of tools based on the WiiQt for the Wii.

Note: To use those tools, you must have otp.bin in the directory of your dump.

nandBinCheck - Verify integrity of NAND backups:
Usage: nandBinCheck.exe <path to dump> <options>
Run it without arguments for list of options.

nandFixer - Fixing partial dumps (Making redNAND dump flashable):
This tool add important missing metadata to the dump. Can be used to flash redNAND dump to SLC.
Usage: nandFixer.exe <input rednand dump> <output dump>
It is recommended to verify the newly created dump with nandBinCheck.exe <output dump> -all

nandCbhcRemover - Fixing CBHC bricks:
Note: Backup your nand and verify it with nandBinCheck before using this tool!
This tool restore the backed up system.xml. Can be used to fix CBHC brick.
Usage: nandCbhcRemover.exe <full slc dump>
It is recommended to verify the updated dump with nandBinCheck.exe <output dump> -all

Thanks to @Leeful that verified that both nandFixer and nandCbhcRemover can be used for unbricking!

If you want to follow the efforts to unbrick Wii U, and for more info about Wii U hardmod, visit this thread.

 

[Kafluke]

So after the recent development with the Wii U, and the growing number of bricks, it is about time that we will finally have tools for the Wii U NAND. It isn't very different from the Wii NAND.

(This thread is about the 512MB SLC, not the 8GB/32GB MLC)

Right now there is only one tool here, but I am going to update this thread with more ported/new tools soon.

Wii U NAND Extractor:
Download (Source)
Modified Wii NAND Extractor by parannoyed. Now supports Wii/vWii/WiiU (Full dump/redNAND dump/..)
Place otp.bin in the directory of this program and load the dump.


Upcoming tools:
Ported WiiQt lib.
Tool to fix CBHC bricked NAND (with OTP and hardmod).
Tool to make a partial dump (like redNAND dump) flashable. (Hopefully there won't be issues with it)

If you want to follow the efforts to unbrick Wii U, and for more info about Wii U hardmod, visit this thread.

Nicely done. Thx for starting this thread.

 

[Kafluke]

Can't wait for you to figure this out @EyeKey . I'd love to have backup and restore steps included in my guide

I might even be willing to brick my spare just to test out

 

[GraFfiX420]

So after the recent development with the Wii U, and the growing number of bricks, it is about time that we will finally have tools for the Wii U NAND. It isn't very different from the Wii NAND.

(This thread is about the 512MB SLC, not the 8GB/32GB MLC)

Right now there is only one tool here, but I am going to update this thread with more ported/new tools soon.

Wii U NAND Extractor:
View attachment 82154
Download (Source)
Modified Wii NAND Extractor by parannoyed. Now supports Wii/vWii/WiiU (Full dump/redNAND dump/..)
Place otp.bin in the directory of this program and load the dump.


Upcoming tools:
Ported WiiQt lib.
Tool to fix CBHC bricked NAND (with OTP and hardmod).
Tool to make a partial dump (like redNAND dump) flashable. (Hopefully there won't be issues with it)

If you want to follow the efforts to unbrick Wii U, and for more info about Wii U hardmod, visit this thread.

Glad to see you're going to work on this, looking at the source for ohneschwanzenegger I think you will probably be able to make these modifications to this program as well fairly easily. Good work!

 

[Deleted User]

Tool to fix CBHC bricked NAND (with OTP and hardmod).

owo Can't wait.

 

[jbuck1975]

This is awesome to hear someone working on it

 

[Deleted member 408660]

This looks promising, nice job!

 

[Valery0p]

This next experiment
Seems
Very
Very
Interesting
...

 

[aut0mat3d]

Thank You verry much for your Work!

Ran nandFixer over my RedNAND dump and browsed the output .bin with NAND Extractor - worked fine.
Doing a nandbincheck on the converted .bin (with genereated ECC data) i stumbled over the following output:

D:\wiiwork>nandBinCheck.exe slc.fixed.bin -all
** nandBinCheck : Wii nand info tool **
   from giantpune
   built: Mar 24 2017 04:17:01
checking boot1...
Blocks0to1::CheckBoot1 -> not enough blocks 2
Boot1 check failed!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 7e (771, 772, 773, 774, 775, 776, 777, cc8, cc9, cca, ccb, ccc, ccd, cce, ccf, cf8, cf9, cfa, cfb, cfc, cfd, cfe, cff, 11b8, 11b9, 11ba, 11bb, 11bc, 11bd, 11be, 11bf, 11d8, 11d9, 11da, 11db, 11dc, 11dd, 11de, 11df, 11e0, 11e1, 11e2, 11e3, 11e4, 11e5, 11e6, 11e7, 1260, 1261, 1262, 1263, 1264, 1265, 1266, 1267, 1614, 1615, 1616, 1617, 1720, 1721, 1722, 1723, 1724, 1725, 1726, 1727, 1830, 1831, 1832, 1833, 1834, 1835, 1836, 1837, 1838, 1839, 183a, 183b, 183c, 183d, 183e, 183f, 1840, 1841, 1842, 1843, 1844, 1845, 1846, 1847, 1868, 1869, 186a, 186b, 186c, 186d, 186e, 186f, 1a50, 1a51, 1a52, 1a53, 1a54, 1a55, 1a56, 1a57, 1a90, 1a91, 1a92, 1a93, 1a94, 1a95, 1a96, 1a97, 26a4, 26a5, 26a6, 26a7, 5111, 5112, 5113, 5114, 5115, 5116, 5117)
free            4825
verifying ecc...
0 out of 915136 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
 ()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 513 files
0 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

I do have the following questions/suggestions:
When using nandFixer to restore a Dump to a Wii U we need to have a way to move/rearrange bad Blocks: Could you please implement that in nandFixer?

• Import Hardwaredump
• Import fixed Dump
• Move Blocks according to Bad Block Mapping of the Hardwaredump
• Output fixed Dump with BBM

Having the Abitility to edit/fix system.xml in the Extractor would be great to repair bricked Wii U´s

Anone knows a Way to dump OTP via hardware? - i think, there are many bricks out in the Wild without dumped OTP

Thanks again, this is a awesome Progress you made!

 

[Cava]

Very cool OP! Thanks for your work!

 

[EyeKey]

Thank You verry much for your Work!

Ran nandFixer over my RedNAND dump and browsed the output .bin with NAND Extractor - worked fine.
Doing a nandbincheck on the converted .bin (with genereated ECC data) i stumbled over the following output:

D:\wiiwork>nandBinCheck.exe slc.fixed.bin -all
** nandBinCheck : Wii nand info tool **
   from giantpune
   built: Mar 24 2017 04:17:01
checking boot1...
Blocks0to1::CheckBoot1 -> not enough blocks 2
Boot1 check failed!
checking for lost clusters...
found 0 lost clusters
UNK ( 0xffff ) 7e (771, 772, 773, 774, 775, 776, 777, cc8, cc9, cca, ccb, ccc, ccd, cce, ccf, cf8, cf9, cfa, cfb, cfc, cfd, cfe, cff, 11b8, 11b9, 11ba, 11bb, 11bc, 11bd, 11be, 11bf, 11d8, 11d9, 11da, 11db, 11dc, 11dd, 11de, 11df, 11e0, 11e1, 11e2, 11e3, 11e4, 11e5, 11e6, 11e7, 1260, 1261, 1262, 1263, 1264, 1265, 1266, 1267, 1614, 1615, 1616, 1617, 1720, 1721, 1722, 1723, 1724, 1725, 1726, 1727, 1830, 1831, 1832, 1833, 1834, 1835, 1836, 1837, 1838, 1839, 183a, 183b, 183c, 183d, 183e, 183f, 1840, 1841, 1842, 1843, 1844, 1845, 1846, 1847, 1868, 1869, 186a, 186b, 186c, 186d, 186e, 186f, 1a50, 1a51, 1a52, 1a53, 1a54, 1a55, 1a56, 1a57, 1a90, 1a91, 1a92, 1a93, 1a94, 1a95, 1a96, 1a97, 26a4, 26a5, 26a6, 26a7, 5111, 5112, 5113, 5114, 5115, 5116, 5117)
free            4825
verifying ecc...
0 out of 915136 pages had incorrect ecc.
they were spread through 0 clusters in 0 blocks:
 ()
0 of those clusters are non-special (they belong to the fs)
verifying hmac...
verifying hmac for 513 files
0 files had bad HMAC data
checking HMAC for superclusters...
0 superClusters had bad HMAC data

I do have the following questions/suggestions:
When using nandFixer to restore a Dump to a Wii U we need to have a way to move/rearrange bad Blocks: Could you please implement that in nandFixer?

• Import Hardwaredump
• Import fixed Dump
• Move Blocks according to Bad Block Mapping of the Hardwaredump
• Output fixed Dump with BBM

Having the Abitility to edit/fix system.xml in the Extractor would be great to repair bricked Wii U´s

Anone knows a Way to dump OTP via hardware? - i think, there are many bricks out in the Wild without dumped OTP

Thanks again, this is a awesome Progress you made!

That check is fine. The UNK thing is normal, maybe I should change this message. And the boot0 check is broken in the last version so you can ignore it.

About bad blocks, as for my understanding, they are marked during manufacture, and not dynamically, so they shouldn't change.

And about system.xml, I am going to to create another tool for that. And what is BMM?

And if someone doesn't have otp.... Nothing he can do. The redNAND dump is worthless by itself. Extracting OTP? He can exploit boot0 with glitching, but good luck with that watch the Nintendo presentation in 33C3 for explanation..). And if someone does it, please give us the boot1 key

 

[aut0mat3d]

I meant bad block mapping
Bad blocks can occour everytime in a NAND Flash.
Bad Block Remapping is done on Driver Side (Firmware) if i remember right, so if you have a Dump which is one year old and the NAND gets a new badblock (or rednand dump) you will have no chance to flash without remapping

Edit: A PDF about Bad Block mapping/handling on NAND flash memory: https://www.micron.com/~/media/docu...-note/nand-flash/tn2959_bbm_in_nand_flash.pdf

 

[EyeKey]

I meant bad block mapping
Bad blocks can occour everytime in a NAND Flash.
Bad Block Remapping is done on Driver Side (Firmware) if i remember right, so if you have a Dump which is one year old and the NAND gets a new badblock (or rednand dump) you will have no chance to flash without remapping

An internal bad block remapping is transparent to the software, or anyone reading from the NAND. The value of page X in the NAND should never change (but internally it may be remapped to another block). In the software side, there is bad blocks mapping in the filesystem, but it is set during manufacture.

 

[aut0mat3d]

ok, i misunderstood that. I thought software has to care about new bad blocks.

 

[lefthandsword]

Could this be extended in the future to edit the MLC or WFS formatted drives?

 

[EyeKey]

Could this be extended in the future to edit the MLC or WFS formatted drives?

Unrelated to this, I did some work understanding the WFS format. I will probably release extracting tool soon. Since it is complex file system, modifying it will require much more work... so I can't promise anything.

 

[EyeKey]

Added two new tools: nandBinCheck and nandFixer

 

[Pachee]

Unrelated to this, I did some work understanding the WFS format. I will probably release extracting tool soon. Since it is complex file system, modifying it will require much more work... so I can't promise anything.

SLC = Wii like filesystem, eMMC = WFS/New Format?
I don't know how far you are into it but i was looking at some error output from a rpx and it looked like a linux GFS2 error string.

 

[EyeKey]

SLC = Wii like filesystem, eMMC = WFS/New Format?
I don't know how far you are into it but i was looking at some error output from a rpx and it looked like a linux GFS2 error string.

Yes WFS is used in eMMC and external USBs. Well I am pretty far into it. I already know how to parse it, I just need to write some code now. It is a proprietary file system, which error string did you see?

 

[Pachee]

Yes WFS is used in eMMC and external USBs. Well I am pretty far into it. I already know how to parse it, I just need to write some code now. It is a proprietary file system, which error string did you see?

00:00:05:084: ISFS: fs_ops.c(3733)Can not change the owner Id of a non-empty file
00:00:05:084: ISFS: fs_ops.c(6719)Could not set attribute, rc=-524312
It was on a log actually. fs_ops.c, the only google result related to that is GFS2.