Why no nand / emmc hardware dumper yet?

Discussion in 'Wii U - Hacking & Backup Loaders' started by DeadlyFoez, May 15, 2015.

  1. DeadlyFoez
    OP

    DeadlyFoez GBAtemp Guru

    Member
    5,468
    1,499
    Apr 12, 2009
    United States
With all that's been going on, why hasn't anyone successfully made an eMMC dumper? I know TSK tried and failed, but is there anything that is preventing writing back a previous firmware dump, like eFuses or SEEPROM? I haven't read of any.

    I have all the tools to do it, I just don't have a Wii U to go at it.
     
    Margen67 and Mr. Mysterio like this.
  2. Duo8

    Duo8 I don't like video games

    Member
    3,444
    1,144
    Jul 16, 2013
    No one bothered I guess.
    Basically you need to dump an eMMC (easy) and a standard TSOP NAND afaik.
     
  3. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    2,632
    6,233
    Feb 17, 2012
    United States
    The Everfree Forest
    because keys
     
    Margen67 likes this.
  4. FaTaL_ErRoR

    FaTaL_ErRoR AKA ŦƕƎ ƠṀƐƝ

    Member
    491
    346
    Mar 9, 2014
    United States
There's just no need. As long as open source WebKit is on the console there will never be a need to revert to previous firmware.
    Mostly because there are too many holes in both OSes that patching will just not fix.
    Personally I think these guys already have a working websploit and are much further along than they let on. I think E3 during the "N" part the U hacking community is gonna go nuts.
    I hope it's in before the interview portion with Reggie. It'll be very funny.
     
    Margen67 likes this.
  6. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    2,632
    6,233
    Feb 17, 2012
    United States
    The Everfree Forest
    Well, WE don't, but someone else does :P Both a userspace and a kernel exploit. Working with them, should also help speed things up.
     
    Margen67 likes this.
  7. DeadlyFoez
    OP

    DeadlyFoez GBAtemp Guru

    Member
    5,468
    1,499
    Apr 12, 2009
    United States
    Sorry, but that is a piss poor answer.

If we are able to make a raw dump from both banks of the NAND and the eMMC, is it possible to reflash those dumps after an update?

    It may not seem useful now, but waninkoko has proved that dumps like those are very helpful later on. Just the ability to do so.
     
    Margen67 likes this.
  8. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    2,632
    6,233
    Feb 17, 2012
    United States
    The Everfree Forest
    I know, I'm just messing with you :P
    Yes, should be. Could easily restore it if you have read/write.
     
  9. obcd

    obcd GBAtemp Advanced Maniac

    Member
    1,594
    278
    Apr 5, 2011
    Belgium
Backing up the eMMC shouldn't be much of a problem, I assume.
    It just might be necessary to find a way to keep the Wii U in a reset state so that it doesn't try to control the eMMC during the dump.
    The hardware needed for that is an SD-to-USB card reader like the ones that are used to dump the 3DS. I have no idea if connecting only DAT0 is enough to do the trick, or if you need to connect the other 3 DAT lines as well.

    You might be able to read the NAND using software only. The vWii part of the NAND can already be done.
    With the WebKit exploit and IOSU exploit, it might be possible to do the Wii U part as well.

    With currently no practical use for it, trying to restore an older firmware is something you could do "in the name of science", but there is always a chance of bricking your device.

    I am unsure, but if I read the eMMC specs, it looks like parts of it can be protected against writing and reading. This would mean that the device would need to receive a correct password before it allows access to some areas of its memory. In such a case, a raw dump could be useless unless the area is already unlocked. A good protection strategy might only unlock it for a short period during power-up and quickly set the protection again afterwards. (Those areas could be used to store some keys.)

    The safest method to test would be if you could dump the eMMC contents into another eMMC, and see if the Wii U still boots properly with that other eMMC. If things go wrong, you still have your original eMMC contents to get the system running. As the eMMC is a BGA package, it might be difficult to solder wires to it so that you can connect it to the Wii U. Another problem will be finding such an additional eMMC.
    If Ninty decided to use the eMMC serial number as part of the encryption, it might fail to transfer the eMMC contents to another chip.
    Even if the experiment were a failure, it would not result in a brick like that.
    Simulating such an eMMC with different hardware (so that it produces an equal serial etc.) is a whole different ballgame. Maybe someone with an expensive logic analyser could sniff the communication between the Wii U and the eMMC chip to see what protection tricks are used.
     
    Mr. Mysterio likes this.
  10. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,754
    9,037
    Oct 27, 2002
    France
    Engine room, learning
To check if the eMMC uses a password, maybe trying to write the dump back immediately after dumping could be done to check if write protection is used?
    In this case, the writable areas would still contain the old data even if writing fails on some blocks.

    Or there's probably a way to ask the eMMC to answer if a password is used, like the Gateway-3DS lock/brick option?
     
  11. Duo8

    Duo8 I don't like video games

    Member
    3,444
    1,144
    Jul 16, 2013
    IIRC if you use an actual card reader the OS should be able to read most of the details from the eMMC.
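The three points raised above (obcd's note that the eMMC standard has password-lockable areas and a per-chip serial number, Cyan's question of whether the device can simply be asked whether a password is engaged, and Duo8's remark that a plain card reader lets the OS read most of the chip's details) can be tied together with a small decoder. The following is an added example written for this thread, not code from any poster or from a Wii U tool. It parses the 128-bit CID register as Linux exposes it in sysfs (for example the `cid` file under `/sys/block/mmcblk0/device/`, a path assumed here) and decodes the R1 device-status word that CMD13 SEND_STATUS returns, in which bit 25 (DEVICE_IS_LOCKED) reports an engaged password lock and bit 26 (WP_VIOLATION) reports a refused write to a protected region. The sample CID is constructed in the script, not read from any hardware.

```python
"""Decode an eMMC CID register and an R1 device-status word.

Added example for the thread above, not code from the thread or from any
Wii U tool. Field layout follows the JEDEC eMMC CID definition
(MID, CBX, OID, PNM, PRV, PSN, MDT, CRC7). The sample CID is constructed.
"""
from typing import Any, Dict


def crc7(data: bytes) -> int:
    """CRC-7 (polynomial x^7 + x^3 + 1) used on MMC/SD commands and registers."""
    crc = 0
    for byte in data:
        for _ in range(8):
            crc <<= 1
            if (crc ^ byte) & 0x80:
                crc ^= 0x09
            byte = (byte << 1) & 0xFF
            crc &= 0xFF
        crc &= 0x7F
    return crc


def parse_cid(cid_hex: str) -> Dict[str, Any]:
    """Parse the 32-hex-character CID string (e.g. from /sys/block/mmcblkN/device/cid)."""
    raw = bytes.fromhex(cid_hex.strip())
    if len(raw) != 16:
        raise ValueError("CID must be 128 bits (32 hex characters)")
    mdt = raw[14]  # manufacturing date: month in the high nibble, year code in the low nibble
    return {
        "mid": raw[0],                                   # manufacturer ID
        "cbx": raw[1] & 0x03,                            # device type: 0 card, 1 BGA, 2 POP
        "oid": raw[2],                                   # OEM / application ID
        "pnm": raw[3:9].decode("ascii", "replace").rstrip("\x00 "),  # 6-char product name
        "prv": f"{raw[9] >> 4}.{raw[9] & 0x0F}",         # product revision n.m
        "psn": int.from_bytes(raw[10:14], "big"),        # 32-bit product serial number
        "mdt_month": mdt >> 4,
        # The base year (1997 or 2013 per the spec) depends on EXT_CSD_REV, which
        # is not in the CID, so only the raw 4-bit code is reported here.
        "mdt_year_code": mdt & 0x0F,
        # CRC7 covers bytes 0..14; byte 15 holds CRC7 << 1 with the end bit set.
        "crc_ok": crc7(raw[:15]) == raw[15] >> 1,
    }


# Selected bits of the R1 device-status word returned by CMD13 SEND_STATUS.
STATUS_BITS = {
    "wp_violation": 26,        # write to a write-protected region was refused
    "device_is_locked": 25,    # password lock (CMD42 LOCK_UNLOCK) is engaged
    "lock_unlock_failed": 24,  # last lock/unlock attempt failed (e.g. wrong password)
    "wp_erase_skip": 15,       # erase skipped write-protected blocks
    "ready_for_data": 8,
}
CURRENT_STATE_NAMES = ["idle", "ready", "ident", "stby", "tran", "data",
                       "rcv", "prg", "dis", "btst", "slp"]


def decode_device_status(r1: int) -> Dict[str, Any]:
    """Expand the status bits a dumper should inspect before trusting a read or write."""
    out = {name: bool((r1 >> bit) & 1) for name, bit in STATUS_BITS.items()}
    state = (r1 >> 9) & 0xF  # CURRENT_STATE occupies bits 12:9
    out["current_state"] = (CURRENT_STATE_NAMES[state]
                            if state < len(CURRENT_STATE_NAMES) else f"reserved({state})")
    return out


def build_sample_cid() -> str:
    """Constructed CID: MID 0x15, BGA, name TEST01, rev 1.0, serial 0xDEADBEEF, May/year code 7."""
    body = (bytes([0x15, 0x01, 0x00]) + b"TEST01" + bytes([0x10])
            + (0xDEADBEEF).to_bytes(4, "big") + bytes([0x57]))
    return (body + bytes([(crc7(body) << 1) | 1])).hex()


if __name__ == "__main__":
    sample = build_sample_cid()
    print("CID", sample)
    for key, value in parse_cid(sample).items():
        print(f"  {key:14} {value}")
    # Constructed status word: tran state, ready for data, password lock engaged.
    for key, value in decode_device_status(0x02000900).items():
        print(f"  {key:20} {value}")
```

A failing `crc_ok` on a CID read through a card reader usually means the wiring or the reader, not the chip, is at fault; it is worth checking before drawing any conclusion from the serial number or product name. A status word with `device_is_locked` set answers Cyan's question directly: reads of the user area will fail until CMD42 is satisfied, so a raw dump taken in that state cannot be complete.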