Wii U failing during boot sequence

[MontyMole98]

Yes to have to flash the SD. And after flashing you have to format it with FAT32 and resize the partition

Ok so it kinda looks like something worked, here is the terminal:

[pico] Changed state: WIIU_STATE_POWERED_OFF -> WIIU_STATE_NEEDS_DEFUSE
Starting... 3224:0
Results:
Winner! 0xf368
01
02
03
04
05
08
09
0a
0b
0c
0d
0e
13
14
15
18
1b
1c
1d
1e
1f
25
88
00
00
[pico] Changed state: WIIU_STATE_NEEDS_DEFUSE -> WIIU_STATE_DEFUSED
[pico] Changed state: WIIU_STATE_DEFUSED -> WIIU_STATE_MONITORING
U▒U▒U▒U▒U▒U▒U▒U▒[Pico] Switching to data mode...

fe 00 02 07 01 00 00 43 46 26 10 00 28 4d 45 4d
32 4d 45 4d 30 50 52 53 48 84 00 00 00 5d 5d 00
01 5d 5d 00 02 5d 5e 00 04 5d 5e 00 08 ef a2 82
d9 01 00 02 00 00 00 00 10 01 00 02 10 5d 5d 00
04 f0 0f ca ff f0 0f ca fa 55 aa 55 aa 55 aa 55
aa f0 0f ca [Pico] Switching to text mode...
beefcafeGPU TV addr: 17500001
GPU DRC addr: 00000000
minute loading
minute was loaded from boot1 context!
Initializing exceptions...
Configuring caches and MMU...
MEM: cleaning up
MEM: unprotecting memory
MEM: mapping sections
MEM: enabling caches
MEM: enabling MMU
MEM: configuring heap
MEM: init done
Interrupts initialized
prsh: Header at 10005a54, PRST at 10007ff0, 1 entries (32 capacity):
0: boot_info 0x58 10008000
crypto support initialized
BSP version: 0x26100028
Board type: CF (0x4346)
Board revision: 0x17
DDR props: size=2GiB (0x0800) speed=0x0002 vendor=U! (0x5521)

Initializing SD card...
sdhc: SDHC 1.0, 48 MHz base clock
sdhc_bus_power(0x300000)
sdhc_bus_clock(25000, 0)
sdhc_bus_width(1)
CID: 77017A2F0415102020434453604A7400
CID: mid=74 name='J`SDC ' prv=16.1 psn=05042f7a mdt=7/2007
CSD: 00800A80FFB76DBD835A5B32007F0000
taac=127 nsac=0 read_bl_len=10 c_size=3829 c_size_mult=7 card size=2008023040 bytes
sdcard_select: resp=700
sdhc_bus_;idth(4)
sdcard: enabling highspeed 52MHz clock (32)
sdhc_bus_clock(52000, 1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
sdcard: MMC_ALL_SEND_CID failed with 116
sdcard: could not enable highspeed clock for card, falling back to 48MHz highspeed?
sdhc_bus_clock(48000, 1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
sdcard: MMC_ALL_SEND_CID failed with 116
sdcard: could not enable highspeed clock for card, falling back to 25MHz highspeed?
sdhc_bus_clock(25000, 1)
Mounting SD card...
crypto: ~0x000 bytes of OTP loaded; JTAG is disabled (000000e1)

Console is de_Fused! Loading sdmc:/otp.bin...
Failed to load `sdmc:/otp.bin`!
Firmware will fail to load.
Press POWER/Q to continue.
[pico] Changed state: WIIU_STATE_MONITORING -> WIIU_CHECK_IF_POWERED_OFF
[pico] Changed state: WIIU_CHECK_IF_POWERED_OFF -> WIIU_STATE_POWERED_OFF



I also just noticed that a wire came off the Pi Pico, don't know if I defused it before that. Will have to solder that back on. Anything you can gain from this though?

EDIT: Just looked and it's the TP144 port on the motherboard that came off the Pi Pico end.

 

[SDIO]

This looks good, we need now the otp.bin. If you have an existing NAND backup or dumped it from the recovery, you can use that. If not go to the Backup and Restore menu and use PRSHhax to dump the otp.

 

[MontyMole98]

This looks good, we need now the otp.bin. If you have an existing NAND backup or dumped it from the recovery, you can use that. If not go to the Backup and Restore menu and use PRSHhax to dump the otp.

I'm assuming that I need to solder the missing wire (TP144) back to do that, or is it not necessary?

 

[SDIO]

If it is still in minute, you can probably still dump it. Bu tto defuse again, I would asusme you need that wire, as it is doing the reset, which is the core thing of defuse.

 

[MontyMole98]

If it is still in minute, you can probably still dump it. Bu tto defuse again, I would asusme you need that wire, as it is doing the reset, which is the core thing of defuse.

Okay, then I'll need to defuse again by resoldering that.

 

[MontyMole98]

If it is still in minute, you can probably still dump it. Bu tto defuse again, I would asusme you need that wire, as it is doing the reset, which is the core thing of defuse.

So I just soldered it, where and how do I dump the otp keys?

Post automatically merged: Sep 2, 2023

If it is still in minute, you can probably still dump it. Bu tto defuse again, I would asusme you need that wire, as it is doing the reset, which is the core thing of defuse.

Never mind, got it working. Successfully dumped the otp + seeprom! Where do I go from here now? Just in case this is what is needed, here are the crash logs displayed from minute:

Reading SMC crash buffer...
Exception registers:
R0-R3: 80b06b12 5e83a2a8 88d46247 7aa2c410
R4-R7: 2051b968 27a0d6b0 97578884 4accb828
R8-R11: 84360a81 3ca04a65 24082428 738c7426
R12-R15: 771700af 31b52166 fc45e42a 8101f98b

 

[SDIO]

Go to the Backup and Restore menu in minute and there use the Dump OTP with PRSHhax (don't remebmebr the name exactly) option. If it was successful it should produce a otp.bin on the sdcard

 

[MontyMole98]

Go to the Backup and Restore menu in minute and there use the Dump OTP with PRSHhax (don't remebmebr the name exactly) option. If it was successful it should produce a otp.bin on the sdcard

So I think you misinterpreted the crash logs, those were after I dumped the OTP successfully, and chose the "View crash logs" option to see what was on the Wii U, not issues with defuse/minute. PRSHax wasn't working so I had to dump using the "Dump OTP and SEEPROM" option. And now I have full access now that I have otp.bin, where do I go now? Again I viewed the crash logs and here they are:


Reading SMC crash buffer...
Exception registers:
R0-R3: 80b06b12 5e83a2a8 88d46247 7aa2c410
R4-R7: 2051b968 27a0d6b0 97578884 4accb828
R8-R11: 84360a81 3ca04a65 24082428 738c7426
R12-R15: 771700af 31b52166 fc45e42a 8101f98b

 

[SDIO]

If you look into your otp.bin with a hex editor, you will find that it is mostly 00.
Defuse causes the otp to read mostly zero, that's why we need to dump it with PRSHhax

 

[MontyMole98]

If you look into your otp.bin with a hex editor, you will find that it is mostly 00.
Defuse causes the otp to read mostly zero, that's why we need to dump it with PRSHhax

That wasn't working, I can try it again though...

 

[SDIO]

It can take multiple tries. If it doesn't work we would need the output from the serial

 

[MontyMole98]

It can take multiple tries. If it doesn't work we would need the output from the serial

I have tried several times now, and it hasn't worked. Here are logs when it tries (sorry it's so long lol):


9254f7bf 8f14dbd2
505276c9 505276c9
Guessing key based on boot1 header type 2
--> prod key
Dumping OTP using boot1 prod v8377, and offset 0x0d40ac6d...
WARNING: SEEPROM boot1 version v21274 does not match NAND version v8377!
Exploit might not work!

If this is the first time you're dumping otp.bin, ignore this message.
However, if you reflashed boot1, you might have to guess which boot1
version was originally on NAND and will match the SEEPROM version.
GPU clocked at: 544.999877MHz
Unmounting SLC...
Shutting down MLC...
sdhc_bus_power(0x0)
Shutting down SD card...
sdhc_bus_power(0x0)
Shutting down interrupts...
Shutting down caches and MMU...
Resetting (prshhax)...
U▒U▒U▒U▒U▒U▒U▒U▒P[Pico] Console requested prshhax prshhax reset...
[pico] Changed state: WIIU_STATE_MONITORING -> WIIU_STATE_NEEDS_DEFUSE
Starting... 3224:0
Results:
Winner! 0xf368
01
02
03
04
05
08
09
0a
0b
0c
0d
0e
13
14
15
18
1b
1c
1d
1e
1f
25
88
89
8a
0f
8f
0f
00
80
01
81
00
80
01
81
00
80
01
81
00
80
01
81
03
0f
8f
0f
00
01
81
00
80
01
81
00
80
01
81
00
80
01
81
00
80
0f
8f
0f
00
80
01
81
00
80
01
81
00
80
01
81
00
80
01
81
0f
8f
0f
00
01
81
00
80
01
81
00
80
01
81
00
80
01
81
00
80
0f
8f
0f
00
80
01
81
00
80
01
81
00
80
01
81
00
80
01
81
0f
8f
0f
00
01
81
00
80
01
81
00
80
01
81
00
80
01
81
00
80
0f
8f
0f
00
80
01
81
00
80
01
81
00
80
01
81
00
80
01
81
0f
8f
0f
00
01
81
00
80
01
81
00
80
01
81
00
80
01
81
00
80
0f
8f
0f
00
80
01
81
00
80
01
81
00
80
01
81
00
80
01
81
0f
8f
0f
00
01
81
00
80
01
81
00
80
01
81
00
80
01
81
00
80
0f
8f
0f
00
80
01
81
00
80
01
81
00
80
01
81
00
80
01
81
0f
8f
0f
00
01
81
00
80
01
81
00
80
01
81
00
80
[pico] Changed state: WIIU_STATE_NEEDS_DEFUSE -> WIIU_STATE_DEFUSED
[pico] Changed state: WIIU_STATE_DEFUSED -> WIIU_STATE_MONITORING
0701CF&10(MEM2MEM0PRSH]]01]]02]^04]^08efa282d9010210010210]]04f00fcafff00fcafaU▒U▒U▒U▒f00f[Pico] Switching to text mode...
cafeGPU TV addr: 17500001
GPU DRC addr: 00000000
minute loading
minute was loaded from boot1 context!
Initializing exceptions...
Configuring caches and MMU...
MEM: cleaning up
MEM: unprotecting memory
MEM: mapping sections
MEM: enabling caches
MEM: enabling MMU
MEM: configuring heap
MEM: init done
Interrupts initialized
prsh: Header at 10005a54, PRST at 10007ff0, 1 entries (32 capacity):
0: boot_info 0x58 10008000
crypto support initialized
BSP version: 0x26100028
Board type: CF (0x4346)
Board revision: 0x17
DDR props: size=2GiB (0x0800) speed=0x0002 vendor=U! (0x5521)

Initializing SD card...
sdhc: SDHC 1.0, 48 MHz base clock
sdhc_bus_power(0x300000)
sdhc_bus_clock(25000, 0)
sdhc_bus_width(1)
CID: 77017A2F0415102020434453604A7400
CID: mid=74 name='J`SDC ' prv=16.1 psn=05042f7a mdt=7/2007
CSD: 00800A80FFB76DBD835A5B32007F0000
taac=127 nsac=0 read_bl_len=10 c_size=3829 c_size_mult=7 card size=2008023040 bytes
sdcard_select: resp=700
sdhc_bus_width(4)
sdcard: enabling highspeed 52MHz clock (32)
sdhc_bus_clock(52000, 1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
sdcard: MMC_ALL_SEND_CID failed with 116
sdcard: could not enable highspeed clock for card, falling back to 48MHz highspeed?
sdhc_bus_clock(48000, 1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
sdcard: MMC_ALL_SEND_CID failed with 116
sdcard: could not enable highspeed clock for card, falling back to 25MHz highspeed?
sdhc_bus_clock(25000, 1)
Mounting SD card...
crypto: ~0x000 bytes of OTP loaded; JTAG is disabled (000000e1)

boot1 never jumped to payload! Offset or SEEPROM version might be incorrect.
(try it again just in case, sometimes the resets can get weird)
Press POWER/Q to continue.
Console is de_Fused! Loading sdmc:/otp.bin...
Failed to load `sdmc:/otp.bin`!
Firmware will fail to load.
Press POWER/Q to continue.
SEEPROM failed to verify!
(Check your otp.bin?)
Hardware params calc: 71d26d1f stored: 6bdc60f6
Primary boot1 params calc: 80331897 stored: 531aa4a7
Secondary boot1 params calc: df82c4b5 stored: 89dfca4d
Decrypted boot1 versions: v21274 (531a) and v35295 (89df)
Decrypted boot1 sectors: 0xa4a7 and 0xca4d
minini: Failed to open `sdmc:/minute/minute.ini`!
Initializing MLC...
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc_bus_power(0x40000000)
mlc: powerup failed for card
sdhc: SDHC 1.0, 48 MHz base clock
sdhc_bus_power(0x40300000)
sdhc_bus_clock(400, 0)
sdhc_bus_width(1)
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
mlc: MMC_SEND_OP_COND failed with 116
sdhc_bus_width(1)
sdhc_bus_clock(0, 0)
sdhc_bus_power(0x0)
sdhc_bus_power(0x40300000)
sdhc_bus_clock(400, 0)
sdhc_bus_width(1)
CID: 010000000000000000000000005A5A00
resetting due to error interrupt
timeout dump: error_intr: 0x0 intr: 0x2
mlc: MMC_SEND_CSD failed with 116
sdhc_bus_power(0x0)
Mounting SLC...
No OTP bin, showing menu...
Showing menu...

 

[MontyMole98]

If it doesn't work we need the output from the serial

How would I go about doing this? Where would I read the OTP data from?

 

[SDIO]

We don't see the otp there, I just needed the serial output so shiny can take a look, but I think he also doesn't know that's going wrong.

Just do be sure, ist the original eMMC still connected or did you cut the clk trace or something to dump it?

 

[MontyMole98]

Is the original eMMC still connected or did you cut the clk trace or something to dump it?

Yes, the original EMMC is still connected.

 

[MontyMole98]

I think he also doesn't know that's going wrong.

Do you think that the 3v3 that you told me not to solder could be part of it? Just curious. And the problem is the MLC not responding right?

 

[SDIO]

I don't think the 3V3 could cause this problem. Also I tested with a console without eMMC and there PRSHhax also works, so that probably also isn't the problem...

Maybe you could use nandBinCheck to see what boot1 version you have

 

[MontyMole98]

You could use nandBinCheck to see what boot1 version you have

I'm going to need you to show me how to do that, all the Google results have to do with the og Wii

 

[SDIO]

You find nandBinCheck for the Wii U here: https://github.com/koolkdev/wiiuqt/releases

It will complain that all the files are broken, but that's just because you are missing the right key in the otp

 

[MontyMole98]

You find nandBinCheck for the Wii U here: https://github.com/koolkdev/wiiuqt/releases

It will complain that all the files are broken, but that's just because you are missing the right key in the otp

So I dump the SLC?