Masonry is where it's at... right? RIGHT!?

Posted by Magil
September 17, 2010 12:59AM
Not essentially a problem related to having my Wii bricked (God forbid), but still related to the topic.

I've been lurking in the forum's shadows for some time (all the while trying to help out and answer different questions related to homebrew to the best of my abilities), and a concept I keep seeing pop up rather consistently is "manually programming the NAND with a programmer".
Do take heed that while I do have a bit of knowledge on how the Wii works (not that much... only what many consider "the basics", and probably a little bit more, but that's it), if anyone would like to answer this post, try to give me as detailed an answer as is possible (I'm not looking for vague answers like "buy this, then run this" without explaining what the hell it is I'm actually doing).

I'd like this to be as complete an answer as possible.

Exactly what kind of bricks would I be able to fix by manually programming the NAND? From what I learned, this would fix bricks related to a formatted NAND, or a corrupt one.

How would I go about learning how to fix these with said programmer? I would like to know if there are any documents out there for beginners, or at least some references as to where to learn the basics of this otherwise difficult process. I understand well that I need decent soldering skills to begin with, but that's something I can probably pick up while practicing with other stuff first.

The reason I'd want to learn is basically because I've been curious how exactly fixing the Wii through this method works. Also, I want to somehow help all the despaired souls (read: n00bs) recover from a brick without having to whine to Nintendo about how they screwed up by updating when they weren't supposed to, among other unfortunate mishaps.

I have no actual experience programming ANYTHING (I did take a small course on C and Pascal a few years ago... pretty worthless since I can't remember anything at all today). Regardless of this, I'd really like to get a grasp, and would request that everyone thinking about writing a discouraging post refrain from doing so. Let ME discourage myself =P.

Looking back, I don't think this is exactly one of my most "easy-to-read", cleanest posts. So many ideas and questions were running through my head while I wrote this. But I hope the main idea of this post somehow got through.

Thank you in advance for answering this poor, ignorant n00b.
Re: Masonry is where it's at... right? RIGHT!?
September 22, 2010 10:24PM
... seeing as this has not generated any kind of interest in the past week, could it be that I posted in the wrong subforum? If so... could it be moved to a different area where it might get someone's attention?
Re: Masonry is where it's at... right? RIGHT!?
September 23, 2010 02:36AM
Quote
Magil
Exactly what kind of bricks would I be able to fix by manually programming the NAND? From what I learned, this would fix bricks related to a formatted NAND, or a corrupt one.
You can fix most bricks this way. If the Wii is old enough (i.e. has a vulnerable boot1) you can manually install BootMii as boot2 in order to restore a BootMii NAND backup or run Comex's NAND Formatter. I'm not quite sure about newer Wiis though; you may be able to manually restore a NAND backup, but I don't know how to do this without BootMii.

Quote
Magil
How would I go about learning how to fix these with said programmer?
I'm sure there's a guide somewhere on the internet although I don't know where at the moment. I'm sure a quick search will turn up results. I'm not very hardware savvy so I don't know exactly how one uses a NAND programmer.

I would say that I'm even less experienced than you, but I do have a good understanding of how the Wii works. I believe the process goes like this:
- Get a BootMii NAND backup
- Desolder the Wii's NAND chip
- Solder it to the NAND Programmer (?)
- Flash the first few blocks (this contains BootMii boot2) from the NAND backup to the NAND chip
- Solder the NAND back to the Wii
- Boot the Wii to BootMii and run the necessary process to fix the Wii.

(Someone feel free to correct me as I'm not 100% sure :P )
Re: Masonry is where it's at... right? RIGHT!?
September 23, 2010 03:53AM
Any brick can be fixed this way, provided any one of the following conditions is true:
1) The wii has boot1b or older
2) A working NAND dump from the bricked wii is available
3) The bricked wii's keys are known

There are guides available. In fact, there is a current discussion of this in another topic.



Edited 1 time(s). Last edit at 09/23/2010 03:54AM by jbc007.
Re: Masonry is where it's at... right? RIGHT!?
September 24, 2010 10:49PM
This seems like an appropriate place to continue this discussion.

Betwiin can be used to convert a NAND backup to work on another wii. This is one option for fixing a brick, either with a hardware NAND programmer or Bootmii/boot2. However, to do this, you must have the keys from the bricked wii. Usually when fixing a wii using a NAND programmer, if a working NAND dump is available from said wii, it is easiest to simply restore it. If a working NAND backup is not available, odds are the keys are unknown as well. In this case, Bootmii/boot2 must be manually installed. After that, Comex's NAND formatter is by far easier to use than obtaining and converting a NAND dump from another wii.

There are a few issues with converting NAND dumps to work on other wiis. Primarily, the donor wii must have the same boot1 and the same or greater boot2 revision (I'm not sure why; boot1 and boot2 are not overwritten when Bootmii restores a NAND dump). Also, though somewhat rare, bad blocks can cause issues. Therefore, this is not usually the most convenient option.
Re: Masonry is where it's at... right? RIGHT!?
September 24, 2010 11:34PM
Now, I'm doing my research across various places on the net, and I'd like to go about posting questions regarding my findings and crazy noobish ideas I have along the way.

Let's say that a theoretic bricked Wii does not have bootmii as boot2, and does not have a vulnerable boot2 that I could use to install bootmii manually. Could there be a way then to install bootmii somewhere else (say, as an IOS...), and then Priiloader manually? I know this sounds pretty crazy, since boot1 and boot2 are easily found in the first seven blocks of the NAND, whereas attempting to find where IOS are on the damn thing will be a bit harder (calculating where each IOS begins and ends... since they must not take dedicated whole blocks per IOS, right?).

Flashing the NAND would be OK... but then I'd have to figure out how to install at least the necessary IOS that Priiloader depends on (again, this is regarding a non-vulnerable boot2 scenario), and bootmii as an IOS. But if I flashed the NAND... then it would all be for naught (since I'd have no way to obtain the keys then). Decisions, decisions...

I'll try to get some more research done and see if I can come back here with solutions. I apologize to anyone who finds this boring and/or too noobish. I'm trying to figure out how all of this works at my own pace and with my own method, and sharing my ideas to see if anyone else can elaborate.
Re: Masonry is where it's at... right? RIGHT!?
September 25, 2010 12:01AM
These are all good questions. It's been a while since I had a good theoretical discussion of the wii anyway. The NAND file system is encrypted with a set of keys unique to each wii. These keys can only be extracted by software, such as Bootmii or XYZZY. Therefore, without already having the keys, it is impossible to install anything on the NAND file system by hardware.

Boot1 and Boot2 are stored before the NAND file system, so they are not encrypted. That is why Bootmii/boot2 can be installed in this manner. Since boot1 can't be modified at all, boot2 can't be modified without fakesigning it (meaning it won't work on wiis with boot1c+), and everything else on the NAND is part of the NAND file system, nothing other than Bootmii/boot2 (or another, as yet non-existent, boot2 replacement) can be installed on a wii in such a situation.
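As an added example that is not from the thread or from BootMii, Infectus or any other tool named in it, here is a Python model of the layout jbc007 describes: raw NAND pages carrying their spare areas, the unencrypted boot1/boot2 region at the start of the chip, the encrypted file system behind it, and the keys.bin trailer that a BootMii nand.bin carries but a plain hardware dump does not. It also models the "flash the first few blocks from the backup" step from the earlier post as a splice of the boot region from a known-good dump of the same console. The chip geometry (4096 blocks of 64 pages, 2048 data plus 64 spare bytes per page), the choice of blocks 0 through 7 as the boot region, and the offsets inside keys.bin are this example's assumptions; check them against a real dump before relying on them.

```python
"""Added example: geometry of a raw Wii NAND dump and the boot-region splice.

Assumptions (not taken from the thread): the chip is 4096 blocks x 64 pages,
each page 2048 data + 64 spare bytes (512 MiB data, 528 MiB raw); a BootMii
nand.bin may have a 0x400-byte keys.bin appended; boot1/boot2 live in blocks
0..7, before the encrypted file system.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class NandGeometry:
    page_data: int = 2048
    page_spare: int = 64
    pages_per_block: int = 64
    block_count: int = 4096

    @property
    def page_raw(self) -> int:          # one page as stored in a raw dump
        return self.page_data + self.page_spare

    @property
    def block_raw(self) -> int:
        return self.page_raw * self.pages_per_block

    @property
    def raw_size(self) -> int:
        return self.block_raw * self.block_count


WII = NandGeometry()           # raw_size == 0x21000000 bytes
KEYS_BIN_SIZE = 0x400          # size of the keys.bin trailer BootMii appends
BOOT_BLOCKS = range(0, 8)      # assumed unencrypted boot1/boot2 region


def classify_dump(size: int, geo: NandGeometry = WII) -> Optional[str]:
    """Distinguish a plain raw image from a BootMii image with keys appended."""
    if size == geo.raw_size:
        return "raw"
    if size == geo.raw_size + KEYS_BIN_SIZE:
        return "raw+keys"
    return None


def page_offset(block: int, page: int, geo: NandGeometry = WII) -> int:
    """Byte offset of a (block, page) pair inside a raw dump."""
    if not 0 <= block < geo.block_count or not 0 <= page < geo.pages_per_block:
        raise ValueError("page address outside the chip")
    return block * geo.block_raw + page * geo.page_raw


def read_blocks(dump: bytes, blocks: range, geo: NandGeometry = WII) -> bytes:
    """Raw bytes (data + spare) of a contiguous range of blocks."""
    start = page_offset(blocks.start, 0, geo)
    end = page_offset(blocks.stop - 1, geo.pages_per_block - 1, geo) + geo.page_raw
    return dump[start:end]


def strip_spare(raw: bytes, geo: NandGeometry = WII) -> bytes:
    """Drop every page's spare area, leaving only the data bytes."""
    if len(raw) % geo.page_raw:
        raise ValueError("not a whole number of raw pages")
    return b"".join(raw[i:i + geo.page_data] for i in range(0, len(raw), geo.page_raw))


def splice_blocks(target: bytes, source: bytes, blocks: range,
                  geo: NandGeometry = WII) -> bytes:
    """Copy `blocks` (raw pages, spare included) from a known-good dump of the
    SAME console into the bricked image; the encrypted file-system blocks and
    any keys.bin trailer of `target` are left untouched."""
    for img in (target, source):
        if classify_dump(len(img), geo) is None:
            raise ValueError("not a dump of this geometry")
    start = page_offset(blocks.start, 0, geo)
    end = start + len(blocks) * geo.block_raw
    return target[:start] + source[start:end] + target[end:]


# Assumed keys.bin layout: a BootMii header, then the OTP contents from 0x100.
# These offsets are this example's assumption; verify against a real dump.
KEYS_LAYOUT = {"nand_hmac": (0x146, 20), "nand_key": (0x15A, 16)}


def nand_keys(dump: bytes, geo: NandGeometry = WII) -> Dict[str, bytes]:
    """Per-console NAND AES key and HMAC key from an appended keys.bin.
    A plain hardware dump has no trailer, so it yields no keys at all."""
    if classify_dump(len(dump), geo) != "raw+keys":
        raise ValueError("no keys.bin trailer present")
    trailer = dump[geo.raw_size:]
    return {name: trailer[off:off + n] for name, (off, n) in KEYS_LAYOUT.items()}
```

The point of `splice_blocks` is that only the boot region is copied; nothing in it touches the file-system blocks, which stay encrypted under keys that a hardware dump does not contain. The geometry is a parameter so the functions can be exercised on a tiny constructed image rather than a 528 MiB file.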
Re: Masonry is where it's at... right? RIGHT!?
September 25, 2010 12:41AM
Hmmm... I seem to be getting somewhere... and I'm starting to feel excited. Anyways...

Some time ago, I was reading about Team Twiizers' first attempts at getting homebrew to run... and I found an interesting bit: [wiibrew.org] After all, they didn't have bootmii when they first tried to get their NAND, or keys for that matter.

There's even a link there where said attack was detailed even further... though it seems to be dead today (I know it worked a very long time ago... dunno why it isn't working today). I did an overview read back then...

... but then again, as the wiki itself explains, it used an old MIOS version. What I'd like to know then is where the MIOS is stored, and whether it's possible to inject an older version of MIOS into it. Also... if it's possible to set the Wii up to immediately start in Gamecube mode. Literally, transforming the Wii into a Gamecube (temporarily, of course). If it's somehow possible, then maybe there is a way to press forward... I just hope so.



Edited 1 time(s). Last edit at 09/25/2010 12:42AM by Magil.
Re: Masonry is where it's at... right? RIGHT!?
September 25, 2010 06:12AM
That is an interesting idea. Boot2 normally boots the system menu's IOS, which then load the system menu. However, when gamecube games are launched, boot2 is used to launch MIOS (in case you are wondering, Nintendo does not use boot2 to launch anything else). In theory, it may be possible to have it boot into gamecube mode automatically (I really don't know for sure; we are reaching the limits of my knowledge here). Though, I am not sure what, if anything, would have to be done for this to happen. I highly doubt that anyone has done it.

Still, there is another problem. As you know, the Twiizer Attack would only work with an old MIOS. Any wii that has such an old MIOS also has a vulnerable boot1 (assuming MIOS is not downgraded, which is extremely rare). MIOS is stored on the NAND file system just like everything else except boot1 and boot2. It can be upgraded or downgraded with DOP-Mii or WAD installs just like any other title. However, system files cannot be modified from gamecube mode, so MIOS can't be downgraded on such a bricked wii. Therefore, this is not a plausible method of recovery.

By the way, the link on that page still works; the site was probably just down when you tried. If you are interested in how MIOS now blocks the Twiizer Attack, you may want to read this.



Edited 1 time(s). Last edit at 09/25/2010 06:14AM by jbc007.
Re: Masonry is where it's at... right? RIGHT!?
September 25, 2010 05:19PM
Hmm, anyone know where a particular Wii's keys are stored? If they're needed to decrypt the file system, surely they can't be IN the file system? It must be somewhere boot2 can access, right? And so if the keys are stored somewhere encrypted, boot2 must be able to access and decrypt them, then use them to decrypt the FS, correct? Therefore, should it not be possible to dump keys without decrypting the FS? The individual Wii's keys can't be encrypted using a unique key, as boot2 has to be able to access them and decrypt them, and AFAIK boot2 is not different for every Wii, so it must use the same key to decrypt the individual Wii's keys on every Wii. (Assuming the keys are encrypted, which I would assume they are).

Or have I made some big mistake here?

EDIT: To add more to my post:

On this page on the wiki : [wiibrew.org]

it says:

Quote

Encrypted filesystem data. Data is encrypted with a per-console AES key, and then signed with a (separate, per-console) HMAC key.

So what I was referring to in my post was the per-console AES key and per-console HMAC key, used by boot2 to decrypt the FS so it can load SM IOS and then SM. Where is that stored? OTP? If so, is there any way to dump the contents of OTP via hardware e.g. an Infectus? Is OTP a separate chip on the Wii motherboard, or is it part of the NAND chip?

Sorry for so many questions and very few answers, but this topic intrigues me greatly, it'd be fantastic if it were possible to unbrick ANY Wii.

EDIT: Here's the page on OTP: [wiibrew.org] - looks like that is where the keys are stored. So can OTP be accessed by hardware and dumped? Presumably it is not encrypted, as boot0 has to read it, and I don't think there'd be much point encrypting it to decrypt it as soon as the Wii is powered on.



Edited 3 time(s). Last edit at 09/25/2010 11:34PM by SifJar.
Re: Masonry is where it's at... right? RIGHT!?
September 25, 2010 11:38PM
The keys are stored in the OTP, which is part of the Starlet. They can be extracted without decrypting the NAND file system, otherwise Bootmii would not be able to access them, and fixing a wii by manually installing Bootmii/boot2 would be impossible. In theory, it should be possible to extract these keys using hardware, but this has never been done. AFAIK, nobody even knows exactly where the OTP is. Therefore, this is not an option at this time.



Edited 1 time(s). Last edit at 09/25/2010 11:38PM by jbc007.
Re: Masonry is where it's at... right? RIGHT!?
September 25, 2010 11:49PM
So "all" we need to do is find the OTP then? :p
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 12:01AM
Good luck with that. The OTP is part of the Starlet, which is part of the Hollywood. Here is a picture of the Hollywood, though it's really much smaller than this makes it appear.
Somehow I doubt that anyone is going to open that up, locate the Starlet inside of it, and then find the OTP inside of the Starlet. Even if you somehow manage to locate it, dumping the OTP is completely another matter. Doing it without irreparably damaging the wii is practically impossible.



Edited 3 time(s). Last edit at 09/26/2010 12:04AM by jbc007.
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 04:32AM
Awww, crap... really, crap, crap, crap T___T. And I was just about to discuss that same thing...

There are still a few more things I can possibly ask, before actually giving up on this promising idea/topic of mine (sigh):

Now, I'm still a bit baffled by the amount of keys the Wii requires for many tasks, but isn't there some sort of "master key" approach we could use?

Or in any event... aren't the keys encrypted somehow in the NAND also, so that if we somehow dump it using the programmer, we could submit said dump to software that could decrypt it somehow?

Regardless, there was something I think I missed completely with my posts... and that is the ability to actually inject back a working NAND dump without the assistance of bootmii. Is it possible...? I mean, I was doing research and going to great lengths to finding alternative ways of obtaining the keys, but I failed to think about the possibility of putting back a working NAND dump into the Wii "the hard way".

I'm kinda depressed now. -__-;;

EDIT: Doing some more research... I found a few interesting bits that might just be "our last hope". First is a FULL guide to using the infectus, which has A LOT more detail than the one quoted in the other thread:

[www.wiihacks.com]

It is, in comparison, a lot more complete. However, I only skimmed through it... and it explains with a little more depth the functions of the infectus. I think that it's possible to dump the NAND without the need of bootmii at all... but I wouldn't know if that dump would be of any use for us.

At any rate... remember my "software" proposal to obtain the keys from a NAND dump? This seems to be the answer:

[wiicrazy.tepetaklak.com]

If I'm not mistaken, this does indeed get the keys we're looking for (hopefully, NOT one of the other miscellaneous keys). And even then, according to some more research I've done, the keys are supposedly adhered to the very end of a NAND dump done via bootmii, and can be viewed through a hex editor.

This might not have been as great an informative news flash... but I'm trying to keep the flame of this dream of mine alive, heh.

I do hope I haven't lost any of you guys' attention.



Edited 2 time(s). Last edit at 09/26/2010 05:54AM by Magil.
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 06:22AM
Quote
Magil
Now, I'm still a bit baffled by the amount of keys the Wii requires for many tasks, but isn't there some sort of "master key" approach we could use?

No, the NAND encryption keys are unique to each wii. It will not accept any sort of "master key".

Quote
Magil
Or in any event... aren't the keys encrypted somehow in the NAND also, so that if we somehow dump it using the programmer, we could submit said dump to software that could decrypt it somehow?

I'm not sure whether the keys are stored somewhere in the NAND (though I kind of doubt it). However, it doesn't matter. They certainly would be encrypted, and without the keys, the NAND FS can not be decrypted.

Quote
Magil
Regardless, there was something I think I missed completely with my posts... and that is the ability to actually inject back a working NAND dump without the assistance of bootmii. Is it possible...? I mean, I was doing research and going to great lengths to finding alternative ways of obtaining the keys, but I failed to think about the possibility of putting back a working NAND dump into the Wii "the hard way".

It is entirely possible. This is the best method to repair boot1c+ wiis. Of course, you must already have a NAND dump from the same wii for this to work. Otherwise, if you somehow have the keys, a NAND dump can be converted to work on said wii with Betwiin.

Quote
Magil
EDIT: Doing some more research... I found a few interesting bits that might just be "our last hope". First is a FULL guide to using the infectus, which has A LOT more detail than the one quoted in the other thread:

[www.wiihacks.com]

It is, in comparison, a lot more complete. However, I only skimmed through it... and it explains with a little more depth the functions of the infectus. I think that it's possible to dump the NAND without the need of bootmii at all... but I wouldn't know if that dump would be of any use for us.

That guide is better than the one I found. The NAND can be dumped with an Infectus, as this guide explains (or at least I think it does, I don't have time to read through it). This would not be beneficial to repair a bricked wii, however.

Quote
Magil
At any rate... remember my "software" proposal to obtain the keys from a NAND dump? This seems to be the answer:

[wiicrazy.tepetaklak.com]

If I'm not mistaken, this does indeed get the keys we're looking for (hopefully, NOT one of the other miscellaneous keys). And even then, according to some more research I've done, the keys are supposedly adhered to the very end of a NAND dump done via bootmii, and can be viewed through a hex editor.

I'm not quite sure how that works, and the download link is broken. However, there is no way it could help fix a bricked wii with boot1c+. If it is software that runs on the wii, there is no way to run it on such a bricked wii. If it is anything else, it couldn't get the keys anyway.



Edited 2 time(s). Last edit at 09/26/2010 06:24AM by jbc007.
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 07:06AM
Ummm... right. The download link doesn't work, but upon quickly googling, I found this on wiibrew: [wiibrew.org]

However, this one pertains to an older version, compared to the one contained in the link I gave. And in essence, and according to Wiibrew, keys are used to sign save games so that they can be used on other Wiis.. or at least, that is what I could grasp (source: [wiibrew.org])

As far as I'm concerned, the KEYS are somewhere in the NAND. I know it's a bit hard to believe, but that is what I choose to believe for now. And I KNOW I read it somewhere just a few hours ago... but I have to retrace my steps carefully in order to link you to my proof.

I feel we're getting somewhere, people. Let's keep our fingers crossed.

... I know I've been kinda lazy today. I haven't made such good and informative posts like the past few days, but that's because weekends are kinda iffy for me... what, with me not being on my own laptop and all. But I'll be fixing my laptop sometime Monday or Tuesday this week, and then I'll be working full throttle.



Edited 1 time(s). Last edit at 09/26/2010 07:11AM by Magil.
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 07:58AM
That program is a PC utility for extracting and packing game saves. It requires a key dump from XYZZY or Bootmii, but that is it. It is not useful for brick recovery or key extraction.

Some keys are on the NAND (the common key is included in each IOS, IIRC), but I'm not sure that the NAND encryption key is. Again, if you are able to read that key from the NAND, you already have the key since it was needed to decrypt the NAND in the first place.

By the way, if you have not seen it yet, you may be interested to read Bushing's old Keys article.



Edited 1 time(s). Last edit at 09/26/2010 07:59AM by jbc007.
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 10:30AM
With that tool, you can extract SOME keys from a savegame, but not the ones needed to decrypt/encrypt a NAND FS. To get those keys, you must either make a BootMii NAND dump or xyzzy key dump (xyzzy is now outdated and redundant. BootMii is now the preferred way to get keys, which can be obtained via BootMii/IOS or BootMii/boot2)
Re: Masonry is where it's at... right? RIGHT!?
September 26, 2010 10:51PM
Yes... or so I've read over and over again. Sigh...

I guess I might've come out as a noob with baseless theories and stupid ideas in the end. But let's look at it this way: we have a way to save the box with the lock (dumping NAND with infectus). As long as we have that lock, we can try shoving sticks and molding clay 'till we find the way we can pop open this lock.

So in light of this... I'd like to request that anyone who's interested in doing this somehow write a program that allows us to obtain a key for any NAND. I'd do it myself, but I'm a lot more methodical, and to be blunt, have no idea how to program. On the other hand, I'm extremely rusty with mathematics (haven't taken anything on that subject for well over 4 years now).

If anyone makes any groundbreaking discovery, feel free to post. I'm gonna try something... crazy... and depending on whether I rekindle this dream of mine, I'll post about it or not.