HackMii

Notes from inside your Wii


BrickMii?

April 26th, 2008 by bushing · 56 Comments

A lot of stuff has happened lately, and I haven’t written in a while.   VC piracy has (as expected) flourished, and we’re still waiting to see what form Nintendo’s reaction will take — at least, I don’t really feel like releasing any code until I see what happens.

So, I’ve stepped back and am working on another problem — well, I was sort of forced to.

Bricks as seen in the “scene” come in two forms — “full-brick” and “semi-brick”.  Both are the result of installing updated System Menus from discs that came from other regions.  (Tsk, tsk.)

A “full-brick” Wii displays an Opera error message instead of the “warning” screen when the Wii boots — it does not even check the disc drive for a disc before displaying this, meaning it is impossible to fix this using software.

ScreenSave.html error = \

A “semi-brick” Wii is similar, but it allows you to boot the system to the main menu, and play games, etc.  However, you can’t get into the Settings menu (to enable WiFi, update the software, etc), because when you do, you are presented with a similar screen to above (but I can’t find any pics online) — however, instead of ScreenSave.html, it’s Settings.html.

[Thanks to H. for the below picture:]

Let’s take a look at why this happens.  What’s this ScreenSave.html?

If you ever have the fun opportunity to select “Format System Memory” when the Wii boots up, you’ll be presented with this screen — *before* the “warning” screen:

Initial Settings screen

After this screen, you are then given a few screens that ask you to select a region, a console name, and some other settings — one of which is this screen:

Burn in settings

I don’t have a picture handy, but before you are shown this screen, you get one with a message that says “Your Wii console has a screen burn-in reduction feature. To use it, activate it in Wii Settings.”

the famous screensaver.html

After you finish this series of configuration steps, it will finally show you the “warning” screen.  This is notable because this all happens before the warning screen loads.

These html files are all stored inside an archive inside the System Menu content storage.  Here’s the stupid part:

Each region has its own version of the System Menu (1-2).  For example, the newest versions of the System Menu available are v. 288 (NTSC/J), v. 289 (NTSC/U) and v. 290 (PAL).  The only difference between those three versions is two files — the main executable for the menu (a .DOL file, more or less) and an ARC archive that stores compressed versions of the HTML / image resources.

All of this is fine and good, but why put them in separately named directories (e.g. EU/EU/GER/Setup/ScreenSave.html above)?  The path name could always be the same because there are different files for each version.

So, there’s a specific path that the graphics need to sit at.  So, you’d think they’d hard-code a pathname like that into the code, right?  No…

The code’s pretty hard to tease apart, but they seem to be trying to determine the system region from the SYSCONF file, and then building up a pathname to load like so: sprintf(filename, "html/%s2/iplsetting.ash/%s/%s/ENG/Setup/ScreenSave.html", region, region, region).  This is so silly, because if they had hard-coded the path then the system would have booted just fine.

The code does this in slightly different ways in several places, and that must somehow be what distinguishes the semi-brick case from the full-brick case, although I don’t think that anyone really understands why some people end up with one and not the other.
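The failure described above, modelled in C as an added example (not code from the System Menu or from the author of this post). The archive listings and the region strings "EU" and "US" are constructed for illustration, and lookup_by_tail and safe_to_install are hypothetical helpers showing a region-independent lookup and a pre-install check.

```c
#include <stdio.h>
#include <string.h>

/* Format string quoted in the post; the region comes from SYSCONF. */
#define SCREENSAVE_FMT  "html/%s2/iplsetting.ash/%s/%s/ENG/Setup/ScreenSave.html"
/* Region-independent tail of the same resource (used by the hypothetical fix). */
#define SCREENSAVE_TAIL "/ENG/Setup/ScreenSave.html"
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed archive listings, one per regional System Menu. The region
 * strings "EU" and "US" are assumptions made for this example. */
static const char *const ARC_EU[] = {
    "html/EU2/iplsetting.ash/EU/EU/ENG/Setup/ScreenSave.html",
    "html/EU2/iplsetting.ash/EU/EU/GER/Setup/ScreenSave.html",
};
static const char *const ARC_US[] = {
    "html/US2/iplsetting.ash/US/US/ENG/Setup/ScreenSave.html",
};

/* Build the path the way the post describes it.
 * Returns 0 on success, -1 if the result would not fit in the buffer. */
static int build_path(char *out, size_t n, const char *region)
{
    int len = snprintf(out, n, SCREENSAVE_FMT, region, region, region);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Exact-match search of an archive listing; NULL when the entry is absent. */
static const char *arc_find(const char *const *arc, size_t count,
                            const char *path)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(arc[i], path) == 0)
            return arc[i];
    return NULL;
}

/* Fragile lookup: the path depends on the console's SYSCONF region, so it
 * only resolves when the installed archive belongs to the same region. */
static const char *lookup_region_derived(const char *const *arc, size_t count,
                                         const char *sysconf_region)
{
    char path[128];
    if (build_path(path, sizeof path, sysconf_region) != 0)
        return NULL;
    return arc_find(arc, count, path);
}

/* Hypothetical region-independent lookup: each archive holds one region's
 * tree, so the resource can be found by its fixed tail alone. */
static const char *lookup_by_tail(const char *const *arc, size_t count,
                                  const char *tail)
{
    size_t tl = strlen(tail);
    for (size_t i = 0; i < count; i++) {
        size_t el = strlen(arc[i]);
        if (el >= tl && strcmp(arc[i] + el - tl, tail) == 0)
            return arc[i];
    }
    return NULL;
}

/* Hypothetical pre-install check: refuse a System Menu whose archive the
 * region-derived lookup could not resolve on this console. */
static int safe_to_install(const char *const *candidate, size_t count,
                           const char *sysconf_region)
{
    return lookup_region_derived(candidate, count, sysconf_region) != NULL;
}

int main(void)
{
    const char *hit;

    /* Matching region: the resource resolves and the menu boots. */
    hit = lookup_region_derived(ARC_EU, COUNT(ARC_EU), "EU");
    printf("EU console, EU menu: %s\n", hit ? hit : "NOT FOUND");

    /* Wrong-region menu installed: the derived path does not exist. */
    hit = lookup_region_derived(ARC_US, COUNT(ARC_US), "EU");
    printf("EU console, US menu: %s\n", hit ? hit : "NOT FOUND");

    /* The same archive still contains a usable ScreenSave.html. */
    hit = lookup_by_tail(ARC_US, COUNT(ARC_US), SCREENSAVE_TAIL);
    printf("tail lookup, US menu: %s\n", hit ? hit : "NOT FOUND");

    printf("install US menu on EU console? %s\n",
           safe_to_install(ARC_US, COUNT(ARC_US), "EU") ? "ok" : "refuse");
    return 0;
}
```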

Still, a semi-brick is better, because it will still boot discs, meaning that there is still some hope for a fix.  If you can find a game with a newer version of the system menu in its update partition, then you can run it, and it will automagically fix things.  However, this requires a wait of several months until one comes out.

A friend came and asked me if I could help him figure out how to fix a “semi-brick” Wii, manually.  All that needs to happen in this case is we need to install a newer version of the System Menu WAD.  There are a number of ways to do this, and unfortunately I picked the wrong one.

Marcan had written some test code that can manually load the System Menu, and I modified it to try to patch the System Menu enough to get into the Settings screen by correcting the pathname.  My theory was that then we could use that to have the Wii update itself using its own internal code.  This had to be safest, right?

Well, now we have:

Looks like I just bricked a Wii.  The owner was kind enough to send me the Wii so I can try to unbrick it — this is not currently possible, but I think we now know enough to do it using an external NAND flash programmer and a bunch of software which I need to write.

The bright side of this, if there is one, is that I’ve been wanting to address the “bricking problem” for a long time, and now I have a perfect test subject to work on.

More about my plan of attack in my next post.

Tags: Wii

56 responses so far ↓

  • 1 Odb718 // Apr 26, 2008 at 5:48 pm

    Good luck with it.
    Hopefully this process will be far too complicated for the average idiot that bricks their wii through piracy.

  • 2 Nobody // Apr 26, 2008 at 8:57 pm

    It looks like a NAND backup is in my future. Keep up the good work, Bushing.

    I do feel sorry for people who brick their Wiis though. It’ll most likely involve a delicate soldering job, and the average joe just can’t handle that.

  • 3 LittleStevie // Apr 27, 2008 at 3:39 am

    hi bushing
    something that I have noticed is that if you put a disk in on a full brick and boot it up, it spins up and authenticates but doesn’t seem to change the graphic interface. I have done this with a D2C with D2C key installed and an autoboot patched game (don’t worry, not pirated). It’s like the wii is expecting a specific TMD or something like that (watching the lights on the D2C mod I can see that it is patching the disk authentication). I do not know if this is any help to you at all but it might be some help.

    thank you for reading, and I hope you can come up with an unbricking solution. although another part of me hopes that you don’t if nintendo activate a new patch which bricks wiis with pirated VC channels.

    LittleStevie

  • 4 Phredreeke // Apr 27, 2008 at 6:29 am

    Interesting read as always :)

    A “full-brick” Wii displays an Opera error message instead of the “warning” screen when the Wii boots

    So the warning screen is stored on the Wii as a regular webpage? Could we replace that file and get something a bit more interesting when we boot the system?

    although another part of me hopes that you don’t if nintendo activate a new patch which bricks wiis with pirated VC channels.

    That’s a bit harsh I think. I don’t care if it unbricks a hundred pirates’ consoles if it lets us just unbrick a single legit one. Besides I don’t think Nintendo would do something like that anyway, imagine the bad PR they’d get.

  • 5 LittleStevie // Apr 27, 2008 at 7:22 am

    @phredreeke
    I understand that I may have sounded harsh, but having said that, 90% of wiis that I have seen that are bricked (I work in an unauthorised console repair shop) have been from piracy. people download games then run them causing these bricks to happen (2 out of the 20 have been on legally owned games). as for bricking for pirating VC games won’t get them in any trouble at all, 1) they warn that an update can cause the console not to work for any mod that is detected (I am going to call VC piracy a mod for lack of a better word as it is a softmod) and 2) people who scream “teh big N screwed me and bricked my wii” will be shunned by the community in general, as piracy is looked down on in quite a few circles, and is 100% illegal so screaming for action by VCAT (victorian small claims court {I live in australia}) or similar would be a dumb move.

    LittleStevie

  • 6 Phredreeke // Apr 27, 2008 at 8:31 am

    Legal or illegal, it would give them a lot of bad rep. Besides, I don’t see much point in it. I think the process is too complicated and “scary” for the average joe. Those people who understand the process will probably be smart enough to avoid Nintendo’s updates anyway.

    I think Nintendo should put out an official homebrew channel (with reasonable limitations, for example no direct access to NAND), then the Wii scene wouldn’t have an incentive to make a downgrader.

  • 7 HcC // Apr 27, 2008 at 11:39 am

    Some people have morals but don’t like buying games they play for 10 minutes and never touch again, especially with all the garbage that’s come out for the wii. Anyway this shouldn’t be a debate about piracy, it will be good if there’s a brick fix so we don’t have to be scared to try stuff.

  • 8 Christopher // Apr 28, 2008 at 12:48 am

    It would be fantastic if you ranted more often about how the Wii works, the bricks and whatnot, it’s really interesting and written in a very “friendly” way.

    It’s great for us non coders, but still tech enthusiasts to be able to know what’s really going on with the system.

    Obviously, I guess you can’t really reveal too much, otherwise the efforts would go down the drain.

    Anyways, just leaving my 2 cents here, keep at it, and hope to see a little more info.

    Greetings from Chile!

  • 9 bushing // Apr 28, 2008 at 2:16 am

    @LittleStevie: Re: disc authentication. The only “special” disc recognition I can find in the System Menu is BS2IsDiagDisc(), which checks to see if the first character of the disc is ‘0’ or ‘1’ (what we’d call an ‘autoboot disc’). I’ve tried this with the bricked Wiis, but to no avail.

    Re: bricking vs piracy (VC, import, or otherwise) — I admit that the idea of bad people bricking their Wiis by doing bad things has some schadenfreude value. However, I don’t really think it’s a good idea for us to start judging people and deciding who “deserves” to have a broken Wii. Rather, I think that the Wii is a beautiful piece of hardware, and a broken Wii is a tragedy. It doesn’t matter why or how.

    Nintendo has shown no sign of planning to brick Wiis — it would be phenomenally stupid for them to do so. Remember, Nintendo does not have any way of telling how a random Wii got bricked — they have no better way to peek into a Wii than we have. People with chips don’t generally send their units in for warranty service, because most of them show obvious signs of physical tampering. The same would not be true for any VC hackery, etc, on an unmodded Wii. They’d be forced to just replace those units, because it would be cheaper to replace the main board on a Wii than to spend the time necessary to prove that the Wii was bricked through piracy.

    Hell, Nintendo has already written code that can detect modchips (sort of). I think they would even be able to get away with placing that code in the main System Menu, which would mean that chipped Wiis would refuse to boot — until you took the chip out. They haven’t even done that yet, so I don’t see that changing.

    @ Phredreeke: Yes, in theory we could replace the opening screens in the System Menu. Odb718 asked about this (more or less) in the comments in http://hackmii.com/2008/04/wii-system-software-a-guided-tour/. The problem is that patching the system menu is currently so risky that there’s almost nothing I can think of that would justify the risk — certainly nothing cosmetic.

    That’s another reason that the fragility of these units affects more than pirates — it prevents us from doing a lot of neat hacks to the system software. This is why we need to solve all of these problems at once.

    @Christopher: Okay, I’ll try to rant more often, thanks. :)

  • 10 Phredreeke // Apr 28, 2008 at 2:38 am

    Hell, Nintendo has already written code that can detect modchips (sort of).

    Are you referring to the SMG copy protection? It doesn’t detect the actual mod chip, merely whether the disc is a burned disc or original (and most mod chips got new firmwares now that pass this protection). Or is there a new copy protection that I haven’t heard about?

  • 11 bushing // Apr 28, 2008 at 3:23 am

    Yes, I’m referring to the SMG / “Error #001” thing. It detects 2 things:

    * The actual size of a real DVD is slightly different than the size of a DVD-R (so yes, this is the “burned disc” check)

    * Incorrect response to one of the drive commands

    See http://www.openwii.org/forums/viewtopic.php?p=3382#3382 for more details. Anyway, that’s all tangent to my point, which was just that if Nintendo were to start increasing their security, they’d probably start there.

  • 12 crediar // Apr 28, 2008 at 3:35 am

    the SMG protection did two simple checks where drivechips returned incorrect values. Original discs still worked because most (all?) drivechips don’t patch anything when an original game is detected.

    There are some yet unused DI cmds which can be used to check if a disc is an original or burned, ie. read the BCA.
    There are also some other ways to generally detect chips, Nintendo could lockout drivechip users any time.

  • 13 Phredreeke // Apr 28, 2008 at 4:40 am

    There are some yet unused DI cmds which can be used to check if a disc is an original or burned, ie. read the BCA.

    Microsoft did something similar with 360 discs. Read back an incorrect stealth sector and you’re banned from Live. Pirates solved it by making the firmware read the stealth sector from a burnable area from the disc.

    There’s no perfect copy protection, just ways to slow piracy down. One might argue that slowing piracy down is better than not doing anything at all, but you have to weigh in the costs of applying such measures as well.

  • 14 Nuke // Apr 28, 2008 at 4:41 am

    cool stuff, keep up the good work. I’ve linked your blog from my site.

  • 15 Tino // Apr 28, 2008 at 5:48 am

    Two thoughts:

    How about the ‘maintenance mode’? (Google for “Wii Maintenance Mode”) Does that alter the startup procedure in any way? Maybe it is related to the ‘autoboot’ feature?

    For semi-bricked Wiis: if you still can write to the filesystem via e.g. the Zelda hack, couldn’t you insert the missing files? Just copying whatever from *ENG* to *GER* for example? (And if that works, perhaps it could be done as a precaution on non-bricked Wiis?)

  • 16 Phredreeke // Apr 28, 2008 at 5:51 am

    The only thing maintenance mode does is temporarily disable the Wii message board (so technicians can verify a Wii as working without invading the owner’s privacy)

  • 17 gamidi // Apr 28, 2008 at 12:00 pm

    From peeking inside the systemmenu code, do you believe that it is possible to completely change the region of a wii? Like turning an ntsc-j to ntsc-u wii? What causes the wii to detect the other region systemmenus as invalid and bring these errors?

  • 18 Christopher // Apr 28, 2008 at 6:50 pm

    Bushing, there’s something that is worrying me a little..

    Now with the homebrew in all its awe, it’s only a matter of time before someone releases a malicious piece of code, which can lead to full bricks (like a virus, minus the propagation, and I’m sure this has happened on the NDS and PSP scene), any measure we can take (besides the, “do not install every piece of soft that you come by”) to prevent this?

    I know you guys are working on some kind of custom firmware that I guess would address this issue, but from what I read, it’s more or less a trivial issue what’s causing the bricks, isn’t it? So, only patching up what’s causing it, is it more complicated than it seems? (I’m guessing the answer is yes)

    I’m also interested in knowing what exactly happens when you connect to the Wii Shop Channel and download for instance VC games.

    I’m not talking about pirating those games, but wouldn’t it be possible to simulate the same format that the VC games have, the requirements for it to be installed on the Wii, set up some sort of server on a PC (simulate the same environment than that of the Shop channel), access through Opera and download VC homebrew games directly?

    Heh. like a Homebrew “shop” channel.

    I know most of it it’s probably 10x more complicated than what I’m saying, but I couldn’t find much info on the subject.

    I’m guessing there’s some sort of ultra secret-top-encrypted-protocol-thing going while you communicate with the shop channel, but like I said, I didn’t find much info about it on the Wiki of Shop Channel.

    I know you guys already have a fully functional method working and all, and if it works, why fix it, but this comes mostly from curiosity (but besides that, you can’t deny it would be wicked to have it set up like that)

    Cheers, and I demand more updates to the blog!

    PS: Oh also, I’m a pretty decent pixel-artist, so if you ever need some graphics or whatever, give me a shout, maybe I can help out.

  • 19 LittleStevie // Apr 28, 2008 at 6:55 pm

    @Bushing: That is interesting about the disk recognition only seeing a “0” or “1” for the “autoboot”, the main reason I brought this up is because the wii I was running was bricked with the SMG update and while it didn’t totally load it did auth and do the same amount of reading of the disk as just before the game launches on a normal wii. Thanks for clearing this up, I knew it was a 50/50 shot but worth taking a gamble on mentioning.

    LittleStevie

  • 20 Jake // Apr 28, 2008 at 7:31 pm

    This is great, please update more.

    I mod consoles for clients. What they do with their modded consoles is none of my business, but it’s really interesting to see the possibilities that are opening up.

    LittleStevie, What are the odds that Wii homebrew dev will get to the point that the original XBox is at? ie: full media management/emu/home networkability/added storage?

    I know it’s a huge question, but you’re the first person I’ve had the chance to ask who might be able to make a reasonable prediction.

  • 21 Poole // Apr 28, 2008 at 8:41 pm

    Most ‘real’ pirates would never brick their wii. It’s usually the unsuspecting people and very casual gamers who ask ‘whats a rar file’ in torrent comments 8)

    I don’t even play games on my wii anyway, just waiting for the scene to get to where it is on the DS 8)

  • 22 LittleStevie // Apr 28, 2008 at 8:53 pm

    @Jake: I would suggest possibly asking bushing on that one, as far as I’m aware we would require a CFW (ala psp) to be able to do this as things like usb Hard Disk support would be required in the IOS (bushing feel free to correct me on this if I am wrong), where I get this feeling from is that the wii linux POC uses the usb keyboard support within one of the IOS’ for this implementation. As for the media support I have already seen some good progress in front of me with the likes of the talented people who made the mp3 player. Now while the machine is nice (the wii) it’s not going to be much of an upgrade on the xbox due to the standard definition outs and low spec hardware (that runs great for what it is) the main additions are a motion sensing controller, SD card support and native usb ports (the xbox controller ports were a proprietary usb port connector while the backend still was OHCI compliant)

    LittleStevie

  • 23 bushing // Apr 28, 2008 at 9:41 pm

    @Christopher: Yes, you’re right to be worried — there’s nothing stopping someone from releasing malicious code in the form of a “VC Cheat” program or something similar. A similar thing happened on the DS, I believe.

    This isn’t really any different than the dangers of installing random software on your computer. Except for the lack of any way of determining if something’s malicious, and the lack of a recovery mechanism, I guess.

    Eventually, I’d like to set up a software distribution system — something along the lines of the iPhone AppTapp installer (http://iphone.nullriver.com/beta/). Then, we could set up a real PKI system with trust and certificates and such. However, that’s still a ways off. First, we have to finish and release the Homebrew Channel, and we’ll go from there.

    Re: a spot-fix to fix the bricking issue — well, it’s possible we could fix the system menu to be more resistant to bricking — but this would be hard, because generally the way that the bricks happen is that people mistakenly install a new version of the System Menu, but for the wrong region. We can’t patch a menu that hasn’t been installed yet.

    @Tino: Maintenance mode is worthless.

    As far as modifying the file contents — it’s not *quite* so simple, because the HTML stuff is zipped up inside an “ARC” archive (something like a ZIP file). We could replace the entire set of files, but at that point it would be safer / better to just reinstall the menu entirely.

    @gamidi: I suspect that it would be possible to change the region of a console by editing /shared2/sys/SYSCONF, but this is not something I’ve investigated. Hm.

  • 24 LittleStevie // Apr 28, 2008 at 10:21 pm

    @Bushing: Yes a similar thing did happen on the DS but ever since Flashme has existed (I use flashme v8 nostealth for this reason only) there has been a recovery mechanism built into the custom bootloader’s bootblock. if I ever get hit by malicious code on my DS it can read a slot1 or slot 2 card for a program to reflash the DS back to operational mode. Now with a full nand backup wouldn’t it be feasible to start trying to include such a customisation with boot2? it’s good to hear you have an infectus now. hopefully you will be able to write a more stable operating program for it.

    LittleStevie

  • 25 Phredreeke // Apr 29, 2008 at 1:05 am

    a spot-fix to fix the bricking issue — well, it’s possible we could fix the system menu to be more resistant to bricking — but this would be hard, because generally the way that the bricks happen is that people mistakenly install a new version of the System Menu, but for the wrong region. We can’t patch a menu that hasn’t been installed yet.

    How about a custom System Menu that won’t install system menu or boot2 (as boot2 has the same signature bug as the old IOS versions, if Nintendo updates it we won’t be able to run our own custom system menu, and we would want to run our own boot2 anyway) from disc (updating the system menu would lose the custom features anyway) but still install new IOS files.

    For our own menu updates, maybe the system menu could have an option of updating from SD card?

  • 26 XboxGuru // Apr 29, 2008 at 2:18 am

    I’ve taken umbrage to calling playing of downloaded VC games piracy, since most of us own a ton of NES/SNES/N64/MegaDrive ROMS and are sat in a box in the attic. So you download a VC of one you already own – why on earth should you have to pay for it again? Don’t tarnish everyone with the same brush – just because the console may not work any more (or for some of us, the console has been passed on) but owning the cartridges should be sufficiently legal.

  • 27 Phredreeke // Apr 29, 2008 at 2:47 am

    Well, for one the VC game isn’t merely the game on the original cartridge. You own the (insert system here) game, but you don’t own the emulator to run it on Wii. If you want to run your games on the Wii without paying for the VC versions use a homebrew emulator instead.

  • 28 bushing // Apr 29, 2008 at 2:59 am

    @LittleStevie: Yes, the “end plan” is to hack a recovery mechanism into boot2. Easier said than done, but it’s probably the best option.

    @Phredreeke: Patching the system menu to block updates to boot2 / itself isn’t a bad idea — the only thing is we’d need to have a way to disable that block in case you do want to upgrade to a newer version of either of those titles.

    @XboxGuru: The case of playing games that you actually bought in cartridge form in an emulator (without paying a second time for it) is a moral gray area, and I’m not sure how I feel about it.

    However, if that’s all anyone did, I don’t think it would be that big of a deal. I’m more concerned with things like the “full VC collection” torrents that are floating around.

  • 29 LittleStevie // Apr 29, 2008 at 3:23 am

    @Bushing: I can see that it would be harder than just slap bang done. but as Phredreeke said isn’t the RSA bug also in boot2? meaning with a nand programmer such as infectus you would now be in a position where it would not be as “dangerous” to work on as if it gets bricked…. roll back evaluate what went wrong etc…

    LittleStevie

  • 30 Team-Gx » Wii Bricking Talk // Apr 29, 2008 at 6:25 am

    […] Source: HackMii […]

  • 31 dciso // Apr 29, 2008 at 10:16 pm

    “A friend came and asked me if I could help him figure out how to fix a “semi-brick” Wii, manually. All that needs to happen in this case is we need to install a newer version of the System Menu WAD. There are a number of ways to do this, and unfortunately I picked the wrong one.”

    LoL But we got it right the 2nd Time!!! Honestly I don’t think the 1st way was the wrong way. It was the combination of the 1st way and stuff we were unsure of. Now we know the 1st way did what it was written to do but didn’t do what it was expected to do.

    “@gamidi: I suspect that it would be possible to change the region of a console by editing /shared2/sys/SYSCONF, but this is not something I’ve investigated. Hm.”

    This is actually what I am working on at the moment. I am trying to see if I can turn NTSC-U Wii into the NTSC-J Wii. I am still playing around with other areas and testing NAND stuff but as bushing and a few others know there are a lot of issues with infectus software for use in this matter. I will say I have had some success but other projects are keeping me a little too busy still.

    “The bright side of this, if there is one, is that I’ve been wanting to address the “bricking problem” for a long time, and now I have a perfect test subject to work on.”

    LoL I have another one sitting here that I am also playing with but I do have a NAND dump to go with it making it a little bit easier :)

  • 32 bushing // Apr 30, 2008 at 3:48 am

    @LittleStevie: Yes, the RSA bug is also in boot2 — or, to be a bit pedantic, the bug is in boot1 (which cannot be patched in Wiis that have left the factory), which means that boot1 does not correctly verify boot2, which means we can patch boot2.

    So, yes, I’m in a position to start hacking on this — it’s still fairly difficult because it’s hard to get useful debug info out of this thing. Usually, it either boots and puts stuff on the screen, or … it doesn’t. We have some ways around that — maybe I’ll write about that next — but it’s still tedious work that won’t happen quickly.

    @dciso: You’re just too chill for your own good — most people would have been positively livid if some random dude on the internets bricked their Wii. :) As far as the Infectus software goes, yes, I no longer feel bad saying it’s shite — it’s broken in some very fundamental ways. (See e.g. http://www.infectus.biz/forum/index.php?topic=1690.0).

    I have a fairly primitive tool I wrote by reverse-engineering their USB protocol, so I can now dump and program my Wii’s NAND from my Mac. It uses libusb, so it should work on Linux machines and probably Windows too… sounds like maybe I should GPL it and throw it up somewhere. It’s not pretty code, but it sounds like it would help you and at least half a dozen other people out there, so …

    So many projects, so little time …

  • 33 Phredreeke // Apr 30, 2008 at 4:13 am

    Isn’t not knowing the NAND key a big hurdle? You’ve got the encrypted NAND on your computer, but without the key I don’t see what you can do with it? boot1 is the same (for now, but they can change it for future Wii units) so could that be taken advantage of by attempting a known-plaintext-attack?

  • 34 LittleStevie // Apr 30, 2008 at 4:39 am

    @bushing: I have been helping a friend try to write to an equivalent NAND as a replacement for the wii so if anything ever should go wrong there is a backup and his problem is identical to the problem that ZeoNix from the infectus forums is having.

    I also have an infectus and am trying to get hold of a bricked NTSC /u wii that I know of for experimental purposes (in fact this is that wii at work that I was talking about earlier). and a GPL’d code for infectus programming modes would be nice (I personally dislike windows even with a core2duo and 2 gig of ram vista is dog slow) but I am forced to by infectus for xbox360 downgrades and other work I do on it lol.

    LittleStevie

  • 35 bharter // May 1, 2008 at 10:35 am

    I make backups of ALL of my boys games. There are 2 reasons for this. 1) I don’t have to worry about the originals getting damaged. 2) I don’t have to worry about the neighborhood kids stealing the games because they won’t work on the consoles at home. This works so well that when the kid next door broke in, even though he had his own game console, he stole 1 of mine. Needless to say, he got busted.

  • 36 bushing // May 2, 2008 at 4:50 pm

    @Phredreeke: Yes, not knowing the keys is a problem. The current plan of record is to use a hacked boot2 to extract the keys from a console — tmbinc was able to do this with his NAND flash emulator (http://debugmo.de/?p=59), and I “simply” need to make that work without an emulator. In the mean time, I have my Infectus hooked up to a Wii for which I know the keys — this way, I can work on these two problems separately.

    @LittleStevie: Ok, I’m releasing the code shortly, that will probably be my next post here.

  • 37 Phredreeke // May 3, 2008 at 8:49 am

    The current plan of record is to use a hacked boot2 to extract the keys from a console

    But isn’t boot2 encrypted with a console specific key? How do you encrypt your hacked boot2 without knowing the console’s key?

  • 38 Kirtaner // May 3, 2008 at 8:22 pm

    I have a semi-bricked Wii, not through any of the usual accidents, I left my Wii alone for 2 weeks, turned it on, and was greeted by “The System files are Corrupted” after the warning screen.

    Autobooting discs will still boot, however. I don’t know if I can wait for a game with a new systemmenu patch and autoboot it, and I might be waiting for a while. If you want to use me as a guinea pig then go right ahead.

  • 39 bushing // May 4, 2008 at 12:08 am

    @Phredreeke: No, that’s the only reason this will work. boot1 and boot2 are bit-for-bit-identical on all Wiis. We can’t modify boot1 because it is checked against a hash permanently burned into the Hollywood, but boot2 is just like any other WAD — encrypted with the common key, and signed in the same broken fashion as everything else. Tmbinc was able to patch boot2 to extract the keys.

    @Kirtaner: I may have a solution for you. What region is your Wii? NTSC?

  • 40 Mark // May 4, 2008 at 12:16 am

    It’s great to see things progressing so fast! I hope some sort of fix becomes available soon for semi-bricked Wii’s, but I’m so glad that there are other things being worked on apart from new ways of playing pirated VC titles.

  • 41 LittleStevie // May 4, 2008 at 1:12 am

    @bushing: is a boot2 hacked to expose these keys and “unbrick” a wii going to be released publicly or is it one of those tools that’s in a grey area because of nintendo copyrighted code?

    LittleStevie

  • 42 Wii-Scene - La Mejor Comunidad de Scene de Wii» Blog Archive » Bushing talks about Bricks // May 4, 2008 at 2:16 am

    […] in this article you can read more about the various ways there are to brick your Wii and solutions for how […]

  • 43 jan777 // May 4, 2008 at 6:08 am

    @bushing

    in the future will you be able to change the ntsc j’s language to english?

    like replacing the arc files with the english ones?

    i hope you also work in a project like this

  • 44 malcy // May 4, 2008 at 1:45 pm

    @ Bushing I think I have the solution to unbrick the Wii. I think you are looking in the wrong places. Have you thought about trying to change the address in the two batteries in the wiimote??. It worked on the PSP. Only joking lol.

    Just a message to say keep up the good work that you do. You are the god in my eyes of the Wii scene and your work is truly amazing. Good luck with this project; your explanations are second to none. Kind regards.

  • 45 Jojojohnson // May 4, 2008 at 4:13 pm

    Hey, nice article on bricking and the problems we’re currently facing. I had an idea while looking at these: could it be possible to have some kind of set Wii boot loadup, possibly one for each firmware, and be able to use that to boot it up? I know you mentioned that using the USB port would take too long as there are no existing codes for it, but I was wondering: what if you were to use the computer instead and somehow directly connected it to the Wii, so as it can understand it and circumvent the booting from the Wii to the PC? This way, at least there will be a way to somehow unbrick it. I know a similar method is used on CycloWiz, but it’s more complicated and it only works with their chip. Do you think there could be some universal connection (maybe besides USB) that could open it up? I was thinking of some other ideas, but I can’t think of them at the moment. Well, good luck, and I’ll post up any new ideas I might get. Sorry if you guys already decided all of these ideas are already useless.

    Jon

  • 46 bushing // May 4, 2008 at 9:28 pm

    @malcy: Thanks for the kind words!

    @Jojojohnson: The big problem is we don’t have any way of writing code to let you pick a “backup” or “alternate” bootpath. One of the biggest obstacles there is that we have no way of getting any input from the user. I’d love to make it so that you could hold down the reset button (for example) while booting the Wii to make it enter a recovery mode — but we don’t even know how to detect the reset button from IOS code. The same goes for a GameCube controller (or pretty much anything else).

    Although it seems tempting, the idea of using USB to connect between the computer and the Wii (without some special-purpose device like the USBGecko) is a dead end. The Wii is a USB Host, as is your computer. There’s no way to connect two USB Hosts together.

    We’ve looked very hard for special ports on the Wii board — JTAG, serial, etc — and still have found nothing :(

  • 47 Newbie // May 7, 2008 at 7:47 pm

    “The Wii is a USB Host, as is your computer. There’s no way to connect two USB Hosts together.”
    Actually, there is: http://www.datapro.net/products/usb-2-0-host-to-host-cable.html
    Or just google for it.

  • 48 Newbie // May 7, 2008 at 8:20 pm

    In case you need source code:
    http://www-oss.fnal.gov/projects/fermilinux/common/class/advanced-admin/usbdevices.html
    The page is quite big, just search for “USB host-to-host” string

  • 49 bushing // May 8, 2008 at 5:13 am

    @Newbie: It looks like those cables act like Ethernet adapters — they’re passing Ethernet frames over USB.

    Why not just get a USB-ethernet adapter for the Wii?

  • 50 Newbie // May 8, 2008 at 11:46 am

    “It looks like those cables act like Ethernet adapters — they’re passing Ethernet frames over USB.
    Why not just get a USB-ethernet adapter for the Wii?”

    You do have a Wii driver for SD card (with low footprint), and the one for USB-ethernet adapter gotta be in IOS somewhere too. No clue on its size… Not sure either how difficult it is to transmit/receive block(s) using the driver and something like a TFTP server on PC, but having that would be absolutely fantastic! :-)

  • 51 boot0 // May 31, 2008 at 5:26 am

    […] This post is part of a several-part series on fixing a “bricked“ Wii: […]

  • 52 amoxiflash // Jun 1, 2008 at 3:25 am

    […] A friend whose Wii I bricked was kind enough to hook me up with an Infectus chip to use as a NAND Flash programmer in my UnbrickMii project. I’ve spent the last couple of weeks just trying to get it to work, and have run into several, um, speedbumps along the way. […]

  • 53 Tita // Jun 12, 2008 at 8:15 am

    My Wii turned to semi-brick after I accidentally pushed the register button on Wii number. My Wii settings show an error like you describe it, “semi-brick”. Need help.

  • 54 Wii Semi-Brick | Nineteen Labs // Jun 16, 2008 at 9:12 pm

    […] What is Wii Semi-Brick. Guys from hackmii.com explain it, the result of installing updated System Menus from discs that came from other regions. Semi-brick displays an Opera error message, allows you to boot the system to the main menu, and play games, etc. However, you can’t get into the Settings menu (to enable WiFi, update the software, etc), because when you do, you are presented an Opera error message. You can read their explanation here […]

  • 55 Reow // Jul 29, 2008 at 9:32 pm

    “If you can find a game with a newer version of the system menu in its update partition, then you can run it, and it will automagically fix things.”

    I’m just guessing here, but this probably works by comparing version strings right? e.g. your system has version 1.0, the disk has version 1.1 so it installs. if you have 1.1 or 1.2, it won’t install.

    If this is the case, is it possible to edit the version string in an existing version (if your Wii supports burned disks)? e.g. download/load a game with the latest version of the firmware for your correct region onto your PC. Modify the version string that says 1.1 so that it says 1.2. Burn the game.

    The reason that I am asking is because I am considering the following scenario… You have version 1.0 on your system, you play an overseas game with version 1.1 included and your console gets semi-bricked. You perform the above process so that you now have a game that claims to have firmware version 1.2 (it’s really just 1.1), you play this and your console gets unbricked.

    Ignore for the moment that when you want to install version 1.2 you are going to have some issues – I’m sure unbricking your console a few months early is worth the extra effort. Is the above plausible or simply too difficult?

  • 56 business » Blog Archive » Wii Semi-Brick // Sep 6, 2008 at 9:02 am

    […] What is Wii Semi-Brick?. Guys from hackmii.com explain it, the result of installing updated System Menus from discs that came from other regions. Semi-brick displays an Opera error message, allows you to boot the system to the main menu, and play games, etc. However, you can’t get into the Settings menu (to enable WiFi, update the software, etc), because when you do, you are presented an Opera error message. You can read their explanation here […]
