HackMii

Notes from inside your Wii


amoxiflash

May 5th, 2008 by bushing · 40 Comments

As promised:

A friend whose Wii I bricked was kind enough to hook me up with an Infectus chip to use as a NAND Flash programmer in my UnbrickMii project. I’ve spent the last couple of weeks just trying to get it to work, and have run into several, um, speedbumps along the way.

  • No Mac or Linux support. This one wasn’t really a surprise, but is still frustrating.  That’s what VMWare is for, I suppose, and there’s always my old, shitty Dell laptop.
  • Inflexible programming.  You basically get a “Program firmware” and a “Dump firmware” command.  There is no way to specify a range of bytes to program. 
  • “Erase” command is broken.  It only erases half of the chip, twice.  I’m not sure how anyone has actually managed to use this to restore a Wii dump 🙁
  • Verification is, too.  There’s a “write verify” option, but it always fails when trying to program a Wii chip.  Apparently, it does not correctly handle large-block flash chips, meaning that it tries to write 512 bytes, and then verify 2048 bytes, and then refuses to program any further.
  • Provided software makes permanent, irreversible changes to device. When you install the 0.0.3.9 software available from the Infectus site, it reflashes the firmware inside the SiLabs MCU that serves as the USB interface to the Actel chip.  This means you can no longer use any older versions of the Infectus Programmer software.  Well, I hope this version is a good version, then!
  • It’s not.  It locks up whenever you try to select the NAND Programmer option.  Oops.   (It turns out that you can work around this by selecting the “Timing Attack (Homebrew)” option, and then restarting the program — but this is hardly obvious, and you still run into the problems listed above.)
  • Non-existent documentation.  I’m a DIY sort, so I don’t need much — however, there is a fine art to reprogramming a flash-chip, in circuit, while the host system is still running.  Some of the other pages on the Infectus site give directions for other consoles (“start a game and press pause, then program the chip”), etc.   None of this was given for the Wii, which left many people guessing on their message board, and as far as I can tell nobody has gotten it right.

The last problem is probably the most pernicious, because it means that any dump taken with the Infectus has a high likelihood of being corrupted, and the only way you’ll find this out is if you try to write the dump back to your flash chip and boot your Wii.  Of course, if your dump IS corrupted, then you’ve just bricked your Wii, because there is currently no way to obtain compatible flash chips that you could use as spares.   (If you know of a source, please let me know!)

So, what to do?

First, let me gather my courage and show you the way I ended up installing the chip in my test Wii (not yet the bricked one):
(Photo: Infectus install in Wii)

The key thing here is that little push-button — connected between D0 and ground.  If you power on the Wii, even if nothing appears on the screen, the Starlet will still start up and write to your NAND flash.  It does this every few minutes.  If this ever happens while you’re trying to read or write to the flash chip, your dump is toast, and the contents of the flash may be corrupted.  It is NOT enough to just remove the BT or Wifi modules to keep the thing from booting.

Instead, follow this sequence:

  1. Plug in power cable to Wii.  Observe power light coming on (red or orange LED).
  2. Hold down special pushbutton to short D0 to ground.
  3. Press Power button on front of Wii — watch LED turn green.
  4. After LED turns green, release D0 button.  You only need to keep that button held down for maybe half a second.

When the Wii turns on and the LED goes green, boot0 will run and it will try to load boot1 from the NAND flash.  If you hold down D0, it will fail, and everything will halt; this will keep power applied to the NAND flash chip, but it won’t try to access the chip.

You’re now most of the way there — at least, electrically.   (If you look closely, I had to add a second ground wire to the bottom-right of the Infectus chip — I explained why here.)

However, there’s still the problem that the software is entirely broken, and doesn’t even work on my MacBook Pro.  So, I did what any good hacker would do — I reverse-engineered the protocol and wrote my own Mac client (which is also a Linux client, and probably a Windows client, too — but I don’t know how to compile it for Windows).   It’s still pretty minimal, but I’ve used it to brick and restore this Wii about 10-15 times without problems.  I’m sure you can find plenty of bugs and missing features — and if you do, please send patches my way and I’ll update the program.

Tags: Wii

40 responses so far

  • 1 brian // May 5, 2008 at 1:52 am

    Well done bushing

  • 2 Phredreeke // May 5, 2008 at 2:22 am

    I concur, great job!

  • 3 WunSick // May 5, 2008 at 5:46 am

    Nice work! Glad to hear progress.

  • 4 Starlet // May 5, 2008 at 6:01 am

    Hi bushing!

    At first: WOW! Great job! And now: How did you hack it? What did you do? Is there any software (or hardware) to do this? I have searched the whole internet with google.com, too, but couldn’t find anything released about this topic.

    Please help me! Um, maybe you’ll visit my blog, I know it’s ugly now, but I think with YOUR HELP…^^

    Sincerely, st@rl3t

  • 5 Greg // May 5, 2008 at 6:02 am

    Brilliant! Great job. Your explanation of how you did this is A+; I couldn’t stop reading.

  • 6 Nobody // May 5, 2008 at 12:48 pm

    Good work, but I’ve gotta give you a wag of my finger on your ESD handling procedures.

  • 7 ChucktheTekkie // May 5, 2008 at 9:14 pm

    I gotta agree, is that carpet the board is sitting on?

  • 8 bushing // May 6, 2008 at 2:20 pm

    @Starlet: Thanks! I used this program to sniff the USB traffic: http://www.pcausa.com/Utilities/UsbSnoop
    Beyond that, it was just a day or two of staring at hex dumps and flash data sheets. I also disassembled the Infectus program, but found it much easier to stare at the packet logs.

    @ChucktheTekkie: I like to live on the edge 😉

  • 9 Newbie // May 6, 2008 at 8:29 pm

    I was wondering what is position Infectus team on this?
    I’m sure they are very well aware about your development.
    If I were them, I’d give you all the source code right away!
    After all, you are doing their job, and one of the results is pretty obvious – an increase in Infectus chip sales.
    I’m sure you have tried to contact them in the past (and it makes very little sense to do it now, as you know everything you wanted to). What was their response anyway?

  • 10 Starlet // May 7, 2008 at 3:09 am

    @bushing: Thanks for answering me!

    But where do you know all this from? Who taught you, or what? (which books did you read?) I have heard all the time that hackers say ‘you need Linux to hack!’. Is that true? I have Win32 installed and Linux (OpenSource!) needs FAT; I’ve only NTFS…
    Maybe you’d read about my idea: I want to build a D2C chip for OpenSource. But how can I sniff the BIOS firmware of the other D2C chips? I want to have a clue and improve their FW.

    Thanks for answering!

    St@rlet

  • 11 bushing // May 8, 2008 at 5:04 am

    @Newbie: http://www.infectus.biz/forum/index.php?topic=1793.0

    @Starlet: That question (“how do you learn all of this?”) is always difficult to answer. There aren’t really any books — it really is just a matter of spending lots and lots of time staring at this shit. You can end up feeling like you just wasted an evening (or a week, or a month …), and then suddenly you’ll figure something out, and instantly that “wasted” time is now justified.

    Of course, that rarely happens — most of the time you fail, and the time feels wasted. It’s not, really — you learn a lot. And it’s probably the only way to learn. Maybe another reader has some better suggestions?

    I think that “you need Linux to hack!” is a bad way to put it. You can hack on whatever you’d like — but hackers tend to like Linux (and other Unix-y things) for many reasons — one of which is that it’s much easier to customize a Linux machine than a Windows machine.

    … and I use a Mac.

    Try Ubuntu; it includes NTFS-3G, which will let you read and write NTFS drives.

    As for the D2C — it’s hard to say what equipment you will need to sniff the D2C chips without better understanding what *kind* of signals it’s sending. It would probably be easiest (and certainly cheapest) to start analyzing the firmware files you can download.

  • 12 AjO // May 8, 2008 at 5:45 am

    Great job man, I loved the grounded “D0” trick to halt the boot 🙂

  • 13 Starlet // May 8, 2008 at 6:34 am

    Sorry for *going on your nerves*, but I have a question; which firmware of which chips can I download, and WHERE? I have the OpenWii and the Chip software; but that’s all in hex!!!
    I know about ASM, but I haven’t learnt it. (I’m going to school, there isn’t much time to…;)) tuts4you.com is a cracker site (reverse engineering), but there isn’t a topic about console hacking… I’m afraid people will not write their ideas and clues about hacking into tutorials and books. So… Can you tell me (and us; I think the rest of the scene should know how you hacked it!) WHAT and HOW you did it? Or is that a secret?

    Sincerely and best wishes

    Starlet

    P.S.: You can write to my e-Mail Adress Abflusshamster@gmx.de!

  • 14 Newbie // May 8, 2008 at 12:13 pm

    http://www.infectus.biz/forum/index.php?topic=1793.0
    Looks like they are ready to give you the protocol. You have reversed it already, but (IMO!) it is worth checking, as it may shed some light on performance improvements.
    They also think you have a Mac version only – something not worth a penny in their eyes…
    Time to chime in again?

  • 15 cAPTAIN^k // May 9, 2008 at 12:12 am

    It is a shame this site is sold out of the chips:

    http://www.atvgc.com/shop/details.php?id=14

    I remember him discussing the chips on a forum somewhere and how he just went through lots of different USB flash sticks looking for a compatible chip…

  • 16 bushing // May 9, 2008 at 6:53 am

    @Starlet: Something is wrong with the configuration on your blog, I’m afraid — Your front page says “0 comments” (I think) for your first blog post, but if you click on http://mitglied.lycos.de/wii/wordpress/?p=3#respond, then you’ll see my comment from a few days ago.

    As far as ” WHAT and HOW you did it? Or is that a secret?” — no, it’s not a secret. The whole point of this blog is that it seemed like the best way for me to explain to people what I’ve learned. What *specifically* would you like to know? (What is “it” that I did?)

    @Newbie: Yeah, I guess I might as well. 🙂

    @cAPTAIN^k: Yes, it is. Actually, I tried to order some from him, and he said he didn’t have any, and that’s when he put up the “Sold Out” message. Someone needs to set up a “flash chip exchange”, and we can all start ripping open our USB thumbdrives … 🙂

    (I’m also kinda pissed at him for ignoring a PM I sent him many months ago, asking him what devices he’d been pulling the chips from. I can understand that he may not want to divulge that if he’s trying to sell them — but now that he seems to have no interest in doing so … WTF)

    FWIW, that forum thread was http://www.openwii.org/forums/viewtopic.php?t=312

  • 17 Starlet // May 14, 2008 at 3:27 am

    @bushing: I just want to know HOW you reverse engineered the Wii. How did you write the Twilight Hack, and how did you implement the hack into your (?) savegame? I’d heard you have written the hack in C. Is that right?!

  • 18 Starlet // May 14, 2008 at 3:34 am

    And at last I wanted to know: What hardware did you use? At debugmo.de tmbinc had shown a schematic of something he has connected to the Wii. What was it? How can I connect my PC to the Wii and dump (and see!) data and files on my Wii? I need a NAND dump. I have heard that I can connect my Wii to a Linux (distribution) system, but I’m afraid that the resistance isn’t high enough and I could damage my Wii…^^

    Lastly, I wanted to know which software I have to use.

    Sincerely and best wishes

    Starlet

  • 19 Falcon // May 20, 2008 at 5:35 am

    Here is a small patch that adds support for the Xbox 360 NAND flash chip.

    case 0xAD73:
        printf("Detected Hynix HY27US08281A 16MByte flash\n");
        subpage_size = 0x210;   /* 512 data + 16 spare bytes per page */
        page_size = 512;
        spare_size = 16;
        num_blocks = 1024;
        pages_per_block = 32;
        break;

  • 20 Falcon // May 20, 2008 at 6:03 am

    Oops, maybe a bit too fast posting that, it doesn’t work with flashing…

  • 21 boot0 // Jun 5, 2008 at 12:23 am

    […] amoxiflash – Part 1, a way to modify the NAND Flash of a bricked Wii […]

  • 22 bonx // Jun 14, 2008 at 8:22 am

    Hi bushing,
    I wrote a Windows app based on the reverse engineering you did on the Infectus.
    It works properly only with the NAND mounted on an adapter.
    When I test it with the Infectus mounted on the Wii motherboard, I get an extra byte (FF) during the write operation (same thing with amoxiflash).
    I tried different wirings, the D0 system, but I still have the same problem.
    Do you have an idea about that?
    Regards

  • 23 bushing // Jun 15, 2008 at 2:38 am

    @bonx: Yes, I saw this during my tests. I posted on the Infectus forums (http://www.infectus.biz/forum/index.php?topic=1690.0), but in summary, it’s a ground-bounce issue that happens when the Infectus tries to overpower the Wii’s WE signal. You end up getting extra pulses on WE, causing inserted bytes.

    I was skeptical, but adding an extra ground wire fixed the problem; there are some other suggestions in that thread, too.

  • 24 bonx // Jun 15, 2008 at 2:16 pm

    Hi,
    Adding an extra ground wire didn’t change anything for me. But I finally found a solution: replace the WE wire with a longer one (4 times the length of the other wires). It works fine!
    About the D0 trick, when I do it, the fan doesn’t turn and I am not able to read the flash (data bus low).
    If I disconnect the wifi module, it works. How exactly do you do it?
    Regards

  • 25 bushing // Jun 15, 2008 at 11:15 pm

    A *longer* WE wire? That is … very odd. But hey, if it works…

    You say that when you do the D0 trick, you can’t read the flash (data bus low) — what does this mean? The ID comes back as 00 00?

    (It is expected that the fan doesn’t come on. The D0 trick causes boot0 to die before starting boot1, and boot1 is probably what turns the fan on. The goal is to lock up the processor so that it does not try to access the flash.)

  • 26 bonx // Jun 17, 2008 at 11:05 pm

    If I do only the D0 trick, without removing the wifi unit, the fan doesn’t come on and the ID is 000000.
    I checked the data bus; all lines are at 0.
    If I start the Wii with the wifi unit removed, all the data I/O lines are pulled up and the fan comes on.
    I read the whole NAND two times; the data was the same.

  • 27 winston154 // Jun 29, 2008 at 4:46 am

    this looks great!!! I have been having trouble running this on my Fedora 9 machine. I am sure it is something that I am doing wrong.

    Any help would be greatly appreciated

  • 28 bushing // Jul 2, 2008 at 5:50 pm

    @winston154: Are you getting any error messages?

  • 29 winston154 // Jul 4, 2008 at 5:00 am

    I am not getting that far, I downloaded the six files and I thought all I had to do is run the “make” command and it would compile it, but it doesn’t, I get: “Makefile:2: *** missing separator. Stop.”
    I have looked for a step by step instructions for this on how to flash the Infectus chip but unable to find one, this is probably operator error also.

  • 30 winston154 // Jul 4, 2008 at 6:07 am

    It was operator error. Somehow the makefile was corrupted so I downloaded a new file and all is well.
    now to try it out!!!! Thanks Bushing

  • 31 winston154 // Jul 5, 2008 at 3:05 pm

    hopefully last question, I now have the program running, but I am getting an error:

    [root@localhost amoxiflash]# ./amoxiflash dump test.dat
    amoxiflash version 0.4, (c) 2008 bushing
    infectus Device Found @ Address 005
    infectus Vendor ID 0x010c4
    infectus Product ID 0x082e3
    Infectus version (?) = 81
    Infectus Loader version = 128.1
    PLD ID: SPI Programmer
    ID = 200
    ID = 200
    ID = 200
    Unknown flash ID 0200
    If this is correct, please notify the author.

    I do not have the push button or extra gnd wire hooked up yet, not worried about having a corrupted file from the infectus, just want to make sure I can get this to work. I have not updated it with the latest programming firmware from infectus, version 0.0.3.9. I also have the blue and amber LED light on the programmer, power is on on the system.
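Falcon’s table entry for the Hynix chip, bonx’s report of an ID of 000000 with the data bus held low, and the “Unknown flash ID 0200” in the log just above all come down to the same step: reading the chip’s ID bytes and deciding whether they describe a chip at all. The following Python is an added example written for this page, not amoxiflash code. The 0xAD73 entry is Falcon’s; the Samsung K9F4G08U0A ID 0xECDC is taken from the part’s datasheet and is an assumption, as are the function names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NandGeometry:
    """Geometry fields a NAND programmer needs per chip (names follow Falcon's patch)."""
    name: str
    page_size: int        # data bytes per page
    spare_size: int       # out-of-band (spare) bytes per page
    pages_per_block: int
    num_blocks: int

    @property
    def subpage_size(self) -> int:
        # Bytes per page as stored in a raw dump: data + spare.
        return self.page_size + self.spare_size

    @property
    def data_bytes(self) -> int:
        return self.page_size * self.pages_per_block * self.num_blocks

    @property
    def dump_bytes(self) -> int:
        return self.subpage_size * self.pages_per_block * self.num_blocks


# Keyed by (maker ID << 8) | device ID, the first two ID bytes the chip returns.
# 0xAD73 is the Hynix entry from Falcon's patch. 0xECDC is the Samsung
# K9F4G08U0A mentioned later in the thread; that ID comes from the part's
# datasheet and is an assumption, not something stated on this page.
FLASH_IDS = {
    0xAD73: NandGeometry("Hynix HY27US08281A", 512, 16, 32, 1024),
    0xECDC: NandGeometry("Samsung K9F4G08U0A", 2048, 64, 64, 4096),
}


class BusFault(Exception):
    """The ID read says nothing about the chip; the bus itself is wrong."""


def decode_flash_id(id_bytes: bytes) -> NandGeometry:
    """Map a raw ID read to a geometry, or raise with a diagnosis.

    All-zero bytes match bonx's "data bus low" symptom (chip unpowered, held
    in reset, or the bus still driven by the Starlet); all-0xFF bytes mean
    the lines are floating/pulled up and nothing is answering.
    """
    if len(id_bytes) < 2:
        raise ValueError("need at least the maker and device ID bytes")
    if all(b == 0x00 for b in id_bytes):
        raise BusFault("data bus reads all zeros; chip not responding (check power, D0 trick, Wi-Fi module)")
    if all(b == 0xFF for b in id_bytes):
        raise BusFault("data bus reads all ones; lines floating, check wiring and ground")
    ident = (id_bytes[0] << 8) | id_bytes[1]
    try:
        return FLASH_IDS[ident]
    except KeyError:
        raise ValueError(f"Unknown flash ID {ident:04X}") from None


def probe_result(id_bytes: bytes) -> str:
    """One-line verdict for an ID read, in the style of the amoxiflash output."""
    try:
        geom = decode_flash_id(id_bytes)
    except BusFault as err:
        return f"Bus fault: {err}"
    except ValueError as err:
        return str(err)
    return f"Detected {geom.name} {geom.data_bytes // (1024 * 1024)}MByte flash"


if __name__ == "__main__":
    # Constructed sample reads: Falcon's Hynix chip, the Wii's Samsung chip,
    # the 02 00 winston154 saw, and bonx's all-zero bus.
    for raw in (b"\xad\x73", b"\xec\xdc", b"\x02\x00", b"\x00\x00\x00"):
        print(raw.hex(), "->", probe_result(raw))
```

The point of separating `BusFault` from an unknown ID is that the two call for different fixes: an unknown but plausible ID means the table needs an entry, while all-zero or all-0xFF bytes mean no chip is talking and writing anything would be pointless.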

  • 32 geekatcmu // Dec 2, 2009 at 8:06 am

    Assuming you have a NAND backup (from bootmii), could this technique be used to recover from a Korean Wii bricked by the 4.2 update?

  • 33 bushing // Dec 6, 2009 at 6:31 am

    Yes, but you have to be careful. You can back up the corrupted NAND image, extract boot1 and boot2 (first 8 * 64 * 2112 bytes of NAND dump) from the corrupted NAND image, and replace the older boot2 in your old NAND dump with boot2v4. Then you can reflash with amoxiflash to downgrade.

    (You must replace the older boot2 with the new boot2v4, because boot1 will not allow you to downgrade boot2.)
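The splice bushing describes (carry boot2v4 from the corrupted image into the older backup, using the geometry 8 blocks × 64 pages × 2112 bytes) is easy to get off by one block, so here it is as an added Python example written for this page, not part of the post or of amoxiflash. The page sizes and block count come from the comment above; that boot1 is block 0 and boot2 is blocks 1 to 7, and that boot1 should read the same in both dumps of one console, are assumptions of this example, as are the function names.

```python
from typing import Tuple

# Raw-dump geometry from bushing's comment: each page is stored as
# 2048 data + 64 spare bytes, 64 pages per block, and boot1 + boot2 occupy
# the first 8 blocks (8 * 64 * 2112 bytes).
PAGE_BYTES = 2048 + 64
PAGES_PER_BLOCK = 64
BLOCK_BYTES = PAGE_BYTES * PAGES_PER_BLOCK
BOOT_BLOCKS = 8
BOOT_REGION_BYTES = BOOT_BLOCKS * BLOCK_BYTES   # 1081344

# Assumption (not stated on this page): boot1 is block 0 and boot2 fills
# blocks 1..7, so "replace boot2" means replacing blocks 1 through 7.
BOOT1_BLOCKS = (0, 1)
BOOT2_BLOCKS = (1, 8)


def block_span(first: int, end: int) -> Tuple[int, int]:
    """Byte range [start, stop) covering blocks first..end-1 of a raw dump."""
    return first * BLOCK_BYTES, end * BLOCK_BYTES


def _check_dump(dump: bytes, label: str) -> None:
    if len(dump) < BOOT_REGION_BYTES:
        raise ValueError(f"{label}: only {len(dump)} bytes, shorter than the boot region")
    if len(dump) % BLOCK_BYTES:
        raise ValueError(f"{label}: size {len(dump)} is not a whole number of blocks")


def extract_region(dump: bytes, blocks: Tuple[int, int]) -> bytes:
    start, stop = block_span(*blocks)
    return dump[start:stop]


def same_boot1(old_dump: bytes, new_dump: bytes) -> bool:
    """Assumption: boot1 is not touched by updates, so it should match between
    two dumps of one console. A mismatch is a warning (wrong console or a bad
    read) worth resolving before flashing anything."""
    return extract_region(old_dump, BOOT1_BLOCKS) == extract_region(new_dump, BOOT1_BLOCKS)


def splice_boot2(old_dump: bytes, new_dump: bytes) -> bytes:
    """Return old_dump with its boot2 blocks replaced by new_dump's."""
    _check_dump(old_dump, "old dump")
    _check_dump(new_dump, "new dump")
    if len(old_dump) != len(new_dump):
        raise ValueError("dumps differ in size; are they from the same chip?")
    start, stop = block_span(*BOOT2_BLOCKS)
    return old_dump[:start] + new_dump[start:stop] + old_dump[stop:]


def make_dump(boot1: int, boot2: int, rest: int, total_blocks: int = 9) -> bytes:
    """Constructed test image: one fill byte per region (not real NAND data)."""
    b1 = bytes([boot1]) * BLOCK_BYTES
    b2 = bytes([boot2]) * (BLOCK_BYTES * (BOOT2_BLOCKS[1] - BOOT2_BLOCKS[0]))
    tail = bytes([rest]) * (BLOCK_BYTES * (total_blocks - BOOT_BLOCKS))
    return b1 + b2 + tail


if __name__ == "__main__":
    old = make_dump(0x11, 0x22, 0x33)   # good backup with the older boot2
    new = make_dump(0x11, 0x44, 0x55)   # corrupted post-update image with boot2v4
    out = splice_boot2(old, new)
    print("boot1 unchanged between dumps:", same_boot1(old, new))
    print("boot2 taken from new image:", set(extract_region(out, BOOT2_BLOCKS)) == {0x44})
    print("rest kept from old image:", set(out[BOOT_REGION_BYTES:]) == {0x33})
```

With real dumps, read both files with `open(path, "rb").read()`, run `same_boot1` first, and write the result of `splice_boot2` to a new file rather than over the backup, so the original remains available if the reflash fails.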

  • 34 bluefire66 // Dec 27, 2009 at 8:19 am

    @bushing:
    I’m sitting here with 2 bricked Wiis and no NAND backups…. I think they are low-level bricks because they do not show any picture on the screen. (the TV says “no signal”, but the Wii makes the disk noise and the green LED lights up)

    If i buy an infectus chip, would i have any luck unbricking them?

    thanks

  • 35 bluefire66 // Dec 27, 2009 at 8:43 am

    Actually, I found a old nand backup and keys (from bootmii) for one of the wiis.

    Can I flash this to the NAND without bootmii, because my Wii cannot even get to it….

  • 36 bushing // Jan 4, 2010 at 11:36 am

    Yes, you can use the Infectus chip as described in this article, but it’s not much fun to solder up.

  • 37 nmaupu // Jan 18, 2010 at 1:04 pm

    Hi,

    I had exactly the same problem as Bushing and Bonx (Bytes inserted).

    I added a bounce-ground wire as bushing said. Not better …
    So I added a very long (4 or 5 times the length of all the other wires) WE (Q pin) wire, and I confirm that it works!

  • 38 billybob2611 // Mar 24, 2010 at 10:33 pm

    Hi all.

    Excellent work Bushing.
    I have 2 wiis with corrupt updates, Black screen.
    I have the NAND backups for both, created with HackMii immediately after I installed HBC.
    After reading this, it is quite possible to use the infectus tool to re-flash the Bricks?

    Cheers

  • 39 bushing // Mar 28, 2010 at 2:21 am

    Yes. Use amoxiflash to flash the nand.bin file from your SD card to the NAND chip.

  • 40 Crypto // Jan 17, 2011 at 12:43 am

    Hi,

    I had exactly the same problem as Bushing and Bonx (Bytes inserted). The first on 2096 DEC.

    Where do you put the second ground wire on the Infectus chip? On RST or directly on the upper left corner?

    A longer WE (Q pin) wire doesn’t work any better.
    I also tried the D0 trick.

    It’s a Samsung K9F4G08UOA NAND Chip.

    Do you have any idea what’s wrong?
