HackMii

Notes from inside your Wii


Dual NAND Flash hack

June 3rd, 2008 by bushing · 41 Comments

ChipD has done a lot of work lately with the actual, physical NAND Flash chip on the Wii, and he just told me about his latest feat — two chips installed in one Wii, with a switch to toggle between them.  More pictures and info after the break.


The goal: mount two full NAND Flash chips at the same time inside a Wii, so that you can switch back and forth between them.

[Photos: bare Wii board, chip removed; cloned flash chips, compared to original; double-stacked clone chips, left side; double-stacked clone chips, right side; installed chip stack, right side; installed chip stack, left side; chip-enable wires added, close up; chip-enable wires added, wide view]

This isn’t exactly self-explanatory, so let me explain what’s going on here. He’s found some extra chips (see below) that are the same as the ones inside a Wii. He then desoldered the flash chip from his System Menu 3.1U Wii and cloned it onto the two extra chips using an Infectus chip and amoxiflash. This way, if anything goes wrong, he can always desolder this hack from his Wii and go back to the normal one. (All of this soldering and desoldering is difficult and risky, but hey — you do what you gotta do. Carefully.)

NAND flash uses an 8-bit data bus and 7 control lines. One of those is Chip Enable (CE) — if Chip Enable is deselected, then the chip almost acts as if it’s not connected at all (all inputs and outputs go to tristate). Therefore, if we can make sure that only one of those two chips will have its CE pin active at any given time, we can just solder the rest of everything together. Then, to switch between the two chips, you just wire up a 2-way switch. In one position, CE of one chip is connected back to CE from the Wii board. In the other position, the other CE is connected.
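The CE switching described above can be modelled at logic level. The sketch below is an added example, not code from ChipD or from this post; it assumes an active-low CE and a pull-up that holds the unselected chip's CE deasserted (the pull-up, the byte values and all names are hypothetical).

```python
# Added illustration: logic-level model of two NAND chips sharing one bus.
# Assumptions: CE is active-low; the pull-up on each chip's CE is hypothetical.
from enum import Enum

class Level(Enum):
    LOW = 0      # CE asserted: chip is selected
    HIGH = 1     # CE deasserted: chip tristates its pins
    FLOAT = 2    # pin connected to nothing: state undefined

class Chip:
    def __init__(self, name, data_byte):
        self.name = name
        self.data_byte = data_byte   # constructed value the chip outputs on a read

    def drive(self, ce):
        """Return the byte driven onto the bus, or None when tristated."""
        if ce is Level.FLOAT:
            raise ValueError(f"{self.name}: CE floating, output undefined")
        return self.data_byte if ce is Level.LOW else None

def route_ce(wii_ce, switch_pos, pullups=True):
    """2-way switch: the board's CE goes to chip 0 or chip 1.
    The unselected chip's CE is held HIGH by a pull-up (assumed), else it floats."""
    idle = Level.HIGH if pullups else Level.FLOAT
    return (wii_ce, idle) if switch_pos == 0 else (idle, wii_ce)

def read_bus(chips, ce_levels):
    """Resolve the shared 8-bit bus: exactly one driver is a valid read."""
    drivers = [(c.name, v) for c, ce in zip(chips, ce_levels)
               if (v := c.drive(ce)) is not None]
    if len(drivers) > 1:
        raise RuntimeError("bus contention: " + ", ".join(n for n, _ in drivers))
    return drivers[0][1] if drivers else None   # None = bus idle (all tristated)
```

With both CE lines low the model reports contention, and with the pull-up removed the unselected chip's state is undefined, which are the two wiring faults worth checking for with a meter before powering the board.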

A schematic may make this clearer:

Now, let me be perfectly clear here — this is a neat hardware hack, but this is not something most people will be able to pull off, nor is it something most people will find useful. It will not help you fix a broken Wii, or downgrade a Wii, or anything of the sort.

In order to make use of this, you will need:

 

  • 1 or 2 extra NAND flash chips.  You can take these from a dead Wii, or certain (very specific) flash-based devices.   (Think USB flash sticks, CompactFlash cards, shitty MP3 players.)
    We only know of one specific model that has the right chip:
    If you find any others, please post and let us know!
  • A complete and intact image of your encrypted NAND chip — either done via software or hardware
  • A NAND programmer of some sort — perhaps an Infectus — to use to write your NAND flash image to your blank chips.  You will also probably want this so that you can reprogram one or both of the chips when you fuck them up– which is, after all, the only point of this endeavor.
  • Excellent soldering skills, patience, etc
And, most importantly:
  • Something clever to try out with this.  This allows you to try making changes to your flash, and then have a way to recover if they don’t work.  However, you only get one shot at that, and then you have to go use a hardware programmer to fix it.  
So, if you have any questions about what the usefulness of this hack is … you should probably move on.  However, if you do want to pull it off, let’s talk about it.  (If anyone out there actually has a good idea for a use for this and a victim Wii to try it on, but lacks the programmer or the chips or the soldering skills, come find me or ChipD, and we might be able to work something out.)

 


41 responses so far ↓

  • 1 Nobody // Jun 3, 2008 at 7:03 am

    If the purpose of this mod is to allow quick brick recovery for development, why not just solder an IC socket into place? That way, you could just pop the chip out and reprogram it without having to do any extra desoldering/soldering.

  • 2 Nobody // Jun 3, 2008 at 7:24 am

    http://www.primedistributing.com/index.asp?PageAction=VIEWPROD&ProdID=685

    This is a $7.00 48 pin TSOP socket.

    Here is the data sheet:
    http://www.adapt-plus.com/products/ic_sockets/tsop.html

    For NAND Flash development work, it’s ideal. Just solder it to the NAND flash socket and then you can drop your chips in.

  • 3 bushing // Jun 3, 2008 at 7:28 am

    Know of any cheap sockets that don’t suck ass to solder down to the PCB?

  • 4 Nobody // Jun 3, 2008 at 7:57 am

    They are all difficult, but this one looks to be a little easier.

    http://www.emulation.com/cgi-cfm/insert_quantity.cfm?part_number=S%2DTSO%2DSM%2D048%2DA,

    I haven’t used this one, but it appears that hobbyists have hand-placed it in the past.

    It also helps to have an angled, pointed iron tip, rather than a hoof or a straight point. This lets you get underneath a little better.

    Still, it’s not for amateur solderers. But neither is piggybacking two TSOP’s.

  • 5 Maddoc // Jun 3, 2008 at 9:12 am

    I want to try it, if only to make sure I have a backup copy of the NAND…
    Honestly I would like to make my own NAND reader/programmer and not use expensive infectus and amoxiflash. I still have to look for a substitute for these.

    Also found the pictured usb stick but something cheaper would be great, I’ll keep disassembling memory devices. A database with these would be nice.

    I am thinking about reading/programming the chip inside the Wii, maybe just disconnect the power tracks? It would be much easier!

  • 6 ChipD // Jun 3, 2008 at 10:22 am

    @ Nobody:

    This was just a proof of concept test run. I’ve pondered easier ways to mount/unmount the nands. As bushing said, some test sockets are cheaply made, and are a pain to solder in. Also the height on these test sockets is 5.33mm and the clearance from the bottom case and board is roughly 4mm, so if you plan to close your wii up at some point, the test socket will get in the way. I could stack 4 nands @ 4mm height and still put my wii back together with a switch mounted on the GC port side panel.

    BTW.. that company you linked for test sockets has a $50 minimum order not including shipping. But $7.00 each is a pretty good deal if they’re decent quality.

  • 7 ChipD // Jun 3, 2008 at 10:42 am

    I forgot to add that I’m looking for someone with advanced knowledge in SLC/MLC/dual nCE & dual R/nB Nand flash’s. If you have any knowledge in the read/write/erase routines, and wiring schematics you can find me on efnet #wiidev ChipD, or Ch1pD.

  • 8 Ninth Sage // Jun 3, 2008 at 10:59 am

    This is a pretty interesting hack, even if it may not have much of a use for most. I wonder…if you have two copies of your NAND, then on one you buy a VC or a Wiiware title, copy it off to your SD card…will it copy back onto the other NAND flash ok? Does it need any extra info the second NAND doesn’t have?

  • 9 superdave // Jun 3, 2008 at 10:59 am

    Really, the more useful way to go about it is a variation on tmbinc’s NAND emulator; all you have to do is lift the CS pin on the existing NAND flash and then the rest of the wires can be tacked onto the vias further north on the PCB… the NAND emulator requires some FPGA skills, but I’ve been working on an open one for some time.

    In any case, you can get a lot more flexibility out of that than you can out of a backup flash; as long as you have something attached to the backend to fetch the pages from somewhere (ethernet, PCI interface, etc) you can instantly modify things.

  • 10 Nobody // Jun 3, 2008 at 11:04 am

    @ChipD

    I didn’t consider the closing of the Wii case because I didn’t think you would ever close up a development system. :P

    Why are you looking for dual CE chips? The ones you used were only single CE chips. Are you looking because it would make your piggybacking easier? (I noticed this because I’m trying to track down some 2 CE chips to expand my MP3 player.)

  • 11 CaitSith2 // Jun 3, 2008 at 11:34 am

    @Ninth Sage: The SD card backup you make of your VC title does not include anything they put into /SHARED1 of the Wii FS, nor does it include the ticket. Since your second NAND flash copy has neither of these files, you will not be able to copy your VC to that second instance. You should in theory, though, be able to redownload it to that second NAND copy, as it would most likely be connecting with the same Wii shop account ID. (unless the system was never connected to the Wii shop channel prior to cloning.)

  • 12 ChipD // Jun 3, 2008 at 11:37 am

    @ Nobody

    Some dual CE chips have the same device ID’s as the supported nands in boot2. So it’s worth a shot to see if they would work. Basically they are two 512’s in one, so yes it would make it easier to dual boot by switching banks, but also it’s interesting to see how they form 1GB of space. That feature is probably controller specific, but what’s interesting is the wii has traces for dual CE & R/nB going to points on the wii.

  • 13 superdave // Jun 3, 2008 at 4:10 pm

    The dual-CE chips are essentially two chips in one; a single-package version of what you just did. The extra chip select and R/BY# usually occupy NCs on the control line side of the chip.

    I’d check out Micron’s datasheets for the flash chips (look for their 8 Gb large-block flash chips, which are essentially the dual-die version of what’s in the Wii). They do come in TSOP48 packages.

    In any case, yes, they would make this job a lot easier, since (not having looked under the flash chip yet) I imagine the other CS line isn’t even soldered down yet; you could always just lift the leg just in case.

  • 14 ChipD // Jun 3, 2008 at 5:09 pm

    @ superdave

    There’s no support for micron device ID’s in boot2. The nand in question is a hynix HY27UG088G5M; it’s a 8Gbit dual nCE & R/nB with the same 0xAD 0xDC Device ID as the SLC’s I used for the dual boot nand project and is a tsop 48 package. In theory it should work if I could write to each bank separately, but I’m having trouble with that currently. Anyway here’s a link to the dual CE & RB pinouts on the wii: http://www.flickr.com/photos/27397238@N08/2548346865/

  • 15 Anonymous Coward // Jun 3, 2008 at 5:40 pm

    Wow, impressive soldering work. How many times did you have to remove unwanted bridges between two pins? ;-)

  • 16 Nobody // Jun 3, 2008 at 6:02 pm

    @ChipD

    Don’t all Hynix HY27U chips have the same device ID? I was under the impression that they didn’t change between chips in a family from a given Semiconductor company.

    Also, I can’t see from your pic if R191 is depopped or not. Can you confirm?

  • 17 mercluke // Jun 3, 2008 at 6:06 pm

    i have a 1gb hynix HY27UF031G2M, if that’s compatible with the wii then i’d be glad to let you have it

  • 18 mercluke // Jun 3, 2008 at 6:15 pm

    oh forgot to ask, is it something to do with the nand that makes the wii whatever region it is, or is that something else? because if so, this could be used to change from pal to ntsc at the flick of a switch

  • 20 ChipD // Jun 3, 2008 at 6:41 pm

    @ Nobody

    No the supported Hynix device ID’s in boot2 are:
    64mb= 0xAD 0x76, 128mb= 0xAD 0xF1, 512mb= 0xAD 0xDC. This particular hynix dual CE nand has two 512mb nands built in giving it the same 0xAD 0xDC ID. A single CE 1gb nand would have an ID of 0xAD 0xD3 which is not supported in boot2. And to confirm, R191 is supposed to be missing a resistor. I double checked on my wii mainboard.

    @ mercluke

    Are you sure you have that part number right? I couldn’t pull up a datasheet on those part numbers, but going by hynix part number decoder, “F” would mean single die, “1G” would mean it’s 128mb in size, and “2” means it’s a single CE & R/nb, so if for some strange reason it is a 1GB nand, it wouldn’t be supported in boot2 because any single 1GB flash would have 0xAD 0xD3.

  • 21 Nobody // Jun 3, 2008 at 6:59 pm

    @ChipD

    Thank you for clarifying.

    As far as datasheets go, don’t look at Hynix’s website. They only list chips that were made for customer samples and those that are currently being mass produced. You have to piece together data sheets across multiple members of the HY27 family to get the big picture.

    Did you happen to find a HY27UG088G5M, or were you just referencing that from Hynix’s webpage? If you need help tracking one down, maybe we can work together on that? I need to find a HY27UH08AG5M for my own purposes.

  • 22 ChipD // Jun 3, 2008 at 7:24 pm

    @ Nobody

    Yes http://www.hynix.com/datasheet/pdf/flash/HY27UG088G(5_D)M%20Series(Rev.0.6).pdf

  • 23 Naamah31 // Jun 3, 2008 at 7:43 pm

    @ChipD
    I live in China, near ShenZhen, the paradise of electronic… I will check as soon as possible for your dual CS Hynix chip.
    c u

  • 24 superdave // Jun 3, 2008 at 7:49 pm

    I know there’s no support for the Micron device IDs, but the datasheets are worthwhile reads if you’re curious about the devices, and Micron tends to have the clearest datasheets out of all of them. The special features (caching, dual plane operations, etc) tend to be different amongst all manufacturers, but the general flash protocols tend to be pretty much the same.

    I did notice that second (disconnected) R/B# line on mine, though, when I was tacking the wires on… one would assume that there’s support in the flash controller for a second CS, but I wouldn’t imagine it’s flash address-based; possibly something in the flash controller commands?

  • 25 ChipD // Jun 3, 2008 at 8:49 pm

    @ superdave

    Yeah you’re right, micron is a lot more informative with their datasheets. I’m referencing micron’s MT29F8G08DAA which “is a two-die stack that operates as two independent 4Gb devices” to the comparable Hynix HY27UG088G5M. Hopefully I can narrow why I’m having problems reading/writing, and selecting banks.

  • 26 galtor // Jun 4, 2008 at 12:23 am

    Awesome job! :)

  • 27 ieatpixels // Jun 4, 2008 at 5:45 am

    argghhhh, i don’t cast hax on my wii,
    it’s not clear what this thing can do!
    I know it can fix bricked wiis but can it copy VC games?
    they’re a flippin’ rip, it’s cheaper to buy the original cartz ffs

  • 28 Superrob // Jun 4, 2008 at 11:47 pm

    Sweet that mean that you could edit the firmware with NO risk :)

  • 29 Anonymous Coward // Jun 5, 2008 at 4:53 am

    @ieatpixels…

    People who ask if any new piece of homebrew which has anything to do with storage can be used for piracy are starting to get boring.

    No they’re not a “flippin’ rip” as this study proves…

    http://www.vintagecomputing.com/index.php/archives/416

  • 30 ChipD // Jun 5, 2008 at 9:06 am

    @ Superrob

    Well dual booting was just for fun. Even with just one replacement nand, you could edit with no risk as long as your original nand is safe somewhere. Since I had no confirmation that writing dumps back to the wii nand worked, I didn’t want to risk bricking it so I figured a replacement nand to test on was the best approach. After I confirmed swapping the original out for a compatible nand replacement worked, I just thought it would be fun to see if I could put two in and switch between them. I can think of a few useful uses for dual boot, but not worth the effort for most people. Aside from having the extra space at the flick of a switch, you also have a for sure way to use homebrew in the event of a homebrew preventing firmware update. Nobody knows when/if it will ever happen, but it’s covered if it ever does.

    If anyone has any other ideas that don’t involve piracy come see me @ wiidev#

    Also I’m really interested in these dual CE chips, but still having trouble making them work, so if you think you can help we can chat on irc.

  • 31 Naamah31 // Jun 5, 2008 at 9:05 pm

    @ChipD
    I just bought 2 HY27UG088G5M for you. Give me an address to send it ;)

  • 32 Hack a Wii Admin // Jun 6, 2008 at 10:28 am

    Great hack. I would agree that it isn’t for everyone but it is a great concept.

  • 33 Altpersona // Jun 6, 2008 at 10:43 am

    is the retail chip attached to the motherboard by anything other than solder? is it glued down or anything like that?

  • 34 ChipD // Jun 6, 2008 at 11:13 am

    After looking at numerous datasheets from various manufacturers I’ve finally figured out the wiring configurations to write to both banks independently on these dual CE hynix nands. More on this sometime this weekend.

    @ Altpersona

    No just solder.

  • 35 f // Jun 7, 2008 at 12:32 pm

    jkj

  • 36 - - - // Jun 7, 2008 at 12:33 pm

    hgh

  • 37 ChipD // Jun 11, 2008 at 6:17 pm

    Dual CE Hynix HY27UG088G5M doesn’t boot completely. I was able to write a dump to it, dump it back twice, match both dumps, and decode the dumps, so I know they’re good, but when installed the wii goes to the main screen where it says “press A” except “press A” never appears. Wiimote still functions (power on/off works) and I can hear the dvd drive working.

  • 38 ChipD // Jun 12, 2008 at 9:03 am

    It appears that bank 1 has a bad block in the location where the system files are, allowing it to boot, but not into the system channels screen. Bank 2 also has bad blocks, but they’re in a location that doesn’t interfere with the boot process, or file system, so bank 2 boots, and functions as normal.

  • 39 Naamah31 // Jun 13, 2008 at 8:04 pm

    very strange these bad blocks…

  • 40 ChipD // Jun 16, 2008 at 8:48 am

    Yeah it’s pretty much hit or miss with these nand chips. Even if you find a compatible nand, there’s always the chance that it could have a bad block in an area that affects the wii booting process. This is why it’s so dangerous to play around with dumping/writing tools via hardware, or software with your original nand. Because if more bad blocks appear and you write over them it will corrupt the file system and brick your wii. The only safe way of doing this is through nintendo’s update system that has bad block correction, wear leveling, etc. Hopefully when/if we can alter the data, we can add these features into read/write tools so it’s much safer.
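Comments 37, 38 and 40 above describe reading a chip back twice, matching the two dumps, and bad blocks landing in areas the boot process needs. The following is an added example, not ChipD's tooling or part of the original thread: a block-level check over two raw reads. The page geometry, the bad-block marker position and the `critical` block range are assumptions to be confirmed against the chip's datasheet, and the sample dump is constructed.

```python
# Added example: block-level checks on raw NAND dumps (data + spare per page).
# Geometry and marker convention are assumptions; confirm them in the datasheet.
PAGE_DATA = 2048        # assumed data bytes per page
PAGE_SPARE = 64         # assumed spare (OOB) bytes per page
PAGES_PER_BLOCK = 64    # assumed pages per erase block

def split_blocks(dump, page_data=PAGE_DATA, page_spare=PAGE_SPARE,
                 pages_per_block=PAGES_PER_BLOCK):
    """Yield (block_index, block_bytes); reject dumps that are not whole blocks."""
    block_len = (page_data + page_spare) * pages_per_block
    if len(dump) == 0 or len(dump) % block_len:
        raise ValueError("dump length is not a whole number of blocks")
    for i in range(len(dump) // block_len):
        yield i, dump[i * block_len:(i + 1) * block_len]

def marked_bad(dump, **geom):
    """Blocks whose first page has a non-0xFF byte at spare offset 0 (assumed marker)."""
    page_data = geom.get("page_data", PAGE_DATA)
    return [i for i, blk in split_blocks(dump, **geom) if blk[page_data] != 0xFF]

def unstable_blocks(read_a, read_b, **geom):
    """Blocks that differ between two reads of the same chip."""
    if len(read_a) != len(read_b):
        raise ValueError("reads differ in length")
    pairs = zip(split_blocks(read_a, **geom), split_blocks(read_b, **geom))
    return [i for (i, a), (_, b) in pairs if a != b]

def verify(read_a, read_b, critical=range(0), **geom):
    """Summarise two reads; `critical` is a caller-supplied (hypothetical) block range."""
    bad = marked_bad(read_a, **geom)
    unstable = unstable_blocks(read_a, read_b, **geom)
    return {
        "bad": bad,
        "unstable": unstable,
        "critical_hits": sorted(set(bad + unstable) & set(critical)),
        "reads_match": not unstable,
    }

def make_dump(blocks, bad=(), page_data=16, page_spare=4, pages_per_block=2):
    """Constructed sample: tiny geometry, block i's data filled with byte i."""
    out = bytearray()
    for i in range(blocks):
        spare0 = bytes([0x00 if i in bad else 0xFF]) + b"\xff" * (page_spare - 1)
        out += (bytes([i]) * page_data + spare0) * pages_per_block
    return bytes(out)
```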
