HackMii

Notes from inside your Wii

HackMii header image 2

Insert Startup Disc

September 22nd, 2010 by bushing · 46 Comments

Those of you who have been reading this blog for a year or two know that I’ve been fascinated with figuring out how Wiis are made at the factory. The driving reason is that if we can figure out how Wiis with blank flash chip are programmed at the factory, we could possibly wipe bricked Wiis and fix them.

Well, we never found that, but occasionally some hint poke up. Nintendo has gone out of their way to call out a specific message — Insert Startup Disc — and has declared that there is a problem with the “operating system” and let it be known that they very badly want to replace it. As with things like the iOS “diagnostic mode”, this generally means that a unit escaped from the factory without having completed all testing and programming steps. This can give a rare glimpse into factory steps normally concealed from us.

Searching online for information about this has been rather frustrating. Occasional articles from late 2006 show in-store kiosks displaying a blurry “Insert startup disk” message. A few private conversations have alluded to the fact that the few thousand Wiis that were sent to game stores with this disc, but nobody has been able to cough up a disc for me to examine (or at least an image of one!).

Fortunately, an alert member of assemblergames caught an auction on eBay for a broken Wii displaying our mysterious error message. (Thanks Paul!) He bought it and sent it to me to look at, and here are my findings.

Background

Stepping back a moment, the reason that this is strange is that the very lowest levels of the system — boot1, boot2 — can’t even talk to the DVD drive or the video output. IOS can talk to the DVD drive, but only at a very low level, and only in response to IPC from the PPC — there’s no way for the system to bootstrap itself with a blank flash, or with boot1 and boot2. You absolutely need PPC code running, and if you have that running, you might as well have the whole system menu running. It also probably means you have to either have a boot2 that can read an unencrypted NAND filesystem, or it means you have to program each chip individually with a key from a database using a flash programmer before soldering it down — an expensive and complicated operation, in comparison to flashing one image to all chips or programming a unit with test pads.

The only possible reason I could imagine for doing this would be that the flashing process has a long lead time — longer than pressing DVDs — and Nintendo therefore was able to ship these kiosk Wiis earlier by including a stub of a system menu that could install updates, and then making a few thousand in this state and shipping them out with these discs. Let’s take a look at Paul’s Wii.

It was posted on eBay “as-is” with no warranty; when it showed up, it was in pretty poor physical shape — the case was scratched and scuffed, and it had “needs startup disk” (or something) written on it with a marker. This is not the launch-day Wii I expected to see, because if a Wii was in this state, there’s no way anybody could have ever used it … ever. There’s no way for a working Wii to fall into this state, so any Wii that displayed this message should look like it sat in someone’s closet and pristine! The serial number on the label was LU325049098, which was strange because the Wii drive serial number tracking sites report this as probably a D2C drive — meaning, the Wii came from some time in 2008. The battery had a date stamped on it of “05 – 08” — probably May 2008. Again, this made no sense, but I had to open the thing up anyway to solder a modchip onto the drive so that I could burn discs in an attempt to make the thing boot.

I opened it up and removed the metal shield, and removed the drive — which ended up being a D2B drive. This still didn’t seem right — the launch day Wiis would have shipped with DMS drives — nor did it match the serial number on the outside. A couple of screws were missing inside the case. I decided to open it up all the way to see the date codes on the chips and PCB, and so that I’d be ready if I ended up needing to desolder the NAND flash chip from the bottom of the main board.

Once I finally got the main board out, it was clear that it was what I expected to see — a launch-day board. The PCB had a date-code of “3306” below the SD card slot — this means the 33rd week of 2006, so, around August 15th. Similarly, the Hollywood & Broadway chips had date codes of “0632” and “0631” — all consistent with a launch-day Wii. More on this later.

I put the thing back together enough to power the thing on, and was faced with these screens — photos courtesy of Crediar, and more on that later:



Recovery

The first screen appeared a few seconds after I applied power to the unit; if you insert a disc, it would transition to the other two discs, no matter what valid discs I tried. I tried a SaveMii, but it wasn’t recognized (the red LED came on, but neither the yellow nor green LEDs followed).

At this point, crediar reminded me that there’s a suspicious bit of code in the normal Wii’s System Menu — see BS2 states 9/10 — where it checks for a disc with the special ID ‘RAAE’. If it finds it, it refuses to load the disc — but by all other indications, this would be a valid Wii disc. He suggested that this may have been the ID associated with the “Startup Disc”, and this check was placed in the final system menu to keep anyone from trying to use that disc a second time

Fortunately, back in the old days we could burn fakesigned discs, and boot them with no addition hacks (beyond a drivechip) — so I took the old Homebrew Channel Installer ISO and patched RealWnD into it, set the first 4 bytes of the image to ‘RAAE’, burned it, and tried booting it.

To my delight, the screen faded to black, and RealWnD started up. This turned to frustration when I realized that the only way to start the program dumping was to navigate its menu using a Wiimote, and I had no way of syncing a Wiimote to this Wii without a working System menu. I (too-) quickly hacked GC pad support into the RealWnD code, burned it, booted it, and then watched it crash because I forgot to call PAD_Init(). A third try ended up working, and an hour later I had a NAND dump of an almost-unmodified Wii on my SD card.

From there, it was fairly straightforward to proceed, though I probably did end up burning 10 discs trying to get the thing fully recovered to “normal” status. I burned the old “NTSC Semi-Brick Fix Disc” (with the first bytes changed to RAAE) to install system menu 3.2, then ran into problems trying to get the Hackmii Installer to work (it didn’t like the ancient versions of IOS installed on it) and I couldn’t get any games to play — even Zelda insisted on installing an update, which failed every time I tried! After using Bannerbomb to run Dop-MII to install a couple of newer versions of IOS and update boot2 (more later), I was able to install the rest of the standard channels with a normal Super Paper Mario disc, and then install BootMii as boot2 and dump the keys out so I could dump the keys to SD.

Analysis

With the keys, I could decrypt the original NAND dump I had made with RealWnD, which was the whole reason I wanted to see this Wii! Here’s what I found.

  • Console ID: 0204cef9. Console IDs were issued (roughly) sequentially, beginning with 02000000 for retail Wiis — this would make this one the first 300,000 (or so) Wiis made. I suspect this may have been made towards the end of the first batch of pre-release Wiis as a spare main board and sent to a repair center to keep in stock as a replacement for any early returns.
  • boot1 revision “a” — this is common for early Wiis, up to console ID 021e7bed or so
  • boot2v1 — this has never been seen before, but doesn’t seem to be substantially different (in any interesting way) from the common boot2v2. All early Wii games came with boot2v2, so most people would have gotten that update with the first game they played if it wasn’t already installed at the factory. I had suspected that boot2v1 was a special factory boot2 that could handle an unencrypted NAND filesystem, but that doesn’t appear to be the case — it still may be true that there is a boot2v0 out there that serves that purpose.
  • setting.txt indicates a serial number of LU100166385 (which matches neither the one printed on the case, or the revision of the drive!)
  • Only five titles installed — 1-2, IOS4v3, IOS9v1, BCv0, MIOSv0. Four megabytes of content, total!
  • A stub of a system menu installed as 1-2, version 1, using IOS4

The title installed as 1-2 is approximately 2 megabytes, and is the only thing I’ve ever seen that uses IOS4. Just like all 1-2 titles — including all system menus and the NDEV menu — it has a string identifying it as “NDEV BOOT PROGRAM v%X.%02X (SYSTEM MENU:”. Other strings indicate that there is some code to install updates off a disc and to boot a disc .. and that’s about it, the rest of the binary seems to be the graphics shown above. I packaged the files up and sent them off to Crediar, who was able to get it running under SNEEK and produce the screenshots featured above.

We were able to scrape unused parts of NAND and find fragments and evidence of even older content, and in some cases entire contents. IOS4v3 is 0x5f331 bytes, but there’s an IOS4v1 (with a strange cid of 35016B91) that is only 0x28e51 bytes. IOS9v1 is a healthy 0x19ed76 bytes, but there’s a bizarro IOS9v1 with the same cid (0) and version, but only 0x2a671 bytes long. The stub system menu (v1, 0x200500 bytes) shadows an older v0 that is only 0x80500 bytes long.

Conclusion

I think what happened was that a few thousand Wiis were made with this “skeleton” set of files on NAND. Of those, most were sent out to game stores for pre-launch kiosks — it’s not clear if the startup discs were sent along with the Wiis or shortly afterwards (which would explain the photos online of the kiosks showing the screen). Some were probably also set aside as replacement units in service centers, and apparently a few actually made it into the hands of customers — which is why Nintendo had to put up a web page pleading for people with those consoles to return them for a new system. Of all of these, most would have had the disc installed by the service center — and then maybe they had to return the disc? (I’m not sure why else I’d have such a hard time finding one). Of the rest, people would have sent them back to Nintendo to get working Wiis.

The only Wiis left out would be ones where the owners somehow wouldn’t (or couldn’t) send the Wii back to Nintendo for repair. This Wii that landed in my hands was assembled from spare parts — the case, main board and drive all came from different sources. I suspect that somebody “came across” a pile of main boards, and tried to assemble them all into working systems — when they were finished, they may have had 10 working Wiis and then this one, and then they probably put it in a box somewhere on a shelf and forgot about it, then sold it along with some other broken Wiis to someone else. Nobody would ever have been in a position to return this one to Nintendo, but whoever put it together must have hoped to fix it someday (which is why they didn’t just throw out the board).

More Analysis

Warning: this last part is going to be dry, technical, and isn’t finished … most people should skip it. I will update it if I ever come up with a clearer picture of the state of this system. I’m putting it here so that it has a place to live and in case anyone else can share some insights.

The big thing that’s missing is any definite answers about how this NAND came to be. The one thing I can say is that it looks like it is “fresh” enough that we can see most of the original contents of flash — many clusters have not yet been overwritten. There are a few different patterns we can see by looking at some files which appear to be created incrementally — it’s clear that clusters are allocated in scattered chunks of contiguous blocks.

testlog.txt:

  • cluster 5382 — testlog.txt is created with the single line “BOARD_TEST=START,V1.0”
  • cluster 7242 — testlog.txt updated with “BOARD_TEST=OK,V1.0”
  • cluster 0210, 5302: testlog.txt updated with “FINAL_TEST=START,V1.0”
  • cluster 01ab: testlog.txt updated with “FINAL_TEST=OK,V1.0”
  • cluster 2782: testlog.txt updated with “WRITE_NAND_DATA1=START,1.1.0”
  • cluster 2784: testlog.txt updated with “WRITE_NAND_DATA1=OK,1.1.0”
  • cluster 027a, 5703: testlog.txt updated with “SERIAL_NO_REGISTER=OK,1.1.0”
  • cluster 0602: testlog.txt updated with “WIRELESS_TEST=OK,RVL001.01”
  • cluster 3c42: testlog.txt updated with “PRECHECK_DATA=START,1.2.0”
  • cluster 02a2, 34c3: testlog.txt updated with “PRECHECK_DATA=OK,1.2.0”

cert.sys:

  • cluster 032a: cert.sys with XS00000003 cert
  • cluster 032b: cert.sys with XS00000003 and CA00000001 certs
  • cluster 01e9, 0207, 0331: cert.sys with XS00000003, CA00000001 and CP00000004 certs

uid.sys:

  • cluster 0328: uid.sys with one entry for 1-2
  • cluster 0332: uid.sys with entries for 1-2 and 1-4
  • cluster 0363: uid.sys with entries for 1-2, 1-4, 1-9
  • cluster 2582: uid.sys with entries for 1-2, 1-4, 1-9, 123J
  • cluster 4482: uid.sys with entries for 1-2, 1-4, 1-9, 123J, 10000-dead
  • cluster 618f: uid.sys with entries for 1-2, 1-4, 1-9, 123J, 10000-dead, 1-100
  • cluster 0178,6194: uid.sys with entries for 1-2, 1-4, 1-9, 123J, 10000-dead, 1-100, 1-101
  • cluster 0200,4b02: uid.sys with entries for 1-2, 1-4, 1-9, 123J, 10000-dead, 1-100, 1-101, 121J
  • cluster 63c3: uid.sys with entries for 1-2, 1-4, 1-9, 123J, 10000-dead, 1-100, 1-101, 121J, 122E, 0002
  • cluster 0140, 0258, 02c9, 6542: uid.sys with entries for 1-2, 1-4, 1-9, 123J, 10000-dead, 1-100, 1-101, 121J, 122E, 0002, HAXX (my RealWnD disc)

I would expect the rest of flash … that which was never touched … to be all FF or 00, or something. However, it’s not. 441M of the decrypted flash is what looks like several copies of the same random garbage string — except, it’s garbage where all the bytes are 0..7F. Here’s a compressed form of all of the garbage from the flash, if anyone wants to try to figure out what it is: garbage.7z

Update:

Okay, I figured out what happened. Combining some of the information I dredged out of this flash with some of the stuff from my older factory post/research:

One of the titles listed above is “0002” — specifically, that’s 00010000-30303032, and it’s installed into flash from a WAD, and then executed using IOS9 with the AHBPROT flag set. It reads a list of tests to perform from an SD card — all.ini, which we only had fragments of before. That file lists 8 sets of tests, and then a filename, arguments, and description for each. The DOL files listed there are read from the SD card and executed. One of the tests, NandIOS2.dol, ended up being left in NAND on the older “factory” Wii, and I scraped it out of flash 2 years back but didn’t look at it too closely. Going back to it, I see that it writes out a 25.6MB file, /tmp/nandTest.dat, with random data … which it then CRCs, reads back, and checks to make sure it was written and read correctly. Disassembling the random data function, it looks like this:

s32 seed = 1;
s16 rand(void) {
    seed *= 0x41C64E6D;
    seed += 12345;
    return (s16) seed >> 16;
}

u8 getRandomChar(void) {
   return rand() >> 8;
}

The fact that rand() returns a signed value means that when it is shifted right, the sign bit (which is always 0) will be extended, resulting a number that is always positive but within the range of a signed 8-bit integer (0 .. 127, or 0 .. 0x7F, which matches what we see). The file is 25.6MB long, which is almost identical to the compressed size of the data we saw — so that’s the sequence length (thanks segher for pointing that out!). I’m not quite sure why we see multiple copies of it — either the test gets run multiple times, or something is copying chunks of data around in flash.

Tags: Wii

46 responses so far ↓

  • 1 Some Person // Sep 22, 2010 at 5:01 am

    Not directly related to the above post, but easiest place to ask my question:

    I remember back in the day, there was some outrage about Nintendo pushing an update for boot2 for /every/ single Wii (if I recall correctly it was an attempt to overwrite BootMii, if installed).

    The outrage was because apparently Nintendo’s boot2 flashing code sucked and would brick heaps of Wiis (and you guys wrote your own boot2 flashing code cos you didn’t trust Nintendo’s)

    Did the expected mass-bricking ever happen? Because I can’t recall hearing much about it after.

    Thanks

  • 2 tech3475 // Sep 22, 2010 at 5:37 am

    Once again, thank you for producing these types of articles which I always find an interesting read.

    @Some Person, I don’t know the exact number, but I heard that there were a number of cases but I am not sure if these are in the hundereds or thousands.

  • 3 Bent // Sep 22, 2010 at 6:33 am

    Well it seems we finally know what ios4 is for. What I don’t understand is, why have ios9 if the basic system menu is running off of ios4? Are we still missing part of the process? And it also seems kind of odd that gc files are on there from the start, you would think those would get added with the startup disc as well. Any ideas about this?

  • 4 hcs // Sep 22, 2010 at 8:51 am

    Did a frequency analysis on the garbage (because that’s my idea of a good time), except for a few regions it’s very evenly distributed in 0-7f. The exception regions are:
    0x2158000-0x2160000
    0x9F60000-0x9F64000
    0x9FC4000-0x9FC8000
    0x10200000-0x10208000
    0x18008000-0x1800C000
    0x1806C000-0x18070000

    As I have no Wii knowledge I can’t make any sense of what I see here, likely just normal FS stuff that wasn’t in active files (probably the stuff you already discussed), but for anyone wanting to analyze the garbage alone, exclude these regions.

    Thanks for the article!

  • 5 G0dLiKe // Sep 22, 2010 at 9:23 am

    Thx for that very interesting article, always a good reading here ๐Ÿ˜‰ Keep it up.

  • 6 tech3475 // Sep 22, 2010 at 9:32 am

    @Bent

    One reason could be that because Wii Sports uses it, they decided it was easier to have it on the console.

    Three possible theories for why there are files on NAND I have are:
    1. Security- they may have thought that units would be less likely stolen if they were useless without the disc.
    2. To make it easier for the people setting up the demo stand.
    3. The system software was still in development right until the main production started. This could explain somewhat why they still had stuff on NAND despite needing the disc, the few IOS files were stable but the system software itself was not ready.

  • 7 tech3475 // Sep 22, 2010 at 10:01 am

    Correction, I meant “three possible theories for you need the disc are:”.

  • 8 me.yahoo.com/nande_kudas… // Sep 22, 2010 at 10:22 am

    really intresting ๐Ÿ™‚
    thanks for posting it, i will keep my eyes open for these “special wiis”.
    also, i think that tech3475 has some very reasonable points.

  • 9 me.yahoo.com/nande_kudas… // Sep 22, 2010 at 10:38 am

    a quick search in spanish (my main language, also a language spoken by people that messes with tech stuff) reveals this:
    http://ecetia.com/2006/10/una-de-especulaciones-ยฟwii-startup-disc or http://www.vidaextra.com/wii/que-sera-el-wii-startup-disc

    the post date is 2006 and the box sais it includes the WiiStartupDisc

    i think the 3ยบ point of tech3475 would be the best guess. The system wasnt ready, and don’t forget that when it first came out they couldn’t cope with the demand, so it would make some sense to rely the last step of the production to some “trusted” (or not) retailers (maybe without them knowing).
    Probably by now they don’t reease these wiis intentionally because now they have time to do this step at the factory.

  • 10 veraca // Sep 22, 2010 at 10:40 am

    As amazingly interesting as this is, maybe I’m just confused. Why is there a IOS9 if the system runs on IOS4? What are the differences in the coding and the purposes between them, and does this mean that Nintendo has made IOS5-8 as Alpha versions for the system?

  • 11 Bent // Sep 22, 2010 at 10:52 am

    @tech3475

    Only trouble with that is Wii Sports has a newer version included in its update partition IIRC. I guess they could have been planning on using that version and put it on there, later updating it when the game went gold, but it still seems odd to me to include those titles. You would think the basics to install a system menu would be just the basics, not 3 extra titles.

  • 12 ketufe // Sep 22, 2010 at 12:08 pm

    once again thank’s

  • 13 Sephiroth // Sep 22, 2010 at 2:28 pm

    interesting read as usual…would be sooo nice to see you guys get your hands on one of those startup discs :/

  • 14 hydrous.net/ // Sep 22, 2010 at 3:22 pm

    Fascinating. I find it interesting that the garbage compresses so well, which seems to suggest that it’s not truly random … since truly random content compresses very poorly.

  • 15 Pattonfiend67 // Sep 22, 2010 at 5:22 pm

    very, very interesting read… thank you!!

  • 16 google.com/profiles/at… // Sep 22, 2010 at 5:56 pm

    Just so you guys know, the regions listed by hcs above are identical copies of the same 16kbs data copied to several regions (some of them are simply adjacent).

  • 17 winmaster // Sep 22, 2010 at 7:00 pm

    Extremely interesting. I love you guys.

    Sometimes I want Nintendo to break homebrew just so I get a blog post to read! Ok…maybe not quite. ๐Ÿ™‚

  • 18 exile // Sep 22, 2010 at 7:51 pm

    This is by far my favorite blog.

    I don’t know too much about this aspect of the Wii, but you always seem to explain everything in a way I can understand.

    Oh, and good luck figuring all of this out!

  • 19 bushing // Sep 23, 2010 at 1:35 am

    Okay, in order:

    @Some Person: That’s mostly true — the concern is more that updating the bootloader carries a certain statistical risk of bricking the Wii — even if we assume both installing BootMii and Nintendo updating boot2 creates the same small (say, 1 in 10,000) risk of bricking the console, then 50 million users being updated for no good reason may see 5,000 bricked Wiis and 50,000 users installing BootMii might see 5 bricked Wiis. At least those installing BootMii chose to do so because there was a potential benefit for them (and I don’t actually know of any units bricked by BootMii).

    If you go search on Google for “4.2 Wii bricked”, you’ll find a number of articles — some merely parrot each other or our warnings, but many link to posts on various forums — including Nintendo’s — with first-hand reports of consoles being bricked. It got to the point where Nintendo had to put up a note on their forum trying to minimize the problem.

    @Bent and veraca: With regards to IOS4 — IOS4 is a lot smaller and simpler than IOS9 (about 400K vs 1700K), due to the fact that many drivers are missing, specifically most of the networking drivers (WL, WD, SSL, NCD, KD). I tried to boot IOS4 once, a couple years back, and couldn’t get it to work — but I didn’t put too much effort into it, and it was important enough that Nintendo later stubbed that IOS out. IOS9 would be necessary to run the gamut of burn-in tests that they have — see the list in http://hackmii.com/2008/06/factory/. It’s possible that they only initially flash boot1, boot2, IOS4, and 1-2 into NAND externally — this would only be about 3 MB of data, and maybe shaving off that extra 1.5 MB saves money and time for them.

    I ended up figuring out the cause of the semi-random data, I’ll update the post above in a bit with the info.

  • 20 MrTaco // Sep 23, 2010 at 2:08 am

    Right when I got to the second paragraph, that Insert Startup Disc thing set off a whole lot of bells ringing in my head. I remembered seeing early pictures of the Wii box, and mentions on the contents list of a “Wii Startup Disc”, and everyone wondering what that was. Then I went to go double-check my Wii box and sure enough the picture of the disc was there like I remembered. But it was labelled as being Wii Sports ๐Ÿ˜›

    Good read, I love how there’s long periods of nothing then all of a sudden a new part of the story suddenly unfold out of nowhere.

  • 21 KingLewy // Sep 23, 2010 at 3:19 am

    This article is AMAZING! What a bloody good read. Well done bushing. It’s really interesting to see this “secret past” of the Wii. It’s almost like Time Team.

  • 22 rh2k2 // Sep 23, 2010 at 4:36 am

    wonderfull read, as allways.
    many thanks to all contributors.

    a bit of topic but does anybody note that in the all.ini file ???

    Lcd3D_2
    “Lcd3D_2 (special)”
    “3D LCD version of smp-onetri_dl”
    0xA204
    vi3d_onetri.dol
    “-crc” “Check”
    Lcd3D_3
    “Lcd3D_3 (special)”
    “3D LCD Static Images”
    0xA205
    vi3dtest.dol
    “-crc” “Check”

  • 23 Jinxter // Sep 23, 2010 at 11:53 am

    Thanks brilliant break down, things like this always interest me ๐Ÿ™‚

    Just a thought her but looking at this logically is it possible that as Nintendo were running short of time for the dash and get this onto launch Wiis, and from your article that the units were being made with a very basic BIOS effectively … that initially the free bundled game of Wii Sport was to have been a dual purpose disk to flash the NAND fully and also as a game, therefore encouraging it’s use? … this is after all the only first time (as far as I’m aware) that a game was given away with from the manufacture with a full game.

    Just a thought, but I think it has some merit.

    Cheers
    Jinxter

  • 24 mtu // Sep 23, 2010 at 12:56 pm

    @bushing: is there still unexplained garbage?

    if there – have you tried having a look at the data before running it through regular NAND decryption?

  • 25 yvonne.maginley // Sep 23, 2010 at 2:36 pm

    stupid question…
    isnt it possible that the “random garbage data” is some kind of nand test to find out, if there are enough good blocks? some kind of “ram” testing

  • 26 Phredreeke // Sep 23, 2010 at 3:38 pm

    bushing: Maybe I got this wrong but isn’t the bootmii install safer since it only changes one copy of boot2? if the bootmii install goes bad the Wii will boot the second copy, while if the boot2 install goes bad then you have nothing to fall back on.

  • 27 Ufis // Sep 24, 2010 at 1:17 am

    This is by far my favorite blog. Thanks Bushing for the time you put in to all of this.

    The US systems were shipped with the Wii Sports disc but not all countries? Would the data from the non US Wii’s be different or be the same and just load different language files?
    Even so they wouldn’t want to rely on the disc to update if not all Wii shipped with it.
    I know that Korean Wii’s have a few extra or different ios on them. That half-way answers my question but being that long ago when the first Wii were shipped I’m not sure how they rolled them out of the factory to different countries.

  • 28 Sephiroth // Sep 24, 2010 at 2:12 am

    @Phredreeke:

    i thought so too but apparently bushing doesnt like to make that claim…maybe it’s because you can’t be a 100% certain that this is actually true…

  • 29 nilum // Sep 24, 2010 at 8:20 pm

    Hi bushing. I’ve been trying to get in contact with you.

    I’m about to send my Wii out for repair, and I remembered from a post a while back you had asked for people who had sent their Wii’s out for repair to send you their NAND dumps.

    Not sure the best way to contact you. I sent an E-mail to your GMail account, but I’m not sure if you check that often.

    Looking forward to your reply.

  • 30 Wack0 // Sep 25, 2010 at 5:00 am

    I know there’s at least one case of Wiis with the ndev menu ending up in the hands of consumers; someone posted on Yahoo Answers about it.

  • 31 bushing // Sep 25, 2010 at 3:05 pm

    @yvonne.maginley: Yes, I’m pretty sure that is at least part of what it is. The program that writes that data out does in fact count the number of bad blocks and compare against a limit (80).

    @Phredreeke: We did that one-copy update as a way of trying to be brick-proof, but even Nintendo had their own way of trying to prevent bricks — It’s been a while since I last looked at it, but I believe they only write one copy of boot2, and then only write the second copy once the first one is verified. I’ve still never been able to get my hands on a Wii that was bricked by installing the new boot2, so I still don’t know what the exact failure mode was.

    @nilum: Sorry, I’m pretty bad with email, just ask Paul ๐Ÿ™‚ I see your message and will write back soon.

  • 32 Scaevola // Sep 25, 2010 at 5:37 pm

    I just read the article. It was very informative. Considering that you are doing this only in your spare time, I appreciate your efforts and the time spent on not just analyzing the Wii but also sharing it with everyone in such a detailed post.

    Reading your comments on searching online about this issue and seeing the multilanguage error screens, I wondered if this kind of broken Wiis and startup discs also exist in other countries. I checked eBay UK and Germany, but defective wiis mostly had disc read errors.

    Then I checked Ninty support sites. In Australia and Japan, there was no FAQ entry on startup disc. In Europe, all language sites contained the same FAQ entry about the startup disc, but I believe that it is just a result of translation without adjusting the content according to local needs.

    Probably, only US had these units but it may also be possible that these startup discs were available in Latin America and Canada. Somebody better check the local auction and classified sites for similar Wiis or startup discs. I did my job for Europe. ๐Ÿ™‚

    I continued Googling various phrases that contained “startup disc” and so, but this post is the most comprehensive information available. The discs were possibly collected back as you mentioned.

    By the way, while searching, I found a Google cached copy of the auction Paul got the Wii from and a thread in Ninty Support forums about the startup disc error. ๐Ÿ™‚

    And I have a final question. Why is this disc blocked in future system menu versions? Is it because it had the possibility to brick Wiis or is it because it contained exploitable stuff?

  • 33 Nickwiiman // Sep 26, 2010 at 1:30 pm

    Well hi all i have just had a thought on what some one said before sort of. When the launch of the wii was happening the demand was so high, that my thought was that they had cut their process time on flashing the NAND and put basic file reading firmware on to it and the rest of the coding on the wii sports disc, which needed IOS4 to run mmmmm…… well after a moment of madness i ripped the copy of wii sports and theres no obvious files on it.
    Question: (im not fully up to date on this but…)
    How does the wiimote connect to the wii when there is no obvious support on there or is it seperate to the nand?

  • 34 Nickwiiman // Sep 26, 2010 at 1:56 pm

    And just another silly coment really but a pause for thought the pictures above saying please insert wii start up disc, if you look at the picture of the wii in them they havent got sd card slots mmmm…… just another wierd observation lol. I do remember some time back i read an artical that said the wii originally was not going to have sd support but was a “so to speak” last minute thing after Nintendo was told they had to put some sort of support for developers to work with. Not sure on the truth of this but i thought i would share my wii bit of knowledge with ya!!!

  • 35 Sephiroth // Sep 26, 2010 at 4:02 pm

    @Scaevola:

    the system menu blocks the startup disc for one reason…there is absolutely no point in using the startup disc if you already have a working system menu, that’s why the id is blocked…i guess there is no other reason, or is there? Oo

  • 36 HyperHacker // Sep 27, 2010 at 9:23 pm

    “if you insert a disc, it would transition to the other two discs”
    Other two screens, perhaps? Couple other typos too… did you perhaps write this as you were playing with it? :-p

    It sounds like even this base image has an encrypted NAND and only boots [fake-]signed discs, which means there’s still no way for the system to bootstrap from a black NAND? I suppose they program each chip before installing it, but used these stubs because they wanted to ship before they’d finished writing the software. It’d still be interesting if you ever discovered exactly how they get that first image on there.

    Pretty neat to know more about what the startup disc does. I wonder if these “broken” units will become valuable now that they’re known to be hard to find? (Or less, if people can get the image and flash it to that state themselves for no good reason?) Maybe more of these discs will show up now?

  • 37 Nickwiiman // Sep 28, 2010 at 2:14 pm

    Just a bit more info found on the below website:

    Posted: Nov 16th 2006 12:31PM
    (Unverified) said I work at Eagle Global Logistics (EGL), a company like UPS that ships stuff, and we are currently shipping these demo units to GameStop stores, and I read a letter attached to one of the boxes. It said something about a Nintendo associate needing to visit the store to “activate” the Wii. That may have something to do with it.

    http://www.joystiq.com/2006/11/03/wii-startup-disc-is-a-surprise-set-up-disk/2#comments

    As this was posted in 2006 it would have been in the right era, but this was posted buy an american guy, but all the boxes that have shown the startup disc included have been european wiis mmm….STRANGE!

  • 38 knarrff // Oct 2, 2010 at 6:53 pm

    You write: “Iโ€™m not quite sure why we see multiple copies of it.”

    I am not sure if you figured that out already, but you write about the PRNG: “so thatโ€™s the sequence length”. I would ask, why would you only expect to see only one copy of it? If this was used to test the memory, there is no reason to only use one times the length of the sequence. I would rather simply overwrite (almost) the whole memory for the test, and thereby create a number of copies of the sequence simply because the sequence length happens to be shorter than the size of the tested memory.

  • 39 knarrff // Oct 2, 2010 at 6:54 pm

    And I forgot: thanks for the fascinating read. If I would have more time I would probably be as hooked as you. But thanks to your posts I can at least read about all that stuff.

  • 40 jmp765 // Nov 9, 2010 at 11:57 am

    Hi Folks,
    I just received a Wii I bought off E-bay. It shows the exact screen about insert start up disc. S/N 100134360. Called Nintendo and they said I could send in, but if opened or modified they would just send back. It looks in very good condition, besides minor scratches. I said it looked like it may have been opened and ended the call.
    If anyone wants to check this one out let me know.

  • 41 Wack0 // Jan 23, 2011 at 4:01 am

    jmp765: what region is this wii ?

  • 42 jmp765 // Mar 13, 2011 at 8:31 am

    The region is US. Unit is in excellent condition.

  • 43 jmp765 // May 24, 2011 at 10:32 am

    I waited as long as I could… Here it is.

    http://cgi.ebay.com/Nintendo-Wii-White-Console-VERY-RARE-/180671026541?pt=Video_Games&hash=item2a10d5156d

  • 44 NoJack // Mar 23, 2012 at 9:08 pm

    I don’t know if anyone is still watching this, but I just got one of these, didn’t realize it was rare. I just want it to work… is there anyone who can help me with that? Did we get a “recovery” disk made from all of Bushing’s hard work?

  • 45 tueidj // Mar 28, 2012 at 3:41 am

    NoJack: If you just want it to work like a normal wii, contact Nintendo: http://www.nintendo.com/consumer/systems/wii/en_na/ts_system.jsp?menu=error
    (select “Please Insert Startup Disc” from the menu on the left)

  • 46 NoJack // Apr 2, 2012 at 5:57 pm

    Nintendo can’t recognize the serial #… No ISO image I can get to fix it myself?

You must log in to post a comment.