HackMii

Notes from inside your Wii


Open-source USB Analyzer / 27C3

December 19th, 2010 by bushing · 7 Comments

We’ve seen a lot of interest in USB in the past few months — a slew of PS Jailbreak clones appeared from a USB trace taken with a $1500 Lecroy USB Analyzer, and marcan wrote a Kinect driver using libusb, based on some USB protocol traces taken with a $1200 Beagle 480 USB analyzer.

To build a decent USB 2.0 protocol analyser you don’t need that many things inside, and the designs aren’t all that much more complicated than the FPGA designs we worked with on the DSi. pytey and I have been discussing hardware USB 2.0 analysis on and off for 2+ years but we have never had the time (or funds) to create a gadget of our own. An opportunity arose when pytey showed me the absolutely fabulous Kickstarter site, where you can help fund fledgeling projects to get them off the ground.

Open-source hardware isn’t a new idea, but it’s not very easy to pull off designs of even modest complexity. Unlike open-source software (which can generally be made with free tools on any household computer, as long as you have the time to learn how to do so), hardware-hacking is … well … expensive, for lack of a better word, and slow. One attempt at making a board will generally take you from 5-500 hours of time to design it, and then a couple of weeks to have a prototyping house make you some PCBs. This will probably cost you $50-$200, and then you still have to buy the parts and assemble the board … assuming you have the right equipment to do so, this can take you another week (not including debugging!).

After you’ve done all that, if all goes well — you end up with one or two prototypes which you can then try to get working, usually involving some combination of firmware and client software on your computer. Unfortunately, you only have one or two boards, so it’s hard to do much collaboration online with people on one design.

pytey suggested that we might try to leverage Kickstarter to help us make the USB 2.0 analyzer a reality — and thus, OpenVizsla was born! This project has allowed us to collect enough funds ahead of time to have a factory make enough prototypes for all our colleagues to work on firmware, HDL and client software to make an open-source USB analyzer happen. We still have to put the work in to design the hardware, but we will have enough cash to be able to buy the parts for our boards in one chunk (achieving significant discounts with quantity), and we will be able to have enough prototypes made at once to justify a factory production run — no more hand-soldering for us! Once we’re done with this, we’ll end up with a design that people can tinker with and extend; there will be a project site that will soon host more details.

It seemed like a bit of a gamble, so we argued back and forth and picked a cash target high enough to ensure we would be able to make at least enough prototypes to have a decent chance of pulling the project off. I could never have expected the popular reaction to it; it seems like we really struck a nerve out there. We even got a couple of celebrities (Stephen Fry, DVDJon) on board, and our ploy to get some major backers (offering the right to directly participate in the early prototyping stages and a spot for a logo) paid off in spades. We even got support from Altium, who donated a couple of licenses of their lovely CAD/CAM software for us to use to speed up our design process.

Anyway, if you’re interested in the idea of playing with USB, I recommend you head over to the Kickstarter page; as of this writing, there’s still 3 days left for you to get in on the OpenVizsla production run.

On to CCC — our Console Hacking table at the Chaos Communication Congress in Berlin has become somewhat of a fixture there, so we’re trying to reserve some space this year. A few of you have already noticed that we have a “Console Hacking 2010” wrapup presentation planned; the description’s still a bit vague because our presentation will depend on how much progress we make between now and then. There’s going to be a PS3 surprise though. No questions about the content, please — we’re still busy hacking away over here, so just come see us there or wait for the video!


Developers, Developers, Developers!

November 6th, 2010 by bushing · 10 Comments

Hello friends! I’m glad to report that (as mha reported earlier) we’ve surged past 600K installs of the HBC, worldwide.

We’ve always believed that the HBC is a valuable tool for development, especially with the convenience of being able to use Wiiload to load code over the network. Some of those 600K users out there have written us to say that they are Licensed Developers ™, and have reported that recent versions of the HackMii Installer have been able to install the HBC on development hardware (NDEV, RVT-R and RVT-H) using e.g. Bannerbomb. We have taken pains to write code that can install in as many environments as possible, and to our knowledge, our code is generic enough to work on development hardware and to load binaries produced with Nintendo’s tools (on any hardware); if this isn’t the case, please file a bug (e.g. on our bug tracker).

We are once again planning to be at CCC with a table downstairs in the Hackcenter, and we hope many of you will stop by to say hello!


Insert Startup Disc

September 22nd, 2010 by bushing · 43 Comments

Those of you who have been reading this blog for a year or two know that I’ve been fascinated with figuring out how Wiis are made at the factory. The driving reason is that if we can figure out how Wiis with blank flash chips are programmed at the factory, we could possibly wipe bricked Wiis and fix them.

Well, we never found that, but occasionally some hint pokes up. Nintendo has gone out of their way to call out a specific message — Insert Startup Disc — and has declared that there is a problem with the “operating system” and let it be known that they very badly want to replace it. As with things like the iOS “diagnostic mode”, this generally means that a unit escaped from the factory without having completed all testing and programming steps. This can give a rare glimpse into factory steps normally concealed from us.

Searching online for information about this has been rather frustrating. Occasional articles from late 2006 show in-store kiosks displaying a blurry “Insert startup disk” message. A few private conversations have alluded to the fact that a few thousand Wiis were sent to game stores with this disc, but nobody has been able to cough up a disc for me to examine (or at least an image of one!).

Fortunately, an alert member of assemblergames caught an auction on eBay for a broken Wii displaying our mysterious error message. (Thanks Paul!) He bought it and sent it to me to look at, and here are my findings.

Background

Stepping back a moment, the reason that this is strange is that the very lowest levels of the system — boot1, boot2 — can’t even talk to the DVD drive or the video output. IOS can talk to the DVD drive, but only at a very low level, and only in response to IPC from the PPC — there’s no way for the system to bootstrap itself with a blank flash, or with boot1 and boot2. You absolutely need PPC code running, and if you have that running, you might as well have the whole system menu running. It also probably means you have to either have a boot2 that can read an unencrypted NAND filesystem, or it means you have to program each chip individually with a key from a database using a flash programmer before soldering it down — an expensive and complicated operation, in comparison to flashing one image to all chips or programming a unit with test pads.

The only possible reason I could imagine for doing this would be that the flashing process has a long lead time — longer than pressing DVDs — and Nintendo therefore was able to ship these kiosk Wiis earlier by including a stub of a system menu that could install updates, and then making a few thousand in this state and shipping them out with these discs. Let’s take a look at Paul’s Wii.
