Dolphin, the GameCube and Wii emulator - Forums

Full Version: Wii Nand Dumping
So I've been trying to dump the Nand on my Wii, mainly to see if I can't convince my WiiOS to boot, but also because I want to try out several of the WADs installed on my system and post results and screenies, etc etc.

I'm using WiiND for the dumping, and that seems to have gone well (although it was a lot quicker than I expected) but the instructions tell me that I need the keys from my Wii and I'm getting hung up there. The only homebrew program I can seem to find that will dump my Wii's keys for me is xyzzy, and it fails every time for some reason. I'd imagine this is because xyzzy downloads an IOS from Nintendo for the hack, and Nintendo has either removed that download or patched it one.

So I ask: is there any other way to dump the keys (most importantly, the NAND key) from my Wii? Am I perhaps using xyzzy in an incorrect fashion?

Thanks a bunch if anyone has any info.

-gamefreak

Edit: Hmm. Seems my WiiND isn't actually producing a dump file. Not that I can find anyway. Something is clearly amiss here. The Wii isn't updated past 3.3, do you suppose there's something else breaking this process?
Further Edit: I'm about to be sad here, one of my Nand dumpers I found (I've been running down the list) is telling me it has an error reading the NAND, I assume it was blocked with a patch of some sort? Quite sad indeed if this is true, although I don't remember reading about it. Anyone who has succeeded in doing this: is there something else I need to have installed on my Wii to make the dumper(s) work?

caitsith2

I myself had the exact same issues at one point with dumping my nand, when I never used to have any issues. Over time, it seems the nand does develop a bad sector that the system calls do not flag as such, but flag as some other error, which causes all existing nand dumpers to fail right at that instance. Because of this, I modified the nand dumper I normally use, to not quit on error, but instead, press on, skipping that sector anyways. http://caitsith2.net/wii/YaWnD_v0.3.zip.

Additionally, I modified xyzzy to use a local cache of the files on the sd card, if you have them already. (The files on the NUS server are 000000010000000b/00000008, 000000010000000b/00000009, 000000010000000b/tmd.10 (save as tmd), and 000000010000000b/cetk, all saved to the [sd drive letter]:\000000010000000b\[required files]). http://caitsith2.net/wii/xyzzy-1.2.zip. This is handy if the wii you are dumping the nand from does not have internet connectivity. (If it does, and the files are not on the SD card, it will attempt to grab them as the original xyzzy did. (If you are using xyzzy v1.0, of course it will fail, as that version attempts to grab the latest ios 11, which has had the fake signing bug fixed, rather than version 10 of IOS 11.)

So far, in my attempts to run the system menu on dolphin, the system menu does show, and the system menu actually does put its disc channel where you last placed it, if you moved it. However, at present, none of the channels you have installed will show up in it, very good chance that it will report the message board as corrupt, and the settings of the sys menu do not work yet. (black screen when you attempt to go there.)

I do have good news though, if you present some of the other channels to dolphin as 1-2, it will boot them, and run them. Bad news though, is that yeah, the mii channel does run, but you can't edit any of the miis created on your actual wii, due to the fact that the mac address the emulated wii reads as 00:00:00:00:00:00, in other words, "can't edit miis you didn't create".
WOW. Your Modified version of YaWnD does indeed appear to be dumping. I just *knew* it was supposed to take longer than a split second, glad I wasn't being paranoid for nothing. ^_^

Is it... normal for the screen to go all happy and garbage-like when it reads the NAND? Anywho, I'm waiting for it to finish, I'll post the results of my attempt to decrypt the thing using my keys here in a second.

*waits*

*ahh... I think I understand why it's going all wonky with the display... it's outputting a newline character in the wrong character encoding. Neat. It makes this pretty almost checkerboard pattern on the console. ^_^*

I guess my real question is: does that bad sector (which appears to have been my problem as well) affect any semi-important files on the thing, or is it just something that the Wii firmware understands is bad, but the IOS doesn't or something to that effect? Either way, it's quite interesting.

I ran the original xyzzy and, although it did claim it had an error (fail... bricks... something to that effect) I ended up with a keys.txt file and what appeared to be hex codes, so I can only imagine it managed to get the keys anyway. I'm fairly certain that it failed attempting to download the proper IOS files to use, so I might try the cached version if it didn't get the keys I need to decrypt this thing.

All in all though, very very helpful, that was *exactly* what I needed. +42 internet for you.
Alright, successful nand dump, not-so-successful extraction. I've got the image file of my NAND, I've got nand-key.bin, but the extraction utility... hates me for some reason.

I've tried about every compatibility mode I can think of, but "zestig.exe" which I'm told does the actual extracting crashes immediately upon loading, no matter what I try to do to convince it otherwise. I'm running Vista, that's probably the issue, although I can't be certain. I've got nand-key.bin sitting at C:\keys\ like it should be, and using the Extractor.exe utility I'm supposed to be able to just open the .img file that is my NAND dump and it should be extracting away, no?

I'm investigating whether there's a cygwin conflict, since I noticed the cygwin .dlls sitting there. In any case, if this was originally a Linux application, do you suppose there's a native linux version of it? I've got a linux box or two lying around (my main laptop is linux only) and I could certainly try it there.

Really, I wasn't expecting this to be quite so difficult. ^_^

Edit: Further grr. Doesn't work on XP. So for the Microsoft side of things, doesn't work on XP, Vista, Windows 7, with or without the actual updated cygwin package installed on any. I found the linux version, but it can't seem to locate my nand-key, mainly because it's *very* unclear about where I need to drop it. This is just... painful.

OK. If I upload my nand-dump.img and nand-key.bin somewhere, can someone who is actually *able to run these tools* extract my nand for me and send me back the results? That seems to be what I need right now, I've thrown 4 different operating systems at this program and none of them are working out.

I'm frustrated, it's 3:00 in the morning, and I'm going to sleep now. (The great thing is, I'm venting on something other than Dolphin. Yay!)

caitsith2

(If you watched the progress at all, " . . . . . . . . . . . . . . . ." should be the reading result, for each pass that is good. A bad sector will be indicated by something like " . . . . . . . . .0_ . . . . . ." (1 bad sector), or in the worst case, " . . . . . . . . .3z . . . . . ." (255 bad sectors) for that 3z.

(Basically, " ." means that out of 256 2048 byte sectors read, none of them were bad. If there is a number in place of that space, then, it means 64 * number, and the character that follows will form the number to add, in a base 64 type expression, in the order of "._0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz". On my own wii, with my most recent dump, the first 75% dumped flawlessly, then there was a "0_", (1 bad sector), then the rest of the nand dumped flawlessly.

Another modification you may or may not have noticed is dumping speed. Those that used the original versions of YaWnD, will definitely notice it, because the original version reads 8MiB at a time, then opens the file on the SD card for append, (which is essentially write if it doesn't exist), and writes it, then closes it. Lather, rinse, repeat. Unfortunately, each open for append becomes slower than the previous one. This version keeps the file open, till the full nand dump is complete, which is considerably faster than open for append, write 8MiB, and close, 64 times.

Another consideration, did you dump with ECC or without? If you dumped with ECC, that might well explain why zestig is refusing to cooperate with you. ECC adds another 64 bytes for each sector read, making your nand dump 16MiB larger than the one without.
just to let you know:
afair dolphin only supports version 1.0 of the os...
so you have to have an original untouched wii from the first weeks of sale in japan... and you mustn't have your wii updated since then...
I'll try it again dumping without ECC. However, I think the problem is that zestig is never actually getting far enough to look at the file, it's crashing before producing any output (or I'd be pasting that output here).

It was my understanding that updates were applied on boot? Or rather, that a new update didn't delete any old files, it simply added new ones? Or does that only work for IOS, and not for the menu itself? I guess I'll find out once I get this thing to work. ^_^
Well, I'm running dump#2 without ECC right now, but I just realized something: the nand-key.bin I ended up with is 16 bytes of straight 00, which I'm fairly certain isn't my decryption key. So it seems that for whatever reason, I'm not actually getting the darn key.

I'm going to need to grab the IOS files manually. I know you can't provide them for me here, but can you elaborate on the nintendo-server URL I need to look up to download them using my PC?
(03-25-2009, 03:42 PM)caitsith2 Wrote: [ -> ]Additionally, I modified xyzzy to use a local cache of the files on the sd card, if you have them already. (The files on the NUS server are 000000010000000b/00000008, 000000010000000b/00000009, 000000010000000b/tmd.10 (save as tmd), and 000000010000000b/cetk, all saved to the [sd drive letter]:\000000010000000b\[required files]). http://caitsith2.net/wii/xyzzy-1.2.zip. This is handy if the wii you are dumping the nand from does not have internet connectivity. (If it does, and the files are not on the SD card, it will attempt to grab them as the original xyzzy did. (If you are using xyzzy v1.0, of course it will fail, as that version attempts to grab the latest ios 11, which has had the fake signing bug fixed, rather than version 10 of IOS 11.)

I followed all of these instructions. Your version of Xyzzy now performs "Sending things to earth..." and then says something like "Hmm. These things seem to be on earth already".

After that, it performs one more line of output which appears to be an error message of some kind, and then proceeds to exit to the HBC without writing anything.

I used the 4 files you mentioned, all downloaded from
http://ccs.shop.wii.com/ccs/download/000000010000000b/[filename]

including tmd.10 so it would grab the correct un-patched version. I understand what's *supposed* to be going on here, but I'm still not having any luck. I'll see if I can't post the exact error message I'm getting here...

-ES_Decrypt returned: -1017

/hash BAD

So it seems that it doesn't like something... somewhere. Interesting... I wonder what's going on? I don't know if it's complaining about the 4 files I provided it, or something else on my NAND or wherever it is that it's looking for those keys.

Edit: Wow, sorry about the triple post here. I'm a little bent on success here, if you haven't figured that out. ^_^

caitsith2

(03-26-2009, 09:49 AM)thegamefreak0134 Wrote: [ -> ]
(03-25-2009, 03:42 PM)caitsith2 Wrote: [ -> ]Additionally, I modified xyzzy to use a local cache of the files on the sd card, if you have them already. (The files on the NUS server are 000000010000000b/00000008, 000000010000000b/00000009, 000000010000000b/tmd.10 (save as tmd), and 000000010000000b/cetk, all saved to the [sd drive letter]:\000000010000000b\[required files]). http://caitsith2.net/wii/xyzzy-1.2.zip. This is handy if the wii you are dumping the nand from does not have internet connectivity. (If it does, and the files are not on the SD card, it will attempt to grab them as the original xyzzy did. (If you are using xyzzy v1.0, of course it will fail, as that version attempts to grab the latest ios 11, which has had the fake signing bug fixed, rather than version 10 of IOS 11.)

I followed all of these instructions. Your version of Xyzzy now performs "Sending things to earth..." and then says something like "Hmm. These things seem to be on earth already".

After that, it performs one more line of output which appears to be an error message of some kind, and then proceeds to exit to the HBC without writing anything.

I used the 4 files you mentioned, all downloaded from
http://ccs.shop.wii.com/ccs/download/000000010000000b/[filename]

including tmd.10 so it would grab the correct un-patched version. I understand what's *supposed* to be going on here, but I'm still not having any luck. I'll see if I can't post the exact error message I'm getting here...

-ES_Decrypt returned: -1017

/hash BAD

So it seems that it doesn't like something... somewhere. Interesting... I wonder what's going on? I don't know if it's complaining about the 4 files I provided it, or something else on my NAND or wherever it is that it's looking for those keys.

Edit: Wow, sorry about the triple post here. I'm a little bent on success here, if you haven't figured that out. ^_^

At present, I won't be able to troubleshoot the issue, as my wii got turned into a brick, that is now being shipped to a nintendo repair center. Of course, the file you are definitely looking for, from your xyzzy dump, is keys.txt, saved on your sd card. If the file has only the certificate, it did not run correctly, if however, it has the common key, sd key, nand aes key, nand hmac key and the like, then it did run properly. You do have to manually transcribe the data into the key files yourself though. And indeed, a nand aes key of ALL 0x00, is definitely incorrect.
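
An added example (not code from YaWnD, xyzzy or any poster in this thread) that turns the checks described in caitsith2's posts into a script: decoding the dumper's progress markers into bad-sector counts, telling an ECC dump from a plain one by file size, and rejecting an all-zero nand-key.bin. The function names are hypothetical, and the total NAND size is an assumption derived from the thread's "8MiB ... 64 times" figure.

```python
from typing import List, Optional

# Marker alphabet exactly as given in the thread (64 symbols, "." = 0).
ALPHABET = "._0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SECTOR_BYTES = 2048            # data bytes per sector (from the thread)
ECC_BYTES = 64                 # extra bytes per sector in an ECC dump
# Assumption derived from the thread: 64 reads of 8 MiB cover the whole NAND.
TOTAL_SECTORS = 64 * 8 * 1024 * 1024 // SECTOR_BYTES
KEY_BYTES = 16                 # nand-key.bin size mentioned in the thread


def bad_sectors(progress: str) -> List[int]:
    """Decode one progress line into bad-sector counts per 256-sector pass."""
    if len(progress) % 2:
        raise ValueError("expected two characters per marker")
    counts = []
    for i in range(0, len(progress), 2):
        high, low = progress[i], progress[i + 1]
        if low not in ALPHABET or high not in " 0123456789":
            raise ValueError(f"unrecognised marker {high + low!r}")
        multiple = 0 if high == " " else int(high)   # space means "no 64s"
        counts.append(multiple * 64 + ALPHABET.index(low))
    return counts


def classify_dump(size: int) -> str:
    """Tell a plain dump from an ECC dump (or a truncated one) by file size."""
    if size == TOTAL_SECTORS * SECTOR_BYTES:
        return "no-ecc"
    if size == TOTAL_SECTORS * (SECTOR_BYTES + ECC_BYTES):
        return "ecc"
    return "unexpected-size"


def key_problem(key: bytes) -> Optional[str]:
    """Return why a key file is unusable, or None if it looks plausible."""
    if len(key) != KEY_BYTES:
        return "wrong-length"
    if not any(key):
        return "all-zero"
    return None


if __name__ == "__main__":
    line = " . . . . . . . . .0_ . . . . . ."   # progress line quoted in the thread
    print(sum(bad_sectors(line)), classify_dump(528 * 1024 * 1024), key_problem(bytes(16)))
```
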