amoxiflash



wraggster
May 5th, 2008, 19:54
Bushing (http://hackmii.com/2008/05/amoxiflash/) is back with another article :)


As promised:

A friend whose Wii I bricked was kind enough to hook me up with an Infectus chip to use as a NAND Flash programmer in my UnbrickMii project. I’ve spent the last couple of weeks just trying to get it to work, and have run into several, um, speedbumps along the way.

No Mac or Linux support. This one wasn’t really a surprise, but is still frustrating. That’s what VMWare is for, I suppose, and there’s always my old, shitty Dell laptop.
Inflexible programming. You basically get a “Program firmware” and a “Dump firmware” command. There is no way to specify a range of bytes to program.
“Erase” command is broken. It only erases half of the chip, twice. I’m not sure how anyone has actually managed to use this to restore a Wii dump.
Verification is, too. There’s a “write verify” option, but it always fails when trying to program a Wii chip. Apparently, it does not correctly handle large-block flash chips, meaning that it tries to write 512 bytes, and then verify 2048 bytes, and then refuses to program any further.
Provided software makes permanent, irreversible changes to device. When you install the 0.0.3.9 software available from the Infectus site, it reflashes the firmware inside the SiLabs MCU that serves as the USB interface to the Actel chip. This means you can no longer use any older versions of the Infectus Programmer software. Well, I hope this version is a good version, then!
It’s not. It locks up whenever you try to select the NAND Programmer option. Ooops. (It turns out that you can work around this by selecting the “Timing Attack (Homebrew)” option, and then restarting the program — but this is hardly obvious, and you still run into the problems listed above.)
Non-existent documentation. I’m a DIY sort, so I don’t need much — however, there is a fine art to reprogramming a flash-chip, in circuit, while the host system is still running. Some of the other pages on the Infectus site give directions for other consoles (“start a game and press pause, then program the chip”), etc. None of this was given for the Wii, which left many people guessing on their message board, and as far as I can tell nobody has gotten it right.
The last problem is probably the most pernicious, because it means that any dump taken with the Infectus has a high likelihood of being corrupted, and the only way you’ll find this out is if you try to write the dump back to your flash chip and boot your Wii. Of course, if your dump IS corrupted, then you’ve just bricked your Wii, because there is currently no way to obtain compatible flash chips that you could use as spares. (If you know of a source, please let me know!)

So, what to do?

First, let me gather my courage and show you the way I ended up installing the chip in my test Wii (not yet the bricked one):


The key thing here is that little push-button — connected between D0 and ground. If you power on the Wii, even if nothing appears on the screen, the Starlet will still start up and write to your NAND flash. It does this every few minutes. If this ever happens while you’re trying to read or write to the flash chip, your dump is toast, and the contents of the flash may be corrupted. It is NOT enough to just remove the BT or Wifi modules to keep the thing from booting.

Instead, follow this sequence:

Plug in power cable to Wii. Observe power light coming on (red or orange LED).
Hold down special pushbutton to short D0 to ground.
Press Power button on front of Wii — watch LED turn green.
After LED turns green, release D0 button. You only need to keep that button held down for maybe half a second.
When the Wii turns on and the LED goes green, boot0 will run and it will try to load boot1 from the NAND flash. If you hold down D0, it will fail, and everything will halt; this will keep power applied to the NAND flash chip, but it won’t try to access the chip.

You’re now most of the way there — at least, electrically. (If you look closely, I had to add a second ground wire to the bottom-right of the Infectus chip — I explained why here.)

However, there’s still the problem that the software is entirely broken, and doesn’t even work on my MacBook Pro. So, I did what any good hacker would do — I reverse-engineered the protocol and wrote my own Mac client (which is also a Linux client, and probably a Windows client, too — but I don’t know how to compile it for Windows). It’s still pretty minimal, but I’ve used it to brick and restore this Wii about 10-15 times without problems. I’m sure you can find plenty of bugs and missing features — and if you do, please send patches my way and I’ll update the program.
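Two of the problems quoted above (the write-verify that programs 512 bytes but checks 2048, and a corrupted dump that is only discovered after it has been written back) come down to checking the right bytes at the right time. The following is an added example, not Bushing's amoxiflash client or the Infectus software, showing how a practitioner would verify a dump before trusting it and verify a write by reading back exactly what was written. It assumes the large-block NAND geometry of the Wii's flash (2048-byte pages with a 64-byte spare area, 64 pages per erase block); `FakeNand` is a constructed stand-in for the real chip so the code runs offline.

```python
# Added example, not code from hackmii.com or the Infectus programmer.
# Assumed geometry: 2048-byte pages + 64-byte spare, 64 pages per erase block.
# FakeNand is a constructed model of the chip, used only so this runs offline.

PAGE_DATA = 2048
PAGE_SPARE = 64
PAGE_SIZE = PAGE_DATA + PAGE_SPARE
PAGES_PER_BLOCK = 64
BLOCK_SIZE = PAGE_SIZE * PAGES_PER_BLOCK


class FakeNand:
    """Minimal NAND model: programming can only clear bits (1 -> 0) and an
    erase resets a whole block to 0xFF. Real chips behave this way, which is
    why programming over an unerased region silently corrupts the data."""

    def __init__(self, blocks: int) -> None:
        self.mem = bytearray(b"\xff") * (blocks * BLOCK_SIZE)

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self.mem[offset:offset + length])

    def program(self, offset: int, data: bytes) -> None:
        for i, byte in enumerate(data):
            self.mem[offset + i] &= byte  # bits can only go 1 -> 0

    def erase_block(self, block: int) -> None:
        start = block * BLOCK_SIZE
        self.mem[start:start + BLOCK_SIZE] = b"\xff" * BLOCK_SIZE


def compare_dumps(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> list:
    """Return the indices of pages that differ between two dumps.

    Two dumps taken while the chip is truly idle (D0 held at power-on so
    boot0 halts) must be identical; a differing page means one of the reads
    was disturbed, and the dump should not be written back."""
    if len(a) != len(b) or len(a) % page_size:
        raise ValueError("dumps must be the same length and page-aligned")
    return [
        i for i in range(len(a) // page_size)
        if a[i * page_size:(i + 1) * page_size] != b[i * page_size:(i + 1) * page_size]
    ]


def program_verified(nand: FakeNand, offset: int, data: bytes, chunk: int = 512) -> bool:
    """Program `data` in `chunk`-byte pieces, reading back exactly the bytes
    just written after each piece. Verifying a different size than was
    written (2048 bytes after a 512-byte write) compares not-yet-programmed
    flash against nothing and fails, which is the failure described above."""
    for start in range(0, len(data), chunk):
        piece = data[start:start + chunk]
        nand.program(offset + start, piece)
        if nand.read(offset + start, len(piece)) != piece:
            return False  # mismatch: stop before corrupting more of the chip
    return True


def restore_dump(nand: FakeNand, dump: bytes) -> bool:
    """Erase every block the dump covers, then program and verify it.
    Erasing first matters: NAND programming cannot set bits back to 1."""
    if len(dump) % BLOCK_SIZE:
        raise ValueError("dump must cover whole erase blocks")
    for block in range(len(dump) // BLOCK_SIZE):
        nand.erase_block(block)
    return program_verified(nand, 0, dump)


if __name__ == "__main__":
    # Constructed one-block dump and a second "dump" with one disturbed page.
    good = bytes(range(256)) * (BLOCK_SIZE // 256)
    disturbed = bytearray(good)
    disturbed[2 * PAGE_SIZE + 5] ^= 0x01
    print("pages that differ:", compare_dumps(good, bytes(disturbed)))  # [2]
    chip = FakeNand(1)
    print("restore verified:", restore_dump(chip, good))               # True
```

The two checks are independent: `compare_dumps` is run on two consecutive reads before anything is written, and `program_verified` is what a restore uses, chunk by chunk, so a failure stops the write at the first bad chunk instead of after the whole chip has been touched.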

PeyeRate420
May 6th, 2008, 05:32
wow i gotta say....gr8 work on the news today wraggster!

vicious1988
May 6th, 2008, 13:21
So he managed to unbrick a Wii. Awesome.