The Wii U has had a fairly small homebrew scene, I believe in part because it currently has no commercial or open-source modchips for facilitating early-boot code execution. While there exists a coldboot boot1 vulnerability, isfshax, it leaves a lot to be desired, and it is unfortunately not useful for recovering consoles from an unknown state, since NAND is encrypted per-console based on an OTP key. Additionally, certain SEEPROM corruptions can cause consoles to never reach boot1, resulting in unrecovera
With the news that a handful of Hynix Wii U eMMCs were starting to rapidly degrade, I decided to revisit a recurring project idea of mine: an open-source Wii U modchip. I had originally started this endeavor by glitching the Wii mini, which at the time had not been hacked; however, my efforts were quickly sniped by FullMetal5's bluebomb (which GaryOderNichts later brought to the Wii U as bluubomb, though that is a different vulnerability). I did, however, manage to get boot1 execution on my Wii mini in
The Wii was extremely basic in how it handled booting: ROM was somewhat expensive (for die space, but more likely for chip revisions), so the Wii's boot0 simply loaded boot1 from NAND, decrypted it with a key stored in ROM, and checked that its hash matched the fused values in OTP. If it matched, it booted. However, there is one special case for factory-fresh consoles (and apparently dev units): if the OTP hash is entirely 00s, boot0 will run anything that is loaded from NAND. More details are available on it
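To make the boot0 decision above concrete, here is an added model of the check (not code from the post or from any console firmware): the hash algorithm (SHA-1), the sample images and the "strict" variant that refuses an unprogrammed OTP are all assumptions for illustration, and the ROM-key decryption step is modelled away by hashing the plaintext directly.

```python
import hashlib

OTP_HASH_LEN = 20  # SHA-1 digest size; algorithm assumed, not stated on the page


def boot1_hash(boot1_plain: bytes) -> bytes:
    """Hash boot0 would compute over boot1 after decrypting the NAND copy
    with its ROM key (decryption omitted: we pass the plaintext in)."""
    return hashlib.sha1(boot1_plain).digest()


def otp_is_unfused(otp_hash: bytes) -> bool:
    """Factory-fresh / dev-unit special case: OTP hash field entirely 00s."""
    return len(otp_hash) == OTP_HASH_LEN and all(b == 0 for b in otp_hash)


def boot0_accepts(boot1_plain: bytes, otp_hash: bytes) -> bool:
    """Model of the Wii boot0 policy described above: run boot1 if its hash
    matches the OTP fuses, or unconditionally if the fuses are all zero."""
    if otp_is_unfused(otp_hash):
        return True
    return boot1_hash(boot1_plain) == otp_hash


def strict_boot0_accepts(boot1_plain: bytes, otp_hash: bytes) -> bool:
    """Hypothetical stricter policy (NOT what the Wii does): treat an
    unprogrammed OTP as a hard failure instead of a verification bypass."""
    if otp_is_unfused(otp_hash):
        return False
    return boot1_hash(boot1_plain) == otp_hash


# Constructed placeholder images and fuse states, not real firmware data.
GENUINE_BOOT1 = b"constructed genuine boot1 image"
MODIFIED_BOOT1 = b"constructed modified boot1 image"
FUSED_OTP = boot1_hash(GENUINE_BOOT1)  # what the factory would burn
BLANK_OTP = bytes(OTP_HASH_LEN)        # factory-fresh / dev-unit state


def demo() -> dict:
    """Exercise every combination the text describes and return the outcomes."""
    return {
        "fused_genuine": boot0_accepts(GENUINE_BOOT1, FUSED_OTP),
        "fused_modified": boot0_accepts(MODIFIED_BOOT1, FUSED_OTP),
        "blank_modified": boot0_accepts(MODIFIED_BOOT1, BLANK_OTP),
        "strict_blank_modified": strict_boot0_accepts(MODIFIED_BOOT1, BLANK_OTP),
    }


if __name__ == "__main__":
    for case, boots in demo().items():
        print(f"{case}: {'boots' if boots else 'refuses'}")
```

The third case is the one that matters for recovery: with blank fuses the integrity check contributes nothing, so whatever sits in NAND runs.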