Post Reply 
Sending your Nintendo Wii in for repairs?
Know this..
Author Message
YoYoBallz
L4YoY0s

Posts: 6,057.4567
Threads: 644
Joined: 3rd Mar 2007
Reputation: 15.01961
E-Pigs: 13327.7533
Offline
Post: #1
Sending your Nintendo Wii in for repairs?
In the past I have read of many people with softmodding there Nintendo Wii's then having to send them back to Nintendo for repair, many success stories , some just got sent back not touched and with a crappy letter..  The latest HackMii blog post from genius Wii hacker bushing goes into how Nintendo now has a "Pre-Repair Disc" (much like the pink fish disc that gave us IOS16) for checking Wii NAND memory for altered/modified files and fakesigned tickets and IOS's.  Even if you don't understand the Wii hacking scene this is still a very good read, bushing is a super smart dude and I love reading about of his posts.

bushing of HackMii.com Wrote:faithful HackMii reader spent some time with AnyTitle Deleter and tried to clean everything odd off his Wii, and used the HackMii Installer to uninstall the HBC and BootMii/boot2.  He then sent his Wii into Nintendo (of America) to try to get them to repair a noisy drive; the warranty had expired, and he just wanted to pay them to repair the drive.

After they received the Wii, they wrote him back and said that because he had unauthorized software installed (something they could not fix themselves — but more on this later), it would cost $200 for them to do any repair.  He had them just send him back the Wii, and then reinstalled BootMii/boot2 and dumped the NAND and sent it to us to figure out what he had missed and anything else wee could gain from the image.

I have a few theories as to what they detected, based on what things he did not manage to delete — and for a while, that’s all wee had to go on, and it wasn’t going to make for a very interesting article.  However, several hours with 0xED and grep and xxd paid off, and I found some traces of the disc they ran to detect “Illegal software”.   Unfortunately, I was only able to find part of the data section of the main DOL of the disc, and not the code, so I don’t have actual screenshots to share — you’ll have to use your imagination this time.  (If anyone has sent a Wii in to Nintendo for repair in the past few months, and received the same Wii back — no refurbs! — I’d love to see a NAND dump, especially if you took one right after you received it back.  I may be able to reconstruct the rest of the disc.)

Here is the raw output of ’strings’ on the relevant part of the data section:

I (YoYo) but this output in a spoiler because it is kinda huge




Spoiler:
  *******************************************************
Check Disk for Pre-Repair Process
Disc TitleId    : 0x%08x(Hi) 0x%08x(Lo)
Num of Checking : %d
This running is "First Running".
Start Region Address : 0x%08x
End Region Address   : 0x%08x
main.cpp
*** EndSaveRegionAddr has been over rang ***
This running is "Restarted running".
Using language is Japanese.
Using language is English.
NRChecker is not inserted at SI port %d.
Waiting ejecting disk.
InitSD is failed.
Error. Line=%d
Start Checking Process.
Restart Disc...
Reset...
Shutdown...
End of Application
Unknown
Item %d : Load data from 0x%08x
Item %d : Save data to 0x%08x
Deleting the save data of SetPersonalData.wad...
Deleting the save data of DigicamPrintChannel...
/title/%08x/%08x/data/nocopy
NANDPrivateDelete : delete %s : %d
/title/%08x/%08x/data
/title/%08x/%08x/data/banner.bin
Searching unauthorized rewritten savedata...
/title/%08x/%08x/data/%s
zeldaTp.dat
/title/%08x/%08x/data
Checking %s
NANDOpen : %s(%d)
CheckSavedataZD : return false. This save data is unauthorized rewittern data.
Searching unauthorized title...
Unauthorized title num with checking ticket: %d
Unauthorized title num with checking TMD: %d
*** SearchUnauthCh_CheckTickets ***
Found ticket file num is %d
Result code of checking 0x%016llx is %d
*** SearchUnauthCh_CheckTMDs ***
Number of Home Directory is %d,
[%03d]Getting information about title id "0x%016llx"
- Title Name : %s
- TitleID    : 0x%016llx
- Type       : %d
- Visible    : %d
- Status     : %d
AnalyzeTitle : OSGetTitleStatus failed(%d).
/title/%08x/%08x/content/%08x.app
             Pre-repair Check Disk ver%s
         Pre-repair Check Disk ver%s - Detail
         Pre-repair Check Disk ver%s - Delete
     Pre-repair Check Disk ver%s - Launch Mode
     Pre-repair Check Disk ver%s - Output File
------------------------------------------
----------------------------------------------
Serial Number: %s
Waiting to Start
Processing
Complete
%d.??? >%s
%d.Altered Save Data Detection >%s
%d.Illegal Channel(s) Detection >%s
%d.Use of Copy Disk Detection >%s
Checking the following item(s)...(%d/%d)
Check is complete.
Press A Button to display detail screen.
Delete All Altered Save Data and Illegal Channel(s)/Firmware?
Detected %d pieces of data
No Data
Detected illegal channel(s) >
Press A Button to restart.
Automatic restart begins after %d seconds.
%2d/%2d      [Title ID/Name]
%s%2d  0x%016llx(%s)
    "%s"
[Type]   [Visible]   [Status]
%s %s    %s   %s
Detected %d title(s)
Press Button B to return to previous screen.
Deleting data...
Altered Save Data Deletion >%s
Illegal Channel/Firmware Deletion >%s
If you want to launch Wii illegal channel,
    Select the channel and push A button.
Launch the following title?
Title ID: 0x%016llx(%s)
Title Name: "%s"
ID: 0x%016llx(%s)
Push DOWN Button to display next page.
<>
<>
<>
<>
Serial Number
Device Id
Wii Menu
Wireless MAC
Bluetooth MAC
BT MAC
WC24 Count
WC24 Stage
WC24
Shopping
Not Used
(No File)
(Initial)
(Generated)
(Registered)
(Unknown)
%d. %s
    (DiscNum. %d   GameVer. %d)
%d. %s
    (DiscNum. %d  GameVer. %d)
%d. TitleName: %s
   DiscNum: %d GameVer: %d
   Error: 0x%08x(%d)
   DateTime: 0x%08x(%d)
   Status: 0x%08x(%d)
   Control: 0x%08x(%d)
   NextOffset: 0x%08x(%d)
%d. TitleName:%s
   DiscNum:%d GameVer:%d
   Error:0x%08x(%d)
   DateTime:0x%08x(%d)
   Status:0x%08x(%d)
   Control:0x%08x(%d)
   NextOffset:0x%08x(%d)
%d DVD error record(s) has been logged.
Output the DVD error logs to SD card?
Output the meta-data of illegal channel(s)?
Insert SD card.
                  [%s]           %s
(Deleted)
UNKNOWN
INSTALLED
NOEXISTS
DELETED
SAVEONLY
NORIGHTS
PARTIAL
FATAL
    File does not exist.
    File was deleted.
    Error occurred during processing(%d:%d)
    There is no problem with this console.
    Problematic save data was detected.
    Illegal channel(s)/firmware was detected.
    Disc needs to be restarted.
    Deleted all.
    Use of copy disk was detected.
Finished to output the file.
Controller
[Main View]
  UP: Back page
  DOWN: Next page
  A: Show the details
Controller
[Common]
  LEFT: Back
  RIGHT: Next
  B: Back to main view
[Illegal Channels Detection]
  UP/DOWN: Scroll list
  1+2(GC:X+Y): Launch channel
  A+2(GC:L+R): Delete illegal channels
[Use of Copy Disk]
  UP/DOWN: Scroll list
  1+2(GC:X+Y): Output DVD error log
[DVD Error Log]
  UP/DOWN: Scroll list
  1+2(GC:X+Y): Output DVD error log
InitChangeUid : NANDInit Error(%d)
InitChangeUid : ES_InitLib Error(%d)
InitChangeUid : ES_GetTitleId Error(%d)
Changing uid to %016llx
ChangeUid : ES_SetUid Error(%d)
ChangeUid : ISFS_CloseLib Error(%d)
ChangeUid : ISFS_OpenLib Error(%d)
/title/%08x/%08x/data
ChangeToGameSaveDir : NANDPrivateChangeDir Error(%d)

/ticket/%08x/%08x.tik
/title/%08x/%08x
/meta/%08x/%08x
Delete all files in %s.
NANDPrivateReadDir : %s(%d) num = %d
Returned DELETEFILES_ERR_OK_NOEXIST.
Returned DELETEFILES_ERR_FAILED.
memory allocate is failed.
NANDPrivateDelete : %s(%d)
Returned DELETEFILES_ERR_OK.
Running "DeleteProcess".
Start to delete unauthorized channels and save datas.
ATTENTION!! : current groupId is not 0.
ChangeUid to 0x%016llx : %d
NANDPrivateDelete : %s has been deleted.
/title/%08x/%08x/data/banner.bin
Running "LauchTitle".
Can not launch because target channel is not installed.
Can not launch because target module is not a channel application.
SaveResultFunc_SearchCopyDisc
LoadResultFunc_SearchCopyDisc
/shared2/test2/dvderror.dat
: Ver.%d(TMD)
: %02x:%02x:%02x:%02x:%02x:%02x
: %s %s %s %s
: %d %s
ES_InitLib is failed : %d
ES_GetTmdView is failed : %d
Memory Allocation is failed.
ES_GetDeviceId is failed : %d
NCDiGetWirelessMacAddress is failed : %d
/shared2/succession/shop.log
NANDPrivateGetStatus is failed : %d
/shared2/wc24/nwc24msg.cfg
NANDPrivateOpen is failed : %d
NANDRead is failed : %d
Running "FileOutput".
/shared2/test2/dvderror.dat
InitSD is failed.
%s%s/%08x
%s%s/%08x/%08x
%s%s/%08x/%08x/%s
H4A should not be cleared because of Broadway errata.
<< RVL_SDK - OS         release build: Mar  5 2009 08:59:58 (0x4199_60831) >>



busing of HackMii.com Wrote:Wee have to do some reading between the lines here, but what wee have is a disc with a fairly simple text-based UI (much like the “Wii Backup Disc” wee looked at a couple of years ago) — but at least this time they’ve added colors (the BL, YE, RD tags presumably change the color of text displayed on the screen). There are a few different menus / screens you can traverse through, but the long and short of it is that they are looking for:

    * Save data — they are looking to delete data from “SetPersonalData.wad” (?!) and from “DigicamPrintChannel” (which you might have if you had messed around with the regions on your Wii. They then run a check for “unauthorized rewittern data”, which seems to reuse the same old CheckSavedataZD function from the System Menu, after authenticating as RZDE/J/P.
    * “Illegal Channel(s)/Firmware” — as far as I can tell, this isn’t some specific check for HBC / DVDX / whatever. This is a bit more clever — they seem to be enumerating all tickets and all TMDs on the system, and looking to see if any of them are fakesigned. This will catch pretty much anything that is, as they say, “unauthorized” that you have installed.
    * “Use of Copy Disc” — I think this actually refers to their own Wii Backup Disc. It’s not entirely clear to me why they care about this. This check seems to be done by looking for the existence of /shared2/succession/shop.log. (In this context, “succession” seems to refer to the transfer of some identity info from one (presumably broken) Wii to another.)

Once they’ve done this scan, they can then do several things — most common is probably to generate a log file on an SD card. They can also launch any of the “Illegal Channels” they find, and output any of the TMD info to SD. They even have the option of deleting all of this stuff — but it seems that they’ve been told not to do this (remember, they claimed they can’t, and in fact, they didn’t before our friend got his Wii back).

In this case, what did they detect, and how? It continues to surprise me that Nintendo seems to not use any sort of special “hacked IOS” to make their lives easier — sure, the “Wii Backup Disc” came with its own (infamous) IOS16, but there wasn’t really anything special about it and wee were never quite clear why they bothered. The disc runs as 1-2 and judging by its error messages, as group 0 — this means they can read and write most files in the filesystem directly, but they seem to use ES calls to do most of the work.

As for what they found — this Wii was bought second-hand, and it looks like there was a lot of “poo poo” on it at one point. Purely by looking for fakesigned tickets and TMDs, I found one each for 1-250 (IOS250) and 1-0 (“IOS0″ — this is a bogus ticket used to gain group 0 access, Waninkoko’s old FS dumper used this and I think that AnyTitle Deleter may as well). Something that I found that Nintendo didn’t was a bunch of poo poo left over from a Preloader install — extra files in 1-2’s data directory, as well as some extra files in /shared2.


- Source: [HackMii.com]

<Myth0s> i love boys
-------------------------------------------------------------------
I Go To Earth When Mars Is Boring.
-------------------------------------------------------------------
¿ʞɔпɟ əɥʇ ʇɐɥʍ I was first EPerson to have upside down title.
-------------------------------------------------------------------
(This post was last modified: 25/04/2010 10:49 AM by YoYoBallz.)
25/04/2010 10:43 AM
Find all posts by this user Quote this message in a reply
Hellgiver
Team Ramrod

Posts: 1,875.3073
Threads: 230
Joined: 27th Sep 2007
Reputation: 2.15096
E-Pigs: 57.9774
Offline
Post: #2
RE: Sending your Nintendo Wii in for repairs?
Interesting read. I never got into the Wii hacking scene, as I barely use my Wii anyways. Funny how hard Nintendo is trying to detect illegal mods just so they can take one more consumer out of the loop. Wonder if someone at Nintendo could ever 'leak' the disc to the public...?

[Image: toocool.png]
<3 Diego!
25/04/2010 11:16 AM
Find all posts by this user Quote this message in a reply
ameer
Dey tuk er jerbs!

Posts: 300.9740
Threads: 17
Joined: 28th Jun 2007
Reputation: -0.34166
E-Pigs: 172.4147
Offline
Post: #3
RE: Sending your Nintendo Wii in for repairs?
I guess i got lucky. When i sent in my wii to replace the disk drive, i got a refurbished one back right away. I  was nervous as fudge they would detect all the mods i deleted before sending it in.

[Image: righthook.png]
25/04/2010 01:46 PM
Find all posts by this user Quote this message in a reply
YoYoBallz
L4YoY0s

Posts: 6,057.4567
Threads: 644
Joined: 3rd Mar 2007
Reputation: 15.01961
E-Pigs: 13327.7533
Offline
Post: #4
RE: Sending your Nintendo Wii in for repairs?
(25/04/2010 11:16 AM)Hellgiver Wrote:  Interesting read. I never got into the Wii hacking scene, as I barely use my Wii anyways. Funny how hard Nintendo is trying to detect illegal mods just so they can take one more consumer out of the loop. Wonder if someone at Nintendo could ever 'leak' the disc to the public...?


Could happen, and would be very useful to hackers.  What happened with the pink fish disc (Back Up Disc) It was found in someones Nintendo Wii after he/she sent it in for repairs.  What the disc itself did was useless to us really but the IOS16 that was on the disc (is used to make call to nand mem and write things as ES) allowed hackers to use it and make a 3.4 downgrade (downgrade is useless to us nowdays really) and fix banner bircks.   So yes it would be very nice for somebody get there hands on one of theses disc, like bushing said what else the disc may do is still unknown to us this is the the tail end on a caches.

<Myth0s> i love boys
-------------------------------------------------------------------
I Go To Earth When Mars Is Boring.
-------------------------------------------------------------------
¿ʞɔпɟ əɥʇ ʇɐɥʍ I was first EPerson to have upside down title.
-------------------------------------------------------------------
25/04/2010 01:48 PM
Find all posts by this user Quote this message in a reply
Hellgiver
Team Ramrod

Posts: 1,875.3073
Threads: 230
Joined: 27th Sep 2007
Reputation: 2.15096
E-Pigs: 57.9774
Offline
Post: #5
RE: Sending your Nintendo Wii in for repairs?
(25/04/2010 01:48 PM)YoYoBallz Wrote:  
(25/04/2010 11:16 AM)Hellgiver Wrote:  Interesting read. I never got into the Wii hacking scene, as I barely use my Wii anyways. Funny how hard Nintendo is trying to detect illegal mods just so they can take one more consumer out of the loop. Wonder if someone at Nintendo could ever 'leak' the disc to the public...?


Could happen, and would be very useful to hackers.  What happened with the pink fish disc (Back Up Disc) It was found in someones Nintendo Wii after he/she sent it in for repairs.  What the disc itself did was useless to us really but the IOS16 that was on the disc (is used to make call to nand mem and write things as ES) allowed hackers to use it and make a 3.4 downgrade (downgrade is useless to us nowdays really) and fix banner bircks.   So yes it would be very nice for somebody get there hands on one of theses disc, like bushing said what else the disc may do is still unknown to us this is the the tail end on a caches.

I remember back when that happened. I think you put up a thread for us. Regardless, it would be interesting if this disc were to fall into the hands of the hackers (sounds like a bad 80s movie on hacking).

[Image: toocool.png]
<3 Diego!
25/04/2010 02:23 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)

 Quick Theme: