
Thread: Sending your Wii to Nintendo for an official repair? An Important Article By Hackmii.

  1. #1
    Senior Member
    Join Date
    Oct 2009
    Thanked 2,299 Times in 1,217 Posts

    Sending your Wii to Nintendo for an official repair? An Important Article By Hackmii.

    Check Disk for Pre-Repair Process
    April 24th, 2010 by bushing · 7 Comments

    A faithful HackMii reader spent some time with AnyTitle Deleter and tried to clean everything odd off his Wii, and used the HackMii Installer to uninstall the HBC and BootMii/boot2. He then sent his Wii into Nintendo (of America) to try to get them to repair a noisy drive; the warranty had expired, and he just wanted to pay them to repair the drive.

    After they received the Wii, they wrote him back and said that because he had unauthorized software installed (something they could not fix themselves — but more on this later), it would cost $200 for them to do any repair. He had them just send him back the Wii, and then reinstalled BootMii/boot2 and dumped the NAND and sent it to us to figure out what he had missed and anything else we could gain from the image.

    I have a few theories as to what they detected, based on what things he did not manage to delete — and for a while, that’s all we had to go on, and it wasn’t going to make for a very interesting article. However, several hours with 0xED and grep and xxd paid off, and I found some traces of the disc they ran to detect “Illegal software”. Unfortunately, I was only able to find part of the data section of the main DOL of the disc, and not the code, so I don’t have actual screenshots to share — you’ll have to use your imagination this time. (If anyone has sent a Wii in to Nintendo for repair in the past few months, and received the same Wii back — no refurbs! — I’d love to see a NAND dump, especially if you took one right after you received it back. I may be able to reconstruct the rest of the disc.)

    Here is the raw output of ‘strings’ on the relevant part of the data section:

    Check Disk for Pre-Repair Process
    Disc TitleId    : 0x%08x(Hi) 0x%08x(Lo)
    Num of Checking : %d
    This running is "First Running".
    Start Region Address : 0x%08x
    End Region Address   : 0x%08x
    *** EndSaveRegionAddr has been over rang ***
    This running is "Restarted running".
    Using language is Japanese.
    Using language is English.
    NRChecker is not inserted at SI port %d.
    Waiting ejecting disk.
    InitSD is failed.
    Error. Line=%d
    Start Checking Process.
    Restart Disc...
    End of Application
    Item %d : Load data from 0x%08x
    Item %d : Save data to 0x%08x
    Deleting the save data of SetPersonalData.wad...
    Deleting the save data of DigicamPrintChannel...
    NANDPrivateDelete : delete %s : %d
    Searching unauthorized rewritten savedata...
    Checking %s
    NANDOpen : %s(%d)
    CheckSavedataZD : return false. This save data is unauthorized rewittern data.
    Searching unauthorized title...
    Unauthorized title num with checking ticket: %d
    Unauthorized title num with checking TMD: %d
    *** SearchUnauthCh_CheckTickets ***
    Found ticket file num is %d
    Result code of checking 0x%016llx is %d
    *** SearchUnauthCh_CheckTMDs ***
    Number of Home Directory is %d,
    [%03d]Getting information about title id "0x%016llx"
    - Title Name : %s
    - TitleID    : 0x%016llx
    - Type       : %d
    - Visible    : %d
    - Status     : %d
    AnalyzeTitle : OSGetTitleStatus failed(%d).
                 Pre-repair Check Disk ver%s
             Pre-repair Check Disk ver%s - Detail
             Pre-repair Check Disk ver%s - Delete
         Pre-repair Check Disk ver%s - Launch Mode
         Pre-repair Check Disk ver%s - Output File
    Serial Number: %s
    Waiting to Start
    %d.??? >%s
    %d.Altered Save Data Detection >%s
    %d.Illegal Channel(s) Detection >%s
    %d.Use of Copy Disk Detection >%s
    Checking the following item(s)...(%d/%d)
    Check is complete.
    Press A Button to display detail screen.
    Delete All Altered Save Data and Illegal Channel(s)/Firmware?
    Detected %d pieces of data
    No Data
    Detected illegal channel(s) >
    Press A Button to restart.
    Automatic restart begins after %d seconds.
    %2d/%2d      [Title ID/Name]
    %s%2d  0x%016llx(%s)
    [Type]   [Visible]   [Status]
    %s %s    %s   %s
    Detected %d title(s)
    Press Button B to return to previous screen.
    Deleting data...
    Altered Save Data Deletion >%s
    Illegal Channel/Firmware Deletion >%s
    If you want to launch Wii illegal channel,
        Select the channel and push A button.
    Launch the following title?
    Title ID: 0x%016llx(%s)
    Title Name: "%s"
    ID: 0x%016llx(%s)
    Push DOWN Button to display next page.
    Serial Number
    Device Id
    Wii Menu
    Wireless MAC
    Bluetooth MAC
    BT MAC
    WC24 Count
    WC24 Stage
    Not Used
    (No File)
     %d. %s
        (DiscNum. %d   GameVer. %d)
     %d. %s
        (DiscNum. %d  GameVer. %d)
    %d. TitleName: %s
       DiscNum: %d GameVer: %d
       Error: 0x%08x(%d)
       DateTime: 0x%08x(%d)
       Status: 0x%08x(%d)
       Control: 0x%08x(%d)
       NextOffset: 0x%08x(%d)
    %d. TitleName:%s
       DiscNum:%d GameVer:%d
    %d DVD error record(s) has been logged.
    Output the DVD error logs to SD card?
    Output the meta-data of illegal channel(s)?
    Insert SD card.
                      [%s]           %s
        File does not exist.
        File was deleted. 
        Error occurred during processing(%d:%d)
        There is no problem with this console.
        Problematic save data was detected.
        Illegal channel(s)/firmware was detected.
        Disc needs to be restarted.
        Deleted all.
        Use of copy disk was detected. 
    Finished to output the file.
    [Main View]
      UP: Back page
      DOWN: Next page
      A: Show the details
      LEFT: Back
      RIGHT: Next
      B: Back to main view
    [Illegal Channels Detection]
      UP/DOWN: Scroll list
      1+2(GC:X+Y): Launch channel
      A+2(GC:L+R): Delete illegal channels
    [Use of Copy Disk]
      UP/DOWN: Scroll list
      1+2(GC:X+Y): Output DVD error log
    [DVD Error Log]
      UP/DOWN: Scroll list
      1+2(GC:X+Y): Output DVD error log
    InitChangeUid : NANDInit Error(%d)
    InitChangeUid : ES_InitLib Error(%d)
    InitChangeUid : ES_GetTitleId Error(%d)
    Changing uid to %016llx
    ChangeUid : ES_SetUid Error(%d)
    ChangeUid : ISFS_CloseLib Error(%d)
    ChangeUid : ISFS_OpenLib Error(%d)
    ChangeToGameSaveDir : NANDPrivateChangeDir Error(%d)
    Delete all files in %s.
    NANDPrivateReadDir : %s(%d) num = %d
    memory allocate is failed.
    NANDPrivateDelete : %s(%d)
    Running "DeleteProcess".
    Start to delete unauthorized channels and save datas.
    ATTENTION!! : current groupId is not 0.
    ChangeUid to 0x%016llx : %d
    NANDPrivateDelete : %s has been deleted.
    Running "LauchTitle".
    Can not launch because target channel is not installed.
    Can not launch because target module is not a channel application.
    : Ver.%d(TMD)
    : %02x:%02x:%02x:%02x:%02x:%02x
    : %s %s %s %s
    : %d %s
    ES_InitLib is failed : %d
    ES_GetTmdView is failed : %d
    Memory Allocation is failed.
    ES_GetDeviceId is failed : %d
    NCDiGetWirelessMacAddress is failed : %d
    NANDPrivateGetStatus is failed : %d
    NANDPrivateOpen is failed : %d
    NANDRead is failed : %d
    Running "FileOutput".
    InitSD is failed.
    H4A should not be cleared because of Broadway errata.
    << RVL_SDK - OS         release build: Mar  5 2009 08:59:58 (0x4199_60831) >>

    We have to do some reading between the lines here, but what we have is a disc with a fairly simple text-based UI (much like the “Wii Backup Disc” we looked at a couple of years ago) — but at least this time they’ve added colors (the BL, YE, RD tags presumably change the color of text displayed on the screen). There are a few different menus / screens you can traverse through, but the long and short of it is that they are looking for:

    • Save data — they are looking to delete data from “SetPersonalData.wad” (?!) and from “DigicamPrintChannel” (which you might have if you had messed around with the regions on your Wii). They then run a check for “unauthorized rewittern data”, which seems to reuse the same old CheckSavedataZD function from the System Menu, after authenticating as RZDE/J/P.
    • “Illegal Channel(s)/Firmware” — as far as I can tell, this isn’t some specific check for HBC / DVDX / whatever. This is a bit more clever — they seem to be enumerating all tickets and all TMDs on the system, and looking to see if any of them are fakesigned. This will catch pretty much anything that is, as they say, “unauthorized” that you have installed.
    • “Use of Copy Disc” — I think this actually refers to their own Wii Backup Disc. It’s not entirely clear to me why they care about this. This check seems to be done by looking for the existence of /shared2/succession/shop.log. (In this context, “succession” seems to refer to the transfer of some identity info from one (presumably broken) Wii to another.)
    • Once they’ve done this scan, they can then do several things — most common is probably to generate a log file on an SD card. They can also launch any of the “Illegal Channels” they find, and output any of the TMD info to SD. They even have the option of deleting all of this stuff — but it seems that they’ve been told not to do this (remember, they claimed they can’t, and in fact, they didn’t before our friend got his Wii back).

    In this case, what did they detect, and how? It continues to surprise me that Nintendo seems to not use any sort of special “hacked IOS” to make their lives easier — sure, the “Wii Backup Disc” came with its own (infamous) IOS16, but there wasn’t really anything special about it and we were never quite clear why they bothered. The disc runs as 1-2 and judging by its error messages, as group 0 — this means they can read and write most files in the filesystem directly, but they seem to use ES calls to do most of the work.

    As for what they found — this Wii was bought second-hand, and it looks like there was a lot of “crap” on it at one point. Purely by looking for fakesigned tickets and TMDs, I found one each for 1-250 (IOS250) and 1-0 (“IOS0” — this is a bogus ticket used to gain group 0 access, Waninkoko’s old FS dumper used this and I think that AnyTitle Deleter may as well). Something that I found that Nintendo didn’t was a bunch of crap left over from a Preloader install — extra files in 1-2’s data directory, as well as some extra files in /shared2.
    "I think that the Wii is a beautiful piece of hardware, and a broken Wii is a tragedy. It doesn’t matter why or how." -- Bushing

  2. 7 Users Say Thank You to Ithian For This Useful Post

  3. #2
    Senior Member
    Retired Head Admin

    Do NOT PM for Site or Wii Issues
    Gen3SF's Avatar
    Join Date
    Jun 2009
    San Francisco
    Thanked 4,658 Times in 2,237 Posts
    Thanks for this interesting read, Ithian. Am I correct in reading that the items discovered are due to a less than thorough use of AnyTitleDeleter by the current owner of that Wii? Or are there items caught by the Pre-repair disc that can't be handled by ATD?

  4. #3
    Senior Member
    Join Date
    Oct 2009
    Thanked 2,299 Times in 1,217 Posts
    A little of both from what I've been reading. While the user did miss his IOS0 and IOS250 the UID is still present on the system which keeps a record of every title installed on the console, even the entries for the initial bootup disks at the factory. So without overwriting that it's still possible to detect what has or hasn't been tampered (fakesigned) with.

    Edit: I just saw this from bushing,

    @Muzer: It was probably nothing more than missing IOS250 from his deletion spree … but I just checked, and AnyTitle Deleter adds “IOS0” and never cleans it up. I’m not even positive you *can* clean it up, since it uses that ticket/TMD to delete the files.
    "I think that the Wii is a beautiful piece of hardware, and a broken Wii is a tragedy. It doesn’t matter why or how." -- Bushing

  5. #4
    New Member Johnny2good's Avatar
    Join Date
    Apr 2010
    Thanked 1 Time in 1 Post
    Don't think they would ever fix a Wii anyhow, they just want a good snoop to see can they counteract new stuff added I'd say. Anyway why give them a Wii to fix, why should they have all the fun fixing it. Good info do Ithian, nice to see you're on your toes lol..

  6. #5
    Junior Member
    Join Date
    Apr 2010
    Thanked 0 Times in 0 Posts
    Great read, didn't understand half of it but believe I got the general gist. Good job!

  7. #6
    Junior Member
    Join Date
    Nov 2009
    Thanked 2 Times in 1 Post
    For a multi-million pound company that's been around forever you would have thought they would at least try (harder) to stop hackers, this was a good indication that they try but not too hard, maybe they are all stoners?
    PS: Is re-installing your Nand the same as cleaning the Wii, or does it leave something behind?

  8. #7
    Senior Member
    Join Date
    Oct 2009
    Thanked 2,299 Times in 1,217 Posts
    Here's another post by bushing I thought people might be interested in:

    Someone brought up a good point on IRC — it’s not clear how exactly they are doing this signature verification (just looking for zeroes, or is it actually running RSA on all of the tickets/TMDs)? If it’s fast enough, they might start doing this every time the system menu starts. A year ago, I’d have considered this unlikely, but –

    • They’re already using one of the functions from the system menu that runs on every boot in this program (CheckSavedataZD)
    • They’ve apparently added a function to the SDK for this purpose (OSGetTitleStatus)
    • They already have the code written to do this for all titles (SearchUnauthCh_CheckTMDs, SearchUnauthCh_CheckTickets)
    • They already released an update that “bricked” Wiis (4.2’s system menu looks for the Korean common key in EEPROM every time you boot, and halts if it finds this — I put “brick” in quotes because they would be able to fix this in a repair center if they had a disk that would reinstall the Korean system menu). I see no reason to think they would treat “Illegal channels” any differently, and they would probably justify this to themselves based on the fact that they would still be able to boot a disc and clear off the “Illegal channels” … for $200

    I say this every time, but it bears repeating — do not upgrade your Wii! It feels like we’re about due for another update, and this one will probably be worse than the last.

    To try to stem the inevitable flow of suggestions — there are a number of different ways to respond to a completely noxious update, but they’re all somewhat unpleasant (hard to code, invasive to the system, potential for misuse, potential for bricking the system). I even have a few of them already partially written. We’ve held back on releasing anything along those lines because there has been no need and we didn’t want to escalate the “arms race”, but if Nintendo is willing to nonchalantly update boot2 on all Wiis and put stupid checks in the system menu, we don’t have much to lose at this point.

    (Meaning: We don’t need any suggestions, but we’re not willing to show all of our cards yet.)

    Quote: Originally Posted by hkot
    PS: Is re-installing your Nand the same as cleaning the Wii,or does it leave something behind?
    If you mean a simple NAND restore via Bootmii, then no. While it will restore everything that loads after the initial bootup process (IOS/system menu/savedata/channels/etc.), there are other sectors on the console which retain diagnostic data and other miscellaneous information about what has been run/installed.
    "I think that the Wii is a beautiful piece of hardware, and a broken Wii is a tragedy. It doesn’t matter why or how." -- Bushing

  9. 3 Users Say Thank You to Ithian For This Useful Post
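
Added example, not part of the original posts and not Nintendo's or HackMii's code: a triage script for the "just looking for zeroes" check that post #7 speculates about, applied to ticket and TMD files extracted from a NAND dump. The header offsets, issuer strings and sample blobs are assumptions based on the commonly documented Wii signed-blob layout, not on anything in this thread; a non-zero signature is not proof of validity, which would require RSA verification against the certificate chain.

```python
import struct

# Assumed layout (commonly documented Wii signed-blob format, not from the thread):
# 4-byte signature type, 256-byte RSA-2048 signature, padding, issuer at 0x140.
SIG_TYPE_RSA2048 = 0x00010001
SIG_OFF, SIG_LEN = 0x004, 0x100
ISSUER_OFF, ISSUER_LEN = 0x140, 0x40
TITLE_ID_OFF = {"ticket": 0x1DC, "tmd": 0x18C}  # assumed title ID offsets

def inspect_blob(data: bytes, kind: str) -> dict:
    """Parse a ticket/TMD header and report whether its signature is all zeroes."""
    off = TITLE_ID_OFF[kind]
    if len(data) < off + 8:
        raise ValueError(f"{kind} too short: {len(data)} bytes")
    (sig_type,) = struct.unpack_from(">I", data, 0)
    if sig_type != SIG_TYPE_RSA2048:
        raise ValueError(f"unexpected signature type 0x{sig_type:08x}")
    signature = data[SIG_OFF:SIG_OFF + SIG_LEN]
    issuer = data[ISSUER_OFF:ISSUER_OFF + ISSUER_LEN].split(b"\0", 1)[0]
    (title_id,) = struct.unpack_from(">Q", data, off)
    return {
        "kind": kind,
        "title_id": f"0x{title_id:016x}",  # same format the check disc prints
        "issuer": issuer.decode("ascii", "replace"),
        "zero_signature": not any(signature),
    }

def flagged_titles(samples):
    """Title IDs of every (kind, blob) pair whose signature is zeroed."""
    reports = (inspect_blob(blob, kind) for kind, blob in samples)
    return [r["title_id"] for r in reports if r["zero_signature"]]

def make_sample(kind, title_id, signature):
    """Constructed blob for the demo: header fields only, rest zero-filled."""
    blob = bytearray(TITLE_ID_OFF[kind] + 8)
    struct.pack_into(">I", blob, 0, SIG_TYPE_RSA2048)
    blob[SIG_OFF:SIG_OFF + SIG_LEN] = signature
    issuer = b"Root-CA00000001-XS00000003" if kind == "ticket" else b"Root-CA00000001-CP00000004"
    blob[ISSUER_OFF:ISSUER_OFF + len(issuer)] = issuer
    struct.pack_into(">Q", blob, TITLE_ID_OFF[kind], title_id)
    return bytes(blob)

# Constructed samples mirroring the titles named in the article (1-0, 1-250, 1-2).
SAMPLES = [
    ("ticket", make_sample("ticket", 0x0000000100000000, bytes(256))),
    ("tmd", make_sample("tmd", 0x00000001000000FA, bytes(256))),
    ("tmd", make_sample("tmd", 0x0000000100000002, bytes(range(256)))),
]

if __name__ == "__main__":
    for title in flagged_titles(SAMPLES):
        print("zeroed signature:", title)
```
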

  10. #8
    New Member Ziut25's Avatar
    Join Date
    Jan 2010
    Washington State, USA
    Thanked 7 Times in 6 Posts
    So, if I understand correctly there is basically a sector that acts like the temporary internet history folder does in Windows. If this is the case, shouldn't there be a way to go in and delete the information we don't want them to know about?

  11. #9
    New Member
    Join Date
    Jun 2010
    Thanked 2 Times in 2 Posts
    Interesting to know that~~
