-
-
Save GerbilSoft/640956725ab3eb46e5e32d2f617c1151 to your computer and use it in GitHub Desktop.
Dumping Wii U kiosk systems without hardmods
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The current method for dumping a Wii U kiosk system (CAT-I, CAT-SES) requires | |
| using a hardmod to dump the eMMC, then using Recovery Mode to install 2.13.01 | |
| and dumping the keys. It turns out that, if the kiosk system has a recent | |
| enough firmware, it's possible to dump the eMMC (and SLC, etc) without any | |
| hardware modifications. | |
| The Wii U operating system (IOSU) includes a debug logging facility (enabled on | |
| devkits only) that logs debug output to two places: | |
| * Ethernet (CAT-DEV only) | |
| * USB Serial (CAT-DEV, CAT-R, CAT-I, CAT-SES) | |
| In addition to simply logging debug information, the serial console can be | |
| used to run a limited set of commands in the CafeOS (cos) shell, as long as | |
| the system is in Development (not Production) mode. All of the CAT-I and | |
| CAT-SES systems I've tested have been set to Development mode. | |
| It turns out that, on recent enough firmware versions, there's a cos command | |
| to launch a title, and this can be used to launch System Config Tool. | |
| Devkit Models: (in case readers are unfamiliar) | |
| * CAT-DEV: High-end debugging system in a metal case. This system has PC | |
| connectivity over Ethernet. | |
| * CAT-R Reader: Standard debugging and test system. Looks like a white | |
| Wii U with a green faceplate. | |
| * CAT-I: Disc-based kiosk system. Usually has a white Wii U chassis. | |
| * CAT-SES: HDD-based kiosk system. Usually has a black Wii U chassis. | |
| The two front USB ports are used by the internal HDD. | |
| This guide is generally not needed for CAT-DEV or CAT-R units, but it should | |
| work with them regardless. | |
| ## Preparations | |
| You will need the following: | |
| * Wii U development console (CAT-DEV, CAT-R, CAT-I, CAT-SES) | |
| * SD card (64 GB or larger, formatted as FAT32) | |
| * USB serial cable with FTDI FT232 chipset | |
| * [Debug-signed version of Homebrew Launcher for Wii U](https://archive.org/details/wiiu_hbl_testsigned) | |
| * [Wii U NAND Dumper](https://github.com/koolkdev/wiiu-nanddumper/releases) | |
| * [TeraTerm Pro](https://ttssh2.osdn.jp/index.html.en), or similar serial terminal program | |
| Serial cables known to work with Wii U's debug logging: | |
| * If you do not have a serial port on your PC: | |
| * FTDI USB-NMC-2.5M: https://www.amazon.com/gp/product/B00HKJSSQ2 | |
| * If you do have a serial port on your PC: | |
| * Digitus DA-70156 USB to Serial adapter: https://www.amazon.com/gp/product/B0030IT780 | |
| * Delock null-modem serial cable: https://www.amazon.com/gp/product/B0077969OS | |
| ## Instructions | |
| ### Serial Cable Setup | |
| 1. Connect the USB serial cable to the Wii U and to the PC. | |
| 2. On the PC, open TeraTerm. Select Serial and select the COM port that | |
| corresponds to the serial cable, then click OK. | |
| 3. In TeraTerm, click the Setup menu, then Terminal. Set New-line for both | |
| Receive and Transmit to CR+LF, then click OK. | |
| 4. In teraTerm, click the Setup menu, then Serial port. Select the COM port | |
| that corresponds to the serial cable, set the speed to 57600, then click | |
| the "New setting" button. | |
| 5. Turn on the Wii U devkit. In 5-10 seconds, you should start seeing debug | |
| messages printed on the console. | |
| ### COS Shell | |
| To determine if the COS Shell is working, type the following in the serial | |
| terminal, then press Enter: | |
| cos sdkversion | |
| If COS Shell is working, and Development mode is enabled, a message similar | |
| to the following will be printed: | |
| cos sdkversion | |
| # 00;01;55;243: | |
| ---- COS Debugging Shell Command: sdkversion ---- | |
| 00;01;55;243: SDKVer:21301 | |
| In this example, the system has SDK version 2.13.01 installed. This is the | |
| latest version of the system software, which corresponds to Wii U menu 5.5.0. | |
| ### Launch Title | |
| To launch the System Config Tool, run the following command: | |
| cos launch 0x00050010 0x1F700500 | |
| This will result in one of the following: | |
| 1. Nothing (just a '#') - the SDK version may be too old, in which case it | |
| doesn't have a launch command. Unfortunately there's no known workaround | |
| for this at the moment, other than dumping eMMC manually. | |
| 2. Errcode -6: The specified title ID was not found. Make sure you entered | |
| it correctly. Note that some older firmware versions might have a different | |
| menu called DEVMENU installed, and DEVMENU has a different title ID. | |
| 3. System Config Tool will load. This is what we want! | |
| If either #1 or #2 happens, stop here and contact GerbilSoft for support. | |
| ### System Config Tool | |
| TODO: Add screenshots | |
| Set the default title to System Config Tool: | |
| 1. Select Boot Configuration. | |
| 2. Select Default Title. | |
| 3. In the Default Title menu, select System Config Tool, press A to view | |
| title information, then press A to select. | |
| 4. Power-cycle the system. It should boot to System Config Tool instead | |
| of the Kiosk Menu. | |
| Install Homebrew Launcher: | |
| 1. On PC, extract the debug-signed version of Homebrew Launcher to the SD card. | |
| 2. Also extract Wii U NAND Dumper to the SD card. This will be used later. | |
| 3. Put the SD card in the Wii U. | |
| 4. In System Config Tool, select Data Manager, Title Manager, Install. | |
| 5. Select SD Card, then browse to where Homebrew Launcher was copied. | |
| 6. Homebrew Launcher will be detected as an Install Image. Highlight it and | |
| press A to select the title for installation. | |
| 7. Press R to install. Follow the prompts to continue installation. | |
| ### Wii U NAND Dumper | |
| Set the system to Production Mode: | |
| *** WARNING: After setting Production Mode, DO NOT RUN ANY KIOSK TITLES. | |
| Doing so may result in Kiosk Menu being set as the default title, and | |
| the COS Shell won't allow any commands to be run anymore since the system | |
| is in Production Mode. | |
| 1. In the System Config Tool main menu, select Boot Configuration. | |
| 2. Set System Mode to Production Mode and save changes. | |
| 3. Power-cycle the system. System Config Tool should load. | |
| Run the Wii U NAND Dumper: | |
| 1. In System Config Tool, select Title Launcher. | |
| 2. Select Homebrew Launcher, press A to view details, then press A twice | |
| to load it. | |
| 3. In Homebrew Launcher, load Wii U NAND Dumper. | |
| 4. In Wii U NAND Dumper, enable dumping of everything, including slc, | |
| slccmpt, mlc, otp, and seeprom. | |
| 5. Dump everything. The system will look like it's rebooting, but a progress | |
| indicator will be printed on the gamepad screen. If it crashes instead of | |
| showing progress, make sure you set the system to Production Mode. | |
| ### Switch Back to Development Mode | |
| After dumping the system's NAND, put the system back in Development Mode | |
| to re-enable commands on the serial port: | |
| 1. In the System Config Tool main menu, select Boot Configuration. | |
| 2. Set System Mode to Development Mode and save changes. | |
| 3. Power-cycle the system. System Config Tool should load. | |
| ## Final Steps | |
| Save the NAND dumps in a safe place for later use. You can use | |
| [wfslib](https://github.com/koolkdev/wfslib) to browse the MLC dump and | |
| extract titles. | |
| As an optional step, you can flash 2.13.01 and Wii U Menu Changer. This | |
| requires recovery image files that cannot be linked here and are beyond | |
| the scope of this guide. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment