[Wii U scene] de_Fuse ZIP v0.5 released

The developer Shiny Quagsire aims to overclock the Wii U console GPU through the latest update of de_Fuse ZIP , the modchip still in development built around the RP2040 microcontroller.

 

 

The open source modchip allows us to get boot1 done by injecting a voltage problem shortly after the reset, before the console starts executing the code.

 

The development of the de_Fuse modchip began on the Wii Mini console , at the time of the facts not yet hacked, born with the aim of performing the glitch on boot0.

Version 0.2 introduced support for SLC restore through minute(a fork of MINI and open source replacement for IOS made by the fail0verflow team) and OTP dumping through PRSH hax.

Keep in mind that this will not work for consoles with non-functional SLC NAND (if a drive’s LED turns blue, the NAND will be operational enough to dump the OTP, anything else may need to be reflashed/replaced).

BOOT1_SLC.RAWFrom version 0.3 SEEPROM restore, OTP dumping for all CDN boot1 versions, backup and restore of and the ability to synchronize SEEPROM boot1 versions with versions on NAND are also available .

The modchip is currently in its early stages of development and currently requires some sort of FPGA, but hasn’t been standardized in terms of schematics or parts, it is also thought to use an RP2040 microcontroller, the same one used on Switch consoles by the PicoFly modchip.

 

Note: This is a pre-1.0 release for early adopters who want to know if their RPi Pico is wired correctly for de_Fuse, as well as developers interested in coldboot CFW. Many things are currently not implemented and/or need improvement. However, what is provided is sufficient to verify that the Pico is installed correctly.

 

Files required

  • boot1.img: SD card image for minute_minute.
  • fw.img: Main bootloader, minute.
  • ios.patch: Patch de_Fuse_iosuhax for 5.5.1ish, I think this will technically work on 5.5.5 as well?
  • otp.bin: This can be downloaded via the minute menu, under Backup and Restore>  Dump OTP via PRSHhax. The menu will still be available if otp.binit is not there, however IOS will not be able to boot.

.zipThe following versions are provided in the archive :

Steps

  1. Flash the file pico_defuse.uf2to the Raspberry Pi Pico via USB. This can be done by copying the file to the USB mass storage device that appears.
  2. Flash the file boot1.imgto an SD card with at least 1GB of storage space. Some 2GB cards might work, but 1GB seems to be the sweet spot – it just has to be non-SDHC. boot1.imgincludes an MBR header, so you may need to format the partition to FAT32 after flashing to continue. Flashing can be done via win32diskimager, dd or any other SD card formatter.
  3. Copy the three files fw.imgios.patchand otp.binto the root of the SD card. If you do not have the file otp.bin, it can be downloaded via Backup and Restore>  Dump OTP via PRSHhax.
  4. Turn on the Wii U console. If functioning properly, the Power LED will flash purple. By default, the minute menu will be displayed on the serial console, however an INI file can be placed on the SD card to trigger autostart.

Access to minute menu

For now, a serial console is required to use the menu. On Windows you can use PuTTY, on Linux/macOS you can use minicom (for example: minicom -b 115200 -o -D /dev/cu.usbmodem11101).

minutecan be configured to start automatically in IOS via sdmc:/minute/minute.ini. To activate the menu manually, press (but don’t hold) the power button 3-10 times (as if you were trying to enter BIOS on a computer) or until the menu appears on the serial console.

From here you can swap the SD card and back up the NAND. To back up MLC, it is currently recommended to format the redNAND with a 64GB SD card, then copy the partitions from the SD card.

An example of autostart in minute.iniis as follows:

[boot]
autoboot = 1
autoboot_timeout = 3

Restoring NAND backups

minute now supports restoring NAND backups, however there may still be some lingering bugs. as long as you have your files backed up SLC.RAWand SLCCMPT.RAWsomewhere SAFE, YOU WILL BE FINE!!

I was able to completely clear my SLCCMPT and reset it, but I also did a reset where some sectors didn’t program for some reason. Might have just been my SD card though.

I’m going to continue working on this, since I also want to recover a drive that had its NAND completely erased without backup. However, the current state of affairs is as I said.

A corrupted NAND will appear as follows in the IOSU logs:

  • “Attached volume to slc01 (raw)”.
  • “Attached volume to slccmpt01 (raw)”.
  • Lots of spam on bad hashes (this happens even if otp.binit’s invalid or zeroed).

GPU overclocking

Since version 0.5 minute includes experimental support for overclocking (or underclocking) the Radeon GPU by specifying the PLL parameters inside the ini file.

This could potentially damage the Wii U console if the calculations are found to be incorrect . The console may also not boot into the menu properly or may become unstable during normal use.

Overview of manual PLL overrides:

div_select = ?
clkV is spread spectrum related maybe?
clkS is clock source...?

clkXtal = 27MHz
clkO = clkO0Div, clkO1Div, or clkO2Div (based on div_select)
clkF = (clkFMsb << 16) | (clkFLsb << 1)
freqMhz = clkXtal * (clkF/0x10000) / (clkR+1) / (clkO/2)

Example of unchanged INI values:

; Defaults:
; GPU = 544.999878MHz
; 27 * (0x285ED0 / 0x10000) / (0+1) / (0x4/2)
[clocks]
gpu_clk_r = 0x0
gpu_clk_f = 0x285ED0
gpu_clk_s = 0x1C2
gpu_clk_v = 0x7
gpu_clk_o_0div = 0x4
gpu_clk_o_1div = 0x4
gpu_clk_o_2div = 0x0

Overclocking example:

; GPU = 679.999878MHz (1.25x)
; 27 * (0x325ED0 / 0x10000) / (0+1) / (0x4/2)
[clocks]
gpu_clk_f = 0x325ED0

 

Note: The GPU becomes unstable at around 770 MHz during my tests.

 

troubleshooting

You will need a serial console attached for this, see above for help.

If the console LED stays red after pressing the power button and boots normally after about 30 seconds, it means that de_Fuse failed to detect properly or the SD card is invalid.

A successful de_Fuse looks like this:

[pico] Changed state: WIIU_STATE_POWERED_OFF -> WIIU_STATE_NEEDS_DEFUSE
Starting... 1152
Results:
Winner! 0xfb80
01
02
03
04
05
08
09
0a
0b
0c
0d
0e
13
14
15
18
1b
1c
1d
1e
1f
25
88
89
8a
...

  • If the initial lines are not 010203..., it means that the DEBUG GPIOs are not wired correctly.
  • If the last line is 0x1Eand the error code is 0x00, it is an invalid SD card. Invalid SD cards seem to hang in boot0.
  • If the final line is 0x25and in the output there are 1eand 1f, it means that the SD card was valid, but was not flashed properly (or otherwise could not be read).
  • If the final line is 0x25and 1eand 1fare NOT in the output, it means the EXI CLK cable is not connected properly or there is a problem with the EXI data cable.

Changelog v0.5

  • Added more safeties around button presses/SMC.
  • Fixed redNAND formatting not aborting properly at first prompt.
  • Added interactive console cmd uppuploadpatchfor uploading to ios.patchserial.
  • Added support for manual GPU overclocking via sdmc:/minute/minute.ini.

Changelog v0.3

    • boot1.imgnow check BoardConfig CRC32 and if it is invalid then DRAM is initialized using default fallback settings.
    • Added support for PRSHhax based OTP dumping for all boot1 versions available on CDN (prod and dev).
    • Added dumping and restoring of  BOOT1_SLC.RAW.
    • Added support for recovering seeprom.bin.
      • This option can result in not being able to download OTP via PRSH hax if you do something stupid!
      • I’ve added as many verification/security measures as possible to make sure PRSH hax doesn’t get blocked, but ultimately it’s your responsibility to keep otp.binit seeprom.binsafe.
      • An incomplete list of things that can stop working irreversibly if you lose your file backup seeprom.binand flash something wrong include:
        • The disk drive.
        • Saves stored on USB drive.
    • Added support for syncing SEEPROM boot1 versions with NAND after flashing BOOT1_SLC.RAW.
      • This option requires a copy of the file otp.binfrom the console itself (and this is verified).
    • Changed redNAND partitioning to place 1 MiB of free space at the beginning of the SD card for Ancast images.
    • Various reliability improvements.

Changelog v0.2

  • Hotfix: Fixed OTP not downloading without otp.binon SD card (lol).
  • OTP dumping via  Backup and RestoreDump OTP via PRSHhax.
  • Recovery of SLC.RAWand SLCCMPT.RAW, via  Backup and Restore.
  • Faster/more reliable serial console input.
  • A serial chainloader fw.imgfor minute_minute dev.
    • Set env var MINUTE_MINUTE_FW_IMG to the absolute path of fw.img.

Download: de_fuse v0.5

Download: Source code de_fuse v0.5

Source: twitter.com