With the news that a handful of Hynix Wii U eMMCs were starting to rapidly degrade, I decided to revisit a recurring project idea of mine: an open-source Wii U modchip. The Wii U has had a fairly small homebrew scene, I believe in part because it currently has no commercial nor open-source modchips for facilitating early-boot code execution. While there exists a coldboot boot1 vulnerability, isfshax, it leaves a lot to be desired, and it is unfortunately not useful for recovering consoles from an unknown state, since NAND is encrypted per-console based on an OTP key. Additionally, certain SEEPROM corruptions can cause consoles to never reach boot1, resulting in unrecoverable bricks (at least without drilling through the SoC substrate).

I had originally started this endeavor by glitching the Wii mini, which at the time had not been hacked; however, my efforts were quickly sniped by FullMetal5’s bluebomb (which GaryOderNichts later brought to the Wii U as bluubomb, though that is a different vulnerability). I did, however, manage to get boot1 execution on my Wii mini in a novel way: by inserting a voltage glitch shortly after reset, before the console started executing code, OTP had been cleared to zero.

The Wii was extremely basic in how it handled booting: ROM was somewhat expensive (for die space, but more likely for chip revisions), so the Wii’s boot0 simply loaded boot1 from NAND, decrypted it with a key stored in ROM, and checked that its hash matched fused values in OTP. However, there is one special case for factory-fresh consoles (and apparently dev units): if the OTP hash is entirely 00s, it will run anything that is loaded from NAND.

The Wii U is significantly more sophisticated in how it boots: the boot1 Ancast image can be loaded from either NAND or the SD card, images are specific to the hardware they are signed for (NAND vs SD card), signature pubkeys are specific to dev vs retail hardware configs, and security fuses can be configured to disable encryption and sigchecks entirely. More details are available on its WiiBrew page.

Fuses on both the Wii and Wii U are provisioned via JTAG, and JTAG is locked out via its own eFuse, which is readable via OTP registers. (Tumblr probably murdered the image resolution. An SVG is available here.) I haven’t figured out if fuse cutting is done before or after the chip is soldered to the motherboard. ‘eFuses’ technically encompass a large variety of different types of PROMs.
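To make the boot0 failure mode concrete, here is a small Python model of the Wii boot0 check as the post describes it (hash of boot1 compared against fused OTP values, with the all-zero special case), next to a fail-closed variant. This is an added example written for this post, not Nintendo's ROM code nor anything from the Wii/Wii U homebrew projects mentioned; the use of SHA-1 for the fused hash, the `factory_mode` fuse word and its `FACTORY_MODE_MAGIC` value are assumptions chosen for illustration, and the boot1 images are constructed byte strings.

```python
import hashlib
import hmac
from dataclasses import dataclass

HASH_LEN = 20              # assumption: the fused boot1 hash is modelled as SHA-1 (20 bytes)
ZERO_HASH = bytes(HASH_LEN)

# Hypothetical magic value a hardened design would require in a dedicated fuse
# word before honouring an unprovisioned (all-zero) boot1 hash. It is chosen so
# that neither an all-zero nor an all-ones read of a 16-bit fuse word matches it.
FACTORY_MODE_MAGIC = 0xA5C3


@dataclass
class Otp:
    boot1_hash: bytes       # 20 bytes; all zero on a factory-fresh console
    factory_mode: int = 0   # hypothetical extra fuse word used only by the hardened check


def wii_boot0_accepts(otp: Otp, boot1_image: bytes) -> bool:
    """Model of the Wii boot0 check as described in the post (not the real ROM).

    The image's hash must match the value fused into OTP, but an all-zero fused
    hash is the factory-fresh special case that accepts any image: the cleared
    state of the fuses is the permissive state (fail-open).
    """
    if otp.boot1_hash == ZERO_HASH:
        return True
    digest = hashlib.sha1(boot1_image).digest()
    return hmac.compare_digest(digest, otp.boot1_hash)


def hardened_boot0_accepts(otp: Otp, boot1_image: bytes) -> bool:
    """Fail-closed variant (assumed design, not an existing console).

    A zeroed hash is only honoured when a separate fuse word carries an explicit
    non-trivial magic value, so an OTP that reads back as zero (cleared, unblown,
    or simply unreadable) refuses to boot instead of running whatever is in NAND.
    """
    if otp.boot1_hash == ZERO_HASH:
        return otp.factory_mode == FACTORY_MODE_MAGIC
    digest = hashlib.sha1(boot1_image).digest()
    return hmac.compare_digest(digest, otp.boot1_hash)


def provision(boot1_image: bytes) -> Otp:
    """What factory provisioning would burn: the hash of the shipped boot1."""
    return Otp(boot1_hash=hashlib.sha1(boot1_image).digest())


def demo() -> dict:
    """Run both checks against a provisioned OTP and a zeroed OTP (constructed inputs)."""
    shipped = b"constructed boot1 image (retail)"
    rogue = b"constructed boot1 image that was never fused"
    fused = provision(shipped)
    cleared = Otp(boot1_hash=ZERO_HASH)   # how a zeroed OTP looks to boot0
    return {
        "fused_accepts_shipped": wii_boot0_accepts(fused, shipped),
        "fused_rejects_rogue": not wii_boot0_accepts(fused, rogue),
        "cleared_otp_runs_anything": wii_boot0_accepts(cleared, rogue),
        "hardened_cleared_refuses": not hardened_boot0_accepts(cleared, rogue),
        "hardened_factory_mode_ok": hardened_boot0_accepts(
            Otp(ZERO_HASH, FACTORY_MODE_MAGIC), rogue
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is the one the post's glitch result makes: when the default, unblown, or cleared value of a fuse is also the value that disables a check, any way of reading the fuses back as zero becomes a bypass. Requiring a specific non-zero pattern for the permissive mode makes a cleared OTP fail closed.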