Tutorial 

Dumping Wii U kiosk systems without hardmods

The current method for dumping a Wii U kiosk system (CAT-I, CAT-SES) requires using a hardmod to dump the eMMC, then using Recovery Mode to install 2.13.01 and dumping the keys. It turns out that, if the kiosk system has a recent enough firmware, it's possible to dump the eMMC (and SLC, etc) without any hardware modifications.

(This is based on a gist I wrote up here: https://gist.github.com/GerbilSoft/640956725ab3eb46e5e32d2f617c1151)
(Screenshots/video to be added at a later point)

The Wii U operating system (IOSU) includes a debug logging facility (enabled on devkits only) that logs debug output to two places:
  • Ethernet (CAT-DEV only)
  • USB Serial (CAT-DEV, CAT-R, CAT-I, CAT-SES)

In addition to simply logging debug information, the serial console can be used to run a limited set of commands in the CafeOS (cos) shell, as long as the system is in Development (not Production) mode. It turns out that, on recent enough firmware versions, there's a cos command to launch a title, and this can be used to launch System Config Tool.

Devkit Models: (in case readers are unfamiliar)
  • CAT-DEV: High-end debugging system in a metal case. This system has PC connectivity over Ethernet.
  • CAT-R Reader: Standard debugging and test system. Looks like a white Wii U with a green faceplate.
  • CAT-I: Disc-based kiosk system. Usually has a white Wii U chassis.
  • CAT-SES: HDD-based kiosk system. Usually has a black Wii U chassis. The two front USB ports are used by the internal HDD.

This guide is generally not needed for CAT-DEV or CAT-R units, but it should work with them regardless.

Preparations

You will need the following:

Serial cables known to work with Wii U's debug logging:

Instructions

Serial Cable Setup
  1. Connect the USB serial cable to the Wii U and to the PC.
  2. On the PC, open TeraTerm. Select Serial and select the COM port that corresponds to the serial cable, then click OK.
  3. In TeraTerm, click the Setup menu, then Terminal. Set New-line for both Receive and Transmit to CR+LF, then click OK.
  4. In teraTerm, click the Setup menu, then Serial port. Select the COM port that corresponds to the serial cable, set the speed to 57600, then click the "New setting" button.
  5. Turn on the Wii U devkit. In 5-10 seconds, you should start seeing debug messages printed on the console.

COS Shell

To determine if the COS Shell is working, type the following in the serial terminal, then press Enter:

Code: 
cos sdkversion

If COS Shell is working, and Development mode is enabled, a message similar to the following will be printed:

Code: 
cos sdkversion
# 00;01;55;243:
---- COS Debugging Shell Command: sdkversion ----
00;01;55;243: SDKVer:21301

In this example, the system has SDK version 2.13.01 installed. This is the latest version of the system software, which corresponds to Wii U menu 5.5.0.

Launch Title

To launch the System Config Tool, run the following command:

Code: 
cos launch 0x00050010 0x1F700500

This will result in one of the following:
  1. Nothing (just a '#') - the SDK version may be too old, in which case it doesn't have a launch command. Unfortunately there's no known workaround for this at the moment, other than dumping eMMC manually.
  2. Errcode -6: The specified title ID was not found. Make sure you entered it correctly. Note that some older firmware versions might have a different menu called DEVMENU installed, and DEVMENU has a different title ID.
  3. System Config Tool will load. This is what we want!
If either #1 or #2 happens, stop here and reply in this thread for support.

System Config Tool

TODO: Add screenshots

Set the default title to System Config Tool:
  1. Select Boot Configuration.
  2. Select Default Title.
  3. In the Default Title menu, select System Config Tool, press A to view title information, then press A to select.
  4. Power-cycle the system. It should boot to System Config Tool instead of the Kiosk Menu.

Install Homebrew Launcher:
  1. On PC, extract the debug-signed version of Homebrew Launcher to the SD card.
  2. Also extract Wii U NAND Dumper to the SD card. This will be used later.
  3. Put the SD card in the Wii U.
  4. In System Config Tool, select Data Manager, Title Manager, Install.
  5. Select SD Card, then browse to where Homebrew Launcher was copied.
  6. Homebrew Launcher will be detected as an Install Image. Highlight it and press A to select the title for installation.
  7. Press R to install. Follow the prompts to continue installation.

Wii U NAND Dumper

Set the system to Production Mode:

*** WARNING: After setting Production Mode, DO NOT RUN ANY KIOSK TITLES. Doing so may result in Kiosk Menu being set as the default title, and the COS Shell won't allow any commands to be run anymore since the system is in Production Mode.
  1. In the System Config Tool main menu, select Boot Configuration.
  2. Set System Mode to Production Mode and save changes.
  3. Power-cycle the system. System Config Tool should load.

Run the Wii U NAND Dumper:
  1. In System Config Tool, select Title Launcher.
  2. Select Homebrew Launcher, press A to view details, then press A twice to load it.
  3. In Homebrew Launcher, load Wii U NAND Dumper.
  4. In Wii U NAND Dumper, enable dumping of everything, including slc, slccmpt, mlc, otp, and seeprom.
  5. Dump everything. The system will look like it's rebooting, but a progress indicator will be printed on the gamepad screen. If it crashes instead of showing progress, make sure you set the system to Production Mode.

Switch Back to Development Mode

After dumping the system's NAND, put the system back in Development Mode to re-enable commands on the serial port:
  1. In the System Config Tool main menu, select Boot Configuration.
  2. Set System Mode to Development Mode and save changes.
  3. Power-cycle the system. System Config Tool should load.

Final Steps

Save the NAND dumps in a safe place for later use. You can use wfslib to browse the MLC dump and extract titles.

As an optional step, you can flash 2.13.01 and Wii U Menu Changer. This requires recovery image files that cannot be linked here and are beyond the scope of this guide.
 
  • Like
Reactions: Razor83, Mazamin, Madridi and 16 others
Click to expand...
C

CircuitBytes

New Member
Newbie
Level 1
Joined
Aug 29, 2021
Messages
1
Trophies
0
XP
31
Country
United States
GerbilSoft said:
Sorry for the delay, I haven't been checking in this thread too often.

If *no* commands work, the system might be in Prod mode, which is unusual for kiosks.

What firmware version is displayed on the kiosk settings menu, if any?
Click to expand...

I have the same issue as CosmoCortney with my CAT-SES Unit.
I can only send "cos help" and the commands that are listed. sdkversion and launch are sadly not in that list.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Homebrew Tutorial  SDUSB - The modern way to play Wii U games from SD - at full speed

Tutorial Homebrew app  USB Partition - Use partitioned USB HDDs with the Wii U

Unable to dump OTP.bin

Using a single external partitioned hard drive.

A Couple of Questions about GameCube Games

Homebrew  Is it safe to delete everything on my SD card and start again?

Please help! WUP Installer GX2 does not see my games!

How can I change the Wii U and vWii region of a japanese wii u to ntsc-u, and keep compatibility with the gamepad?

General chit-chat
Help Users
  • RedColoredStars @ RedColoredStars:
    I'm 52 years old and one of my jobs in life was marketing research. Im well aware. I've been online for around 30 years. Everyone and their grandmother already has my personal information. One more having my email address isn't ruining my life or even effecting me in any way whatsoever.
     +1
  • RedColoredStars @ RedColoredStars:
    In fact. I freely give info. Stuff like gasoline apps, to save $, grocery apps, lots of cash back from rakuten, etc. etc.
     +1
  • RedColoredStars @ RedColoredStars:
    $300 back last year from Rakuten for allowing them to track my purchase. I'll take the money for them to know I bought a bunch of stuff for my cat and some video games. lol
  • K3Nv2 @ K3Nv2:
    No matter what you sign up for your info is out there
     +1
  • RedColoredStars @ RedColoredStars:
    Thats what im saying
  • SylverReZ @ SylverReZ:
    @K3Nv2, Exactly.
  • RedColoredStars @ RedColoredStars:
    And for people to say things like "But I use all fake info". No, they don't. lol. They use fake info for all of their banking and online shopping? Fake shipping address, fake payment info? lol
  • RedColoredStars @ RedColoredStars:
    Fake name, address and payment info for internet service, etc? lol. Ill say it again. Everyone freaks out about OMG WINDOWS!! But crickets on anything else they do.
  • RedColoredStars @ RedColoredStars:
    Other windows stuff people complain about hypocritically too. Like "But but but Windows bundle junk apps!!!!" Yeah?? So do many Linux distributions. Dont like it? Use one without them. Same with windows. Either find a pre-made version without the bundled stuff, or very easily make your own installer with what you want and do not want.
     +1
  • console @ console:
    I agree with all above! Microsoft made a biggest mess with us and everyone! I wish Microsoft company should be fired then lost it. LOL :rofl2:
     +1
  • RedColoredStars @ RedColoredStars:
    I dont like the stuff added either. I have zero use for copilot or recall. But I also just simply disable it and move on.
     +2
  • RedColoredStars @ RedColoredStars:
    Always disabled dumb cortana from day 1 too.
     +2
  • K3Nv2 @ K3Nv2:
    When you're a billion dollar company even upper management is just peons to the company
     +1
  • RedColoredStars @ RedColoredStars:
    MS is funny. Insider programs for both Windows and Xbox, where they listen to absolutely none of the insider feedback and just do what the fuck they want. lolol
     +1
  • K3Nv2 @ K3Nv2:
    Xbox idea to make midrange consoles saved them this Gen and buying your wife
  • SylverReZ @ SylverReZ:
    The Xbox is dying already. I don't know what to say, Microsoft takes the L for that one.
  • SylverReZ @ SylverReZ:
    @RedColoredStars, Lol
  • K3Nv2 @ K3Nv2:
    How is the Xbox dying?
  • K3Nv2 @ K3Nv2:
    Xbox one sold nearly 60 million units
  • SylverReZ @ SylverReZ:
    Remember when Phil was going to buy out more studios to work with them? I guess they couldn't keep up with demands.
  • K3Nv2 @ K3Nv2:
    They already have dozens of studios with big names why care about little Jim making your favorite indie point and click exclusive
  • Psionic Roshambo @ Psionic Roshambo:
    Florida just getting your driver's license.... They sell your phone number and address to marketing companies lol
     +1
  • Psionic Roshambo @ Psionic Roshambo:
    Like .3 cents a person or something
  • K3Nv2 @ K3Nv2:
    No psi that's a gun license they expect flordians to at least know how to break
  • K3Nv2 @ K3Nv2:
    Sorry officer I did not hear the body being dragged 20 miles out
    K3Nv2 @ K3Nv2: Sorry officer I did not hear the body being dragged 20 miles out