Wii Crusher
 A reconstruction of one of the Wii Crusher disc from pieces. | |
| GameID | v2.7: USA: 008E JPN: 008J KOR: 008K PAL: 008P |
|---|---|
| Title IOS | IOS255 |
The Wii Crusher is a software disc which restores a Wii to factory state without having the Wii Menu. It instead uses IOS255, a normally blank IOS slot.
It has been found on both pressed discs and on drive emulator boards, and was released in every region.
Behavior
The Wii Crusher will not perform any operation without passing a console-specific challenge-response algorithm: it saves a "request" file to the SD card with console-specific contents (currently unknown, but it appears that the crusher count from serial EEPROM is part of the data used, as a response file can only be used once on a specific console), and then expects to read a response file that is signed (using ES_Sign in the same way as savegames) - after verifying the signature, the console ID in the certificate is then checked to a hardcoded list, and the response file is rejected if the signing console is not in that list.
Builds of Wii Crusher intended for Wii Mini (RVO) do not contain the challenge-response check at all.
The main operation is to increment the crusher count in serial EEPROM, zero the boot2 version, and then read from the SD card a NAND prewrite image containing boot1 and sdboot (for the corresponding Vegas/Bollywood version, based on boot1 hash read from fuses) and write it to the start of NAND. It also reads back the written prewrite image, and compares its checksum to what was written, although the only real action on a mismatched checksum is to show an error message to inform the operator that the system is now bricked: "Crusing[sic] is not perfect. But, system cannot reboot."
The recognised boot1 hashes in version 2.7 of Wii Crusher are the following:
| Hash | Unofficial name | Vegas/Bollywood version name from Crusher | prewrite filename read by Crusher |
|---|---|---|---|
b30c32b962c7cd08abe33d015b9b8b1db1097544
|
boot1a | Hollywood-MP1 | prewrite1.dat |
ef3ef78109608d56df5679a6f92e13f78bbddfdf
|
boot1b | Hollywood-MP2 | prewrite2.dat |
d220c8a486c631d0df5adb3196ecbc668780cc8d
|
boot1c | Hollywood-MP4 | prewrite4.dat |
caa13a1263b1ce5389ad2cd3e128543b59e44b0e
|
not previously known | Bollywood | prewrite5_1.dat |
f793068a09e80986e2a023c0c23f06140ed16974
|
boot1d | Bollywood | prewrite5_2.dat |
Wii Crusher version 2.7 will accept response data signed by the following console IDs: 50113324, 49568667, 49568663, 50849807, 49568657, 51006670, 49568652, 51006665, 49568646, 51006660, 49568495, 50471770, 49875399, 48681401, 51006653, 51006648, 50479771, 50948321, 50973364, 49568645
Versions
Three versions of the Wii Crusher are known to exist:
| Version | Date | Region |
|---|---|---|
| v00 | October 22, 2007 | PAL |
| v2.5 | May 10, 2010 | KOR |
| v2.7 | November 15, 2011 | KOR |
