Guihong Wang

Guihong的博客

魔理沙一生推
twitter_id
github
email
bilibili
steam
discord server
discord user
namemc
netease cloud music
HomeArchives友链NFT

A Confused Era and the Losers - Wii U

#Wii U#随笔48
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses the evolution of Nintendo's Wii U, highlighting its development process and unique features. Following the success of the original Wii, Nintendo introduced the Wii U in 2012, featuring a large tablet-like gamepad. The development included multiple prototype versions, with improvements in design and functionality over time. The article also delves into the hardware specifications, including the CPU and GPU, and how the Wii U can operate in a Wii mode. It emphasizes the challenges and innovations in creating the Wii U, as well as its capabilities in video rendering and gaming experience.

Front Row Reminder: Some parts of this article may have been written using machines (Microsoft Word's article checker) / AI (Grok 3-DeeperSearch, WPS AI prompt: polish this article). If you are sensitive to machine-generated content, please exit the page immediately.
The article is not only published on the blog but also simultaneously on my NetEase Cloud Music Column, WeChat Official Account, Bilibili Column, and Coolapk. You're welcome to show your support.

Just Wii#

The success of the Wii made Nintendo famous in the 2000s, but its shortcomings also emerged.

image1

Comparison of portable and home use, previous generation and "modern" from Nintendo official sources 1


image5

Resolution of game consoles from the same generation


Compared to other consoles of the same generation, the Wii appeared quite small.
Seeing this situation, Nintendo improved the Wii and released the next generation console (the enhanced version of the Wii).

At E3 2011, then-president of Nintendo of America, Reggie, announced the "debut" of the next-generation console.
image2

Source: Gamespot YouTube 2


Also at that E3, everyone got to try out the new "Wii U."

image3

E3 2011 Wii U gamepad kiosk version 3 Those who have played Wu should be able to notice the differences

It wasn't until the official release in 2012 that people confirmed the appearance of this huge tablet gamepad.

image4

Nintendo Wii U official website 4


But is that all? Let's take a look at other versions of the Wii U.

Special Models#

From late 2010 to early 2011, Nintendo began developing the first version of the Wii U prototype development machine.
Unfortunately, there are no images; here is a picture of the NDEV (Wii first-generation development machine) 5 (similar to NDev, it did not come with a gamepad but used the classic Wii controller for operation).

image6
image5
It wasn't until Cong Ge and his team were developing Nintendo Land 6 that the concept of a gamepad emerged.

image7

The first version used a screen from an unknown source attached to a Wii light gun with a gyroscope


image8

The second version original gamepad had the joystick part of a chicken leg added and then connected to the Wii's straight handle

By mid-2011 (E3 was in June), Nintendo's second prototype development machine [7] was released, this time with a gamepad.
image9
image10

The back of the gamepad


Later, Nintendo created a kiosk (also called Wii U station for demo games) for the Wii U 8 and DRC.
image7
image6

After a while, Nintendo produced the third version of the Wii U development machine [9], which had significant improvements over the second version, as it was painted white, much cleaner than before, and added a wired network port and a 300G hard drive, allowing it to run the system independently.
image8
After some time, the last V (Ver) shaped fourth-generation test machine was released [10], with faster RAM read/write and CPU.
image7
Thus, the V-shaped development machine came to an end, and the next step was to provide development machines [11] for third-party developers (MP type).
image8
After the Wii U was released, this heavy iron box gradually stopped being provided to developers, and instead, Development Kit development machines (codenamed CAT-R) were offered. The appearance of the console was the same as the regular retail Wii U, but the gamepad and console each had several versions.

In 2013, Nintendo of America uploaded several different Wii U models to Brazil's Anatel agency for licensing (similar to our network access license), but the biggest highlight was a machine that had never appeared before [12]. Aside from the front panel of the console and the back cover of the gamepad being bright SYNC color, magenta? (I can't think of a color to describe it, probably a bit brighter than the console's SYNC button).
imagea
image9
Unfortunately, this magenta Wii U has not appeared anywhere else apart from Anatel's documentation; it is the only machine besides the black, white, and green front panel versions and the only Wii U development machine without RF radio frequency.

By 2014, Nintendo began providing development machines with green front panels.
image9

Image source: rare gaming dump 13


imagea

The top of the development machine has jumpers; the DRC also has a switch to connect to the console


imageb

Source: Nintendo official development documentation


imageb

Showcasing the development machine's menu 13, the following image is a comparison with the regular retail version's menu


image
In the development machine, you can see DUMMY (system configuration); this application also appeared in the kiosk 8.
imagec
imaged
Used to set some more advanced content.
Here ends the introduction to the Wii U models, but there is more.

Hardware#

imagee

Official configuration 14


But in fact, if you hack the console and reverse engineer the system to look at the details, you will find this combination quite strange.

PU#

With three "Broadway" (Wii's CPU core) cores, the "Espresso" distilled coffee IBM PowerPC 7XX CPU + AMD/ATi Radeon R700 "Latte" GPU.

imagef

Memory#

This part is interesting, divided into three parts. One part is 2G of 512m DDR3L-1600*4; this 2G memory has 1G reserved for IOS (Internal OS, the internal system running from Wii to Wii U, similar to a kernel), leaving 1G for free allocation. The second part is 32M of special video memory, and the last part is 3M of SRAM used to enhance the connection between the GPU and memory.
image10

Original image source ifixit, the second version article changed to Copetti's introduction image 15

The most interesting point about the memory is that when starting in Wii mode, the Wii U's IOS will hide the 2G of memory, leaving 32M of memory + 3M of SRAM, turning off its three "Broadway" cores to just one, and then rebooting into the Wii's IOS and system.

At this point, the Wii U becomes a real Wii, but you can still use the Gamepad to display and operate (the DRC camera has light bars on both sides; by the way, this thing is still enabled by default in the Wii U's IOS, and there are no games using the DRC's light bar, purely wasting electricity).
imagec

fumofumo


However, you cannot use the Gamepad to operate; you can only use the straight handle.

Exiting is also simple: point to the Wii U menu to exit or press the power button on the console (similar to an unstable jailbreak). The Wii U will reboot itself and return to the Wii U's IOS.
imaged

FuMo

GPU#

It supports 1080P output; although the GPU is probably similar to the Wii, the manufacturer (ATi ➡ AMD) and technology have changed.

First, it is based on the TeraScale architecture. "The most obvious feature is the use of a unified shader model, concentrating vertex and pixel units into a single unit, now called SIMD units." Quoted from Copetti.

Nintendo refers to the render API available for the graphics card as GX2, supporting OpenGL GLSL 3.3 and OpenGL ESSL, and the newly added H.264 hardware decoding also gives this GPU better video rendering capabilities than contemporary graphics cards (used for streaming game visuals to the Gamepad).
image11

So who will make up for this missing wiiuwiiu?


Moreover, the Wii U's GPU also encapsulates some chips that are only used in Wii mode, such as the Wii's GPU (which can exclusively use 3M of memory for video memory in Wii mode) and a chip that forces HDMI signal output.

Audio#

Nintendo has taken audio channels to the extreme. Based on the original dual-channel TV + four straight handles, the TV and the new large controller have been upgraded.
image2

Can achieve 5.1 surround sound on TV


image3

And can achieve pseudo-surround sound on the gamepad


Why is it called "pseudo"? You can check iFixit's teardown of the Wii U, which also mentions the gamepad.
image12

This is the DRC teardown, but the speaker only has two 16


Although the audio of the DRC is not as good as that of the TV, the entire Wii U system is a good combination, especially performing excellently in some official software and games.
image13

In Nintendo Land dump games, you can see versions with and without dspad...


A more obvious (and audible) example is the built-in Mii maker of the machine.
image14

TV
TV

DRC
DRC

mix
mix

Playing DRC or TV alone will seem monotonous.

Operating System#

The Wii U runs four different systems internally.

The first is IOSU (codenamed Starbucks, the internal system of the Wii U), which is an upgraded version of the Wii's IOS. It not only upgrades performance but also "security" (the first hack of the Wii was achieved by exploiting a physical memory bug here; two memories stored the system, one encrypted and the other unencrypted. The hacker used external hardware to solder and found that the memory encryption was reversed, but the memory content remained the same, merging into one and ultimately achieving the first hack of the Wii).

The second is the "espresso" real OS (also called Cafe OS), the Wii U logo seen at startup is produced by Cafe OS. The subsequent system menu showing "Connecting to Nintendo Network" is the first thing Cafe OS does after booting, which also indicates its flexibility and "advanced" system concept (the console's system is not firmware but a real system that allows the system to serve games rather than hardware directly serving games).
imagee

It also indicates that the Wii U is like a machine; if one part fails, it can still run


(As a side note, two machines have already backed up important files. If the Wii U's menu really breaks, it can still be restored back, with full MLC backup. However, one system app just wouldn't back up, indicating it might be broken.)
But the result of this flexibility is a massive increase in memory usage; the original 2G of memory was consumed by Cafe OS, leaving only 1G for developers to allocate.
The third and fourth systems are reserved for Wii compatibility; one is the cold boot Wii mentioned in the "memory" section above, and the other is the hot boot Wii, which is the system for Wii games purchased from the eShop, directly opening Wii games.

Booting and Hacking#

Excerpted from Copetti, thank you (I will buy an e-book to support it later) 15.

"Starbuck is awakened and proceeds to...
Execute the code found in its reset vector (0xFFFF0000), which points to its mask ROM (where the first boot stage is, boot0). The first routine lets Starbuck copy boot0 to Starbuck's SRAM, so it runs faster.
Boot0 then initializes part of the I/O and nearby blocks by reading flags from OTP memory and SEEPROM. It then retrieves the next boot step (boot1) from NAND.
Boot1 has been encrypted and signed, so Starbuck first checks its signature (RSA type) and the integrity of the content (comparing SHA-1 hash values) before beginning to decrypt it (using AES). All necessary keys and certificates are extracted from OTP memory.
After more I/O initialization is completed, SEEPROM and part of OTP will be locked and inaccessible again. Finally, the initialization of boot1 comes to a temporary halt.
Boot1 initializes more I/O and prepares to use MEM2 and MEM0. It then reads IOSU firmware from NAND into MEM1 and executes the same verification & decryption process. If all goes well, Starbuck will disable the used OTP memory and completely clear sensitive data. Finally, it will transition to IOSU firmware.
IOSU firmware is a collection of programs. The first to boot is IOSU Loader, which loads the remaining firmware (like IOSU) to specific memory locations (SRAM and MEM0). It then clears itself from MEM1 and jumps to the SRAM waiting in the IOSU kernel.
The IOSU kernel first quickly checks MEM1; once completed, Starbuck will run in IOSU. To function properly, the relevant modules of IOSU can be found in MEM0.
Espresso is next, so IOSU will copy Cafe OS (in encrypted form) to MEM2 and boot Espresso.
Once the first core of Espresso starts...
The reset vector is at address 0x00000100, occupied by Boot ROM, so it begins executing there.
The MMU, L1/L2 cache, and registers are cleared. Then, Espresso switches to "translation mode" (activating virtual memory).
By tampering with the locked L1 cache and writing to empty memory, BootROM is copied to L1 (for faster operation) without reaching external RAM.
The reset vector becomes an infinite loop (to prevent the CPU from attempting to reset).
The AES key from OTP has been copied to L1. Then, OTP is disabled.
The header of the Cafe OS kernel has been copied to L1, and its signature is verified using the stored key.
The data of the Cafe OS kernel is hashed and decrypted using DMA, sent back and forth to L1 cache in blocks.
Now the unencrypted Cafe OS kernel is fully mapped in RAM and ready to execute. L1 and L2 have been flushed; the boot ROM has been disabled. Finally, jump to execute the Cafe OS kernel.
Espresso, running the Cafe OS kernel, checks the configuration file used to guide it to boot the system menu application.
The system menu is processed from NAND to MEM2 like other encrypted programs. If all goes well, the system menu will be launched.
The user will now be able to control the console!
"

Wii Mode Process#

"Restart Espresso.
Downclock Espresso and disable the two extra cores.
Upload firmware for the DMCU video encoder.
Upload the old font (Gamecube's font) to the MEM1 area, which can be accessed from the EXI interface (to create the old EXI routing).
Enable compatibility mode on the AHCI interface (i.e., the interface connected to the SATA optical drive) so that it can use the old disc interface (DI) protocol to command it.
Copy the keys from OTP memory to its built-in SRAM, as vWii will consider the internal SRAM as traditional SEEPROM.
Disable Wii U-exclusive I/O, except for the GamePad (unless it is disabled by the user or game).
Boot IOS. The choice of IOS slot depends on which vWii mode is used; if in HAI mode, it depends on the game.
The IOS software package designed for vWii has been slightly modified, adding some modules. This includes DI2SD to simulate the optical drive and OHCI1 to convert input from the GamePad into Bluetooth commands (to use Wii controllers).
Upload the Wii system menu or NAND boot program (the binary file running the Wii icon) to MEM2, depending on the vWii mode used.
Since Espresso will boot from the boot ROM, it can only receive binaries using the Wii U's security model. Therefore, the relevant programs for Wii have been modified for compatibility.
Boot Espresso and let it handle and run the specified binary.
The user will now be able to control the console again!
"

Hacking#

When it comes to hacking, everyone still wants to play games or bypass signatures, and achieving all this comes from Cafe OS and IOSU (once again, a side note: if the console is reset, the games on the external hard drive become invalid due to the mismatch of the new system keys and the hard drive; they must be reinstalled, and the same goes for save files).
image15

Here’s a picture to illustrate that under normal circumstances, do not reset the Wii U console because the hard drive also stores save files

Back to the main topic, the Wii U's hacking now mainly comes from the browser, and the initial hack also came from the browser.
Nintendo did not learn from the Wii's experience and did not close the hardware bug - it was possible to extract BootROM under Wii mode - analyze and hack BootROM to obtain the AES encryption key - the browser is open-source and has already been found to have vulnerabilities - using the browser to attempt to run bugs in the Wii U's IOSU resulted in success.
Now, although Nintendo has blocked the software vulnerabilities mentioned above, new methods still use hardware vulnerabilities (GPU accessing shared video memory, which conveniently bypasses most IOSU restrictions).

Solidification#

After hacking, solidification is necessary.
Although the hack is complete, power outages/shutdowns cause the hacking environment to disappear, so we need solidification to automatically hack the system.
Hacking must be parasitic within the system to prevent having to go through the hacking steps every time. At this point, the steps of IOSU booting help a lot (everything runs on Cafe OS, and after IOSU starts, it will wake up Cafe OS, which will call the "Wii U menu" channel).
And who would have thought that finding the official Wii U emulator for DS to read ROMs could also execute arbitrary code, leading to the popular Brain Training hack a few years ago (most DS games work, but this particular Brain Training was the cheapest on the eShop).

After installing Brain Training, it becomes a Wii U channel, indicating that it can replace the pre-set "Wii U menu" when Cafe OS finishes booting, thus completing the solidification of the hack.

However, free access and concerns have driven the development of solidification.
image16

Nintendo of America announcement 17


After 2023, the Wii U's eShop can no longer sell items, including DS's Brain Training, leading to the creation of Mii Maker (or Wii U menu) + custom firmware.
image17

The fw.img in the SD card is the custom firmware


For hacking, this is a huge success, just like Linux can configure its own kernel; you can make any firmware you want and load it onto the SD card.

Today's hacking only requires placing the magical file fw.img and other items on the SD card and opening the browser to complete the hack.

Finally, a review.
The Wii U was shipped in November 2012 and discontinued on January 31, 2017.
Corresponding services:
On August 11, 2015, Nintendo TVii was shut down.
On November 8, 2017, Miiverse was shut down.
On April 9, 2024, Nintendo Network and the old eShop will be completely shut down.
On July 3, 2024, official accessories will no longer be available, and the Wii U will be completely discontinued.

Regarding Nintendo Network, you can search for the video in the image below on Bilibili; it's quite interesting.
image18

Personal Opinion#

The Wii U is indeed a good "playing dumb to eat the tiger" console. Although it is quite heavy and lacks many good third-party games,
imagef
it is still a good console (many new concepts, Nintendo's dual screens that they couldn't let go of at the time, wireless streaming, NFC from 2012, video calls). It is a true "Nintendo" console, not only Wii but also U.

Finally, I would like to end this article, which I have been writing for nearly two months, with a quote from Cong Ge:
"On my business card, I am the president of Nintendo; in my mind, I am a game developer; and deep down, I am a player."

Acknowledgments and Citations#

Thanks to Copetti's "Wii U Architecture." Those who plant trees in the past enjoy the shade later. Without this article, I wouldn't have been able to write the following sections.

Thanks to Consolevariations and GaryOderNichts for creating WiiUIdent, which uploads non-sensitive information about the console to the database, allowing people to see the actual models of the Wii U (Wii U version of Lu Master).
image19
image4
Also, thanks to Rare Gaming Dump organization and Luckless Heaven for preserving interesting items.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.