Changes

Disc drive (view source)

Revision as of 02:01, 15 April 2025

1,387 bytes added , 15 April

no edit summary

Line 3: Line 3:

The Wii U has an internal disc drive capable of reading both Wii discs and Wii U discs. It's believed to be somewhat related to Blu-Ray drives, in a similar fashion to the Wii's relationship with DVD. Like the Wii, the drive is slot loading and mechanically complex. The drive casing has a label indicating it was manufactured by "China Hualu Panasonic AVC Networks Co., Ltd.".

−

== SATA ==

+

= SATA =

The drive is connected to the Wii U via a normal [[Hardware/SATA_Controller|SATA controller]], using AHCI 1.2. The IOSU may communicate with the controller (and, by extension, the drive). The drive identifies as a standard SATAPI disk drive, connected to port 0. In vWii mode, the AHCI controller is placed into a special compatibility mode, which causes it to emulate the Wii's DI and provide accurate backwards-compatibility for Wii software.

−

== SCSI Commands ==

+

= SCSI Commands =

Despite using normal SATAPI formatting for its commands (ATA PACKET, etc.), the Wii U disc drive doesn't appear to implement any of the required SCSI commands except for REQUEST SENSE. Instead, an entirely custom set of commands is used. All CDBs appear to be 12 bytes long.

−

=== 0xDA - ~~ATAPI_DI_READ_DISC_INFORMATION_CMD ===~~

+

{| class="wikitable"

+

|-

+

! Value

+

! Description

+

|-

+

| 0x0

+

| ATAPI_TEST_UNIT_READY_CMD

+

|-

+

| 0x3

+

| ATAPI_REQUEST_SENSE_CMD

+

|-

+

| 0x12

+

| ATAPI_INQUIRY_CMD

+

|-

+

| 0x1B

+

| ATAPI_START_STOP_CMD

+

|-

+

| 0x28

+

| ATAPI_READ10_CMD

+

|-

+

| 0x2A

+

| ATAPI_WRITE10_CMD

+

|-

+

| 0x46

+

| ATAPI_GET_CFG_CMD

+

|-

+

| 0x4A

+

| ATAPI_GET_EV_ST_NOTIF

+

|-

+

| 0x52

+

| ATAPI_READ_RZONE_INF_CMD

+

|-

+

| 0x53

+

| ATAPI_RESERVE_RZONE_CMD

+

|-

+

| 0x55

+

| ATAPI_MODE_SELECT_CMD

+

|-

+

| 0x5A

+

| ATAPI_MODE_SENSE_CMD

+

|-

+

| 0x5B

+

| ATAPI_CLOSE_RZONE_CMD

+

|-

+

| 0xA1

+

| ATAPI_BLANK_CMD

+

|-

+

| 0xDA

+

| ATAPI_DI_READ_DISC_INFO_CMD

+

|-

+

| 0xDB

+

| ATAPI_DI_REQUEST_DISC_STATUS_CMD

+

|-

+

| 0xDD

+

| ATAPI_DI_SET_MAX_ROTAION_CMD

+

|-

+

| 0xDF

+

| ATAPI_DI_SER_MEAS_CTRL_CMD

+

|-

+

| 0xE0

+

| ATAPI_DI_REQUEST_ERROR_CMD

+

|-

+

| 0xE3

+

| ATAPI_DI_STOP_MOTOR_CMD

+

|-

+

| 0xE5

+

| ATAPI_DI_INQUIRY_CMD

+

|-

+

| 0xE7

+

| ATAPI_DI_REPORT_KEY_CMD

+

|-

+

| 0xE8

+

| ATAPI_DI_READ_CMD

+

|-

+

| 0xEB

+

| ATAPI_DI_SEEK_CMD

+

|-

+

| 0xEC

+

| ATAPI_DI_START_CMD

+

|-

+

| 0xED

+

| ATAPI_DI_READ_CBC_CMD

+

|-

+

| 0xF0

+

| ATAPI_CF_REQUEST_DRIVE_ID_CMD

+

|-

+

| 0xF1

+

| [[#ATAPI_CF_AUTHENTICATION_CMD|ATAPI_CF_AUTHENTICATION_CMD]]

+

|-

+

| 0xF2

+

| [[#ATAPI_CF_START_STOP_UNIT_CMD|ATAPI_CF_START_STOP_UNIT_CMD]]

+

|-

+

| 0xF3

+

| [[#ATAPI_CF_READ_CMD|ATAPI_CF_READ_CMD]]

+

|-

+

| 0xF4

+

| [[#ATAPI_CF_TEST_UNIT_READY_CMD|ATAPI_CF_TEST_UNIT_READY_CMD]]

+

|-

+

| 0xF5

+

| [[#ATAPI_CF_INQUIRY_CMD|ATAPI_CF_INQUIRY_CMD]]

+

|-

+

| 0xF6

+

| [[#ATAPI_CF_SPINDLE_SPEED_CMD|ATAPI_CF_SPINDLE_SPEED_CMD]]

+

|-

+

| 0xF7

+

| ATAPI_CF_SER_MEAS_CTRL_CMD

+

|-

+

| 0xF8

+

| ATAPI_CF_READ_BUFFER_CMD

+

|-

+

| 0xF9

+

| ATAPI_CF_WRITE_BUFFER_CMD

+

|-

+

| 0xFA

+

| ATAPI_CF_SET_ERROR_CMD

+

|-

+

| 0xFB

+

| [[#ATAPI_CF_TOOLBOX_CMD|ATAPI_CF_TOOLBOX_CMD]]

+

|}

−

==~~= 0xE0 - ATAPI_DI_REQUEST_ERROR_ID_CMD ===~~

+

== ATAPI_CF_AUTHENTICATION_CMD ==

−

~~=== 0xED - ATAPI_DI_READ_CBC_CMD ===~~

−

~~=== 0xF1 - ATAPI_CF_AUTHENTICATE_CMD =~~==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 38: Line 152:

|}

−

==~~= 0xF2 - ATAPI_CF_START_STOP_CMD =~~==

+

== ATAPI_CF_START_STOP_UNIT_CMD ==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 82: Line 196:

|}

−

==~~= 0xF3 -~~ ATAPI_CF_READ_CMD ===

+

== ATAPI_CF_READ_CMD ==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 131: Line 245:

|}

−

==~~= 0xF4 -~~ ATAPI_CF_TEST_UNIT_READY_CMD ===

+

== ATAPI_CF_TEST_UNIT_READY_CMD ==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 150: Line 264:

|}

−

==~~= 0xF5 -~~ ATAPI_CF_INQUIRY_CMD ===

+

== ATAPI_CF_INQUIRY_CMD ==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 197: Line 311:

|}

−

==~~= 0xF6 - Unknown ATAPI_CF command =~~==

+

== ATAPI_CF_SPINDLE_SPEED_CMD ==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 220: Line 334:

|}

−

==~~= 0xFB - ATAPI_CF_FREC_READ_CMD =~~==

+

== ATAPI_CF_TOOLBOX_CMD ==

{| style="border-collapse: collapse; padding: 0.2em 0.2em 0.2em 0.2em; border: 1px solid #bbb;" border="1"

! colspan="3" style="padding: 0.2em; background-color: #ddd; text-align: center; font-size: 130%;" | CDB Description

Line 247: Line 361:

|}

−

== Authentication ==

+

= Authentication =

The disc drive uses a two-stage authentication handshake, first a simple [https://en.wikipedia.org/wiki/CBC-MAC CBC-MAC] challenge-response authentication so the console can prove it possesses the correct drive key, and then a function to derive a shared session key. The session key is used to decrypt some response data from the drive, using AES-128-CBC with a null IV.

−

=== Stage 1: CBC-MAC drive key proof ===

+

== Stage 1: CBC-MAC drive key proof ==

* First, the console requests a challenge from the drive by sending the Authenticate command with a step of 0. The drive responds with 32 random bytes.

* The console then encrypts these bytes using AES-128-CBC and the console drive key, null IV.

Line 256: Line 370:

* The console sends this 32 byte packet to the drive using the Authenticate command with a step of 1.

−

=== Stage 2: Session key derivation ===

+

== Stage 2: Session key derivation ==

* The console requests the drive's contribution to the session key by sending the Authenticate command with a step of 2. The drive responds with a 32-byte packet - 16 random bytes, then 16 "ee" bytes. If the drive is unhappy with the console's CBC-MAC proof from stage 1, it will instead give a SCSI error.

* The console extracts the 16 random bytes, discarding the "ee"s.

Line 356: Line 470:

== Motherboard ==

−

=== VXX72132 ===

[[File:WiiU_DiscDrive_VJB72132_SIDE_A.jpg|800px|VJB72132, SIDE-A]]

[[File:WiiU_DiscDrive_VEP72132_SIDE_B.jpg|800px|VEP72132, SIDE-B]]

−

===== Chip Listing~~: =~~====

+

==== Chip Listing ====

{| class="wikitable sortable"

! Color

Line 398: Line 511:

[[File:WiiU_DiscDrive_VEP72135_SIDE_B.jpg|800px|VEP72135, SIDE-B]]

−

===== Chip Listing~~: =~~====

+

==== Chip Listing ====

{| class="wikitable sortable"

! Color

Line 436: Line 549:

[[File:VEP72137_SIDE_B.jpg|800px|VEP72137, SIDE-B]]

−

===== Chip Listing~~: =~~====

+

==== Chip Listing ====

{| class="wikitable sortable"

! Color

Line 459: Line 572:

|}

−

== See Also ==

+

= See Also =

[https://fail0verflow.com/blog/2014/console-hacking-2013-omake/ Fail0verflow's Console Hacking 2013 article], specifically the "DI" section for information on vWii compatibility mode and AHCI.

[[Category:Hardware]]

Hexkyz

Bureaucrats, Interface administrators, Administrators

339

edits