Acquisition and Reconstruction of the File System for the Internal NAND Memory of a Wii Console
Stephen Fisher Davies
The following documentation is advisory and should be tested and verified by
any examiners choosing to use this method. All testing conducted on a Nintendo
Wii Console running 4.3E. This method comes with no warranty or guarantees of
any kind. Please do not distribute without the expressed permission of the
Acquiring a NAND by editing the console boot procedure is not a forensically
perfect method and does write a small amount of data to the device. This is not a
replacement for a chip off but my method does use freely accessible software to
acquire a binary copy of the device memory and its device keys for decryption.
Before You Start, is your device supported?
To identify a Wii’s firmware using a Wii controller; Wii Firmware Go To ->
System -> Wii Settings and in the top right of the screen you will see the
firmware version. Note: To use a Wii remote for the first time on a Wii console,
you will need to pair the remote. Doing so will overwrite pairing information on
the Wii. If this may be eventually needed as evidence, it is advisable to operate
the Wii with a readily paired controller. I have also tested this method using 4.2
but any console capable of running ‘Supersmash Bros. Brawl’ without the need to
update should work.
Wii’s running 4.3U (USA) and 4.3Y (Japan) are also susceptible to the
‘SuperSmash Hack’ but these require the discs specific to their region. This
method of installing ‘Bootmii’ is also available using the ‘IndianaPWN’s’ hack, but
the ‘IndianaPWN’s’ method is far more long winded and requires writing an
extensive amount of data to the Wii console.
This method requires the user to insert an SD card into the front of the Wii
console. Evidence contained within the SD card of the console should always be
forensically imaged before booting the console. Further ‘Channel’ data can reside
on this card but this documentation does not describe how to analyse and
acquire this data.
Full details can be found below: