Hacking Betwiin v.10

Erikie · Mar 2, 2010

check if your drivebay led flashes at least once
If it stays on either your data is not flashed correctly or your boot1 hash mismatches

stefanox · Mar 2, 2010

drivebay led stays on, when i put the wii on.
no flikkering,

Erikie · Mar 2, 2010

Read back the data from the nand and compare it with what you flashed in it. I bet you have extra FFs at certain places

Erikie · Mar 2, 2010

DeadlyFoez said:
In the end I am finding it easier to just remove the nand. I have noticed some slight problems when writing to the hynix chips when doing a full nand restore using the infectus. I have found that about 1 out of 100 blocks wont match when compared to the source. All I have to do is just erase and rewrite that particular block and everything is fine. But the overall best way to write to the nand is to just remove it and then use a tsop48 clip to write to it. It really is so much easier and more reliable.

I agree with you however not everybody can remove the nand chips so easy without breaking the board. I have a hot air station and then it is a breeze.
Others use a wire which they pull underneath the legs of the nand which I think is a risky thing to do.

If you only need to flash one wii I think the wiring method is the best option to go for. You are fixing a lot of wiis for others so removing it is so much faster then getting the infectus hooked up every time to a wii....

Erikie · Mar 2, 2010

I read about that chipquik thingy too, however with only heat applied for a couple of seconds on the nand by my hot air station I don't think it will get any damage.

delicator · Mar 10, 2010

Hello All

I read every 18 pages of this topic, and I'm tired ^^

I think I understand one thing,
if bricked wii is to recent, it's not boot1 compatible, and I can inject bootmii in.

But, I read in one page, perhaps we can, take off nand with bootmii installed in boot2, and sold on bricked wii, just for booting bootmii, take the nand backup (wrong backup) but with the key of processor of bricked wii.

My idea if it possible, is:

1 do copy of nand with bootmii in boot 2 with an infectus
2 replace nand bricked with this copy,
3 boot bootmii and dump (wrong dump, good key)
4 take the key, and do stuff with betwin etc...
5 flash nand

?

I dont read or I dont understand if boot2 was encrypted too, and, if a bricked wii can boot bootmii for another nand

Thank you !

Erikie · Mar 10, 2010

bootmii flashing in the nand only works with boot1b
those are in the older wiis. The newer wiis have boot1c and boot1b

happydance · Mar 10, 2010

delicator said:
Hello All

I read every 18 pages of this topic, and I'm tired ^^

I think I understand one thing,
if bricked wii is to recent, it's not boot1 compatible, and I can inject bootmii in.

But, I read in one page, perhaps we can, take off nand with bootmii installed in boot2, and sold on bricked wii, just for booting bootmii, take the nand backup (wrong backup) but with the key of processor of bricked wii.

My idea if it possible, is:

1 do copy of nand with bootmii in boot 2 with an infectus
2 replace nand bricked with this copy,
3 boot bootmii and dump (wrong dump, good key)
4 take the key, and do stuff with betwin etc...
5 flash nand

?

I dont read or I dont understand if boot2 was encrypted too, and, if a bricked wii can boot bootmii for another nand

Thank you !

you could do that if both wii are capable installing bootmii as boot2

delicator · Mar 10, 2010

thanks for answer

The capability of installing bootmii at boot2 is related to processor ? or component on motherboard ?

XFlak · Mar 10, 2010

related to boot1

Erikie · Mar 10, 2010

xflak40 said:
related to boot1

which is actually related to the hash in OTP so also a bit CPU related too

delicator · Mar 11, 2010

Ok ! Understand, And it's because of that, if the console is to new, proc change, boot1 change and even if i sold fonctional NAND who come with bootmii in boot2, I can't boot.

but boot1 & boot2 are encrypted with the hash in cpu ? it's sure i mean ?

Erikie · Mar 11, 2010

boot1 is stored inside an eeprom in the cpu, boot2 is decrypted by boot1 and hash checked against the stored hash key in OTP memory. So no way bootmii will run on a boot1c or higher wii

Hopefully a way will be found someday to use bootmii on newer wiis in boot2 but I doubt that

tueidj · Mar 11, 2010

Erikie said:
boot1 is stored inside an eeprom in the cpu, boot2 is decrypted by boot1 and hash checked against the stored hash key in OTP memory.

Let's try that again: Boot1 is stored on the nand but cannot be modified because its hash is stored in OTP memory. boot2 is also stored on the nand and can be changed, but with a fixed boot1 it cannot be fakesigned.

delicator · Mar 11, 2010

ok, and the winner is ?

One of two solutions are the good one ?

And, with recent version of boot1, we can't use breach into boot1 to fakesign boot2 to use bootmii in boot2 ? that it ?
And if we don't know key we can't write a valid boot1

Even if I change the nand with good one with bootmii in boot2, boot1 encryption doesn't match processor vérification ?

EDIT: read entiere gbatemp board is loooooooooooong, but sometimes found usefull infos :

QUOTE said:
How your wii works. This information is solely for what I have specifically asked TeamTwiizer members. Anyone feel free to correct me if I am wrong. I might not be %100 accurate about the theory but the basic concept is correct;

When you turn on your wii the first thing that happens is there is code in boot0 which is stored in the Hollywood processor.
Boot0 does a hash type check on the boot1 code which is stored in the nand. If the hash does not match the the system halts. (so boot1 versions are incompatibly on wii's that have a different boot1)
Boot1 does a hash check on boot2. If that hash check passes the boot1 will execute boot2.
On older wii's, boot1 has the famous trucha bug in it so the contents of boot2 can be manipulated and boot1 does not correctly hash check boot2.

delicator · Mar 14, 2010

Another question,
I want to be sure,
breach is boot1 and console after last 2008 have new boot1 and can't have bootmii in boot2.
And update never can block boot1 breach, If I have old console, I'm sure it have boot1 breach even if is in 4.2 update ?

Natas666 · Mar 16, 2010

Anyone have a nand/keys for a wii that would work with the following?
BootMii v1.1
SysMenu - 4.1U boot1b boot2v3

The bricked Wii is 4.9U boot1b boot2v2

I keep getting the mismatch

Natas666 · Mar 16, 2010

DeadlyFoez said:
Natas666 said:

Anyone have a nand/keys for a wii that would work with the following?
BootMii v1.1
SysMenu - 4.1U boot1b boot2v3

The bricked Wii is 4.9U boot1b boot2v2

I keep getting the mismatch

Click to expand...

Yeah...I wonder why? Maybe because you have no clue of what you are talking about or doing. Read the thread in my sig, and there is also a link in that thread that will give you some info so you aren't so clueless. enjoy

Thank you almighty forum contributor. I appreciate your quick response and helpful information

Natas666 · Mar 16, 2010

DeadlyFoez said:
in case you didn't find it yet http://gbatemp.net/index.php?showtopic=199055 thats the other link. Although that will not be completely helpful to you in your situation it will at least give you a little bit more info on how the wii works.

But to answer your question, if you did run betwiin to convert a nand dump then you will have some hex ediiting to do to make the converted nand dump work with your wii.

By the way, no one can give you their keys to work with your wii, unless you are using it as a donor to convert to become for your wii.

I did everything correct with Betwiin. The area I'm confused about is the hex editing, I'm seeing first 1024, last 1024, but wait, it's 1057 etc... I'm familiar with 010 Editor and able to edit HEX files, just need the info.

I was asking for a donor, since I wasn't sure if what I posted will work, meaning my good wii has SysMenu - 4.1U boot1b boot2v3 and the bricked one has 4.0U boot1b boot2v2

Natas666 · Mar 16, 2010

DeadlyFoez said:
Natas666 said:

DeadlyFoez said:

in case you didn't find it yet http://gbatemp.net/index.php?showtopic=199055 thats the other link. Although that will not be completely helpful to you in your situation it will at least give you a little bit more info on how the wii works.

But to answer your question, if you did run betwiin to convert a nand dump then you will have some hex ediiting to do to make the converted nand dump work with your wii.

By the way, no one can give you their keys to work with your wii, unless you are using it as a donor to convert to become for your wii.

Click to expand...

I did everything correct with Betwiin. The area I'm confused about is the hex editing, I'm seeing first 1024, last 1024, but wait, it's 1057 etc... I'm familiar with 010 Editor and able to edit HEX files, just need the info.

I was asking for a donor, since I wasn't sure if what I posted will work, meaning my good wii has SysMenu - 4.1U boot1b boot2v3 and the bricked one has 4.0U boot1b boot2v2

Click to expand...

By what you are saying, if what you are saying is correct, then it should have worked. Make sure you put the keys at the end of the nand.bin before trying to do a nand restore.

But really, if you got bootmii in boot2, just use comex's nand formatter. It is a lot simpler.

So copy 1024 worth of keys from my good flash.bin to my outputted nand from betwiin? My nand from the output has 1024 more already.

Tried Comex Formatter and a system file and IOS first, and got the Opera error saying it can't find the startup html file. Not a good night! Thanks for help so far...

Hacking Betwiin v.10

Active Member

Well-Known Member

Active Member

Active Member

Active Member

Member

Active Member

Well-Known Member

Member

Wiitired but still kicking

Active Member

Member

Active Member

I R Expert

Member

Member

Member

Member

Member

Member

Similar threads

Popular threads in this forum