Boot2 Fixed bug

Discussion in 'Wii - Hacking' started by mike360X1, Jul 23, 2010.

Boot2 Fixed bug by mike360X1 at 11:45 PM (1,905 Views / 0 Likes) 10 replies

  1. mike360X1
    OP

    Newcomer mike360X1 Newbie

    Joined:
    Jul 23, 2010
    Messages:
    3
    Country:
    Canada
    For starters, if you don't know what OTP means, it's one time programmable, which means that it only lets you edit, modify, change, etc. once. That means if you have that kind of version of boot2 (or 1, don't remember) you won't be able to install BootMii. So, that being said, why can't we just download the fixed bug of boot2 from the NUS server (Nintendo server) and analyze it or kind of study it? (Are you with me here?) People can then develop an application that lets you delete that boot and replace that boot with the boot that already has the BootMii patch? Correct me if I'm wrong..... if this is possible, then why didn't those programmers develop that already? But I could be wrong. Maybe OTP can't be deleted either.
     
  2. LocoRoco

    Member LocoRoco GBAtemp Fan

    Joined:
    Jun 17, 2010
    Messages:
    320
    Country:
    Australia
  3. smf

    Member smf GBAtemp Advanced Fan

    Joined:
    Feb 23, 2009
    Messages:
    836
    Country:
    United Kingdom
    Boot0 is inside your cpu and can't be changed.
    Boot1 is in nand with a hash in OTP, the nand can be changed but the hash in OTP can't (*).
    Boot2 is in nand and the signature is checked by boot1.

    The bug is in boot1 on old Wiis, and it's difficult for anyone, including Nintendo, to change boot1 as the OTP can't be changed (*).

    If you don't have a bugged boot1 then the only possible ways of installing a custom boot2 are:

    1. Sieve Nintendo's private key.

    2. Create a custom boot1 with a hash collision with the fixed boot1. This could either be based on the bugged boot1 or something completely custom, but you need to keep changing unused bytes until the hash matches.

    Both of these are hard.


    (*) Technically OTP can be changed, you can change 1's to 0's but you can't change 0's back to 1's. But as you can't change all bits then it doesn't help to change any of them.
     
  4. mike360X1
    OP

    Newcomer mike360X1 Newbie

    Joined:
    Jul 23, 2010
    Messages:
    3
    Country:
    Canada
    Ok cool. Sounds interesting... can you give me more info on those 2 ways?
    or mabye a link from where you got them?
     
  5. Abkarino

    Member Abkarino GBAtemp Regular

    Joined:
    Sep 14, 2009
    Messages:
    139
    Country:
    Egypt
    Sorry, I think that no one here, or maybe anywhere else, can tell you more about these ways, even to get a Nintendo private key (that's very cool if anyone can get it by any means). Or you can try the second one if you have enough programming experience and also very, very good reverse engineering experience to disassemble a bugged boot1 and try to understand how it works on real Wii hardware, and I think that's also very hard.
     
  6. elimist

    Member elimist GBAtemp Regular

    Joined:
    Mar 31, 2009
    Messages:
    282
    Country:
    United States
    does anyone know the type of hash being used and the public key?
     
  7. Jacobeian

    Member Jacobeian GBAtemp Advanced Maniac

    Joined:
    May 15, 2008
    Messages:
    1,879
    Country:
    Cuba
    You don't get it: people know how the "bugged" boot1 is different from the "fixed" boot1; it's the same old strcmp bug that enables "trucha" signing, which was present in all IOS before they started fixing them. There is no point in analysing anything further, this is known stuff.

    And no, it's just not possible to randomly modify bytes in a "bugged" boot1 so its hash matches the hash of the "fixed" boot1 in OTP. Everything is encrypted / signed using RSA 2048; this is not exactly the kind of mechanism that has been designed to be so easily fooled.

    The only solution you have is to get the signature key, which is Nintendo property, either by sneaking into Nintendo's headquarters at night with your ninja skills or by bruteforcing it (trying all possible combinations until you get a match), which should take you approximately 2 thousand years with super fast computers.


    Seriously though, don't you think that if there was an easy solution, people would already have tried it?
     
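    The "strcmp bug" Jacobeian refers to is a general C pitfall: a binary digest handed to a string-comparison routine is compared only up to the first 0x00 byte. The example below, added here and not taken from the thread or from any Wii code, shows that comparison pattern next to a full-length constant-time compare, using constructed 20-byte sample digests (the SHA-1 length; the values are made up, not real Wii hashes).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20 /* SHA-1 digest length in bytes */

/* Bugged pattern: the digest is treated as a C string, so strncmp stops at
 * the first 0x00 byte in either operand and ignores everything after it. */
int hash_equal_bugged(const uint8_t *computed, const uint8_t *expected)
{
    return strncmp((const char *)computed, (const char *)expected, HASH_LEN) == 0;
}

/* Hardened pattern: every byte is compared, and differences are OR-ed
 * together so the run time does not depend on where the digests diverge. */
int hash_equal_fixed(const uint8_t *computed, const uint8_t *expected)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= computed[i] ^ expected[i];
    return diff == 0;
}

/* Constructed sample digests (hypothetical values, not from any console). */
static const uint8_t kExpected[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67 };
/* Same leading 0x00 byte, every other byte different. */
static const uint8_t kWrongAfterNul[HASH_LEN] = {
    0x00, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x0f,
    0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5 };
/* Differs in the very first byte. */
static const uint8_t kWrongFirst[HASH_LEN] = {
    0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67 };

int main(void)
{
    printf("bugged, mismatch after NUL : %d\n", hash_equal_bugged(kWrongAfterNul, kExpected));
    printf("fixed,  mismatch after NUL : %d\n", hash_equal_fixed(kWrongAfterNul, kExpected));
    printf("bugged, mismatch first byte: %d\n", hash_equal_bugged(kWrongFirst, kExpected));
    return 0;
}
```

The bugged routine reports a match for `kWrongAfterNul` even though 19 of its 20 bytes differ; the fixed routine does not.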
  8. WiiCrazy

    Member WiiCrazy Be water my friend!

    Joined:
    May 8, 2008
    Messages:
    2,391
    Location:
    Istanbul
    Country:
    Turkey
    See here for the same discussion : http://forum.wiibrew.org/read.php?27,40556

    @Jacobeian : It boils down to cracking SHA, or attacking SHA with the sole aim of creating a hash collision for this specific instance... boot1 and boot2 are not encrypted...
     
  9. smf

    Member smf GBAtemp Advanced Fan

    Joined:
    Feb 23, 2009
    Messages:
    836
    Country:
    United Kingdom
    This is a better thread.

    http://hackmii.com/2008/06/boot1/

    A SHA-1 preimage attack is probably the easiest way, although it would take a while.
     
  10. mike360X1
    OP

    Newcomer mike360X1 Newbie

    Joined:
    Jul 23, 2010
    Messages:
    3
    Country:
    Canada
    So I guess it comes down to this..... there's no way of removing or exploiting the boot1 fixed bug... at least no safe way or fast way. I guess you all are right... if there was a way, they would have already thought of it... sigh.
     
  11. thesund0g

    Member thesund0g GBAtemp Fan

    Joined:
    Aug 6, 2009
    Messages:
    452
    Location:
    The Boonies
    Country:
    Antarctica
    Your safest bet if you're worried about boot1/2 (I'm guessing you want to be able to recover from bricks) is to get a) an older, used Wii that's vulnerable (I traded with a kid for this) or b) get an Infectus or similar, make a NAND dump with it and use it to restore from when needed. Not as elegant as BootMii, but it will get the job done.
     