Hacking Boot2 Fixed bug

mike360X1 (OP):
For starters, if you don't know what OTP means, it's one-time programmable, which means that it only lets you edit, modify, change, etc. once. That means if you have that kind of version of boot2 (or 1, don't remember) you won't be able to install BootMii. So, that being said, why can't we just download the fixed bug of boot2 from the NUS server (Nintendo server) and analyze it or kind of study it? (Are you with me here?) People can then develop an application that lets you delete that boot and replace that boot with the boot that already has the BootMii patch? Correct me if I'm wrong... if this can be possible, then why didn't those programmers develop that already? But I could be wrong. Maybe OTP can't be deleted too.
 

smf:
Boot0 is inside your CPU and can't be changed.
Boot1 is in NAND with a hash in OTP; the NAND can be changed but the hash in OTP can't (*).
Boot2 is in NAND and the signature is checked by boot1.

The bug is in boot1 on old Wiis, and it's difficult for anyone, including Nintendo, to change boot1 as the OTP can't be changed (*).

If you don't have a bugged boot1 then the only possible ways of installing a custom boot2 are:

1. Sieve Nintendo's private key.

2. Create a custom boot1 with a hash collision with the fixed boot1. This could either be based on the bugged boot1 or something completely custom, but you need to keep changing unused bytes until the hash matches.

Both of these are hard.


(*) Technically OTP can be changed: you can change 1s to 0s but you can't change 0s back to 1s. But as you can't change all bits, it doesn't help to change any of them.
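An added illustration of the boot chain and of the footnote above (my own Python model, not code from this thread or from Nintendo): OTP fuses only go from 1 to 0, so a boot1 hash stored there cannot be moved to the hash of a different boot1, and burning more bits only makes boot0 reject both images. SHA-256, the image bytes and the OTP size are constructed stand-ins, not the console's real algorithm or data.

```python
import hashlib

# Constructed stand-ins (not Nintendo's data or algorithm): SHA-256 plays the
# role of the boot1 digest that boot0 compares against the copy burned into OTP.
HASH = hashlib.sha256
FIXED_BOOT1 = b"constructed fixed boot1 image" * 3    # what the factory shipped
BUGGED_BOOT1 = b"constructed bugged boot1 image" * 3  # the image one would rather run


class OTP:
    """One-time-programmable fuses: bits ship as 1 and can only ever be cleared to 0."""

    def __init__(self, nbytes: int) -> None:
        self.data = bytearray(b"\xff" * nbytes)

    def program(self, value: bytes) -> bytes:
        # Fuses burn one way, so every write is a bitwise AND with the old contents.
        for i, byte in enumerate(value):
            self.data[i] &= byte
        return bytes(self.data)

    def can_become(self, target: bytes) -> bool:
        # Reachable only if no bit would have to go from 0 back to 1.
        return all((cur | tgt) == cur for cur, tgt in zip(self.data, target))

    def bits_to_reset(self, target: bytes) -> int:
        # Bits the target needs as 1 that are already burned to 0 (fuses cannot give them back).
        return sum(bin(tgt & ~cur & 0xFF).count("1") for cur, tgt in zip(self.data, target))


def boot0_verify(otp: OTP, boot1_image: bytes) -> bool:
    # boot0's single check on boot1: the NAND image must hash to the OTP value.
    return HASH(boot1_image).digest() == bytes(otp.data)


def swap_attempt() -> dict:
    """What replacing boot1 in NAND would demand of the hash stored in OTP."""
    otp = OTP(HASH().digest_size)
    otp.program(HASH(FIXED_BOOT1).digest())  # factory burns the fixed boot1 hash
    bugged_hash = HASH(BUGGED_BOOT1).digest()
    result = {
        "fixed_boots": boot0_verify(otp, FIXED_BOOT1),
        "bugged_boots": boot0_verify(otp, BUGGED_BOOT1),
        "otp_can_reach_bugged_hash": otp.can_become(bugged_hash),
        "bits_that_would_need_reset": otp.bits_to_reset(bugged_hash),
    }
    otp.program(bugged_hash)  # burning anyway only clears more bits...
    result["fixed_boots_after_burn"] = boot0_verify(otp, FIXED_BOOT1)   # ...so neither
    result["bugged_boots_after_burn"] = boot0_verify(otp, BUGGED_BOOT1)  # image verifies
    return result
```

Running `swap_attempt()` shows the factory image verifying, the replacement image failing, a non-zero count of fuses that would have to be un-burned, and both images failing once the extra bits are cleared.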
 

mike360X1 (OP):
Ok cool. Sounds interesting... can you give me more info on those 2 ways?
Or maybe a link to where you got them?
 

Abkarino:
Sorry, I think that no one here, or maybe anywhere else, can tell you more about these ways, even how to get a Nintendo private key (that's very cool if anyone can get it by any means :P). Or you can try the second one if you have enough programming experience and also very, very good reverse engineering experience to disassemble a bugged boot1 and try to understand how it works on real Wii hardware, and I think it's also very hard :)
 

Jacobeian:
You don't get it: people know how the "bugged" boot1 is different from the "fixed" boot1; it's the same old strcmp bug that enables "trucha" signing, which was present in all IOS before they started fixing them. There is no point in analysing anything further, this is known stuff.

And no, it's just not possible to randomly modify bytes in a "bugged" boot1 so its hash matches the hash of the "fixed" boot1 in OTP; everything is encrypted / signed using RSA 2048, and this is not exactly the kind of mechanism that has been designed to be so easily fooled.

The only solution you have is to get the signature key, which is Nintendo property, either by sneaking into Nintendo's headquarters at night with your ninja skills or by bruteforcing it (try all possible combinations until you get a match), which should take you approximately 2 thousand years with super fast computers.


Seriously though, don't you think that if there was an easy solution, people wouldn't already have tried it?
 

mike360X1 (OP):
So I guess it comes down to this... there's no way of removing or exploiting the boot1 fixed bug, well... at least no safe way or fast way... I guess you all are right... if there was a way, they would have already thought of it... sigh...
 

thesund0g:
Your safest bet if you're worried about boot1/2 (I'm guessing you want to be able to recover from bricks) is to get a) an older, used Wii that's vulnerable (I traded with a kid for this) or b) get an Infectus or similar, make a NAND dump with it and use it to restore from when needed. Not as elegant as BootMii, but it will get the job done.
 
