Hacking Bootmii Boot2 install

Kwartel
I was looking inside a Wii ISO and inside the update partition I saw an update for boot2. Is it possible to replace that WAD file with a patched WAD file with BootMii boot2 in it? This way it could work on every Wii!
 

WiiPower
No, it won't work. You could install BootMii to boot2 this way, but only on the Wiis where the installer works. But the installer has a very big advantage: when installed with the installer, it allows you to update or remove BootMii with minimal risk.
 

0M39A
As far as my understanding goes (which could be wrong, hopefully someone will correct me if I am), boot2 is writeable on any Wii, but new boot2v4 Wiis won't load BootMii, as the fakesign bug has been fixed in boot1 (i.e. brick).
 

WiiPower
0M39A said:
As far as my understanding goes (which could be wrong, hopefully someone will correct me if I am), boot2 is writeable on any Wii, but new boot2v4 Wiis won't load BootMii, as the fakesign bug has been fixed in boot1 (i.e. brick).

It's only the boot1 version that matters.
 

G0dLiKe
DeadlyFoez said:
I think the OP might be onto something. Even the new Wiis with the new boot1 still do have an upgradable boot2. Although I don't have a full understanding of the Wii's internal workings, why would it not be possible to exchange the code on an update to make it so it can install BootMii on the new Wiis? Obviously Nintendo has their key and unlock code to be able to edit the boot2, what's the holdup of someone discovering it and using it to get full access? There's enough hackers who are smart enough to dump everything and reverse engineer it.

I'm sure if that idea was possible someone would have already tried it by now.

Maybe you're right, best would be to try it...
 

Kwartel
Like I said. Here's a picture of it. It's a shame I couldn't find one in a 4.0 update. But maybe when there will be an anti-BootMii update we can replace that one with BootMii.

Boot2 is selected!
 

FenrirWolf
As far as I can tell, every disc has Boot2v2 on it. But it never does anything since all Wiis already have boot2v2 or higher installed to them. And as was mentioned, the version of boot1 is what makes it possible to install BootMii or not, not the version of boot2.

Perhaps Nintendo will one day try to push an update to boot2 to try overwriting BootMii, but from what I understand boot1 can never be updated since its signature hashes are stored in OTP memory, meaning those can't be overwritten by us nor Nintendo. Therefore a new boot2 probably wouldn't solve much of anything since boot1 is still vulnerable.

I also doubt they'll go so far as to push a boot2 update since there's probably more chance of causing a brick when you mess with stuff involved in the console's boot chain. Disabling BootMii won't keep people from playing pirated games anyway.
 

Kwartel
Well, my idea wasn't as bad as the one who thought he could get an original R4 to work on a DSi by patching it the Acekard way. He didn't know what ROM and RAM were! I know enough about it, so I don't say anything shit!
 

supagusti
DeadlyFoez said:
I think the OP might be onto something. Even the new Wiis with the new boot1 still do have an upgradable boot2. Although I don't have a full understanding of the Wii's internal workings, why would it not be possible to exchange the code on an update to make it so it can install BootMii on the new Wiis? Obviously Nintendo has their key and unlock code to be able to edit the boot2, what's the holdup of someone discovering it and using it to get full access? There's enough hackers who are smart enough to dump everything and reverse engineer it.

I'm sure if that idea was possible someone would have already tried it by now.

As far as I understand, this works as follows:

Wii is powered on - boot1 is executed, and if signing is OK boot2 is executed and boot2 loads the rest (also the system menu) - Wii is up and running.

boot2 is signed with a private key. boot1 will only start boot2 if boot2 is correctly signed.
For correctly signing boot2 we need the private key from Nintendo (which is not public).
Older boot1 versions have a bug (trucha) which allows starting of boot2 without being correctly signed (but fakesigned; I remember it has to be something to do with a hash value starting with a 0...).
Newer versions of boot1 have this bug corrected. boot1 is not writable and resides in the main CPU (Hollywood).

You see, no way - if the private key remains unknown.

Edit: Maybe I missed boot0 in my explanation - the full story can be read here
 

oops_ur_dead
The BootMii installer CAN install BootMii on every single Wii. However, if the Wii has a fixed boot1, then the Wii would be bricked and wouldn't start up. They prevent you from doing that. Your method will work in getting BootMii on a Wii, but since the boot1 won't accept it, BootMii won't even start and you'll have a shiny, white paperweight.
Also, to the person above, boot1 IS writeable. It resides on the NAND. However, boot0 checks boot1 against a hash that IS hardcoded on the CPU, and if the hash doesn't match then boot0 doesn't load boot1.
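The two checks described in supagusti's and oops_ur_dead's posts above, as an added toy model written for this page (it is not code from the Wii, BootMii or any poster). It assumes a simplified signature model: only the all-zero signature is modelled, and it "recovers" to an all-zero hash, which is then compared against SHA-1(boot2) with C string semantics on the old boot1 and with a full-length compare on the fixed one. The 4-byte filler field, the constructed boot1 image and the stand-in OTP hash are all assumptions, not values from the thread.

```python
"""Toy model of the two boot-chain checks described in the thread.

Constructed illustration for this page, not code from the Wii, BootMii or any
poster. Assumptions (not established by the thread):
  * boot0 -> boot1: SHA-1 of the boot1 image is compared, full length, against
    a fixed value that stands in for the hash burned into OTP. Nothing to
    fakesign here, which is why a fixed boot1 cannot be patched from software.
  * boot1 -> boot2 on an old boot1: the hash recovered from the RSA signature
    is compared against SHA-1(boot2) with C string semantics (strncmp), so the
    comparison stops at the first 0x00 byte. Only the all-zero signature is
    modelled: 0^e mod n is 0, so the recovered hash is 20 zero bytes, and any
    boot2 whose SHA-1 begins with 0x00 passes. That is the "hash starting with
    a 0" fakesign trick; a fixed boot1 compares all 20 bytes.
  * The signed blob is modelled as a 4-byte filler field followed by the body;
    the filler is assumed to be an unused field the fakesigner may vary.
"""
import hashlib
import hmac
import struct

SHA1_LEN = 20


def c_string_equal(a: bytes, b: bytes) -> bool:
    """Model of strncmp(a, b, SHA1_LEN) == 0: stop at a mismatch or at NUL."""
    for x, y in zip(a[:SHA1_LEN], b[:SHA1_LEN]):
        if x != y:
            return False
        if x == 0:  # both bytes are NUL: strncmp stops here and reports equal
            return True
    return True


def full_length_equal(a: bytes, b: bytes) -> bool:
    """Fixed check: every byte of both 20-byte digests must match."""
    return len(a) == SHA1_LEN and hmac.compare_digest(a, b)


SIG_ALL_ZERO = bytes(256)  # RSA-2048 signature field filled with zeros


def recovered_hash(signature: bytes) -> bytes:
    """Hash field of the 'decrypted' signature. Only the all-zero case is modelled."""
    if any(signature):
        raise NotImplementedError("real RSA recovery is not modelled here")
    return bytes(SHA1_LEN)


def vulnerable_boot1_accepts(signature: bytes, boot2: bytes) -> bool:
    """Old boot1: strncmp-style comparison (the fakesign bug)."""
    return c_string_equal(recovered_hash(signature), hashlib.sha1(boot2).digest())


def fixed_boot1_accepts(signature: bytes, boot2: bytes) -> bool:
    """Fixed boot1: full-length comparison; an all-zero signature never passes."""
    return full_length_equal(recovered_hash(signature), hashlib.sha1(boot2).digest())


def fakesign(body: bytes, max_tries: int = 1 << 20):
    """Vary the assumed 4-byte filler until SHA-1(filler || body) starts with 0x00.
    Each try succeeds with probability 1/256, so about 256 tries on average.
    Returns (fakesigned_blob, filler_value)."""
    for filler in range(max_tries):
        candidate = struct.pack(">I", filler) + body
        if hashlib.sha1(candidate).digest()[0] == 0:
            return candidate, filler
    raise RuntimeError("no hash with a leading zero byte found")


def hash_starts_with_zero(data: bytes) -> bool:
    return hashlib.sha1(data).digest()[0] == 0


# boot0 -> boot1. Constructed boot1 image; its digest stands in for the OTP hash.
BOOT1_IMAGE = b"constructed boot1 image for this example"
OTP_BOOT1_HASH = hashlib.sha1(BOOT1_IMAGE).digest()


def boot0_accepts(boot1_image: bytes) -> bool:
    """boot0 check: full-length compare against the immutable hash."""
    return full_length_equal(OTP_BOOT1_HASH, hashlib.sha1(boot1_image).digest())


if __name__ == "__main__":
    boot2, filler = fakesign(b"constructed boot2 body")
    print("filler value:", filler, "leading zero byte:", hash_starts_with_zero(boot2))
    print("old boot1 accepts fakesigned boot2:", vulnerable_boot1_accepts(SIG_ALL_ZERO, boot2))
    print("fixed boot1 accepts it:", fixed_boot1_accepts(SIG_ALL_ZERO, boot2))
    print("boot0 accepts stock boot1:", boot0_accepts(BOOT1_IMAGE))
    print("boot0 accepts patched boot1:", boot0_accepts(BOOT1_IMAGE + b"\x00"))
```

The point the model makes is the one the thread circles around: the old boot1 does not leak or need Nintendo's private key, it just stops comparing at a NUL byte, so a blob whose hash happens to start with 0x00 is accepted. The boot0 check has no such shortcut, and its reference value cannot be rewritten, so a patched boot1 is simply never loaded.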
 

techboy
As above, a modified boot2 wad with bootmii could in theory install bootmii as long as boot1 is vulnerable (or else you brick your wii).

With all this security this early in the boot process, you wonder what the heck it is they are/were trying to protect. Seeing that even boot2v4 units can have trucha IOSes on them, what's the point? If Boot2v4 were doing its job properly (verifying the entire title before loading), installing preloader with boot2v4 would brick your wii. You think they would have fixed that...

Also, security this early doesn't stop piracy (even though that was likely their original intent), nor prevent cheating online.
 

olliepop2000
From my limited understanding, I think it is nigh on impossible to get the checksum of the BootMii boot2 to match the original. Or something along those lines...
 

9th_Sage
DeadlyFoez said:
Someone should do a full reverse engineer of the updater for boot2 and find the key that way.
of the WAD? How would this help? It isn't as though it holds the private key or something. If it was really as easy as you think, I'm sure someone would have figured all of this out by now.
 
CasperH
The reason why BootMii can't be installed is because of a hash bug. It has nothing to do with some private key.
The only way to make BootMii work is by altering the WAD just enough so the hash won't get broken
 

WiiPower
Reverse engineer the key...

I think it's 16 bytes, so it's 256^16 different possible keys, good luck trying them all.
 

Kwartel
Uhm... How did they do the common key of the DSi then? Isn't that partly the same stuff?
Correct me if I'm wrong. I'm not a coder in any way except a little bit of HTML.
 

WiiPower
Kwartel said:
Uhm... How did they do the common key of the DSi then? Isn't that partly the same stuff?
Correct me if I'm wrong. I'm not a coder in any way except a little bit of HTML.

It's different, the common key (for both Wii and DSi) is used for the decryption of encrypted titles, that means the Wii/DSi has to know it or else it couldn't play games. So you "only" need to hack the device (with software or hardware or both) to read it.

The private key is not stored on the Wii, that's at least one security flaw Nintendo didn't make.
 
