Bootmii Boot2 install

Discussion in 'Wii - Hacking' started by Kwartel, Sep 25, 2009.

Bootmii Boot2 install by Kwartel at 7:29 AM (4,613 Views / 0 Likes) 23 replies

  1. Kwartel
    I was looking inside a Wii ISO, and inside the update partition I saw an update for boot2. Is it possible to replace that WAD file with a patched WAD file with BootMii boot2 in it? This way it could work on every Wii!
     


  2. WiiPower

    No, it won't work. You could install BootMii to boot2 this way, but only on the Wiis where the installer works. But the installer has a very big advantage: when installed with the installer, it allows you to update or remove BootMii with minimal risk.
     
  3. Kwartel
    OK, thanks anyway.
     
  4. 0M39A

    As far as my understanding goes (which could be wrong, hopefully someone will correct me if I am), boot2 is writeable on any Wii, but new boot2v4 Wiis won't load BootMii, as the fakesign bug has been fixed in boot1 (i.e. brick).
     
  5. WiiPower

    It's only the boot1 version that matters.
     
  6. G0dLiKe

    Maybe you're right; best would be to try it...
     
  7. Kwartel
    Like I said. Here's a picture of it. It's a shame I couldn't find one in a 4.0 update. But maybe when there is an anti-BootMii update we can replace that one with BootMii.
    [image: Boot2 is selected!]
     
  8. FenrirWolf

    As far as I can tell, every disc has Boot2v2 on it. But it never does anything since all Wiis already have boot2v2 or higher installed to them. And as was mentioned, the version of boot1 is what makes it possible to install BootMii or not, not the version of boot2.

    Perhaps Nintendo will one day try to push an update to boot2 to try overwriting BootMii, but from what I understand boot1 can never be updated since its signature hashes are stored in OTP memory, meaning those can't be overwritten by us or by Nintendo. Therefore a new boot2 probably wouldn't solve much of anything since boot1 is still vulnerable.

    I also doubt they'll go so far as to push a boot2 update since there's probably more chance of causing a brick when you mess with stuff involved in the console's boot chain. Disabling BootMii won't keep people from playing pirated games anyway.
     
  9. Helsionium

    EDIT: nvm, had some gross misconceptions about boot1 that made my entire post utterly irrelevant.
     
  10. Kwartel
    Well, my idea wasn't as bad as the one who thought he could get an original R4 to work on a DSi by patching it the Acekard way. He didn't know what ROM and RAM were! I know enough about it so I don't say anything shit!
     
  11. supagusti

    As far as I understand, this works as follows:

    Wii is powered on - boot1 is executed, and if signing is OK boot2 is executed, and boot2 loads the rest (also the System Menu) - Wii is up and running.

    Boot2 is signed with a private key. Boot1 will only start boot2 if boot2 is correctly signed.
    For correctly signing boot2 we need the private key from Nintendo (which is not public).
    Older boot1 versions have a bug (trucha) which allows starting of boot2 without being correctly signed (but fakesigned; I remember it has something to do with a hash value starting with a 0...).
    Newer versions of boot1 have this bug corrected. Boot1 is not writable and resides in the main CPU (Hollywood).

    You see, no way - if the private key remains unknown.

    Edit: Maybe I missed boot0 in my explanation - the full story can be read here
     
  12. oops_ur_dead

    The BootMii installer CAN install BootMii on every single Wii. However, if the Wii has a fixed boot1, then the Wii would be bricked and wouldn't start up. They prevent you from doing that. Your method will work in getting BootMii on a Wii, but since the boot1 won't accept it, BootMii won't even start and you'll have a shiny, white paperweight.
    Also, to the person above, boot1 IS writeable. It resides on the NAND. However, boot0 checks boot1 against a hash that IS hardcoded on the CPU, and if the hash doesn't match then boot0 doesn't load boot1.
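A small model of the comparison step in the chain supagusti describes and the boot0/boot1 hash check oops_ur_dead mentions, added here as an example; it is not code from the thread or from the Wii's own boot stages. It puts the flawed strncmp-style digest comparison (which stops at the first 0x00 byte, the "hash starting with a 0" detail above) beside a fixed full-length constant-time one; the digests are constructed values and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20 /* SHA-1 digest length, as used by the Wii boot chain */

/* Flawed check modelled on the "trucha"/fakesign bug the thread mentions:
 * strncmp treats the digests as C strings and stops at the first 0x00 byte,
 * so two digests that both begin with 0x00 compare equal whatever follows. */
int hash_matches_flawed(const uint8_t *expected, const uint8_t *actual)
{
    return strncmp((const char *)expected, (const char *)actual, HASH_LEN) == 0;
}

/* Fixed check: every byte is compared, in constant time so the result does
 * not leak how many leading bytes happened to match. */
int hash_matches_fixed(const uint8_t *expected, const uint8_t *actual)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= expected[i] ^ actual[i];
    return diff == 0;
}

/* One link of the chain: does this boot1 revision hand control to boot2?
 * boot1_fixed selects which comparison the revision ships with. */
int boot1_loads_boot2(int boot1_fixed, const uint8_t *signed_hash,
                      const uint8_t *computed_hash)
{
    return boot1_fixed ? hash_matches_fixed(signed_hash, computed_hash)
                       : hash_matches_flawed(signed_hash, computed_hash);
}

/* Constructed digests, not real Wii values. GENUINE_HASH stands for the hash
 * covered by Nintendo's signature; MODIFIED_HASH for a different boot2 image
 * whose digest also happens to start with 0x00; UNRELATED_HASH for one that
 * does not. */
const uint8_t GENUINE_HASH[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03, 0x04 };
const uint8_t MODIFIED_HASH[HASH_LEN] = {
    0x00, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x0f,
    0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5 };
const uint8_t UNRELATED_HASH[HASH_LEN] = {
    0x5a, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0x0f,
    0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5 };
```

Calling `boot1_loads_boot2(0, GENUINE_HASH, MODIFIED_HASH)` returns 1 (the old boot1 accepts the wrong image) while the fixed revision returns 0, which is exactly the difference the thread says makes a boot2 swap either work or brick the console.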
     
  13. techboy

    As above, a modified boot2 WAD with BootMii could in theory install BootMii as long as boot1 is vulnerable (or else you brick your Wii).

    With all this security this early in the boot process, you wonder what the heck it is they are/were trying to protect. Seeing that even boot2v4 units can have trucha IOSes on them, what's the point? If boot2v4 were doing its job properly (verifying the entire title before loading), installing Preloader with boot2v4 would brick your Wii. You'd think they would have fixed that...

    Also, security this early doesn't stop piracy (even though that was likely their original intent), nor prevent cheating online.
     
  14. olliepop2000

    From my limited understanding, I think it is nigh on impossible to get the checksum of the BootMii boot2 to match the original. Or something along those lines...
     
  15. 9th_Sage

    of the WAD? How would this help? It isn't as though it holds the private key or something. If it was really as easy as you think, I'm sure someone would have figured all of this out by now.
     
  16. CasperH


    The reason why BootMii can't be installed is because of a hash bug. It has nothing to do with some private key.
    The only way to make BootMii work is by altering the WAD just enough so the hash won't get broken.
     
  17. WiiPower

    Reverse engineer the key...

    I think it's 16 bytes, so it's 256^16 different possible keys, good luck trying them all.
     
  18. G0dLiKe

    Yeah, see you in 100.000.000 years...
     
  19. Kwartel
    Uhm... How did they do the common key of the DSi then? Isn't that partly the same stuff?
    Correct me if I'm wrong. I'm not a coder in any way, except a little bit of HTML.
     
  20. WiiPower

    It's different: the common key (for both Wii and DSi) is used for the decryption of encrypted titles, which means the Wii/DSi has to know it or else it couldn't play games. So you "only" need to hack the device (with software or hardware or both) to read it.

    The private key is not stored on the Wii; that's at least one security flaw Nintendo didn't make.
     