Bootmii Boot2 install

Discussion in 'Wii - Hacking' started by Kwartel, Sep 25, 2009.

  1. Kwartel
    OP

    Kwartel The fairest in all the land

    Member
    1,298
    35
    Apr 11, 2009
    Netherlands
    I was looking inside a Wii iso and inside the update partition I saw an update for boot2. Is it possible to replace that wad file with a patched wad file with bootmii boot2 in it. This way it could work on every Wii!
     


  2. WiiPower

    WiiPower GBAtemp Guru

    Member
    8,165
    72
    Oct 17, 2008
    Gambia, The
    No it won't work. You could install BootMii to boot2 with this way, but only on the Wiis where the installer works. But the installer has a very big advantage: When installed with the installer, it allows you to update or remove BootMii with minimal risk.
     
  3. Kwartel
    OP

    Kwartel The fairest in all the land

    Member
    1,298
    35
    Apr 11, 2009
    Netherlands
    Ok, thanks anywayz
     
  4. 0M39A

    0M39A GBAtemp Fan

    Member
    374
    0
    Apr 24, 2009
    As far as my understanding goes (which could be wrong, hopefully someone will correct me if I am), boot2 is writeable on any Wii, but new boot2v4 Wiis won't load BootMii, as the fakesign bug has been fixed in boot1 (i.e. brick).
     
  5. WiiPower

    WiiPower GBAtemp Guru

    Member
    8,165
    72
    Oct 17, 2008
    Gambia, The
    It's only the boot1 version that matters.
     
  6. G0dLiKe

    G0dLiKe who needs a title ;)

    Member
    1,674
    51
    Aug 2, 2009
    United States
    Maybe you're right, best would be to try it...
     
  7. Kwartel
    OP

    Kwartel The fairest in all the land

    Member
    1,298
    35
    Apr 11, 2009
    Netherlands
    Like I said. Here's a picture of it. It's a shame I couldn't find one in a 4.0 update. But maybe when there will be an anti-BootMii update we can replace that one with BootMii.
    (image: screenshot of the update partition contents)
    Boot2 is selected!
     
  8. FenrirWolf

    FenrirWolf GBAtemp Psycho!

    Member
    4,347
    329
    Nov 19, 2008
    United States
    Sandy, UT
    As far as I can tell, every disc has Boot2v2 on it. But it never does anything since all Wiis already have boot2v2 or higher installed to them. And as was mentioned, the version of boot1 is what makes it possible to install BootMii or not, not the version of boot2.

    Perhaps Nintendo will one day try to push an update to boot2 to try overwriting BootMii, but from what I understand boot1 can never be updated since its signature hashes are stored in OTP memory, meaning those can't be overwritten by us nor Nintendo. Therefore a new boot2 probably wouldn't solve much of anything since boot1 is still vulnerable.

    I also doubt they'll go so far as to push a boot2 update since there's probably more chance of causing a brick when you mess with stuff involved in the console's boot chain. Disabling BootMii won't keep people from playing pirated games anyway.
     
  9. Helsionium

    Helsionium Alpha and Omega

    Member
    351
    12
    Jul 18, 2008
    Australia
    Innsbruck, Austria
    EDIT: nvm, had some gross misconceptions about boot1 that made my entire post utterly irrelevant.
     
  10. Kwartel
    OP

    Kwartel The fairest in all the land

    Member
    1,298
    35
    Apr 11, 2009
    Netherlands
    Well, my idea wasn't as bad as the one who thought he could get an original R4 to work on a DSi by patching it the Acekard way. He didn't know what ROM and RAM was! I know enough about it, so I don't say anything shit!
     
  11. supagusti

    supagusti GBAtemp Regular

    Member
    287
    0
    Feb 2, 2008
    Australia
    As far as I understand, this works as follows:

    Wii is powered on - boot1 is executed, and if signing is OK boot2 is executed and boot2 loads the rest (also the system menu) - Wii is up and running.

    boot2 is signed with a private key. boot1 will only start boot2 if boot2 is correctly signed.
    For correctly signing boot2 we need the private key from Nintendo (which is not public).
    Older boot1 versions have a bug (trucha) which allows starting of boot2 without being correctly signed (but fakesigned; I remember it has to be something to do with a hash value starting with a 0...).
    Newer versions of boot1 have this bug corrected. boot1 is not writable and resides in the main CPU (Hollywood).

    You see, no way - if the private key remains unknown.

    Edit: Maybe I missed boot0 in my explanation - the full story can be read here.
     
  12. oops_ur_dead

    oops_ur_dead Advanced Member

    Newcomer
    66
    0
    Dec 7, 2008
    United States
    The BootMii installer CAN install BootMii on every single Wii. However, if the Wii has a fixed boot1, then the Wii would be bricked and wouldn't start up. They prevent you from doing that. Your method will work in getting BootMii on a Wii, but since the boot1 won't accept it, BootMii won't even start and you'll have a shiny, white paperweight.
    Also, to the person above, boot1 IS writeable. It resides on the NAND. However, boot0 checks boot1 against a hash that IS hardcoded on the CPU, and if the hash doesn't match then boot0 doesn't load boot1.
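    The boot chain described in the two posts above, as an added example (not code from any post in this thread, and not from BootMii or the Wii firmware): a small Python model in which boot0 checks boot1 against a hash fixed at manufacture, and boot1 checks boot2 against a signature. The RSA step is abstracted away (the "signature" is modelled as the 20-byte hash a verifier would recover from it), the image bytes are constructed, and the names boot0_accepts, boot1_old_accepts and boot1_fixed_accepts are this example's own. The point it shows is why the comparison step matters: an older boot1 modelled with C strncmp semantics on binary digest bytes treats any two hashes that both start with 0x00 as equal, which is the "hash value starting with a 0" mentioned earlier in the thread, while a full-length comparison does not.

```python
"""Toy model of the Wii boot chain (boot0 -> boot1 -> boot2) as discussed in the
thread. Added example; not code from BootMii, the Wii firmware or any poster.
Assumptions: SHA-1 stands in for the real hash, the RSA verification step is
skipped and its output (the hash recovered from the signature) is passed in
directly, and all image bytes below are constructed for illustration."""
import hashlib
import hmac

# boot0 -> boot1: reference hash written into one-time-programmable memory at
# manufacture. In the model it is a module constant nobody can rewrite.
BOOT1_IMAGE = b"boot1 image (constructed stand-in)"
OTP_BOOT1_HASH = hashlib.sha1(BOOT1_IMAGE).digest()


def boot0_accepts(boot1_image: bytes) -> bool:
    """boot0 loads boot1 only if all 20 digest bytes match the OTP value."""
    return hmac.compare_digest(hashlib.sha1(boot1_image).digest(), OTP_BOOT1_HASH)


def strncmp_like(a: bytes, b: bytes, n: int) -> bool:
    """C strncmp semantics on binary data: the comparison stops at the first
    NUL byte, so two buffers that both begin with 0x00 compare as equal."""
    for i in range(n):
        if a[i] != b[i]:
            return False
        if a[i] == 0:          # NUL ends a C "string": the rest is never looked at
            return True
    return True


def boot1_old_accepts(boot2_image: bytes, recovered_hash: bytes) -> bool:
    """Older boot1 in this model: hash compared with string semantics."""
    return strncmp_like(hashlib.sha1(boot2_image).digest(), recovered_hash, 20)


def boot1_fixed_accepts(boot2_image: bytes, recovered_hash: bytes) -> bool:
    """Fixed boot1 in this model: every byte of the digest is compared."""
    return hmac.compare_digest(hashlib.sha1(boot2_image).digest(), recovered_hash)


def image_with_zero_leading_hash(base: bytes) -> bytes:
    """Append a counter to `base` until the SHA-1 digest starts with 0x00
    (about 256 tries on average). This is what 'fakesigned' means in the
    thread: the image is unsigned, it merely has the right first hash byte."""
    for n in range(1 << 20):
        candidate = base + n.to_bytes(4, "big")
        if hashlib.sha1(candidate).digest()[0] == 0:
            return candidate
    raise RuntimeError("no candidate found")


def demo() -> dict:
    """Run each stage against a genuine, a forged and a modified image."""
    genuine_boot2 = b"boot2v2 image (constructed stand-in)"
    genuine_hash = hashlib.sha1(genuine_boot2).digest()   # what a valid signature yields
    forged_boot2 = image_with_zero_leading_hash(b"unsigned boot2 (constructed)")
    forged_hash = b"\x00" + b"\xff" * 19                  # garbage after the leading NUL
    return {
        "boot0_accepts_real_boot1": boot0_accepts(BOOT1_IMAGE),
        "boot0_rejects_modified_boot1": not boot0_accepts(BOOT1_IMAGE + b"\x00"),
        "old_boot1_accepts_genuine_boot2": boot1_old_accepts(genuine_boot2, genuine_hash),
        "old_boot1_accepts_fakesigned_boot2": boot1_old_accepts(forged_boot2, forged_hash),
        "fixed_boot1_accepts_genuine_boot2": boot1_fixed_accepts(genuine_boot2, genuine_hash),
        "fixed_boot1_accepts_fakesigned_boot2": boot1_fixed_accepts(forged_boot2, forged_hash),
    }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage}: {result}")
```

    Two things follow from the model that the thread states in prose: a boot1 that is not on the OTP hash is simply never run, whoever wrote it, so replacing boot1 is not an option for anyone; and once boot1 compares the whole digest, an unsigned boot2 is rejected regardless of how it was packaged, so the boot2 WAD on a disc cannot carry BootMii onto a console with the fixed boot1.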
     
  13. techboy

    techboy GBAtemp Advanced Maniac

    Member
    1,720
    21
    Mar 15, 2009
    United States
    Pennsylvania
    As above, a modified boot2 wad with bootmii could in theory install bootmii as long as boot1 is vulnerable (or else you brick your wii).

    With all this security this early in the boot process, you wonder what the heck it is they are/were trying to protect. Seeing that even boot2v4 units can have trucha IOSes on them, what's the point? If Boot2v4 were doing its job properly (verifying the entire title before loading), installing preloader with boot2v4 would brick your wii. You think they would have fixed that...

    Also, security this early doesn't stop piracy (even though that was likely their original intent), nor prevent cheating online.
     
  14. olliepop2000

    olliepop2000 GBAtemp Fan

    Member
    457
    0
    Apr 4, 2009
    North West UK
    From my limited understanding, I think it is nigh on impossible to get the checksum of the BootMii boot2 to match the original. Or something along those lines...
     
  15. 9th_Sage

    9th_Sage GBAtemp Maniac

    Member
    1,481
    1
    Apr 30, 2008
    United States
    of the WAD? How would this help? It isn't as though it holds the private key or something. If it was really as easy as you think, I'm sure someone would have figured all of this out by now.
     
  16. CasperH

    CasperH Newbie

    The reason why BootMii can't be installed is because of a hash bug. It has nothing to do with some private key.
    The only way to make BootMii work is by altering the WAD just enough so the hash won't get broken.
     
  17. WiiPower

    WiiPower GBAtemp Guru

    Member
    8,165
    72
    Oct 17, 2008
    Gambia, The
    Reverse engineer the key...

    I think it's 16 bytes, so it's 256^16 different possible keys, good luck trying them all.
     
  18. G0dLiKe

    G0dLiKe who needs a title ;)

    Member
    1,674
    51
    Aug 2, 2009
    United States
    Yeah, see you in 100.000.000 years...
     
  19. Kwartel
    OP

    Kwartel The fairest in all the land

    Member
    1,298
    35
    Apr 11, 2009
    Netherlands
    Uhm... How did they do the common key of the DSi then? Isn't that partly the same stuff?
    Correct me if I'm wrong. I'm not a coder in any way except a little bit of HTML.
     
  20. WiiPower

    WiiPower GBAtemp Guru

    Member
    8,165
    72
    Oct 17, 2008
    Gambia, The
    It's different, the common key (for both Wii and DSi) is used for the decryption of encrypted titles, that means the Wii/DSi has to know it or else it couldn't play games. So you "only" need to hack the device (with software or hardware or both) to read it.

    The private key is not stored on the Wii, that's at least one security flaw Nintendo didn't do.