Hacking Bootmii Boot2 install

Thread starter: Kwartel

Kwartel
I was looking inside a Wii ISO and inside the update partition I saw an update for boot2. Is it possible to replace that WAD file with a patched WAD file with BootMii boot2 in it? This way it could work on every Wii!
 
No, it won't work. You could install BootMii to boot2 this way, but only on the Wiis where the installer works. But the installer has a very big advantage: when installed with the installer, it allows you to update or remove BootMii with minimal risk.
 
As far as my understanding goes (which could be wrong; hopefully someone will correct me if I am), boot2 is writeable on any Wii, but new boot2v4 Wiis won't load BootMii, as the fakesign bug has been fixed in boot1 (i.e. brick).
 
0M39A said:
As far as my understanding goes (which could be wrong; hopefully someone will correct me if I am), boot2 is writeable on any Wii, but new boot2v4 Wiis won't load BootMii, as the fakesign bug has been fixed in boot1 (i.e. brick).

It's only the boot1 version that matters.
 
DeadlyFoez said:
I think the OP might be onto something. Even the new Wiis with the new boot1 still have an upgradable boot2. I don't have a full understanding of the Wii's internal workings, but why would it not be possible to exchange the code in an update to make it install BootMii on the new Wiis? Obviously Nintendo has their key and unlock code to be able to edit boot2; what's the holdup of someone discovering it and using it to get full access? There are enough hackers who are smart enough to dump everything and reverse engineer it.

I'm sure if that idea was possible someone would have already tried it by now.

Maybe you're right; best would be to try it...
 
Like I said. Here's a picture of it. It's a shame I couldn't find one in a 4.0 update. But maybe when there is an anti-BootMii update we can replace that one with BootMii :P

[image: 2v3moeb.jpg, screenshot of the update partition contents with boot2 selected]

Boot2 is selected!
 
As far as I can tell, every disc has Boot2v2 on it. But it never does anything since all Wiis already have boot2v2 or higher installed to them. And as was mentioned, the version of boot1 is what makes it possible to install BootMii or not, not the version of boot2.

Perhaps Nintendo will one day try to push an update to boot2 to try overwriting BootMii, but from what I understand boot1 can never be updated since its signature hashes are stored in OTP memory, meaning those can't be overwritten by us nor Nintendo. Therefore a new boot2 probably wouldn't solve much of anything since boot1 is still vulnerable.

I also doubt they'll go so far as to push a boot2 update since there's probably more chance of causing a brick when you mess with stuff involved in the console's boot chain. Disabling BootMii won't keep people from playing pirated games anyway.
 
Well, my idea wasn't as bad as the one who thought he could get an original R4 to work on a DSi by patching it the Acekard way. He didn't know what ROM and RAM were! I know enough about it, so I don't say any shit!
 
DeadlyFoez said:
I think the OP might be onto something. Even the new Wiis with the new boot1 still have an upgradable boot2. I don't have a full understanding of the Wii's internal workings, but why would it not be possible to exchange the code in an update to make it install BootMii on the new Wiis? Obviously Nintendo has their key and unlock code to be able to edit boot2; what's the holdup of someone discovering it and using it to get full access? There are enough hackers who are smart enough to dump everything and reverse engineer it.

I'm sure if that idea was possible someone would have already tried it by now.

As far as I understand, this works as follows:

Wii is powered on - Boot1 is executed, and if the signing is OK Boot2 is executed and Boot2 loads the rest (also the System Menu) - Wii is up and running

Boot2 is signed with a private key. Boot1 will only start Boot2 if Boot2 is correctly signed.
For correctly signing Boot2 we need the private key from Nintendo (which is not public).
Older Boot1 versions have a bug (trucha) which allows starting of Boot2 without being correctly signed (but fakesigned; I remember it has something to do with a hash value starting with a 0...)
Newer versions of Boot1 have this bug corrected. Boot1 is not writable and resides in the main CPU (Hollywood).

You see, no way - if the private key remains unknown.

Edit: Maybe I missed boot0 in my explanation - the full story can be read here
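Added example for this thread (not code from any of the posts, nor from the BootMii/HackMii project): a small Python model of the hash-comparison bug the post above refers to with "a hash value starting with a 0". The signature check is modelled as comparing the 20-byte SHA-1 from the signature block against the SHA-1 of the content with C `strncmp()` semantics, which stop at the first NUL byte. The `strncmp` helper, the `fakesign` brute force over an assumed 4-byte filler field, the field names and the sample payload are all constructed for illustration; they are not boot1's real code or Nintendo's data layouts.

```python
# Added example (not from the thread or from BootMii): model of the
# strncmp-based hash comparison ("fakesign"/trucha) bug versus a fixed check.
# Layout, field names, the 4-byte filler field and the sample payload are
# constructed assumptions for illustration only.
import hashlib
import struct

HASH_LEN = 20  # SHA-1 digest length

# A zero-valued RSA signature "decrypts" to zero (0**e mod n == 0), so the
# hash field recovered from a forged, all-zero signature is all zero bytes.
FORGED_SIG_HASH = bytes(HASH_LEN)


def strncmp(a: bytes, b: bytes, n: int) -> int:
    """C strncmp() semantics: compare at most n bytes, stop at the first NUL."""
    for i in range(n):
        ca = a[i] if i < len(a) else 0
        cb = b[i] if i < len(b) else 0
        if ca != cb:
            return ca - cb
        if ca == 0:  # both "strings" ended here: strncmp reports equality
            return 0
    return 0


def verify_buggy(content: bytes, sig_hash: bytes) -> bool:
    """Vulnerable check: the two hashes are compared as C strings with strncmp()."""
    return strncmp(hashlib.sha1(content).digest(), sig_hash, HASH_LEN) == 0


def verify_fixed(content: bytes, sig_hash: bytes) -> bool:
    """Corrected check: every byte of the 20-byte digest must match."""
    return hashlib.sha1(content).digest() == sig_hash


def fakesign(body: bytes):
    """Brute-force an assumed 4-byte filler field (treated as don't-care by the
    loader in this model) until SHA-1(body || filler) begins with 0x00. With an
    all-zero signature hash, strncmp() then stops at that first byte and reports
    a match. About 256 attempts are expected. Returns (forged_content, attempts)."""
    for filler in range(1 << 32):
        candidate = body + struct.pack(">I", filler)
        if hashlib.sha1(candidate).digest()[0] == 0x00:
            return candidate, filler + 1
    raise RuntimeError("no filler value found")  # unreachable in practice


def demo() -> dict:
    """Run the forged and the genuine case through both verifiers."""
    payload = b"constructed sample boot2 payload, not real firmware"
    forged, attempts = fakesign(payload)
    genuine_hash = hashlib.sha1(forged).digest()  # what a real signature carries
    return {
        "attempts": attempts,
        "hash_first_byte": genuine_hash[0],
        "buggy_accepts_forged": verify_buggy(forged, FORGED_SIG_HASH),
        "fixed_accepts_forged": verify_fixed(forged, FORGED_SIG_HASH),
        "buggy_accepts_genuine": verify_buggy(forged, genuine_hash),
        "fixed_accepts_genuine": verify_fixed(forged, genuine_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The buggy verifier accepts the forged content because both "strings" are empty as far as `strncmp()` is concerned: the signature's hash field is all zeros and the content's SHA-1 was brute-forced to start with 0x00. The fixed verifier compares all 20 bytes, so passing it with a zero signature would require content whose SHA-1 is the all-zero digest, i.e. a SHA-1 preimage, which is not feasible; this is why a boot1 with the comparison fixed cannot be fakesigned and why the thread keeps saying the boot1 version is what matters.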
 
The BootMii installer CAN install BootMii on every single Wii. However, if the Wii has a fixed boot1, then the Wii would be bricked and wouldn't start up. They prevent you from doing that. Your method will work in getting BootMii on a Wii, but since the boot1 won't accept it, BootMii won't even start and you'll have a shiny white paperweight.
Also, to the person above, boot1 IS writeable. It resides on the NAND. However, boot0 checks boot1 against a hash that IS hardcoded in the CPU, and if the hash doesn't match then boot0 doesn't load boot1.
 
As above, a modified boot2 wad with bootmii could in theory install bootmii as long as boot1 is vulnerable (or else you brick your wii).

With all this security this early in the boot process, you wonder what the heck it is they are/were trying to protect. Seeing that even boot2v4 units can have trucha IOSes on them, what's the point? If Boot2v4 were doing its job properly (verifying the entire title before loading), installing preloader with boot2v4 would brick your wii. You think they would have fixed that...

Also, security this early doesn't stop piracy (even though that was likely their original intent), nor prevent cheating online.
 
From my limited understanding, i think it is nigh on impossible to get the checksum of the bootmii boot2 to match the original. Or something along those lines...
 
DeadlyFoez said:
Someone should do a full reverse engineer of the updater for boot2 and find the key that way.

Of the WAD? How would this help? It isn't as though it holds the private key or something. If it was really as easy as you think, I'm sure someone would have figured all of this out by now.
 
The reason why BootMii can't be installed is because of a hash bug. It has nothing to do with some private key.
The only way to make BootMii work is by altering the WAD just enough so the hash won't get broken
 
Reverse engineer the key...

I think it's 16 bytes, so it's 256^16 different possible keys, good luck trying them all.
 
WiiPower said:
Reverse engineer the key...

I think it's 16 bytes, so it's 256^16 different possible keys, good luck trying them all.

Yeah, see you in 100,000,000 years...
 
Uhm... how did they do the common key of the DSi then? Isn't that partly the same stuff?
Correct me if I'm wrong. I'm not a coder in any way except a little bit of HTML.
 
kwartel said:
Uhm... how did they do the common key of the DSi then? Isn't that partly the same stuff?
Correct me if I'm wrong. I'm not a coder in any way except a little bit of HTML.

It's different: the common key (for both Wii and DSi) is used for the decryption of encrypted titles, which means the Wii/DSi has to know it or else it couldn't play games. So you "only" need to hack the device (with software or hardware or both) to read it.

The private key is not stored on the Wii; that's at least one security flaw Nintendo didn't make.
 