Hacking BOOTMII UNBRICKED A WII B4 BOOTMII!!

[pspmte]

Aren't Boot1 and 2 part of the NAND? If so I don't see how this would work since by swapping NANDS from one wii to the other you move bootmii with them too, UNLESS he did it while the working bootmii wii was still running, but would that be risky? I mean you're soldering and crap while the system is running....

Yes i see what your saying but if you made a dump of the good nand u could reflash that back using an infectus

This idea is to get the keys from a bricked wii

 

[Shinigami Kiba]

ok so if it's stored on the NAND and one of the NANDs was a complete brick, how did he get bootmii on that NAND?

almost same time post

edit: so infectus is the key to all this, ok that makes perfect sense now
I don't know much about infectus but i know the same can be used for both the 360 and Wii

 

[knowthing]

No, boot1 is stored on the NAND with everything else. However, its SHA-1 hash is stored in non-writable memory.

Ah okay! I understand now. Thanks for explaining that!

 

[pspmte]

I did not use the infectus yet

I need to find how to get the keys from the nand.bin dump or wait for a program that runs in ppc that will get us the wiis keys

But as of now i have made a bricked wii come back to life with another wiis nand flash with bootmii installed

This means all wii can be done inc the new ones

 

[Shinigami Kiba]

in that case I STILL don't understand how you transferred bootmii to the bricked NAND
guys, am I the only one who doesn't get this part? Or did i miss something

 

[pspmte]

I transplanted a working nandflash ic with bootmii already installed on it for the bad one

 

[icebrg5]

If you transfered a nand from a good wii into a bad wii.

You still left with one bad wii and one good one.

How is that a fix?

 

[pcfree]

But as of now i have made a bricked wii come back to life with another wiis nand flash with bootmii installed

This means all wii can be done inc the new ones

The swap NAND process for bootmii could only work between old Wii with old boot1. Your bootmii is stored in NAND with old boot1+(bootmii+boot2) + encrypted FileSystem Data + unencrypted FileSystem Metadata. New Wii with new boot1 has different boot1 hash in OTP and cannot run old boot1 to launch bootmii.

 

[Screemer]

just a little addition:

the boot2 versions also need to match
or at least, the donor Wii's boot2 cannot be older than the dead wii's boot2

we only found that out a month or two ago -- they put some protection against downgrading boot2 by storing the current (expected) version number in SEEPROM inside the Hollywood package

 

[JohnnyCheeks]

pix or it didn't happen

 

[lajd]

I transplanted a working nandflash ic with bootmii already installed on it for the bad one

So it didn't make a difference if bootmii was installed in the good nand? Would've worked if it wasn't installed, right?

 

[fellaw]

I still don't get why this approach could be used to unbrick any Wii regardless what has been in NAND before(e.g. bricket Sysmenu or whatever). From my point of view, you only had success because the Boot1 SHA1 from both your bricked and your unbricked Wii were the same and vulnerable to use BootMii as Boot2. Otherwise, Starlet wouldn't have booted Boot1 or BootMii at all. To sum things up, to unbrick hardcore way you have to:[*]Get a working Wii with same Boot1 like yours[*]Boot1 has to be vulnerable in order to run BootMii as Boot2[*]Dump the NAND of the working Wii with BootMii[*]Desolder the NAND and re-solder it to the Wii you want to unbrick[*]Read out the NAND keys with BootMii and Xyzzy[*]Re-solder the broken NAND back[*]Flash the dumped, good NAND over the broken NAND with Infectus and the extracted keysI'm not sure about how the last step would involve the keys, because I've never used an infectus.

Your approach is clearly hardcore way. Doubt the average Wii user could even open their Wii, not to mention soldering the flash. Not even I ever tried that(tough I would be cappable of doing so). Anyway, it wouldn't work on Wiis with new Boot1, because those can't have BootMii as Boot2. Thus the encrypted parts of a re-soldered, working NAND never would be decrypted by Boot2 as part of the boot process. You only could save such Wiis if you had read out their keys before bricking.

 

[pspmte]

What about a new Mini ppc code that gets the keys using armcode

Fellaw It is hard core i know that and taking a nand of a board is not that easy
but this is a start to unbricking wiis that had the boot2 bug in them