lets talk boot1

Discussion in 'Wii - Hacking' started by Apekop, May 14, 2009.

  1. Apekop
    OP

    Apekop GBAtemp Regular

    Member
    Apr 9, 2009
    Netherlands
    Location, location, location.
So, with the release of the BootMii beta, we're coming to a new chapter in files we'd like to break open: the boot files.
How are we going to go about overwriting these files with trucha-bugged older versions?
I hear these are supposed to be write-once files, but is it possible to work around that?
     
  2. superrob

    superrob H4X H4X H4X!

    Member
    Apr 4, 2007
    GBATemp factory.
*Edit* Whoops, never mind, I was wrong!
     
  3. WiiCrazy

    WiiCrazy Be water my friend!

    Member
    May 8, 2008
    Istanbul
Dunno if it's writable or not, but I guess its checksum or secure hash could be in the OTP area... so no modifications, otherwise the system will not boot...
     
  4. joda

    joda GBAtemp Fan

    Member
    Jul 12, 2007
    Umeå
This, unless someone discovers a weakness in SHA1 making it possible to spoof a boot1 (or boot2, for those with invulnerable boot1s) which produces the same hash. This is however not veeeeeeeery likely, since SHA1 is still considered safe and is one of the most widely used hashing algorithms as of today. If there were a weakness, it'd probably have been found elsewhere already.
     
  5. icefireicefire

    icefireicefire GBATemp Fails.

    Member
    Dec 19, 2008
    United States
    could be = is.
     
  6. Dialexio

    Dialexio GBAtemp Advanced Maniac

    Member
    Mar 14, 2009
    United States
It is possible to modify boot1. The problem is, boot1 has its SHA-1 hash written into the OTP. That, and the fact that SHA-1 has not been entirely cracked, means it's currently impossible to change boot1. (It's a safe assumption that the Wii will brick if the hashes don't match up.) Collision attacks have been found in SHA-1, but that is not enough to brute-force the entire string.
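The check Dialexio describes, modelled as an added Python example (not code from this thread, from Nintendo, or from the BootMii project): boot0 hashes the boot1 image and compares it with the hash burned into OTP, any single-bit change in boot1 fails that comparison, and the cost of searching for a replacement image with the same SHA-1 is a second-preimage search, not the collision attacks that have been published. The boot1 image and the hash rate are constructed values.

```python
import hashlib

# Constructed stand-in for the boot1 image stored in NAND (not real Wii data).
BOOT1_IMAGE = b"boot1: constructed example payload " + bytes(range(64))

# What the factory would burn into write-once OTP: the SHA-1 of the shipped boot1.
OTP_BOOT1_HASH = hashlib.sha1(BOOT1_IMAGE).digest()


def boot0_check(image: bytes, otp_hash: bytes) -> bool:
    """Model of the boot0 step: hash boot1 and compare with the OTP hash.

    boot0 sits in mask ROM and the OTP hash cannot be rewritten, so neither
    side of the comparison can be patched; on mismatch the console stops.
    """
    return hashlib.sha1(image).digest() == otp_hash


def flip_one_bit(image: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of the image with a single bit toggled."""
    buf = bytearray(image)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def count_single_bit_variants_passing(image: bytes, otp_hash: bytes) -> int:
    """Try every one-bit modification of the image and count how many still
    pass boot0_check. SHA-1's avalanche property means the answer is 0: there
    is no 'small' edit to boot1 that keeps the OTP hash valid."""
    passing = 0
    for byte_index in range(len(image)):
        for bit in range(8):
            if boot0_check(flip_one_bit(image, byte_index, bit), otp_hash):
                passing += 1
    return passing


def second_preimage_years(hashes_per_second: float, bits: int = 160) -> float:
    """Expected wall-clock years to find another image with a fixed SHA-1.

    With the target hash already burned into OTP, an attacker needs a second
    preimage (expected ~2^160 trials). Published SHA-1 weaknesses are collision
    attacks, where the attacker chooses both inputs, so they do not reduce this.
    """
    seconds = 2 ** bits / hashes_per_second
    return seconds / (365 * 24 * 3600)
```

Even at a constructed rate of 10^15 hashes per second across pooled machines, `second_preimage_years(1e15)` comes out above 10^25 years.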
     
  7. beegee7730

    beegee7730 ITS PAAFEKUTO!

    Banned
    Mar 31, 2009
    England
It is possible though, right?
I mean, it was done on the Nintendo DS?
     
  8. cwstjdenobs

    cwstjdenobs Sodomy non sapiens

    Member
    Mar 10, 2009
    Ankh-Morpork
  9. piratesmack

    piratesmack GBAtemp Advanced Fan

    Member
    Mar 28, 2009
    United States
    $(pwd)
    http://hackmii.com/2009/02/bootmii-and-the-new-boot1/
     
  10. beegee7730

    beegee7730 ITS PAAFEKUTO!

    Banned
    Mar 31, 2009
    England
That's talking about other, non-Nintendo consoles.
Since the Wii and DS are both Nintendo consoles, I would call it an educated guess.
     
  11. WiiPower

    WiiPower GBAtemp Guru

    Member
    Oct 17, 2008
    Gambia, The
How about 10% of the GBAtemp members combining their PCs to brute-force it? If we had a BootMii that is final and had some space left that could be changed to brute-force the signature? A correctly signed BootMii could be installed on every Wii that is hacked. OK, I know it's not realistic, because even with such a high number of PCs, it would take 1 or 10 or 100 or 1000 or 10000... years?
     
  12. beegee7730

    beegee7730 ITS PAAFEKUTO!

    Banned
    Mar 31, 2009
    England
This would also make it impossible to fix unless Nintendo change their signature.
     
  13. WiiPower

    WiiPower GBAtemp Guru

    Member
    Oct 17, 2008
    Gambia, The
No. I imagine that it would be very easy for Nintendo to block that in new Wiis then, because they would know EXACTLY what to block.
     
  14. Athlon-pv

    Athlon-pv GBAtemp Advanced Fan

    Member
    Feb 25, 2005
    United States
That largely depends on how well the client is written. If you can get something like CUDA and CPUs in the mix (and the ATI counterpart (Stream?)), it shouldn't be that long of an exercise...
     
  15. BlackEnigma

    BlackEnigma GBAtemp Fan

    Member
    Mar 1, 2009
    United States
Was it scene activity that caused Nintendo to release the new boot1s in the latter half of 2008 or whatever? Somehow I don't think that they just decided, hey, let's make a new, more secure boot1.

Basically what I'm asking is: did they take the initiative, or was it a reaction?
     
  16. superrob

    superrob H4X H4X H4X!

    Member
    Apr 4, 2007
    GBATemp factory.
Hmm, well... it's still a large "safety" disorder on Nintendo's side. And since it's kinda burned in, it would be logical to permanently save it in the future.
     
  17. joda

    joda GBAtemp Fan

    Member
    Jul 12, 2007
    Umeå
    Well, without homebrew, piracy, and Datel, they probably wouldn't even know about the trucha bug ...
     
  18. WiiPower

    WiiPower GBAtemp Guru

    Member
    Oct 17, 2008
    Gambia, The
Just general security, I guess. Boot1 had the trucha bug, and so they updated it. BootMii was announced earlier, and Nintendo is going to close one known hole after the other; OK, they do it slowly, but they eventually do it. Imagine the various anti-Twilight Hack updates, how long trucha was known until it was fixed in all IOSes, and how long the IOS16 hole wasn't fixed.
     
  19. Apekop
    OP

    Apekop GBAtemp Regular

    Member
    Apr 9, 2009
    Netherlands
    Location, location, location.
That's true, but since 4.0 just came out I can't imagine N coming up with games that require 4.1 for quite some time.
     
  20. WiiPower

    WiiPower GBAtemp Guru

    Member
    Oct 17, 2008
    Gambia, The
The next step to higher security will be Wii MotionPlus. Since it will be used by a lot of games and will require a new driver, Nintendo would be stupid not to bundle the new required IOS with some new security.