New Exploit for the Wii - [SD Boot] announced.

SDBoot: BootMii shown in boot2 on every Wii


A few weeks ago, BroadOn leak mentioned "sd_boot", among other things, with which WAD files can be loaded directly from an SD card when the Wii is started. Now RedBees and Fluffy have shown an exploit that enables BootMii in boot2 on EVERY Wii.

sd_boot is actually used in the WIi manufacturing process; the source code for this, including a retail-signed WAD, appeared in the BroadOn leak a few weeks ago. RedBees has now released a rather humorous preview trailer that shows BootMii in boot2 on a new Wii in which the Trucha bug in boot1 was actually fixed.



This is a gap in the SD read code, which enables foreign code execution when cold booting (i.e. when the console is started).

An installer for SDBoot has not yet been released. The only catch is that the sd_boot WAD cannot be obtained legally and a standard SD card (i.e. not SDHC / XC) is required.

It is probably the most significant breakthrough in the Wii homebrew scene and finally a comprehensive brick protection for everyone! Except for Wii mini owners, of course, since they don't support SD cards anyway.

Source:wiidatabase.de (german)

 

A little "Background":

Basic Overview of the Wii Factory Process:

• During hardware manufacturing,boot0 is imprinted into the Mask ROM inside the Hollywood/Bollywood.
  Spoiler: Hollywood/Bollywood

  [*]Hollywood is the name of the graphics chip (GPU) used in the Nintendo Wii. It was designed by ATI (now AMD), and was manufactured using the same 90nm process as the Broadway CPU. Hollywood is a direct evolution of Flipper, the GPU used in the Wii's predecessor, the GameCube; in fact, the two GPUs are fundamentally identical. They are very similarly capable, with the Wii's GPU being clocked 50% faster (243MHz, as opposed to Flipper at 162MHz) with the same memory pool (3MB). Hollywood provides no improvements in programmability compared to Flipper, however the benefit of this similarity between the two chips is that Hollywood is completely backwards compatible with Flipper.
  
  Hollywood comes with the addition of an ARM chip, nicknamed "Starlet", which is clocked at the same speed as the graphics chip (243MHz). Starlet handles I/O, wireless (via SDIO) and security functionality among other things, and is responsible for the running of the Wii's IOS (internal operating system). Effectively, Starlet is the only meaningful difference between Hollywood and Flipper.
  
  
  [*]Bollywood is a revision of the Hollywood package inside the Wii first issued in mid-late 2008. It has modified timing from the original Hollywood, preventing older IOS versions from running and necessitating an update to all IOS versions and other software based on the IOS codebase for them to run on Bollywood. All Bollywood units also come packaged with a patched boot1, preventing use of the Trucha Bug to load unsigned code at boot time.
  
  Bollywood units are more commonly known as LU64+, due to the original serial number variation which was observed in NTSC Wiis when they began to ship with Bollywood. (This is inaccurate, as many serial numbers prior to LU64 contain Bollywood chips).

• During initial programming of the NAND chip, a "prewrite" image is flashed to NAND. This image contains boot1 and a special boot2 known as "sd_boot".

• At the packaging plant, the Wii is powered on for the first time with SD card number 1 inserted. This SD card contains an image with various BroadOn-format WADs; sd_boot will load one of these WADs, an installer program which installs the other WADs to NAND. These WADs typically include a System Menu, IOS4, and IOS9.

• Once the System Menu is installed, the "123J" disc is inserted. It is unknown what the actual title of this disc is, however it possibly serves the purpose of encrypting the NAND filesystem, updating boot1, and setting the console's eFuses.This disc seems to contain a partition with the title ID "0000dead", which may contain the program which encrypts the NAND filesystem.

• Another disc known as RVL_UJI_DIAG (or 121J) is inserted, along with another SD card ("#1.5"). This disc runs test programs on the system to validate the operation of the hardware, writing logs to testlog.txt in the process; it then registers the console's serial number (over Waikiki), generates the system's Setting.txt, and other actions to prepare for the next step of the process.

• The final disc, known as 122E, is then inserted; this disc installs a WAD called "DataChk.wad" from the SD card, which contains Data Check and Log Check.
• Data Check and Log Check (0002) verifies the results of 121J, to ensure that the logs and product info data on the system are correct.

• The contents of 122E's update partition are then installed, containing the standard set of channels for retail along with the production Wii System Menu.

• Some Bollywood Wiis have a disc ID of "0003" in their uid.sys as well. It's currently unknown what it does, but it is generally found immediately after 122E and right before any signs of retail usage (typically seen as the 00010000-00555045 of a disc's UPDATE partition.)

Source: https://wiki.mariocube.com