1. alexander1970

    OP alexander1970 Please a Pink Profilepagebackground for Christmas.
    Member

    Joined:
    Nov 8, 2018
    Messages:
    11,234
    Country:
    Austria
    SDBoot: BootMii shown in boot2 on every Wii


    A few weeks ago, the BroadOn leak mentioned "sd_boot", among other things, with which WAD files can be loaded directly from an SD card when the Wii is started. Now RedBees and Fluffy have shown an exploit that enables BootMii in boot2 on EVERY Wii.

    sd_boot is actually used in the Wii manufacturing process; the source code for this, including a retail-signed WAD, appeared in the BroadOn leak a few weeks ago. RedBees has now released a rather humorous preview trailer that shows BootMii in boot2 on a new Wii in which the Trucha bug in boot1 was actually fixed.



    This is a gap in the SD read code, which enables foreign code execution when cold booting (i.e. when the console is started).

    An installer for SDBoot has not yet been released. The only catch is that the sd_boot WAD cannot be obtained legally and a standard SD card (i.e. not SDHC / XC) is required.

    It is probably the most significant breakthrough in the Wii homebrew scene and finally a comprehensive brick protection for everyone! Except for Wii mini owners, of course, since they don't support SD cards anyway.

    Source: wiidatabase.de (German)
     
  2. Zurdonx

    Zurdonx Advanced Member
    Newcomer

    Joined:
    Oct 2, 2018
    Messages:
    77
    Country:
    Venezuela
    Oh YES.
     
    jeannotte and alexander1970 like this.
  3. th3joker

    th3joker GBAtemp Fan
    Member

    Joined:
    Dec 30, 2015
    Messages:
    414
    Country:
    United States
    Love the video editing so quirky
     
    jeannotte, MetoMeto and alexander1970 like this.
  4. E1ite007

    E1ite007 Weird avatar guy
    Member

    Joined:
    Nov 19, 2016
    Messages:
    786
    Country:
    Mexico

    Oh NO!

    -Knuckles the Echidna

    Anyway, this is pretty nice.
     
  5. KleinesSinchen

    KleinesSinchen GBAtemp's Backup Reminder + Fearless Testing Sina
    Member

    Joined:
    Mar 28, 2018
    Messages:
    1,953
    Country:
    Germany
    Theory: Cool

    In practice: Not so cool. Since the exploit does not rely on a SHA1 hash collision replacing boot1 with a custom version (which is theoretically possible with enough compute power = money) but on a properly signed bootloader copyrighted by Nintendo, this is not really what I hoped for.

    Don't get me wrong: The development is good, the possibilities are good. Brick protection for all, long-term usability like continuing to use a console with a partially damaged NAND. It's just the legal status that comes from relying on leaked data. Feels like everything that comes from this leak is "poisoned".

    An installer could probably never be distributed the way the HackMii Installer is now. If it requires SD boot all the time, this is a bit of a downer anyway (wear and tear from constantly swapping SD ←→ SD(HC|XC), and no boot without an SD card).
     
  6. banjo2

    banjo2 gamer
    Member

    Joined:
    May 31, 2016
    Messages:
    1,711
    Country:
    United States
    Congratulations to RedBees and Fluffy on this development, along with anyone else involved :)

    OT, but I do wonder if that's the same Fluffy that I knew ages ago
     
    jeannotte and alexander1970 like this.
  7. alexander1970

    OP alexander1970 Please a Pink Profilepagebackground for Christmas.
    Member

    Joined:
    Nov 8, 2018
    Messages:
    11,234
    Country:
    Austria
    A little "Background":

    Basic Overview of the Wii Factory Process:
    • During hardware manufacturing, boot0 is imprinted into the Mask ROM inside the Hollywood/Bollywood.
      • Hollywood is the name of the graphics chip (GPU) used in the Nintendo Wii. It was designed by ATI (now AMD), and was manufactured using the same 90nm process as the Broadway CPU. Hollywood is a direct evolution of Flipper, the GPU used in the Wii's predecessor, the GameCube; in fact, the two GPUs are fundamentally identical. They are very similarly capable, with the Wii's GPU being clocked 50% faster (243MHz, as opposed to Flipper at 162MHz) with the same memory pool (3MB). Hollywood provides no improvements in programmability compared to Flipper; however, the benefit of this similarity between the two chips is that Hollywood is completely backwards compatible with Flipper.

        Hollywood comes with the addition of an ARM chip, nicknamed "Starlet", which is clocked at the same speed as the graphics chip (243MHz). Starlet handles I/O, wireless (via SDIO) and security functionality among other things, and is responsible for the running of the Wii's IOS (internal operating system). Effectively, Starlet is the only meaningful difference between Hollywood and Flipper.

      • Bollywood is a revision of the Hollywood package inside the Wii first issued in mid-late 2008. It has modified timing from the original Hollywood, preventing older IOS versions from running and necessitating an update to all IOS versions and other software based on the IOS codebase for them to run on Bollywood. All Bollywood units also come packaged with a patched boot1, preventing use of the Trucha Bug to load unsigned code at boot time.

        Bollywood units are more commonly known as LU64+, due to the original serial number variation which was observed in NTSC Wiis when they began to ship with Bollywood. (This is inaccurate, as many serial numbers prior to LU64 contain Bollywood chips.)
    • During initial programming of the NAND chip, a "prewrite" image is flashed to NAND. This image contains boot1 and a special boot2 known as "sd_boot".
    • At the packaging plant, the Wii is powered on for the first time with SD card number 1 inserted. This SD card contains an image with various BroadOn-format WADs; sd_boot will load one of these WADs, an installer program which installs the other WADs to NAND. These WADs typically include a System Menu, IOS4, and IOS9.
    • Once the System Menu is installed, the "123J" disc is inserted. It is unknown what the actual title of this disc is; however, it possibly serves the purpose of encrypting the NAND filesystem, updating boot1, and setting the console's eFuses. This disc seems to contain a partition with the title ID "0000dead", which may contain the program which encrypts the NAND filesystem.
    • Another disc known as RVL_UJI_DIAG (or 121J) is inserted, along with another SD card ("#1.5"). This disc runs test programs on the system to validate the operation of the hardware, writing logs to testlog.txt in the process; it then registers the console's serial number (over Waikiki), generates the system's Setting.txt, and performs other actions to prepare for the next step of the process.
    • The final disc, known as 122E, is then inserted; this disc installs a WAD called "DataChk.wad" from the SD card, which contains Data Check and Log Check.
    • Data Check and Log Check (0002) verifies the results of 121J, to ensure that the logs and product info data on the system are correct.
    • The contents of 122E's update partition are then installed, containing the standard set of channels for retail along with the production Wii System Menu.
    • Some Bollywood Wiis have a disc ID of "0003" in their uid.sys as well. It's currently unknown what it does, but it is generally found immediately after 122E and right before any signs of retail usage (typically seen as the 00010000-00555045 of a disc's UPDATE partition).

    Source: https://wiki.mariocube.com
     
    MetoMeto, BaamAlex, XFlak and 2 others like this.
  8. W00fer

    W00fer Member
    Newcomer

    Joined:
    Sep 22, 2019
    Messages:
    10
    Country:
    Anguilla
    For the Wii Mini that is incorrect, as somebody already soldered the SD port back onto it.

    Deadlyfoez and his channel frequently cover Wii mini hacks.
     
    Brawl345 likes this.
  9. MetoMeto

    MetoMeto GBAtemp Maniac
    Member

    Joined:
    Dec 28, 2018
    Messages:
    1,009
    Country:
    Australia
    This is great news since I have a second Wii WITHOUT the ability for boot2 installation, only BootMii as an IOS.
    Can't wait for this... If this really comes out I can finally use my non-boot2 Wii since it's in the best condition~ :blush:
     
  10. XFlak

    XFlak Wiitired but still kicking
    Member

    Joined:
    Sep 12, 2009
    Messages:
    10,698
    Country:
    Canada
    What I don't like about SD boot is that without an SD card the Wii will not boot at all. So if your SD card reader breaks, the Wii won't work until it is repaired.

    In theory SD boot will be unnecessary; instead something more like BootMii will be created that works on all Wiis, and possibly will even have USB support. I'm not sure if this will happen anymore though, with DeadlyFoez deciding to retire; there aren't many people with the recovery skills, motivation and time to safely test updates to boot2.
     
    Last edited by XFlak, Oct 20, 2020
    jeannotte likes this.