Tmbinc says: "Wii hacked it!"

Status
Not open for further replies.

Railgun

( ' _ ' )
OP
Member
Joined
Feb 20, 2006
Messages
326
Trophies
0
Location
GBAtemp City
XP
327
Country
Gambia, The
QUOTE said:
Tmbinc has detailed his exploits in hacking the Wii to run unsigned code on the Debugmo blog...

http://debugmo.de/?p=59

Summary...
Quote:
QUOTE said:
* First thing which ever executes on the Wii is the “boot0? code, which is probably stored inside the hollywood in a mask rom.
* boot0 loads the first 0×2F pages (”boot1?) from flash, decrypts them with a fixed aes key, calculates a SHA-1 hash (with some obscure bugs specialities, I still couldn’t calculate it by hand), and checks that versus the expected values, read from some internal memory.
* If the hash bytes in the “internal memory” is all-zero, the hash check is skipped. This is probably used for production, and maybe for devkits.
* boot1 then searches a certain header in flash, where it extracts specific information where to find boot2.
* At that position, some certificate chain is checked, and finally the boot2 “tmd” is verified, and the hash extracted.
* The boot2 payload is load from flash, decrypted, and hash-checked (against the hash from the boot2 tmd).
* boot2 will then load the firmware, or whatever. That’s not my region of interest at the moment.

SOURCE

Wow, the homebrew is coming soon i think
smile.gif
 
Status
Not open for further replies.

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    Badcatalex @ Badcatalex: they killed LittleBigPlanet online, which was the main core of every LBP game