Hacking What Wiis have vulnerable boot1?

[haru3173]

I get a message from Bootmii saying Boot Can be installed in one variant” -The installed boot1 version prevents a boot2 install (-2). So I installed bootmii as IOS. Is it because of hardware or software? Can I make my wii to have vulnerable boot1 so I can install bootmii boot2? My wii is Lu35 if that helps.

 

[jan777]

i think its hardware

because if it was software, they would have tried to fix it first before distributing it

maybe just wait where bootmii develops and eventually theyll be able to install it on all wiis

 

[frostyfrosty]

btw its boot2 =P

 

[_Alex_]

boot1 is software too, but its secured with a sha-1 encryption + hash, so if it's changed and doesn't match, your wii is permantly bricked...

 

[Slowking]

btw its boot2 =P

It's boot1...

Boot1 sits on a read only chip, so you can not change it and it verifys boot2. Since boot1s produced after mid 2008 don't have the signing bug in them anymore you can't fakesign boot2. It's that simple.

 

[haru3173]

btw its boot2 =P

It's boot1...

Boot1 sits on a read only chip, so you can not change it and it verifys boot2. Since boot1s produced after mid 2008 don't have the signing bug in them anymore you can't fakesign boot2. It's that simple.

Does that mean there's no hope for us?

 

[Don Killah]

yep, there's nothing we can do.
basically there's 2 type of Wii:
- those which can install as boot2 -> ultimate brick proof.
- all the others (mines fall into this categorie

) and install as ios -> brick proof with preloader...

 

[supagusti]

btw its boot2 =P

It's boot1...

Boot1 sits on a read only chip, so you can not change it and it verifys boot2. Since boot1s produced after mid 2008 don't have the signing bug in them anymore you can't fakesign boot2. It's that simple.

Does that mean there's no hope for us?

not till the real certificates are leaked...

edit: but maybe we can change the flash where boot1 resides. Is it a discrete chip or only part of something other - haven't found a systemboard layout yet!

 

[PNo4]

edit: but maybe we can change the flash where boot1 resides. Is it a discrete chip or only part of something other - haven't found a systemboard layout yet!

boot1 is protected by boot0, and boot0 is inside the Hollywood Starlet.

 

[supagusti]

edit: but maybe we can change the flash where boot1 resides. Is it a discrete chip or only part of something other - haven't found a systemboard layout yet!

boot1 is protected by boot0, and boot0 is inside the Hollywood Starlet.

That's real shit !
Cause according to http://wiire.org/Wii/console/motherboard and the datasheet of U14 (the NAND, see http://pdf1.alldatasheet.com/datasheet-pdf...9F4G08U0A.html) there is no technical reason, why we cannot exchange boot1 to an older versions (if it really resides on the chip)

 

[supagusti]

Ok - i've found it here: http://wiibrew.org/wiki/Boot_process
boot1 is secured through a hash:

boot1 Lives in a modifiable area of the NAND but cannot be changed due to its hash being stored in the OTP. Run by the Starlet.

As we know there are many different versions of code that produce the same hash.
So it is indeed possible to modify the boot1 on any console out there (although it cannot be done by me ;-))

 

[PNo4]

@supagusti

No need to complicate the explanations, with 2-3 pages of linked information.

boot1 is protected from alteration, by the sha-1 stored in OTP area, boot0 checks boot1 sha-1 against that sha-1 stored in the OTP area when you startup the Wii.

Oh and for someone to find a correct boot1 alteration that works and produce the same sha-1 as the one stored in the OTP area, i don't think we'll see that before Wii 50 has come if ever