Wii factory process

From Rare Gaming Dump
(Redirected from Wii Factory Process)

Note: This article is very old and inaccurate, mostly based on guesses and speculation from before data from the Zammis Clark Breach was available.

This article describes the process of how production Wii consoles are set up at the factory, from initial manufacturing of the chips to retail shipment.

Basic Overview

  • A "prewrite" image is flashed to NAND containing boot1 and a special boot2 known as "sd_boot" during initial programming of the NAND.
  • At the packaging plant, the Wii is powered on for the first time with SD card number 1 inserted. This SD card contains an image with a series of WAD files; sd_boot will load one of these WADs, which is an installer program that installs the remaining WADs to NAND. These WADs typically include a System Menu, IOS4, and IOS9.
  • Once the System Menu is installed, the "123J" disc is inserted. It is unknown what the actual title of this disc is, however it may be responsible for encrypting the NAND filesystem, updating boot1, and setting the console's eFuses. This disc seems to contain an additional partition with the Title ID "0000dead", which has been speculated to contain the program used to encrypt the NAND's filesystem.
  • Next, a disc known as RVL_UJI_DIAG (with the Title ID 121J) is inserted, along with another SD card ("#1.5"). This disc runs test programs on the system to validate the operation of the hardware, writing logs to testlog.txt in the process; it then registers the console's serial number (over Waikiki), generates the system's Setting.txt, and prepares for the next step of the process.
  • The final disc, known as 122E, is then inserted; this disc installs a WAD called "DataChk.wad" from the SD card, which contains Data Check and Log Check.
  • Data Check and Log Check (Title ID 0002) verifies the results of 121J, to ensure that the logs and console information on the system are correct.
  • The contents of 122E's update partition are then installed, containing the standard set of channels found on a retail console along with the production Wii System Menu.

Some Bollywood Wiis have a disc ID of "0003" in their uid.sys as well. It's currently unknown what it does, but it is generally found immediately after 122E and right before any signs of retail usage (typically seen as the 00010000-00555045 of a disc's UPDATE partition.)

Preloading

Every Wii is preloaded at the hardware level with a few pieces of software; these are already present on the Wii and will run when the Wii is powered on at the factory. The first of these pieces of software is boot0, which is the first piece of code that runs on the Wii after it powers on. This code always stays the same from when it is physically programmed onto the chip during manufacturing, since it cannot physically be modified. boot0 then checks the hash of the boot1, which is stored in the Wii's eFuses, and at this point sees that they are blank, and determines that the Wii is currently in the factory and loads boot1 from NAND without a matching hash. This is because the eFuses are written to later during setup, using up the only opportunity to do so. boot1 works as usual by verifying the signature of boot2 on the NAND, and then loading it.

This version of boot2 being loaded at the factory is called "sd_boot", a special boot2 which does not read or write to NAND and instead boots from the SD card. An SD card (designated as SD#1) is prepared containing a number of WAD files (stored raw with no filesystem). One of these files contains an ARM binary that is then run on the IOP, being an installer program which will install the other WADs on the SD card to the NAND. On production systems, this typically includes an NDEV Menu, IOS4, and IOS9, although other variations have been seen such as images that install BC and MIOS. The NDEV Menu will then be booted, allowing for the next phase of setup to occur when a disc is inserted.

123J

At this point, a disc would be inserted to begin the process of setting up the system. While this disc presumably has an official name which is currently unknown, it will be referred to as "123J", as 123J is the GameID of the disc (as evidenced by its presence in the uid.sys logs of all Wiis, as well as other NAND remnants). This disc's exact purpose is unknown as no code from it has been recovered, but it is presumed that it plays the role of setting eFuse bits (which results in setting console-unique keys and finalizing the installed boot1 version), and possibly also updating boot1 and boot2 to prepare for the Wii to boot from a production encrypted NAND filesystem. This process likely would be done using a Waikiki from a PC host. This disc may contain a second partition with ID "0000dead".

RVL_UJI_DIAG

The next disc inserted is RVL_UJI_DIAG, with GameID 121J. A copy of this disc was obtained from an RVT-H Reader, and includes several testing programs which could be used to ensure the integrity of a unit's hardware, as well as programs that run pre-defined tests, the results of which are then written to testlog.txt. It also contains serNoReg, the program which registers the console's serial number using a mentioned but unseen piece of PC software, and "PreWrite.dol", a program which seems to write data to NAND over EXI (Waikiki); it is unknown if this is used in retail system production or not.

122E

PUSH SD CARD, THEN REMOVE IT
PUSH RESET BUTTON

See also: Data Check and Log Check

122E is a disc which has a game partition and an update partition; the game partition installs the title "0002" from the SD card (with filename "DataChk.wad"), and the update partition contains the final set of retail Wii System Menu/IOS/Channel data for production.

0002

0002 (DATA CHECK & LOG CHECK) is a program which checks the results of 121J to ensure that diagnostics passed and data was written correctly. While this program is meant to be deleted before the process finishes, for unknown reasons it is still present intact on some Wiis and versions 1.5.0 and 1.5.1 have been recovered.