Difference between revisions of "Boot2"

From RGDWiki
m
(Added SDBoot info)
 
Line 1: Line 1:
 
{{DISPLAYTITLE: boot2}}
 
{{DISPLAYTITLE: boot2}}
 +
 
<span style="background: #F1EBEB; border: 2px #CACACA solid; padding: 2px 1px 2px 4px;">
 
<span style="background: #F1EBEB; border: 2px #CACACA solid; padding: 2px 1px 2px 4px;">
[[File:Wii.png |30px|30px]] This topic has a Wiibrew article. For more information, check [http://wiibrew.org/wiki/boot2 here].</span>
+
[[File:Wii.png |30px]] This topic has a Wiibrew article. For more information, check [http://wiibrew.org/wiki/boot2 here].</span>
  
 
'''boot2''' is the Wii's third-stage bootloader; it is stored in the [[BroadOn]] WAD format, which includes a ticket that is encrypted with the common key and signed.
 
'''boot2''' is the Wii's third-stage bootloader; it is stored in the [[BroadOn]] WAD format, which includes a ticket that is encrypted with the common key and signed.
Line 7: Line 8:
 
boot2 versions 1 through 4 are known to exist. 1 is only seen on prerelease consoles including those with the [[Startup Disc Menu]] installed, 2 is seen on earlier units, 3 came preinstalled on some newer systems, and 4 was deployed to all Wiis with a system menu update.
 
boot2 versions 1 through 4 are known to exist. 1 is only seen on prerelease consoles including those with the [[Startup Disc Menu]] installed, 2 is seen on earlier units, 3 came preinstalled on some newer systems, and 4 was deployed to all Wiis with a system menu update.
  
== boot2 update controversy ==
+
==boot2 update controversy==
  
 
Upon the release of the 4.2 System Menu update, which is believed to be the first time that a boot2 update was deployed to existing systems, it was discovered that a flaw in the [[ES]]_ImportBoot function used to update boot2 lead to the bricking of consoles which were installing the update.
 
Upon the release of the 4.2 System Menu update, which is believed to be the first time that a boot2 update was deployed to existing systems, it was discovered that a flaw in the [[ES]]_ImportBoot function used to update boot2 lead to the bricking of consoles which were installing the update.
Line 13: Line 14:
 
It is unknown if this issue was ever encountered outside of this update, since this is believed to be the only time that a boot2 update was deployed to existing systems.
 
It is unknown if this issue was ever encountered outside of this update, since this is believed to be the only time that a boot2 update was deployed to existing systems.
  
== Verification ==
+
==Verification==
  
 
boot2 is verified by [[boot1]], a program which cannot be changed on normal retail systems after factory setup due to [[boot0]] verifying it against a fixed hash in the non-rewritable [[OTP]]. As such, it is impossible to downgrade boot1 to enable the use of a modified boot2 on Wiis which do not have a boot1 version which is vulnerable to the fakesigning bug, therefore making it impossible to install BootMii as boot2 (or other custom boot2 solutions) on these Wiis. These Wiis are known as [[LU64+]] systems.
 
boot2 is verified by [[boot1]], a program which cannot be changed on normal retail systems after factory setup due to [[boot0]] verifying it against a fixed hash in the non-rewritable [[OTP]]. As such, it is impossible to downgrade boot1 to enable the use of a modified boot2 on Wiis which do not have a boot1 version which is vulnerable to the fakesigning bug, therefore making it impossible to install BootMii as boot2 (or other custom boot2 solutions) on these Wiis. These Wiis are known as [[LU64+]] systems.
  
== boot2v0 ==
+
==sd_boot==
 +
 
 +
During the [[Wii Factory Process]], a special boot2 known as "sd_boot" is used. This boot2 will verify and launch a [[BroadOn]]-format [[WAD]] from the SD card rather than continuing boot from NAND. sd_boot has an exploit in the SD reading code which allows for arbitrary code execution at coldboot with an SD card inserted, and as a retail signed sd_boot title is available which can be installed on any Wii (even [[Bollywood]]), this removes the previous restriction of not being able to run code (such as BootMii) as boot2 on newer Wiis.
  
The existence of boot2v1 (a normal but very early version of boot2) would imply the existence of boot2v0, as with other Wii titles. This title may have been used during the factory process to boot from an unencrypted NAND.
+
This boot2 uses version number 0, while the earliest 'normal' boot2 has version number 1.
  
 
{{Template:WiiNavbox}}
 
{{Template:WiiNavbox}}

Latest revision as of 16:07, 16 May 2020


Wii.png This topic has a Wiibrew article. For more information, check here.

boot2 is the Wii's third-stage bootloader; it is stored in the BroadOn WAD format, which includes a ticket that is encrypted with the common key and signed.

boot2 versions 1 through 4 are known to exist. 1 is only seen on prerelease consoles including those with the Startup Disc Menu installed, 2 is seen on earlier units, 3 came preinstalled on some newer systems, and 4 was deployed to all Wiis with a system menu update.

boot2 update controversy

Upon the release of the 4.2 System Menu update, which is believed to be the first time that a boot2 update was deployed to existing systems, it was discovered that a flaw in the ES_ImportBoot function used to update boot2 lead to the bricking of consoles which were installing the update.

It is unknown if this issue was ever encountered outside of this update, since this is believed to be the only time that a boot2 update was deployed to existing systems.

Verification

boot2 is verified by boot1, a program which cannot be changed on normal retail systems after factory setup due to boot0 verifying it against a fixed hash in the non-rewritable OTP. As such, it is impossible to downgrade boot1 to enable the use of a modified boot2 on Wiis which do not have a boot1 version which is vulnerable to the fakesigning bug, therefore making it impossible to install BootMii as boot2 (or other custom boot2 solutions) on these Wiis. These Wiis are known as LU64+ systems.

sd_boot

During the Wii Factory Process, a special boot2 known as "sd_boot" is used. This boot2 will verify and launch a BroadOn-format WAD from the SD card rather than continuing boot from NAND. sd_boot has an exploit in the SD reading code which allows for arbitrary code execution at coldboot with an SD card inserted, and as a retail signed sd_boot title is available which can be installed on any Wii (even Bollywood), this removes the previous restriction of not being able to run code (such as BootMii) as boot2 on newer Wiis.

This boot2 uses version number 0, while the earliest 'normal' boot2 has version number 1.