Comments on: boot0

By: jrod54

jrod54 — Tue, 16 Feb 2010 04:11:50 +0000

Did notice something, tho. I’m playing with a bsod wii m’board, and it queries a usb key I have plugged in port 2 every thirty seconds. Don’t know if that is of any importance.

By: bushing

bushing — Sun, 14 Feb 2010 00:24:20 +0000

It’s a nice thought, but the whole point of this series of articles on the boot process of the Wii was to exhaustively search for such a call to external storage. It doesn’t exist.

By: jrod54

jrod54 — Sat, 13 Feb 2010 18:58:12 +0000

You got me to thinking-I wonder if the boot process makes a call to external storage during the authentication process? The reason I ask is that it makes sense to me that Nintendo would not worry about bricking if the boot routine included a search for a common fixed key burnt into the Starlet if the initial key failed, a “back door” to be used by the factory to recover a bricked motherboard for reuse.

By: twelvebaud

twelvebaud — Thu, 28 Jan 2010 06:24:19 +0000

slang:

The ARM9 “Starlet” core is physically part of the Hollywood, and cannot be separated or removed in such a way that a replacement could be grafted on. That’d be like going “Gee, I don’t like one of the cores on my new AMD thingy, so I’m gonna rip one out and put a fresh one in its place.”

It is possible to remove and replace the entire Hollywood from the console, but unless you have access to ATI’s factory and can nab one before they hit it with whatever they use to program the OTP, it’s not gonna do you much good; you’ll have a different, but still non-zero, key, and if you want to use your Wii normally after that… I heard a rumor about a program called “betwiin” that bushing did, but other than that, you’re not gonna have any luck.

I haven’t seen anything specific, but I imagine the Wii uses eFuse technology like several other consoles, irrecoverably destroying transistors within the processor. Once it’s burned, it can’t be unburned, and if they’re smart it burns to FF rather than 00.

boot0 is located on Hollywood, etched into a ROM area.

By: slang

slang — Wed, 06 Jan 2010 13:30:11 +0000

Now I see our misunderstanding, my bad. I don’t mean to replace the ‘core’, but the ARM926EJ-S itself on the Hollywood.
In theory.

By: slang

slang — Wed, 06 Jan 2010 12:22:06 +0000

I see. To win you can a) zero out (or make OTP read as all zeroes) the OTP. Or b) modify / replace boot0, right?

I don’t know what kind of memory the OTP is, but some memory is erasable by UV.

I mean fysically removing the ARM core and put in a new one. I just imagined the core to be the bga type, but I don’t know this of course.

Also where exactly is the boot0 located?
Is it in the SEEPROM on the Hollywood?

By: bushing

bushing — Wed, 06 Jan 2010 05:03:49 +0000

If you can make the OTP read as all zeroes, you win. I have not found a way to do that — I don’t really know what you mean by “replacing the ARM core”.

boot0 has never, to my knowledge, been updated — but I haven’t really checked. there’s not much reason for them to ever do so.

By: slang

slang — Tue, 05 Jan 2010 17:00:39 +0000

Maybe a stupid question, what security would fail if the ARM core was to be replaced? (Leaving the OTP with zeros..)

As I’ve understood the consequence would be:

Boot0 -> Boot1 hask check skipped

Which could make way for unencrypted code to load:

Boot1 -> modified or replaced with boot1b
Boot2 -> modified or BootMii

Has the Boot0 been updated?

By: boot0 / skyeye

boot0 / skyeye — Thu, 12 Jun 2008 12:26:20 +0000

[...] (This is a continuation of boot0) [...]

By: superdave

superdave — Mon, 02 Jun 2008 14:22:12 +0000

So from this, it looks like the OTP (in the Starlet memory map, anyway) is at 0×80000000, but the boot1 key/IV is hardcoded in the mask ROM (0xFFFF05Fc)? That would imply to me that the boot1 key is console-invariant, unless I’m mistaken.