Comments on: factory

By: bushing

bushing — Tue, 13 Jan 2009 23:57:05 +0000

boot1 is always encrypted; the hash is not verified if OTP is blank. However, this is not even necessary for the scenario you propose — the NAND flash chips could be preprogrammed with the production boot1 and a factory-specific (and console-agnostic) boot2. Somewhere during the factory process, the boot2 could encrypt the NAND FS with the per-console key, and then they could install the production boot2. (All of that seems to happen over the EXI bus, actually, using a “Waikiki adapter”).

So, if they do use preprogrammed NAND flash chips, then they can do this without a magic bus, yes.

By: ericball

ericball — Fri, 09 Jan 2009 22:55:32 +0000

The Wii’s bootloader reminds me a lot of the Atari 7800 which had a boot ROM which would verify the digital signature of the cartridge before executing it. If the signature check failure, it would lock the system into Atari 2600 mode.

Anyway, the following is how I would I would do it.

First, boot0 will load an unencrypted boot1 if the OTP is zero. Thus, my assumption is this is how Hollywood delivered from the factory. The NAND is preprogrammed with an unencrypted custom boot1 along with a bunch of validation apps. After everything is soldered together, it’s put connected to an automated test station which probably controls everything via the USB port. The results are written to NAND so if there’s a failure a “fixer” can get that info and try to resolve it.

Assuming the tests all pass, the NRAM is re-written by a the Wii itself with the encrypted boot1 and the rest of the normal contents. Then the OTP is written with the proper keys and checksums. Then the OTP WE line is locked out (by writing to a OTP bit which is OR’d with WE). Bang, Wii is now ready for shipment, no mystery bus required.

By: factory 2

factory 2 — Tue, 08 Jul 2008 03:43:21 +0000

[...] (Note: this is a continuation of http://hackmii.com/2008/06/factory/) [...]

By: ehntoo

ehntoo — Mon, 07 Jul 2008 07:14:22 +0000

I’m not entirely sure if it’s helpful, but the Wii I got on launch day prompted me for a setup disc on boot, and wouldn’t do anything else. I couldn’t even sync the wiimote, leading me to believe the “setup disc” actually contained the firmware.

I wish I hadn’t returned it now.

By: Pizza2004

Pizza2004 — Sat, 05 Jul 2008 04:36:03 +0000

@Seoul: The startup disk was only mentioned on the leaked contents of the box for the Wii prior to release, none actually were sold in the box to the public.

By: Seoul

Seoul — Sat, 05 Jul 2008 00:02:07 +0000

@bushing: I’ve got a launch PAL Wii, but for the disc pictured on the box, it says:

9. Wii Disc [RVL-006{EUR)] Wii Sports.

Does not mention anywhere in the manuals or box about a start up disc or set up disc, so I’m assuming the PAL Wii’s already had the updated firmware?

By: bushing

bushing — Thu, 03 Jul 2008 07:38:39 +0000

@Lyoko is cool: I’ve been searching for someone with a startup disc, with no success. If anyone out there has one, I’d love to either borrow it and rip it (you can have it back), or just a copy of the contents.

@Pizza2004: You may be on to something here. We don’t understand the Disc Interface (DI) very well; one of the GameCube patents makes some mention about multiplexing JTAG lines with the DI bus. It’s something that would be worth exploring.

By: Pizza2004

Pizza2004 — Thu, 03 Jul 2008 03:27:54 +0000

*I meant right, sorry about the typo. If I’m right, then couldn’t the same method be used to restore the wii or debrick it?

By: Pizza2004

Pizza2004 — Thu, 03 Jul 2008 03:26:07 +0000

The CD drive isn’t attached yet write? Perhaps they plug something into the port for the CD drive that does this, and then they plug the CD drive in when it is done? I don’t really know anything though, so I could be very wrong.

By: etc

etc — Tue, 01 Jul 2008 23:27:11 +0000

[...] / Factory — both of these have updates which deserve their own article. Stay [...]