HackMii

Notes from inside your Wii


BootMii: The Beginning

October 14th, 2008 by marcan · 94 Comments

A few days ago I posted a video of something that we’ve come to call BootMii. I think it’s time to answer some questions about what it really is, what it does, and how it will help you. Oh, and by the way, before I bore you and you stop reading this, at least note that BootMii is entirely software-based. The hardware in the video is merely for debugging.

The first thing that you need to realize is that BootMii isn’t a single application or hack – it’s a platform for hacks. Up until now, we’ve had little control over what software our Wiis truly run. Sure, we can run our own stuff, but ultimately we’re users of the system – everything we do has to go through Nintendo’s software. We can avoid updates and try to understand the existing system, but we’re still dependent on it. Every piece of Wii Homebrew currently depends on Nintendo’s IOS. This isn’t a bad thing (it provides many bits of code that we don’t have to write), but it also means we have to follow its rules.

Now, there have been some hacks around the system, of course. PatchMii was developed to get rid of some of the restrictions of IOS – but it’s not particularly practical, and only really works for one IOS at a time. Starfall gets rid of some annoyances of the system menu, but it’s an ugly low-level filesystem hack that will get erased with any Nintendo update. And at any time Nintendo can come and update the entire system to patch all the holes. Of course, we don’t expect the latter to happen (we have / will find more holes), but nonetheless it’s still unnerving to a degree.

BootMii – let’s call it the BootMii platform – is about changing that. Instead of being users of the system, doomed to hacking our ways from the inside, we’re going to turn the tables around. Now we’ll have control and Nintendo’s software will have to go through us to do anything.

Before going into details though, I must mention another subtle but important detail about how we’ve decided to go about designing BootMii. While we will be taking control of the system, we want to accomplish that while minimizing any changes to the existing system. This has many advantages. By keeping BootMii separate from the existing system for the most part, we can switch it on and off at will. This might become handy if, for example, Nintendo decides to start banning homebrewers from online games.

Now, I’ve said that BootMii is a platform. We’re still working on designing and building most of it, so don’t expect detailed explanations about the still-to-be-written pieces. Instead, today I’ll talk about the part of BootMii that was demoed in the video: BootMii-Core.

BootMii-Core is a very important piece of BootMii, ideologically speaking. What it does is give us full control of the console as early in the boot process as possible. A mere fraction of a second after you hit the power button on your console, BootMii-Core will already be running and you’ll have the ability to do anything at that point. This isn’t the only advantage, though. By being such an early hook, BootMii-Core is also the most brick-resistant piece of software that can be written for the Wii. You’d have to deliberately brick your Wii to kill BootMii, excluding one particular type of update by Nintendo (we’ll get to that later).

Let’s revisit the boot sequence of the Wii. The very first piece of code that runs is boot0, which is part of the mask artwork of the Hollywood chipset and thus entirely untouchable. It loads boot1 from the beginning of NAND and verifies it against a hash stored in non-writable memory. This ensures that boot1 is also untouchable (you’ll brick your Wii if you try). Here’s where it gets interesting: boot1 is supposed to load boot2 from a special reserved section of the NAND Flash memory. Boot2, which is a sort of mini-IOS, then kicks off the loading of the system menu (and ends up loading its required IOS beforehand). However, the boot2 verification uses the same exact infrastructure as the one used in the rest of the Wii, and it is also vulnerable to the fakesigning bug. Since boot1 is untouchable once the Wii leaves the factory, every current Wii in existence (as far as we know) is and forever will be vulnerable to this bug, which lets us install a fakesigned boot2 of our choice.

As you may have guessed, BootMii-Core is such a fakesigned boot2. However, it isn’t a hacked version of boot2, nor is it a replacement for boot2. First, you need to realize that boot2 as it actually is stored isn’t a monolithic piece of software. The following applies to boot2 and to all IOSes prior to IOS30, and to the boot file of IOS30 and beyond. These IOS binaries are in a simple format that is in three parts: a simple header, a small ELF loader, and the payload ELF proper. The ELF contains the actual IOS/boot2 code, and the ELF loader is a simple stub that loads it into memory and runs it. BootMii-Core replaces the ELF loader, leaving the original boot2 ELF payload intact.

Now, getting a bit more technical, the BootMii-Core “ELF loader” is itself a two-part file. Due to hardware limitations (strange memory accesses on the Wii and other technicalities that took us forever to figure out), we can’t just stick the main BootMii-Core code in place of the ELF loader. We actually have to make it its own loadable file, and then load it using our own ELF loader. Therefore, BootMii-Core replaces the boot2 ELF loader with a composite file consisting of our own ELF loader (the “stub”), and the BootMii-Core payload (the “loader” – we’ll get to that). Our new “boot2” now consists of three parts: Our stub ELF loader, the BootMii-Core ELF, and the original BOOT2 ELF – the former two taking up the spot of the original ELF loader.

The stub is a hopefully very simple piece of code that does two things: decide whether to load BootMii or the original boot2, and then load and jump to the selected option. Now, this isn’t going to be the normal way of falling back to boot2 – this is meant to be just a last-resort recovery option in case something goes seriously wrong (which would usually mean we’ve made a mistake). Getting the stub loader to load the original boot2 will probably involve something annoying like repeatedly pressing the RESET button on boot and hoping that the stub catches it. Let’s hope that we never have to resort to that.

The real fun starts in the loader portion. It’s a loader because it loads other code – from an SD card. Here’s the gist of the process: if the loader can successfully mount an SD card and load a certain file from it (/system/iosboot.bin), it will run it. Otherwise, it will just fall back to normal boot2 and your Wii boots normally.

That’s it. That’s BootMii-Core. From there, you can take it anywhere – you can stick a file on an SD card and it’ll be running about a second after you turn on your Wii – with full control over Starlet, and therefore full control over Broadway, Hollywood, and the rest of the Wii’s hardware. No restrictions. Cool, huh?

Now, I did mention that BootMii-Core also helped immensely with brick resistance. The Nintendo DS had FlashMe, which replaced the boot portion of the code and also placed a recovery stub inside a write-protected portion – you had to physically short out a jumper on the DS to install it and consequently to remove or break it. Unfortunately for us, no such hardware-based protection exists on the Wii. Sorry, folks, but we can’t stop someone if they’ve really set their mind on bricking your Wii (so please, be careful with the stuff that you run on it!). However, BootMii-Core is immune to almost any damage that you may cause to your Wii’s flash. It only depends on its own integrity and on boot1’s. boot2 (and therefore BootMii-Core) is stored in a separate section of the NAND, independent from the filesystem. This means that you could delete or format the entire directory structure of your Wii, and BootMii-Core would still run. This is one of the advantages of being independent from the original boot2 – that boot2 does depend on FS stuff, as it expects certain things to be there and tries to mount the filesystem. There are only four possible ways of potentially overwriting the area where BootMii-Core and boot1 reside:

  • Using /dev/flash under IOS (untested)
  • Using /dev/boot2 under IOS (untested) (does not apply to boot1)
  • Using ES_ImportBoot (and a proper real or fakesigned boot2 that is newer than the current version) (does not apply to boot1)
  • Using direct hardware writes from outside of IOS, using some sort of custom code on Starlet (ask bushing about this one – he’ll tell you how fun it is to forget a NAND-erasing call in some early BootMii code)

Nintendo can still update boot2 though – and in the process overwrite BootMii-Core with a pristine copy. We’ll try to avoid this (by using a larger version number for BootMii-Core), but the ultimate solution will be to patch IOS to remove ES_ImportBoot and therefore Nintendo’s ability to do so. But that’s a topic for another chapter…
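As an added illustration (this is example code written for this page, not BootMii’s or Team Twiizers’ code), here is a small Python model of the pieces described above: boot0’s fixed hash check on boot1, the three-part boot2 image (header, ELF loader, ELF payload) with BootMii-Core spliced in place of the loader only, and the newer-version-only gate that an update has to pass. The region sizes, the `TOY2` header format and all sample bytes are constructed for the example; the real NAND layout and boot2 header are different and are not documented on this page. The model checks two invariants the post relies on: splicing boot2 leaves boot1 (and therefore boot0’s check) untouched, and the original boot2 ELF payload comes out byte-for-byte unchanged.

```python
import hashlib
import struct

# Constructed toy layout: region sizes and header format are assumptions for
# this example, not the real Wii NAND layout or the real boot2 header.
BOOT1_SIZE = 64
BOOT2_SIZE = 256
HEADER_FMT = "<4sIII"            # magic, version, loader length, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"TOY2"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def pack_boot2(version: int, loader: bytes, payload: bytes) -> bytes:
    """Build a three-part image (header, loader, payload) padded to the reserved region."""
    image = struct.pack(HEADER_FMT, MAGIC, version, len(loader), len(payload)) + loader + payload
    if len(image) > BOOT2_SIZE:
        raise ValueError("image does not fit the reserved boot2 region")
    return image.ljust(BOOT2_SIZE, b"\xff")   # erased flash reads back as 0xFF


def unpack_boot2(region: bytes):
    """Parse the toy image back into (version, loader, payload), checking bounds."""
    magic, version, loader_len, payload_len = struct.unpack_from(HEADER_FMT, region, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    loader_end = HEADER_LEN + loader_len
    payload_end = loader_end + payload_len
    if payload_end > len(region):
        raise ValueError("section lengths run past the region")
    return version, region[HEADER_LEN:loader_end], region[loader_end:payload_end]


def boot0_accepts_boot1(boot1_region: bytes, otp_hash: str) -> bool:
    """boot0's fixed check: boot1 must match the hash kept in non-writable memory."""
    return sha1_hex(boot1_region) == otp_hash


def splice_bootmii(boot2_region: bytes, stub: bytes, core_elf: bytes) -> bytes:
    """Replace only the loader part with stub+core, keep the original payload, bump the version."""
    version, _old_loader, payload = unpack_boot2(boot2_region)
    return pack_boot2(version + 1, stub + core_elf, payload)


def accept_import(installed_version: int, candidate_version: int) -> bool:
    """Newer-only gate: a candidate boot2 is installed only if its version is higher."""
    return candidate_version > installed_version


def payload_unchanged(before: bytes, after: bytes) -> bool:
    """True when the ELF payload survived the splice byte-for-byte."""
    return sha1_hex(unpack_boot2(before)[2]) == sha1_hex(unpack_boot2(after)[2])


def demo() -> dict:
    # Constructed sample contents; none of these bytes come from a real console.
    boot1_region = b"toy-boot1-code".ljust(BOOT1_SIZE, b"\xff")
    otp_hash = sha1_hex(boot1_region)          # stands in for the factory-burned hash
    original = pack_boot2(4, b"original-elf-loader", b"\x7fELF-original-boot2")
    spliced = splice_bootmii(original, b"stub-elf-loader", b"\x7fELF-bootmii-core")
    new_version = unpack_boot2(spliced)[0]
    tampered_boot1 = bytearray(boot1_region)
    tampered_boot1[0] ^= 0x01                  # any change to boot1 fails boot0's check
    return {
        "boot1_still_accepted": boot0_accepts_boot1(boot1_region, otp_hash),
        "tampered_boot1_rejected": not boot0_accepts_boot1(bytes(tampered_boot1), otp_hash),
        "payload_unchanged": payload_unchanged(original, spliced),
        "new_version": new_version,
        "official_v4_accepted": accept_import(new_version, 4),
        "official_v6_accepted": accept_import(new_version, 6),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results show both sides of the version trick: a pristine boot2 at the version BootMii-Core was spliced over is refused by the newer-only gate, while a genuinely newer official boot2 still passes it, which is why the post says the complete fix is removing ES_ImportBoot from IOS rather than relying on the version number alone.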

So what can you do with BootMii-Core anyway? Well, the sky’s the limit – you’re running Starlet code on boot, really, there are no limits. However, a simple example was seen in the video: by using a very simple iosboot.bin that just loads the original boot2 and patches it to change the boot title, we can run The Homebrew Channel on boot instead of the system menu. This by itself will already let you fix banner / system menu bricks and the like, as long as you have HBC and BootMii-Core installed. As a more elaborate example, you could load a NAND backup/restore utility from SD, using custom code instead of IOS and without depending on the filesystem. This would let you fix pretty much any brick that didn’t mess up BootMii-Core. And of course, other parts of the BootMii platform will also take advantage of this run-on-boot system to let you do more fun things. We’ll talk about those when the time comes :)

Oh, and don’t worry, we’ll release BootMii-Core when it’s ready. No need to pester us for the release date 😉

Happy hacking!

Tags: Wii

94 responses so far

  • 1 Capt_Trips // Oct 17, 2008 at 11:53 am

    Please do whatever it takes to make this thing legal:

    That means Artificial Boots 0, 1 and 2, not just a splice into boot 2.

    I am just praying Nintendo is pleased with this, Otherwise it is all over.

    As a rare aside, Props for the idea Marcan. Did you get the idea only after opening up the Wii?

    Btw, Patents protect process and idea. You cannot use Nintendo’s process! You cannot open up the wii until you have a new process! You can only open up the wii to prove that process! You guys did everything backwards!

    Stop posting videos! Stop incriminating yourselves! Clean up your room!

  • 2 nightwatch // Oct 17, 2008 at 9:59 pm

    At least in theory it might be possible to use a “User Account Control” type of system for updating boot2. That is, whenever the Broadway asks IOS to upload a new boot2, just trap the request and make sure the user assents.

    If it’s not feasible to communicate with the user directly like that in IOS, an alternative could be to require that the user sign custom boot2 updates with a secret user-specific key. The user’s public key could be read from the SD card on startup and then stored in IOS memory, untouchable by Broadway-accessible code. Any updates not cryptographically signed by the user would be rejected. Nintendo couldn’t forge the signature, because the private key would be different for each user, and they couldn’t replace the public key on the SD card with their own, because BootMii would have already stored that key safely before any Nintendo code could run.

    Of course, I don’t claim to know that much about the technical limitations here: this is just theory. :)

  • 3 HyperHacker // Oct 18, 2008 at 5:47 pm

    Right, but you could add/patch an IOS call that would jump to an arbitrary memory location. You’d still be using IOS, but with the ability to take over the ARM core at will.

  • 4 Itsme // Oct 19, 2008 at 10:34 am

    On an entirely different subject, the monitor you’re using seems to be a normal computer TFT. (or is that me?)
    How did you connect those two?

  • 5 marcan // Oct 19, 2008 at 1:00 pm

    @Itsme:
    A DIY VGA transcoder. Google for “X2VGA”, it’s a similar (commercial) device. The DIY one is the box with the red and green LEDs sitting under the monitor.

    @HyperHacker:
    That’s true. Although just patching IOS would also let you do that, but with the BootMii platform you could seamlessly add it to any IOS without patching it physically.

    @Capt_Trips:
    I only approved your post to reply to it. You have no clue how patent law works. You have no clue how copyright law works. We’re not infringing on anyone’s copyright. We’re not infringing on any real patents. We might be infringing on software patents, just like pretty much all software out there, and that’s entirely irrelevant because we don’t care about software patents and neither does anyone else (except for companies who want to harass each other) – and they weren’t even legal (yet) in Europe last I checked. Using boot0 or boot1 is completely legal. Splicing into boot2 is legal as long as we don’t distribute the spliced result. We can’t use a custom boot0 or boot1 unless you’re willing to have a go at your Wii with a focused ion beam microscope. In other words, you’re a clueless idiot. Stop posting nonsense on the forums. Don’t expect to get your next comment approved unless you’ve done your research and post actual facts.

  • 6 Itsme // Oct 19, 2008 at 1:31 pm

    Thanks.
    You guys are heroes around here by the way. :)

    And I know this post will be deleted, just wanted to be polite. 😉

  • 7 marcan releases more info on BootMii | NES Hacks // Oct 19, 2008 at 2:57 pm

    […] Source […]

  • 8 Wii/NDS - Nintendo hacking news site - Dash Hacks Network » Blog Archive » More detailed information on BootMii // Oct 21, 2008 at 7:55 am

    […] Source […]

  • 9 Lucario // Oct 22, 2008 at 2:37 pm

    Great job! But what would you need to install it, like just the SD card or something we have to buy etc…, and what happens if the boot2 you guys release somehow got corrupted, would that brick your Wii or just not work?

  • 10 Deozaan // Oct 23, 2008 at 8:28 pm

    You said you didn’t think Nintendo would block BootMii, but that’s exactly what they’ve done with the new system update. Obviously that means they’ve been working on it since before you posted this. How do you feel about that now?

  • 11 marcan // Oct 24, 2008 at 4:02 am

    @Deozaan.
    Nintendo didn’t block BootMii – they can’t. What they did is block normal BootMii installs, which is fine by me because we have several exploits to make it work anyway. When BootMii-Core comes out it’ll work on updated Wiis.

    @Lucario:
    If boot2 gets corrupted your Wii will be bricked. However, since it’s verified and the installer will check four or five times in different ways to ensure consistency, that should never happen. Any corruption would trigger many checks to fail and it wouldn’t get installed.

  • 12 Zim // Oct 24, 2008 at 5:13 am

    @Marcan:
    It’s good to hear that you guys have come up with more exploits.

    But the question to ask now would be this:
    Would any of these other exploits work against the most recent update? Will you guys come up with a homebrew app to fix this (BootMii?)?

  • 13 marcan // Oct 24, 2008 at 5:17 am

    @Zim:
    Yes, there are exploits that work with the most recent update.

  • 14 HCK // Oct 24, 2008 at 6:48 am

    Awesome news Marcan 😉

    You all rule, guys! They have no chance to block homebrew with you on our side!

  • 15 DRayX // Oct 24, 2008 at 11:39 am

    Will BootMii allow a person to install the Homebrew Channel on a Wii with the latest update, or will it require a new version of the Homebrew Channel installer? Glad to hear that you at least have some way of installing unsigned code now that they have fixed the signing bug in all versions of IOS.

  • 16 Lucario // Oct 24, 2008 at 2:17 pm

    @marcan:

    Sounds really awesome, because now my Wii will be brick-proof. Oh, and like I asked, what might you need to do this (install it)? I’m sorry, I might have missed what you said in previous comments: install boot2 with only an SD card and a computer? Oh, and what version of Linux would you recommend for an advanced hacker? I want Linux, I just want the best one in your opinion.

  • 17 chungy // Oct 24, 2008 at 2:22 pm

    In an earlier comment, you said “We want (need!) to keep BootMii as simple as possible as we want to minimize the need for updates (nobody likes overwriting boot2).”

    This isn’t completely clear to me. When you say nobody likes overwriting boot2, are you meaning the potential dangers of modifying the way the Wii boots, or the possibility of a catastrophic power failure during installation?

    In the case of the latter, I would think Nintendo would be very wary to update boot2 as well; surely the majority of Wii owners do not have any homebrew installed (or BootMii), and Nintendo wouldn’t particularly like fixing bricked Wiis partially caused by them (a power failure certainly will have a hand in it, too).

    I’ve not completely seen how the NAND filesystem operates, either. Is there any sort of journaling to prevent such catastrophes?

  • 18 lordofhyphens // Oct 24, 2008 at 5:31 pm

    Couldn’t leave a comment in the appropriate blog posting, but re: SaveMii, have you considered taking a “copyleft” approach to the design (see http://www.wired.com/techbiz/startups/magazine/16-11/ff_openmanufacturing?currentPage=all)? The article’s talking points seem to be similar to your concerns regarding SaveMii and the copycats.

  • 19 wiisixtyfour // Oct 24, 2008 at 6:02 pm

    So even if I accidentally updated yesterday, I could still install BootMii?
    Then, since BootMii doesn’t require IOS, couldn’t you make a downgrader?

  • 20 HyperHacker // Oct 25, 2008 at 11:53 pm

    wiisixtyfour: see reply #63.

    chungy: I don’t think a power failure is really something to worry about during this process. The actual write process should only take milliseconds; you’d have to have *extremely* unfortunate timing to have it cut out mid-write. The real danger is in the code; any bug in boot2 or the installer could brick the console. Nobody likes overwriting boot2 because it’s vital to the boot process.

    I wonder if new Wiis have or will have the signature bug fixed in boot1. Does the installer check for that?

  • 21 wiisixtyfour // Oct 26, 2008 at 12:50 pm

    @HyperHacker
    yeah, i figured that out, but are there going to be ways to downgrade the IOSs so that they have the fakesign bug again?

  • 22 spyro25 // Oct 26, 2008 at 11:31 pm

    I have a bricked Korean Wii, updated it with PAL Wii Music (I know, I know).

    I never installed the homebrew channel before the bricking

    Will bootmii help me to finally unbrick my wii?

  • 23 BootMii, saviour of Wii’s | Caesar's // Oct 27, 2008 at 4:35 pm

    […] BootMii cares about your wallet and saves you days of frustration. […]

  • 24 SnoFox // Oct 27, 2008 at 4:45 pm

    Sweet! I can wait until it is released! I sent my Wii into Nintendo to clean the disc drive, and when I got it back, it came with a notice saying it “Malfunctioned” and they gave me a new Wii with, of course, firmware 3.3. So now I can use some homebrew, like parts of Gecko OS. -.-‘

    Well, before I get too excited, I WILL be able to get around stuff like that with BootMii, right?

  • 25 Lucario // Oct 28, 2008 at 8:33 pm

    @SnoFox

    Where did you send your Wii? Like, what’s their emailing address to do that, because I might do that. Can you give me the information needed to do this please? Thanks :)

  • 26 aguamelon // Oct 30, 2008 at 11:51 pm

    I didnt get it, if you are not doing this to run normal homebrew apps, what is this for then? Dont get me wrong this looks good but i dont really understand what will the enduser be able to do?

  • 27 HyperHacker // Oct 31, 2008 at 9:28 pm

    What BootMii does (or future versions will likely do) for the average user:
    -Makes the console nearly impossible to accidentally brick. As long as boot2 is intact, it will be possible to boot a recovery program.
    -Prevents Nintendo blocking homebrew methods.

    And for the advanced coders and hackers:
    -Provides a “backdoor” to load arbitrary code on Starlet at bootup, which gives full control of the system.
    -Easier IOS hacks, without having to patch them in NAND nor run a program every time.

  • 28 cheatman3005 // Nov 1, 2008 at 8:17 pm

    I hope this will come out soon. I want my Wii back. Dang Banners. Oh well.

    Anyways, Keep up the good work, marcan.

  • 29 metroid maniac // Nov 8, 2008 at 1:15 am

    Does iosboot.bin contain any code? Or is it just a trigger? If it’s code, will we be able to see WiiRd direct from system boot on the menu, without launching Gecko OS? Also, can Starlet code do graphics? So you could make a no-IOS recovery app.

  • 30 SnoFox // Nov 9, 2008 at 6:43 pm

    @ Lucario: Nintendo has an online request for order repairs. I had to go through the Super Smash Bros error section before I found the link. If you’re looking to send SSBB and Wii in use this form: http://my.nintendo.com/consumer/repair/repair_form_us_ssbb.jsp
    If it’s something else, you should go to Nintendo.com, and click support. BE SURE TO BACK UP YOUR SAVES BEFORE SENDING! I lost all my saves, and all my homebrew that wasn’t on an SD card because of something that happened in the shipping process. I got a Wii, but I’ve lost hours and hours from SSBB, Zelda, and the rest of my games.

  • 31 metroid maniac // Nov 13, 2008 at 1:31 am

    can there be a splash screen on some sort of delay on the stub? so that we have a better chance of recovery if bootmii core screws up lol. will there be two different kinds of stub, one which loads bootmii automatically, another that loads boot2. i would like the second one :-) (i only want to use it as brick recovery. damn out of region updates)

  • 32 FF1981 // Nov 14, 2008 at 8:51 am

    Someone told me that BootMii can’t work on a Korean Wii. I don’t know if it is true or not, and it is very, very important to me. Please tell me! You are my last chance to save my Wii.

    Since my fully bricked Wii has no help now, I have no reason to keep it. Maybe I can send it to you, seriously, I am not kidding.

    Sorry for bugging you, good luck with your work.

    my e-mail: ZZZFANG2003@YAHOO.COM.CN

  • 33 What’s next at tonatonari // Nov 18, 2008 at 11:16 am

    […] what do we really want to do? Rely on as little of Nintendo’s code as possible. This is what BootMii is all about. We want to hook into the Wii processes as early as possible, so we don’t have […]

  • 34 KickBan.net - Technical Blog » on the Wiiire. // Nov 23, 2008 at 6:35 am

    […] people are really working hard to make the Wii video Game system awe – wait for it – some. […]

  • 35 zeldarocks // Dec 10, 2008 at 2:29 pm

    @Marcan: how will installation of Bootmii work, will it be a Twilight-esque installation or will it be from the SD card directly?

  • 36 metroid maniac // Dec 16, 2008 at 1:31 am

    Sorry, I’ve been kind of noobish, but can you set the BootMii installer to run off IOS16? As far as I know it is vulnerable to fakesigning, only has one version and isn’t in updates. I mean, as time goes on the bugs might get smaller to the point at which they are unusable.

  • 37 marcan // Dec 17, 2008 at 7:11 am

    IOS16 is illegal and will go away with the next update. We don’t plan on ever using it.

  • 38 Cathryne // Dec 29, 2008 at 8:58 am

    Lucario asked the following above, and I am left with the same question:

    “…what would you need to install it, like just the sd card or something we have to buy etc…”

    Are you at a point in development that you can give us some insight into possible installation method(s) for BootMii once it is released? Even a “we’ll tell you when we’re ready” response would be appreciated. I’m very excited about the possibilities.

  • 39 Corysmart // Jan 4, 2009 at 7:38 am

    Using BootMii, couldn’t you delete the system menu and use your own? Plus, when updates are downloaded, couldn’t they be patched so updates won’t install IOSes but only updates for channels like the Shop Channel or Mii Channel? All of you are extremely talented hackers and I give you props.

  • 40 aledTH // Jan 4, 2009 at 9:21 am

    This is interesting. Will BootMii have a GUI? Will it have two buttons to load the Wii Menu or another thing (like HBC)?

  • 41 metroid maniac // Jan 19, 2009 at 12:45 am

    BootMii is awesome. When I’ve installed it I’m gonna install Starfall. I don’t want to take the risk (3.2j).

  • 42 chrisemersonnc // Aug 17, 2009 at 4:14 am

    First of all –> /bow_down – this is pure genius/awesomeness.

    Secondly –> Where is the official forum for technical issues w/this? I’ve tried quite a few SD cards on the Wiibrew compatibility list and nothing is working. I’ve tried FAT, FAT32 and various cluster sizes but no matter what, the Wii doesn’t boot into BootMii after I install the files on the SD card :(

  • 43 Hack the Wii « Projet Galaxie De L'Oeil Noir // Jan 15, 2010 at 2:59 pm

    […] brand new, hot off the press: BootMii. Until now, everything had to be done on the platform provided by Nintendo and […]

  • 44 Stop spending money on hard-modding your Wii, soft-mod it yourself and still play copied discs! | 蝴蝶養貓 // May 7, 2010 at 12:29 pm

    […] more extensive "takeover" of the Wii than The Homebrew Channel. You can read more about it here and here, if you're […]
