HackMii

Notes from inside your Wii


IOS: history, build process

June 30th, 2009 by bushing · 21 Comments

Another nerdy post, sorry. I want to talk about this “unsoftmoddable Wii” crap, but I need to go into some background first.

I’ve written in the past about IOS — or at least I’ve meant to — but it seems especially relevant now.

IOS probably stands for “Input/Output System” — because that’s what it does. It regulates I/O between the Broadway (PPC) and most of the rest of the Wii’s peripherals. It seems to have been written mostly from scratch by BroadOn.

Generally, when we talk about IOS, we mean the “firmware” that runs while normal code (game, system menu, etc) is running on the PPC. However, the same codebase is used to build boot2, boot1 and arguably even boot0! You can almost think of it as a set of matryoshka dolls:

  • boot0 – ~1.4K
  • boot1 / BC – ~ 17K
  • boot2 – ~160K
  • IOS (multiple versions) – ~ 1.8MB each

There are many other ways to describe this situation — boot2 is the “kernel” and IOS is kernel + modules; boot1 is a stripped-down version of boot2; boot0 is a stripped down version of boot1. The important part is that they are all compiled out of the same codebase. That’s why the same strncmp() bug was present in boot1, BC, boot2 and all versions of IOS.

IOS has changed forms quite a bit over time, and in the past, you could see this in the different versions of IOS installed on the system. The very first version of IOS (IOS4) was (is?) probably just used for factory work — it has USB, SD, DI and basic networking drivers (for the USB ethernet dongle), but lacked SSL / KD (WiiConnect24) / WiFi support; somehow, this fit into just 400K! It was once even up on Nintendo’s download servers, but then they took it down (and have since replaced it with a stub version).

One of the fun things we do is look for clues about the process behind all of this. Every version of IOS has a build date (or several) embedded in it. IOS 4 has a build date of 8/10/2006. Actually, it’s easiest to see if I take all of the version information I have and sort it by build date … here’s the first part:

IOS vers.  TMD vers.  build date    build tag
IOS12      6          Jun 4, 2006   fw.RVL.12.0.6.viper.0611041415
IOS4       3          Aug 10, 2006
boot2      2          Oct 1, 2006
IOS16      257        Oct 25, 2006  fw.RVL.16.1.1.viper.0611171440
IOS17      512        Oct 25, 2006  fw.RVL.17.2.0.viper.0611301141
IOS20      12         Oct 25, 2006  fw.RVL.20.0.12.viper.0702221710
IOS21      517        Oct 25, 2006  fw.RVL.21.2.5.viper.0708311326
mios       5          Nov 2, 2006   mios.64.0707060932
bc         2          Nov 2, 2006   bc.0611021443
IOS11      10         Nov 14, 2006  fw.RVL.11.0.10.viper.0611141652
IOS13      10         Nov 14, 2006  fw.RVL.13.0.10.viper.0611141652
boot2      3          Apr 17, 2007
IOS30      1040       Jun 25, 2007  fw.RVL.30.4.16.viper.0708311036
IOS31      1040       Jun 25, 2007  fw.RVL.31.4.16.viper.0708311036
IOS15      260        Aug 31, 2007  fw.RVL.15.1.4.viper.0708311323
IOS37      2070       Feb 23, 2008  firmware.64.0802290707
bc         4          Mar 4, 2008   bc.0803040819
mios       8          Mar 13, 2008  mios.0803140448
IOS30      2576       Apr 3, 2008   firmware.64.0804050736
IOS31      2576       Apr 3, 2008   firmware.64.0804050738
mios       9          Jun 5, 2008   mios.0806101043
bc         5          Jun 10, 2008  bc.0806101038
IOS4       ?          Jul 11, 2008
boot2      4          Jul 11, 2008
IOS10      768        Jul 11, 2008  firmware.64.0808061128
IOS11      256        Jul 11, 2008  firmware.64.0808061135
IOS20      256        Jul 11, 2008  firmware.64.0808061144
IOS30      2816       Jul 11, 2008  firmware.64.0808070639
IOS37      3609       Jul 11, 2008  firmware.64.0808070706
IOS37      3612       Jul 11, 2008  firmware.64.0901260758
IOS28      1292       Jul 14, 2008  firmware.64.0808050212
IOS31      3088       Jul 14, 2008  firmware.64.0808041103
IOS4       65280      Aug 7, 2008   firmware.64.0808070753

I’ll let those of you out there fill in the timeline of outside events (24c3 presentation, Freeloader, Trucha Signer, Twilight Hack, HBC, etc). The interesting parts to note are the build dates of IOS37 and onwards. The version of BC that follows is the first version of BC with the strncmp bug fixed — which makes sense if they build all code out of the same source tree. BC is very similar to boot1, so Nintendo had a fixed boot1 at this time — it’s still not clear when they actually rolled that out in the factory. IOS30 and 31 were then rebuilt to block Freeloader (etc), and then shortly thereafter, boot2v4 was built.

boot2 does not actually check any signatures, so it doesn’t make sense for Nintendo to rebuild it just for the sake of fixing the signature-checking code. Instead, I think this probably was to support a PCB rev or two, but more about that later…
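An added example, not part of the original post and not HackMii's or Nintendo's code: in the table above, each fw.RVL.* tag carries the IOS slot and a major.minor pair that equals the TMD version as major*256+minor, so the script below cross-checks a few rows copied from the table and reports how far the tag trails the embedded build date. Reading the trailing ten digits of a tag as a YYMMDDHHMM timestamp is an assumption; the post does not document the tag format.

```python
import re
from datetime import datetime

# Rows copied from the table in the post: (title, TMD version, build date, build tag).
ROWS = [
    ("IOS12", 6, "Jun 4, 2006", "fw.RVL.12.0.6.viper.0611041415"),
    ("IOS16", 257, "Oct 25, 2006", "fw.RVL.16.1.1.viper.0611171440"),
    ("IOS21", 517, "Oct 25, 2006", "fw.RVL.21.2.5.viper.0708311326"),
    ("IOS30", 1040, "Jun 25, 2007", "fw.RVL.30.4.16.viper.0708311036"),
    ("bc", 2, "Nov 2, 2006", "bc.0611021443"),
    ("mios", 8, "Mar 13, 2008", "mios.0803140448"),
    ("IOS37", 3612, "Jul 11, 2008", "firmware.64.0901260758"),
]

# fw.RVL.<slot>.<major>.<minor>.<builder>.<stamp>; other tag styles carry only the stamp.
FW_TAG = re.compile(r"^fw\.RVL\.(\d+)\.(\d+)\.(\d+)\.\w+\.(\d{10})$")
STAMP = re.compile(r"\.(\d{10})$")

def parse_tag(tag):
    """Return (slot, tmd_version, stamp); slot and version are None if the tag lacks them."""
    # Assumption: the last ten digits are YYMMDDHHMM.
    stamp = datetime.strptime(STAMP.search(tag).group(1), "%y%m%d%H%M")
    m = FW_TAG.match(tag)
    if not m:
        return None, None, stamp
    slot, major, minor = (int(x) for x in m.group(1, 2, 3))
    return slot, (major << 8) | minor, stamp

def audit(rows):
    """For each row: (title, TMD version, tag agrees with title/version, days tag trails build date)."""
    out = []
    for title, tmd, date, tag in rows:
        slot, version, stamp = parse_tag(tag)
        built = datetime.strptime(date, "%b %d, %Y")
        lag_days = (stamp.date() - built.date()).days
        # Tags without an embedded version cannot contradict the TMD, so they pass.
        ok = version is None or (f"IOS{slot}" == title and version == tmd)
        out.append((title, tmd, ok, lag_days))
    return out

if __name__ == "__main__":
    for title, tmd, ok, lag in audit(ROWS):
        print(f"{title:6} v{tmd:<5} tag consistent: {ok!s:5} tag trails build date by {lag} days")
```
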


BootMii beta 2

May 27th, 2009 by dhewg · 99 Comments

Edit: Please see the new FAQ up at bootmii.org.

Two weeks after beta 1 we bring you the first bugfix release: beta 2. Next to the usual metric ton of minor fixes and cleanups, here are the changes worth mentioning:

BootMii beta 2 (v0.9):

  • SD card performance has been improved, decreasing the boot and the NAND backup / restore time
  • backupmii accepts fragmented SD cards now, reformatting is not performed anymore. Old NAND dumps are still compatible.
  • Introduced the INI variable “BOOTDELAY” to set the timeout for the auto boot feature

The Homebrew Channel v1.0.3:

  • SDHC cards are working again
  • SD performance has been increased again (regression was introduced in v1.0.2)
  • HBC works on all system menu versions now
  • Fixed rare hangs when exiting HBC

DVDX:

  • Switched back to IOS < 37. While the SDHC problem for apps using DVDX has been fixed in libogc, there were also problems with USB keyboards under higher IOS versions

Installer v0.2:

  • Installer now works on newer Wiis with boot2v4 (instead of rebooting at “Press 1”)
  • Fixed reading of boot1/2 on Wiis with bad ECC data in that area
  • BootMii as boot2 and IOS can now be uninstalled

Grab the new installer here. Don’t forget to read the README before running the installer.

Please link to this post instead of mirroring the binary, thanks.

Enjoy.


Twilight Hack source code

May 26th, 2009 by Segher · 26 Comments

Without further ado… here.

Have fun! Any and all comments welcome.
