boot2
| This article is a stub. You can help WiiBrew by expanding it. |
boot2 is the Wii's third-stage bootloader. It is responsible for loading the System Menu TMD and loading the appropriate IOS under normal circumstances, although it can also load MIOS if it detects the lowered clock speed set by BC (if syscall 55 returns 162).
boot2 itself is not much of a bootloader, and more of an IOS configured slightly differently with get_kernel_flavor returning 0 instead of 3. The main boot code is found in ES, but this code is present in other IOS branches as well.
boot2 is also launched by MIOS when the power button is pressed; the System Menu is initialized in this case, and 0x80003164 is set to 1 if the SRSTB_CPU bit is set in HW_RESETS; the System Menu checks 0x80003164 and shuts down if it is enabled and state.dat is set appropriately, with the message "Shutdown system from GC!".
There are two copies of boot2 housed in NAND blocks 1-7 in case of failure, loaded by boot1. boot2 seems to include code to complete the update if it detects /sys/boot.sys on the NAND; this code does not update the SEEPROM version.
boot2 was updated in the 4.2 update to boot2v4, the only time Nintendo has ever pushed a boot2 update, besides on prelaunch consoles. This was done by calling ES_ImportBoot to install it into the boot2 region of the NAND. Unfortunately, Nintendo did not test ES_ImportBoot very well, which led to many Wiis receiving a low-level brick, even if they were previously unmodded. The cause of this is unknown, although it may be related to the failure to write ECC data.
Format
boot2 is stored in a WAD-like format.
| Offset | Length | Description |
|---|---|---|
| 0x00 | 4 | Header length (always 0x20) |
| 0x04 | 4 | Data offset |
| 0x08 | 4 | Length of certificate chain |
| 0x0c | 4 | Length of ticket |
| 0x10 | 4 | Length of TMD |
| 0x14 | 12 | Padding (always 0) |
Following the header is the certificate chain, then the ticket, then the TMD, and finally the single bootable content[1].
Versions
boot2 stores its version in 3 places: the "title version" in the TMD, the "system version," and in SEEPROM. The title version is used by IOS to prevent downgrading on install, as well as the System Menu when deciding whether it is appropriate to try to update boot2.
The system version is normally a title ID; for boot2, the first 7 bytes are 0, while the last one is the version, which is supposed to match the SEEPROM version. This is to prevent downgrading during boot, as boot1 will hang if the version in SEEPROM is higher than the last byte of the system version. The other bytes of the system version do not seem to be checked.
Version history
| Version | Description |
|---|---|
| v0 | Installs the System Menu and IOS4. For older consoles, it also installs IOS9. For newer consoles, it also installs BC, MIOS, and 0000.[2][3][4] |
| v1 | Present on Prelaunch consoles. |
| v2 | Present on launch-day Wii's and in a large number of pre-2008 game disc update partitions. |
| v3 | Only found in Wiis released before LU64+ that were not updated to 4.2. Hardware compatibility updates. |
| v4 | Packaged in the 4.2 update to erase BootMii as boot2. Also found preinstalled in LU64+ Wiis. Improves hardware compatibility, fixes the signing bug in the unused signature check code, and unintentionally breaks the HackMii Installer |
| v5 | Only found on Arabian Wiis, the Wii Mini and newer RVL-101 units. |
References
↑ 1. https://github.com/fail0verflow/mini/blob/befb64ce1cd493946c9a9a0a412262a998f478d9/boot2.c#L35
↑ 2. https://hackmii.com/2008/07/factory2/
↑ 3. https://hackmii.com/2010/09/insert-startup-disc/
↑ 4. Factory 3 post by Hallowizer