Difference between revisions of "Boot1"
(i'll let someone else wikify this :)) |
|||
| Line 1: | Line 1: | ||
| − | boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside a special partition on the | + | boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside the first block of NAND flash and encrypted with a key stored in the Mask ROM as part of boot0. As part of the boot process, boot0 will decrypt and hash boot1, and then compare it to a SHA1 hash stored in on-die OTP memory; if they do not match, then boot1 will not be executed. This means that any attempt to modify boot1 on a Wii will cause it to fail to boot. |
| + | |||
| + | There is a hard limit on the size of boot1: 48 pages of 2K each, or 96K. Of that, approximately 17K is actually used. | ||
| + | |||
| + | boot1 runs entirely out of on-die SRAM and performs initialization of the external DDR3 memory. It then loads boot2 (from a special partition in NAND), decrypts it and performs an RSA verification on it. Splitting the first part of the bootloader into boot0 and boot1 allows Nintendo to change RAM chips and also to fix bugs in RSA verification without respinning the Starlet core; at least 5 known versions of boot1 exist, most of which only differ in small ways in the DDR3 initialization code. | ||
| + | |||
| + | Some time in 2008, Nintendo fixed the strncmp bug in boot1 for newly-manufactured Wiis, preventing boot2 from being modified by e.g. [[BootMii]]. | ||
== boot1 error codes == | == boot1 error codes == | ||
Revision as of 05:21, 1 November 2009
boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside the first block of NAND flash and encrypted with a key stored in the Mask ROM as part of boot0. As part of the boot process, boot0 will decrypt and hash boot1, and then compare it to a SHA1 hash stored in on-die OTP memory; if they do not match, then boot1 will not be executed. This means that any attempt to modify boot1 on a Wii will cause it to fail to boot.
There is a hard limit on the size of boot1: 48 pages of 2K each, or 96K. Of that, approximately 17K is actually used.
boot1 runs entirely out of on-die SRAM and performs initialization of the external DDR3 memory. It then loads boot2 (from a special partition in NAND), decrypts it and performs an RSA verification on it. Splitting the first part of the bootloader into boot0 and boot1 allows Nintendo to change RAM chips and also to fix bugs in RSA verification without respinning the Starlet core; at least 5 known versions of boot1 exist, most of which only differ in small ways in the DDR3 initialization code.
Some time in 2008, Nintendo fixed the strncmp bug in boot1 for newly-manufactured Wiis, preventing boot2 from being modified by e.g. BootMii.
boot1 error codes
boot1 will flash error codes on the 8-bit debug port if a problem is encountered loading boot2 from the NAND flash.
| Error code | Notes |
|---|---|
| 4 | Misc error (valid blockmap not found) |
| 5 | Header error (length is not 0x20, or offset to data start is > 0x20000, or data start is not aligned to 64-byte boundary |
| 8 | RSA signature failure |
| 9 | Wrong key (CP used to sign ticket, etc) (or attempt to downgrade -- tmd version lower than SEEPROM version?) |
| 10 | EEPROM error (failure reading data from EEPROM) |
| 11 | Wrong ticket (not for boot2) |