Boot1

From WiiBrew
Jump to: navigation, search

boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside the first block of NAND flash and encrypted with a key stored in the Mask ROM as part of boot0. As part of the boot process, boot0 will decrypt and hash boot1, and then compare it to a SHA1 hash stored in on-die OTP memory; if they do not match, then boot1 will not be executed. This means that any attempt to modify boot1 on a Wii will cause it to fail to boot.

There is a hard limit on the size of boot1: 48 pages of 2K each, or 96K. Of that, approximately 17K is actually used.

boot1 runs entirely out of on-die SRAM and performs initialization of the external DDR3 memory. It then loads boot2 (from a special partition in NAND), decrypts it and performs an RSA verification on it. Splitting the first part of the bootloader into boot0 and boot1 allows Nintendo to change RAM chips and also to fix bugs in RSA verification without respinning the Starlet core; at least 5 known versions of boot1 exist, most of which only differ in small ways in the DDR3 initialization code.

Some time in 2008, Nintendo fixed the strncmp bug in boot1 for newly-manufactured Wiis, preventing boot2 from being modified by e.g. BootMii.

boot1 will detect an attempt to downgrade boot2, comparing the version number of the TMD in flash against a value store in the serial EEPROM. If the value in flash is less than that in EEPROM, it will fail to boot with error 10.

boot1 error codes

boot1 will flash error codes on the 8-bit debug port if a problem is encountered loading boot2 from the NAND flash.

Error code Notes
4 Misc error (valid blockmap not found)
5 Header error (length is not 0x20, or offset to data start is > 0x20000, or data start is not aligned to 64-byte boundary
8 RSA signature failure
9 Wrong key (CP used to sign ticket, etc)
10 EEPROM error (failure reading data from EEPROM, or EEPROM shows newer version of boot2 required)
11 Wrong ticket (not for boot2)

Version History

Unfortunately, there is no build date encoded in boot1 anywhere, nor a version number. The labels have been chosen more or less in the order they were seen, and are just used as a shorthand when discussing different versions. (Feel free to add info on the differences between each version, as well as when each was first seen)

name length OTP hash notes
boot1a 0x42c0 B3C32B962C7CD8ABE33D15B9B8B1DB197544 Seen on some early Wiis; not very common
boot1b 0x4320 EF3EF781968D56DF5679A6F92E13F78BBDDFDF Most common version on launch-day Wiis
boot1c 0x4400 D22C8A486C631DDF5ADB3196ECBC66878CC8D first version with fixed strncmp bug; first seen in 2008 (?)
boot1d 0x4840 F793068A09E80986E2A023C0C23F06140ED16974  ?

For comparison, here is the version history of BC, which is very similar to boot1:

version length build tag notes
2 0x414c bc.0611021443 corresponds with boot1b?
4 0x4d8c bc.0803040819 corresponds with boot1c?
5 0x4f08 bc.0806101038
6 0x502c bc.0908240243 corresponds with boot1d?
Personal tools
Resources
Community