From WiiBrew

BootMii as boot2

Does installing BootMii as boot2 prevent the launching of GC games because BC has the signature bug fixed? I have a boot1-vulnerable Wii but no GC discs. Hallowizer (talk) 21:16, 28 April 2021 (CEST)

No, it works fine on my Wii with BootMii as boot2 and no custom MIOS or BC. --Pokechu22 (talk) 01:48, 30 April 2021 (CEST)
Weird, I wonder if the HackMii installer automatically replaces BC? Hallowizer (talk) 03:49, 30 April 2021 (CEST)
Nope, seems to be the exact same (based on a bootmii dump imported in dolphin, title/00000001/00000100/content/ has a sha-1 of 22b7c2ba3583fcca24134cca707fd339236afcc5, same as BC v6 obtained from NUS).
Possibly BC doesn't actually check the signature on boot2; it does seem to interact with NAND, the AES engine, and the SHA-1 engine though. I also checked and it writes things to the debug port which may match with the info on boot1 (but I'm not 100% sure; the code is really confusing and I don't want to spend too much time investigating it). It definitely checks *something* (one function uses Hardware/NAND, Hardware/AES Engine, and Hardware/SHA-1 Engine, and uses strings related to certificates ("Root", "CA", "-", "CP", "XS"), and is also responsible for writing to the debug port), but I don't know if it's actually boot2 that it's checking or something else (there are basically no other strings to look at for context).
(As for the debug port, it writes a value, and then inverts all of the bits and writes that value, in a loop waiting 1000000 units each time (it seems to be a busy loop for waiting so I don't know the units). It also always writes 0xbc to the debug port at startup, which might be where the name came from since I don't see any other text that gives it a name, unless I'm forgetting something in the system menu.) --Pokechu22 (talk) 08:06, 30 April 2021 (CEST)
Oh, one more thing: I confirmed that bootmii doesn't start when launching a GC game, but it does launch when pressing the power button while a GC game is running. I think this means that BC does not launch boot2, but MIOS will launch boot2 to turn off the Wii (note that on selecting the System Menu from bootmii, it loads as normal, i.e. the shutdown doesn't actually go through. But if no SD card is inserted, then it will eventually shutdown after the disc drive does a thing.) This could be confirmed by seeing if BC needs to be patched when modifying MIOS. --Pokechu22 (talk) 06:40, 2 May 2021 (CEST)
The reason I thought it launched boot2 is because mini has a bit of code to detect GC compat mode:
if (read32(0x0d800190) & 2) {   /* bit 1 of the register at 0x0d800190 flags GC compatibility mode */
	gecko_printf("GameCube compatibility mode detected...\n");
	vector = boot2_run(1, 0x101);   /* run boot2 with title 00000001-00000101 (MIOS) as the target */
	goto shutdown;
}
Hallowizer (talk) 06:53, 2 May 2021 (CEST)
Also, bushing said that BC got its signature check fixed. Hallowizer (talk) 07:12, 2 May 2021 (CEST)
I'm just replying with info that I remember noticing, but I could be wrong.
1) I thought BC booted boot2, however no bootmii/mini logging is thrown at my USBGecko when booting a GC game. mini indeed has that piece of code, but it's not doing the gecko_printf so mini is never started (or it is suppressed?)
2) When shutting down it does boot (as seen by bootmii booting up) and that somehow kills some kind of flag MIOS sets up. I always thought the bootstate told SM that it was shutting down, but something else is also going on. Does BC boot MIOS directly? --DacoTaco (talk) 09:26, 2 May 2021 (CEST)
I can now confirm that BC did have the signing bug and it was fixed in v4; the function that checks the signature can be found by looking for the hex constant 0x000ac004 in memory, and then looking at either of the two function calls with that value as a parameter (both of which just call another function that does the actual check). In v2, there's a call to strncmp at ffff2236. In later versions, they do the comparison directly (at around ffff0fd2 (v4) or ffff0fca (v5, v6)). I'm still not sure what it's actually checking the signature of; figuring that out would require a deeper understanding of the way NAND is laid out I think. --Pokechu22 (talk) 22:26, 2 May 2021 (CEST)
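The "signing bug" mentioned above is the strncmp comparison of SHA-1 digests: strncmp stops at the first 0x00 byte, so a forged signature whose recovered digest is all zeros matches any content whose real digest happens to start with 0x00. The following C program is an added illustration written for this talk page; it is not code from BC, boot1, boot2, mini or any Wii firmware, and it does not reproduce the actual function layout discussed here. It models only the final comparison step: the RSA decrypt and padding removal are left out, and both the "forged" digest and the sample content digests are constructed values, not real hashes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20

/*
 * Simplified model of the check (illustrative, not BC's real code):
 * the signature, once decrypted and unpadded, yields the digest the
 * signer vouched for (from_sig); the verifier hashes the content it is
 * about to run (computed) and compares the two. The RSA step is omitted.
 */

/* Buggy comparison (the Wii "signing bug"): strncmp treats both digests
 * as NUL-terminated strings and stops at the first 0x00 byte. If both
 * digests begin with 0x00, the remaining 19 bytes are never examined. */
int digests_match_buggy(const uint8_t *from_sig, const uint8_t *computed)
{
    return strncmp((const char *)from_sig, (const char *)computed, SHA1_LEN) == 0;
}

/* Fixed comparison: every one of the 20 bytes must match. */
int digests_match_fixed(const uint8_t *from_sig, const uint8_t *computed)
{
    return memcmp(from_sig, computed, SHA1_LEN) == 0;
}

/* Attacker-chosen signature value whose unpadded result is all zero
 * bytes (constructed for this example; no real RSA involved). */
const uint8_t FORGED_DIGEST[SHA1_LEN] = { 0 };

/* Constructed sample digests standing in for SHA-1 of attacker content.
 * SAMPLE_UNLUCKY starts with a non-zero byte and is rejected by both
 * checks; SAMPLE_LUCKY starts with 0x00 and slips past the buggy one. */
const uint8_t SAMPLE_UNLUCKY[SHA1_LEN] = {
    0x5a, 0x12, 0xe3, 0x44, 0x9b, 0x01, 0x77, 0xc8, 0x0d, 0xfe,
    0x21, 0x6a, 0x90, 0x33, 0xab, 0x58, 0x14, 0xef, 0x7c, 0x02 };
const uint8_t SAMPLE_LUCKY[SHA1_LEN] = {
    0x00, 0x7f, 0x3c, 0xd1, 0x29, 0x86, 0xb4, 0x0e, 0x55, 0xc7,
    0x92, 0x1b, 0xe8, 0x40, 0x6d, 0xfa, 0x03, 0x9e, 0x27, 0x61 };

/* Is content with digest `computed` accepted under the forged signature? */
int forged_sig_accepted_buggy(const uint8_t *computed)
{
    return digests_match_buggy(FORGED_DIGEST, computed);
}

int forged_sig_accepted_fixed(const uint8_t *computed)
{
    return digests_match_fixed(FORGED_DIGEST, computed);
}

/* The attacker's search loop in miniature: `cands` holds n consecutive
 * 20-byte digests (in a real attack you would re-hash the content after
 * bumping a filler byte each round, and expect a leading 0x00 roughly
 * once in 256 tries). Returns the index of the first candidate the buggy
 * check accepts, or -1 if none does. */
int first_accepted_buggy(const uint8_t *cands, int n)
{
    for (int i = 0; i < n; i++)
        if (forged_sig_accepted_buggy(cands + i * SHA1_LEN))
            return i;
    return -1;
}

int main(void)
{
    uint8_t cands[3 * SHA1_LEN];
    memcpy(cands, SAMPLE_UNLUCKY, SHA1_LEN);
    memcpy(cands + SHA1_LEN, SAMPLE_UNLUCKY, SHA1_LEN);
    cands[SHA1_LEN] = 0x01;                 /* still non-zero: rejected */
    memcpy(cands + 2 * SHA1_LEN, SAMPLE_LUCKY, SHA1_LEN);

    printf("buggy check, unlucky digest: %d\n", forged_sig_accepted_buggy(SAMPLE_UNLUCKY));
    printf("buggy check, lucky digest:   %d\n", forged_sig_accepted_buggy(SAMPLE_LUCKY));
    printf("fixed check, lucky digest:   %d\n", forged_sig_accepted_fixed(SAMPLE_LUCKY));
    printf("first candidate accepted by buggy check: %d\n",
           first_accepted_buggy(cands, 3));
    return 0;
}
```

The point for anyone auditing such code: a digest is binary data, so any string function (strncmp, strcmp, strlen) applied to it is a bug regardless of how the rest of the verifier is written; the fix is a fixed-length memcmp (or a constant-time equivalent) over all 20 bytes.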
Does the signature code actually get called though? I know boot2v3 fixed the signing bug in boot2, even though boot2 never called the signature verification code. Hallowizer (talk) 23:09, 2 May 2021 (CEST)
I can't say for sure that it's used, but I do see several paths from the main function that end up calling the signature code (but there's a giant messy function in the middle of everything that makes it hard to be sure). --Pokechu22 (talk) 01:18, 3 May 2021 (CEST)
Bushing said that they did something “mildly clever” to work around the BC sigcheck. I think this means we should dump our BootMii-boot2 to find out. Hallowizer (talk) 03:38, 11 May 2021 (CEST)
The relevant code is probably actually in the hackmii installer. I did some talking with DacoTaco and sven, and found that boot2 checks HW_CLOCKS and decides to launch MIOS in that case instead of the System Menu (boot2 also seems to be able to launch BC, but I don't think that code is actually reachable). I got confirmation that bootmii itself doesn't use HW_CLOCKS (and reverse-engineered bootmii as IOS to confirm that); sven also mentioned "iirc we didn't put any special gc mode/BC code into bootmii fwiw". I also did enough reverse engineering to determine that BC is almost certainly loading boot2, as it does a lot of NAND stuff in relevant places (including looking for two matching copies; this and this in MINI seem pretty similar). Probably they did something strange there to make BC reject the modified copy but boot1 allow it; it should show up in a bootmii NAND dump. --Pokechu22 (talk) 20:17, 11 May 2021 (CEST)
I think we’re over complicating this actually. Maybe the first boot2 has the BootMii loader, and the second one doesn’t. Boot1 defaults to the first one, but BC sees that the first one is invalid and goes to the second one? Hallowizer (talk) 20:40, 11 May 2021 (CEST)
I guess I could test that by downgrading my BC and calling ES_LaunchBC manually, with a custom armboot.bin. Not sure if ES_LaunchBC requires sysmenu though. Hallowizer (talk) 23:27, 11 May 2021 (CEST)
Actually, GCBooter launches BC manually, I can probably do that. Hallowizer (talk) 00:05, 12 May 2021 (CEST)
According to HackMii, BootMii-boot2 only installs into the first copy. The BC-loading code you found was probably the ES_LaunchBC ioctl used in normal IOS. Hallowizer (talk) 02:33, 15 July 2021 (CEST)