boot1
boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside the first block of NAND flash and encrypted with a key stored in the Mask ROM as part of boot0. As part of the boot process, boot0 will decrypt and hash boot1, and then compare it to a SHA1 hash stored in on-die OTP memory; if they do not match, then boot1 will not be executed. This means that any attempt to modify boot1 on a retail Wii will cause it to fail to boot.
There is a hard limit on the size of boot1: 47 pages of 2K each, or 94K. Of that, approximately 17K is actually used.
boot1 runs entirely out of on-die SRAM and performs initialization of the external DDR3 memory. It then loads boot2 (from a special partition in NAND), decrypts it and performs an RSA verification on it. Splitting the first part of the bootloader into boot0 and boot1 allows Nintendo to change RAM chips and also to fix bugs in RSA verification without respinning the Starlet core; at least 5 known versions of boot1 exist, most of which only differ in small ways in the DDR3 initialization code.
Some time in 2008, Nintendo fixed the strncmp bug in boot1 for newly-manufactured Wiis, preventing boot2 from being modified by e.g. BootMii.
boot1 will detect an attempt to downgrade boot2, comparing the version number of the TMD in flash against a value store in the serial EEPROM. If the value in flash is less than that in EEPROM, it will fail to boot with error 10.
boot1 error codes
boot1 will flash error codes on the 8-bit debug port if a problem is encountered loading boot2 from the NAND flash.
| Error code | Notes |
|---|---|
| 4 | Misc error (valid blockmap not found) |
| 5 | Header error (length is not 0x20, or offset to data start is > 0x20000, or data start is not aligned to 64-byte boundary |
| 8 | RSA signature failure |
| 9 | Wrong key (CP used to sign ticket, etc) |
| 10 | EEPROM error (failure reading data from EEPROM, or EEPROM shows newer version of boot2 required) |
| 11 | TMD does not have title ID 1-1 (ID for boot2) |
Version History
Unfortunately, there is no build date encoded in boot1 anywhere, nor a version number. The labels have been chosen more or less in the order they were seen, and are just used as a shorthand when discussing different versions. (Feel free to add info on the differences between each version, as well as when each was first seen)
| name | length | OTP hash | notes |
|---|---|---|---|
| boot1a | 0x42c0 | b30c32b962c7cd08abe33d015b9b8b1db1097544
|
Seen on some early Wiis; not very common |
| boot1b | 0x4320 | ef3ef78109608d56df5679a6f92e13f78bbddfdf
|
Most common version on launch-day Wiis |
| boot1c | 0x4400 | d220c8a486c631d0df5adb3196ecbc668780cc8d
|
first version with fixed strncmp bug; first seen in 2008 (?) |
| boot1d | 0x4840 | f793068a09e80986e2a023c0c23f06140ed16974
|
Seemly the last publicly released Boot1 version. The Wii Mini uses this version too. |
For comparison, here is the version history of BC, which is very similar to boot1:
| version | length | build tag / date | notes |
|---|---|---|---|
| 0 | 0x41be | Aug 11, 2006* | corresponds with boot1a? |
| 1 | 0x412a | Sep 2, 2006* | corresponds with boot1b? |
| 2 | 0x414c | bc.0611021443 | |
| 4 | 0x4d8c | bc.0803040819 | corresponds with boot1c? |
| 5 | 0x4f08 | bc.0806101038 | |
| 6 | 0x502c | bc.0908240243 | corresponds with boot1d? |
- No build tags are included with early versions of BC, so approximate dates are listed from corresponding MIOS. These dates are likely very close (If not identical) to the actual BC build dates.