NAND Boot Program/BS2

From WiiBrew

The NAND Boot Program's BS2 is smaller than the System Menu's BS2. The function that runs it is assumed to be called BS2Tick, since that is its name in the System Menu.

The current state is stored in glob_7d20.


Italicized states in the "Next state(s)" column are directly jumped to instead of being returned.

State 0
  Action: Initializes the ES library (including reading the active title ID) and reads bi2.bin. Sets the state to 2, but then starts executing state 2's code instead of returning, which ultimately results in state 1 or 3 being set by state 2.
  Next state(s): 2

State 1
  Action: Initializes several OSGlobals.
  Next state(s): 5

State 2
  Action: Reads /title/00000001/00000002/data/state.dat and checks that the type is not 0xFF (unknown), changing it to unknown afterward. State 1 comes next if there was an error reading state.dat or the type was unknown, state 3 otherwise.
  Next state(s): 1, 3

State 3
  Action: This state has a number of possible paths. It reads /shared2/sys/NANDBOOTINFO and writes the appropriate values to memory. Its offsets into NANDBOOTINFO seem to be off by 1, which most likely results in unintended behavior.

  The first branch is on whether titletype (probably meant to be apptype) is 0x80. If it is, and the launchcode is 0x4000000 or 0x8000000, the launchcode is written to an emulated bi2.bin. It then checks whether apptype is 0x3c (probably supposed to be unk2); this is always false, as apptype is 0x80 or 0x81, so state 1 is next. If, for some reason, apptype is 0x3c, the apptype is stored in bi2.bin and the dev debugger monitor address is stored, although the actual calculation of this address looks strange; state 1 is then returned.

  If titletype is not 0x80, the last bit is checked; if it is 1, bi2.bin offset 0x800 is set to 1 (this field is not mentioned in YAGCD and is probably Wii-exclusive). The launchcode is written to the system globals and bi2.bin is passed as a DOL parameter, after which state 1 is returned.

  If the last bit of titletype is 0, the second-to-last bit is checked; if it is 1, the launchcode is written to memory and the apptype is written to "Application type 2" in memory. Execution then jumps directly to state 4 (without returning).

  If the second-to-last bit of titletype is 0, the third-to-last bit is checked; if it is 1, the launchcode is written to the "Return code" location in memory and the apptype to "Application type 2". Regardless of this bit, the next state is state 1.
  Next state(s): 1, 4

State 4
  Action: Like state 2, this state is never returned; execution falls into it from state 3 under certain circumstances. Function unknown.
  Next state(s): 1, 1, 6

State 5
  Action: Loads content 1 into memory. The main function in the boot program does additional work before calling BS2Tick when it detects this state.
  Next state(s): 5

State 6
  Action: Exits to the System Menu (or hangs if exiting fails).
  Next state(s): N/A
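As an added illustration (not code from this page or from the boot program itself), the following C model encodes the transitions described in the state table above, including the fall-through from state 0 into state 2 and from state 3 into state 4. The bs2_input_t fields, the helper names, and state 4 being modelled as returning 1 are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the BS2 state machine as this page describes it; not
 * the boot program's own code. Only inputs that decide transitions appear. */
typedef struct {
    bool    statedat_ok;   /* reading state.dat succeeded */
    uint8_t statedat_type; /* type byte from state.dat; 0xFF = unknown */
    uint8_t titletype;     /* titletype/apptype field from NANDBOOTINFO */
} bs2_input_t;
/* State 2: state 1 if state.dat was unreadable or unknown, else state 3. */
static int bs2_state2(const bs2_input_t *in) {
    if (!in->statedat_ok || in->statedat_type == 0xFF) return 1;
    return 3;
}
/* State 3: returns the next state; 4 means "jump straight into state 4". */
static int bs2_state3(const bs2_input_t *in) {
    uint8_t t = in->titletype;
    /* 0x80: the 0x3c test is against apptype (0x80/0x81), never true -> 1 */
    if (t == 0x80) return 1;
    if (t & 0x01) return 1; /* last bit: bi2.bin passed as DOL parameter */
    if (t & 0x02) return 4; /* second-to-last bit: direct jump to state 4 */
    return 1;               /* third-to-last bit set or not: state 1 */
}
/* One BS2Tick: returns the state left in glob_7d20 afterwards. States 0 and 3
 * fall through (into 2 and 4) within the same tick, as the page notes. */
int bs2_tick(int state, const bs2_input_t *in) {
    switch (state) {
    case 0: return bs2_state2(in);   /* sets 2, then runs state 2's code */
    case 1: return 5;                /* OSGlobals initialised */
    case 2: return bs2_state2(in);
    case 3: {
        int next = bs2_state3(in);
        return next == 4 ? bs2_tick(4, in) : next;
    }
    case 4:  return 1;  /* ASSUMPTION: function unknown; page lists 1 or 6 */
    case 5:  return 5;  /* content 1 loaded; main() handles this state */
    default: return 6;  /* exit to System Menu, or hang */
    }
}
/* Record the states stored after successive ticks from 0 until one repeats. */
size_t bs2_trace(const bs2_input_t *in, int *out, size_t max) {
    int s = 0, next; size_t n = 0;
    for (; n < max; s = next) {
        out[n++] = s;
        if ((next = bs2_tick(s, in)) == s) break;
    }
    return n;
}
```

With a readable state.dat and titletype 0x80 the stored states run 0, 3, 1, 5, which matches the table's normal boot path.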