Changes

1,290 bytes removed, 20:27, 7 April 2021
Removed the ceiling cat screenshot
Line 29: Line 29:  
== How it works ==
 
== How it works ==
 
BootMii is a modified version of [[boot2]], which is loaded by [[boot1]], which is loaded by [[boot0]]. '''boot0''' is part of [[Hollywood]] and read-only. '''boot1''', although stored on the [[NAND]], is signed by a value in write-once memory and therefore cannot be changed without rendering a console unable to boot. '''boot2''', however, can be modified (with some restrictions). This means it can be hacked, updated, and corrupted. BootMii hijacks the [[boot process]] before the normal '''boot2''' is run, optionally allowing code to be run directly from the SD Card. This has many advantages, such as making it very difficult to [[brick]], and slowing Nintendo from blocking homebrew. Unfortunately, the only way we could completely stop Nintendo from blocking homebrew is by patching updates on-the-fly, or somehow preventing overwriting '''boot2'''. Along with the [[System Menu 4.2]] update, Nintendo released a new version of '''boot2''' (boot2v4); there is nothing in boot2v4 that prevents BootMii from working, but it will overwrite an existing BootMii installation when it is installed.
 
BootMii is a modified version of [[boot2]], which is loaded by [[boot1]], which is loaded by [[boot0]]. '''boot0''' is part of [[Hollywood]] and read-only. '''boot1''', although stored on the [[NAND]], is signed by a value in write-once memory and therefore cannot be changed without rendering a console unable to boot. '''boot2''', however, can be modified (with some restrictions). This means it can be hacked, updated, and corrupted. BootMii hijacks the [[boot process]] before the normal '''boot2''' is run, optionally allowing code to be run directly from the SD Card. This has many advantages, such as making it very difficult to [[brick]], and slowing Nintendo from blocking homebrew. Unfortunately, the only way we could completely stop Nintendo from blocking homebrew is by patching updates on-the-fly, or somehow preventing overwriting '''boot2'''. Along with the [[System Menu 4.2]] update, Nintendo released a new version of '''boot2''' (boot2v4); there is nothing in boot2v4 that prevents BootMii from working, but it will overwrite an existing BootMii installation when it is installed.
  −
BootMii creates a 553649152-byte NAND dump called "nand.bin" on an SD card. It is formatted as:
  −
  −
    4096 * 64 pages of (2048 + 64) bytes of data + ECC
  −
    A 1024-byte footer with keying information
  −
  −
Specifically, the format of that 1024-byte footer is:
  −
  −
    256 bytes of human-readable information (e.g. "BackupMii v1\nConsole ID: 0408cafa"), padded with null bytes
  −
    128 bytes of OTP data (copied directly from OTP)
  −
  −
    128 bytes of padding
  −
    256 bytes of SEEPROM data (copied directly from OTP)
  −
    256 bytes of padding
      
== Compatibility ==
 
== Compatibility ==
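Review bot: the removal in this hunk goes well beyond what the edit summary ("Removed the ceiling cat screenshot") describes: it deletes the entire nand.bin layout (4096 * 64 pages of 2048 + 64 bytes plus the 1024-byte footer). Those figures are internally consistent (262144 pages × 2112 bytes + 1024 = 553649152 bytes, matching the stated file size, and 256 + 128 + 128 + 256 + 256 = 1024 for the footer), so this is documentation worth keeping, either here or under [[NAND]]. If it stays, the one error in it should be corrected rather than deleted: "256 bytes of SEEPROM data (copied directly from OTP)" should read "copied directly from SEEPROM", since the OTP contents are the 128-byte block listed immediately above it.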
Line 54: Line 40:  
== The new boot1 ==
 
== The new boot1 ==
 
Consoles made after some point in 2008 (no concrete date is known) have a new version of [[boot1]] that patches the vulnerability which allows the console to boot a modified [[boot2]]. The Hackmii Installer will detect this situation and refuse to modify '''boot2'''(see more at [http://hackmii.com/2009/02/bootmii-and-the-new-boot1/ Hackmii]). Since '''boot1''' cannot be updated, all consoles already manufactured before this update are safe. About 10% of the consoles that ran the BootMii Checker tool have the new '''boot1'''.
 
Consoles made after some point in 2008 (no concrete date is known) have a new version of [[boot1]] that patches the vulnerability which allows the console to boot a modified [[boot2]]. The Hackmii Installer will detect this situation and refuse to modify '''boot2'''(see more at [http://hackmii.com/2009/02/bootmii-and-the-new-boot1/ Hackmii]). Since '''boot1''' cannot be updated, all consoles already manufactured before this update are safe. About 10% of the consoles that ran the BootMii Checker tool have the new '''boot1'''.
  −
== Console Keys and keys.bin ==
  −
Instead of using [[WiiND]], you can retrieve your console keys from the keys.bin file that BootMii v3+ produces when backing up the [[NAND]]. To view them, open keys.bin with a hex editor.<br />
  −
Here are the offsets for each key:
  −
<pre>
  −
boot1 hash: 0x100 (20 bytes)
  −
Common key (AES): 0x114 (16 bytes)
  −
Console ID: 0x124 (4 bytes)
  −
ECC Private Key: 0x128 (30 bytes)
  −
NAND HMAC: 0x144 (20 bytes)
  −
NAND AES key: 0x158 (16 bytes)
  −
PRNG seed (AES): 0x168 (16 bytes)
  −
ng_key_id: 0x208 (4 bytes)
  −
ng_sig: 0x20c (60 bytes)</pre>
  −
  −
For a full description of the purpose of each key, see [http://hackmii.com/2008/04/keys-keys-keys/ this writeup on HackMii].
      
== Media ==
 
== Media ==
[[File:Bootmii_screenshot.png|right|thumb|200px|Screenshot. Click for larger image.]]
  −
   
{|
 
{|
 
|-
 
|-
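Review bot: the keys.bin offset table deleted in this hunk contains a two-byte overlap that should be resolved before the section is dropped or moved: "ECC Private Key: 0x128 (30 bytes)" runs to 0x146, but "NAND HMAC: 0x144 (20 bytes)" begins at 0x144. If the overlap is deliberate (the two keys share bytes in the underlying OTP block), the table should say so; otherwise one of the two offsets or lengths is wrong. The offsets otherwise line up with the nand.bin footer described in the previous hunk (human-readable text at 0x000, the 128-byte OTP copy at 0x100, padding at 0x180, the SEEPROM copy at 0x200, which is why the SEEPROM fields ng_key_id and ng_sig sit at 0x208 and 0x20c), so cross-linking the two descriptions would serve readers better than deleting one of them. The only line in this hunk that the edit summary actually accounts for is the removed [[File:Bootmii_screenshot.png]] thumbnail under Media.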