== How it works ==
BootMii is a modified version of [[boot2]], which is loaded by [[boot1]], which is loaded by [[boot0]]. '''boot0''' is part of [[Hollywood]] and read-only. '''boot1''', although stored on the [[NAND]], is signed by a value in write-once memory and therefore cannot be changed without rendering a console unable to boot. '''boot2''', however, can be modified (with some restrictions). This means it can be hacked, updated, and corrupted. BootMii hijacks the [[boot process]] before the normal '''boot2''' is run, optionally allowing code to be run directly from the SD Card. This has many advantages, such as making it very difficult to [[brick]], and slowing Nintendo from blocking homebrew. Unfortunately, the only way we could completely stop Nintendo from blocking homebrew is by patching updates on-the-fly, or somehow preventing overwriting '''boot2'''. Along with the [[System Menu 4.2]] update, Nintendo released a new version of '''boot2''' (boot2v4); there is nothing in boot2v4 that prevents BootMii from working, but it will overwrite an existing BootMii installation when it is installed.

BootMii creates a 553649152-byte NAND dump called "nand.bin" on an SD card. It is formatted as:

* 4096 * 64 pages of (2048 + 64) bytes of data + ECC
* A 1024-byte footer with keying information

Specifically, the format of that 1024-byte footer is:

* 256 bytes of human-readable information (e.g. "BackupMii v1\nConsole ID: 0408cafa"), padded with null bytes
* 128 bytes of OTP data (copied directly from OTP)
* 128 bytes of padding
* 256 bytes of SEEPROM data (copied directly from OTP)
* 256 bytes of padding

== Compatibility ==
== The new boot1 ==
Consoles made after some point in 2008 (no concrete date is known) have a new version of [[boot1]] that patches the vulnerability which allows the console to boot a modified [[boot2]]. The Hackmii Installer will detect this situation and refuse to modify '''boot2''' (see more at [http://hackmii.com/2009/02/bootmii-and-the-new-boot1/ Hackmii]). Since '''boot1''' cannot be updated, all consoles already manufactured before this update are safe. About 10% of the consoles that ran the BootMii Checker tool have the new '''boot1'''.

== Console Keys and keys.bin ==
Instead of using [[WiiND]], you can retrieve your console keys from the keys.bin file that BootMii v3+ produces when backing up the [[NAND]]. To view them, open keys.bin with a hex editor.

Here are the offsets for each key:
<pre>
boot1 hash: 0x100 (20 bytes)
Common key (AES): 0x114 (16 bytes)
Console ID: 0x124 (4 bytes)
ECC Private Key: 0x128 (30 bytes)
NAND HMAC: 0x144 (20 bytes)
NAND AES key: 0x158 (16 bytes)
PRNG seed (AES): 0x168 (16 bytes)
ng_key_id: 0x208 (4 bytes)
ng_sig: 0x20c (60 bytes)</pre>

For a full description of the purpose of each key, see [http://hackmii.com/2008/04/keys-keys-keys/ this writeup on HackMii].
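The keys.bin offset table above lines up with the 1024-byte footer layout described under "How it works" (OTP copy at 0x100, SEEPROM copy at 0x200), so a single parser can serve both sections. The script below is an added example written for this page, not BootMii's own code; it assumes keys.bin and the nand.bin footer share that layout, and it builds a constructed sample footer with marker bytes (no real key material) so it runs offline. Beyond slicing the listed offsets, it checks the dump size against the stated page geometry, confirms the padding regions are blank, and cross-checks the console ID in the text header against the binary field, which are cheap ways to spot a truncated or corrupted backup before trusting it. Note that the page's own numbers make the ECC private key (0x128, 30 bytes) and the NAND HMAC (0x144, 20 bytes) overlap by two bytes; the parser slices exactly as listed.

```python
"""Layout checker for BootMii's nand.bin and its 1024-byte footer (keys.bin).

Added example, not BootMii's own code. Sizes and offsets are the ones listed
on the page; the sample footer is constructed here and holds no real keys.
"""

PAGE_DATA = 2048                  # user data per NAND page
PAGE_ECC = 64                     # spare/ECC area per page
PAGE_SIZE = PAGE_DATA + PAGE_ECC  # 2112 bytes stored per page in nand.bin
PAGES = 4096 * 64                 # 262144 pages
FOOTER_SIZE = 1024
NAND_BIN_SIZE = PAGES * PAGE_SIZE + FOOTER_SIZE  # 553649152, as stated on the page

# Footer regions from the page: text, OTP copy, padding, SEEPROM copy, padding.
INFO_OFF, INFO_LEN = 0x000, 256
OTP_OFF, OTP_LEN = 0x100, 128
PAD1_OFF, PAD1_LEN = 0x180, 128
SEEPROM_OFF, SEEPROM_LEN = 0x200, 256
PAD2_OFF, PAD2_LEN = 0x300, 256

# (name, offset, length) from the keys.bin table. As listed, ecc_private_key
# (0x128..0x145) and nand_hmac (0x144..0x157) overlap by two bytes.
KEY_FIELDS = [
    ("boot1_hash", 0x100, 20),
    ("common_key", 0x114, 16),
    ("console_id", 0x124, 4),
    ("ecc_private_key", 0x128, 30),
    ("nand_hmac", 0x144, 20),
    ("nand_aes_key", 0x158, 16),
    ("prng_seed", 0x168, 16),
    ("ng_key_id", 0x208, 4),
    ("ng_sig", 0x20C, 60),
]


def check_nand_bin_size(size: int) -> bool:
    """True if a file size matches the documented nand.bin layout."""
    return size == NAND_BIN_SIZE


def split_page(nand: bytes, page_index: int) -> tuple:
    """Return (data, ecc) for one page of a nand.bin image."""
    start = page_index * PAGE_SIZE
    page = nand[start:start + PAGE_SIZE]
    if len(page) != PAGE_SIZE:
        raise ValueError("page %d is truncated" % page_index)
    return page[:PAGE_DATA], page[PAGE_DATA:]


def _info_console_id(info: str):
    """Pull the hex console ID out of the human-readable header, if present."""
    for line in info.splitlines():
        if line.startswith("Console ID:"):
            return line.split(":", 1)[1].strip().lower()
    return None


def parse_keys_bin(footer: bytes) -> dict:
    """Parse a 1024-byte footer / keys.bin into named fields plus sanity flags."""
    if len(footer) != FOOTER_SIZE:
        raise ValueError("expected %d-byte footer, got %d" % (FOOTER_SIZE, len(footer)))
    info_raw = footer[INFO_OFF:INFO_OFF + INFO_LEN].split(b"\x00", 1)[0]
    fields = {name: footer[off:off + ln] for name, off, ln in KEY_FIELDS}
    fields["info"] = info_raw.decode("ascii", errors="replace")
    fields["otp"] = footer[OTP_OFF:OTP_OFF + OTP_LEN]
    fields["seeprom"] = footer[SEEPROM_OFF:SEEPROM_OFF + SEEPROM_LEN]
    pad = footer[PAD1_OFF:PAD1_OFF + PAD1_LEN] + footer[PAD2_OFF:PAD2_OFF + PAD2_LEN]
    fields["padding_is_zero"] = not any(pad)          # page calls these regions padding
    text_id = _info_console_id(fields["info"])
    fields["info_console_id_matches"] = text_id == fields["console_id"].hex()
    return fields


def make_sample_footer() -> bytes:
    """Constructed footer with marker bytes in place of real keys (test input only)."""
    buf = bytearray(FOOTER_SIZE)
    text = b"BackupMii v1\nConsole ID: 0408cafa"       # example header text from the page
    buf[:len(text)] = text
    for i, (_name, off, ln) in enumerate(KEY_FIELDS):
        buf[off:off + ln] = bytes([i + 1]) * ln        # later fields win on the overlap
    buf[0x124:0x128] = bytes.fromhex("0408cafa")       # keep binary ID consistent with text
    return bytes(buf)


def summarize(footer: bytes) -> dict:
    """Hex view of the parsed key fields, for comparing against a hex editor."""
    parsed = parse_keys_bin(footer)
    return {name: parsed[name].hex() for name, _off, _ln in KEY_FIELDS}


if __name__ == "__main__":
    for name, value in summarize(make_sample_footer()).items():
        print("%-16s %s" % (name, value))
```

To run it against a real backup, pass the last 1024 bytes of nand.bin (or the whole of keys.bin) to parse_keys_bin and the file size to check_nand_bin_size; a size mismatch or a non-blank padding region is a reason to redo the backup rather than rely on it.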

== Media ==
[[File:Bootmii_screenshot.png|right|thumb|200px|Screenshot. Click for larger image.]]

{|
|-