5,579
edits
Changes
Jump to navigation
Jump to search
Removed the ceiling cat screenshot
Line 29:
Line 29:
BootMii creates a 553649152-byte NAND dump called "nand.bin" on an SD card. It is formatted as:
− 4096 * 64 pages of (2048 + 64) bytes of data + ECC
− A 1024-byte footer with keying information
−Specifically, the format of that 1024-byte footer is:
− 256 bytes of human-readable information (e.g. "BackupMii v1\nConsole ID: 0408cafa"), padded with null bytes
− 128 bytes of OTP data (copied directly from OTP)
− 128 bytes of padding
− 256 bytes of SEEPROM data (copied directly from OTP)
− 256 bytes of padding
== Console Keys and keys.bin ==
−Instead of using [[WiiND]], you can retrieve your console keys from the keys.bin file that BootMii v3+ produces when backing up the [[NAND]]. To view them, open keys.bin with a hex editor.<br />
−Here are the offsets for each key:
−<pre>
−boot1 hash: 0x100 (20 bytes)
−Common key (AES): 0x114 (16 bytes)
−Console ID: 0x124 (4 bytes)
−ECC Private Key: 0x128 (30 bytes)
−NAND HMAC: 0x144 (20 bytes)
−NAND AES key: 0x158 (16 bytes)
−PRNG seed (AES): 0x168 (16 bytes)
−ng_key_id: 0x208 (4 bytes)
−ng_sig: 0x20c (60 bytes)</pre>
−For a full description of the purpose of each key, see [http://hackmii.com/2008/04/keys-keys-keys/ this writeup on HackMii].
[[File:Bootmii_screenshot.png|right|thumb|200px|Screenshot. Click for larger image.]]
−
== How it works ==
== How it works ==
BootMii is a modified version of [[boot2]], which is loaded by [[boot1]], which is loaded by [[boot0]]. '''boot0''' is part of [[Hollywood]] and read-only. '''boot1''', although stored on the [[NAND]], is signed by a value in write-once memory and therefore cannot be changed without rendering a console unable to boot. '''boot2''', however, can be modified (with some restrictions). This means it can be hacked, updated, and corrupted. BootMii hijacks the [[boot process]] before the normal '''boot2''' is run, optionally allowing code to be run directly from the SD Card. This has many advantages, such as making it very difficult to [[brick]], and slowing Nintendo from blocking homebrew. Unfortunately, the only way we could completely stop Nintendo from blocking homebrew is by patching updates on-the-fly, or somehow preventing overwriting '''boot2'''. Along with the [[System Menu 4.2]] update, Nintendo released a new version of '''boot2''' (boot2v4); there is nothing in boot2v4 that prevents BootMii from working, but it will overwrite an existing BootMii installation when it is installed.
BootMii is a modified version of [[boot2]], which is loaded by [[boot1]], which is loaded by [[boot0]]. '''boot0''' is part of [[Hollywood]] and read-only. '''boot1''', although stored on the [[NAND]], is signed by a value in write-once memory and therefore cannot be changed without rendering a console unable to boot. '''boot2''', however, can be modified (with some restrictions). This means it can be hacked, updated, and corrupted. BootMii hijacks the [[boot process]] before the normal '''boot2''' is run, optionally allowing code to be run directly from the SD Card. This has many advantages, such as making it very difficult to [[brick]], and slowing Nintendo from blocking homebrew. Unfortunately, the only way we could completely stop Nintendo from blocking homebrew is by patching updates on-the-fly, or somehow preventing overwriting '''boot2'''. Along with the [[System Menu 4.2]] update, Nintendo released a new version of '''boot2''' (boot2v4); there is nothing in boot2v4 that prevents BootMii from working, but it will overwrite an existing BootMii installation when it is installed.
−== Compatibility ==
== Compatibility ==
Line 54:
Line 40:
== The new boot1 ==
== The new boot1 ==
Consoles made after some point in 2008 (no concrete date is known) have a new version of [[boot1]] that patches the vulnerability which allows the console to boot a modified [[boot2]]. The Hackmii Installer will detect this situation and refuse to modify '''boot2'''(see more at [http://hackmii.com/2009/02/bootmii-and-the-new-boot1/ Hackmii]). Since '''boot1''' cannot be updated, all consoles already manufactured before this update are safe. About 10% of the consoles that ran the BootMii Checker tool have the new '''boot1'''.
Consoles made after some point in 2008 (no concrete date is known) have a new version of [[boot1]] that patches the vulnerability which allows the console to boot a modified [[boot2]]. The Hackmii Installer will detect this situation and refuse to modify '''boot2'''(see more at [http://hackmii.com/2009/02/bootmii-and-the-new-boot1/ Hackmii]). Since '''boot1''' cannot be updated, all consoles already manufactured before this update are safe. About 10% of the consoles that ran the BootMii Checker tool have the new '''boot1'''.
−== Media ==
== Media ==
−{|
{|
|-
|-