Does installing BootMii as boot2 prevent the launching of GC games because BC has the signature bug fixed? I have a boot1-vulnerable Wii but no GC discs. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 21:16, 28 April 2021 (CEST)
:No, it works fine on my Wii with BootMii as boot2 and no custom MIOS or BC. --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 01:48, 30 April 2021 (CEST)
::Weird, I wonder if the HackMii installer automatically replaces BC? [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 03:49, 30 April 2021 (CEST)
:::Nope, seems to be the exact same (based on a bootmii dump imported in dolphin, <code>title/00000001/00000100/content/</code> has a sha-1 of 22b7c2ba3583fcca24134cca707fd339236afcc5, same as BC v6 obtained from NUS).
:::Possibly BC doesn't actually check the signature on boot2; it does seem to interact with NAND, the AES engine, and the SHA-1 engine though. I also checked and it writes things to the [[debug port]] which may match with the info on [[boot1]] (but I'm not 100% sure; the code is really confusing and I don't want to spend too much time investigating it). It definitely checks *something* (one function uses [[Hardware/NAND]], [[Hardware/AES Engine]], and [[Hardware/SHA-1 Engine]], and uses strings related to certificates ("Root", "CA", "-", "CP", "XS"), and is also responsible for writing to the debug port), but I don't know if it's actually boot2 that it's checking or something else (there are basically no other strings to look at for context).
:::(As for the debug port, it writes a value, and then inverts all of the bits and writes that value, in a loop waiting 1000000 units each time (it seems to be a busy loop for waiting so I don't know the units). It also always writes 0xbc to the debug port at startup, which might be where the name came from since I don't see any other text that gives it a name, unless I'm forgetting something in the system menu.) --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 08:06, 30 April 2021 (CEST)
::::Oh, one more thing: I confirmed that bootmii doesn't start when launching a GC game, but it ''does'' launch when pressing the power button while a GC game is running. I think this means that BC does ''not'' launch boot2, but MIOS ''will'' launch boot2 to turn off the Wii (note that on selecting the System Menu from bootmii, it loads as normal, i.e. the shutdown doesn't actually go through. But if no SD card is inserted, then it will eventually shut down after the disc drive does a thing.) This could be confirmed by seeing if BC needs to be patched when modifying MIOS. --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 06:40, 2 May 2021 (CEST)
:::::The reason I thought it launched boot2 is because mini has a bit of code to detect GC compat mode: <code>if (read32(0x0d800190) & 2) { gecko_printf("GameCube compatibility mode detected...\n"); vector = boot2_run(1, 0x101); goto shutdown; }</code>
:::::[[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 06:53, 2 May 2021 (CEST)
:::::Also, [ bushing said] that BC got its signature check fixed. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 07:12, 2 May 2021 (CEST)
::::::I'm just replying with info that I remember noticing, but I could be wrong.
::::::1) I thought BC booted boot2, however no bootmii/mini logging is thrown at my USBGecko when booting a GC game. mini indeed has that piece of code, but it's not doing the gecko_printf so mini is never started (or it is suppressed?)
::::::2) When shutting down it does boot (as seen by bootmii booting up) and that somehow kills some kind of flag MIOS sets up. I always thought the bootstate told SM that it was shutting down, but something else is also going on. Does BC boot MIOS directly? --[[User:DacoTaco|DacoTaco]] ([[User talk:DacoTaco|talk]]) 09:26, 2 May 2021 (CEST)
:::::::I can now confirm that BC did have the signing bug and it was fixed in v4; the function that checks the signature can be found by looking for the hex constant 0x000ac004 in memory, and then looking at either of the two function calls with that value as a parameter (both of which just call another function that does the actual check). In v2, there's a call to strncmp at ffff2236. In later versions, they do the comparison directly (at around ffff0fd2 (v4) or ffff0fca (v5, v6)). I'm still not sure what it's actually checking the signature ''of''; figuring that out would require a deeper understanding of the way NAND is laid out I think. --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 22:26, 2 May 2021 (CEST)
::::::::Does the signature code actually get called though? I know boot2v3 fixed the signing bug in boot2, even though boot2 never called the signature verification code. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 23:09, 2 May 2021 (CEST)
:::::::::I can't say for sure that it's used, but I do see several paths from the main function that end up calling the signature code (but there's a giant messy function in the middle of everything that makes it hard to be sure). --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 01:18, 3 May 2021 (CEST)
::::Bushing said that they did something "mildly clever" to work around the BC sigcheck. I think this means we should dump our BootMii-boot2 to find out. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 03:38, 11 May 2021 (CEST)
:::::The relevant code is probably actually in the hackmii installer. I did some talking with DacoTaco and sven, and found that boot2 checks HW_CLOCKS and decides to launch MIOS in that case instead of the System Menu (boot2 also seems to be able to launch BC, but I don't think that code is actually reachable). I got confirmation that bootmii itself doesn't use HW_CLOCKS (and reverse-engineered bootmii as IOS to confirm that); sven also mentioned "iirc we didn't put any special gc mode/BC code into bootmii fwiw". I also did enough reverse engineering to determine that BC is almost certainly loading boot2, as it does a lot of NAND stuff in relevant places (including looking for two matching copies; [ this] and [ this] in MINI seem pretty similar). Probably they did something strange there to make BC reject the modified copy but boot1 allow it; it should show up in a bootmii NAND dump. --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 20:17, 11 May 2021 (CEST)
::::::I think we're overcomplicating this actually. Maybe the first boot2 has the BootMii loader, and the second one doesn't. Boot1 defaults to the first one, but BC sees that the first one is invalid and goes to the second one? [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 20:40, 11 May 2021 (CEST)
:::::::I guess I could test that by downgrading my BC and calling ES_LaunchBC manually, with a custom armboot.bin. Not sure if ES_LaunchBC requires sysmenu though. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 23:27, 11 May 2021 (CEST)
:::::::Actually, [[GCBooter]] launches BC manually, I can probably do that. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 00:05, 12 May 2021 (CEST)
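Added illustration (editor's example, not code from this thread, from BC, or from mini): the "signing bug" that Pokechu22 locates above via the strncmp call in BC v2 is, in its publicly documented form, a comparison of two SHA-1 digests done with strncmp instead of a fixed-length byte compare. The snippet below shows why that is a defect and what the fixed comparison (the "direct" compare in BC v4 and later) has to look like. The function names, the assumption that the compared values are 20-byte SHA-1 digests, and the sample digests are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20  /* size of a SHA-1 digest in bytes (assumed here) */

/* Buggy form: the two digests are compared with strncmp, which treats them
 * as NUL-terminated strings. strncmp stops at the first 0x00 byte, so when
 * both digests begin with 0x00 every later byte is ignored and the check
 * reports a match for a digest that does not actually match. */
bool hash_matches_buggy(const uint8_t expected[SHA1_LEN],
                        const uint8_t actual[SHA1_LEN])
{
    return strncmp((const char *)expected, (const char *)actual, SHA1_LEN) == 0;
}

/* Fixed form: compare all SHA1_LEN bytes unconditionally. The OR-accumulated
 * XOR also avoids an early exit, so the time taken does not depend on where
 * the first differing byte sits. */
bool hash_matches_fixed(const uint8_t expected[SHA1_LEN],
                        const uint8_t actual[SHA1_LEN])
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SHA1_LEN; i++) {
        diff |= (uint8_t)(expected[i] ^ actual[i]);
    }
    return diff == 0;
}

/* Constructed sample digests (not real hashes of anything): both start with
 * 0x00, and every byte after the first differs between the two. */
static const uint8_t expected_digest[SHA1_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67 };
static const uint8_t other_digest[SHA1_LEN] = {
    0x00, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88, 0x77, 0x66,
    0x55, 0x44, 0x33, 0x22, 0x11, 0x00, 0xfe, 0xdc, 0xba, 0x98 };

/* True when the strncmp-based check wrongly accepts the mismatching digest. */
bool buggy_check_accepts_mismatch(void)
{
    return hash_matches_buggy(expected_digest, other_digest);
}

/* True when the full-length check correctly rejects the mismatching digest. */
bool fixed_check_rejects_mismatch(void)
{
    return !hash_matches_fixed(expected_digest, other_digest);
}

int main(void)
{
    printf("strncmp check accepts mismatching digest: %s\n",
           buggy_check_accepts_mismatch() ? "yes (bug)" : "no");
    printf("full-length check rejects it:             %s\n",
           fixed_check_rejects_mismatch() ? "yes" : "no");
    printf("full-length check accepts a true match:   %s\n",
           hash_matches_fixed(expected_digest, expected_digest) ? "yes" : "no");
    return 0;
}
```

The defender's takeaway is the one the thread's v2-versus-v4 comparison implies: a digest is binary data, so any comparison that can terminate early on a byte value (strncmp, strcmp, or a hand-rolled loop that stops at 0) is a verification bypass waiting to happen, and the check has to consume the whole digest length.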