:::::[[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 06:53, 2 May 2021 (CEST)
:::::Also, [https://hackmii.com/2008/06/genie-into-bottle-mios/ bushing said] that BC got its signature check fixed. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 07:12, 2 May 2021 (CEST)
::::::I'm just replying with info that I remember noticing, but I could be wrong.
::::::1) I thought BC booted boot2; however, no bootmii/mini logging is thrown at my USBGecko when booting a GC game. mini indeed has that piece of code, but it's not doing the gecko_printf, so mini is never started (or it is suppressed?)
::::::2) When shutting down it does boot (as seen by bootmii booting up), and that somehow kills some kind of flag MIOS sets up. I always thought the bootstate told SM that it was shutting down, but something else is also going on. Does BC boot mios directly? --[[User:DacoTaco|DacoTaco]] ([[User talk:DacoTaco|talk]]) 09:26, 2 May 2021 (CEST)
:::::::I can now confirm that BC did have the signing bug and it was fixed in v4; the function that checks the signature can be found by looking for the hex constant 0x000ac004 in memory, and then looking at either of the two function calls with that value as a parameter (both of which just call another function that does the actual check). In v2, there's a call to strncmp at ffff2236. In later versions, they do the comparison directly (at around ffff0fd2 (v4) or ffff0fca (v5, v6)). I'm still not sure what it's actually checking the signature ''of''; figuring that out would require a deeper understanding of the way NAND is laid out I think. --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 22:26, 2 May 2021 (CEST)
::::::::Does the signature code actually get called though? I know boot2v3 fixed the signing bug in boot2, even though boot2 never called the signature verification code. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 23:09, 2 May 2021 (CEST)
:::::::::I can't say for sure that it's used, but I do see several paths from the main function that end up calling the signature code (but there's a giant messy function in the middle of everything that makes it hard to be sure). --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 01:18, 3 May 2021 (CEST)
::::Bushing said that they did something “mildly clever” to work around the BC sigcheck. https://hackmii.com/2009/11/updates-and-bricking/ I think this means we should dump our BootMii-boot2 to find out. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 03:38, 11 May 2021 (CEST)
:::::The relevant code is probably actually in the hackmii installer. I did some talking with DacoTaco and sven, and found that boot2 checks HW_CLOCKS and decides to launch MIOS in that case instead of the System Menu (boot2 also seems to be able to launch BC, but I don't think that code is actually reachable). I got confirmation that bootmii itself doesn't use HW_CLOCKS (and reverse-engineered bootmii as IOS to confirm that); sven also mentioned "iirc we didn't put any special gc mode/BC code into bootmii fwiw". I also did enough reverse engineering to determine that BC is almost certainly loading boot2, as it does a lot of NAND stuff in relevant places (including looking for two matching copies; [https://github.com/fail0verflow/mini/blob/befb64ce1cd493946c9a9a0a412262a998f478d9/boot2.c#L66 this] and [https://github.com/fail0verflow/mini/blob/befb64ce1cd493946c9a9a0a412262a998f478d9/boot2.c#L129 this] in MINI seem pretty similar). Probably they did something strange there to make BC reject the modified copy but boot1 allow it; it should show up in a bootmii NAND dump. --[[User:Pokechu22|Pokechu22]] ([[User talk:Pokechu22|talk]]) 20:17, 11 May 2021 (CEST)
::::::I think we’re over complicating this actually. Maybe the first boot2 has the BootMii loader, and the second one doesn’t. Boot1 defaults to the first one, but BC sees that the first one is invalid and goes to the second one? [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 20:40, 11 May 2021 (CEST)
:::::::I guess I could test that by downgrading my BC and calling ES_LaunchBC manually, with a custom armboot.bin. Not sure if ES_LaunchBC requires sysmenu though. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 23:27, 11 May 2021 (CEST)
:::::::Actually, [[GCBooter]] launches BC manually, I can probably do that. [[User:Hallowizer|Hallowizer]] ([[User talk:Hallowizer|talk]]) 00:05, 12 May 2021 (CEST)