User:Hallowizer/Factory3: Difference between revisions

From WiiBrew
Hallowizer
Created
 
Hallowizer
Info about the mysterious IOS
Line 88: Line 88:
Wait a minute. If IOS used to write to /meta, this probably means an IOS-like tool is being used to install this initial set of titles. And, it makes sense that this tool was updated to stop writing to /meta.
Wait a minute. If IOS used to write to /meta, this probably means an IOS-like tool is being used to install this initial set of titles. And, it makes sense that this tool was updated to stop writing to /meta.


(More to be added later)
So, we have a mysterious IOS used to install IOS4 and the System Menu (and IOS9 on older consoles). There is no way this IOS could have been installed as a title, because it does not exist in uid.sys. The only explanation is that this exists at some point in the [[boot process]]. We can immediately rule out [[boot0]], because it’s stored in ROM. While [[boot1]] can probably be modified in the factory due to boot0 allowing a blank hash, no known mechanisms exist in IOS that allow boot1 to be rewritten. It is possible that 0000 or 0003 updates boot1 through AHBPROT, but this seems very risky, considering that there is only one copy present. The only remaining option is it being preinstalled into [[boot2]].
 
Regarding boot2, we have seen v2, v3, v4, and v5 on consoles. The [[Startup Disc Menu]] console seems to have boot2v1, but that does not have the features previously listed. The only remaining option is boot2v0.

Revision as of 01:35, 30 July 2021

I’ll be updating stuff from Factory 2.

Before I continue, I want to mention that you may have ideas that came from supposed “leaks.” Please do not discuss those here.

First, 122E installing DataChk is a very confusing thing. My guess is that DataChk also comes in 122E’s update partition, and Nintendo never removed that code.

Next, bushing said that LU64+ consoles have “crap installed as IOS3, IOS4, and IOS254.” We know that IOS4 is used by the factory System Menu, from the “Insert Startup Disc” NAND. The fact that IOS3 was never used by homebrew or known to be leaked (like IOS16) suggests that this must’ve been used in the factory. I messaged some people on Discord (thank you DraconicNEO and zepd76 for your files!), who were able to send me their /sys/uid.sys files, from both a LU64+ console and a WFE unit. They both had identical factory stuff:

00000001-00000002 ....
00000001-00000004 ....
00000001-00000100 ....
00000001-00000101 ....
00010000-30303030 0000
00000001-00000003 ....
00000001-00000024 ...$
00010000-30303032 0002
00000001-00000009 ....
00000001-0000000a ....
00000001-0000000b ....
00000001-0000000c ....
00000001-0000000d ....
00000001-0000000e ....
00000001-0000000f ....
00000001-00000010 ....
00000001-00000011 ....
00000001-00000014 ....
00000001-00000015 ....
00000001-00000016 ....
00000001-0000001c ....
00000001-0000001e ....
00000001-0000001f ....
00000001-00000021 ...!
00000001-00000022 ..."
00000001-00000023 ...#
00000001-00000025 ...%
00000001-00000026 ...&
00000001-00000028 ...(
00000001-00000029 ...)
00000001-0000002b ...+
00000001-0000002d ...-
00000001-0000002e ....
00000001-00000030 ...0
00000001-00000032 ...2
00000001-00000033 ...3
00000001-00000034 ...4
00000001-00000035 ...5
00000001-00000037 ...7
00000001-00000038 ...8
00000001-00000039 ...9
00000001-0000003a ...:
00000001-0000003c ...<
00000001-0000003d ...=
00000001-00000046 ...F
00000001-00000050 ...P
00010002-48414341 HACA
00010002-48414141 HAAA
00010002-48415941 HAYA
00010002-48414641 HAFA
00010002-48414645 HAFE
00010002-48414241 HABA
00010002-48414741 HAGA
00010002-48414745 HAGE
00010008-48414b45 HAKE
00010008-48414c45 HALE
00010001-48434c45 HCLE
00010001-48414a45 HAJE
00010001-48415045 HAPE
00010001-48414445 HADE
00010001-48415445 HATE
00010001-48434745 HCGE
00010000-31323245 122E
00010000-30303033 0003
00010000-00555045 .UPE
00010000-53503245 SP2E

The first thing I immediately noticed was that 122E and .UPE are the only discs inserted now. SP2E is Wii Sports Resort, which may have also been inserted to clear the cache.dat. We can assume that 0000 and 0003 are normal channels, just like 0002 (DataChk).

The next difference here is that IOS3 and IOS36 seem to be installed first by 122E, probably indicating that 122E uses IOS3, and DataChk uses IOS36.
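As an added example (not part of the original page and not a WiiBrew tool), this Python sketch decodes listing lines like those above and checks ordering claims against them. It assumes, as the page does, that the order of entries in uid.sys reflects the order in which titles first appeared on the console; the category labels and the function names are this example's own.

```python
import re

# Constructed sample: a subset of the listing above, kept in on-console order.
LISTING = """\
00000001-00000002
00000001-00000004
00010000-30303030
00000001-00000003
00000001-00000024
00010000-30303032
00000001-00000009
00010002-48414341
00010000-31323245
00010000-30303033
00010000-00555045
00010000-53503245
"""

# Upper 32 bits of a Wii title ID select the title category (labels are ours).
TYPES = {0x00000001: "system", 0x00010000: "disc", 0x00010001: "channel",
         0x00010002: "system channel", 0x00010008: "hidden channel"}

def decode(line):
    """Return (category, name) for one 'XXXXXXXX-XXXXXXXX' listing line."""
    m = re.fullmatch(r"([0-9a-fA-F]{8})-([0-9a-fA-F]{8})", line.strip())
    if m is None:
        raise ValueError(f"not a title ID: {line!r}")
    hi, lo = int(m.group(1), 16), int(m.group(2), 16)
    if hi == 1:
        # Assumption: sample system titles are the System Menu (2) or an IOS slot.
        name = "System Menu" if lo == 2 else f"IOS{lo}"
    else:
        # Lower 32 bits are a 4-byte code; non-printable bytes are shown as '.'.
        name = "".join(chr(b) if 0x20 <= b < 0x7F else "."
                       for b in lo.to_bytes(4, "big"))
    return TYPES.get(hi, f"unknown {hi:08x}"), name

def install_order(listing):
    """Decode every non-empty line, preserving file order."""
    return [decode(l) for l in listing.splitlines() if l.strip()]

def first_seen_before(order, first, second):
    """True if `first` appears earlier in the listing than `second`."""
    names = [name for _, name in order]
    return names.index(first) < names.index(second)

if __name__ == "__main__":
    for pos, (category, name) in enumerate(install_order(LISTING)):
        print(f"{pos:2d}  {category:<15} {name}")
```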

Later, I was curious about my /meta, which seems to have entries for the System Menu, IOS4, and IOS9. These all have one thing in common: they get installed through magic prior to inserting discs. My theory was that these get installed through the same mechanism that installs that initial set of titles. (I later found out that those files contained build tags, aka content 0.)

I decided I should test this theory by asking for the /meta contents of these people. It turned out both of them had empty /meta directories. Seemed very strange.

But, there is one other interesting thing. One thing bushing noted was that DataChk deletes its /meta entry when it uninstalls itself. There seems to be no reason for this to happen, besides the factory IOSes including code to write to /meta on title install.

Wait a minute. If IOS used to write to /meta, this probably means an IOS-like tool is being used to install this initial set of titles. And, it makes sense that this tool was updated to stop writing to /meta.

So, we have a mysterious IOS used to install IOS4 and the System Menu (and IOS9 on older consoles). There is no way this IOS could have been installed as a title, because it does not exist in uid.sys. The only explanation is that this exists at some point in the boot process. We can immediately rule out boot0, because it’s stored in ROM. While boot1 can probably be modified in the factory due to boot0 allowing a blank hash, no known mechanisms exist in IOS that allow boot1 to be rewritten. It is possible that 0000 or 0003 updates boot1 through AHBPROT, but this seems very risky, considering that there is only one copy present. The only remaining option is it being preinstalled into boot2.

Regarding boot2, we have seen v2, v3, v4, and v5 on consoles. The Startup Disc Menu console seems to have boot2v1, but that does not have the features previously listed. The only remaining option is boot2v0.