Difference between revisions of "Boot1"
m (Just updated this page for some reason... I had a look at an encrypted Wii Mini NAND a while back and the Boot1 version was Boot1d.)
|Line 65:||Line 65:|
Revision as of 00:39, 7 September 2018
boot1 is the second stage loader for the Wii. It is loaded by boot0, which is stored inside a Mask ROM inside the Hollywood. boot1 is contained inside the first block of NAND flash and encrypted with a key stored in the Mask ROM as part of boot0. As part of the boot process, boot0 will decrypt and hash boot1, and then compare it to a SHA1 hash stored in on-die OTP memory; if they do not match, then boot1 will not be executed. This means that any attempt to modify boot1 on a Wii will cause it to fail to boot.
There is a hard limit on the size of boot1: 48 pages of 2K each, or 96K. Of that, approximately 17K is actually used.
boot1 runs entirely out of on-die SRAM and performs initialization of the external DDR3 memory. It then loads boot2 (from a special partition in NAND), decrypts it and performs an RSA verification on it. Splitting the first part of the bootloader into boot0 and boot1 allows Nintendo to change RAM chips and also to fix bugs in RSA verification without respinning the Starlet core; at least 5 known versions of boot1 exist, most of which only differ in small ways in the DDR3 initialization code.
boot1 will detect an attempt to downgrade boot2, comparing the version number of the TMD in flash against a value store in the serial EEPROM. If the value in flash is less than that in EEPROM, it will fail to boot with error 10.
boot1 error codes
boot1 will flash error codes on the 8-bit debug port if a problem is encountered loading boot2 from the NAND flash.
|4||Misc error (valid blockmap not found)|
|5||Header error (length is not 0x20, or offset to data start is > 0x20000, or data start is not aligned to 64-byte boundary|
|8||RSA signature failure|
|9||Wrong key (CP used to sign ticket, etc)|
|10||EEPROM error (failure reading data from EEPROM, or EEPROM shows newer version of boot2 required)|
|11||Wrong ticket (not for boot2)|
Unfortunately, there is no build date encoded in boot1 anywhere, nor a version number. The labels have been chosen more or less in the order they were seen, and are just used as a shorthand when discussing different versions. (Feel free to add info on the differences between each version, as well as when each was first seen)
||Seen on some early Wiis; not very common|
||Most common version on launch-day Wiis|
||first version with fixed strncmp bug; first seen in 2008 (?)|
||Seemly the last publicly released Boot1 version. The Wii Mini uses this version too.|
For comparison, here is the version history of BC, which is very similar to boot1:
|2||0x414c||bc.0611021443||corresponds with boot1b?|
|4||0x4d8c||bc.0803040819||corresponds with boot1c?|
|6||0x502c||bc.0908240243||corresponds with boot1d?|