In memory of Ben “bushing” Byer, who passed away on Monday, February 8th, 2016.

NAND Boot Program

From WiiBrew

The NAND Boot Program is a DOL that is the boot content of every Broadway title (except the System Menu). It is linked with its own copy of Revolution OS, separate from the copy in the game itself.

A special version can also be found in IOS15 and IOS21; this one lists "%s" as its version, and was probably added to those IOSes to cause error 001 to appear for IOS21 discs.

Similar to the System Menu, the NAND Boot Program is governed by its own BS2 with far fewer states.

A list of known functions can be found here.

Known global variables

This list contains both globals from Revolution OS and the NAND Boot Program, as it has not been determined which variables belong to which part of the DOL. r13 is the base pointer that all global variables (not constants) are stored relative to; it is initialized to 0x813735a0. They are stored at a negative offset, and the absolute value of the offset will be used for naming. For example, glob_7ec8 means -0x7ec8(r13).

  • glob_7944 holds the total number of IOS IPC messages enqueued
  • glob_7948 holds the number of pending IPC messages
  • glob_798c holds the current state for the asynchronous function that adds entries to /shared2/test2/nanderr.log. It starts at 1, immediately increments to 2, and counts up to 9.
  • glob_7990 holds a callback for the nanderr.log logging function that is called in the event of an error when writing nanderr.log itself.
  • glob_7c40 is the lower 32 bits of the IOS heap range
  • glob_7c50 is some counter that is decremented by 813394a8
  • glob_7c54 and glob_7c58 are the ends of some linked list. This linked list has a function pointer, an unknown value, and then a next pointer, and finally a prev pointer.
  • glob_7c60 is the pointer to the syscall table
  • glob_7c90 is an allocation stack that grows downward as a result of calling allocDownStack; it is decreased every time memory is allocated using that function.
  • glob_7cb8 holds 0x80000000, probably as a base address to add offsets to.
  • glob_7cdc is a boolean that stores whether OSInit has been called.
  • glob_7cec is a heap ID used by the NAND SDK library
  • glob_7d08 is the pointer to the bi2.bin buffer
  • glob_7d10 is the active title ID
  • glob_7d20 is the current BS2 state
  • glob_7d54 is the heap ID used by communication with IOS
  • glob_7d60-glob_7d58 form the string "/dev/es". It is not known why it is stored in the r13 area instead of as a normal global.
  • glob_7d68 is the current ES handle
  • glob_7e90 is a lock acquired by the nanderr.log code before logging an entry.
  • glob_7ec8 seems to control whether error 001 shows; 1 means error 001 should be shown by the NAND Boot Program, anything else means don't show the error. It can be set to 1 by the function that is LAB_8134a6e8 in the Mii Channel v6 SDK.
  • glob_7ee8 is 0 while the bi2.bin data is being processed by OSInit, 1 afterward
  • glob_7f68 is the upper 32 bits of the IOS heap range
  • glob_7f90 is an allocation stack that grows upward; memory is allocated using allocUpStack.
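
The naming convention above can be applied mechanically when reading a disassembly. The following added example (not code from WiiBrew or from the NAND Boot Program) decodes PowerPC D-form instruction words that use a negative displacement from r13 and reports the matching glob_ name and absolute address. It assumes r13 still holds its initial value; the function names are hypothetical and the sample words are constructed.

```python
# Added example: map r13-relative PowerPC instructions to glob_XXXX names.
R13_BASE = 0x813735A0  # initial r13 value stated on this page

# PowerPC D-form primary opcodes: addi plus the integer loads and stores.
D_FORM = {14: "addi", 32: "lwz", 34: "lbz", 36: "stw", 38: "stb",
          40: "lhz", 42: "lha", 44: "sth"}

# A few descriptions taken from the list on this page.
KNOWN = {
    0x7D20: "current BS2 state",
    0x7D68: "current ES handle",
    0x7EC8: "controls whether error 001 shows",
}

def glob_address(offset):
    """Absolute address of glob_<offset>, i.e. -offset(r13)."""
    return (R13_BASE - offset) & 0xFFFFFFFF

def decode_r13_access(word):
    """Return details for a D-form instruction using a negative r13
    displacement, or None for anything else."""
    opcode = (word >> 26) & 0x3F
    ra = (word >> 16) & 0x1F
    disp = word & 0xFFFF
    if disp & 0x8000:              # sign-extend the 16-bit displacement
        disp -= 0x10000
    if opcode not in D_FORM or ra != 13 or disp >= 0:
        return None
    offset = -disp
    return {
        "mnemonic": D_FORM[opcode],
        "reg": (word >> 21) & 0x1F,
        "name": "glob_%04x" % offset,
        "address": glob_address(offset),
        "note": KNOWN.get(offset, "unknown"),
    }

def annotate(words):
    """Format one line per matching instruction word; others are skipped."""
    lines = []
    for w in words:
        hit = decode_r13_access(w)
        if hit:
            lines.append("%08x  %-4s r%d, %s @ 0x%08x  ; %s" % (
                w, hit["mnemonic"], hit["reg"], hit["name"],
                hit["address"], hit["note"]))
    return lines

# Constructed sample words (not taken from a real dump).
SAMPLE = [0x800D8138, 0x906D82E0, 0x80610008, 0x806D0010]
```
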

Versions

Several versions have been found: the %s version in IOS15 and IOS21, the v1.1 version in some channels, and the v1.0 version in Forecast Channel dummy and News Channel dummy. v1.1 has a build string of release build: Oct 26 2006 16:22:40 (0x4199_60831), while %s has a build string of release build: Jul 31 2007 12:29:44 (0x4199_60831). The only other differences between v1.1 and %s seem to be that %s includes patches for the Internet Channel, and %s mentions RVA units.

v1.0's strings are identical to v1.1's, although the RVL_SDK - OS that follows has a build date of Sep 15 2006 for v1.0, and Sep 21 2006 for v1.1.

GameCube version

Revolution OS checks that glob_7ce8 (or a different global in other apps) is set to true; if not, it checks whether the app was loaded by an apploader or the NAND Boot Program, and shows either "OS ERROR: boot program is not for RVL target. Please use correct boot program" or "OS ERROR: apploader[D].img is not for RVL target. Please use correct apploader[D].img." The D in the apploader error is not for string formatting; it probably stands for "Dolphin." This would mean the entire check is for whether the apploader is for GameCube or Wii, and since a very similar check exists for the NAND Boot Program, there was probably a NAND Boot Program for the GameCube, possibly for Wii development.

ESP

Error messages for ES_InitLib, ES_GetTitleId, ESP_OpenContentFile, ESP_ReadContentFile, ESP_CloseContentFile, and ESP_CloseLib can be found in the bi2.bin reading function. It is not clear what "ESP" is; it may have been an older version of ES, possibly even used on the iQue Player, which did not have a concept of titles but had a title-like system where each title was a single content.

Dev units

There is a string in the %s version saying "Set Device Code : [RVA]", which probably means dev units used code RVA instead of RVL. Strings already exist in the System Menu that suggest that RVL is not used for dev units.

There also seems to be a file called /title/00000001/00000002/data/RVA.txt that is referenced.

Internet Channel patches

The %s version performs a "MEM1 patch" and a "MEM2 patch" on the Internet Channel. The details of these patches are currently not known.