boot0

From WiiBrew

boot0 is the first-stage bootloader of the Starlet ARM core on board the Hollywood; it's contained in 4K of Mask ROM (only 1.5K of which is actually used).

It contains code to read the first 48 pages of the attached NAND flash, which are reserved for boot1, decrypt them with a fixed AES key, hash them with the SHA-1 engine, and compare the hash with a value read from OTP memory. If the hashes do not match, the system refuses to proceed to boot1, causing a brick. However, if the hash in OTP is all zeroes, the system will always boot; this is the case on development consoles, and probably also during the manufacturing process. For more discussion on this subject, see bushing's HackMii post.
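The check described above can be modelled in a few lines to show what the OTP hash does and does not protect. This is an added example, not boot0's own code: it starts from an already-decrypted boot1 region (the AES step is left out), and the 2048-byte page size, the function names and the sample data are assumptions made for the illustration.

```python
import hashlib
import hmac
from enum import Enum

BOOT1_PAGES = 48   # from the page: boot0 reads the first 48 NAND pages
PAGE_SIZE = 2048   # assumption: data bytes per NAND page, spare area excluded
SHA1_LEN = 20      # SHA-1 digest size in bytes


class Verdict(Enum):
    VERIFIED = "hash matches OTP, continue to boot1"
    UNCHECKED = "OTP hash is all zeroes, boot1 runs without an integrity check"
    HALT = "hash mismatch, boot0 refuses to continue"


def boot0_verdict(boot1_plain: bytes, otp_hash: bytes) -> Verdict:
    """Model boot0's decision for an already-decrypted boot1 region."""
    if len(otp_hash) != SHA1_LEN:
        raise ValueError("OTP hash must be 20 bytes")
    if len(boot1_plain) != BOOT1_PAGES * PAGE_SIZE:
        raise ValueError("expected exactly 48 pages of boot1 data")
    # An all-zero OTP hash means any boot1 is accepted.
    if otp_hash == bytes(SHA1_LEN):
        return Verdict.UNCHECKED
    digest = hashlib.sha1(boot1_plain).digest()
    if hmac.compare_digest(digest, otp_hash):
        return Verdict.VERIFIED
    return Verdict.HALT


def sample_verdicts() -> dict:
    """Run the model over constructed data (not a real boot1 or OTP dump)."""
    good = bytes(range(256)) * (BOOT1_PAGES * PAGE_SIZE // 256)
    otp = hashlib.sha1(good).digest()              # stands in for the OTP value
    tampered = bytes([good[0] ^ 0x01]) + good[1:]  # single flipped bit
    return {
        "intact image, programmed OTP": boot0_verdict(good, otp),
        "modified image, programmed OTP": boot0_verdict(tampered, otp),
        "modified image, zeroed OTP": boot0_verdict(tampered, bytes(SHA1_LEN)),
    }


if __name__ == "__main__":
    for case, verdict in sample_verdicts().items():
        print(f"{case}: {verdict.name} ({verdict.value})")
```

The third case is the one to note when auditing a console: with a zeroed OTP hash, a modified boot1 is accepted exactly as an intact one would be.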

The division between boot0 and boot1 allows the RSA signature verification to be done using trusted code loaded from flash; the verification code would not have fit into the 4K of space available. boot0 is coded in a mixture of C and assembly.

The assembly code of boot0 can be found here.