boot2

From WiiBrew

boot2 is the Wii's third-stage bootloader. It is responsible for loading the System Menu TMD and loading the appropriate IOS under normal circumstances, although it can also load MIOS if it detects the lowered clock speed set by BC (if syscall 55 returns 162).

Like IOS, boot2 has multiple modules. In this way, it can be thought of as an IOS installed to a special part of the NAND. However, all modules are contained within a single binary, much like IOSes before IOS28. boot2 has a kernel with IOSC functionality, an ES module, and an FS module. In boot2, get_kernel_flavor writes 0 to its first argument instead of 3, which distinguishes it from IOS.

boot2 is also launched by MIOS when the power button is pressed. In this case the System Menu is initialized, and 0x80003164 is set to 1 if the SRSTB_CPU bit is set in HW_RESETS. The System Menu checks 0x80003164 and, if it is enabled and state.dat is set appropriately, shuts down with the message "Shutdown system from GC!".

Two copies of boot2 are housed in NAND blocks 1-7 in case of failure; they are loaded by boot1.

boot2 was updated in the 4.2 update to boot2v4, the only time Nintendo has ever pushed a boot2 update, besides on prelaunch consoles. This was done by calling ES_ImportBoot to install it into the boot2 region of the NAND. Unfortunately, Nintendo did not test ES_ImportBoot very well, which led to many Wiis receiving a low-level brick, even if they were previously unmodded. The cause of this is unknown, although it may be related to the failure to write ECC data.

Format

boot2 is stored in a WAD-like format.

Offset  Length (bytes)  Description
0x00    4               Header length (always 0x20)
0x04    4               Data offset
0x08    4               Length of certificate chain
0x0c    4               Length of ticket
0x10    4               Length of TMD
0x14    12              Padding (always 0)

Following the header is the certificate chain, then the ticket, then the TMD, and finally the single bootable content[1].
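
A defensive parser for the header described above, as an added example that is not from WiiBrew or from mini's boot2.c. It assumes big-endian fields and that the sections are packed back to back after the header; `parse_boot2_header`, `Boot2Layout` and `make_sample` are hypothetical names, and the sample image is constructed filler.

```python
import struct
from dataclasses import dataclass

# Assumption: fields are big-endian, like other Wii on-NAND structures.
HEADER_FMT = ">5I12s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 0x20

@dataclass(frozen=True)
class Boot2Layout:
    certs: tuple          # (offset, length) of the certificate chain
    ticket: tuple         # (offset, length) of the ticket
    tmd: tuple            # (offset, length) of the TMD
    content_offset: int   # start of the single bootable content

def parse_boot2_header(blob: bytes) -> Boot2Layout:
    """Validate the header and return where each section lives in blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob is shorter than the 0x20-byte header")
    hdr_len, data_off, certs_len, tik_len, tmd_len, pad = struct.unpack_from(HEADER_FMT, blob)
    if hdr_len != HEADER_LEN:
        raise ValueError(f"header length is {hdr_len:#x}, expected 0x20")
    if pad != bytes(12):
        raise ValueError("padding bytes are not all zero")
    # Assumption: sections are packed back to back right after the header.
    certs_off = hdr_len
    tik_off = certs_off + certs_len
    tmd_off = tik_off + tik_len
    tmd_end = tmd_off + tmd_len
    # Lengths come from the image itself, so bound them before slicing.
    if tmd_end > len(blob):
        raise ValueError("certificate chain, ticket or TMD runs past end of blob")
    if not tmd_end <= data_off < len(blob):
        raise ValueError("data offset overlaps metadata or lies outside blob")
    return Boot2Layout((certs_off, certs_len), (tik_off, tik_len), (tmd_off, tmd_len), data_off)

def make_sample(certs_len=0x40, tik_len=0x20, tmd_len=0x30, content=b"\xAA" * 16, data_off=0xC0) -> bytes:
    """Constructed test image: filler bytes only, no real certificates or code."""
    header = struct.pack(HEADER_FMT, HEADER_LEN, data_off, certs_len, tik_len, tmd_len, bytes(12))
    body = b"C" * certs_len + b"T" * tik_len + b"M" * tmd_len
    gap = bytes(data_off - HEADER_LEN - len(body))
    return header + body + gap + content

if __name__ == "__main__":
    print(parse_boot2_header(make_sample()))
```
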

Version history

Version  Description
v0       Installs the System Menu and IOS4. For older consoles, it also installs IOS9. For newer consoles, it also installs BC, MIOS, and 0000.[2][3][4]
v1       Present on prelaunch consoles.
v2       Present on launch-day Wiis.
v3       Only found in Wiis released before LU64+ that were not updated to 4.2. Hardware compatibility updates.
v4       Packaged in the 4.2 update to erase BootMii as boot2. Also found preinstalled in LU64+ Wiis. Improves hardware compatibility, fixes the signing bug in the unused signature check code, and unintentionally breaks the HackMii Installer.
v5       Only found on Arabian Wiis, the Wii Mini and newer RVL-101 units.

References

1. https://github.com/fail0verflow/mini/blob/befb64ce1cd493946c9a9a0a412262a998f478d9/boot2.c#L35
2. https://hackmii.com/2008/07/factory2/
3. https://hackmii.com/2010/09/insert-startup-disc/
4. Factory 3 post by Hallowizer