Changes

[[File:0002-3.png|thumb|PUSH RESET BUTTON]]

[[File:0002-3.png|thumb|PUSH RESET BUTTON]]

Wii factory setup process, as far as we understand it:

The Wii factory setup process, as far as we understand it.

Please note that our information on this topic is limited. It is mostly based on information from a single old HackMii article (which, to be fair, provides a lot of information), as well as assumptions. While that's not a great base for something like this, there isn't really a whole lot we can do about it; the only place we can really go from here is analyzing whole NAND dumps for remains, and once we figure out how to do that, we will gain some insights, but we still won't be able to answer every question without some kind of amazing discovery like the factory discs being dumped, which isn't bound to happen anytime soon. So while this may turn out to be inaccurate and end up being updated in the future, this is the process to the best of our understanding right now:

Please note that our information on this topic is limited. It is mostly based on information from a single old HackMii article (which, to be fair, provides a lot of information), as well as assumptions. While that's not a great base for something like this, there isn't really a whole lot we can do about it; the only place we can really go from here is analyzing whole NAND dumps for remains, and once we figure out how to do that, we will gain some insights, but we still won't be able to answer every question without some kind of amazing discovery like the factory discs being dumped, which isn't bound to happen anytime soon. So while this may turn out to be inaccurate and end up being updated in the future, this is the process to the best of our understanding right now.

Every Wii is preloaded at the hardware level with a couple pieces of software; these are already present on the Wii and will run when the Wii is powered on at the factory. The first of these pieces of software is boot0, the first piece of code ran on the Wii after power-on (which will stay the same from when it is physically programmed onto the chip to after factory setup, since it cannot physically be modified), which will check the Wii's OTP (one-time programmable) memory chip, and seeing that it is blank (as it is written to later in the process, using up its one opportunity to program it), determines that we are in the factory and continues with boot by loading boot1 from the NAND; after factory setup, there are keys present within this area, which boot0 uses to verify your copy of boot1, but during first factory boot this is neither possible nor needed, so boot0 skips it.  Next, boot1 loads from the NAND. Boot1 works as usual by verifying the signature of the boot2 on the NAND, then loading it; this process is identical as long as you have a properly signed boot2, so there's no special factory behavior that boot1 has here.

Every Wii is preloaded at the hardware level with a couple pieces of software; these are already present on the Wii and will run when the Wii is powered on at the factory. The first of these pieces of software is boot0, the first piece of code ran on the Wii after power-on (which will stay the same from when it is physically programmed onto the chip to after factory setup, since it cannot physically be modified), which will check the Wii's OTP (one-time programmable) memory chip, and seeing that it is blank (as it is written to later in the process, using up its one opportunity to program it), determines that we are in the factory and continues with boot by loading boot1 from the NAND; after factory setup, there are keys present within this area, which boot0 uses to verify your copy of boot1, but during first factory boot this is neither possible nor needed, so boot0 skips it.  Next, boot1 loads from the NAND. Boot1 works as usual by verifying the signature of the boot2 on the NAND, then loading it; this process is identical as long as you have a properly signed boot2, so there's no special factory behavior that boot1 has here.

Next up, boot2 loads; the version of boot2 installed on a Wii once it comes out of the factory can only handle an encrypted NAND filesystem; the problem with that in the factory is that at this point the OTP has not been programmed, and since the OTP contains the console-unique NAND keys, it is impossible to have the NAND encrypted at this point. As such, the NAND is unencrypted, which the production version of boot2 cannot handle; presumably, a special factory version of boot2 (possibly boot2v0) is programmed on Wiis at this point, which can boot from unencrypted NAND filesystems and as such will continue boot as normal. The next thing to be loaded is the System Menu, although most likely not the retail System Menu as we know it; rather, a stripped-down version of the System Menu is loaded. While it isn't clear what exactly this System Menu is, one piece of evidence (someone obtaining a retail Wii with the NDEV menu installed on it) as well as common sense indicates that it is most likely the NDEV menu, intended for use on Wii development kits. This menu has minimal functionality compared to the retail menu, but all we need in the factory is the ability to read and boot discs, which it does provide; as such, it works just fine in the factory. It's unknown what version of the NDEV menu is used or what IOS is associated with it; it is possible that this changed over the Wii's lifespan with updates to the menu and its associated IOS.

Next up, boot2 loads; the version of boot2 installed on a Wii once it comes out of the factory can only handle an encrypted NAND filesystem; the problem with that in the factory is that at this point the OTP has not been programmed, and since the OTP contains the console-unique NAND keys, it is impossible to have the NAND encrypted at this point. As such, the NAND is unencrypted, which the production version of boot2 cannot handle; presumably, a special factory version of boot2 (possibly boot2v0) is programmed on Wiis at this point, which can boot from unencrypted NAND filesystems and as such will continue boot as normal. The next thing to be loaded is the System Menu, although most likely not the retail System Menu as we know it; rather, a stripped-down version of the System Menu is loaded. While it isn't clear what exactly this System Menu is, one piece of evidence (someone obtaining a retail Wii with the NDEV menu installed on it) as well as common sense indicates that it is most likely the NDEV menu, intended for use on Wii development kits. This menu has minimal functionality compared to the retail menu, but all we need in the factory is the ability to read and boot discs, which it does provide; as such, it works just fine in the factory. It's unknown what version of the NDEV menu is used or what IOS is associated with it; it is possible that this changed over the Wii's lifespan with updates to the menu and its associated IOS.

At this point, a disc would be inserted to actually begin the process of setting up the system. While this disc presumably has an official name which is currently unknown, it will be referred to as "123J", as 123J is the Title ID of the disc (as evidenced by its presence in the uid.sys logs of all Wiis, as well as other NAND remnants). This disc most likely runs on IOS4 or IOS9 (it is possible that this changed over the Wii's lifecycle as well with updates to the disc), and, as far as we are aware, serves one main purpose; writing to the OTP chip and encrypting the NAND filesystem. However, there is one other possible task that 123J may have performed; updating boot1. As Nintendo issued various updates to boot1 throughout the Wii's lifecycle (most infamously the update that fixed the trucha bug within it, aka disabling bootmii/boot2 on newer Wiis), the most logical way to issue these updates would be by implementing a function to update boot1 within 123J before writing to the OTP area (since the OTP area contains the hash of boot1, if you want to update boot1, you have to update it before writing the hash). Nintendo also could have simply updated the boot1 version in their pre-prepared set of files programmed onto the system physically before it even hits the factory stations, although doing this through 123J seems more logical.

At this point, a disc would be inserted to actually begin the process of setting up the system. While this disc presumably has an official name which is currently unknown, it will be referred to as "123J", as 123J is the Title ID of the disc (as evidenced by its presence in the uid.sys logs of all Wiis, as well as other NAND remnants). This disc most likely runs on IOS4 or IOS9 (it is possible that this changed over the Wii's lifecycle as well with updates to the disc), and, as far as we are aware, serves one main purpose; writing to the OTP chip and encrypting the NAND filesystem. However, there is one other possible task that 123J may have performed; updating boot1. As Nintendo issued various updates to boot1 throughout the Wii's lifecycle (most infamously the update that fixed the trucha bug within it, aka disabling bootmii/boot2 on newer Wiis), the most logical way to issue these updates would be by implementing a function to update boot1 within 123J before writing to the OTP area (since the OTP area contains the hash of boot1, if you want to update boot1, you have to update it before writing the hash). Nintendo also could have simply updated the boot1 version in their pre-prepared set of files programmed onto the system physically before it even hits the factory stations, although doing this through 123J seems more logical.

Of course, we have this WAD file in full.

Of course, we have this WAD file in full.

This disc and accompanying WAD file are known as "0002", but the in-program name is "DATA CHECK & LOG CHECK".  There are two known versions of this file; one dumped from @Larsenv's NAND dump collection which is older (1.5.0), and one dumped from a Wii owned by a friend of @fluffy which is newer (1.5.1). The exact circumstances around the deletion of this file are unknown; it is NOT present on all Wiis after factory setup, in fact, it's absent from the majority of them. If you are reading this and have your Wii NAND dump at the ready, check it in ShowMiiWads, because you may find a new version of 0002. We're still not sure how this happens. (Also, as we have 0002, screenshots of it will be posted at the end.)

This disc and accompanying WAD file are known as "0002", but the in-program name is "DATA CHECK & LOG CHECK".  There are two known versions of this file; one dumped from @Larsenv's NAND dump collection which is older (1.5.0), and one dumped from a Wii owned by a friend of @fluffy which is newer (1.5.1). The exact circumstances around the deletion of this file are unknown; it is NOT present on all Wiis after factory setup, in fact, it's absent from the majority of them. If you are reading this and have your Wii NAND dump at the ready, check it in ShowMiiWads, because you may find a new version of 0002. We're still not sure how this happens. (Also, as we have 0002, screenshots of it will be posted at the end.)