boot1

From Rare Gaming Dump

This topic has a Wiibrew article.

boot1 is the Wii's second-stage bootloader. It is loaded by boot0, and its only purpose is to load and verify boot2 using an RSA signature. It serves as a gap stage that allows boot2 to be updated on all systems while still keeping boot2 secure, since boot0 has too little space for the signature verification code needed to verify boot2 directly.

Verification

boot1 is verified by boot0 using a fixed hash stored in the Wii's OTP area, which is written during initial factory setup on retail units. This area is not rewritable, so the boot1 installed at the factory is the only boot1 that Wii can ever run. However, boot0 allows the system to boot with a blank OTP, so on development systems with a blank OTP, or on factory systems that have not yet been initialized, boot1 can be modified.
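The boot0 policy described above, modelled as an added example (this is not Nintendo's code or code from the Wiibrew article): a write-once OTP slot holding the boot1 hash, a retail unit that accepts only the factory boot1, and a blank-OTP unit that accepts any boot1. SHA-1 as the hash algorithm and all-zero bytes as the blank OTP state are assumptions of this model.

```python
import hashlib
import hmac

HASH_LEN = 20                  # SHA-1 digest length (assumption: boot0 hashes boot1 with SHA-1)
OTP_BLANK = bytes(HASH_LEN)    # unprogrammed OTP slot modelled as all-zero bytes (assumption)


class Otp:
    """Model of the one-time-programmable area: the boot1 hash slot is write-once."""

    def __init__(self) -> None:
        self.boot1_hash = OTP_BLANK

    def program_boot1_hash(self, boot1_image: bytes) -> None:
        """Factory step: burn the hash of boot1 into OTP. Fails if already programmed."""
        if self.boot1_hash != OTP_BLANK:
            raise PermissionError("OTP already programmed: this unit's boot1 is fixed")
        self.boot1_hash = hashlib.sha1(boot1_image).digest()


def boot0_accepts_boot1(otp: Otp, boot1_image: bytes) -> bool:
    """boot0 policy from the article: hash the loaded boot1 image and compare it with
    the fixed OTP hash. A blank OTP (development or unfused unit) boots any boot1."""
    if otp.boot1_hash == OTP_BLANK:
        return True
    digest = hashlib.sha1(boot1_image).digest()
    # constant-time comparison over the full binary digest, never a string compare
    return hmac.compare_digest(digest, otp.boot1_hash)


def retail_unit_can_run(boot1_factory: bytes, boot1_candidate: bytes) -> bool:
    """Fuse a unit with its factory boot1, then ask whether a candidate boot1 image
    would be accepted by boot0 on that unit afterwards."""
    otp = Otp()
    otp.program_boot1_hash(boot1_factory)
    return boot0_accepts_boot1(otp, boot1_candidate)


def otp_is_write_once() -> bool:
    """Shows that a fused unit cannot have its boot1 hash replaced."""
    otp = Otp()
    otp.program_boot1_hash(b"constructed boot1 v1")
    try:
        otp.program_boot1_hash(b"constructed boot1 v2")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("retail, factory boot1:", retail_unit_can_run(b"boot1 v1", b"boot1 v1"))          # True
    print("retail, modified boot1:", retail_unit_can_run(b"boot1 v1", b"boot1 v1 patched"))  # False
    print("dev unit, blank OTP:", boot0_accepts_boot1(Otp(), b"boot1 v1 patched"))          # True
    print("OTP is write-once:", otp_is_write_once())                                         # True
```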

Vulnerabilities

Older versions of boot1 were vulnerable to the fakesigning bug present in all initial versions of IOS, allowing custom versions of boot2 to be installed. This was fixed in later systems (known as LU64+ systems). Because boot1 cannot be modified once retail factory setup is complete, these systems cannot have boot2 modifications installed.

BC

The GameCube backwards compatibility title, BC, present on the Wii (and, for unknown reasons, on the vWii and Wii Mini) serves as a redirector to boot1 that bootstraps the system into GameCube mode. It complements MIOS in allowing the Wii to boot and run GameCube games.