Difference between revisions of "Wii factory process"

From Rare Gaming Dump
m
(Cleaned up a lot of the language on the page to make things easier to read)
 
(32 intermediate revisions by 8 users not shown)
Line 1: Line 1:
This article presents ''the little known'' information concerning the factory process of the Nintendo Wii, a console which [https://en.wikipedia.org/wiki/Wii_launch launched in 2006.]
+
{{Template:Outdated}}
  
Please note that our information on this topic is limited. It is mostly based on information from a single old HackMii article (which, to be fair, provides a lot of information), as well as assumptions. While that's not a great base for something like this, there isn't really a whole lot we can do about it; the only place we can really go from here is analyzing whole NAND dumps for remains, and once we figure out how to do that, we will gain some insights, but we still won't be able to answer every question without some kind of amazing discovery like the factory discs being dumped, which isn't bound to happen anytime soon. So while this may turn out to be inaccurate and end up being updated in the future, this is the process to the best of our understanding right now.  
+
'''Note''': This article is very old and inaccurate, mostly based on guesses and speculation from before data from the [[Zammis Clark Breach]] was available.
 +
 
 +
This article describes the process of how production Wii consoles are set up at the factory, from initial manufacturing of the chips to retail shipment.
 +
 
 +
===Basic Overview===
 +
 
 +
*[[boot0]] is imprinted into the Mask ROM inside the [[Hollywood]]/[[Bollywood]] during hardware production.
 +
 
 +
*A "prewrite" image is flashed to NAND containing [[boot1]] and a special [[boot2]] known as "sd_boot" during initial programming of the NAND.
 +
 
 +
*At the packaging plant, the Wii is powered on for the first time with SD card number 1 inserted. This SD card contains an image with a series of [[WAD]] files; sd_<nowiki/>boot will load one of these WADs, which is an installer program that installs the remaining WADs to NAND. These WADs typically include a System Menu, IOS4, and IOS9.
 +
 
 +
*Once the System Menu is installed, the "123J" disc is inserted. It is unknown what the actual title of this disc is, however it may be responsible for encrypting the NAND filesystem, updating [[boot1]], and setting the console's [[EFuse|eFuses]]. This disc seems to contain an additional partition with the Title ID "0000dead", which has been speculated to contain the program used to encrypt the NAND's filesystem.
 +
 
 +
*Next, a disc known as [[RVL_UJI_DIAG]] (with the Title ID 121J) is inserted, along with another SD card ("#1.5"). This disc runs test programs on the system to validate the operation of the hardware, writing logs to [[testlog.txt]] in the process; it then registers the console's serial number (over [[Waikiki]]), generates the system's [[Setting.txt]], and prepares for the next step of the process.
 +
 
 +
*The final disc, known as 122E, is then inserted; this disc installs a WAD called "DataChk.wad" from the SD card, which contains [[Data Check and Log Check]].
 +
*Data Check and Log Check (Title ID 0002) verifies the results of 121J, to ensure that the logs and console information on the system are correct.
 +
 
 +
*The contents of 122E's update partition are then installed, containing the standard set of channels found on a retail console along with the production [[Wii System Menu]].
 +
 
 +
Some [[Bollywood]] Wiis have a disc ID of "0003" in their [[uid.sys]] as well. It's currently unknown what it does, but it is generally found immediately after 122E and right before any signs of retail usage (typically seen as the 00010000-00555045 of a disc's UPDATE partition.)
  
Before setup, boot0, 1, and 2 are flashed, which begin the necessary processes of booting up the Wii in preparation for setup. Setup begins with a disc only titled "123J", also known as Data Check & Log Check, doing everything such as encrypting the NAND flash and potentially updating boot1. Another disc is inserted titled "121J", which we have less knowledge of. However, we know it enables the GameCube functionality of the Wii, and makes a factory test log file. Another disc titled "0002", also known as "Data Check & Log Check", runs tests from an SD card. After those tests, another disk named "122E" installs the System Menu, IOSes, and channels. After the installation of those files, the Wii is done with its factory phase and it would be now ready to ship.
 
 
__TOC__
 
__TOC__
== Preloading ==
 
Every Wii is preloaded at the hardware level with a couple pieces of software; these are already present on the Wii and will run when the Wii is powered on at the factory. The first of these pieces of software is boot0, the first piece of code ran on the Wii after power-on (which will stay the same from when it is physically programmed onto the chip to after factory setup, since it cannot physically be modified), which will check the Wii's OTP (one-time programmable) memory chip, and seeing that it is blank (as it is written to later in the process, using up its one opportunity to program it), determines that we are in the factory and continues with boot by loading boot1 from the NAND; after factory setup, there are keys present within this area, which boot0 uses to verify your copy of boot1, but during first factory boot this is neither possible nor needed, so boot0 skips it.  Next, boot1 loads from the NAND. Boot1 works as usual by verifying the signature of the boot2 on the NAND, then loading it; this process is identical as long as you have a properly signed boot2, so there's no special factory behavior that boot1 has here.
 
  
Next up, boot2 loads; the version of boot2 installed on a Wii once it comes out of the factory can only handle an encrypted NAND filesystem; the problem with that in the factory is that at this point the OTP has not been programmed, and since the OTP contains the console-unique NAND keys, it is impossible to have the NAND encrypted at this point. As such, the NAND is unencrypted, which the production version of boot2 cannot handle; presumably, a special factory version of boot2 (possibly boot2v0) is programmed on Wiis at this point, which can boot from unencrypted NAND filesystems and as such will continue boot as normal. The next thing to be loaded is the System Menu, although most likely not the retail System Menu as we know it; rather, a stripped-down version of the System Menu is loaded. While it isn't clear what exactly this System Menu is, one piece of evidence (someone obtaining a retail Wii with the NDEV menu installed on it) as well as common sense indicates that it is most likely the NDEV menu, intended for use on Wii development kits. This menu has minimal functionality compared to the retail menu, but all we need in the factory is the ability to read and boot discs, which it does provide; as such, it works just fine in the factory. It's unknown what version of the NDEV menu is used or what IOS is associated with it; it is possible that this changed over the Wii's lifespan with updates to the menu and its associated IOS.
+
==Preloading==
 +
Every Wii is preloaded at the hardware level with a few pieces of software; these are already present on the Wii and will run when the Wii is powered on at the factory. The first of these pieces of software is [[boot0]], which is the first piece of code that runs on the Wii after it powers on. This code always stays the same from when it is physically programmed onto the chip during manufacturing, since it cannot physically be modified. boot0 then checks the hash of the [[boot1]], which is stored in the Wii's [[eFuse]]<nowiki/>s, and at this point sees that they are blank, and determines that the Wii is currently in the factory and loads boot1 from NAND without a matching hash. This is because the eFuses are written to later during setup, using up the only opportunity to do so. boot1 works as usual by verifying the signature of [[boot2]] on the NAND, and then loading it.
  
== Setup ==
+
This version of boot2 being loaded at the factory is called "sd_boot", a special boot2 which does not read or write to NAND and instead boots from the SD card. An SD card (designated as SD#1) is prepared containing a number of [[WAD]] files (stored raw with no filesystem). One of these files contains an ARM binary that is then run on the [[IOP]], being an installer program which will install the other WADs on the SD card to the NAND. On production systems, this typically includes an [[NDEV Menu]], [[IOS]]4, and IOS9, although other variations have been seen such as images that install [[BC]] and [[MIOS]]. The NDEV Menu will then be booted, allowing for the next phase of setup to occur when a disc is inserted.
At this point, a disc would be inserted to actually begin the process of setting up the system. While this disc presumably has an official name which is currently unknown, it will be referred to as "123J", as 123J is the Title ID of the disc (as evidenced by its presence in the uid.sys logs of all Wiis, as well as other NAND remnants). This disc most likely runs on IOS4 or IOS9 (it is possible that this changed over the Wii's lifecycle as well with updates to the disc), and, as far as we are aware, serves one main purpose; writing to the OTP chip and encrypting the NAND filesystem. However, there is one other possible task that 123J may have performed; updating boot1. As Nintendo issued various updates to boot1 throughout the Wii's lifecycle (most infamously the update that fixed the trucha bug within it, aka disabling bootmii/boot2 on newer Wiis), the most logical way to issue these updates would be by implementing a function to update boot1 within 123J before writing to the OTP area (since the OTP area contains the hash of boot1, if you want to update boot1, you have to update it before writing the hash). Nintendo also could have simply updated the boot1 version in their pre-prepared set of files programmed onto the system physically before it even hits the factory stations, although doing this through 123J seems more logical.
 
  
After writing data to the OTP (therefore locking boot1, and setting all of the sysem's console-unique encryption keys), 123J encrypts the console's NAND filesystem using the newly generated NAND keys; these are the very same keys you get in your keys.bin file along with a BootMii dump, which are needed to decrypt the NAND. An odd behavior that many of the factory discs have which begins in 123J is "outsourcing" tasks by installing WADs to the NAND and then executing them in order to perform certain tasks, instead of just performing them with code on the disc. While it's not entirely clear why they chose to do this, it's good news for us since it means far more remnants are left on NAND for us to look at. 123J does this for the NAND encryption process by installing a title known as "0000dead"; you can see this for yourself in your very own Wii NAND dump by examining the installed titles; you will find one by this name which possesses no content, but it does still have a folder hierarchy and a TMD. This title also shows up in uid.sys, but not under the 0000dead name; instead, it shows up as a strange "√û" character, which is actually "DE AD" in hex.
+
==123J==
 +
At this point, a disc would be inserted to begin the process of setting up the system. While this disc presumably has an official name which is currently unknown, it will be referred to as "123J", as 123J is the [[GameID]] of the disc (as evidenced by its presence in the [[uid.sys]] logs of all Wiis, as well as other NAND remnants). This disc's exact purpose is unknown as no code from it has been recovered, but it is presumed that it plays the role of setting [[eFuse]] bits (which results in setting console-unique keys and finalizing the installed boot1 version), and possibly also updating boot1 and boot2 to prepare for the Wii to boot from a production encrypted NAND filesystem. This process likely would be done using a [[Waikiki]] from a PC host. This disc may contain a second partition with ID "0000dead".
  
Now that 123J has finished running, having written the OTP, encrypted the NAND, and possibly updated boot1, it's time to start our testing procedure to make sure the console is in working order. The next disc inserted to start this procedure is known by its title ID as 121J; 121J is probably the most mysterious of the factory discs, as its apparent purpose doesn't make much sense, and we don't have many remnants of it or information about it. It appears that 121J is a disc focused around the GameCube mode of the Wii; it installs BC and MIOS (files needed for GC compatibility), and performs a test of the GameCube compatibility mode. This seemingly makes sense, but as you'll see soon, 121J isn't the last disc to run tests; it's not known why it specifically was used for testing GC compatibility. While this is all we really know about the mysterious 121J, there is one more tidbit; 121J creates the factory test log file, which is then written to by the next factory disc. It's not known why the file isn't created by the next disc, but this may indicate '''that 121J had a larger part in the testing role than we believe'''. As GameCube testing information isn't written to the testlog, it's possible that originally it was, and this was simply removed but the testlog was still created by 121J so the next disc wouldn't have to be modified.
+
==RVL_UJI_DIAG==
The next disc is by far the most interesting. It does two things; installing an IOS used for testing, and installing a WAD file that does all the work.
+
The next disc inserted is [[RVL_UJI_DIAG]], with [[GameID]] 121J. A copy of this disc was obtained from an RVT-H Reader, and includes several testing programs which could be used to ensure the integrity of a unit's hardware, as well as programs that run pre-defined tests, the results of which are then written to [[testlog.txt]]. It also contains [[serNoReg]], the program which registers the console's serial number using a mentioned but unseen piece of PC software, and "PreWrite.dol", a program which seems to write data to NAND over [[EXI]] (Waikiki); it is unknown if this is used in retail system production or not.
  
Of course, we have this WAD file in full.
+
==122E==  
 
 
== DCLC Disc information ==  
 
 
[[File:0002-2.png|thumb|PUSH SD CARD, THEN REMOVE IT]]
 
[[File:0002-2.png|thumb|PUSH SD CARD, THEN REMOVE IT]]
 
[[File:0002-3.png|thumb|PUSH RESET BUTTON]]
 
[[File:0002-3.png|thumb|PUSH RESET BUTTON]]
 
''See also: [[Data Check and Log Check]]''
 
''See also: [[Data Check and Log Check]]''
  
This disc and accompanying WAD file are known as "0002", but the in-program name is "DATA CHECK & LOG CHECK".  There are two known versions of this file; one dumped from @Larsenv's NAND dump collection which is older (1.5.0), and one dumped from a Wii owned by a friend of @fluffy which is newer (1.5.1). The exact circumstances around the deletion of this file are unknown; it is NOT present on all Wiis after factory setup, in fact, it's absent from the majority of them. If you are reading this and have your Wii NAND dump at the ready, check it in ShowMiiWads, because you may find a new version of 0002. We're still not sure how this happens.
+
122E is a disc which has a game partition and an update partition; the game partition installs the title "0002" from the SD card (with filename "DataChk.wad"), and the update partition contains the final set of retail [[Wii System Menu]]/IOS/Channel data for production.
 +
 
 +
==0002==
 +
 
 +
0002 ('''DATA CHECK & LOG CHECK''') is a program which checks the results of 121J to ensure that diagnostics passed and data was written correctly. While this program is meant to be deleted before the process finishes, for unknown reasons it is still present intact on some Wiis and versions 1.5.0 and 1.5.1 have been recovered.
 +
 
 +
{{Template:WiiNavbox}}
  
Of course, that's just the meta info around 0002; what does it actually do? 0002 is the main app that runs all of the tests ran on each Wii during factory setup. However, 0002 doesn't actually contain any test programs; it reads and launches them off of an external SD card, based on a list of tests also present on said SD card known as all.ini. As this all.ini file is copied to NAND for an unknown reason, albeit removed afterwards, we also have a copy of it as bushing (RIP) salvaged it and uploaded it to HackMii. 0002 will read this file from the SD card, and launch test programs (in DOL format) from the SD card. As such, it's difficult to analyze 0002's behavior without actually having these test programs or all of the contents of the factory SD cards, as we only know about the all.ini and the presence of the test programs in it. It's worth noting that all.ini contains listings for test programs clearly intended only for Wii prototype models and even GameCube units of various types, meaning that it most likely dates back to pre-Wii and was used for some purpose on the GameCube; and that not all of the files are actually present on the factory SD cards, or at least not ran normally, as many of the programs would not even run on a standard retail Wii.
+
[[Category:Wii]]
  
Once 0002 has executed all its tests and verified that the Wii's hardware is OK to ship out, there's still one more step; installing the System Menu, IOSes, and channels. This process is akin to a standard disc update, where a disc is inserted, the contents of it are read, and WAD files are installed from those contents. The disc that handles this is known as 122E. Not much is specifically known about it, but it's pretty clear what it does; it installs the files on it, and sets up the Wii to be unboxed by the customer for the first time. As such, there are presumably many versions of this disc, and whenever Nintendo wanted to do an update to the Wii's pre-installed software, they just issued an update to this disc. Once this disc has finished doing its stuff, you're done; the System Menu has been installed, all of the pre-installed software has been installed, and the Wii is ready for packaging up and shipping. 35-year-old Jenny goes out and buys the Wii from her local Target and spends 10 minutes trying to figure out how to set up the sensor bar, then gets past the language select screen and sets it up so she can finally play Zumba Fitness.
+
[[Category:Factory]]
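Review bot: The added Basic Overview bullet for SD card number 1 says the installed WADs "typically include a System Menu, IOS4, and IOS9", while the added sd_boot paragraph under Preloading lists "an NDEV Menu, IOS4, and IOS9" and the 122E bullet separately installs "the production Wii System Menu"; name the NDEV Menu in the overview bullet so the two menus are not conflated. The overview bullets also call 121J and 0002 a "Title ID" where the added 123J and RVL_UJI_DIAG sections call 123J and 121J a "GameID"; one term should be used throughout. The empty nowiki tags in "sd_<nowiki/>boot" and "[[eFuse]]<nowiki/>s" look like editor residue and can be dropped.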

Latest revision as of 03:02, 17 December 2023

Note: This article is very old and inaccurate, mostly based on guesses and speculation from before data from the Zammis Clark Breach was available.

This article describes the process of how production Wii consoles are set up at the factory, from initial manufacturing of the chips to retail shipment.

Basic Overview

  • boot0 is imprinted into the Mask ROM inside the Hollywood/Bollywood during hardware production.
  • A "prewrite" image is flashed to NAND containing boot1 and a special boot2 known as "sd_boot" during initial programming of the NAND.
  • At the packaging plant, the Wii is powered on for the first time with SD card number 1 inserted. This SD card contains an image with a series of WAD files; sd_boot will load one of these WADs, which is an installer program that installs the remaining WADs to NAND. These WADs typically include a System Menu, IOS4, and IOS9.
  • Once the System Menu is installed, the "123J" disc is inserted. The actual title of this disc is unknown; however, it may be responsible for encrypting the NAND filesystem, updating boot1, and setting the console's eFuses. This disc seems to contain an additional partition with the Title ID "0000dead", which has been speculated to contain the program used to encrypt the NAND's filesystem.
  • Next, a disc known as RVL_UJI_DIAG (with the Title ID 121J) is inserted, along with another SD card ("#1.5"). This disc runs test programs on the system to validate the operation of the hardware, writing logs to testlog.txt in the process; it then registers the console's serial number (over Waikiki), generates the system's Setting.txt, and prepares for the next step of the process.
  • The final disc, known as 122E, is then inserted; this disc installs a WAD called "DataChk.wad" from the SD card, which contains Data Check and Log Check.
  • Data Check and Log Check (Title ID 0002) verifies the results of 121J, to ensure that the logs and console information on the system are correct.
  • The contents of 122E's update partition are then installed, containing the standard set of channels found on a retail console along with the production Wii System Menu.

Some Bollywood Wiis also have a disc ID of "0003" in their uid.sys. What it does is currently unknown, but it is generally found immediately after 122E and right before any signs of retail usage (typically seen as the 00010000-00555045 of a disc's UPDATE partition).
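The ordering described above can be checked against a NAND dump's uid.sys. The following Python is an added example, not code from this wiki or from any factory tool; it assumes a 12-byte record layout (8-byte big-endian title ID plus a 4-byte UID field) and that disc IDs are stored as ASCII in the low word, and its sample bytes are constructed.

```python
import struct

# Assumed layout (not given on this page): 12-byte records, each an 8-byte
# big-endian title ID followed by a 4-byte UID field, in order of first use.
RECORD = struct.Struct(">QI")
DISC_TYPE = 0x00010000  # high word, as in "00010000-00555045" above
FACTORY_ORDER = ["123J", "121J", "122E", "0003"]  # sequence the article gives
FACTORY_IDS = set(FACTORY_ORDER) | {"0002"}


def label(low_word):
    """Show the low 32 bits as a 4-character ID if printable, else as hex."""
    raw = low_word.to_bytes(4, "big")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def parse_uid_sys(blob):
    """Split a uid.sys image into records, rejecting a truncated file."""
    if len(blob) % RECORD.size:
        raise ValueError("uid.sys length is not a multiple of 12 bytes")
    entries = []
    for title_id, uid in RECORD.iter_unpack(blob):
        high, low = title_id >> 32, title_id & 0xFFFFFFFF
        entries.append({"title": f"{high:08x}-{low:08x}", "type": high,
                        "label": label(low), "uid": uid})
    return entries


def factory_report(entries):
    """List factory disc IDs in file order and flag departures from the article."""
    discs = [e["label"] for e in entries if e["type"] == DISC_TYPE]
    factory = [d for d in discs if d in FACTORY_IDS]
    retail = [d for d in discs if d not in FACTORY_IDS]
    findings = []
    seen = [d for d in factory if d in FACTORY_ORDER]
    if seen != [d for d in FACTORY_ORDER if d in seen]:
        findings.append("factory discs out of order: " + " ".join(seen))
    for required in FACTORY_ORDER[:3]:  # 0003 is only on some consoles
        if required not in factory:
            findings.append("missing factory disc " + required)
    if factory and retail and discs.index(retail[0]) < discs.index(factory[-1]):
        findings.append("retail title " + retail[0] + " precedes factory disc")
    return {"factory": factory, "first_retail": retail[0] if retail else None,
            "findings": findings}


def make_record(high, low, uid):
    """Pack one record in the assumed layout (used to build test input)."""
    return RECORD.pack((high << 32) | low, uid)


def ascii_id(text):
    """Convert a 4-character disc ID to the 32-bit value of its ASCII bytes."""
    return int.from_bytes(text.encode("ascii"), "big")


# Constructed sample, not bytes from a real console.
SAMPLE = b"".join([
    make_record(0x00000001, 0x00000002, 0x1000),  # non-disc title, ignored
    make_record(DISC_TYPE, ascii_id("123J"), 0x1001),
    make_record(DISC_TYPE, ascii_id("121J"), 0x1002),
    make_record(DISC_TYPE, ascii_id("122E"), 0x1003),
    make_record(DISC_TYPE, ascii_id("0003"), 0x1004),
    make_record(DISC_TYPE, 0x00555045, 0x1005),   # first retail-usage entry
])

if __name__ == "__main__":
    print(factory_report(parse_uid_sys(SAMPLE)))
```

An empty findings list means the file matches the sequence given in this article; any entry in it marks a dump worth a closer look.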

Preloading

Every Wii is preloaded at the hardware level with a few pieces of software; these are already present on the Wii and will run when the Wii is powered on at the factory. The first of these is boot0, the first piece of code that runs on the Wii after it powers on. This code stays the same from the moment it is physically programmed onto the chip during manufacturing, since it cannot physically be modified. boot0 then checks boot1 against a hash stored in the Wii's eFuses; at this point it sees that the eFuses are blank, determines that the Wii is currently in the factory, and loads boot1 from NAND without a matching hash. The eFuses are blank because they are written later during setup, which uses up the only opportunity to do so. boot1 works as usual by verifying the signature of boot2 on the NAND and then loading it.

The version of boot2 loaded at the factory is called "sd_boot", a special boot2 which does not read or write to NAND and instead boots from the SD card. An SD card (designated as SD#1) is prepared containing a number of WAD files (stored raw with no filesystem). One of these files contains an ARM binary that is then run on the IOP; it is an installer program which installs the other WADs on the SD card to the NAND. On production systems, this typically includes an NDEV Menu, IOS4, and IOS9, although other variations have been seen, such as images that install BC and MIOS. The NDEV Menu is then booted, allowing the next phase of setup to occur when a disc is inserted.

123J

At this point, a disc would be inserted to begin the process of setting up the system. While this disc presumably has an official name which is currently unknown, it will be referred to as "123J", as 123J is the GameID of the disc (as evidenced by its presence in the uid.sys logs of all Wiis, as well as other NAND remnants). This disc's exact purpose is unknown as no code from it has been recovered, but it is presumed that it plays the role of setting eFuse bits (which results in setting console-unique keys and finalizing the installed boot1 version), and possibly also updating boot1 and boot2 to prepare for the Wii to boot from a production encrypted NAND filesystem. This process likely would be done using a Waikiki from a PC host. This disc may contain a second partition with ID "0000dead".

RVL_UJI_DIAG

The next disc inserted is RVL_UJI_DIAG, with GameID 121J. A copy of this disc was obtained from an RVT-H Reader, and includes several testing programs which could be used to ensure the integrity of a unit's hardware, as well as programs that run pre-defined tests, the results of which are then written to testlog.txt. It also contains serNoReg, the program which registers the console's serial number using a mentioned but unseen piece of PC software, and "PreWrite.dol", a program which seems to write data to NAND over EXI (Waikiki); it is unknown if this is used in retail system production or not.

122E

[Image 0002-2.png: PUSH SD CARD, THEN REMOVE IT]
[Image 0002-3.png: PUSH RESET BUTTON]

See also: Data Check and Log Check

122E is a disc which has a game partition and an update partition; the game partition installs the title "0002" from the SD card (with filename "DataChk.wad"), and the update partition contains the final set of retail Wii System Menu/IOS/Channel data for production.

0002

0002 (DATA CHECK & LOG CHECK) is a program which checks the results of 121J to ensure that diagnostics passed and data was written correctly. While this program is meant to be deleted before the process finishes, for unknown reasons it is still present intact on some Wiis, and versions 1.5.0 and 1.5.1 have been recovered.