boot2

Revision as of 06:45, 3 March 2021 by Conversion script (talk | contribs) (Conversion script moved page Boot2 to boot2: Converting page titles to lowercase)


Wii.png This topic has a Wiibrew article. For more information, check here.

boot2 is the Wii's third-stage bootloader; it is stored in the BroadOn WAD format, which includes a ticket that is encrypted with the common key and signed.

boot2 versions 1 through 4 are known to exist. 1 is only seen on prerelease consoles including those with the Startup Disc Menu installed, 2 is seen on earlier units, 3 came preinstalled on some newer systems, and 4 was deployed to all Wiis with a system menu update.

boot2 update controversy

Upon the release of the 4.2 System Menu update, which is believed to be the first time that a boot2 update was deployed to existing systems, it was discovered that a flaw in the ES_ImportBoot function used to update boot2 lead to the bricking of consoles which were installing the update.

It is unknown if this issue was ever encountered outside of this update, since this is believed to be the only time that a boot2 update was deployed to existing systems.

Verification

boot2 is verified by boot1, a program which cannot be changed on normal retail systems after factory setup due to boot0 verifying it against a fixed hash in the non-rewritable OTP. As such, it is impossible to downgrade boot1 to enable the use of a modified boot2 on Wiis which do not have a boot1 version which is vulnerable to the fakesigning bug, therefore making it impossible to install BootMii as boot2 (or other custom boot2 solutions) on these Wiis. These Wiis are known as LU64+ systems.

sd_boot

During the Wii Factory Process, a special boot2 known as "sd_boot" is used. This boot2 will verify and launch a BroadOn-format WAD from the SD card rather than continuing boot from NAND. sd_boot has an exploit in the SD reading code which allows for arbitrary code execution at coldboot with an SD card inserted, and as a retail signed sd_boot title is available which can be installed on any Wii (even Bollywood), this removes the previous restriction of not being able to run code (such as BootMii) as boot2 on newer Wiis.

This boot2 uses version number 0, while the earliest 'normal' boot2 has version number 1.