Wii - Understanding Bootmii Installed in boot2

vbimport

#1

To install bootmii, run the hackmii installer using bannerbomb.

There are two versions of bootmii.

bootmii installed as IOS

As a backup restore method, bootmii/IOS is completely useless. [Well, there is a method to load bootmii/IOS from priiloader and an autoboot disc; however, if you are able to access priiloader and the recovery menu, then there are better methods to recover.]

bootmii Installed in boot2

As a backup restore method, bootmii/boot2 is the best, most helpful and reliable method available.

Being able to install bootmii/boot2 gives you the advantage of being able to back up your NAND and restore your NAND no matter what happens to the rest of your Wii’s software, as boot2 is what actually calls for the IOS, System Menu and PPC to load. You can completely erase every IOS and remove your system menu. boot2 will still load with bootmii installed and you can recover your NAND backup.

boot2 is the first writable area of the Wii which is loaded during power up. boot2 has limited hardware functionality. As such, the Wii remote and USB devices are not accessible. Only the SD card slot, a GameCube controller and the front panel buttons are functional.

To navigate the bootmii menu, you briefly press the power button to navigate and briefly press the reset button to select.

Here’s how the system normally boots:

  1. System turns on
  2. boot0 / boot1 / boot2 run on Starlet
  3. boot2 loads the TMD for the System Menu, reads the required IOS version, then chainloads to that version of IOS
  4. Newly loaded version of IOS loads System Menu from NAND into memory, then turns on PPC and starts it executing
  5. User selects channel or disc; IOS loads TMD, reloads into new IOS
  6. IOS loads game from NAND or disc into RAM, then bootstraps PPC

boot0 is the first part of the Starlet bootchain. It is hardcoded in mask ROM in every Hollywood chip; it will never change. It is designed to be small and simple, because it’s impossible to fix any bugs that are found there. boot0’s function is to retrieve a hash to compare boot1 against, to use the NAND Flash controller to read the encrypted boot1, to use SRAM to store the decrypted boot1, and to authenticate boot1.

boot1 is the second stage of the Wii’s bootloader. It lives at the beginning of flash; it is encrypted using a fixed key. It is hashed and verified against a hash that is burned into OTP memory inside the Hollywood during manufacturing. Therefore, boot1 can be changed in a Wii before it leaves the factory, and new Wiis could have a new version of boot1, but it’s not possible to upgrade or modify boot1 in an existing Wii. Fortunately, there is at least one bug in boot1, the strncmp / hash verification bug [also known as the trucha bug], and this is what makes all the hacking possible. Unfortunately, almost every Wii produced after Aug 2008 has a fixed boot1, making bootmii/boot2 impossible.
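
The "strncmp / hash verification bug" named in the post above is what happens when a binary digest is compared with a string function. The C below is an added example, not part of the original post and not the console's boot code; the function names and digest bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20 /* SHA-1 digest size in bytes */

/* Flawed: strncmp treats the digests as C strings, so it stops at the
 * first 0x00 byte and never looks at the bytes after it. */
int digest_equal_strncmp(const uint8_t *a, const uint8_t *b)
{
    return strncmp((const char *)a, (const char *)b, DIGEST_LEN) == 0;
}

/* Correct: always compares all DIGEST_LEN bytes, with no early exit. */
int digest_equal_fixed(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Constructed sample digests (not taken from any real image). */
const uint8_t trusted[DIGEST_LEN] = {
    0x3a, 0x91, 0x00, 0x5c, 0x12, 0xf0, 0x44, 0x9b, 0x07, 0xde,
    0x61, 0x2e, 0xc3, 0x18, 0xaa, 0x75, 0x0b, 0x84, 0xe9, 0x36};
/* Same first three bytes (including the 0x00), different afterwards. */
const uint8_t differs_after_nul[DIGEST_LEN] = {
    0x3a, 0x91, 0x00, 0xe7, 0x55, 0x0d, 0xb2, 0x6f, 0x29, 0x13,
    0x8c, 0xf4, 0x70, 0x4e, 0x01, 0xd8, 0x9a, 0x22, 0xbd, 0x67};
/* Differs in the very first byte, before any 0x00. */
const uint8_t differs_at_start[DIGEST_LEN] = {
    0x3b, 0x91, 0x00, 0x5c, 0x12, 0xf0, 0x44, 0x9b, 0x07, 0xde,
    0x61, 0x2e, 0xc3, 0x18, 0xaa, 0x75, 0x0b, 0x84, 0xe9, 0x36};

int main(void)
{
    printf("differs after 0x00: strncmp=%d fixed=%d\n",
           digest_equal_strncmp(trusted, differs_after_nul),
           digest_equal_fixed(trusted, differs_after_nul));
    printf("differs at start:   strncmp=%d fixed=%d\n",
           digest_equal_strncmp(trusted, differs_at_start),
           digest_equal_fixed(trusted, differs_at_start));
    return 0;
}
```

The fixed-length comparison is the property a verifier needs: every byte of the digest takes part in the decision, regardless of its value.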


#2

I must say I was pretty scared when the bootmii didn’t respond to my remotes, and after the 5 dot countdown I saw a lot of bright flashes on the TV. But it booted anyway, so all is well.

This, and all the other threads you have posted, Troy512, have helped me a lot and I hope it will help others. Many many thanks!

Perhaps it’s time to put all the tutorials in a big huge sticky post :)