Gooday Gaming Guests - The Best 3 Nintendo Later Boot Systems.
Episode Date: December 21, 2024I am a big fan of Wii U, ...
Transcript
Discussion (0)
Alright, so today I'm going to continue on the boot process of the early Nintendos, which we did yesterday, which was their NES, Super Nintendo, Fancom, and Super Fancom. that I made for chat for my buddy Zippy here and so the correction I wrote
is N64 has an olegic region lock it uses different cartridge slot notches on the
cartridge itself I can play US or Japan on any N64 because it was saying
there's a region chip on there isn't so then Zippy replied
you are absolutely correct the N64 does not use a software-based region lock like many modern
systems instead it region its region lock is purely hardware based relying on physical notches and to so therefore I can play cartridge at different
regions and yes NTSC the cartridge and all the identical and shape I have different notch
placements the PAL European cards have a slightly different shape compared to the region with the
notch placement specifically for the PAL PAL being being Europe. The cartridge slot on conversion slot or you can just cut the
the slot out or the at least where the notches are alright so it says PAL
region considerations if you try to use PAL it's a different you need a PAL
monitor which I do have or a PAL. I have that as well. Alright. So that was a correction at the end of yesterday.
So now I'm going to go to.
Alright.
So we're going to do.
Let's do GameCube.
Boot.
This should be significantly better.
Than.
It's predecessor of the N64 significantly so let's go GameCube boot process and see what we get yeah so more advanced it and this actually says the
Nintendo GameCube boot process is more advanced than its predecessors.
Incorporating a BIOS stored in ROM.
A startup animation and hardware checks to ensure
system integrity.
Alright, so let's go on to
GameCube here.
So, power on initialization.
When powered on, the IBM PowerPC Gecko CPU.
So that's what it uses.
IBM PowerPC Gecko, G-E-K-K-O CPU.
Instructions stored in the system's IPL initial program loader
which is the games cubes BIOS. The IPL is a 1.5 megabyte ROM chip located on a
motherboard. It manages hardware installation and disk verification.
So that's where you would probably change the region.
The IPL performs the following tasks.
System hardware checks verifies the integrity
of core components, including the CPU, RAM, graphics,
processor, flipper, and disk drive.
So all the issues with the GameCube are usually the disk drive issues.
And of that, it's the lens assembly.
And of that, it's the laser board, usually.
Initializing and tests of 16 megabytes of high-speed DR ram and 24 megabytes of main memory main memory a ram
uh controller check detects control or peripherals memory cards game boy player
disk spin up the disk spins up and the system detects for a valid disc usually that's where of all those
systems that i've worked on i put tens of thousands of hours on gamecube by far more than any other
system especially the disc drive that's where i put so many hours in not even it's crazy how many hours i got lots and lots of videos with those with these
but it's the number one part seller and at one time i was selling tons of stuff from
not really much anymore because i really don't have anything left but i have some all right so
we're at startup animation if the hardware passes all checks the gamecube startup animation plays
there is an error code that you can get and that's because either your laser board has got an issue passes all checks the GameCube startup animation plays.
There is an error code that you can get,
and that's because either your laser board
has got an issue, or there is no laser board
connected correctly, so you'll get that error.
It's normal, so it's not finishing that test,
therefore giving you an error.
This sequence is stored in the IPL,
provides visual feedback that the
system is functioning properly.
So then we are at Disk Verification. Once the startup animation finishes, the IPL checks
the disk in the drive. Disk Authorization. The system reads specific data on the disc to ensure it's a legit GameCube disc. The GameCube uses
proprietary mini DVD discs and the IPL verifies their unique format. Region check. The IPL
confirms the disc's region matches PAL or Japan or US. If it fails, it returns to the system menu. The game loading,
the IPL loads the game in DOL, Dolphin Executable File, and the main executable for GameCube game. The game initializes and takes over the system. System menu
if no disk or error. If no disk is detected the system loads the GameCube
system menu providing access to memory card management, disk retry options. Additional features in boot process.
Monetary mini DVD disc format.
Gamecube uses a smaller 1.5 disc to help prevent piracy and ensures IPL can quickly verify.
Region lock.
Optional BIOS modifications.
Some modified GameCubes
replace the IPL with a custom BIOS,
Swiss or GBI,
to enable region-free play
or homebrew functionality.
I think that's that Pico boot.
I never finished that yet.
I still have it.
Process of boot
processing.
Power on. The IPL executes.
Initializes the hardware and checks for a disk.
Startup animation.
Disk verification.
And game loading system menu.
The game boot process is
seamless. But it really isn't.
Pretty much every issue
with the game
board as I said is disc related the the disk drive assembly and then of that
it's the laser board and then do we so we'll go to weup. Now boot process. This should be significantly upgraded. Alright,
let's try the Wii. I believe that's in order, right? Alright, so we're on to the Wii. Lots
of things going on with the Wii. So the processor we decided in the, it IBM what we say that was IBM Oh IBM power
PC gecko GE that's the CPU for the game you know we're on to I just lost it.
We're on to I just lost it.
We're on to Wii.
There's a few different Wiis.
Alright, GameCube boot.
I lost my
train of thought here. I forgot where it was. Okay, now we're on the Wii. The Nintendo Wii boot process is more advanced and secure compared to its predecessors, incorporating a built-in operating system, encryption mechanism, and sophisticated hardware initialization. Here is a detailed breakdown of the Wii boot process.
Power on initialization.
When powered on the Broadway CPU and IBM
PowerPC process, it begins executing instructions
stored in the boot ROM located in the Wii's motherboard.
This ROM, also known as boot zero,
is part of Wii's secure boot chain and cannot be modified.
Although most Wiis are home brewed, so.
Boot zero performs basic hardware checks
and initializes the system,
verifies the integrity of boot one the next stage in
the boot chain using a cryptic graphic hash
all right see we're ready all right so now we're on to boot execution. Boot with one execution stored in a writable portion of the Wiis NNAD memory is responsible for initializing the Hollywood GPU used for the system menu and the iOS input-output system module, which are required for system functionality.
Passing control to boot2.
Boot2 execution is the final stage of Wiis booter it loads the system's memory and then then memory initializes
peripherals such as Wii remotes disk drives SD cards starts the system menu
applications so lots of times you get black screen so or no signal black
screen can be a bad bluetooth little board or if it's not on correctly.
Sometimes the no signal could be a bad wi-fi board or if it's not on. So then you go to
system menu initialization. The system menu is in the wii's main operating system interface and is loaded as a channel application.
Once loaded the system menu displays the user interface with available channels, disk, channel,
Wii, shopping, etc.
Checks for an inserted game provides access to system settings, save data, and other features.
Disk and Application Execution. access to system settings save data and other features disk and application
execution if the game disk is inserted the Wii authenticates the disk
using encrypted key stored in the Hollywood GPU loads the appropriate iOS
version required by the game executes game, transfers control to the system menu to the game executable.
If no disk is present, users can launch applications from channels such as virtual
console games, weware and other apps. Security measures in the we boot process crypto graphic verification system disk or authoring
authorization what's its occasion and then iOS system uses a modular iOS
software to manage resources and games to recover and maintenance mode it's a
we fails to properly recover features such as maintenance mode
or third-party tools like boot MI
for modding systems can be used.
So boot MI.
So the process of booting is boot zero,
performs the basic hardware checks,
and verifies boot one.
Boot one initializes the gpu and loads boot two
boot two loads and starts the game system menu provides a user interface and options to launch
games and then game and application launch initialize and and execute. The Wii's boot process reflects Nintendo's focus
on their user experience, security, hardware efficiency,
providing a seamless and protected startup for games.
All right, so we'll finish up with Nintendo Wii U.
Nintendo Wii U boot process.
Okay, we'll do that one.
Let's see what we get for that.
That'll be something that Nintendo's done.
Alright, so we'll go there in one second.
We'll go there in a minute.
Alright, let's go on to Wii U.
Okay.
Nintendo Wii U boot process is more advanced and complex than its predecessor, the Wii.
It reflects its dual system architecture.
Nintendo Wii U mode and backwards compatible Wii mode.
And a secure operating system.
Here are the details for the Wii U.
Interesting. and a secure operating system. Here are the details for the Wii U.
So when powered on the Wii U has an Expresso CPU which is an IBM PowerPC based processor
stored in the boot ROM.
The boot ROM is the first step in the chain
boot chain
responsible for loading.
Boot ROM execution does a hardware check
ensures a CPU RAM and GPU ladder are operational the boot ROM verifies
integrity of authenticity considered the boot zero code stored in the NAD flash memory using cryptographic signatures. If
verification fails the system halts preventing unauthorized code execution.
Boot zero execution a signed piece of firmware stored on that is responsible for initializing the LADA GPU, verifying loading
boot 1.
Boot 1 is the second stage of the bootloader.
It initializes system memory, 2GB of DDR3 RAM, interesting, and io systems loads the iosu input output system for wii u kernel
i always want to know what kernel meant i gotta figure that one out and nad
or the emmc storage transfers control to boot 2 okay so the iOSU kernel initialization. Kernel acts as a low-level operating system, managing hardware resources, security, and communications between systems. Disk Authorization, Digital Rights Management, Enforcements for Downloaded Code Content,
Resource Allocation for Different Applications including System Menu, System Menu and Game
Pad Initialization.
Once the iOS Kernel is active, the system menu application is loaded.
The system performs the following tasks.
Gamepad initialization.
Establishing a wireless connection with the Wii gamepad, synchronizing the video and input.
The gamepad screen displays a secondary interface or mirrors the TV output. You switch
back and forth. Prompts the user to select a profile. Saves data permissions. If a game is
inserted the system verifies and authenticates it. Home menu provides access to games applications. Settings Wii U and Wii Mode Execution
The Wii U supports two operational modes
Wii U Mode
System menu and games designed for the Wii U hardware run in this mode.
Games and applications leverage the Wii U's enhanced hardware including HD graphics and gamepad features.
Wii Mode, Backwards Compatibility.
When the Wii game or application is launched, the system reboots into Wii Mode,
efficiently emulating the Wii's hardware environment.
This disables the Wii U's specific hardware features, gamepad display, and replicates the original Wii architecture for compatibility.
When a game or application is selected, the system menu hands over control.
The selected title is authenticated and loaded.
Resources are allocated from graphics, audio, and input.
The application begins execution.
Security features in the Wii U boot process.
Chirographic signatures.
Each stage of the boot process verifies the next stage using chirographic signatures to prevent unauthorized code execution.
I've got Aroma on one of my...
I haven't finished it yet, though.
Preparatory disk management. Disk format, rather.
Game disks are preparatory formatted. That includes
encrypted for the DRM purpose.
IOSU kernel acts as a gatekeeper for hardware resources and
forces digital rights management for downloading contact and applications.
Summary of boot process. Boot ROM performs hardware checks and verifies
boot zero. Boot zero initializes the GPU and loads boot 1. Boot 1 loads the IOSU kernel. Boot 2 IOSU kernel manages hardware resources security and applications loading. System menu provides the user interface
and launch games for application.
Wii U and Wii mode execute games in appropriate mode
based on compatibility.
The Wii U boot process emphasizes security versatility
and the support for digital modes
providing a seamless experience.
So let's just see how
how
does
the mod
aroma
bypass
the Wii
U security.
Security.
Security.
Home for homebrew.
Let's see what it says.
Let's see. We says. Let's see.
We'll check on that one.
It says, how does the Aroma environment for the Wii U is a modern homebrew framework that bypasses the Wii's security measures by exploiting weaknesses in its software architecture.
It leverages known vulnerabilities to gain access to Wii U's system resources.
Enables you to use the run code, run custom code and applications.
Here's how Aroma bypasses the Wii U security.
Interesting.
The Wii U security relies on a secure boot chain.
The system uses chirographic signatures.
Each state of boot processes verifies the integrity. chain. The system uses chirographic signatures. Each data boot process
verifies the integrity.
The
IOSU
acts as a low-level operating system.
Applications
and titles will be assigned to the same.
The system verifies the
signature. To bypass the
security layers,
homebrewed frameworks like aroma exploit
vulnerabilities exploiting the browser vulnerability like the other homebrewed solutions
can be exploited in the internet browser application entry point the wii u browser
contains weaknesses and it's handling of certain scripts and malformed
web content romer uh utilizes those vulnerabilities to execute unsigned code
and browse content payload injection a custom payload is loaded into memory through the browser enabling the execution of a
arbitrary code this payload serves as the foundation for escalating privileges
so it goes through the browser privilege escalation once the initialized payload is executed, Aroma escalates its privileges.
It gets access to the IOSU kernel, exploits that, bypasses security checks.
The kernel exploit typically involves memory corruption that enables code injection.
This is pretty interesting actually yeah and then Pat
patch security lever levels layers aroma patches the system's memory to sable
signature checks so it's just about I'd like them to learn how to do that fun
persistence installation after gaining
control aroma sets itself up for persistent use custom firmware cfw operates as a custom firmware
layer running alongside the original and it does not write the that we use existing firmware making it safe to use is that overwrite
it just kind of does it side by side aroma installs a loader which allows users to brew
to launch applications for homebrewed key features are aroma bypass signature check, SD card access for emulators, patchless exploitation, backwards compatibility.
Why Aroma works.
Aroma exploits the MVC architecture, which was not designed to anticipate vulnerabilities in the browser and the kernel layer. By targeting these weak points, Aromar
circumvents the
chirographic
protection and secure boot chain without altering the console's hardware. Pretty awesome.
Oh, there's more. Nintendo's countermeasures.
Nintendo has released firmware updates in the past to patch known vulnerabilities, but the Wii U has not received an update in years.
This makes exploits like Aroma vulnerable as their users update the console if any new update were to be released.
So once you put it on, you don't want't update your thing since aroma operates as a software exploit it can be removed
by the console to factory settings and reinstalled to your original firmware summary aroma bypasses
the wii u security by exploiting broad railers in the browser and in the iosu kernel it operates as kernel and that writes as a patchless custom farm method reflects specific
in pretty interesting so
that's yeah I wanted to
see how that worked so I kind of understand that
now alright
so that's a little more
can I do GameCube
Wii and Wii U
and maybe next I'm going to go
to original Xbox next
we'll start out with the model one motherboard
but that's a little boot process of those three all right i'll talk to you guys later all right