boot1 checksum algorithm November 08, 2009 05:29PM | Registered: 13 years ago Posts: 1 |
Re: boot1 checksum algorithm November 08, 2009 06:15PM | Admin Registered: 14 years ago Posts: 271 |
I'm not sure this would be useful, but I'm not sure I understand what you're getting at.
Quote (stan423321):
> If we could make the BootMii checksum entirely of zeroes, it would be RSA-decoded to itself.
RSA
Quote (stan423321):
> So, my questions are:
> 1) does boot1 use ECC or RSA for boot2 signature decoding, and
It's the same as what the rest of IOS uses. boot2 has a TMD that contains a SHA1 of the decrypted content of boot2; that TMD is then hashed (again with SHA1). The RSA signature on the TMD is decrypted to produce the expected SHA1 hash of the TMD; in early versions of IOS/boot1, the comparison of the expected vs. calculated hash was done using strncmp and some padding was ignored. The check is now more robust and seems properly implemented.
Quote (stan423321):
> 2) what checksum algorithm does boot1 use (a link to understandable example code would be helpful)
Quote (stan423321):
> 3) overall, is it possible to "make" the checksum fixed.
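As an added illustration (example code, not boot1's code and not posted in this thread), here is a hash comparison in the strncmp style the Admin reply describes, beside a check that compares all 20 bytes; the sample hashes are constructed, and the RSA padding check the reply also mentions is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SHA1_LEN 20

/* Weak check in the style described above: strncmp on raw hash bytes. strncmp
 * treats its inputs as C strings and stops at the first 0x00 byte, so nothing
 * after a shared leading NUL is ever compared. Returns 1 on "match". */
int hash_matches_weak(const uint8_t expected[SHA1_LEN],
                      const uint8_t calculated[SHA1_LEN])
{
    return strncmp((const char *)expected, (const char *)calculated, SHA1_LEN) == 0;
}

/* Robust check: every one of the 20 bytes counts, no string semantics. */
int hash_matches_robust(const uint8_t expected[SHA1_LEN],
                        const uint8_t calculated[SHA1_LEN])
{
    uint8_t diff = 0;
    for (size_t i = 0; i < SHA1_LEN; i++)
        diff |= (uint8_t)(expected[i] ^ calculated[i]);
    return diff == 0;
}

/* Number of leading bytes the weak check actually inspects: up to, but not
 * including, the first 0x00 byte of the expected hash. */
size_t weak_bytes_checked(const uint8_t expected[SHA1_LEN])
{
    size_t n = 0;
    while (n < SHA1_LEN && expected[n] != 0x00)
        n++;
    return n;
}

/* Constructed sample hashes (not real TMD hashes): they share only a leading
 * 0x00 byte and differ in every other position. */
static const uint8_t kExpected[SHA1_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x23, 0x45, 0x67 };
static const uint8_t kCalculated[SHA1_LEN] = {
    0x00, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10, 0xef,
    0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x02, 0xde, 0xad, 0xbe };

int main(void)
{
    printf("weak:   %s\n", hash_matches_weak(kExpected, kCalculated) ? "match" : "mismatch");
    printf("robust: %s\n", hash_matches_robust(kExpected, kCalculated) ? "match" : "mismatch");
    printf("weak check inspected %zu of %d bytes\n", weak_bytes_checked(kExpected), SHA1_LEN);
    return 0;
}
```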
Re: boot1 checksum algorithm November 09, 2009 11:40PM | Registered: 14 years ago Posts: 858 |
Re: boot1 checksum algorithm November 10, 2009 08:37PM | Registered: 14 years ago Posts: 5,075 |
Re: boot1 checksum algorithm November 11, 2009 03:20AM | Registered: 14 years ago Posts: 858 |
Re: boot1 checksum algorithm November 17, 2009 06:26AM | Admin Registered: 14 years ago Posts: 271 |
Re: boot1 checksum algorithm June 25, 2010 09:33PM | Registered: 12 years ago Posts: 1 |
Re: boot1 checksum algorithm June 27, 2010 02:30PM | Registered: 13 years ago Posts: 379 |
Ah, yes. But some OTP ROMs start out as all 1s and you can 'burn' a 1 to 0. So you might be able to change the 'OTP' boot0 after all.
Quote (SifJar):
> Yeah, but the whole point of OTP is it's OTP (One Time Programmable).
Re: boot1 checksum algorithm June 27, 2010 03:58PM | Moderator Registered: 14 years ago Posts: 5,075 |
Quote (Daid):
> Ah, yes. But some OTP ROMs start out as all 1s and you can 'burn' a 1 to 0. So you might be able to change the 'OTP' boot0 after all.
> Quote (SifJar):
> > Yeah, but the whole point of OTP is it's OTP (One Time Programmable).
Just looking at [wiibrew.org], at "FFFF0474" there is the instruction "BNE hash_fail". BNE translates to the hex code "1A", while "BEQ" (just the opposite) is hex code "0A", so just burning out that one bit could in theory flip boot0 from only booting valid boot1 code to only booting invalid boot1 code.
Re: boot1 checksum algorithm June 28, 2010 10:17AM | Registered: 13 years ago Posts: 379 |
On old-fashioned OTP ROMs it's just "set the address lines, apply 15V on the data line for X milliseconds"; the hardware around it is just there to do that easily for every address. But until we know where the OTP ROM is, there is no way to know if this can really be done. You might fry other hardware in the process.
Quote (SifJar):
> Quote (Daid):
> > Ah, yes. But some OTP ROMs start out as all 1s and you can 'burn' a 1 to 0. So you might be able to change the 'OTP' boot0 after all.
> > Quote (SifJar):
> > > Yeah, but the whole point of OTP is it's OTP (One Time Programmable).
> Just looking at [wiibrew.org], at "FFFF0474" there is the instruction "BNE hash_fail". BNE translates to the hex code "1A", while "BEQ" (just the opposite) is hex code "0A", so just burning out that one bit could in theory flip boot0 from only booting valid boot1 code to only booting invalid boot1 code.
> 1A is 00011010 in binary and 0A is 00001010, so yeah, I guess that may be possible, but it would surely require expensive specialist hardware to "burn" a bit.