Hacking Firmware Reverse Engineering (Info Dump)

Datalogger · Apr 18, 2016

A little text might help explain what some of the unknown SysCalls do.

Here's 0x6300 with its text strings added:

Code:

Kernel:FFF12B30
Kernel:FFF12B30
Kernel:FFF12B30 SysCall_0x6300_Unknown:                                                                 
Kernel:FFF12B30                                                                                           
Kernel:FFF12B30                       mflr      r0
Kernel:FFF12B34                       bl        sub_FFF1D1A4
Kernel:FFF12B38                       addi      r3, r13, 0x3B34
Kernel:FFF12B3C                       bl        sub_FFF1849C
Kernel:FFF12B40                       bl        sub_FFF13038
Kernel:FFF12B44                       bne       loc_FFF12B50
Kernel:FFF12B48                       li        r31, 1
Kernel:FFF12B4C                       b         loc_FFF12D14
Kernel:FFF12B50 # ---------------------------------------------------------------------------
Kernel:FFF12B50
Kernel:FFF12B50 loc_FFF12B50:                                                                             
Kernel:FFF12B50                       lis       r29, dword_FFE9A700@ha
Kernel:FFF12B54                       li        r3, 0
Kernel:FFF12B58                       addi      r29, r29, dword_FFE9A700@l
Kernel:FFF12B5C                       bl        sub_FFF10EA0
Kernel:FFF12B60                       mulli     r12, r3, 0x17A0
Kernel:FFF12B64                       cmpwi     r31, 0
Kernel:FFF12B68                       add       r30, r12, r29
Kernel:FFF12B6C                       bne       loc_FFF12C64
Kernel:FFF12B70                       lwz       r12, 0x2AE4(r13)
Kernel:FFF12B74                       cmpwi     r12, 1
Kernel:FFF12B78                       beq       loc_FFF12B88
Kernel:FFF12B7C                       addi      r3, r2, -0x4D87                                               # "PrepareTitle(Relaunch) Succeeded.  IOS should have or will be telling us to shut down.\n"
Kernel:FFF12B80                       bl        fprintf_2
Kernel:FFF12B84                       b         loc_FFF12C5C
Kernel:FFF12B88 # ---------------------------------------------------------------------------
Kernel:FFF12B88
Kernel:FFF12B88 loc_FFF12B88:                                                                             
Kernel:FFF12B88                       lwz       r12, 0x3B4C(r13)
Kernel:FFF12B8C                       rlwinm.   r12, r12, 0,3,3
Kernel:FFF12B90                       beq       loc_FFF12B9C
Kernel:FFF12B94                       addi      r3, r2, -0x4D2F                                               # "PrepareTitle(Relaunch) Succeeded, but cosxml has DISABLE_FAST_RELAUNCH flag set. Revert to full relaunch.\n"
Kernel:FFF12B98                       b         loc_FFF12C6C
Kernel:FFF12B9C # ---------------------------------------------------------------------------
Kernel:FFF12B9C
Kernel:FFF12B9C loc_FFF12B9C:                                                                             
Kernel:FFF12B9C                       li        r3, 0
Kernel:FFF12BA0                       bl        sub_FFF139EC
Kernel:FFF12BA4                       cmpwi     r3, 0
Kernel:FFF12BA8                       bne       loc_FFF12BC0
Kernel:FFF12BAC                       addi      r3, r2, -0x4CC4                                               # "Could not start atomic relaunch operation. Power button probably pressed.\n"
Kernel:FFF12BB0                       bl        fprintf_2
Kernel:FFF12BB4                       bl        sub_FFF13000
Kernel:FFF12BB8                       li        r31, -3
Kernel:FFF12BBC                       b         loc_FFF12D14
Kernel:FFF12BC0 # ---------------------------------------------------------------------------
Kernel:FFF12BC0
Kernel:FFF12BC0 loc_FFF12BC0:                                                                             
Kernel:FFF12BC0                       bl        sub_FFF15A54
Kernel:FFF12BC4                       lwz       r12, 4(r30)
Kernel:FFF12BC8                       cmpwi     r12, 5
Kernel:FFF12BCC                       addi      r3, r30, 0xEB0
Kernel:FFF12BD0                       bne       loc_FFF12C54
Kernel:FFF12BD4                       li        r4, 1
Kernel:FFF12BD8                       bl        sub_FFF19D60
Kernel:FFF12BDC                       lwz       r12, 0xEBC(r30)
Kernel:FFF12BE0                       cmpwi     r12, 0
Kernel:FFF12BE4                       bne       loc_FFF12C14
Kernel:FFF12BE8                       bl        sub_FFF10990
Kernel:FFF12BEC                       addi      r6, r30, 0xEBC
Kernel:FFF12BF0                       bl        sub_FFF121F8
Kernel:FFF12BF4                       bl        sub_FFF1CA94
Kernel:FFF12BF8                       bl        sub_FFF1159C
Kernel:FFF12BFC                       bl        sub_FFF07738
Kernel:FFF12C00                       cmpwi     r31, 0
Kernel:FFF12C04                       beq       loc_FFF12C14
Kernel:FFF12C08                       bl        sub_FFF03760
Kernel:FFF12C0C                       addi      r4, r2, -0x4DE9                                               # "**Out of memory during fast relaunch.\n"
Kernel:FFF12C10                       bl        sub_FFF0EEB4
Kernel:FFF12C14
Kernel:FFF12C14 loc_FFF12C14:                                                                             
Kernel:FFF12C14                                                                                           
Kernel:FFF12C14                       lwz       r3, 0xEBC(r30)
Kernel:FFF12C18                       bl        sub_FFF12250
Kernel:FFF12C1C                       bl        sub_FFF09D60
Kernel:FFF12C20                       lwz       r12, 4(r30)
Kernel:FFF12C24                       mulli     r12, r12, 0x17A0
Kernel:FFF12C28                       li        r10, 1
Kernel:FFF12C2C                       add       r12, r12, r29
Kernel:FFF12C30                       stw       r10, 0xEB4(r12)
Kernel:FFF12C34                       li        r12, 2
Kernel:FFF12C38                       stw       r12, 0x2AD8(r13)
Kernel:FFF12C3C                       stw       r10, 0x2ADC(r13)
Kernel:FFF12C40                       bl        sub_FFF07898
Kernel:FFF12C44                       lwz       r3, 4(r30)
Kernel:FFF12C48                       li        r4, 0x40 # '@'
Kernel:FFF12C4C                       bl        sub_FFF16CEC
Kernel:FFF12C50                       b         loc_FFF12C5C
Kernel:FFF12C54 # ---------------------------------------------------------------------------
Kernel:FFF12C54
Kernel:FFF12C54 loc_FFF12C54:                                                                            
Kernel:FFF12C54                       li        r4, 0
Kernel:FFF12C58                       bl        sub_FFF19D60
Kernel:FFF12C5C
Kernel:FFF12C5C loc_FFF12C5C:                                                                             
Kernel:FFF12C5C                                                                                          
Kernel:FFF12C5C                       li        r31, 0
Kernel:FFF12C60                       b         loc_FFF12D14
Kernel:FFF12C64 # ---------------------------------------------------------------------------
Kernel:FFF12C64
Kernel:FFF12C64 loc_FFF12C64:                                                                            
Kernel:FFF12C64                       mr        r4, r31
Kernel:FFF12C68                       addi      r3, r2, -0x4C79                                               # "PrepareTitle(NoRelaunch) returned errcode %d. Going to try with relaunch.\n"
Kernel:FFF12C6C
Kernel:FFF12C6C loc_FFF12C6C:                                                                             
Kernel:FFF12C6C                       bl        fprintf_2
Kernel:FFF12C70                       lwz       r12, 0x2AE4(r13)
Kernel:FFF12C74                       cmplwi    r12, 2
Kernel:FFF12C78                       blt       loc_FFF12C90
Kernel:FFF12C7C                       mr        r4, r31
Kernel:FFF12C80                       addi      r3, r2, -0x4DC2                                               # "***PrepareTitle() for replace and for relaunch errcode %d\n"
Kernel:FFF12C84                       bl        fprintf_2
Kernel:FFF12C88                       bl        sub_FFF13000
Kernel:FFF12C8C                       b         loc_FFF12CFC
Kernel:FFF12C90 # ---------------------------------------------------------------------------
Kernel:FFF12C90
Kernel:FFF12C90 loc_FFF12C90:                                                                             
Kernel:FFF12C90                       li        r4, 2
Kernel:FFF12C94                       addi      r3, r13, 0x2AE4
Kernel:FFF12C98                       bl        sub_FFF19D60
Kernel:FFF12C9C                       addi      r3, r30, 0xEB0
Kernel:FFF12CA0                       li        r4, 3
Kernel:FFF12CA4                       bl        sub_FFF19D60
Kernel:FFF12CA8                       lbz       r12, 0x2AF0(r13)
Kernel:FFF12CAC                       cmpwi     r12, 0
Kernel:FFF12CB0                       beq       loc_FFF12CCC
Kernel:FFF12CB4                       lwz       r5, 0x3B30(r13)
Kernel:FFF12CB8                       addi      r3, r13, 0x2AF0
Kernel:FFF12CBC                       addi      r4, r13, 0x2B30
Kernel:FFF12CC0                       li        r6, 1
Kernel:FFF12CC4                       bl        sub_FFF1853C
Kernel:FFF12CC8                       b         loc_FFF12CD8
Kernel:FFF12CCC # ---------------------------------------------------------------------------
Kernel:FFF12CCC
Kernel:FFF12CCC loc_FFF12CCC:                                                                             
Kernel:FFF12CCC                       bl        sub_FFF13024
Kernel:FFF12CD0                       li        r7, 1
Kernel:FFF12CD4                       bl        sub_FFF18370
Kernel:FFF12CD8
Kernel:FFF12CD8 loc_FFF12CD8:                                                                             
Kernel:FFF12CD8                       mr.       r31, r3
Kernel:FFF12CDC                       beq       loc_FFF12D10
Kernel:FFF12CE0                       bl        sub_FFF13000
Kernel:FFF12CE4                       cmpwi     r31, 0
Kernel:FFF12CE8                       ble       loc_FFF12CF0
Kernel:FFF12CEC                       li        r31, -1
Kernel:FFF12CF0
Kernel:FFF12CF0 loc_FFF12CF0:                                                                             
Kernel:FFF12CF0                       mr        r4, r31
Kernel:FFF12CF4                       addi      r3, r2, -0x4E11                                               # "PrepareTitle Issue (Relaunch) error %d\n"
Kernel:FFF12CF8                       bl        fprintf_2
Kernel:FFF12CFC
Kernel:FFF12CFC loc_FFF12CFC:                                                                             
Kernel:FFF12CFC                       bl        sub_FFF0967C
Kernel:FFF12D00                       bne       loc_FFF12D14
Kernel:FFF12D04                       li        r3, 1
Kernel:FFF12D08                       bl        sub_FFF19304
Kernel:FFF12D0C                       b         loc_FFF12D14
Kernel:FFF12D10 # ---------------------------------------------------------------------------
Kernel:FFF12D10
Kernel:FFF12D10 loc_FFF12D10:                                                                            
Kernel:FFF12D10                       li        r31, 1
Kernel:FFF12D14
Kernel:FFF12D14 loc_FFF12D14:                                                                            
Kernel:FFF12D14                                                                                          
Kernel:FFF12D14                       b         loc_FFF03074
Kernel:FFF12D14 # End of function SysCall_0x6300_Unknown
Kernel:FFF12D14

.

FaTaL_ErRoR · Apr 18, 2016

Datalogger said:
OK, thanks.

If I understand it correctly, insrwi r12, r0, 5,22 is:
R12 = R0 Shift Left 5 & Mask with (32-(5+22)) = 5 bits Left of ((5+22)-1) = bit26 = 00000000000000000000001111100000 = 0x3E0
(PPC is a bit different than ARM/Thumb, but I think I can figure most of it out)

That makes 0x1F × 0x20 the max call distance from base, 0xFFFF21A0
That makes sense since that maps to the last syscall_App_Panic.
I only wish it was as easy as re-routing one of those useless App_Panics to jump for/back to where we want, but we can't mod here (yet).

Q: Has someone already started mapping all of the Strings to their instructions for 0xFFE84450 to 0xFFE84604/(0xFFE84688 to 0xFFE84754) and -or- 0xFFEB9840 to 0xFFEBE485 ?

I'm thinking they must be using a similar strategy to point to their locations, but thought I'd ask before researching it.

App panic is a great place to attack an OS. Giving an app a panic attack sometimes causes it to get stagefright.
Here is a patch for a app panic attack in enterprise suse...
ftp://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.desktop.12-patch.xml
Site itself will not give you an exploit. But a good starting point for building one for the kernel in question. (FYI ppc Suse was also in that log)
You have everything else you need, you just need to exploit that app panic.

davetheshrew · Apr 18, 2016

Mr Burns voice: Exxxcellent

Phantom64 · Apr 18, 2016

can i have kernel exploit and free games

lefthandsword · Apr 18, 2016

Phantom64 said:
can i have kernel exploit and free games

Go away.

NWPlayer123 · Apr 19, 2016

HeWhoShallNotBeNamed pointed out that the TOC and SDA (r2 and r13) are set for the kernel at FFE00288, and you can add them in manually with Options -> General -> Analysis -> Processor Specific Options -> TOC and SDA up top, once you put it in that second string section connects fine

Code:

ROM:FFE00288                 lis       r2, dword_FFEC13E0@h
ROM:FFE0028C                 ori       r2, r2, dword_FFEC13E0@l
ROM:FFE00290                 lis       r13, dword_FFEB2500@h
ROM:FFE00294                 ori       r13, r13, dword_FFEB2500@l

davetheshrew · Apr 19, 2016

NWPlayer123 said:
HeWhoShallNotBeNamed pointed out that the TOC and SDA (r2 and r13) are set for the kernel at FFE00288, and you can add them in manually with Options -> General -> Analysis -> Processor Specific Options -> TOC and SDA up top, once you put it in that second string section connects fine

Code:

ROM:FFE00288 lis r2, dword_FFEC13E0@h ROM:FFE0028C ori r2, r2, dword_FFEC13E0@l ROM:FFE00290 lis r13, dword_FFEB2500@h ROM:FFE00294 ori r13, r13, dword_FFEB2500@l

View attachment 46171

wow...so this is great news....right?

BurningDesire · Apr 19, 2016

NWPlayer123 said:
HeWhoShallNotBeNamed pointed out that the TOC and SDA (r2 and r13) are set for the kernel at FFE00288, and you can add them in manually with Options -> General -> Analysis -> Processor Specific Options -> TOC and SDA up top, once you put it in that second string section connects fine

Code:

ROM:FFE00288 lis r2, dword_FFEC13E0@h ROM:FFE0028C ori r2, r2, dword_FFEC13E0@l ROM:FFE00290 lis r13, dword_FFEB2500@h ROM:FFE00294 ori r13, r13, dword_FFEB2500@l

View attachment 46171

Psst if you find out how to do this and dont want to release It I have a idea. Post Instructions on how I make it

NWPlayer123 · Apr 19, 2016

davetheshrew said:
wow...so this is great news....right?

It gives me a way more complete linking of the kernel that shows me stuff like this

----------------------------------------------- BPERF: (0/%d) PPC Init.
Cafe OS SDK Version 2.13.01 Build 68939 Branch sdk_2_13
PPC NDEBUG Kernel Build date - Jul 28 2015 19:55:58
BUILT AS OS_VERSION_MAJOR 000500101000800A MINOR 0x3D56
core=1 COLD BOOT
SOFT INTERRUPT MODE
-----------------------------------------------

Datalogger · Apr 19, 2016

NWPlayer123 said:
HeWhoShallNotBeNamed pointed out that the TOC and SDA (r2 and r13) are set for the kernel at FFE00288, and you can add them in manually with Options -> General -> Analysis -> Processor Specific Options -> TOC and SDA up top, once you put it in that second string section connects fine
[/spoiler]

Yep, figured that out already.
Once I found the value, it was as simple as searching for where it was used in the beginning of the kernel.
The SDA was right there next to it.

Too bad whomever it is you are talking about (and I have no idea who it is) can't update someplace like the WiiUBrew wiki so we don't have to spend what little precious hours we have available trying to figure out what he/she already knows

NWPlayer123 · Apr 19, 2016

Datalogger said:
Yep, figured that out already.
Once I found the value, it was as simple as searching for where it was used in the beginning of the kernel.
The SDA was right there next to it.

Too bad whomever it is you are talking about (and I have no idea who it is) can't update someplace like the WiiUBrew wiki so we don't have to spend what little precious hours we have available trying to figure out what he/she already knows

Hykem is busy t̶r̶y̶i̶n̶g̶ ̶n̶o̶t̶ ̶t̶o̶ ̶b̶e̶ ̶d̶i̶s̶c̶o̶v̶e̶r̶e̶d̶ ̶b̶y̶ ̶t̶h̶e̶ ̶f̶e̶d̶s̶ with other stuff and just posts tidbits on IRC from time to time, been really helpful thus far

VinsCool · Apr 19, 2016

NWPlayer123 said:
Hykem is busy t̶r̶y̶i̶n̶g̶ ̶n̶o̶t̶ ̶t̶o̶ ̶b̶e̶ ̶d̶i̶s̶c̶o̶v̶e̶r̶e̶d̶ ̶b̶y̶ ̶t̶h̶e̶ ̶f̶e̶d̶s̶ with other stuff and just posts tidbits on IRC from time to time, been really helpful thus far

Glad to know he's not dead.

Volcanicfox123 · Apr 19, 2016

NWPlayer123 said:
Hykem is busy t̶r̶y̶i̶n̶g̶ ̶n̶o̶t̶ ̶t̶o̶ ̶b̶e̶ ̶d̶i̶s̶c̶o̶v̶e̶r̶e̶d̶ ̶b̶y̶ ̶t̶h̶e̶ ̶f̶e̶d̶s̶ with other stuff and just posts tidbits on IRC from time to time, been really helpful thus far

Awesome to know he's OK! I've been following this scene ever since MN1 et. all were releasing the 5.3.2 k-exploit. I really didn't know what happened in March, and was very curious... I couldn't find anything reliable through all of this hykem exploit whining BS!! I hope he didn't take too much of it to heart...

Keep up the great work people! :wub:

WulfyStylez · Apr 19, 2016

NWPlayer123 said:
just posts tidbits

( ͡° ͜ʖ ͡°)

davetheshrew · Apr 21, 2016

its gone fairly silent around here, anything good happened? I saw some stuff on wiiubrew yesterday, glad more and more people are contributing.

lefthandsword · Apr 21, 2016

davetheshrew said:
its gone fairly silent around here, anything good happened? I saw some stuff on wiiubrew yesterday, glad more and more people are contributing.

A iosu exploit is still being worked on, but documenting Cafe OS is still a priority it seems.

Hillary_Clinton · Apr 23, 2016

Do you guys know why the fw.img in OSv10 v11464 has syscalls that correspond to the debug ones listed here instead of the retail ones? I expected OSv10 v11464 to be the retail version.

Datalogger · Apr 23, 2016

vish said:
Do you guys know why the fw.img in OSv10 v11464 has syscalls that correspond to the debug ones listed here instead of the retail ones? I expected OSv10 v11464 to be the retail version.

Are you saying that OSv10 v11464 has SysCalls 0x88 to 0x93 ?

What does the syscall _handler say on the 12th line"

Code:

.
.
IOS_KERNEL:0812DD94                               AND             R10, R10, #0xFF
IOS_KERNEL:0812DD98                               CMP             R10, #0x88 ; 'ê'           <------ This Line ?                       
IOS_KERNEL:0812DD9C                               BGT             loc_812DE04                                          
.
.

(Your line numbers will be different)

Hillary_Clinton · Apr 23, 2016

Yeah I've got 0x94 here.

Code:

.
.
LOAD:0812E824 000                 AND             R10, R10, #0xFF
LOAD:0812E828 000                 CMP             R10, #0x94
LOAD:0812E82C 000                 BGT             loc_812E878
.
.

And the syscall table also appears to correspond to the debug syscalls.

pwsincd · May 1, 2016

Bumping this thread to inform all those who signed up to my forum , if they havent been in a while to check out the progress made and see if you could offer assistance ...

Hacking Firmware Reverse Engineering (Info Dump)

Living the Dream

AKA ŦƕƎ ƠṀƐƝ

Well-Known Member

Banned!

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Living the Dream

Well-Known Member

Persona Secretiva Felineus

Member

SALT/Bemani Princess

Well-Known Member

Well-Known Member

Member

Living the Dream

Member

Garage Flower

Similar threads

Popular threads in this forum