Hacking ROP from within IOS_USB (5.5.1)

[Deleted User]

At this point i am waiting for a IOSU kernel exploit from Donald Trump.

This is nosense. Someone called Hillary Clinton, registered today, released something quite hacky. Suspicious

Hykem is back

 

[NexoCube]

Well done ! I'm glad someone finally made it D

 

[EclipseSin]

Hykem is back

No, it's not Hykem. Sorry. It's some hip hop artist nobody likes. Lol j/k

 

[kingraa777]

This is an implementation of ROP getting userland code execution on the IOSU processor, which you can then use to run code in IOSU userland to exploit it's kernel

excuse me if im being stupid but couldn't you theoretically boot into a cfw or shell or similar from user-land this way ? from a hbl elf ->iosu code executed user-land exacuted kernal cfw ? there's something i'm trying to get at similar to how the 3ds uses rop maybe sorry for my vague description

 

[Swiftloke]

excuse me if im being stupid but couldn't you theoretically boot into a cfw or shell or similar from user-land this way ? from a hbl elf ->iosu code executed user-land exacuted kernal cfw ? there's something i'm trying to get at similar to how the 3ds uses rop maybe sorry for my vague description

Keep in mind this is to my knowledge. Please Understand.
ROP, or Return Oriented Programming, is a technique used to get around modern ARM processors eXecute Never (XN) bit for memory, which means the processor will never execute it, meaning you can't just write code wherever in memory (usually areas with XN are areas that initial exploits have access to, like save data) and expect the processor to execute it. Instead, what we do is call instructions that already exist in memory to build up further exploits. For example, this ROP calls instructions in IOSU userland that reboot the console. From here, what we need to do is find instructions and use them to set up the IOSU kernel exploit and have full console control. (No, IOSU userland which is what this runs in doesn't have enough control to boot a CFW)

 

[kingraa777]

i'm actually thinking there's some potential progress being made now iosu is worth reading again

 

[mariogamer]

If anyone want self host it,here is a code550.bin (will test it later).

 

[kingraa777]

so i suppose the next question is what can we do with this info and were to go next ?

 

[mariogamer]

so i suppose the next question is what can we do with this info and were to go next ?

I think that we need to find a way to access IOSU kernel thought this userland exploit...

 

[kingraa777]

shouldnt be that taxing \;p

 

[NexoCube]

Just use the IOSU_CreateThread with that then you're fine

 

[kingraa777]

question is what can be done at this point ?

 

[mariogamer]

Every function that can be done with IOSU on userland .

 

[smealum]

does this turn the screen to solid iosu-red? if not i don't think it counts

 

[proflayton123]

does this turn the screen to solid iosu-red? if not i don't think it counts

Mfw Smea


Sent from my iPhone using Tapatalk

 

[kingraa777]

Every function that can be done with IOSU on userland .

your joking right ? am so confused right now @smealum what are your thoghts on this ?

 

[iAqua]

does this turn the screen to solid iosu-red? if not i don't think it counts

true story.

 

[KiiWii]

does this turn the screen to solid iosu-red? if not i don't think it counts

Everyone knows it's purple.

 

[mariogamer]

No I'm not jocking. But they need to be implemented and/or known,I think?

P.S. @CreeperMario Can you give us the makefile you used? (I'm really not good with makefile grammar (like english ))

 

[kingraa777]

No I'm not jocking. But they need to be implemented and/or known,I think?

P.S. @CreeperMario Can you give us the makefile you used? (I'm really not good with makefile grammar (like english ))

good i was thinking along the same lines thats all