Hacking Smea's iosuhax

solitaire4eva

Well-Known Member
Member
Joined
Apr 12, 2014
Messages
359
Trophies
1
Location
Parts Unknown
XP
1,434
Country
United States
You explained it in a way for everyone to understand! Just checking out this thread and waiting for something productive to come from it. I think everyone is looking for usb hdd support in the future.

I love how over complicated everyone makes it when trying to explain iosu exploits.

Here, it's as simple as this:
1:) Find 2 locations that can see each other (be shared) or the same location that can be read/called from iosu and also able to write files to from a different location such as userland using kexploit. (Remember kexploit has the same access to everything iosu does, just not the same authority.)

2:) write application to shared location and call it from iosu using elf.
e.g. If someone was to rewrite the homebrew channel, with built in kexploit, and also as an installable channel. It gets dumped in location 1 available to userland and called from location 2 that actually points to the same location but called using iosu that actually has the authority to install it.
Simples..... just nobody can be bothered with that particular task at the moment.
Don't believe me, ask your favourite Dev. ...
 

Rob Blou

Well-Known Member
Member
Joined
Jul 16, 2013
Messages
754
Trophies
0
Age
41
XP
1,508
Country
Canada
OK, it looks like SMEA's .py script is failing to keep things Word Aligned properly.
If you extract the elf and run readelf -a, it does great until it gets down to virtual address 0x124C6000, where it stops Word Aligning.

Edit:
I can get it to make an almost perfect copy by rem'ing out two lines in the .PY script:
Code:
        #if not(special):
        #    self.phdrs[i].p_offset = data_offset


When I turn off all patches, it creates a new FW.IMG that is only one byte different than a "Stock" clean FW.IMG

The only difference is that one single 0x02 it does not put at 0x4975BF
(And of course the SHA because of it.)

Not sure what the "If Not (special):" was for, but without it, everything Word Aligns perfectly.


Edit2: =done.
OK, I got it to make a 100% same FW.IMG file by the change above and adding this to the top of the def encrypt
Code:
    def encrypt(self, file, offset):
        key = '02'
        key = key.decode('hex')   # Python 2: hex string -> the single 0x02 byte
        file.seek(0x497DC3)       # 0x4975BF in the image + 0x804-byte header
        file.write(key)
(It's 0x4975bf+0x804 byte Header)

The SHA-1 matches the "stock" FW.IMG 100%

Obviously, I'm not a Python Programmer - but hey, it works!
Show me a more simple way to poke an 0x02 at that offset so I can get back to my comfort zone in raw assembly.




.
Could you please send me the modified script? Thanks :)
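As an added example (not smea's script and not the patch quoted above), a small Python checker for the kind of alignment problem described in that post: it parses the ELF32 program headers and flags PT_LOAD segments whose p_offset is not congruent to p_vaddr modulo p_align, which is the rule readelf relies on. The sample image is constructed here; only the virtual address 0x124C6000 is taken from the post.

```python
import struct

PT_LOAD = 1


def parse_phdrs(elf):
    """Return the ELF32 program headers as dicts, honouring EI_DATA (endianness)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:        # ELFCLASS32 only
        raise ValueError("not an ELF32 image")
    end = "<" if elf[5] == 1 else ">"                 # ELFDATA2LSB / ELFDATA2MSB
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.unpack(end + "HHIIIIIHHHHHH", elf[16:52])
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr",
             "p_filesz", "p_memsz", "p_flags", "p_align")
    phdrs = []
    for i in range(e_phnum):
        start = e_phoff + i * e_phentsize
        phdrs.append(dict(zip(names, struct.unpack(end + "8I", elf[start:start + 32]))))
    return phdrs


def misaligned_segments(elf):
    """Indices of PT_LOAD segments that break the ELF rule
    p_offset % p_align == p_vaddr % p_align (for p_align > 1)."""
    bad = []
    for i, ph in enumerate(parse_phdrs(elf)):
        if ph["p_type"] != PT_LOAD or ph["p_align"] <= 1:
            continue
        if ph["p_offset"] % ph["p_align"] != ph["p_vaddr"] % ph["p_align"]:
            bad.append(i)
    return bad


def build_elf32(segments, little=True):
    """Constructed test image: ELF32 header plus program headers, no section
    headers and no segment data. segments = [(p_offset, p_vaddr, p_align), ...]."""
    end = "<" if little else ">"
    e_ident = b"\x7fELF" + bytes([1, 1 if little else 2, 1]) + b"\x00" * 9
    ehdr = e_ident + struct.pack(end + "HHIIIIIHHHHHH",
                                 2, 40, 1, 0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)  # ET_EXEC, EM_ARM
    phdrs = b"".join(struct.pack(end + "8I", PT_LOAD, off, va, va, 0x1000, 0x1000, 5, align)
                     for off, va, align in segments)
    return ehdr + phdrs


# Constructed sample: segment 0 is fine; segment 1 sits at the virtual address
# mentioned in the post (0x124C6000) but its file offset is two bytes out of step.
SAMPLE = build_elf32([(0x1000, 0x08000000, 4), (0x2002, 0x124C6000, 4)])

if __name__ == "__main__":
    for i, ph in enumerate(parse_phdrs(SAMPLE)):
        print("phdr %d: offset=0x%x vaddr=0x%x align=%d"
              % (i, ph["p_offset"], ph["p_vaddr"], ph["p_align"]))
    print("misaligned segments:", misaligned_segments(SAMPLE))
```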
 

andriy921

Well-Known Member
Member
Joined
Dec 1, 2015
Messages
268
Trophies
0
Age
33
XP
240
Country
Oh - one more thing - just to set this straight for anyone who may read this later on.

The boot process you said is not correct--we know that the arm loads kernel.img into ram for the ppc to run.
you can see this if you look at the arm's fw.img file made by @davetheshrew here in another thread - take a look at address 503401E and you will see what I'm saying is right.

It's maybe closer to-- arm on-chip bootrom->boot0->boot1->fw.img then arm fw.img loads ppc kernel.img and lets ppc know to run it then arm goes -> protect system/control all io

At same time-- ppc is doing ppc bootrom-> waiting for arm to say it has loaded kernel.img then-> kernel.img-> main menus/load games

And one last thing - the names I said are right bootrom -- those are the bootrom files I'm talking about - If you don't believe me go to fail0verflow's website and watch the video
search for blog/2014/console-hacking-2013-omake.html

marcan -who knows way more than anyone else about this stuff - posted what he and the others at f0f named bootrom and the hashes -- those hashes are the same for the files I'm talking about.
Not just the vwii hash but the wiiu bootrom too!
If marcan says its a bootrom -- then it is a bootrom. :)


Reading the posts above I know no one cares about iosu anymore and the things you can do with it.
All that is now important is loadiine and kernel hax.

That's why I sold/gave away my Wii Us - while they still have some people that want them.
With no one wanting to work in iosu anymore - by the time iosu comes out - the Wii U will be as cheap as the Xbox 360 is today and I'll buy another :)
It doesn't matter who loads encrypted img into the memory. ppc bootrom still validates and decrypts it. Or am I incorrect?

Could you specify some timing. From what I see marcan names boot0 boot0, boot1 boot1 and bootroms bootrom. But I can still be missing something since there are so few places where you can read about this.
 

Jow Banks

Well-Known Member
Member
Joined
Nov 6, 2015
Messages
178
Trophies
0
XP
219
Country
Netherlands
I love how over complicated everyone makes it when trying to explain iosu exploits.

Here, it's as simple as this:
1:) Find 2 locations that can see each other (be shared) or the same location that can be read/called from iosu and also able to write files to from a different location such as userland using kexploit. (Remember kexploit has the same access to everything iosu does, just not the same authority.)

2:) write application to shared location and call it from iosu using elf.
e.g. If someone was to rewrite the homebrew channel, with built in kexploit, and also as an installable channel. It gets dumped in location 1 available to userland and called from location 2 that actually points to the same location but called using iosu that actually has the authority to install it.
Simples..... just nobody can be bothered with that particular task at the moment.
Don't believe me, ask your favourite Dev. ...
Sorry - but it's not like that at all.
IOS is under control of the very powerful ARM processor.
It may be slower in clock -but it's much smarter in security than PPC.

The PPC can poke little tiny holes in ARMs security and allow kernel - but that won't give up full control like the old wii did.

F0F gave up as soon as they realized they were beat by Nintendo and couldn't get a clean IOSU to work on each console reliably. (And I'm not talking about the drunken cat thing, that was on PPC side)
They knew they couldn't get the boot1 keys - so they had no way to exploit the boots like on wii - it was game over for them.

ARM is very strong - and the PPC can't get past all of its abilities to block good access.

Maybe smea and the girl that gave up last december had info that others could use to get in - but they are too scared to admit they couldn't do it either.
But someone is working on it that will find a real hole - but it will be a long time as they are all very busy with school.:(

In the mean time -I'll just enjoy my fully hacked 3ds and ps3 :)
 
Last edited by Jow Banks,

ARVI80

Well-Known Member
Member
Joined
Feb 25, 2016
Messages
197
Trophies
0
Age
43
Location
UK
XP
315
Country
Sorry - but it's not like that at all.
IOS is under control of the very powerful ARM

Does not matter how strong ARM is we have kernel access, so it is exactly as I described. IOSU is already possible just currently a brick hazard if done wrong. Exploit/full system can and has been proven to run straight from SD. Video proof is available in these forums.
 

Jow Banks

Well-Known Member
Member
Joined
Nov 6, 2015
Messages
178
Trophies
0
XP
219
Country
Netherlands
Does not matter how strong ARM is we have kernel access, so it is exactly as I described. IOSU is already possible just currently a brick hazard if done wrong. Exploit/full system can and has been proven to run straight from SD. Video proof is available in these forums.
Limited Kernel Access is not equal to IOSU.
Nowhere near it, but good enough for 99.999% of the average wii-U user.
Once the kexploit was leaked, interest in trying to get a full IOSU working dropped by 99.999%

All most wanted is loadiine, not full access.
The wii-U is not a "HomeBrew" console - it's a pirate base only.

And - I've seen the video "proof" of IOSU - but there's more to it than what you see.

If you've seen how unstable the IOSU hack is, you would understand why it's not being released.
The ARM has tricks up its sleeve that the PPC has no way of running countermeasures for.

This is why the "H" person (still not sure if it was a he or a she), SMEA, Yellow8 and even Marcan and others from f0f gave up.
It wasn't due to their "worries" about pirating - that never stopped them before.
It's because there is no way to get it to run for the average user that doesn't know how to restore from a hard brick using a T2 and a whole lot of difficult wiring.

It's just not worth it.

In all fairness, the ARM sucks at playing games as much as the PPC sucks at running security and I/O control.

But that's why the wii-U has both.
The difference in the wii and wii-u is, this time they got some of it right.
Don't believe me ?
Show me the boot1 key. (Oh, wait, you can't. No one can.)

If you want to see what can be done with 100% full control - pick up a 3DS.
 
Last edited by Jow Banks,

FaTaL_ErRoR

AKA ŦƕƎ ƠṀƐƝ
Member
Joined
Mar 9, 2014
Messages
491
Trophies
0
XP
443
Country
United States
Limited Kernel Access is not equal to IOSU.
Nowhere near it, but good enough for 99.999% of the average wii-U user.
Once the kexploit was leaked, interest in trying to get a full IOSU working dropped by 99.999%

All most wanted is loadiine, not full access.
The wii-U is not a "HomeBrew" console - it's a pirate base only.

And - I've seen the video "proof" of IOSU - but there's more to it than what you see.

If you've seen how unstable the IOSU hack is, you would understand why it's not being released.
The ARM has tricks up its sleeve that the PPC has no way of running countermeasures for.

This is why the "H" person (still not sure if it was a he or a she), SMEA, Yellow8 and even Marcan and others from f0f gave up.
It wasn't due to their "worries" about pirating - that never stopped them before.
It's because there is no way to get it to run for the average user that doesn't know how to restore from a hard brick using a T2 and a whole lot of difficult wiring.

It's just not worth it.

In all fairness, the ARM sucks at playing games as much as the PPC sucks at running security and I/O control.

But that's why the wii-U has both.
The difference in the wii and wii-u is, this time they got some of it right.
Don't believe me ?
Show me the boot1 key. (Oh, wait, you can't. No one can.)

If you want to see what can be done with 100% full control - pick up a 3DS.
Lol wut? Can't show the boot1 key? It's been in my signature for months now. Besides that, I thought you said you were done and no longer have a Wii U. So why are you posting in a section for which you have nothing to contribute besides theories?
 

BurningDesire

Well-Known Member
Member
Joined
Jan 27, 2015
Messages
4,999
Trophies
1
Location
Behind a screen reading news
XP
4,885
Country
United States
Lol wut? Can't show the boot1 key? It's been in my signature for months now. Besides that, I thought you said you were done and no longer have a Wii U. So why are you posting in a section for which you have nothing to contribute besides theories?
How is this the boot one key?
㔌㔌㔌㔌㔌⌌㔌㔌㔌㔌㔌㔌㔌㔌㔌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌僐䍋㡓 Seems like a mix of kanji and encrypted shit.
 

ARVI80

Well-Known Member
Member
Joined
Feb 25, 2016
Messages
197
Trophies
0
Age
43
Location
UK
XP
315
Country
Limited Kernel Access is not equal to IOSU.
Nowhere near it.

Lol, you seem to be missing the point that iosu access is not needed to get iosu access, that would be groundhog day.
First you need to be reacquainted with the definition of what a hack is. Second, you must realise that you are just simply over complicating what can be done with some trickery using what's already available.
Third, nobody seems to notice what is put right in front of them at the best of times.

Here's a bad analogy that should be easy for anyone to understand. If I was to hack anything with an automated screen saver, no matter what keys it needs or how clever the security is to access those keys, I would simply just replace the screen saver being called with what I wanted to be called, as the screen saver already has access; as long as the screen saver appears to be the same file, the system will call it, and that's basically the 101 on hacks. No different here.

Also once you poke a hole in something surely you realise that the hole only gets bigger the more you poke at it.
 
Last edited by ARVI80,
  • Like
Reactions: KiiWii

TotalInsanity4

GBAtemp Supreme Overlord
Member
Joined
Dec 1, 2014
Messages
10,800
Trophies
0
Location
Under a rock
XP
9,814
Country
United States
Lol, you seem to be missing the point that iosu access is not needed to get iosu access, that would be groundhog day.
First you need to be reacquainted with the definition of what a hack is. Second, you must realise that you are just simply over complicating what can be done with some trickery using what's already available.
Third, nobody seems to notice what is put right in front of them at the best of times.

Here's a bad analogy for you. If I was to hack anything with an automated screen saver, no matter what keys it needs or how clever the security is to access those keys, I would simply just replace the screen saver being called with what I wanted to be called, as the screen saver already has access; as long as the screen saver appears to be the same file, the system will call it, and that's basically the 101 on hacks. No different here.

Also once you poke a hole in something surely you realise that the hole only gets bigger the more you poke at it.
I hate to be that guy, but care to put your money where your mouth is?
 
  • Like
Reactions: ARVI80

ARVI80

Well-Known Member
Member
Joined
Feb 25, 2016
Messages
197
Trophies
0
Age
43
Location
UK
XP
315
Country
If you don't want to be that guy then I won't let you be. So nope.

As always patience is paramount.
 
Last edited by ARVI80,

FaTaL_ErRoR

AKA ŦƕƎ ƠṀƐƝ
Member
Joined
Mar 9, 2014
Messages
491
Trophies
0
XP
443
Country
United States
How is this the boot one key?
㔌㔌㔌㔌㔌⌌㔌㔌㔌㔌㔌㔌㔌㔌㔌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌僐䍋㡓 Seems like a mix of kanji and encrypted shit.
This is exactly what it is.
It wouldn't still be in my signature if it wasn't.
\Uffffffff\Uffffffff\Uffffffff This is the other way I had posted it in the past. (But I repeated it and long stringed it and ran it off the page so ppl here took it down for me.) As this is what it looks like copy/pasted from hex editor....
One thing is for sure "one" of the previous "leaked" wii u keys will decrypt this. When I copy/pasted this sig from my pc the site recognizes what I pasted as these symbols and I liked it so I left it. Had it posted on another site back in early 2013. Thinking about it now I think it is still posted there. But it displayed the same way it looked to me on my screen when I encrypted it.
And for everyone. Once an app is cleared to run (signature is validated) the PPC processor has full control of running it. So modifying it after it is validated should cause no issues and allow for full control of said app.
 

I pwned U!

I am pleased to beat you!
Member
Joined
Jun 14, 2013
Messages
927
Trophies
3
Age
28
Website
gbatemp.net
XP
680
Country
United States
This is exactly what it is.
It wouldn't still be in my signature if it wasn't.
\Uffffffff\Uffffffff\Uffffffff This is the other way I had posted it in the past. (But I repeated it and long stringed it and ran it off the page so ppl here took it down for me.) As this is what it looks like copy/pasted from hex editor....
One thing is for sure "one" of the previous "leaked" wii u keys will decrypt this. When I copy/pasted this sig from my pc the site recognizes what I pasted as these symbols and I liked it so I left it. Had it posted on another site back in early 2013. Thinking about it now I think it is still posted there. But it displayed the same way it looked to me on my screen when I encrypted it.
And for everyone. Once an app is cleared to run (signature is validated) the PPC processor has full control of running it. So modifying it after it is validated should cause no issues and allow for full control of said app.
Assuming that this is real, which key decrypts it, and what are the required steps that I would have to follow for me to generate a decrypted version?
 
  • Like
Reactions: The Cringe

Dork

Guest
Lol, you seem to be missing the point that iosu access is not needed to get iosu access, haha i'm so retarded

I'm sure if it was as easy as just replacing everything that's encrypted then it would have been done long ago, either that or nobody wants to make something from scratch to replace said files because it's more work than it's worth. Sorry boy genius, it's not that easy.
 
  • Like
Reactions: TotalInsanity4

ARVI80

Well-Known Member
Member
Joined
Feb 25, 2016
Messages
197
Trophies
0
Age
43
Location
UK
XP
315
Country
I'm sure if it was as easy as just replacing everything that's encrypted then it would have been done long ago, either that or nobody wants to make something from scratch to replace said files because it's more work than it's worth. Sorry boy genius, it's not that easy.

Ok Dork, thanks for the genius compliment.
Say hello to iggy for me xx
 
  • Like
Reactions: Subtle Demise

Jow Banks

Well-Known Member
Member
Joined
Nov 6, 2015
Messages
178
Trophies
0
XP
219
Country
Netherlands
Lol wut? Can't show the boot1 key? It's been in my signature for months now. Besides that, I thought you said you were done and no longer have a Wii U. So why are you posting in a section for which you have nothing to contribute besides theories?
I would not believe that someone that can't even figure out how to post a set of keys correctly could possibly have the real ones.
Anybody can post gibberish and say "It's the key!" ------It's not.

And why I replied was because I forgot to hit the "UnWatch" thread button and got a notification.
(Fixed that) - bye now.
 

GerbilSoft

Well-Known Member
Member
Joined
Mar 8, 2012
Messages
2,395
Trophies
2
Age
34
XP
4,250
Country
United States
Converting that "garbage" to UCS-2 Big Endian results in:
Code:
00000000  fe ff e1 00 35 0c e1 80  35 0c e1 84 35 0c e1 68  |....5...5...5..h|
00000010  35 0c e1 8c 35 0c e1 98  23 0c e1 44 35 0c e1 a8  |5...5...#..D5...|
00000020  35 0c e1 b0 35 0c e1 c4  35 0c e1 d0 35 0c e1 74  |5...5...5...5..t|
00000030  35 0c e1 d8 35 0c e1 e4  35 0c e1 f0 35 0c e1 fc  |5...5...5...5...|
00000040  36 0c e1 08 36 0c e1 14  36 0c e1 20 36 0c e1 24  |6...6...6.. 6..$|
00000050  36 0c e1 34 36 0c e1 44  36 0c e1 50 36 0c e1 60  |6..46..D6..P6..`|
00000060  36 0c e1 6c 36 0c e1 74  36 0c e1 84 36 0c e1 94  |6..l6..t6...6...|
00000070  36 0c e1 a4 36 0c e1 b4  36 0c e1 c4 36 0c 50 d0  |6...6...6...6.P.|
00000080  43 4b 38 53                                       |CK8S|
(the first two bytes are a Byte Order Mark, so they can be ignored)

Doesn't look like much of a key to me.
 
  • Like
Reactions: FaTaL_ErRoR
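To reproduce GerbilSoft's check, here is an added Python example (not code from the post) that encodes the visible characters of the quoted signature as UCS-2 big endian, prints the same hexdump -C layout, and applies two sanity checks a blob claimed to be a symmetric key should pass. The sample string is constructed from the characters as they appear in this thread; the extraction drops the private-use code points (e1 xx) that the dump above shows between them, so this dump is shorter than GerbilSoft's.

```python
import math
from collections import Counter

# Constructed sample: the visible characters of the signature quoted above.
# U+350C encodes as 35 0c, U+360C as 36 0c, U+230C as 23 0c, and the tail
# 僐䍋㡓 as 50 d0 43 4b 38 53, exactly as in the dump in the post.
SIGNATURE = "㔌㔌㔌㔌㔌⌌㔌㔌㔌㔌㔌㔌㔌㔌㔌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌㘌僐䍋㡓"


def to_ucs2_be(text, bom=True):
    """Encode text as UCS-2 big endian (UTF-16BE without surrogate pairs)."""
    if any(ord(c) > 0xFFFF for c in text):
        raise ValueError("UCS-2 cannot represent characters outside the BMP")
    return (b"\xfe\xff" if bom else b"") + text.encode("utf-16-be")


def hexdump(data, width=16):
    """Lines in the hexdump -C layout used in the post."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        if len(chunk) > 8:                       # extra gap after the 8th byte
            hexpart = hexpart[:23] + " " + hexpart[23:]
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-48s  |%s|" % (off, hexpart, printable))
    return lines


def key_plausibility(data):
    """Cheap sanity checks for a claimed symmetric key: AES key lengths are
    16/24/32 bytes, and random key material has close to 8 bits of Shannon
    entropy per byte, while repeated text like this sits far below that."""
    counts = Counter(data)
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {"length": n, "aes_length": n in (16, 24, 32),
            "entropy_bits": round(entropy, 2), "distinct_bytes": len(counts)}


if __name__ == "__main__":
    blob = to_ucs2_be(SIGNATURE)
    print("\n".join(hexdump(blob)))
    print(key_plausibility(blob))
```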

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
This is exactly what it is.
It wouldn't still be in my signature if it wasn't.
\Uffffffff\Uffffffff\Uffffffff This is the other way I had posted it in the past. (But I repeated it and long stringed it and ran it off the page so ppl here took it down for me.) As this is what it looks like copy/pasted from hex editor....
One thing is for sure "one" of the previous "leaked" wii u keys will decrypt this. When I copy/pasted this sig from my pc the site recognizes what I pasted as these symbols and I liked it so I left it. Had it posted on another site back in early 2013. Thinking about it now I think it is still posted there. But it displayed the same way it looked to me on my screen when I encrypted it.
And for everyone. Once an app is cleared to run (signature is validated) the PPC processor has full control of running it. So modifying it after it is validated should cause no issues and allow for full control of said app.

You must be a liar or horribly mistaken.
The signature from codeleakers was most likely deleted on here because of spam or a misunderstanding.

To be clear you are claiming to have the boot1 key before fail0verflow (who in December of 2013 did not have it).
 

FaTaL_ErRoR

AKA ŦƕƎ ƠṀƐƝ
Member
Joined
Mar 9, 2014
Messages
491
Trophies
0
XP
443
Country
United States
Converting that "garbage" to UCS-2 Big Endian results in:
Code:
00000000  fe ff e1 00 35 0c e1 80  35 0c e1 84 35 0c e1 68  |....5...5...5..h|
00000010  35 0c e1 8c 35 0c e1 98  23 0c e1 44 35 0c e1 a8  |5...5...#..D5...|
00000020  35 0c e1 b0 35 0c e1 c4  35 0c e1 d0 35 0c e1 74  |5...5...5...5..t|
00000030  35 0c e1 d8 35 0c e1 e4  35 0c e1 f0 35 0c e1 fc  |5...5...5...5...|
00000040  36 0c e1 08 36 0c e1 14  36 0c e1 20 36 0c e1 24  |6...6...6.. 6..$|
00000050  36 0c e1 34 36 0c e1 44  36 0c e1 50 36 0c e1 60  |6..46..D6..P6..`|
00000060  36 0c e1 6c 36 0c e1 74  36 0c e1 84 36 0c e1 94  |6..l6..t6...6...|
00000070  36 0c e1 a4 36 0c e1 b4  36 0c e1 c4 36 0c 50 d0  |6...6...6...6.P.|
00000080  43 4b 38 53                                       |CK8S|
(the first two bytes are a Byte Order Mark, so they can be ignored)

Doesn't look like much of a key to me.
Well, if it was as simple as inserting it to hex editor I am sure by now it would have been taken down by site admin. As wii u keys are not allowed to be posted.

You must be a liar or horribly mistaken.
The signature from codeleakers was mostly likely deleted on here because of spam or a misunderstanding.

To be clear you are claiming to have the boot1 key before fail0verflow (who in december of 2013 did not have it).
You on codeleakers? My sig on codeleakers is meant to be a joke. I posted a signature here that rolled off the side of the box (long stringed)
It was removed. (that is really not important here though)
The fact it's been posted public since early 2013 is what makes everything so funny. And the fact it's encrypted with one of the other keys makes it even funnier.
But, the funniest part of all is the "IOSU" key makes three appearances in the "leaked" fwimg.


As for Jow, the key is posted correctly. (it is posted exactly how I wanted it, encrypted) I can't help that your pc/phone sees something else... Nor do I care. I really don't know why anyone would want the IOS key anyway. It isn't needed to take over anyway. It makes general syscalls. Most of its functions are very general. (for arm anyway) Just use the usual vulns in arm instruction and you'll have IOS at your mercy.




For every one person who has something there are 500 others that quickly attempt to claim false.
Best advice I can give is to hold strong and let time prove you right.
 

ARVI80

Well-Known Member
Member
Joined
Feb 25, 2016
Messages
197
Trophies
0
Age
43
Location
UK
XP
315
Country
Fail0verflow didn't just give up on the boot1 key, just as @FaTaL_ErRoR also pointed out the key is not needed to take over anyway. Fail0verflow was wise to compare this to the iPhone GID Key never being found as you wouldn't say that iPhones have not been jailbroken, everything is possible on an iPhone. However boot1 keys are more than possible to obtain with more than 1 method, I believe Fail0verflow's solution is a side attack but it's pointless.
 
  • Like
Reactions: KiiWii
