Hacking OSDriver kernel exploit - a technical description

[Onion_Knight]

Be aware that with pygecko, it will freeze the console if you launch a game, quit it, and then return to the browser.
(well for me it freezes, maybe it's the modifications i made on pygecko so i'm not sure)

To resolve the problem I had to add a "GX2WaitForVsync" in the start function of the pygecko codehandler :

static void start(int argc, void *argv) {
    int sockfd = -1, clientfd = -1, ret, len;
    struct sockaddr_in addr;
    struct bss_t *bss = argv;

    socket_lib_init();

    while (1) {
        addr.sin_family = AF_INET;
        addr.sin_port = 7331;
        addr.sin_addr.s_addr = 0;

        sockfd = ret = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        CHECK_ERROR(ret == -1);
        ret = bind(sockfd, (void *)&addr, 16);
        CHECK_ERROR(ret < 0);
        ret = listen(sockfd, 1);
        CHECK_ERROR(ret < 0);
        len = 16;
        clientfd = ret = accept(sockfd, (void *)&addr, &len);
        CHECK_ERROR(ret == -1);
        socketclose(sockfd);
        sockfd = -1;
        ret = rungecko(bss, clientfd);
        CHECK_ERROR(ret < 0);
        socketclose(clientfd);
        clientfd = -1;

        GX2WaitForVsync();
        continue;
error:
        if (clientfd != -1)
            socketclose(clientfd);
        if (sockfd != -1)
            socketclose(sockfd);
        bss->error = ret;
        GX2WaitForVsync();
    }

I modified this section to withstand client side issues, but I will add that to my code.

    addr.sin_family = AF_INET;
     addr.sin_port = 7331;
     addr.sin_addr.s_addr = 0;
     sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);  //open a file handle to socket
     CHECK_ERROR(sockfd == -1);
     ret = bind(sockfd, (void *)&addr, 16);
     CHECK_ERROR(ret < 0);
     ret = listen(sockfd, 20);
     CHECK_ERROR(ret < 0);
     
     while(1) {
     len = 16;
     clientfd =  accept(sockfd, (void *)&addr, &len);
     CHECK_ERROR(clientfd == -1);
     ret = rungecko(bss, clientfd);
     CHECK_ERROR(ret < 0);
     socketclose(clientfd);
     clientfd = -1;
     }
     socketclose(sockfd);
     sockfd = -1;
error:
     if (clientfd != -1)
       socketclose(clientfd);
     if (sockfd != -1)
       socketclose(sockfd);
     bss->error = ret;
   
}
[code]

 

[Onion_Knight]

Yes, you can also add the read/write syscall to all syscall tables directly in the kernel exploit.

If you're on 5.3.2 :

in loader.h:
#define KERN_SYSCALL_TBL_1 0xFFE84C70 // unknown
#define KERN_SYSCALL_TBL_2 0xFFE85070 // works with games
#define KERN_SYSCALL_TBL_3 0xFFE85470 // works with loader
#define KERN_SYSCALL_TBL_4 0xFFEA9CE0 // works with home menu
#define KERN_SYSCALL_TBL_5 0xFFEAA0E0 // works with browser (previously KERN_SYSCALL_TBL)

in loader.c:
- replace "copy_payload[0xff8/4] = KERN_SYSCALL_TBL + (0x34 * 4);" by "copy_payload[0xff8/4] = KERN_SYSCALL_TBL_5 + (0x34 * 4);"
- add those lines after the " Map the loader and coreinit as RW before exiting" part :
/* Add read/write syscalls to the other syscall_tables */
kern_write(KERN_SYSCALL_TBL_1 + (0x34 * 4), KERN_CODE_READ);
kern_write(KERN_SYSCALL_TBL_1 + (0x35 * 4), KERN_CODE_WRITE);

kern_write(KERN_SYSCALL_TBL_2 + (0x34 * 4), KERN_CODE_READ);
kern_write(KERN_SYSCALL_TBL_2 + (0x35 * 4), KERN_CODE_WRITE);

kern_write(KERN_SYSCALL_TBL_3 + (0x34 * 4), KERN_CODE_READ);
kern_write(KERN_SYSCALL_TBL_3 + (0x35 * 4), KERN_CODE_WRITE);

kern_write(KERN_SYSCALL_TBL_4 + (0x34 * 4), KERN_CODE_READ);
kern_write(KERN_SYSCALL_TBL_4 + (0x35 * 4), KERN_CODE_WRITE);

Then you're free to use the syscalls everywhere

edit: sorry I didn't read well the question, I let this here if you are interested

DO I need to add the offsets in the headerfile for Kernal Read and Write, in loader.h

 

[golden45]

DO I need to add the offsets in the headerfile for Kernal Read and Write, in loader.h

In loader.h, inside the part "#elif VER == 532" => "#else# :
you should have something like this :

#elif VER == 532
  #define KERN_SYSCALL_TBL_1  0xFFE84C70 // unknown
  #define KERN_SYSCALL_TBL_2  0xFFE85070 // works with games
  #define KERN_SYSCALL_TBL_3  0xFFE85470 // works with loader
  #define KERN_SYSCALL_TBL_4  0xFFEA9CE0 // works with home menu
  #define KERN_SYSCALL_TBL_5  0xFFEAA0E0 // works with browser
  #define KERN_CODE_READ  0xFFF02274
  #define KERN_CODE_WRITE  0xFFF02294
  #define KERN_ADDRESS_TBL  0xFFEAAA10
  #define KERN_HEAP  0xFF200000
#else

KERN_CODE_READ and KERN_CODE_WRITE don't change, those are the addresses where the read/write code is called from the syscall handler.

 

[Onion_Knight]

In loader.h, inside the part "#elif VER == 532" => "#else# :
you should have something like this :

#elif VER == 532
  #define KERN_SYSCALL_TBL_1  0xFFE84C70 // unknown
  #define KERN_SYSCALL_TBL_2  0xFFE85070 // works with games
  #define KERN_SYSCALL_TBL_3  0xFFE85470 // works with loader
  #define KERN_SYSCALL_TBL_4  0xFFEA9CE0 // works with home menu
  #define KERN_SYSCALL_TBL_5  0xFFEAA0E0 // works with browser
  #define KERN_CODE_READ  0xFFF02274
  #define KERN_CODE_WRITE  0xFFF02294
  #define KERN_ADDRESS_TBL  0xFFEAAA10
  #define KERN_HEAP  0xFF200000
#else

KERN_CODE_READ and KERN_CODE_WRITE don't change, those are the addresses where the read/write code is called from the syscall handler.

Thats what I thought I posted in my question. I did exactly that. I was wondering if I needed to recalculate the addresses for KERN_CODE_READ/WRITE from those new base addresses and add add a define for those.

 

[Reecey]

I was just thinking on this thread, if others are creating there own osdrivers then maybe they might change bits and bobs to get it working better they should post them up for others to test. Someone might even hit the jackpot and discover a version that never errors a more cleaner booting version, its worth others testing them to find out the best osdriver. If this thread is about the osdriver then its the perfect thread to post them up and not in the wiiu hacking & homebrew thread where they all just get lost eventually in the masses of pages

 

[Psi-hate]

Sorry for uh.. asking such a question, but if the exploit was patched 5.5, then is 5.4 exploitable at all? I heard that one of the developers had it running on 5.4, but I don't seem to see anything about it on these forums?

 

[Marionumber1]

Sorry for uh.. asking such a question, but if the exploit was patched 5.5, then is 5.4 exploitable at all? I heard that one of the developers had it running on 5.4, but I don't seem to see anything about it on these forums?

I've had an alternate kernel exploit since early August, which is private and works fine on 5.5.0.

 

[n1ghty]

Sorry for uh.. asking such a question, but if the exploit was patched 5.5, then is 5.4 exploitable at all? I heard that one of the developers had it running on 5.4, but I don't seem to see anything about it on these forums?

The kernel exploit is the same for 5.4, but there is no public userland exploit for 5.4.
The non-public browser exploit for 5.4 is also usable in 5.5 and thus currently unpatched.
The public kernel exploit got patched in 5.5, but there is a non-public one.

Releasing the new browser exploit for 5.4 would be bad because it would probably get fixed in 5.6 and so on...

 

[Psi-hate]

The kernel exploit is the same for 5.4, but there is no public userland exploit for 5.4.
The non-public browser exploit for 5.4 is also usable in 5.5 and thus currently unpatched.
The public kernel exploit got patched in 5.5, but there is a non-public one.

Releasing the new browser exploit for 5.4 would be bad because it would probably get fixed in 5.6 and so on...

Ah, okay. Thanks for clarifying! If there's a userland exploit for 5.4 and above, I'd definitely wait for that. I suppose it'd be a good time to block the updates in case the 5.4+ userland exploits are released later?

 

[MLT]

for make online functions to works for loadiine i need to access to this area 0x0DD00000 wich is mapped on the kernel here:

0xFFEAAA30 value 0x0DD00000 virt addr
0xFFEAAA34 value 0x02300000 size
0xFFEAAA38 value 0x8DD00000 phy addr
0xFFEAAA3C value 0x2FF09400 memory flags....

any idea to can write on it or remap to another area wich that area are rwx , any ideas will be welcome , if i got access to that memory i can do so many thinks..

 

[NexoCube]

I've had an alternate kernel exploit since early August, which is private and works fine on 5.5.0.

I know this thread exists from a long time, but how did you find Syscalls Table like for OSDriver KExploit ?

    #define KERN_SYSCALL_TBL        0xFFEAA0E0
    #define KERN_CODE_READ            0xFFF02274
    #define KERN_CODE_WRITE            0xFFF02294
    #define KERN_ADDRESS_TBL        0xFFEAAA10
    #define KERN_HEAP                0xFF200000

I really don't know where these ares ? Is there a easy way to find them like documentation or something ?

 

[MLT]

I know this thread exists from a long time, but how did you find Syscalls Table like for OSDriver KExploit ?

    #define KERN_SYSCALL_TBL        0xFFEAA0E0
    #define KERN_CODE_READ            0xFFF02274
    #define KERN_CODE_WRITE            0xFFF02294
    #define KERN_ADDRESS_TBL        0xFFEAAA10
    #define KERN_HEAP                0xFF200000

I really don't know where these ares ? Is there a easy way to find them like documentation or something ?

just dumping the kernel and reversing the tables.....kernel code are at FFF00100

 

[Don Jon]

so ive got a question
ive found a working kernel exploit for firmware 5.5.1 through the process of brute forcing

my intentions are to either release it with a working emulator
or release it alone and let someone finish it

the thing is that I am fairly new to the community(was a microsoft guy)
and i would hate to release something that has already been discovered?
could I check @DeVS your exploit and compare
if they are different
there is no reason for holding back if it turns out mine is different

btw I AM open for donations

 

[MassExplosion213]

so ive got a question
ive found a working kernel exploit for firmware 5.5.1 through the process of brute forcing

my intentions are to either release it with a working emulator
or release it alone and let someone finish it

the thing is that I am fairly new to the community(was a microsoft guy)
and i would hate to release something that has already been discovered?
could I check @DeVS your exploit and compare
if they are different
there is no reason for holding back if it turns out mine is different

btw I AM open for donations

Nice scam dude.

 

[AHP_person]

through the process of brute forcing

Lemme just guess a bunch of times and see if I can get an IOSU exploit working. No way this could fail -0-

 

[emuman100]

Amazing work, Marionumber 1 and others!!!

 

[Don Jon]

hey guys
just got pm not long ago
i gave some info
turns out my exploit IS different from the private ones witheld

So
EXPECT A REALESE SOONtm

 

[Micael]

hey guys
just got pm not long ago
i gave some info
turns out my exploit IS different from the private ones witheld

So
EXPECT A REALESE SOONtm

For what system version?

 

[moops44]

For what system version?

gameboy color
pls stop spam threads -.-

 

[Micael]

gameboy color
pls stop spam threads -.-

5.x or other