Homebrew Official 5.5.X ELF Loader

[NexoCube]

Hi ! How are you ppl ? x)?z

 

[Piluvr]

I will share everything I find in here.
Right now, i'm looking at the kernel for 5.51 and tracing back the function calls so i can give them proper names.
some of the strings i'm cleaning up sample:

Spoiler

ROM:FFE84784 00000007 C FLASH\n 
ROM:FFE8478B 00000006 C DISC\n 
ROM:FFE84791 00000005 C USB\n 
ROM:FFE84796 00000008 C SDCARD\n 
ROM:FFE847A0 0000000C C CafeStd.ttf 
ROM:FFE847AC 0000000B C CafeCn.ttf 
ROM:FFE847B7 0000000B C CafeKr.ttf 
ROM:FFE847C2 0000000B C CafeTw.ttf 
ROM:FFE847D0 00000008 C memdump 
ROM:FFE847D8 00000006 C debug 
ROM:FFE847DE 00000007 C kpanic 
ROM:FFE847E5 00000005 C kill 
ROM:FFE8480C 0000000C C killrestart 
ROM:FFE84818 0000000A C coretrace 
ROM:FFE84822 0000000A C crashdump 
ROM:FFE8482C 00000009 C intstats 
ROM:FFEAA500 0000000C C /dev/syslog 
ROM:FFEAB9ED 00000018 C nvalid message pointer\n 
ROM:FFEB93E1 0000000F C R  = 0x%08X\n 
ROM:FFEB93F1 0000000F C TR  = 0x%08X\n 
ROM:FFEB9459 0000001B C Pre InitAddrSp End, ret=%d 
ROM:FFEB9475 0000003F C **An unrecoverable fatal error occurred while loading an RPX.\n 
ROM:FFEB9738 00000048 C DIAG:Result PrepareTitle(0x%08X%08X) came back with cosxml(0x%08X%08X)\n 
ROM:FFEB9840 0000003C C Failed to get master title type.  Default to NOT cafeMenu.\n 
ROM:FFEB989C 00000030 C ***User Mode IopShell command already pending.\n 
ROM:FFEB98CC 0000002A C !!!Abandoned Interrupt %d for process %d\n 
ROM:FFEB98F6 0000003A C *** User-mode interrupt for process that is not running!\n 
ROM:FFEB9935 00000009 C unknown> 
ROM:FFEB9942 00000010 C state= 0x%04X\n\n 
ROM:FFEB9952 00000030 C r%-2d  = 0x%08X (%14d)  r%-2d  = 0x%08X (%14d)\n 
ROM:FFEB9982 00000030 C coretime[%d] = 0x%016llX ticks, %lld second(s)\n 
ROM:FFEB99B2 0000000C C \nGQRs ----\n 
ROM:FFEB99BE 0000001E C \nOSContext is unused (NULL)\n\n 
ROM:FFEB99DD 00000025 C he pointer of OS context is invalid\n 
ROM:FFEB9A02 0000000E C LR  = 0x%08X 
ROM:FFEB9A10 0000000E C SRR0 = 0x%08X 
ROM:FFEB9A1E 00000022 C \nPer-core OSContext runtime ----\n 
ROM:FFEB9A41 00000045 C ------------------------- Context 0x%08X -------------------------\n\n 
ROM:FFEB9A88 0000002A C The stack back-chain pointer is invalid.\n 
ROM:FFEB9AB2 0000001E C \nCoreId: %d  Stack: 0x%08X 
ROM:FFEB9AD2 00000020 C \n\nApplication Stack Trace ----\n 
ROM:FFEB9AF2 0000001C C \n\nContext Stack Trace ----\n 
ROM:FFEB9B0E 0000001A C Process %d, Error 0x%08X\n 
ROM:FFEB9B28 00000022 C \n\nKernel Stack Trace 0x%08X ----\n 
ROM:FFEB9B4A 00000014 C AppPanic 0x%08X %s\n 
ROM:FFEB9B5E 0000004A C \n****************************** Core%d *********************************\n
ROM:FFEB9BA9 0000001F C \nApplication Stack Trace ----\n 
ROM:FFEB9BC8 00000020 C \n\nApplication Stack Trace ----\n 
ROM:FFEB9BE8 0000001C C \n\nContext Stack Trace ----\n 
ROM:FFEB9C04 00000022 C \n\nKernel Stack Trace 0x%08X ----\n 
ROM:FFEB9C26 00000026 C ***Failed to initialize handle table\n 
ROM:FFEB9C4D 00000031 C **Could not allocate per-core scheduling timer.\n 
ROM:FFEB9C80 0000001E C OS VERSION ID  0x%08X%08X\n 
ROM:FFEB9C9E 0000001A C Init&Pre InitAddrSp Start 
ROM:FFEB9CB8 00000016 C Init&Pre memset Start 
ROM:FFEB9CCE 00000026 C DIAG:+KiProcess_FinishInitAndPreload\n 
ROM:FFEB9CF4 0000003E C *** Illegal: No mapping exists of UPID 0x%08X to any RAMPID.\n 
ROM:FFEB9D32 0000002C C *** Process RAMPID 0x%08X is out of range.\n 
ROM:FFEB9D5E 00000022 C Kernel is loading shared data...\n 
ROM:FFEB9D81 00000019 C \nSysProtection Failure:\n 
ROM:FFEB9D9A 00000012 C /test/ppcprotviol

as you can see, some of the text is misaligned - so im going to fix all of those first.
its all for fun and learning how to drive this thing now that Mr. Hykem has left the keys in the ignition for us.


(with some prodding and help by Onion_Knight and NWPlayer123 of course)

If kernal happens to work, please make it released. Dont act high and mighty, act like one of us. Not to sound like a jerk, but that kind of behavior has been going around lately.

 

[Alysson Araújo]

It´s really nice to see how it´s evolving, @Jow Banks ! Keep up the good work. I wish i knew something so i can help, but i´m just too noob in all this. Just want you to know that all effort is appreciated.

 

[Onion_Knight]

This all looks very positive! I think we could actually pull this off!

Well optimism is nice, but mostly I'm offering a direction to look. What @Marionumber1 and company have done is pave the way for others to follow and not have to go blindly into the process. But it takes a look of research and effort. You have to be willing to put in the work to learn, and patient to handle the constant frustration of things not working when you think they should. Its an amazing feeling though when something you've been working on works for the 1st time though.

 

[Deleted User]

Well optimism is nice, but mostly I'm offering a direction to look. What @Marionumber1 and company have done is pave the way for others to follow and not have to go blindly into the process. But it takes a look of research and effort. You have to be willing to put in the work to learn, and patient to handle the constant frustration of things not working when you think they should. Its an amazing feeling though when something you've been working on works for the 1st time though.

I've only started to research and work on this because I want to train my abilities to work with offsets and addresses since I have only worked with nothing but code and pre-made functions in the past. ^^'

It's probably going to be a steep learning curve, but if I do actually put the upmost effort into it, then it sure is going to pay off!

 

[wartimekillers]

I will share everything I find in here.
Right now, i'm looking at the kernel for 5.51 and tracing back the function calls so i can give them proper names.
some of the strings i'm cleaning up sample:

Spoiler

ROM:FFE84784 00000007 C FLASH\n
ROM:FFE8478B 00000006 C DISC\n
ROM:FFE84791 00000005 C USB\n
ROM:FFE84796 00000008 C SDCARD\n
ROM:FFE847A0 0000000C C CafeStd.ttf
ROM:FFE847AC 0000000B C CafeCn.ttf
ROM:FFE847B7 0000000B C CafeKr.ttf
ROM:FFE847C2 0000000B C CafeTw.ttf
ROM:FFE847D0 00000008 C memdump
ROM:FFE847D8 00000006 C debug
ROM:FFE847DE 00000007 C kpanic
ROM:FFE847E5 00000005 C kill
ROM:FFE8480C 0000000C C killrestart
ROM:FFE84818 0000000A C coretrace
ROM:FFE84822 0000000A C crashdump
ROM:FFE8482C 00000009 C intstats
ROM:FFEAA500 0000000C C /dev/syslog
ROM:FFEAB9ED 00000018 C nvalid message pointer\n
ROM:FFEB93E1 0000000F C R  = 0x%08X\n
ROM:FFEB93F1 0000000F C TR  = 0x%08X\n
ROM:FFEB9459 0000001B C Pre InitAddrSp End, ret=%d
ROM:FFEB9475 0000003F C **An unrecoverable fatal error occurred while loading an RPX.\n
ROM:FFEB9738 00000048 C DIAG:Result PrepareTitle(0x%08X%08X) came back with cosxml(0x%08X%08X)\n
ROM:FFEB9840 0000003C C Failed to get master title type.  Default to NOT cafeMenu.\n
ROM:FFEB989C 00000030 C ***User Mode IopShell command already pending.\n
ROM:FFEB98CC 0000002A C !!!Abandoned Interrupt %d for process %d\n
ROM:FFEB98F6 0000003A C *** User-mode interrupt for process that is not running!\n
ROM:FFEB9935 00000009 C unknown>
ROM:FFEB9942 00000010 C state= 0x%04X\n\n
ROM:FFEB9952 00000030 C r%-2d  = 0x%08X (%14d)  r%-2d  = 0x%08X (%14d)\n
ROM:FFEB9982 00000030 C coretime[%d] = 0x%016llX ticks, %lld second(s)\n
ROM:FFEB99B2 0000000C C \nGQRs ----\n
ROM:FFEB99BE 0000001E C \nOSContext is unused (NULL)\n\n
ROM:FFEB99DD 00000025 C he pointer of OS context is invalid\n
ROM:FFEB9A02 0000000E C LR  = 0x%08X
ROM:FFEB9A10 0000000E C SRR0 = 0x%08X
ROM:FFEB9A1E 00000022 C \nPer-core OSContext runtime ----\n
ROM:FFEB9A41 00000045 C ------------------------- Context 0x%08X -------------------------\n\n
ROM:FFEB9A88 0000002A C The stack back-chain pointer is invalid.\n
ROM:FFEB9AB2 0000001E C \nCoreId: %d  Stack: 0x%08X
ROM:FFEB9AD2 00000020 C \n\nApplication Stack Trace ----\n
ROM:FFEB9AF2 0000001C C \n\nContext Stack Trace ----\n
ROM:FFEB9B0E 0000001A C Process %d, Error 0x%08X\n
ROM:FFEB9B28 00000022 C \n\nKernel Stack Trace 0x%08X ----\n
ROM:FFEB9B4A 00000014 C AppPanic 0x%08X %s\n
ROM:FFEB9B5E 0000004A C \n****************************** Core%d *********************************\n
ROM:FFEB9BA9 0000001F C \nApplication Stack Trace ----\n
ROM:FFEB9BC8 00000020 C \n\nApplication Stack Trace ----\n
ROM:FFEB9BE8 0000001C C \n\nContext Stack Trace ----\n
ROM:FFEB9C04 00000022 C \n\nKernel Stack Trace 0x%08X ----\n
ROM:FFEB9C26 00000026 C ***Failed to initialize handle table\n
ROM:FFEB9C4D 00000031 C **Could not allocate per-core scheduling timer.\n
ROM:FFEB9C80 0000001E C OS VERSION ID  0x%08X%08X\n
ROM:FFEB9C9E 0000001A C Init&Pre InitAddrSp Start
ROM:FFEB9CB8 00000016 C Init&Pre memset Start
ROM:FFEB9CCE 00000026 C DIAG:+KiProcess_FinishInitAndPreload\n
ROM:FFEB9CF4 0000003E C *** Illegal: No mapping exists of UPID 0x%08X to any RAMPID.\n
ROM:FFEB9D32 0000002C C *** Process RAMPID 0x%08X is out of range.\n
ROM:FFEB9D5E 00000022 C Kernel is loading shared data...\n
ROM:FFEB9D81 00000019 C \nSysProtection Failure:\n
ROM:FFEB9D9A 00000012 C /test/ppcprotviol

as you can see, some of the text is misaligned - so im going to fix all of those first.
its all for fun and learning how to drive this thing now that Mr. Hykem has left the keys in the ignition for us.


(with some prodding and help by Onion_Knight and NWPlayer123 of course)

A Brand New Hope for 5.5+ user, thanks for sharing, God Bless You Jow
I just really don't get what is the point to holding kexploit private when wiiu is almost dying now, replaced soon by NX
sorry for my bad english, never using them for a very long time

Once again Thanks

 

[NexoCube]

I hope MP4 Webkit Exploit will not be patched in the first version of NX x) or JS:String one !

 

[Deleted User]

To anyone who's trying to disassemble a decrypted kernel.img in IDA, what does it mean when you have to convert a string to code with 'c'?

 

[NexoCube]

To anyone who's trying to disassemble a decrypted kernel.img in IDA, what does it mean when you have to convert a string to code with 'c'?

kernel.img is not in the folder wher rpl are ? =)

 

[Deleted User]

kernel.img is not in the folder wher rpl are ? =)

Nevermind what I said, Onion_Knight is helping me in a PM.

 

[NexoCube]

Nevermind what I said, Onion_Knight is helping me in a PM.

This is not a valid answer.

 

[Deleted User]

This is not a valid answer.

Well, yeah, kernel.img is in the folder with the rpls, but that was out of the question. xD

 

[NexoCube]

Well, yeah, kernel.img is in the folder with the rpls, but that was out of the question. xD

A download that took me 5hours don't work well i fucked up my computer. Damn Spanish guy.

--------------------- MERGED ---------------------------

I think i'll cry. Or by optical fiber connection idk.

 

[Onion_Knight]

kernel.img is not in the folder wher rpl are ? =)

kernel.img is in:

00050010-1000400A

Download the title with NUSgrabber and decrypt with CDecrypt and common key.

 

[NexoCube]

kernel.img is in:

00050010-1000400A

Download the title with NUSgrabber and decrypt with CDecrypt and common key.

Right thanks.

 

[NexoCube]

kernel.img is in:

00050010-1000400A

Download the title with NUSgrabber and decrypt with CDecrypt and common key.

Eror non-authorized xD (401)

 

[Deleted User]

Eror non-authorized xD (401)

I got them!!

I just decrypted the .app files and then I saw a code folder, opened it, and there was the rpls and kernel.img!

 

[NexoCube]

I got them!!

I just decrypted the .app files and then I saw a code folder, opened it, and there was the rpls and kernel.img!

Why does i hvae this error so ? ^^

 

[Deleted User]

Why does i hvae this error so ? ^^

You should use the NUSGrabber command line and type in NUSGrabber.exe <titleid> and then press enter.

 

[NexoCube]

Maybe i should change my nus downloader, what's yours ?

--------------------- MERGED ---------------------------

Oh ok, i try the GUI one and UWizard