Has anybody else looked at what's inside SMEA's IOSUHax that he put up on GitHub?
I worked with it a while and was actually able to get it to run all the way through.
What it does is patch a decoded FW.IMG file, add in a whole bunch of hacks to allow access to IOSU, then re-compile a new encrypted FW.IMG file.
The new file has all of the checksums turned off and a new wupserver hook turned on that allows you to connect inside IOSU via a client app running on a PC.
Example (there's more than just this):
Code:
NEW_TIMEOUT equ (0xFFFFFFFF) ; over an hour

; fix 10 minute timeout that crashes MCP after 10 minutes of booting
.org 0x05022474
.word NEW_TIMEOUT

; hook main thread to start our thread ASAP
.org 0x05056718
.arm
    bl mcpMainThread_hook

; patch OS launch sig check (two 2-byte Thumb movs overwrite the 4-byte check)
.org 0x0500A818
.thumb
    mov r0, #0
    mov r0, #0

; patch IOSC_VerifyPubkeySign to always succeed (return 0)
.org 0x05052C44
.arm
    mov r0, #0
    bx lr

.org 0x050282AE
.thumb
    bl launch_os_hook

; patch pointer to fw.img loader path
.org 0x050284D8
.word fw_img_path

.org CODE_BASE
.arm
mcpMainThread_hook:
    mov r11, r0
    push {r0-r11,lr}
    sub sp, #8                       ; room for the two stack-passed thread args
    mov r0, #0x78
    str r0, [sp]                     ; prio
    mov r0, #1
    str r0, [sp, #4]                 ; detached
    ldr r0, =wupserver_entrypoint    ; thread entrypoint
    mov r1, #0                       ; thread arg
    ldr r2, =wupserver_stacktop      ; thread stacktop
    mov r3, #wupserver_stacktop - wupserver_stack ; thread stack size
    bl MCP_SVC_CREATETHREAD
    cmp r0, #0
    blge MCP_SVC_STARTTHREAD         ; only start it if creation returned >= 0
    ldr r1, =0x050BD000 - 4
    str r0, [r1]                     ; record the SVC return value
    add sp, #8
    pop {r0-r11,pc}
The question is, how can we load this onto a wii-u?
Would it help to take an older wii-u, like one on 5.3.2, then figure out a way to get it to update to 5.5.1 using the modified FW.IMG file?
I'd be willing to "risk-a-bricked 5.32" to try if this might work.
(the wii-u's kinda boring anyways, so no big loss)
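As an added example (my own code, not from the post or from iosuhax): parse the numeric .org patch sites out of an armips-style listing like the one quoted above, then diff a pristine and a modified decoded image and report which changed byte runs line up with a known site and which do not. The listing subset, the image bytes and the 0x05000000 base address are all constructed for the demo.

```python
LISTING = """
.org 0x05022474
.word NEW_TIMEOUT
.org 0x0500A818
.thumb
mov r0, #0
mov r0, #0
"""

def patch_sites(listing):
    """[(address, nbytes)] per numeric .org block; 4 bytes per .word, ARM op or Thumb bl, else 2."""
    sites, addr, mode, size = [], None, "arm", 0
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip()                      # drop comments
        if not line or " equ " in line or line.endswith(":"):
            continue                                          # constants/labels take no space
        if line.startswith(".org"):
            if addr is not None:
                sites.append((addr, size))
            tok = line.split()[1]                             # symbolic .org (CODE_BASE) -> skipped
            addr, size = (int(tok, 0) if tok.startswith("0x") else None), 0
        elif line in (".arm", ".thumb"):
            mode = line[1:]
        else:
            size += 4 if mode == "arm" or line.startswith((".word", "bl ")) else 2
    if addr is not None:
        sites.append((addr, size))
    return sites

def changed_ranges(pristine, patched, base):
    """Diff two equal-length images mapped at `base` -> [(addr, length)] of differing runs."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(pristine, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges, start = ranges + [(base + start, i - start)], None
    return ranges + ([(base + start, len(pristine) - start)] if start is not None else [])

def attribute(ranges, sites):
    """Tag each changed run with the overlapping patch-site address, or None if unexplained."""
    return [(s, n, next((a for a, l in sites if a < s + n and s < a + l), None)) for s, n in ranges]

def demo():
    base, pristine = 0x05000000, bytes(range(256)) * 0x600   # constructed 384 KiB image
    patched = bytearray(pristine)
    patched[0x22474:0x22478] = b"\xff\xff\xff\xff"           # NEW_TIMEOUT word
    patched[0x0A818:0x0A81C] = b"\x00\x20\x00\x20"           # two Thumb "mov r0, #0"
    patched[0x30000:0x30003] = b"\xde\xad\xbe"               # constructed edit at no known site
    return attribute(changed_ranges(pristine, bytes(patched), base), patch_sites(LISTING))
```

Any run that comes back tagged None is a modification the listing does not account for, which is the case a reviewer of a rebuilt image wants flagged.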