Hacking Smea's iosuhax

  • Thread starter: NyaakoXD
  • Views: 147,111
  • Replies: 447
  • Likes: 27
I have a 5.3.2 Wii U and a 5.5.1 Wii U, I don't mind breaking one or the other, because I barely use either of them tbh xD If anyone wants to try out some of this shit but don't wanna brick, I'm here to fuck with it.

--------------------- MERGED ---------------------------

Doing what I can to help out here, here is the source of wupserver + compiled.
THIS ZIP CONTAINS WUPSERVER ALREADY COMPILED :)
SOURCE: https://github.com/smealum/iosuhax
 


But you can't actually run wupserver without an IOSU exploit, correct?
edit: or rather the hook from the patched fw, which ostensibly requires iosu to patch
 

Have you also figured out how to use SMEA's CFW Builder?
It took me a while, but I can now get it to run 100% through.

I had to make a couple of small edits to the .PY script to get the keys to work properly, and getting the latest armips to compile was a bit of trouble - but it all seems to be running smoothly now.

It now creates what look to be clean and properly signed CFW.IMG files for the ARM Processor.
I can set different options in the scripts and re-compile with no errors.

Next is figuring a way to get this into the box without making bricks...
I'm sure there are checks in the OTP that the PPC uses to validate the ARM's code, so those would need to be dealt with.

-dl
 
I think smea would have been flashing cfw through a hard nand mod. He also had a software solution for reading

 
Dude, I cannot get it to work for the life of me, I looked a bit, and added 0x before the keys, couldn't get armips to compile, found a compiled version in the rxTools thread for 3DS, and now get
Code:
D:\Downloads\iosuhax>make
make[1]: Entering directory `/d/Downloads/iosuhax/wupserver'
make[1]: Leaving directory `/d/Downloads/iosuhax/wupserver'
patches/0x10700000.s
make: execvp: armips: Bad file number
make: *** [patched_sections/0x10700000.bin] Error 127
>inb4 i use the wrong tags
 
Just for documentation purposes, and in case anyone can answer. 0x8120000.s in patches calls for sections/0x8140000.bin and patches_sections/0x8140000.bin and neither of them exist.
Thinking he might have meant 0x8120000?
 
The version from rxTools won't work.
(Check your PM)

And, you will need to edit the python script in IOSUHAX's anpack.py to get the keys to work properly.

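def encrypt(self, file, offset):
    # Key and IV as hex strings (redacted here)
    key = 'B5xxxxxxxxxxxxxxxxxxxxxxxxxxxxFD'
    iv = '91xxxxxxxxxxxxxxxxxxxxxxxxxxxx22'
    # The two added lines: convert the hex strings to raw bytes (Python 2)
    key = key.decode('hex')
    iv = iv.decode('hex')
    file.seek(offset)
    buffer = ""
    hash = hashlib.sha1()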

Add in the two lines below the key/iv and you should be good to go. (Of course replace the xx with the real keys...)

There is another "trick" to getting this to create a viable working fw.img.full.bin file for it to work with.

You must:
1: Take a fresh downloaded FW.IMG file
2: Open it up in a hex editor and cut the first 0x200 bytes and save them to a new "Header.bin" file (You will need them later)
3: Save the stripped down FW.IMG file (without the 0x200 bytes)
4: Use OPENSSL with both the key and the proper iv
5: Paste the "Header.bin" to the top of the results from OPENSSL (What SMEA called "Prepend", not sure that's really a word...)
6: Rename it to fw.img.full.bin and put it in the bin folder
7: make

--------------------- MERGED ---------------------------

It should create all of them if the input file is fixed like above.

I had that same issue until I made a new input file.
Now I can delete everything in the iosuhax\patched_sections folder and it re-creates all of them - no edits to any of the scripts.
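
Steps 2 to 6 of the list above as a Python script, added here as an illustration; it is not part of the original posts or of iosuhax. The cipher mode (AES-128-CBC without padding), the `openssl enc` invocation, the script name and all function names are assumptions, and the key and IV are passed in as hex strings rather than included.

```python
import subprocess
import sys

HEADER_LEN = 0x200  # step 2: bytes cut from the top of FW.IMG
AES_BLOCK = 16      # a 32-hex-digit key/IV is 16 bytes


def openssl_decrypt(body, key_hex, iv_hex):
    """Step 4 through the openssl CLI (assumed: AES-128-CBC, no padding)."""
    cmd = ["openssl", "enc", "-d", "-aes-128-cbc", "-nopad",
           "-K", key_hex, "-iv", iv_hex]
    return subprocess.run(cmd, input=body, stdout=subprocess.PIPE,
                          check=True).stdout


def build_full_image(fw_img, decrypt):
    """Steps 2-5: cut the header, decrypt the rest, prepend the header."""
    if len(fw_img) <= HEADER_LEN:
        raise ValueError("file is not longer than the 0x200-byte header")
    header, body = fw_img[:HEADER_LEN], fw_img[HEADER_LEN:]
    if len(body) % AES_BLOCK:
        raise ValueError("body is not a whole number of 16-byte blocks")
    plain = decrypt(body)
    if len(plain) != len(body):
        raise ValueError("decrypted body changed size (padding left on?)")
    return header + plain


def check_full_image(fw_img, full):
    """List what is wrong with a fw.img.full.bin that was built by hand."""
    problems = []
    if len(full) != len(fw_img):
        problems.append("size differs from FW.IMG")
    if full[:HEADER_LEN] != fw_img[:HEADER_LEN]:
        problems.append("header not prepended intact")
    if full[HEADER_LEN:] == fw_img[HEADER_LEN:]:
        problems.append("body is still encrypted")
    return problems


if __name__ == "__main__":
    # usage: python prep_fw.py FW.IMG <key hex> <iv hex>
    fw_path, key_hex, iv_hex = sys.argv[1:4]
    with open(fw_path, "rb") as f:
        fw = f.read()
    full = build_full_image(fw, lambda b: openssl_decrypt(b, key_hex, iv_hex))
    assert not check_full_image(fw, full)
    with open("fw.img.full.bin", "wb") as f:  # step 6 name; move into bin/
        f.write(full)
```

`check_full_image` can also be run on a file assembled in a hex editor, to catch a missing header or a body that was never decrypted before running make.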
 
I've never been able to understand this. https://gyazo.com/fd87f2074a0973e46f890a634f784426 Delete everything visible there? Or delete everything but the last line?
 
Cut (don't delete) all of this:
Code:
EF A2 82 D9 00 00 00 00 00 00 00 20 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 02 70 E1 DE 66 A8 DC DA FA 5B DA 6A CD
5C B0 48 BB DF 54 9E 08 00 18 75 F5 DD 40 F3 51
69 41 EE 8B 32 72 CD 6B DF 35 42 01 20 7E C5 25
79 EA 11 62 39 0E AF 1E 99 83 48 73 FD 38 3F 88
81 01 F6 84 FD 0E BC A7 97 E4 87 F6 D6 97 9D 57
2F E1 79 32 03 E8 D6 9C 15 2B 96 F9 91 AE 71 01
BA C3 9F E5 A6 83 F3 E1 03 77 20 AB 84 3E D3 FF
D0 7C 46 4E 91 72 4C 90 7E B5 88 E8 2C B1 F9 2F
9D 59 A9 F2 46 BE 84 47 C6 1B 0C B7 86 F8 8B 1A
FC D1 21 54 4F D5 3F 37 EF 38 DD 72 B7 87 36 02
61 1D 20 80 B6 71 7D F9 7E DA 56 81 5F E3 CA FF
6C 8E 86 AC 71 6F A6 1C 85 B0 F6 CF 67 67 04 92
1D 4F EB 11 72 DC 76 D9 93 F1 C9 96 63 4B 7C A3
74 A0 4A 48 B7 5A 83 A6 D0 07 B7 F5 37 CC 36 38
55 04 79 96 FB AF A0 41 27 74 A1 88 E0 AA 80 93
43 7F 63 E9 25 7E 9C D6 1E 9C CC A1 6A 10 51 D4
D9 49 74 9F 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 21 00 00 00 02 00 DF D0 00
D0 46 DD 4D B9 32 24 49 E5 C3 1C A8 3B 83 80 2C
89 46 75 FD 00 00 00 02 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


You need to paste it back AFTER it gets decrypted.
The script will take care of replacing the Checksum at the end (94 52 A7...) to match the new image.
 
I have a different fw.img than you?

--------------------- MERGED ---------------------------

Okay, I believe I've made the correct edits, although I have a different fw.img for some reason. Now I'm still getting the error that 0x8140000 is missing.

--------------------- MERGED ---------------------------

One thing that might be contributing to this is it asks for python2, and I have to change it to python for it to start compiling.
 
What FW version are you testing with?

Mine's 5.5.1 US
000500101000400A\15702
As am I. I don't know if for some reason I have the 5.3.2 one? But I believe I have the 5.5.1 one.

--------------------- MERGED ---------------------------

I've checked as I have them both downloaded, I'm using the 5.5.0/5.5.1 one. It might not matter, but what about the 0x8140000? I see on the github someone said they had to make it themselves.

--------------------- MERGED ---------------------------

"Almost there, but need a little assistance getting it to process 0x8140000 +
It looks like some of the binaries were manually created
[Edit: Got through the above issue by creating them manually.]"
How do you create them manually? Just an empty file or do you have to go find that from the fw.img or something and put it in for it?
 
Check your PM.
It definitely matters, as 0x8140000 is the IOS-Kernel DATA Area.
You can make your own copy, you can look in IDA for the first data string at 0x8140000
(In this case it's "IOS_InvalidateDCache(%p,0x%x) specified bad address")

Find that in HxD and cut from there to the next 0x2478 bytes (the length of IOS-Kernel DATA)
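
The manual cut described above, as an added Python example; it is not from the original posts or from iosuhax. The marker string, the 0x2478 length and the output name sections/0x8140000.bin come from the thread, while the script name, the function name and the uniqueness and bounds checks are assumptions of this example.

```python
import os
import sys

# Values quoted in the thread.
MARKER = b"IOS_InvalidateDCache(%p,0x%x) specified bad address"
SECTION_LEN = 0x2478  # length of the IOS-Kernel DATA section
OUT_PATH = os.path.join("sections", "0x8140000.bin")


def carve_section(image, marker=MARKER, length=SECTION_LEN):
    """Return (file offset, bytes) of the section that starts at marker."""
    start = image.find(marker)
    if start < 0:
        # The plain-text string will not normally show up in an encrypted image.
        raise ValueError("marker not found; is the image decrypted?")
    if image.find(marker, start + 1) >= 0:
        raise ValueError("marker occurs more than once; pick the offset by hand")
    if start + length > len(image):
        raise ValueError("image ends before the section does")
    return start, image[start:start + length]


if __name__ == "__main__":
    # usage: python carve_kernel_data.py fw.img.full.bin
    with open(sys.argv[1], "rb") as f:
        offset, data = carve_section(f.read())
    os.makedirs(os.path.dirname(OUT_PATH), exist_ok=True)
    with open(OUT_PATH, "wb") as f:
        f.write(data)
    print("wrote %#x bytes from file offset %#x to %s"
          % (len(data), offset, OUT_PATH))
```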
 
Hahaha who can on it to me and tell me how to use it?
Need a way to get it on the console I guess. Not sure how to go about doing this.

--------------------- MERGED ---------------------------

I used the sections you gave me, that should have gotten around the issue? It compiled correctly.

--------------------- MERGED ---------------------------

This sounds like a good way to brick, but with wupinstaller, can we redecrypt this fw.img that's patched into an update installable by wupinstaller?
 
