Hacking Smea's iosuhax

  • Thread starter: NyaakoXD
  • Views: 147,111
  • Replies: 447
  • Likes: 27
But we can't even repack NUS packages to install them, so we can't inject the modified fw. Or did I miss something?
If we can decrypt them, it seems like a trivial matter to reverse the process? Especially since we know what the output should look like, i.e. the official update files
 
Sorry for the low-quality shitpost. But may I call you Dad?
Also, I spoke with smealum about how he goes about installing this, and he replied:
"@progranade requires an iosu exploit. some of the patches should give you details on exactly how from there"
I replied asking what the how is, and haven't gotten a response.
I'm pretty sure they patched IOSU(MCP?) at runtime(with an IOSU-Exploit) to be able to install unsigned titles, and therefore got it to flash a new fw to itself without checks. Would be my guess.
 
I'm pretty sure they patched IOSU(MCP?) at runtime(with an IOSU-Exploit) to be able to install unsigned titles, and therefore got it to flash a new fw to itself without checks. Would be my guess.
Yeah, so we just need to find an exploit for IOSU, and then use a program to backup our NAND, and we should be good to start trying then?
 
If we can decrypt them, it seems like a trivial matter to reverse the process? Especially since we know what the output should look like, i.e. the official update files
Sure it might be trivial to encrypt the files. Signing them, on the other hand...
 
Sure it might be trivial to encrypt the files. Signing them, on the other hand...
You do not need to sign them if IOSU is patched. They are useless without a patch to IOSU(MCP?) anyway because we do not have private keys. Even if we did sign them (which I have). So it's likely going to be like 3DS, work on emulated nand or an MCP loader or some shit.
 
I'm thinking the next logical check would be to take a clean FW.IMG file, create a clean fw.img.full.bin file from it, edit the patches so all they do is parse the modules but don't modify anything, let it put the FW.IMG back together then test the SHA-1 to see if it's the same as what we started with.

I'm working on this now (on and off) and so far it's very close, but not 100% perfect.
It looks like something is shifting the image by 3 bytes somewhere around offset 0x7975B0 area.
Once this is cleaned up, we should have some good confidence that it is capable of tearing apart then piecing back together a good image.

Edit:
The difference is at offset 0x4975BF, there's a random 0x02 there.

According to my way of looking at it, that puts it at Physical Memory Location 0x24C6002, two bytes into IOS_NET's BSS segment... which makes no sense as BSS should be uninitialized empty space.
 
Last edited by Datalogger,
Interesting would be as well to install/update(/downgrade?) an official OSv10 00050010-1000400A via wupinstaller.
And maybe downgrading below 5.2.0 and use the IOSU bug info from naehrwert can be an option.
 
Interesting would be as well to install/update(/downgrade?) an official OSv10 00050010-1000400A via wupinstaller.
And maybe downgrading below 5.2.0 and use the IOSU bug info from naehrwert can be an option.
Downgrading a title to reuse an exploit... Wii Trucha Bug logic, I like it. :yaywii:
 
Interesting would be as well to install/update(/downgrade?) an official OSv10 00050010-1000400A via wupinstaller.
And maybe downgrading below 5.2.0 and use the IOSU bug info from naehrwert can be an option.
Can't downgrade system titles without IOSU
A solution can't require what it's intended to unlock :unsure:

I think the nand hardmod has the greatest potential, is there a pinout somewhere?
 
Part of me is hoping this will be a hard mod. My soldering iron touches every console generation till now.

Actually I've hard modded my o3ds and n3ds...
 
OK, it looks like SMEA's .py script is failing to keep things Word Aligned properly.
If you extract the elf and run readelf -a, it does great until it gets down to virtual address 0x124C6000, where it stops Word Aligning.

Edit:
I can get it to make an almost perfect copy by rem'ing out two lines in the .PY script:
Code:
    #if not(special):
    #    self.phdrs[i].p_offset = data_offset


When I turn off all patches, it creates a new FW.IMG that is only one byte different than a "Stock" clean FW.IMG

The only difference is that one single 0x02 it does not put at 0x4975BF
(And of course the SHA because of it.)

Not sure what the "If Not (special):" was for, but without it, everything Word Aligns perfectly.


Edit2: =done.
OK, I got it to make a 100% same FW.IMG file by the change above and adding this to the top of the def encrypt
Code:
    def encrypt(self, file, offset):
        # Put back the single 0x02 the rebuild drops; the rest of the
        # original encrypt body follows unchanged.
        # 0x497DC3 = 0x4975BF (image offset) + 0x804 (header size)
        file.seek(0x497DC3)
        file.write(b'\x02')
(That is 0x4975BF plus the 0x804-byte header.)

The SHA-1 matches the "stock" FW.IMG 100%

Obviously, I'm not a Python Programmer - but hey, it works!
Show me a more simple way to poke an 0x02 at that offset so I can get back to my comfort zone in raw assembly.
 
Last edited by Datalogger,
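The two checks Datalogger describes above, finding where a rebuilt image differs from the stock one and then poking a single byte back in and comparing SHA-1s, are the kind of thing worth scripting once. The following is an added example, not smealum's script or any code from this thread: it builds a small constructed "stock" image and a "rebuilt" copy that lost one byte, locates the difference, repairs it at header length plus image offset (the post's real values would be 0x804 and 0x4975BF; the sample uses a tiny buffer and a made-up offset), and confirms the hashes match. All function names and sample data are assumptions for illustration.

```python
import hashlib
import random

# Values quoted in the post; the sample below uses a smaller image and offset.
HEADER_LEN = 0x804            # bytes of header in front of the image body
SAMPLE_IMAGE_OFFSET = 0x1BF   # constructed stand-in for the post's 0x4975BF


def diff_offsets(a, b, limit=16, chunk=4096):
    """Return up to `limit` file offsets where a and b differ.

    Equal 4 KiB chunks are skipped with a single slice comparison, so a
    multi-megabyte image with one stray byte is scanned quickly. A length
    mismatch is reported as a difference at the shorter length.
    """
    out = []
    n = min(len(a), len(b))
    for start in range(0, n, chunk):
        end = min(start + chunk, n)
        if a[start:end] == b[start:end]:
            continue
        for i in range(start, end):
            if a[i] != b[i]:
                out.append(i)
                if len(out) >= limit:
                    return out
    if len(a) != len(b) and len(out) < limit:
        out.append(n)
    return out


def image_to_file_offset(image_offset, header_len=HEADER_LEN):
    """Map an offset inside the image body to an offset in the file."""
    return header_len + image_offset


def poke_byte(data, file_offset, value):
    """Return a copy of data with one byte overwritten at file_offset."""
    if not 0 <= file_offset < len(data):
        raise ValueError("offset 0x%X outside image of %d bytes" % (file_offset, len(data)))
    buf = bytearray(data)
    buf[file_offset] = value & 0xFF
    return bytes(buf)


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def verify_roundtrip(stock, rebuilt, image_offset, value, header_len=HEADER_LEN):
    """Poke `value` into the rebuilt image and report (hashes_match, remaining_diffs)."""
    fixed = poke_byte(rebuilt, image_to_file_offset(image_offset, header_len), value)
    return sha1_hex(fixed) == sha1_hex(stock), diff_offsets(stock, fixed)


# Constructed sample data (not a real FW.IMG): deterministic pseudo-random
# bytes with a known 0x02 at the sample offset, then a "rebuilt" copy where
# that byte came out as 0x00.
_rng = random.Random(1234)
_base = bytes(_rng.getrandbits(8) for _ in range(HEADER_LEN + 0x2000))
STOCK = poke_byte(_base, image_to_file_offset(SAMPLE_IMAGE_OFFSET), 0x02)
REBUILT = poke_byte(STOCK, image_to_file_offset(SAMPLE_IMAGE_OFFSET), 0x00)


if __name__ == "__main__":
    print("differences:", [hex(o) for o in diff_offsets(STOCK, REBUILT)])
    ok, left = verify_roundtrip(STOCK, REBUILT, SAMPLE_IMAGE_OFFSET, 0x02)
    print("SHA-1 matches stock after poke:", ok, "remaining diffs:", left)
```

On real files, read both images with `open(path, "rb").read()`, pass the post's offsets, and treat any non-empty remaining diff list as a sign the rebuild is still not byte-exact rather than something to patch over.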
So is this separate from Hykem's thing, or what?
Hykem had the exploit to be able to run things like what Smealum has made. I think a few other people as well were working on things to have one huge release, but as you can see, it's not happening.
 
So is this separate from Hykem's thing, or what?
Please.
Don't use the "H" word around here - we are all trying to wash that bad memory from our minds.

It's very depressing to think about all of the false promises he made and how that person left the scene under fake pretenses and without leaving behind what he knew.
It's like opening up the largest box under the Christmas tree - just to find out that it's empty. - very sad. :(:(

And he knew a lot - just look at the wiki - but he left without telling us the one thing we all wanted to know. Four letters: I-O-S-U.

Let the new people work on this in peace without this sad - very depressing reminder of what could have been.
 
Last edited by Jow Banks,
Please.
Don't use the "H" word around here - we are all trying to wash that bad memory from our minds.

It's very depressing to think about all of the false promises he made and how that person left the scene under fake pretenses and without leaving behind what he knew.
It's like opening up the largest box under the Christmas tree - just to find out that it's empty. - very sad. :(:(

And he knew a lot - just look at the wiki - but he left without telling us the one thing we all wanted to know. Four letters: I-O-S-U.

Let the new people work on this in peace without this sad - very depressing reminder of what could have been.
Just don't make something big out of it, Jow. He knew what he was doing, and the documentation he has made for us is amazing, just look at some of it. He made the mistake of promising and not being able to fulfill his promises, but you still need to see the amount of things he did for us. Even though he isn't here, Marionumber1 is working on IOSU, along with a few other people. Just give it some time, honestly. This modding community is still pretty basic, give it some time for the people to learn how everything works, read into the system, and you'll see development picking up. There's a lot going on behind the scenes, just make sure to not be underappreciating what you've been given.
 