I have 2 wii u now so I might consider dumping my slc and eMMC once there's something interesting to test.
I'm pretty sure they patched IOSU(MCP?) at runtime(with an IOSU-Exploit) to be able to install unsigned titles, and therefore got it to flash a new fw to itself without checks. Would be my guess.
- Joined
- Jan 5, 2016
- Messages
- 1,247
- Trophies
- 0
- Age
- 33
- Location
- Kansas City, Missouri
- Website
- www.anus.trade
- XP
- 2,549
- Country
Yeah, so we just need to find an exploit for IOSU, and then use a program to backup our NAND, and we should be good to start trying then?
You do not need to sign them if IOSU is patched. They are useless without a patch to IOSU(MCP?) anyway because we do not have private keys. Even if we did sign them (which I have). So it's likely going to be like 3DS, work on emulated nand or an MCP loader or some shit.
I'm thinking the next logical check would be to take a clean FW.IMG file, create a clean fw.img.full.bin file from it, edit the patches so all they do is parse the modules but don't modify anything, let it put the FW.IMG back together then test the SHA-1 to see if it's the same as what we started with.
I'm working on this now (on and off) and so far it's very close, but not 100% perfect.
It looks like something is shifting the image by 3 bytes somewhere around offset 0x7975B0 area.
Once this is cleaned up, we should have some good confidence that it is capable of tearing apart then piecing back together a good image.
Edit:
The difference is at offset 0x4975BF, there's a random 0x02 there.
According to my way of looking at it, that puts it at Physical Memory Location 0x24C6002, two bytes into IOS_NET's BSS segment... which makes no sense as BSS should be uninitialized empty space.
I'm working on this now (on and off) and so far it's very close, but not 100% perfect.
It looks like something is shifting the image by 3 bytes somewhere around offset 0x7975B0 area.
Once this is cleaned up, we should have some good confidence that it is capable of tearing apart then piecing back together a good image.
Edit:
The difference is at offset 0x4975BF, there's a random 0x02 there.
According to my way of looking at it, that puts it at Physical Memory Location 0x24C6002, two bytes into IOS_NET's BSS segment... which makes no sense as BSS should be uninitialized empty space.
Last edited by Datalogger,
Interesting would be as well to install/update(/downgrade?) an official OSv10 00050010-1000400A via wupinstaller.
And maybe downgrading below 5.2.0 and use the IOSU bug info from naehrwert can be an option.
And maybe downgrading below 5.2.0 and use the IOSU bug info from naehrwert can be an option.
http://wiiubrew.org/wiki/TSOP_NANDCan't downgrade system titles without IOSU
A solution can't require what it's intended to unlock
I think the nand hardmod has the greatest potential, is there a pinout somewhere?
OK, it looks like SMEA's .py script is failing to keep things Word Aligned properly.
If you extract the elf and run readelf -a, it does great until it gets down to virtual address 0x124C6000, where it stops Word Aligning.
Edit:
I can get it to make an almost perfect copy by rem'ing out two lines in the .PY script:
When I turn off all patches, it creates a new FW.IMG that is only one byte different than a "Stock" clean FW.IMG
The only difference is that one single 0x02 it does not put at 0x4975BF
(And of course the SHA because of it.)
Not sure what the "If Not (special):" was for, but without it, everything Word Aligns perfectly.
Edit2: =done.
OK, I got it to make a 100% same FW.IMG file by the change above and adding this to the top of the def encrypt
(It's 0x4975bf+0x804 byte Header)
The SHA-1 matches the "stock" FW.IMG 100%
Obviously, I'm not a Python Programmer - but hey, it works!
Show me a more simple way to poke an 0x02 at that offset so I can get back to my comfort zone in raw assembly.
.
If you extract the elf and run readelf -a, it does great until it gets down to virtual address 0x124C6000, where it stops Word Aligning.
Edit:
I can get it to make an almost perfect copy by rem'ing out two lines in the .PY script:
Code:
#if not(special):
#self.phdrs[i].p_offset = data_offsetWhen I turn off all patches, it creates a new FW.IMG that is only one byte different than a "Stock" clean FW.IMG
The only difference is that one single 0x02 it does not put at 0x4975BF
(And of course the SHA because of it.)
Not sure what the "If Not (special):" was for, but without it, everything Word Aligns perfectly.
Edit2: =done.
OK, I got it to make a 100% same FW.IMG file by the change above and adding this to the top of the def encrypt
Code:
def encrypt(self, file, offset):
key='02'
key = key.decode('hex');
file.seek(0x497DC3)
file.write(key)The SHA-1 matches the "stock" FW.IMG 100%
Obviously, I'm not a Python Programmer - but hey, it works!
Show me a more simple way to poke an 0x02 at that offset so I can get back to my comfort zone in raw assembly.
.
Last edited by Datalogger,
- Joined
- Jan 5, 2016
- Messages
- 1,247
- Trophies
- 0
- Age
- 33
- Location
- Kansas City, Missouri
- Website
- www.anus.trade
- XP
- 2,549
- Country
Hykem had the exploit to be able to run things like what Smealum has made. I think a few other people as well were working on things to have one huge release, but as you can see, it's not happening.
Please.
Don't use the "H" word around here - we are all trying to wash that bad memory from our minds.
It's very depressing to think about all of the false promises he made and how that person left the scene under fake pretenses and without leaving behind what he knew.
It's like opening up the largest box under the Christmas tree- just to find out that it's empty. - very sad.
And he knew a lot - just look at the wiki - but he left without telling us the one thing we all wanted to know. Four letters: I-O-S-U.
Let the new people work in this in peace without this sad - very depressing reminder of what could have been.
Last edited by Jow Banks,
- Joined
- Jan 5, 2016
- Messages
- 1,247
- Trophies
- 0
- Age
- 33
- Location
- Kansas City, Missouri
- Website
- www.anus.trade
- XP
- 2,549
- Country
Just don't make something big out of it, Jow. He knew what he was doing, and the documentation he has made for us is amazing, just look at some of it. He made the mistake of promising and not being able to fulfill his promised, but you still need to see the amount of things he did for us. Even though he isn't here, Marionumber1 is working on IOSU, along with a few other people. Just give it some time, honestly. This modding community is still pretty basic, give it some time for the people to learn how everything works, read into the system, and you'll see development picking up. There's a lot going on behind the scenes, just make sure to not be under appreciating what you've been given.Please.
Don't use the "H" word around here - we are all trying to wash that bad memory from our minds.
It's very depressing to think about all of the false promises he made and how that person left the scene under fake pretenses and without leaving behind what he knew.
It's like opening up the largest box under the Christmas tree- just to find out that it's empty. - very sad.
And he knew a lot - just look at the wiki - but he left without telling us the one thing we all wanted to know. Four letters: I-O-S-U.
Let the new people work in this in peace without this sad - very depressing reminder of what could have been.
Similar threads
- No one is chatting at the moment.
-
-
-
-
@
Psionic Roshambo:
Ughh gonna be bored today, class for new job has a lot of networking material and I'm certified in that already... -
-
-
-
@
Psionic Roshambo:
Employee code of conduct videos are awesome!!! Did you know eating the other employees is bad? I didn't know... Lol+1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@
BigOnYa:
Now what to play, Starfield or Fallout4. And what to drink, beer or Whiskey and Coke. Such tough decisions. -
