Hacking Overwriting Wii U title specific executable code?

[BullyWiiPlaza]

Since the kernel exploit maps the kernel memory at 0x01000000 to 0xA1000000 and makes it writable I'm wondering about the same for the app MEM2 region so that we can overwrite the game's assembly instructions without patching the RPL since it's really cumbersome and requires Loadiine. The app MEM2 region is write-protected.

Any hints or tips are greatly appreciated, thanks

@NWPlayer123
@CosmoCortney
@Mega-Mew
@NexoCube
@dimok
@wj44
@Mathew_Wi

 

[QuarkTheAwesome]

I don't see why not. Basically, you'd want (in kernel mode) to write to some BAT registers to map the memory to wherever you'd like. There's separate mappings for data and instructions (DBATs and IBATs respectively) so you'll have to keep that in mind; you'd want to set up a DBAT so you can write to the code area as if it were data. You can find the documentation for this here (7-25 [actual page 290] for the format of the BAT registers, 7-20 [actual 285] for the chapter on BATs) and I wrote a bit of an example here (remember, # = comment, GitHub doesn't like that for some reason) which maps 0x14000000 to 0xE0000000 for instructions (making 0xE0000000 executable, basically). I inject that into a syscall and away it goes. I also noted down the DBATs used by HBL here so can get an idea which ones are in use and which ones aren't.

Worth noting that there's only meant to be 5 BATs so if you want to use the others you need to use their SPR numbers (listed here).

 

[wj44]

kernel_write allows writing in this MEM region.

data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);

 

[BullyWiiPlaza]

kernel_write allows writing in this MEM region.

data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);

But kernel read/write always freezes me in Python and Java alike so it can't be my client implementation...

 

[wj44]

Entering an false address will cause a freeze.

 

[BullyWiiPlaza]

Entering an false address will cause a freeze.

Normal addresses freeze too, all addresses freeze with those functions

 

[wj44]

I don't understand I tested with PyGecko and It was working fine.

 

[Maschell]

https://github.com/dimok789/ddd/blob/master/src/kernel/syscalls.c#L12

This function should be able to copy data from/to any physical address

 

[wj44]

https://github.com/dimok789/ddd/blob/master/src/kernel/syscalls.c#L12

This function should be able to copy data from/to any physical address

This function will only crash the WiiU.
I tried it myself in the past.

 

[Maschell]

This function will only crash the WiiU.
I tried it myself in the past.

You need to setup the syscall first, of course

 

[wj44]

You need to setup the syscall first, of course

Of course, I tested it in Loadiine GX2

 

[wj44]

But kernel read/write always freezes me in Python and Java alike so it can't be my client implementation...

Did you used the TCP Gecko Installer elf? In the past It was only working in the internet browser.

 

[BullyWiiPlaza]

Did you used the TCP Gecko Installer elf? In the past It was only working with the internet browser.

Website version due to the "old" address layout which I still need to work with my existing stuff

 

[wj44]

Website version due to the "old" address layout which I still need to work with my existing stuff

Thats probably the reason. You have to build the latest pyGecko Installer or you use the hbl version.

 

[rendering]

I have tried kernel_write long time ago, kernel_write can only writing in some parts of game's code area without problem, there are still some parts of game's code area, even if you use kernel_write still cause exception, use DBAT/IBAT method would be better

 

[BullyWiiPlaza]

So can someone maybe make a TCP Gecko Installer with executable memory write permissions by default if you already know how it could work? The answers seem too tedious and impossible to do for an end user wanting this, too. It would make the application much better for what it's for, game modding

 

[KiiWii]

Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?

 

[BullyWiiPlaza]

kernel_write allows writing in this MEM region.

data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);

The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:

tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")

def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))
    self.socket.send(request)
    return

 

[shinyquagsire23]

Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?

No, IOS has file permissions which restrict looking at things on the file system. You can FSBindMount certain directories but you need to have proper permissions to actually access anything.

 

[wj44]

The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:

tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")

def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))
    self.socket.send(request)
    return

Never checked if it can write to that region. But You can write to the .text region of a Game:

tcp = TCPGecko(ip_address)
data_start = tcp.readkern(0xFFEAB7A0 + 0x20)
tcp.writekern(data_start, 1)
print("Done.")