Hacking A channel-less, sd-less entry point: str2hax

leseratte

I have been trying to embed a custom payload but I get an error when running ./make_it.sh. Is this the error one gets when the payload is too big? (350 kB)

Code:
$ ./make_it.sh wiimmfi.elf
pack_payload.c: In function ‘main’:
pack_payload.c:42:32: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘uint32_t {aka unsigned int}’ [-Wformat=]
   printf("Failed to allocate %ld bytes!\n", size);
                              ~~^
                              %d
EGG: PONY
Size: 0x00025858
Checksum: 0xFEC3B70C
convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Zusicherung »image != (const Image *) NULL« nicht erfüllt.
./make_it.sh: Zeile 9: 23269 Abgebrochen             (Speicherabzug geschrieben) convert -depth 8 -size $(expr $(stat -c%s out.bin) / 4)x1+0 rgba:out.bin payload.png
$

(roughly translated: SetImageVirtualPixelMethod: assertion »image != (const Image *) NULL« not met, line 9, cancelled (memory dump written))

EDIT: The error is caused by "convert":

Code:
$ convert -depth 8 -size 153704x1+0 rgba:out.bin payload.png
convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Zusicherung »image != (const Image *) NULL« nicht erfüllt.
Abgebrochen (Speicherabzug geschrieben)
 

leseratte

Apparently my payload is way too large, convert only supports up to 15999x1. I guess I have to use the network loader. Or recompile imagemagick.

Or could we use, like 10000x10 instead of 100000x1? Or would that result in another (invalid) image binary?
 

Fullmetal5

Apparently my payload is way too large, convert only supports up to 15999x1. I guess I have to use the network loader. Or recompile imagemagick.

Or could we use, like 10000x10 instead of 100000x1? Or would that result in another (invalid) image binary?
You can try with different widths and heights, it should work just fine since it will get laid out the same. However if it's too large already it definitely isn't going to be able to download. Opera will just fail when downloading it and never run the callback so the page will just appear to do nothing. I highly recommend just using the network loader so that it can be as big as you want.
 
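
The width/height question above can be checked directly: `convert ... rgba:out.bin` writes the payload as raw 8-bit RGBA pixels, and a decoder reads them back row by row, so a W x H layout yields the same byte stream as a (W*H) x 1 one. The script below is an added example (not the thread's make_it.sh or the project's code): it packs bytes into an RGBA8 PNG with a chosen shape, unpacks them again, and picks a shape that stays under the 15999-pixel width limit leseratte ran into. The limit constant and the sample payload are constructed for the example.

```python
import struct
import zlib

MAX_WIDTH = 15999  # assumed from the thread: width limit hit in ImageMagick's policy.xml


def choose_dimensions(size, max_width=MAX_WIDTH):
    """Pick (width, height) in RGBA pixels for `size` bytes, growing the
    height instead of exceeding `max_width`."""
    pixels = (size + 3) // 4                 # 4 bytes per RGBA pixel, rounded up
    width = min(pixels, max_width)
    height = (pixels + width - 1) // width   # ceil(pixels / width)
    return width, height


def _chunk(tag, data):
    """PNG chunk: big-endian length, tag, data, CRC32 over tag+data."""
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def pack_png(payload, width, height):
    """Write `payload` as an unfiltered RGBA8 PNG, row-major, zero-padded
    to width*height*4 bytes. Raises if the payload does not fit."""
    row_bytes = width * 4
    padded = payload.ljust(row_bytes * height, b"\0")
    if len(padded) != row_bytes * height:
        raise ValueError("payload does not fit in %dx%d pixels" % (width, height))
    # Every PNG scanline is prefixed with a filter-type byte; 0 = no filtering.
    raw = b"".join(b"\0" + padded[i:i + row_bytes]
                   for i in range(0, len(padded), row_bytes))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit depth, colour type 6 = RGBA
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def unpack_png(png):
    """Inverse of pack_png for unfiltered RGBA8 PNGs: return the pixel bytes
    in row-major order, which is what a viewer hands back regardless of shape."""
    assert png[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, idat, width = 8, b"", None
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width = struct.unpack(">I", data[:4])[0]
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length  # length + tag + data + crc
    stride = width * 4 + 1  # one filter byte per scanline
    raw = zlib.decompress(idat)
    return b"".join(raw[i + 1:i + stride] for i in range(0, len(raw), stride))
```

Running a 10240-byte payload through both 2560x1 and 256x10 produces byte-identical pixel data, which is why Fullmetal5's answer holds; only a padded tail differs when the size is not a multiple of 4*width.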

leseratte

Got it to convert by removing the safety measurements in /etc/ImageMagick-6/policies.xml.
I just wanted to try with my binary (~250 KB) since you said you'd expect the max limit to be 512k so I thought 250kb uncompressed (150 kb compressed) would be fine.
 

leseratte

On the Wiimmfi server, we are now hosting a variant of this exploit that auto-boots the Wiimmfi patcher so people can easily connect to Wiimmfi on an unmodified Wii.

Now I didn't get multiple different payloads to work on one page, so I just modified the Network Loader to download one or the other payload, depending on user selection.
 

leseratte

More information about what exactly? The tutorial for the user can be found here, or, in video form, here.

The only changes I made to the payload was to change the payload URLs and do some more cleanup, because apparently, running this exploit makes the Wii think you didn't accept the EULA which causes problems with RiiConnect24.
And a hidden way to make the payload download the Hackmii Installer instead of the Wiimmfi patcher.

I was unable to get the web page to load two different payloads depending on user selection, so I added that into the Network Loader itself.
 

Qube_

Excuse me if this is a very stupid question. But do you have to change the "Auto-Obtain DNS" back to "Yes" after the installation of the homebrew channel?
 

Fullmetal5

Excuse me if this is a very stupid question. But do you have to change the "Auto-Obtain DNS" back to "Yes" after the installation of the homebrew channel?
No, that's optional. If Google's DNS servers work for you there is no need to go change it back.
 

nitr8

So it looks like there needs to be some more clarification on hosting the exploit on your own webserver.
I have Apache2 set up and the files compiled. Everything runs fine with one exception:
I get to the screen with the pony. Redirects are working. Modules mime, cgi, php7.0, rewrite are enabled.
...but it still won't boot the network loader. AllowOverride is set to "All". System Menu is v4.1.
I used the stripped ELF for compiling and the boot.elf from the Hackmii Installer.
Any ideas or suggestions why the site isn't executing the payload? From what I can see in the Apache2 logs,
there are no errors and it definitely "GET"s the "payload.png". I don't need that DNS stuff as I redirect the URL
to my local web server inside a Raspberry Pi 3 using DNSMASQ in the router (works).
Any help would be great.
Thanks in advance.
 

leseratte

If I recall correctly, the payload image needs to be delivered in some kind of compressed transport encoding, there is some Apache setting needed but I don't remember which one. Maybe @Wiimm does, he configured that on Wiimmfi.

"the boot.elf from the hackmii installer"? Don't try to embed the hackmii installer. It's too large. Embed the network loader and let it download the hackmii installer.
 

Fullmetal5

So it looks like there needs to be some more clarification on hosting the exploit on your own webserver.
I have Apache2 set up and the files compiled. Everything runs fine with one exception:
I get to the screen with the pony. Redirects are working. Modules mime, cgi, php7.0, rewrite are enabled.
...but it still won't boot the network loader. AllowOverride is set to "All". System Menu is v4.1.
I used the stripped ELF for compiling and the boot.elf from the Hackmii Installer.
Any ideas or suggestions why the site isn't executing the payload? From what I can see in the Apache2 logs,
there are no errors and it definitely "GET"s the "payload.png". I don't need that DNS stuff as I redirect the URL
to my local web server inside a Raspberry Pi 3 using DNSMASQ in the router (works).
Any help would be great.
Thanks in advance.
So it just hangs there on the pony and never even so much as crashes? Even after ~2 minutes?
Just to make sure, are you using the network loader or are you trying to use the boot.elf from the hackmii installer directly?
If you are using the network loader as the boot.elf did you build libogc with -Os and compile the network loader with THAT version of libogc rather than the default?
 

nitr8

So it just hangs there on the pony and never even so much as crashes? Even after ~2 minutes?
Just to make sure, are you using the network loader or are you trying to use the boot.elf from the hackmii installer directly?
If you are using the network loader as the boot.elf did you build libogc with -Os and compile the network loader with THAT version of libogc rather than the default?

That's what I did:

1.) libOGC Makefile = ..."-O2"... -> ..."-Os"...
2.) sh make_it.sh WiiNetworkLoader-master.elf

3.) It sits on the pony site and never loads anything nor does it crash. :rofl2::rofl2::rofl2:
 

Fullmetal5

That's what I did:

1.) libOGC Makefile = ..."-O2"... -> ..."-Os"...
2.) sh make_it.sh WiiNetworkLoader-master.elf

3.) It sits on the pony site and never loads anything nor does it crash. :rofl2::rofl2::rofl2:
Hm, can you upload the "WiiNetworkLoader-master.elf" file?
 

nitr8


Fullmetal5

Well, just to correct you: It doesn't! :rofl2::rofl2::rofl2:

Try this one:
https://www.dropbox.com/s/763favp89vgnpc7/site.zip?dl=0

If this works for you but not for me, there must be something really wrong...
Sorry for the late reply, gbatemp decided to stop telling me when people responded to me.
The issue isn't anything to do with the payload. It seems the build of the index.html file failed. If you look in index.html there should be a giant decimal right after the parseFloat function but it's gone.
Can you show me the output of when you run './create.sh'?
 

nitr8

Sorry for the late reply, gbatemp decided to stop telling me when people responded to me.
The issue isn't anything to do with the payload. It seems the build of the index.html file failed. If you look in index.html there should be a giant decimal right after the parseFloat function but it's gone.
Can you show me the output of when you run './create.sh'?
I will do later. I just woke up.

Sent from my BLA-L29 using Tapatalk
 

JesseTG

How would you get this to patch for something like AltWFC? Not everyone wants to connect to Wiimmfi ... In regards to custom servers for friends or college, where we have total and complete control.
And I wouldn't want to force Homebrew on people, if they don't want it.

This is nice for patching something like say, a console not owned by you, without actually installing anything.
 