Hacking A channel-less, sd-less entry point: str2hax

  • Thread starter: Fullmetal5
  • Views: 135,226
  • Replies: 228
  • Likes: 86
I have been trying to embed a custom payload but I get an error when running ./make-it.sh. Is this the error one gets when the payload is too big? (350 kB)

Code:
$ ./make_it.sh wiimmfi.elf
pack_payload.c: In function ‘main’:
pack_payload.c:42:32: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘uint32_t {aka unsigned int}’ [-Wformat=]
   printf("Failed to allocate %ld bytes!\n", size);
                              ~~^
                              %d
EGG: PONY
Size: 0x00025858
Checksum: 0xFEC3B70C
convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Zusicherung »image != (const Image *) NULL« nicht erfüllt.
./make_it.sh: Zeile 9: 23269 Abgebrochen             (Speicherabzug geschrieben) convert -depth 8 -size $(expr $(stat -c%s out.bin) / 4)x1+0 rgba:out.bin payload.png
$

(roughly translated: SetImageVirtualPixelMethod: assertion »image != (const Image *) NULL« not met, line 9, cancelled (memory dump written))

EDIT: The error is caused by "convert":

Code:
$ convert -depth 8 -size 153704x1+0 rgba:out.bin payload.png
convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Zusicherung »image != (const Image *) NULL« nicht erfüllt.
Abgebrochen (Speicherabzug geschrieben)
 
Last edited by leseratte,
Apparently my payload is way too large, convert only supports up to 15999x1. I guess I have to use the network loader. Or recompile imagemagick.

Or could we use, like 10000x10 instead of 100000x1? Or would that result in another (invalid) image binary?
 
Apparently my payload is way too large, convert only supports up to 15999x1. I guess I have to use the network loader. Or recompile imagemagick.

Or could we use, like 10000x10 instead of 100000x1? Or would that result in another (invalid) image binary?
You can try with different widths and heights, it should work just fine since it will get laid out the same. However if it's too large already it definitely isn't going to be able to download. Opera will just fail when downloading it and never run the callback so the page will just appear to do nothing. I highly recommend just using the network loader so that it can be as big as you want.
 
Got it to convert by removing the safety measurements in /etc/ImageMagick-6/policies.xml.
I just wanted to try with my binary (~250 kB) since you said you'd expect the max limit to be 512k so I thought 250 kB uncompressed (150 kB compressed) would be fine.
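Added illustration (not code from the thread or from the str2hax project) of the two points above: an 8-bit RGBA image is just the payload bytes laid out row-major, so any WxH whose W*H*4 covers the payload decodes to the same byte stream, and picking a height greater than 1 keeps the width under ImageMagick's per-image resource limit instead of loosening policy.xml (which also guards against oversized-image resource exhaustion). The 16000-pixel limit is an assumption taken from the "15999x1" observation in the thread. This is a small Python stand-in for the `convert -depth 8 -size WxH+0 rgba:out.bin payload.png` step, with a reader to confirm the round trip.

```python
import struct
import zlib

MAX_WIDTH = 16000  # assumed: matches the "up to 15999x1" limit seen with convert

def choose_dims(nbytes, max_width=MAX_WIDTH):
    """Pick (width, height) with width <= max_width and width*height*4 >= nbytes."""
    pixels = max(1, (nbytes + 3) // 4)          # 4 bytes (RGBA) per pixel, round up
    width = min(pixels, max_width)
    height = (pixels + width - 1) // width      # ceil(pixels / width)
    return width, height

def _chunk(tag, data):
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def bytes_to_rgba_png(payload, max_width=MAX_WIDTH):
    """Write payload bytes as an 8-bit RGBA PNG, row-major, zero-padded to W*H*4."""
    width, height = choose_dims(len(payload), max_width)
    padded = payload + b"\x00" * (width * height * 4 - len(payload))
    stride = width * 4
    # Each PNG scanline is a filter-type byte (0 = None) followed by the raw pixels.
    raw = b"".join(b"\x00" + padded[i:i + stride] for i in range(0, len(padded), stride))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 = RGBA
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b""))

def rgba_png_to_bytes(png):
    """Inverse of bytes_to_rgba_png: return the row-major pixel bytes (padding included)."""
    assert png[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, idat, width = 8, b"", 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width = struct.unpack(">I", data[:4])[0]
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length                      # length + tag + data + CRC
    raw = zlib.decompress(idat)
    stride = width * 4
    assert all(raw[i] == 0 for i in range(0, len(raw), stride + 1)), "unexpected filter"
    return b"".join(raw[i + 1:i + 1 + stride] for i in range(0, len(raw), stride + 1))

if __name__ == "__main__":
    sample = bytes(range(256)) * 3             # constructed 768-byte stand-in for out.bin
    png = bytes_to_rgba_png(sample, max_width=100)
    assert rgba_png_to_bytes(png)[:len(sample)] == sample
    print("dims", choose_dims(len(sample), 100), "png bytes", len(png))
```

For the 153704-pixel image from the error above, choose_dims(614816) picks 16000x10 rather than 153704x1, which is what convert refused.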
 
On the Wiimmfi server, we are now hosting a variant of this exploit that auto-boots the Wiimmfi patcher so people can easily connect to Wiimmfi on an unmodified Wii.

Now I didn't get multiple different payloads to work on one page, so I just modified the Network Loader to download one or the other payload, depending on user selection.
 
More information about what exactly? The tutorial for the user can be found here, or, in video form, here.

The only changes I made to the payload were to change the payload URLs and do some more cleanup, because apparently, running this exploit makes the Wii think you didn't accept the EULA which causes problems with RiiConnect24.
And a hidden way to make the payload download the Hackmii Installer instead of the Wiimmfi patcher.

I was unable to get the web page to load two different payloads depending on user selection, so I added that into the Network Loader itself.
 
Last edited by leseratte,
Excuse me if this is a very stupid question. But do you have to change the "Auto-Obtain DNS" back to "Yes" after the installation of the homebrew channel?
 
Excuse me if this is a very stupid question. But do you have to change the "Auto-Obtain DNS" back to "Yes" after the installation of the homebrew channel?
No, that's optional. If Google's DNS servers work for you there is no need to go change it back.
 
So it looks like there needs to be some more clarification upon hosting the exploit on an own webserver.
I have Apache2 set up and the files compiled. Everything runs fine with one exception:
I get to the screen with the pony. Redirects are working. Modules mime, cgi, php7.0, rewrite are enabled.
...but it still won't boot the network loader. AllowOverride is set to "All". System Menu is v4.1.
I used the stripped ELF for compiling and the boot.elf from the Hackmii Installer.
Any ideas or suggestions why the site isn't executing the payload? From what I can see in the Apache2 logs,
there are no errors and it definitely "GET"s the "payload.png". I don't need that DNS stuff as i redirect the URL
to my local web server inside a Raspberry Pi 3 using DNSMASQ in the router (works).
Any help would be great.
Thanks in advance.
 
Last edited by nitr8,
If I recall correctly, the payload image needs to be delivered in some kind of compressed transport encoding, there is some Apache setting needed but I don't remember which one. Maybe @Wiimm does, he configured that on Wiimmfi.

"the boot.elf from the hackmii installer"? Don't try to embed the hackmii installer. It's too large. Embed the network loader and let it download the hackmii installer.
 
So it looks like there needs to be some more clarification upon hosting the exploit on an own webserver.
I have Apache2 set up and the files compiled. Everything runs fine with one exception:
I get to the screen with the pony. Redirects are working. Modules mime, cgi, php7.0, rewrite are enabled.
...but it still won't boot the network loader. AllowOverride is set to "All". System Menu is v4.1.
I used the stripped ELF for compiling and the boot.elf from the Hackmii Installer.
Any ideas or suggestions why the site isn't executing the payload? From what I can see in the Apache2 logs,
there are no errors and it definitely "GET"s the "payload.png". I don't need that DNS stuff as i redirect the URL
to my local web server inside a Raspberry Pi 3 using DNSMASQ in the router (works).
Any help would be great.
Thanks in advance.
So it just hangs there on the pony and never even so much as crashes? Even after ~2 minutes?
Just to make sure, are you using the network loader or are you trying to use the boot.elf from the hackmii installer directly?
If you are using the network loader as the boot.elf did you build libogc with -Os and compile the network loader with THAT version of libogc rather than the default?
 
So it just hangs there on the pony and never even so much as crashes? Even after ~2 minutes?
Just to make sure, are you using the network loader or are you trying to use the boot.elf from the hackmii installer directly?
If you are using the network loader as the boot.elf did you build libogc with -Os and compile the network loader with THAT version of libogc rather than the default?

That's what I did:

1.) libOGC Makefile = ..."-O2"... -> ..."-Os"...
2.) sh make_it.sh WiiNetworkLoader-master.elf

3.) It sits on the pony site and never loads anything nor does it crash. :rofl2::rofl2::rofl2:
 
That's what I did:

1.) libOGC Makefile = ..."-O2"... -> ..."-Os"...
2.) sh make_it.sh WiiNetworkLoader-master.elf

3.) It sits on the pony site and never loads anything nor does it crash. :rofl2::rofl2::rofl2:
Hm, can you upload the "WiiNetworkLoader-master.elf" file?
 
Last edited by nitr8,
Well, just to correct you: It doesn't! :rofl2::rofl2::rofl2:

Try this one:
https://www.dropbox.com/s/763favp89vgnpc7/site.zip?dl=0

If this works for you but not for me, there must be something really wrong...
Sorry for the late reply, GBAtemp decided to stop telling me when people responded to me.
The issue isn't anything to do with the payload. It seems the build of the index.html file failed. If you look in index.html there should be a giant decimal right after the parseFloat function but it's gone.
Can you show me the output of when you run './create.sh'?
 
Sorry for the late reply, GBAtemp decided to stop telling me when people responded to me.
The issue isn't anything to do with the payload. It seems the build of the index.html file failed. If you look in index.html there should be a giant decimal right after the parseFloat function but it's gone.
Can you show me the output of when you run './create.sh'?
I will do later. I just woke up.

Sent from my BLA-L29 using Tapatalk
 
How would you get this to patch for something like AltWFC? Not everyone wants to connect to Wiimmfi ... In regards to custom servers for friends or college, where we have total and complete control.
And I wouldn't want to force Homebrew on people, if they don't want it.

This is nice for patching something like say, a console not owned by you, without actually installing anything.
 
Last edited by JesseTG,