Nothing new at all. Nintendo included the decrypted IOSU ancast image in sysupdate_for_sdk_2.12.13. This is for os_v10_ndebug.
sha1sum fw.bu.img
84e5a55f83b191e8db46733da83b14eabbca75ff *fw.bu.img
The ELF header starts at offset 0x804. Trimming off the ancast header metadata, we get:
sha1sum fw.bu.img.elf
712e7976eecdf898d570c8f1a4096ca82912c5b5 *fw.bu.img.elf
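The trimming step above, as an added example that is not part of the original post: it checks for the ELF magic at the stated offset 0x804, drops everything before it, and reports the ELF identification fields and SHA-1 of the result. The function names and the constructed stand-in image are assumptions for illustration; the real fw.bu.img is not reproduced here.

```python
import hashlib
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELF_OFFSET = 0x804  # offset of the ELF header as stated in the post


def carve_elf(image: bytes, offset: int = ELF_OFFSET) -> dict:
    """Drop everything before `offset` and identify the ELF that follows."""
    if image[offset:offset + 4] != ELF_MAGIC:
        found = image.find(ELF_MAGIC)
        hint = f"first ELF magic at {found:#x}" if found >= 0 else "no ELF magic found"
        raise ValueError(f"no ELF header at {offset:#x} ({hint})")
    elf = image[offset:]
    if len(elf) < 0x14:
        raise ValueError("truncated ELF header")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA in e_ident")
    # e_type and e_machine follow the 16-byte e_ident in both ELF32 and ELF64
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, elf, 0x10)
    return {
        "elf": elf,
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,
        "e_machine": e_machine,
        "sha1": hashlib.sha1(elf).hexdigest(),
    }


def build_sample() -> bytes:
    """Constructed stand-in image: 0x804 filler bytes, then a minimal ELF header."""
    ident = ELF_MAGIC + bytes([1, 2, 1]) + bytes(9)   # ELF32, big-endian, version 1
    header = ident + struct.pack(">HH", 2, 40)        # ET_EXEC, EM_ARM (sample values)
    return bytes(ELF_OFFSET) + header + bytes(0x20)


if __name__ == "__main__":
    # Usage: python carve.py fw.bu.img  (no argument runs the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = carve_elf(data)
    if len(sys.argv) > 1:
        with open(sys.argv[1] + ".elf", "wb") as out:
            out.write(info["elf"])
    print({k: v for k, v in info.items() if k != "elf"})
```

Run against the real image, the reported SHA-1 can be compared with the fw.bu.img.elf hash given above.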
The firmware has been reverse engineered to some extent by comex, Hykem, Marionumber1, crediar and myself. The documentation can be found here:
http://wiiubrew.org/wiki/IOSU
People may wonder where reverse engineering starts. It's simple: with a strings dump of the memory. You can use those strings to start identifying device descriptors and their various ioctl functions. You can then backtrace the execution flow of the ioctl subroutines to find the device descriptor's jump table, which is used to map ioctls to their corresponding opcodes. Once you determine the jump table, you can trace back even further into the IPC handler, which is how the PPC and ARM processors communicate. Now you have a control flow graph of the complete execution flow, from issuing an ioctl command from PPC to it running bare metal on the ARM processor. Mapping out the rest of the ioctl commands is easy because you can use the symbols in PPC rpls to determine their functions.
Once you have a basic idea of the system you can start looking for various memory corruption vulnerabilities through source code analysis and fuzzing. You can also try to determine various open source libraries that are included (like OpenSSL), and look for disclosed CVEs.
Well, that's a pretty comprehensive overview of how to develop exploits for IOSU. Two userland vulnerabilities have already been found (not including the one comex originally used to dump the OTP bank). Oh, I should also mention that the ARM926EJ-S doesn't support hardware DEP, which makes hooking control flow a lot easier since ROP is not needed. However, IOSU has its own kernel, which needs its own exploit.
Also, if you are curious to know how to blindly reverse syscalls or want more information regarding other aspects of exploiting embedded systems, please read:
https://cturt.github.io/ps4.html