Hacking ida stuff

davetheshrew (Well-Known Member, OP)
Joined Jan 2, 2016

Work is being done on getting IOSU out there, so here is something that will allow you all to join in and hopefully get this out faster. The idea being that people work a bit on these and post what they find; I will take everything every week or so, post it off to the dev and see what should be added/taken away/trashed etc., and eventually a complete IOSU will be the result, in theory. When a new zip is compiled I post it and everyone gets to have another go. This is what has been done so far:

This is for IDA Version 6.8.150423 (32-bit)
These files have all of the known functions labeled and fully commented.
All known Prototypes, Descriptions and Parameters are included.
All known SysCalls are documented and "repeatable commented" with their parameters.
Added in all ISO-CRYPTO OTP read data and locations.
Began mapping of all ISO-CRYPTO ioctl and ioctlv commands in both PPC and ARM
Finished mapping the IOCTL/IOCTLV commands
Added in a copy of C2W.IMG file (fully decrypted - very revealing on how Nindy thinks... look at this one!)
Added in all Thumb 16-Bit SysCalls (Mostly IOS-KERNEL)
Added both BootRoms (Wii & Wii U) to the PPC side based off feedback from the debugger
Began exploring how to work with the PPC-KERNEL using SDK's multi5326 - added notes inside the IDA files on any findings.

change may 1st 2016

Added and renamed some functions to match SMEA's released IOSUHax information
Added in more found functions in both ARM and PPC decompiles
Add documentation about the ARM ARM926EJ-S Processor (Technical Doc PDF)


This is PUBLIC stuff

It IS NOT for making private exploits

I TAKE NO CREDIT FOR THIS AND AT THE DEV'S REQUEST I'M NOT CREDITING HIM EITHER

here are the files http://www.filedropper.com/ppcandarmfirmware55xida32-bit_1


How to "Do-it-yourself" for those that want to learn on their own:


PART 1:

Tools you will need:

* IDA Pro 6.x with ARM/Thumb and PPC modules in BigEndian (most copies already have these)

* UWizard (or any other NUS Downloader of your choice)

* HEX Editor (recommend HxD.exe)

* A working copy of OPENSSL

* A basic ARM command list for reference like: http://simplemachines.it/doc/arm_inst.pdf
(Don’t worry about this too much now. It’ll make more sense later on)




Getting Started:

Start UWizard

Select Settings Tab - all Keys should be green and say "Verified as Correct by SHA1"
(Don't ask here for the keys, they are easily found elsewhere.)

Select NUS Downloader U Tab.

Type in the TitleID and Version of the firmware you want to download (see http://wiiubrew.org/wiki/Title_database for the latest)
TIP: Note the removal of the "-" dash in the TitleID and the "v" letter in the version as they are posted on wiiubrew.

Example: OSv10 5.5.0/5.5.1
TitleID: 000500101000400A Version: 15702

Check the Decrypt Contents checkbox

When UWizard is done, it will open up the decoded directory. (code)

Copy the files you want to work with to your OPENSSL location
(FW.IMG and/or KERNEL.IMG)

The command to decrypt with openssl is: openssl enc -d -aes-128-cbc -K "KEY HERE" -iv 0 -nopad -in filename.IMG -out filename.BIN
Note that the "K" must be UpperCase and there are no quotes around the key.

KERNEL.IMG is decrypted with the EXPRESSO ANCAST KEY
FW.IMG is decrypted with the STARBUCK ANCAST KEY
TIP: You can copy/paste the keys from UWizard by unchecking the "Hide Keys" box.

For now we will do the FW.BIN file first.
It is in ARM/Thumb and is the base for any CFW.

Open up the FW.BIN file created by OPENSSL in the HEX Editor and remove the header up until it starts with "0x7F 0x45 0x4c 0x46"
(0x7F and the word ELF)
In 5.5.1, it is the first 0x804 bytes

Save it as FW.ELF

Now the fun begins...

Open up IDAPro (idaq.exe or idaq64.exe) and select the FW.ELF file

IDA should say it’s an ELF for ARM (Executable) [elf64.i64]
(-or- elf.ldw if you are using 32 bit)

In the PROCESSOR TYPE pull-down, go up until you get to ARM BIG-ENDIAN ARMB
Select the SET Button. ( Important step!! )
Next, select the KERNEL OPTIONS 1 and Un-Select DELETE INSTRUCTIONS WITH NO XREFS, then select OK
Next, select the KERNEL OPTIONS 2 and Select COAGULATE DATA SEGMENTS IN THE FINAL PASS and AUTOMATICALLY CONVERT DATA TO OFFSETS, then select OK

Now select the OK button to begin loading.

If the ARM/THUMB SWITCHING message shows, select OK
If the Hex-Rays message comes up, select OK

Now the wait begins...
Look at the lower left corner of the IDA screen; you will see that she is processing the file.

Leave everything alone and wait until she is all done processing the file.
When she finishes, a pop-up message will say something about Proximity Mode... Select YES

Press the "+" key on your keyboard's number pad to take it out of Proximity mode for now. (You can always press the "-" key to turn it back on later.)


As a basic first step, in IDA press SHIFT F12 to create a tab with the current strings she already found for you
(this is not all of them, we will create more later)


PART #2
Next is adding in some missing bits and pieces to our Firmware compilation.

For this, you will need a copy of BOOT0 and BOOT1 for your firmware.

For example, here is a copy of them for 5.5.1/5.5.0 I "found" on pastebin. : http://pastebin.com/5sBn1FKt
It's a ZIP file. Make a ZIP file using the RAW data: copy/paste it into HxD.exe, then save it as BOOTS.ZIP. Open it with your zip file utility and save the contents in your working folder.

To Add BOOT1.BIN
FILE -> LOAD FILE -> ADDITIONAL BINARY FILE
Loading Segment = 0x0
Loading Offset = 0x0D400000
File Offset = 0x0
Number of bytes = 0x0 (max)
Create Segments = CHECKED
Code Segment = CHECKED

To Add BOOT0.BIN
FILE -> LOAD FILE -> ADDITIONAL BINARY FILE
Loading Segment = 0x0
Loading Offset = 0x0D4100A0
File Offset = 0x0
Number of bytes = 0x0 (max)
Create Segments = CHECKED
Code Segment = CHECKED


Now to create the other missing segments manually.
We need to add:

GP_RAM - 0xD000000 to 0xD010000 - DATA
NAND - 0xD010000 to 0xD020000 - DATA
AES - 0xD020000 to 0xD030000 - DATA
SHA - 0xD030000 to 0xD040000 - DATA
GPIO - 0xD800000 to 0xD810000 - DATA
DRAMCtrl - 0xD8B0000 to 0xD8C0000 - DATA



To create a new segment, it's:
EDIT -> SEGMENTS -> CREATE SEGMENT and use the information above.

Example:
Segment Name = GP_RAM
Start address = 0xD000000
End address = 0xD010000
Base = 0x0 (default)
Segment Class = DATA
(All other settings can be left at default)

Do the same as above for NAND, AES, SHA, GPIO and DRAMCtrl


Now, it's time to clean things up a bit:
Click on the IDA View-A tab
Press SHIFT F7 to bring up the Segment List
Scroll to the top of the list.

Using the information from this Pastebin : http://pastebin.com/yQx8NLEy, rename all of the Segments by selecting one and pressing "CONTROL E" (or right click and EDIT SEGMENT)
Change the SEGMENT NAME and the READ/WRITE/EXECUTE settings to match the pastebin information.
Note that some are marked as "Unknown"; it's part of our job to figure those out, label them and update wiiubrew.org

While we are making changes to the Segments, we also need to make a minor adjustment to BOOT0 and edit the Start Address to 0xD410000 and the End Address to 0xD420000
We also need to make a minor adjustment to BOOT1 and edit the Start Address to 0xD400000 and the End Address to 0xD410000
This will pad the top and bottom of the BOOTs so they match the publicly posted decodings.


Now...
IDA likes to compress unused data, but for our case we want to see all of the storage registers so we can name them.
There is only one segment we created that she will compress, RAM (the others are too small for her to pay attention to)

Press ALT S and double-click on the RAM segment
Press the U key (Undefine)
Press Y to confirm


Next is to set the Names for what is stored in these new Segments using the information found here: http://pastebin.com/xDuwVaRh
To add a name to an address, press G to bring up the "Jump To Address" menu, then type in the address to jump to.
Press the N key to add/change the name.
You may need to use the U key to Undefine the address if it is compressed.


Now that we've added in new information that IDA didn't know about before, she needs to re-analyze the data and add in new storage locations.

Before we do this, we need to verify a couple of options to make sure the data looks clean and our settings are still set.

Do this by going to: OPTIONS -> GENERAL -> ANALYSIS and open up KERNEL OPTIONS 2
2nd one down is COAGULATE DATA SEGMENTS IN THE FINAL PASS, make sure it is still checked.
Towards the middle of the list is AUTOMATICALLY CONVERT DATA TO OFFSETS, make sure it is still checked, then select OK

Select the REANALYZE PROGRAM button and select OK

If all is well, she will start crunching through the code, adding in new storage locations and sizing them for you (BYTE, WORD, DWORD...)
Hint: Watch the lower left corner of her screen

She doesn't know the names of what is stored where yet, you will need to use the N key on your keyboard to teach her.

Hint: It may be a lot easier to read the screen if you go to OPTIONS -> GENERAL, select the DISASSEMBLY tab and change COMMENTS INDENTATION (NON GRAPH) to something like 80.
If you want to see what all of the commands do, you can turn on AUTO COMMENTS, but I'd suggest you turn it back off after seeing what IDA can tell you for now.



Use this file as a template and start naming functions in BOOT1: http://static.hackmii.com/boot1.txt
And for BOOT0, use this: http://pastebin.com/zePZT8Zi
Use this to start naming the KERNEL SRAM data: http://wiiubrew.org/wiki/IOSU_Syscalls

Note: to add a Comment, use the ; Semicolon key on your keyboard.
It's better to use semicolon than colon comments, as they show everywhere the location is referenced to/from.




A Side note that needs to be talked about now:
I figured I'd wait to bring this up until you've had a few successes working with IDA.

In case you didn't already know, an ARM/Thumb processor is both 32 and 16 bit.
ARM is 32 and Thumb is 16(and some 32 too).

The saying goes "Nobody's Perfect" and IDA is just like everyone else; she makes mistakes.
ARM/Thumb code is very difficult to reverse engineer. Sometimes what looks like good Code is actually Strings or Data.

Luckily the FW.IMG is an ELF format file, so IDA knows where the Strings are. (even so, we still need to fix some strings but at least she doesn't think they might be code!)
This is not so with the PPC's KERNEL.IMG as it has no ELF header. (more on this later)

Working with most other processors this is no big deal as you can just change the Code and be done with it.

With ARM/Thumb, this creates unique problems, as the incorrectly Coded information can create links to other Data areas and sometimes, depending on the instructions, IDA thinks the other Data area needs to be in Thumb mode and she sets it to CODE16 when it really needs to be CODE32 (or vice versa).

She uses two different "engines" to decode the hex data and she sets "tags" ( CODE16 / CODE32 ) to know which one to use.
In a typical ARM/Thumb reverse engineering project, you have to manually correct any of these that she wrongfully set.
It takes a little practice to understand when she got it right, and when it makes no sense what she did.

This is very tedious and time consuming, but it's a heck of a lot less work than if you didn't have IDA to do 99% of the real work for you.
The best practice is to use the search for CODE16 and do a sanity check for the code around it.

Also, an ARM Processor is capable of performing jumps to areas of memory that IDA has no way of knowing about (PC can be modified directly via code)
IDA will leave these areas in the CODE segments as compressed data, so you need to look for large "chunks" of data mid-stream in the code that need to be compiled using the "C" key.

Sometimes it's advantageous to turn off IDA's Auto Analysis during this process (The Green Ball in the menu bar), especially if you are unsure if it's CODE16 or CODE32.
If you have the Segment Register set wrong (Keycode CTRL-K), she can go wild setting other areas to the wrong type if in Auto mode.
 
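The guide's manual HxD step (cut everything before the 0x7F 'E' 'L' 'F' bytes, which in 5.5.1 is the first 0x804 bytes, and save as FW.ELF) can be automated and sanity-checked. The script below is an added example for this thread, not the guide author's or the dev's code: it locates the ELF magic in a decrypted FW.BIN, strips the preceding header, and decodes the ELF32 ident and header fields so you can confirm before loading into IDA that the payload is a big-endian ARM executable (which is why the guide has you pick "ARM BIG-ENDIAN ARMB" and IDA reports "ELF for ARM (Executable)"). The sample image it builds when run without arguments is constructed for the demo, including its entry address; only the file names and the 0x804 figure come from the guide. If no magic is found at all, the usual cause is decrypting with the wrong ancast key.

```python
"""Strip the pre-ELF header from a decrypted Wii U FW.BIN and sanity-check the
ELF that follows. Added example for this thread, not the guide author's or the
dev's code. The sample image built below is constructed here, not real firmware."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"          # 0x7F 0x45 0x4C 0x46, as the guide describes
EI_CLASS, EI_DATA = 4, 5        # e_ident byte indices (ELF spec)
ELFCLASS32, ELFDATA2MSB = 1, 2  # 32-bit, big-endian
ET_EXEC = 2                     # "Executable", as IDA reports it
EM_ARM = 0x28                   # e_machine value for ARM
ELF32_EHDR_LEN = 52


def find_elf_offset(data: bytes) -> int:
    """Offset of the first ELF magic in the decrypted image, or -1 if absent
    (e.g. the wrong ancast key was used and the payload is still ciphertext)."""
    return data.find(ELF_MAGIC)


def strip_pre_elf_header(data: bytes) -> bytes:
    """Drop everything before the ELF magic: the manual HxD step from the guide."""
    off = find_elf_offset(data)
    if off < 0:
        raise ValueError("no ELF magic found; decryption probably failed")
    return data[off:]


def describe_elf32(elf: bytes) -> dict:
    """Decode the header fields IDA shows on load: class, endianness, type, machine, entry."""
    if len(elf) < ELF32_EHDR_LEN or elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if elf[EI_CLASS] != ELFCLASS32:
        raise ValueError("only ELF32 is handled here")
    big_endian = elf[EI_DATA] == ELFDATA2MSB
    fmt = (">" if big_endian else "<") + "HHII"
    # e_type @16, e_machine @18, e_version @20, e_entry @24
    e_type, e_machine, _e_version, e_entry = struct.unpack_from(fmt, elf, 16)
    return {
        "bits": 32,
        "big_endian": big_endian,      # True => choose "ARM BIG-ENDIAN ARMB" in IDA
        "executable": e_type == ET_EXEC,
        "arm": e_machine == EM_ARM,
        "entry": e_entry,
    }


def build_sample_image(header_len: int = 0x804) -> bytes:
    """Constructed stand-in for a decrypted FW.BIN: header_len bytes of filler
    followed by a minimal big-endian ELF32 ARM executable header. The entry
    address 0x08000000 is made up for this example."""
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1, 0]) + bytes(8)
    rest = struct.pack(
        ">HHIIIIIHHHHHH",
        ET_EXEC, EM_ARM, 1, 0x08000000,      # e_type, e_machine, e_version, e_entry
        ELF32_EHDR_LEN, 0, 0,                # e_phoff, e_shoff, e_flags
        ELF32_EHDR_LEN, 32, 0, 40, 0, 0,     # e_ehsize, e_phentsize, e_phnum,
    )                                        # e_shentsize, e_shnum, e_shstrndx
    filler = bytes([0xAA]) * header_len      # filler that cannot contain the magic
    return filler + e_ident + rest


def main(argv):
    # Usage: script.py FW.BIN FW.ELF   (no arguments: run on the constructed sample)
    if len(argv) == 3:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_image()
    off = find_elf_offset(data)
    elf = strip_pre_elf_header(data)
    info = describe_elf32(elf)
    print(f"ELF magic at 0x{off:X}; big_endian={info['big_endian']} "
          f"arm={info['arm']} executable={info['executable']} entry=0x{info['entry']:08X}")
    if len(argv) == 3:
        with open(argv[2], "wb") as f:
            f.write(elf)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python strip_fw.py FW.BIN FW.ELF` after the openssl step; the printed offset should match the header length you would otherwise count in HxD (0x804 for 5.5.1), and `big_endian=True arm=True executable=True` confirms the processor and file type IDA should be told to use.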

davetheshrew
Did you write this all in just a few minutes? If so, hats off to you my friend.
Yeah, took me like 30 seconds... nah lol, it's copy-paste, but as I said, it's public stuff; it's always been intended to be that way, except where this info comes from is preferred to be quiet, without distraction.
 

davetheshrew
It's not written here, but I will quote direct from the dev Dylon99:

Feel free to share the file, but do not share the link as this is not my Mega account. (thanks to the anonymous donor)
Download it and share, or download and post it on another account.
DO NOT CREDIT ME FOR THIS.
THIS IS FOR PUBLIC USE ONLY.
IT IS NOT TO BE USED FOR PRIVATE EXPLOITS!!!
 

davetheshrew
Oh, btw:

This is for IDA Version 6.8.150423 (32-bit)
These files have all of the known functions labeled and fully commented.
All known Prototypes, Descriptions and Parameters are included.
All known SysCalls are documented and "repeatable commented" with their parameters.
Added in all ISO-CRYPTO OTP read data and locations.
Began mapping of all ISO-CRYPTO ioctl and ioctlv commands in both PPC and ARM
Finished mapping the IOCTL/IOCTLV commands
Added in a copy of C2W.IMG file (fully decrypted - very revealing on how Nindy thinks... look at this one!)
Added in all Thumb 16-Bit SysCalls (Mostly IOS-KERNEL)
Added both BootRoms (Wii & Wii U) to the PPC side based off feedback from the debugger
Began exploring how to work with the PPC-KERNEL using SDK's multi5326 - added notes inside the IDA files on any findings.

That's how far these files are in terms of work; the next update will have more, and so on.
 

davetheshrew
I hope it's all of good use for you. If you find things that need adding etc., just copy-pasta them here and I'll get it out regularly. I will say though, the dev, when around, works at lightspeed, so don't be disappointed if you have worked hard only to find stuff completed lol
 

davetheshrew
This is the injection the scene needs.

I hope this proves useful for someone to piece together, and perhaps more knowing devs to chime in with some direction?

:)

Give up, you wouldn't know what to do with it if you had it, because you are all dumb; we are smart, you are not; I am big, you are small; it's ready when it's ready, soon.

I'm not being fair, but tbh this past week has been silly; there are great people here.
 
