Homebrew Official 5.5.X ELF Loader

  • Thread starter: NWPlayer123
  • Start date:
  • Views: 104,745
  • Replies: 427
  • Likes: 63
Look in sysapp.rpl; there are many functions that are not in sysapp.h.

--------------------- MERGED ---------------------------

How do I search for sub_206B8B0?

Just go into the last one in the left list; it should be around there.

--------------------- MERGED ---------------------------

Sysapp = 0xFFFFFFF8

--------------------- MERGED ---------------------------

These SYSLaunchAPPNAMEDirect() ...
Maybe for a faster launch or something.

Same for ByProdArea.

What are these?
 
okay... would you please mind telling me how you found this? ^_^
Not really sure for now. The coreinit.rpl "address" isn't the same as the handle.

--------------------- MERGED ---------------------------

Go into elfexamples/helloelf/init.c and there it is xD

This is the simple version of what I am doing (that's true, but how I am doing it is the RPL way).
 
When I hear the words "kexploit" and "5.5.x":
 
Okay, so I'm just gonna backtrack to a couple of days ago now. I remember MrRean telling me a couple of things, and I shall put them here:

MrRean in some thread I can't remember now... said:
Well pyGecko makes finding addresses easy, so just find the addresses that coreinit uses manually, and then use pyGecko for the rest. ;)

Or we can just find the DynLoad and Acquire function addresses, and go from there.


"find the addresses that coreinit uses manually"? Surely that's got to be easy. :unsure:
 
That's the main problem.

--------------------- MERGED ---------------------------

Okay, so I'm just gonna backtrack to a couple of days ago now. I remember MrRean telling me a couple of things, and I shall put them here:

"find the addresses that coreinit uses manually"? Surely that's got to be easy. :unsure:

0xF5FFFFFC = OSDynLoad_Acquire
0xF5FFFFF8 = OSDynLoad_FindExport

--------------------- MERGED ---------------------------

Are you still here, or are you crying? xDD

(PS: It wasn't me who found these addresses.)
 
Take a look at loader.h in the osdriver kexploit source:

Code:
#elif VER == 532
   #define KERN_SYSCALL_TBL     0xFFEAA0E0
   #define KERN_CODE_READ       0xFFF02274
   #define KERN_CODE_WRITE      0xFFF02294
   #define KERN_ADDRESS_TBL     0xFFEAAA10
   #define KERN_HEAP            0xFF200000

Think we could update this with more recent addresses?
 
Take a look at loader.h in the osdriver kexploit source:

Code:
#elif VER == 532
   #define KERN_SYSCALL_TBL     0xFFEAA0E0
   #define KERN_CODE_READ       0xFFF02274
   #define KERN_CODE_WRITE      0xFFF02294
   #define KERN_ADDRESS_TBL     0xFFEAAA10
   #define KERN_HEAP            0xFF200000

Think we could update this with more recent addresses?

The KERN_ADDRESS_TBL for 5.5.0 is in pyGecko.
 
Oh my god, it is as well! :lol:

But don't try anything; giving kernel permission this way has been patched, so it leads to nothing.

--------------------- MERGED ---------------------------

But don't try anything; giving kernel permission this way has been patched, so it leads to nothing.

We have to find another exploit. Then exploit it, hopefully.
 
Oh. :(
I wonder how the devs managed to port the exploit then. :huh:

They know more than us.
For the 5.5.1 kernel exploit:

@Marionumber1 made it
@Mathew_Wi ported and debugged it
@golden45 made SDCafiine (like Wii Riivolution) (yes, I can read a video description)

If one of these reads it, could someone help or give any hints or tips to find any system failure/exploit... because we're a little bit lost about reverse engineering (that's what, I suppose, was used to find all these things: addr, virt_addr, etc.).

If you could give any help in PM or Skype (fhtuto.tarik), it would be great.
 