Homebrew Official 5.5.X ELF Loader

NexoCube

Look in sysapp.rpl; there are many functions that are not in sysapp.h.

--------------------- MERGED ---------------------------

How do I search for sub_206B8B0?

Just, in the left list go into the last one and it should be around there.

--------------------- MERGED ---------------------------

Sysapp = 0xFFFFFFF8

--------------------- MERGED ---------------------------

These SYSLaunchAPPNAMEDirect() ...
Maybe for a faster launch or something

Same for ByProdArea

What are these?
 

NexoCube

okay... would you please mind telling me how you found this? ^_^
Not really sure for now. The coreinit.rpl "address" isn't the same as the handle.

--------------------- MERGED ---------------------------

Go to elfexamples/helloelf/init.c and there it is xD

This is the simple version of what I am doing (that's true, but the way I am doing it is the rpl way.)
 

Phantom64

when I hear the words "kexploit" and "5.5.x"
 
Deleted User
Okay, so I'm just gonna backtrack to a couple of days ago now. I remember MrRean telling me a couple of things, and I shall put them here:

MrRean in some thread I can't remember now... said:
Well pyGecko makes finding addresses easy, so just find the addresses that coreinit uses manually, and then use pyGecko for the rest. ;)

Or we can just find the DynLoad and Acquire function addresses, and go from there.


"find the addresses that coreinit uses manually"? Surely that's got to be easy. :unsure:
 

NexoCube

That's the main problem.

--------------------- MERGED ---------------------------

Okay, so I'm just gonna backtrack to a couple of days ago now. I remember MrRean telling me a couple of things, and I shall put them here:

"find the addresses that coreinit uses manually"? Surely that's got to be easy. :unsure:

0xF5FFFFFC = OSDynLoad_Acquire
0xF5FFFFF8 = OSDynLoad_FindExport

--------------------- MERGED ---------------------------

Are you still here or are you crying xDD

(PS: It's not me who found these addresses)
 
Deleted User
Take a look at loader.h in the osdriver kexploit source:

Code:
#elif VER == 532
   #define KERN_SYSCALL_TBL     0xFFEAA0E0
   #define KERN_CODE_READ       0xFFF02274
   #define KERN_CODE_WRITE       0xFFF02294
   #define KERN_ADDRESS_TBL     0xFFEAAA10
   #define KERN_HEAP         0xFF200000

Think we could update this with more recent addresses?
 

NexoCube

Take a look at loader.h in the osdriver kexploit source:

Code:
#elif VER == 532
   #define KERN_SYSCALL_TBL     0xFFEAA0E0
   #define KERN_CODE_READ       0xFFF02274
   #define KERN_CODE_WRITE       0xFFF02294
   #define KERN_ADDRESS_TBL     0xFFEAAA10
   #define KERN_HEAP         0xFF200000

Think we could update this with more recent addresses?

The KERN_ADDRESS_TBL for 5.5.0 is in pyGecko.
 

NexoCube

Oh my god, it is as well! :lol:

But don't try anything; giving kernel permission this way has been patched, so it's useless.

--------------------- MERGED ---------------------------

But don't try anything; giving kernel permission this way has been patched, so it's useless.

We have to find another exploit. Then exploit it, hopefully.
 

NexoCube

Oh. :(
I wonder how the devs managed to port the exploit then. :huh:

They know more than us.
For the 5.5.1 Kernel Exploit:

@Marionumber1 made it
@Mathew_Wi ported it and debugged it
@golden45 made SDCafiine (like Wii Riivolution) (yes, I can read a video description)

If one of them reads this, could someone help or give any hints or tips to find any system failure/exploit? Because we're a little bit lost about reverse engineering (that's what, I suppose, was used to find all these things: addr, virt_addr etc...)

If you could give any help in PM or on Skype (fhtuto.tarik) it would be great.
 