A channel-less, sd-less entry point: str2hax

XFlak

> For right now it prioritizes the http loader mainly due to the fact that the DNS resetting code is still in http loader. Unfortunately these are separate stages so the options are either:
> A. Port the DNS resetting code into the savezelda minimal environment (with no libogc)
> B. Rip out the sd card/usb gecko code out of savezelda and re-implement them in the http loader.
> I chose to do option A however the final step in resetting the DNS servers is to reload IOS which involved doing ES IPC requests for which I didn't have time to figure out/rip out of libogc to port to savezelda.
> I'll look into it more tomorrow and see which option will end up being more complicated but for now sd card/usb gecko loading takes a back seat so that people don't end up with their DNS settings broken and not realize it. (Something I REALLY want to avoid.)
Hey @Fullmetal5, did you ever get a chance to look into this some more?

Thanks
Shameless bump :)
 

Zurdonx

Awesome!! I was wondering if this could also be an entry point for the DSi because the DSi EULA is also updatable.
I wonder if it's http
 

Fullmetal5 (OP)
> Awesome!! I was wondering if this could also be an entry point for the DSi because the DSi EULA is also updatable.
> I wonder if it's http
I was ready to say no to this idea however after some Googling my answer may be different.
I don't have a DSi and I couldn't find much info on the EULA screen for the DSi but from DSiBrew it seems Nintendo was still using Opera for the browser on the DSi at that point and the last update for the internet channel in the DSi lists it as Opera 9.50 which should be vulnerable to this.
I have no idea how the EULA page on the DSi works. If the page is over https then this would fail, if it's not a web page but just plain text then this will fail, if it's actually WebKit and not Opera then this will probably fail. (This might affect WebKit too but I'm not sure.)

You can't just replace the EULA page for the DSi with this one and expect it to work. Someone will need to do the porting. Also does the DSi have ASLR/DEP? idk. This will be MUCH more difficult if it has ASLR. DEP is just an inconvenience, without ASLR it can be defeated pretty easily.

Someone familiar with the DSi scene might take a look at this as it might actually lead to something. Currently their only available exploit is FlipNote Lenny so if someone wants a SD-less + game-less DSi entry point then this has potential.
 

XFlak

> Sorry about the wait.
> Most of the issues surrounding that have been figured out. I'll try to push out an update tonight with a fixed version that loads in the correct order.
> I'll post when the update is out.
No rush and no pressure but just curious on the status of this :)
 

ChampionLeake

> I was ready to say no to this idea however after some Googling my answer may be different.
> I don't have a DSi and I couldn't find much info on the EULA screen for the DSi but from DSiBrew it seems Nintendo was still using Opera for the browser on the DSi at that point and the last update for the internet channel in the DSi lists it as Opera 9.50 which should be vulnerable to this.
> I have no idea how the EULA page on the DSi works. If the page is over https then this would fail, if it's not a web page but just plain text then this will fail, if it's actually WebKit and not Opera then this will probably fail. (This might affect WebKit too but I'm not sure.)
>
> You can't just replace the EULA page for the DSi with this one and expect it to work. Someone will need to do the porting. Also does the DSi have ASLR/DEP? idk. This will be MUCH more difficult if it has ASLR. DEP is just an inconvenience, without ASLR it can be defeated pretty easily.
>
> Someone familiar with the DSi scene might take a look at this as it might actually lead to something. Currently their only available exploit is FlipNote Lenny so if someone wants a SD-less + game-less DSi entry point then this has potential.


The DSi browser has no WebKit. There's only Opera. And you possibly could use shutterbug's nds-constrain't.
The DSi doesn't have a kernel so there's no ASLR/DEP whatsoever. Btw, we have the Unlaunch exploit, basically a bootcode exploit that has access to everything.
 

ItsaMamaLuigi

> @ItsaMamaLuigi How? Did you do something wrong? Did you click on the wrong region (Ex: chose 4.3U instead of 4.3J), or was your SD card not FAT32? Or maybe you mistyped your MAC address.
Turns out I just had to run a system update even though my Wii was already on 4.3U. Once I did that, Letterbomb worked for me. I had done everything else (version, MAC address, SD card format) correctly.
 

leseratte

I just wanted to try that exploit but I get the error "ERROR: hostent was null" when it tries to resolve hbc.hackmii.com, then it tries two more times, and then it freezes. Any idea why that might be?

And, is there any guess about when you'll have that write-up and/or source code ready? I'd really like to try and make a variant of this that boots the Wiimmfi patcher instead of the Hackmii installer. I looked at the stuff the Wii downloads when running this (EULA web page, rd.png and payload.png) but payload.png doesn't look like normal PPC assembler (obfuscated?).

EDIT: Afterwards the DNS is set to "0.0.0.0" both for primary and secondary - I believe that might be the problem?
 

Saimo

Can you make a version for Wii 3.1 with the old HackMii installer, because the "press 1" button doesn't show up?
It requires IOS58.
 

Fullmetal5 (OP)
> I just wanted to try that exploit but I get the error "ERROR: hostent was null" when it tries to resolve hbc.hackmii.com, then it tries two more times, and then it freezes. Any idea why that might be?
>
> And, is there any guess about when you'll have that write-up and/or source code ready? I'd really like to try and make a variant of this that boots the Wiimmfi patcher instead of the Hackmii installer. I looked at the stuff the Wii downloads when running this (EULA web page, rd.png and payload.png) but payload.png doesn't look like normal PPC assembler (obfuscated?).
>
> EDIT: Afterwards the DNS is set to "0.0.0.0" both for primary and secondary - I believe that might be the problem?
If it's complaining about hostent being null just try the exploit again. I'm not sure why this is happening. It's supposed to reset your DNS settings so that DNS resolution can work again, then reload IOS for it to take effect, but for some reason IOS doesn't like to answer DNS queries after being reloaded sometimes. Maybe it's a libogc issue? Dunno here.

As for the write-up the best I can say is "soon". School + work has taken most of my time but the write-up isn't too complicated/long so it shouldn't really take long. The main thing will be cleaning up the sources for stuff to be released.

As for the payload.png you're talking about, that is actually the network loader but it's been packed into a valid PNG so that the Wii will successfully decode it into a buffer and keep it around rather than freeing it and letting it get overwritten by something else like FlashHax does. There really isn't any need to change anything with it, as when the source is released all you will need to do is change the server it downloads boot.elf from and let the rest of the scripts pack it into the payload.png file for you. (It has some special formatting requirements because of how Opera likes to keep RGBA files in memory. It actually keeps them in memory as ARGB so every dword needs to be swapped a little.)
Also you really don't want to try to put your own payload into that file since there are REALLY strict size requirements (under 100KB) for it to be loaded. Currently the network loader is deflate'd and using a version of libogc compiled with -Os and luckily that's enough to make things fit. (Having to rip things out of libogc would have been a pain and hard to maintain.)

The DNS settings ending up at 0.0.0.0 is intentional. The network loader switches back to automatic DNS settings so that it's no longer using Go Daddy DNS servers which don't know how to resolve anything not hosted there. If it didn't then you would have to reset the DNS settings yourself and I didn't want people to have to do that manually since people are lazy and I'm sure they would have just left it and then been angry when their internet suddenly didn't work afterwards. Also this way the network loader can grab payloads that aren't hosted on your server.


> Can you make a version for Wii 3.1 with the old HackMii installer, because the "press 1" button doesn't show up?
> It requires IOS58.
I don't have any plans on back porting this to older versions. I would just do what everyone else suggested and update the console and then use it.
 

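The payload.png trick Fullmetal5 describes above, as an added worked example (this is not the str2hax packing script, which is not on this page): the loader bytes are padded to whole RGBA pixels, each dword is rotated so that a decoder which stores pixels as ARGB ends up holding the original bytes in memory, and the result is wrapped in a valid PNG with one filter-0 scanline per row. The exact byte order (A,R,G,B per pixel in memory), the 256-pixel row width and the choice to apply the "under 100KB" limit to the decoded buffer are assumptions made for the example. The second function is a minimal decoder that simulates that ARGB storage so the round trip can be checked offline without a console.

```python
"""Pack an arbitrary blob into a valid 8-bit RGBA PNG so that a decoder
which keeps pixels in memory as ARGB ends up with the blob's bytes intact.

Assumptions (not stated in the thread): a decoded pixel is the big-endian
dword 0xAARRGGBB (bytes A,R,G,B), and the size limit applies to the decoded
pixel buffer. The row width is arbitrary.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DECODED_BYTES = 100 * 1024   # "under 100KB" per the post; which buffer is limited is an assumption


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def rgba_from_argb(buf: bytes) -> bytes:
    """Rotate each dword so that A,R,G,B (memory order) becomes R,G,B,A (file order)."""
    out = bytearray()
    for i in range(0, len(buf), 4):
        a, r, g, b = buf[i:i + 4]
        out += bytes((r, g, b, a))
    return bytes(out)


def pack_payload_png(payload: bytes, width: int = 256) -> bytes:
    """Wrap `payload` in a valid RGBA PNG (filter type 0 on every scanline)."""
    pixels = (len(payload) + 3) // 4              # pad to whole pixels...
    height = (pixels + width - 1) // width        # ...and to whole rows
    buf = payload.ljust(width * height * 4, b"\x00")
    if len(buf) > MAX_DECODED_BYTES:
        raise ValueError(f"decoded buffer would be {len(buf)} bytes, over the limit")
    rgba = rgba_from_argb(buf)
    stride = width * 4
    raw = b"".join(b"\x00" + rgba[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)   # 8-bit, colour type 6 = RGBA
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b""))


def decode_png_as_argb(png: bytes) -> bytes:
    """Minimal decoder for the PNGs produced above (8-bit RGBA, filter 0).
    Returns the pixel buffer as a browser that stores ARGB would hold it."""
    assert png[:8] == PNG_SIGNATURE, "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        assert crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF), "bad chunk CRC"
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            assert (depth, colour) == (8, 6), "expected 8-bit RGBA"
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 4
    argb = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        assert row[0] == 0, "only filter type 0 is handled here"
        for x in range(0, stride, 4):
            r, g, b, a = row[1 + x:5 + x]
            argb += bytes((a, r, g, b))     # simulate the ARGB in-memory layout
    return bytes(argb)
```

Because the PNG is genuinely well formed, any image decoder accepts it; the only thing specific to the target is the per-dword rotation, which has to match whatever pixel format the browser's decoder actually writes, so that is the first thing to verify against a memory dump before trusting the loader bytes.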
leseratte

> The DNS settings ending up at 0.0.0.0 is intentional. The network loader switches back to automatic DNS settings so that it's no longer using Go Daddy DNS servers which don't know how to resolve anything not hosted there. If it didn't then you would have to reset the DNS settings yourself and I didn't want people to have to do that manually since people are lazy and I'm sure they would have just left it and then been angry when their internet suddenly didn't work afterwards. Also this way the network loader can grab payloads that aren't hosted on your server.

Well it seems as if for me it doesn't reset to "auto". It only resets the manual servers to 0.0.0.0, but doesn't switch back from "manual" to "auto" when I check the connections settings afterwards. I tried multiple times as well.
 

Fullmetal5 (OP)
> Well it seems as if for me it doesn't reset to "auto". It only resets the manual servers to 0.0.0.0, but doesn't switch back from "manual" to "auto" when I check the connections settings afterwards. I tried multiple times as well.
That's odd and could definitely be the source of the issue. Which of the 3 connections are you using on the Wii?
 

leseratte

I am using connection 1, wired.

However because I use a static IP address (required in my network, no DHCP), I cannot use auto DNS (the button is disabled in the network config). Do you think you could mod your exploit so it sets the DNS to 8.8.8.8 / 8.8.4.4 when it detects that auto DNS is not possible?

Or, why not just make the exploit DNS resolvers redirect unknown queries to another DNS to get the answer, which is what all the other homebrew DNS servers do?
 
