A channel-less, sd-less entry point: str2hax

Discussion in 'Wii - Hacking' started by Fullmetal5, Nov 14, 2018.

  1. Fullmetal5 (OP), GBAtemp Regular
  2. leseratte, Wiimmfi Team
    I have been trying to embed a custom payload but I get an error when running ./make-it.sh. Is this the error one gets when the payload is too big? (350 kB)

    Code:
    $ ./make_it.sh wiimmfi.elf
    pack_payload.c: In function ‘main’:
    pack_payload.c:42:32: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘uint32_t {aka unsigned int}’ [-Wformat=]
       printf("Failed to allocate %ld bytes!\n", size);
                                  ~~^
                                  %d
    EGG: PONY
    Size: 0x00025858
    Checksum: 0xFEC3B70C
    convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Assertion `image != (const Image *) NULL' failed.
    ./make_it.sh: line 9: 23269 Aborted                 (core dumped) convert -depth 8 -size $(expr $(stat -c%s out.bin) / 4)x1+0 rgba:out.bin payload.png
    $

    EDIT: The error is caused by "convert":

    Code:
    $ convert -depth 8 -size 153704x1+0 rgba:out.bin payload.png
    convert: ../../magick/image.c:3187: SetImageVirtualPixelMethod: Assertion `image != (const Image *) NULL' failed.
    Aborted (core dumped)
     
    Last edited by leseratte, Dec 18, 2018
  3. leseratte, Wiimmfi Team
    Apparently my payload is way too large; convert only supports up to 15999x1. I guess I have to use the network loader. Or recompile ImageMagick.

    Or could we use, like 10000x10 instead of 100000x1? Or would that result in another (invalid) image binary?
     
  4. Fullmetal5 (OP), GBAtemp Regular
    You can try different widths and heights; it should work just fine since it will get laid out the same. However, if it's already too large it definitely isn't going to be able to download. Opera will just fail when downloading it and never run the callback, so the page will just appear to do nothing. I highly recommend just using the network loader so that it can be as big as you want.
     
  5. leseratte, Wiimmfi Team
    Got it to convert by removing the safety measures in /etc/ImageMagick-6/policies.xml.
    I just wanted to try with my binary (~250 KB) since you said you'd expect the max limit to be 512k, so I thought 250 KB uncompressed (150 KB compressed) would be fine.
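
    Added example (editor's code, not part of this thread or of the str2hax tooling): posts 3 to 5 revolve around `convert -depth 8 -size $(size/4)x1 rgba:out.bin payload.png`, which stores the packed payload as the pixel bytes of an RGBA PNG, and on whether a 10000x10 image carries the same bytes as a 100000x1 one. The Python below does the same packing with only the standard library (no ImageMagick, so no policy.xml limit), reads the PNG back, and checks that any width x height reproduces the same byte stream; `geometry_for` picks a geometry under a width cap such as the 15999 leseratte hit. It assumes the packed blob carries its own length (the example zero-pads to fill the image and does not track the padding); the function names and the constructed 25600-byte blob are mine.

```python
"""Pack a raw payload into an 8-bit RGBA PNG and read it back, to check
that different WxH geometries carry the same byte stream.

Added example, not code from str2hax or its make_it.sh; it uses only the
Python standard library instead of ImageMagick's `convert ... rgba:out.bin`.
"""
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
BYTES_PER_PIXEL = 4  # one RGBA pixel carries four payload bytes


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, tag, data, CRC32 over tag + data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def geometry_for(size: int, max_width: int = 15999) -> tuple:
    """Pick a width x height that holds `size` bytes with width <= max_width.

    max_width defaults to the 15999 limit reported in the thread; the
    single-row layout make_it.sh uses (size/4 x 1) only works below it.
    """
    pixels = math.ceil(size / BYTES_PER_PIXEL)
    width = min(pixels, max_width)
    height = math.ceil(pixels / width)
    return width, height


def pack_rgba_png(payload: bytes, width: int, height: int) -> bytes:
    """Store `payload` as the pixel bytes of a width x height RGBA PNG.

    Pixels are written row by row, R,G,B,A per pixel, so concatenating the
    pixel bytes gives the payload back whatever geometry was chosen.  The
    payload is zero-padded to fill width*height*4 bytes (the `expr ... / 4`
    in make_it.sh instead truncates, so 1..3 trailing bytes would be lost
    there), which means the reader must learn the true length some other
    way, e.g. from a size field inside the packed blob (assumption).
    """
    capacity = width * height * BYTES_PER_PIXEL
    if len(payload) > capacity:
        raise ValueError(f"{len(payload)} bytes do not fit in {width}x{height}")
    padded = payload + b"\0" * (capacity - len(payload))
    stride = width * BYTES_PER_PIXEL
    # Filter type 0 (None) in front of every scanline, then deflate.
    scanlines = b"".join(b"\0" + padded[i:i + stride]
                         for i in range(0, capacity, stride))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines, 9)) + _chunk(b"IEND", b""))


def unpack_rgba_png(png: bytes) -> bytes:
    """Return the raw pixel bytes of a non-interlaced 8-bit RGBA PNG.

    Only filter type 0 is handled, which is all pack_rgba_png emits; a real
    decoder would also undo Sub/Up/Average/Paeth filtering.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, width, height, idat = len(PNG_SIGNATURE), 0, 0, []
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(tag + data) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {tag!r} chunk")
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype, data[12]) != (8, 6, 0):
                raise ValueError("expected non-interlaced 8-bit RGBA")
        elif tag == b"IDAT":
            idat.append(data)
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(b"".join(idat))
    stride = width * BYTES_PER_PIXEL + 1
    rows = [raw[r:r + stride] for r in range(0, stride * height, stride)]
    if any(row[0] != 0 for row in rows):
        raise ValueError("unsupported scanline filter")
    return b"".join(row[1:] for row in rows)


def same_pixels(payload: bytes, geometries) -> bool:
    """True when every geometry reproduces the (zero-padded) payload."""
    return all(unpack_rgba_png(pack_rgba_png(payload, w, h)).startswith(payload)
               for w, h in geometries)


if __name__ == "__main__":
    blob = bytes(range(256)) * 100   # constructed 25600-byte stand-in for out.bin
    print(geometry_for(len(blob)))   # fits in a single row
    print(same_pixels(blob, [(6400, 1), (80, 80), (100, 64)]))
```

    The check only covers the bytes-in, bytes-out half of the problem: as Fullmetal5 notes, a PNG that Opera cannot finish downloading never runs the callback, and no geometry fixes that; the network loader does.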
     
  6. leseratte, Wiimmfi Team
    On the Wiimmfi server, we are now hosting a variant of this exploit that auto-boots the Wiimmfi patcher so people can easily connect to Wiimmfi on an unmodified Wii.

    Now I didn't get multiple different payloads to work on one page, so I just modified the Network Loader to download one or the other payload, depending on user selection.
     
  7. XFlak, Wiitired but still kicking
    Is there a link you can share with more information? Sounds interesting but also unclear given my limited knowledge on the subject
     
  8. leseratte, Wiimmfi Team
    More information about what exactly? The tutorial for the user can be found here, or, in video form, here.

    The only changes I made to the payload were to change the payload URLs and do some more cleanup, because apparently running this exploit makes the Wii think you didn't accept the EULA, which causes problems with RiiConnect24.
    And a hidden way to make the payload download the Hackmii Installer instead of the Wiimmfi patcher.

    I was unable to get the web page to load two different payloads depending on user selection, so I added that into the Network Loader itself.
     
    Last edited by leseratte, Dec 22, 2018
  9. Jayro, MediCat USB and Mini Windows 10 Developer (GBAtemp Patron)
    And then there's me, an intellectual still using LetterBomb.
     
  10. Qube_, Newbie
    Excuse me if this is a very stupid question, but do you have to change "Auto-Obtain DNS" back to "Yes" after the installation of the Homebrew Channel?
     
  11. Fullmetal5 (OP), GBAtemp Regular
    No, that's optional. If Google's DNS servers work for you there is no need to go change it back.
     
  12. nitr8, GBAtemp Regular
    So it looks like there needs to be some more clarification on hosting the exploit on one's own web server.
    I have Apache2 set up and the files compiled. Everything runs fine with one exception:
    I get to the screen with the pony. Redirects are working. Modules mime, cgi, php7.0, rewrite are enabled.
    ...but it still won't boot the network loader. AllowOverride is set to "All". System Menu is v4.1.
    I used the stripped ELF for compiling and the boot.elf from the Hackmii Installer.
    Any ideas or suggestions why the site isn't executing the payload? From what I can see in the Apache2 logs, there are no errors and it definitely "GET"s the "payload.png". I don't need that DNS stuff as I redirect the URL to my local web server inside a Raspberry Pi 3 using DNSMASQ in the router (works).
    Any help would be great.
    Thanks in advance.
     
    Last edited by nitr8, Jan 8, 2019
  13. leseratte, Wiimmfi Team
    If I recall correctly, the payload image needs to be delivered in some kind of compressed transport encoding, there is some Apache setting needed but I don't remember which one. Maybe @Wiimm does, he configured that on Wiimmfi.

    "the boot.elf from the hackmii installer"? Don't try to embed the hackmii installer. It's too large. Embed the network loader and let it download the hackmii installer.
     
  14. Fullmetal5 (OP), GBAtemp Regular
    So it just hangs there on the pony and never even so much as crashes? Even after ~2 minutes?
    Just to make sure, are you using the network loader or are you trying to use the boot.elf from the hackmii installer directly?
    If you are using the network loader as the boot.elf did you build libogc with -Os and compile the network loader with THAT version of libogc rather than the default?
     
  15. nitr8, GBAtemp Regular
    That's what I did:

    1.) libOGC Makefile = ..."-O2"... -> ..."-Os"...
    2.) sh make_it.sh WiiNetworkLoader-master.elf

    3.) It sits on the pony site and never loads anything nor does it crash. :rofl2::rofl2::rofl2:
     
  16. Fullmetal5 (OP), GBAtemp Regular
    Hm, can you upload the "WiiNetworkLoader-master.elf" file?
     
  17. nitr8, GBAtemp Regular
    Last edited by nitr8, Jan 8, 2019
  18. Fullmetal5 (OP), GBAtemp Regular
  20. nitr8, GBAtemp Regular
    Well, just to correct you: It doesn't! :rofl2::rofl2::rofl2:

    Try this one:
    https://www.dropbox.com/s/763favp89vgnpc7/site.zip?dl=0

    If this works for you but not for me, there must be something really wrong...
     
    Last edited by nitr8, Jan 8, 2019
  21. Fullmetal5 (OP), GBAtemp Regular
    Sorry for the late reply, GBAtemp decided to stop telling me when people responded to me.
    The issue isn't anything to do with the payload. It seems the build of the index.html file failed. If you look in index.html there should be a giant decimal right after the parseFloat function but it's gone.
    Can you show me the output of when you run './create.sh'?
     
  22. nitr8, GBAtemp Regular
    I will do later. I just woke up.

     
  23. JesseTG, Newbie
    How would you get this to patch for something like AltWFC? Not everyone wants to connect to Wiimmfi... With regard to custom servers for friends or college, where we have total and complete control.
    And I wouldn't want to force Homebrew on people, if they don't want it.

    This is nice for patching something like say, a console not owned by you, without actually installing anything.
     
    Last edited by JesseTG, Jan 11, 2019