AES obfuscation on the Wii U bootrom

Discussion in 'Wii U - Hacking & Backup Loaders' started by harryoke, Mar 7, 2014.

Poll: am I being a media whore by sharing this news?

  1. yes... you should be ashamed, how dare you!!!  (28.3%)
  2. no... it's good to share  (71.7%)
  1. harryoke

  2. Maxternal

    I see no problem with sharing. The only problem is when everyone assumes that this means "YAY, next step, Wii U exploit and backup loaders!!!" (which is far from the truth. This is fun and interesting stuff, yes, but not needed or particularly useful in the process of running homebrew in Wii U mode.)

    As long as it's accurate, news is news and news is cool

    EDIT : just wanted to make that clear ... but interesting news nonetheless.
     
  3. Bobbybangin

    HRESET is the next step and it's currently a work in progress. We're getting there.
     
  4. metroid maniac

    Nintendo did something right when it comes to security?
    This can only mean good things, it means they screwed up elsewhere! :P
     
  5. the_randomizer


    That's the important thing :D
     
  6. edwardbirkholz05

    OMG, how utterly devious - they used function pointers! l337 h4xx0rz would never figure that out!
     
  7. Coto

    Took me a while to understand what it did...

    Hmm... on lines 11 and 22, are the (negative) integers doubled because of 64-bit memory addresses?

    Good job so far.
     
  8. edwardbirkholz05

    No, it's just wrong. SP should only ever be adjusted by a multiple of 8 (largest native datatype, double = 8 bytes); this code would never work because it adjusts SP down by 4 and then adjusts it back up by 8 at the end of the function. (Hint: this isn't disassembled bootrom code, it's just a crappy example of "obfuscation" that doesn't exist.)
    LR is also meant to be stored at SP+4, i.e. SP[1], not *SP.
     
  9. Maxternal

    I remember from f0f's presentation that there's about 12k of the bootROM that's copied into cache at a different memory address and run from there for speed issues. I wonder if this complication has anything to do with that.
     
  10. Coto


    Yes, I knew about SP being a special-purpose register, indexed, which could be accessed only as some argument coming from opcodes such as MFSPR or MTSPR. And... I've seen other disassembled code that deals with negative integers (to reserve an area, loop back, re-use, etc.), but not on PPC.

    But the idea is there, I guess.
     
  11. asper

    Well, can someone guess what those "fixed" values are?
    [image]
     
  12. Ray Lewis

    No clue, but Maxternal and others might ;-)
     
  13. edwardbirkholz05

    They don't mean anything because you've disassembled data as code.
     
  14. Coto


    0x00003fb8: twi compares the contents of r21 with 18446744073709527839 (sign-extended), then performs a logical AND compare from the 5 arguments given (29 seems wrong!). If it is not zero it will cause a program interrupt (could be a breakpoint, or an event that halts or interferes with the code currently running at PC, with an abnormal return to LR).

    As for such a big value, it doesn't fit in the calculator I use, so I'll wildly guess it's an external IC with SEVERAL bits masked externally.

    Same for twi 15,r19,26086.

    Keep in mind this is the same as swi (when user-mode code tries to reach a kernel-only access area), except it's triggered externally by the value fed.

    http://publib.boulder.ibm.com/infoc...ic=/com.ibm.aix.aixassem/doc/alangref/twi.htm

    Why are you so sure? Because the extracted offsets overlap with different instructions? (This should not happen if the code had been disassembled correctly.)
     
  15. Arras

  16. Maxternal

    That fits fine into Windows calc :P ... and when I use it to convert it to hex I get 0xFFFFFFFFFFFFA31F, but considering that the Wii U is 32-bit it's probably just a sign-extended 0xFFFFA31F, or ~0x5CE0.
    (That doesn't mean I've really looked at the rest of it to figure out what that really means in context, though.)

    EDIT : also, looking just above and below that at all those .byte's, I'd say this is just random data that HAPPENS to line up with a legit machine instruction.
    EDIT2 : looks like edwardbirkholz05 already got that concept, though. I'm a little slow sometimes.
     
  17. edwardbirkholz05

    Because the instructions make no sense, the program exception vector is stubbed, and the "opcodes" surrounding these are invalid. Your description of twi was also wrong: the first value does not specify a register but a set of flags for the type of compare operation (greater than, less than, etc.), and swi is an ARM instruction, not PPC.
     
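The twi encoding that the last few posts pick apart (the first operand is a mask of trap-condition flags, not a register; the 16-bit immediate is sign-extended, so 0xA31F shows up as 0xFFFFA31F in a 32-bit view and as 18446744073709527839 when widened to 64 bits), as an added example that is not code from any post in this thread: a small C decoder for the PowerPC twi D-form. The two instruction words it constructs, twi 29,r21,-23777 and twi 15,r19,26086, are reconstructed from the operands Coto quoted and are assumptions; the actual bootrom words and their context are not on this page. The third word is four ASCII bytes, included to show the kind of sanity check behind the "you've disassembled data as code" remark: a word that does not carry opcode 3 is simply not a twi.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * PowerPC D-form layout of twi (primary opcode 3), IBM bit numbering
 * (bit 0 is the most significant bit of the 32-bit word):
 *   bits  0- 5  primary opcode = 3
 *   bits  6-10  TO   trap-condition mask (five flags, not a register)
 *   bits 11-15  rA   source GPR
 *   bits 16-31  SIMM 16-bit immediate, sign-extended before the compare
 */
enum {
    TO_LT  = 0x10,   /* rA <  SIMM, signed   */
    TO_GT  = 0x08,   /* rA >  SIMM, signed   */
    TO_EQ  = 0x04,   /* rA == SIMM           */
    TO_LTU = 0x02,   /* rA <  SIMM, unsigned */
    TO_GTU = 0x01    /* rA >  SIMM, unsigned */
};

struct twi_fields {
    unsigned to;
    unsigned ra;
    int32_t  simm;   /* already sign-extended to 32 bits */
};

/* Build a twi word from its fields (test fixture; the real bootrom words are not on the page). */
uint32_t encode_twi(unsigned to, unsigned ra, int16_t simm)
{
    return (3u << 26) | ((to & 0x1fu) << 21) | ((ra & 0x1fu) << 16) | (uint16_t)simm;
}

/* Returns 1 and fills *f if the word carries twi's primary opcode, else 0. */
int decode_twi(uint32_t insn, struct twi_fields *f)
{
    if ((insn >> 26) != 3u)
        return 0;
    f->to   = (insn >> 21) & 0x1fu;
    f->ra   = (insn >> 16) & 0x1fu;
    f->simm = (int16_t)(insn & 0xffffu);   /* sign-extend 16 -> 32 */
    return 1;
}

/* Spell out the TO mask as the conditions it selects, e.g. "lt|gt|eq|gtu". */
const char *describe_to(unsigned to, char *buf, size_t n)
{
    static const struct { unsigned bit; const char *name; } flags[] = {
        { TO_LT, "lt" }, { TO_GT, "gt" }, { TO_EQ, "eq" }, { TO_LTU, "ltu" }, { TO_GTU, "gtu" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (!(to & flags[i].bit))
            continue;
        if (buf[0])
            strncat(buf, "|", n - strlen(buf) - 1);
        strncat(buf, flags[i].name, n - strlen(buf) - 1);
    }
    if (!buf[0])
        strncat(buf, "never", n - 1);
    return buf;
}

/* Trap decision for a 32-bit implementation: rA is compared against the
 * sign-extended immediate both signed and unsigned, and the trap fires if
 * any condition selected in TO holds (TO = 31 is the unconditional trap). */
int twi_traps(unsigned to, uint32_t ra_val, int32_t simm)
{
    int32_t  s  = (int32_t)ra_val;
    uint32_t us = (uint32_t)simm;
    return ((to & TO_LT)  && s      <  simm)
        || ((to & TO_GT)  && s      >  simm)
        || ((to & TO_EQ)  && s      == simm)
        || ((to & TO_LTU) && ra_val <  us)
        || ((to & TO_GTU) && ra_val >  us);
}

/* The immediate widened to 64 bits and printed unsigned: the decimal quoted in the thread. */
uint64_t simm_as_u64(int16_t simm)
{
    return (uint64_t)(int64_t)simm;
}

int main(void)
{
    /* Constructed words: two reconstructed from quoted operands, one of plain ASCII data. */
    const uint32_t words[] = { encode_twi(29, 21, -23777), encode_twi(15, 19, 26086), 0x41414141u };
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++) {
        struct twi_fields f;
        char cond[32];
        if (!decode_twi(words[i], &f)) {
            printf("%08x: not a twi (primary opcode %u)\n", (unsigned)words[i], (unsigned)(words[i] >> 26));
            continue;
        }
        printf("%08x: twi TO=%u (%s), r%u, SIMM=%d = 0x%08x = %llu as 64-bit\n",
               (unsigned)words[i], f.to, describe_to(f.to, cond, sizeof cond), f.ra,
               (int)f.simm, (unsigned)f.simm, (unsigned long long)simm_as_u64((int16_t)f.simm));
    }
    return 0;
}
```

Decoding the first constructed word gives TO=29, which describe_to spells out as lt|gt|eq|gtu: a set of conditions, not a register number, and SIMM -23777, which is 0xFFFFA31F as a 32-bit value and 18446744073709527839 when sign-extended to 64 bits, matching the two readings in the thread.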
  18. Coto


    Whatever, I used swi as an example; ARM and PPC at the same time can get confusing (do note I've never said SWI was for PPC anyway...), or did you get it all at first? :D

    And yes, I made that mistake on the first argument (TO), thanks.

    Yeah, I tried typing them as decimal and it didn't fit. The last digit didn't make it.
     
  19. Bladexdsl

    Need a new option in the poll: I don't know what the hell this is :lol:
     
  20. Bug_Checker_

    If legit, it appears the dumper was released into the wild a few hours ago.

    Wii-U bootrom/boot0.bin dumper - Pastebin.com
    pastebin.com/Zv6PDZiS

    There should be no copyright violations in the code, but mods, feel free to edit if inappropriate.

    I'm an idiot (sometimes), totally missed
    http://gbatemp.net/threads/vwii-sneek.360615/page-9#post-4936803
    Sorry Maxternal
     