Firmware Reverse Engineering (Info Dump)

Discussion in 'Wii U - Hacking & Backup Loaders' started by NWPlayer123, Apr 4, 2016.

  1. NWPlayer123 (OP), GBAtemp Addict
    Well this is going to be completely impromptu just like most other things I do, but...
    I'd like it if this thread was kept clean, it's fine if it's only posted in every other day as long as all posts are adding new info
    TODO: Loading IOSU and/or cafe2wii into IDA and more details about them cause I'm running out of steam

    Tools Usually Used

    • OpenSSL is needed to decrypt the various binaries once you get them from NUS
    • A hex editor, I use HxD even tho there are probably better ones
    • Windows or Linux recommended
    • The Interactive Disassembler, or "IDA" Pro, I am currently using 6.8 and I've also used 6.1 and 6.6 in the past, 6.1 is too outdated to have support for Paired Singles, the unique instructions that the Gamecube, Wii, and Wii U all use
      • Once you've obtained a copy, you're gonna want to edit cfg/ppc.cfg with these Special Purpose Registers, should be all the ones the Wii U uses, put it right after the .default line and before the .pcc section so it's at the very start of the file, and change that default to .wiiu if you want
      • Note that this is only for the Espresso but since the Starbuck is ARM and this is ppc.cfg we don't need to worry about stuff being messed up
    • Something to keep track of all your data EG Dropbox or MEGA so it doesn't get lost as easily
    Obtaining decrypted binaries

    What you're looking for is the version for OSv10 for the firmware you're targeting, be it 5.3.2, 5.5.X, or something lower.
    Then it depends on what you want to go after.
    • root.rpx, not sure its actual importance, it's RAMPID 1 after the kernel and most of the first .rodata section is just a giant zlib compressed file, on the original firmware it was a tga but it seems they changed up the format some time since then. Probably sets up userspace after the kernel initializes
    • kernel.img is the Espresso's Kernel Ancast Image, which is what lets us gain more privileges on it to allow for custom memory mappings and starting our code before a program runs.
      • As such, it needs the Espresso Ancast Key and IV (which I'm not sure the IV matters after a quick usage, only affects first 0x10 bytes, probably some sort of key check thing).
      • Hopefully you have openssl installed for command line use, just cd folder and run "openssl enc -d -aes-128-cbc -nopad -K key -iv iv -in kernel.img -out kernel.d.img"
        • run OpenSSL, specify decryption
        • we want to use the AES algorithm with a 128 bit key using Cipher Block Chaining
        • -nopad is needed for Windows, not sure about other OSes
        • we specify the key, in this case the Espresso Ancast Key
        • then the IV which you can either try to find or set to 0, zecoxao so kindly put it on his page on the PS3 Dev Wiki
        • Then you specify the in and out files, I like using .d.img cause it keeps it short
      • If it worked correctly, you should be able to open it in a hex editor (I use HxD), scroll down, and see plaintext and also lots of null bytes (00).
      • Then you want to copy and drag to select the first 0x100 bytes and delete them, then save as some other filename, I'd suggest something like kernel.anc (ancast), kernel.bin, or kernel.ppc, it'll automatically detect as a binary file in IDA so it doesn't matter as long as you can find it
    • fw.img or firmware.img is "IOSU" or the IOSU Ancast Image (even tho the entire file isn't IOS_KERNEL) that runs on the Starbuck after chainloaded from boot0 and boot1
      • This will need the Starbuck Ancast Key and IV (not the common key)
      • Again need to run "openssl enc -d -aes-128-cbc -nopad -K key -iv iv -in fw.img -out fw.d.img"
        • see kernel.img for what the command does
      • This time you want to select everything up to the .ELF magic (including the 00 00 01 00 before it), should be at like 0x804.
    • c2w.img or cafe2wii is in a different title so you'll need to go back to your NUS program and download OSv0 or OSv1, I'd stick with OSv0 though.
      • It's also a Starbuck Ancast Image so use the same key and IV you used with fw.img, and it also contains an ELF

    Loading into IDA

    PPC Kernel
    Binary Method
    • If you haven't edited the ppc.cfg file, do that now with the code in "Tools Usually Used" above
    • Open the binary file to bring up the GUI
    • Scroll Processor type to PowerPC Big-endian [PPC] and click set
    • Kernel Options 1
      • Turn off "delete instructions with no xrefs"
      • Also turn off "Use flirt signatures" since we don't have any anyways
      • Turn on "create function" right after
      • Turn off "Create stack variables" and "trace stack pointer"
      • The rest should all be on
    • Kernel Options 2
      • Highly suggest turning off BOTH "Coagulate data segments" and "Coagulate code segments" further down, otherwise you'll have to do more cleanup
      • Turn off "Automatically hide library functions" since there aren't any anyways
      • Turn off "Check for unicode string", "comment anonymous library functions", "Multiple copy library function recognition", and especially "Create function tails", saves you a lot of headache when cleaning up
      • Turn on "full stack pointer analysis"
      • Turn off "truncate functions"
    • Processor options
      • If you want to compare binaries between versions, you'll want to keep "create subi functions" off for when you load the database into bindiff from zynamics
      • Change instruction set support to "PS" for Paired Singles, if you don't have this you should probably obtain a newer version of IDA
      • Turn off Server if you wish
    • Hit OK, Disassembly memory organization
      • ROM start address and loading address, if you deleted the first 0x100 bytes, should be 0xFFE00100, else 0xFFE00000, then hit OK again
    • Might ask you about devices, just click wiiu and hit OK, turn off Memory layout, then hit OK again
    • Then you can begin cleaning and exploring.
    ELF Method
    PPC Kernel Specifics

    Basic Notes
    • We only really need to worry about syscall_system at FFEAAA60 in 5.5.X because as long as we're running code thru the browser, that's all the ones it can access. Could use syscall_games at FFE85070 if someone ever made a game-based exploit
    • As such, once we have a kernel exploit, we should install kern_read and kern_write in both of those so games can access those as well with TCPGecko
    • Syscall tables are 0x100 words long, 00 thru FF
    • IRQs and IPC are all documented on WiiUBrew, thanks MN1. The Processor Interface is also another good page to look at
    Structures
    Tables
    • interrupt_data_tbl is at FFE84438 (table for next 3 tables)
    • ints_masks is at FFE84624 (8 entries, 3 words each)
    • dsp_irqs is at FFE84684 (8 entries, 3 words each)
    • ipc_irqs is at FFE846E4 (10 entries, 3 words each)
    • CodegenCopyAreas (???) is at FFE8475C
    • unknown syscall table at FFE84850, most loader w/ two empty
    • syscall_empty is at FFE84870
    • syscall_RAMPID1 is at FFE84C70
    • syscall_games is at FFE85070 (Might wanna use loadiine installer/launcher.h header as ref)
    • syscall_loader is at FFE85470
    • syscall_table is at FFEAAA40 (based on RAMPID, 0 is Kernel, 4 is Browser, 7 is Games)
    • syscall_system is at FFEAAA60
    • syscall_unknown at FFEAAE60 isn't linked to, previously KERN_SYSCALL_TBL for writing custom syscalls
    • memmap_tbl is at FFEAB7A0 (0x24 before means 0x24 entries of 4 words, Virtual Address, Size, Physical Address, Flags)
    I'm only using a 5.5.1 binary, offsets are going to be (slightly?) different in past binaries
    Starting from 0xFFF00000, every 0x100 bytes is a new piece of code with null bytes in between, including numerous infinite loops, you'll have to convert these manually.
    When an sc instruction is run, r0 is passed in for the syscall number. If a number is not divisible by 0x100, it goes to one of the fastcalls. 0xFFF00C00 handles fastcalls, and it'll go to 0xFFF021A0 + (num * 0x20). Because all normal syscalls are divisible by 0x100, it'll go to "fastcall 0", 0xFFF021A0 is a jump to 0xFFF01EC0, which is the table dispatcher for all "normal" syscalls.
    Aaaand that's about all the farther I've gotten, next step would be to rename all the syscalls and translate them into C to look for possible bugs.
     
    Last edited by NWPlayer123, Apr 4, 2016
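The hex-editor steps in "Obtaining decrypted binaries" (drop the first 0x100 bytes of kernel.img; cut fw.img or c2w.img back to the ELF magic) can be scripted. The following is an added example, not NWPlayer123's code: it assumes the images were already decrypted with the openssl command from the post, and the byte strings it runs on are constructed stand-ins rather than real firmware. The null-byte ratio check mirrors the post's "plaintext and lots of null bytes" sanity test for a correct decryption.

```python
"""Trimming decrypted Wii U ancast images before loading them into IDA.

Added example; not the thread author's code. Assumes the inputs were already
decrypted with the openssl command from the post. SAMPLE_* bytes are
constructed, not real firmware.
"""
import struct

ANCAST_HEADER_LEN = 0x100          # bytes removed from the front of kernel.img (from the post)
ELF_MAGIC = b"\x7fELF"
KERNEL_LOAD_ADDR = 0xFFE00000      # IDA loading address for the untrimmed kernel (from the post)


def null_ratio(data: bytes) -> float:
    """Fraction of 0x00 bytes. A correctly decrypted image shows long null runs;
    ciphertext (wrong key or IV) is close to uniformly random with few nulls."""
    return data.count(0) / len(data) if data else 0.0


def strip_ancast_header(image: bytes) -> tuple[bytes, int]:
    """kernel.img case: drop the first 0x100 bytes and return (body, IDA load address).
    The load address shifts by 0x100 because the header is gone (0xFFE00100 per the post)."""
    if len(image) <= ANCAST_HEADER_LEN:
        raise ValueError("image is not longer than the 0x100-byte ancast header")
    return image[ANCAST_HEADER_LEN:], KERNEL_LOAD_ADDR + ANCAST_HEADER_LEN


def extract_elf(image: bytes) -> tuple[int, bytes]:
    """fw.img / c2w.img case: delete everything before the ELF magic (this includes
    the 00 00 01 00 just ahead of it) and return (offset of the magic, the ELF bytes)."""
    off = image.find(ELF_MAGIC)
    if off < 0:
        raise ValueError("no ELF magic found; was the image decrypted with the Starbuck key?")
    return off, image[off:]


def elf_ident(elf: bytes) -> dict:
    """Decode e_ident class/data and e_machine so the cut can be sanity-checked."""
    if len(elf) < 0x14 or elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    ei_class, ei_data = elf[4], elf[5]
    endian = ">" if ei_data == 2 else "<"
    (e_machine,) = struct.unpack_from(endian + "H", elf, 0x12)
    return {"class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "?"),
            "data": {1: "little-endian", 2: "big-endian"}.get(ei_data, "?"),
            "machine": e_machine}


# --- constructed samples (not real firmware) ---------------------------------
SAMPLE_KERNEL = bytes(ANCAST_HEADER_LEN) + b"kernel text here" + bytes(0x40)
# fw.img layout from the post: header up to 0x800, "00 00 01 00", then the ELF at 0x804.
# e_ident: magic, ELF32, big-endian, version 1, padding; e_type=2; e_machine=0x28 (EM_ARM).
SAMPLE_ELF = ELF_MAGIC + bytes([1, 2, 1]) + bytes(9) + struct.pack(">HH", 2, 0x28) + bytes(0x30)
SAMPLE_FW = bytes(0x800) + b"\x00\x00\x01\x00" + SAMPLE_ELF

if __name__ == "__main__":
    body, load = strip_ancast_header(SAMPLE_KERNEL)
    print(f"kernel: {len(body):#x} bytes, load at {load:#010x}, nulls {null_ratio(body):.0%}")
    off, elf = extract_elf(SAMPLE_FW)
    print(f"fw: ELF at {off:#x}, ident {elf_ident(elf)}")
```

Run it on a real decrypted file by replacing the sample bytes with `open("kernel.d.img", "rb").read()`; if `null_ratio` comes back near zero, the key or IV was wrong and the file is still ciphertext.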

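The syscall dispatch paragraph (r0 in an sc, fastcall slots at 0xFFF021A0 + num * 0x20, fastcall 0 jumping to the 0xFFF01EC0 table dispatcher) and the memmap_tbl note (0x24 entries of 4 words: virtual address, size, physical address, flags) are both arithmetic worth checking in code. Below is an added example, not NWPlayer123's code. The addresses and table layout are from the post; one assumption is mine and is marked in the code: that the fastcall slot is the low byte of r0 and the table index is r0 >> 8 (the post only states that numbers not divisible by 0x100 pick a fastcall). The table bytes are constructed, not dumped from a real kernel.

```python
"""Syscall dispatch arithmetic and memmap_tbl parsing for the Espresso kernel notes.

Added example; not the thread author's code. Constants come from the post;
the r0 decoding and the sample table are assumptions/constructed data.
"""
import struct

FASTCALL_HANDLER = 0xFFF00C00          # handles fastcalls (from the post)
FASTCALL_BASE = 0xFFF021A0             # fastcall slot 0; slots are 0x20 bytes apart
FASTCALL_STRIDE = 0x20
NORMAL_DISPATCHER = 0xFFF01EC0         # fastcall 0 jumps here for table syscalls
SYSCALL_TABLE_WORDS = 0x100            # syscall tables are 0x100 words, 00 thru FF
MEMMAP_ENTRY = struct.Struct(">IIII")  # VA, size, PA, flags (big-endian words)


def dispatch(r0: int) -> dict:
    """Follow the dispatch the post describes for the value passed in r0."""
    slot = r0 & 0xFF                   # ASSUMPTION: low byte selects the fastcall slot
    target = FASTCALL_BASE + slot * FASTCALL_STRIDE
    if r0 % 0x100 != 0:
        return {"kind": "fastcall", "slot": slot, "target": target}
    index = r0 >> 8                    # ASSUMPTION: table index is the high bits
    if index >= SYSCALL_TABLE_WORDS:
        return {"kind": "invalid", "index": index}
    # multiples of 0x100 land in fastcall 0, which jumps to the table dispatcher
    return {"kind": "syscall", "index": index, "via": target, "dispatcher": NORMAL_DISPATCHER}


def parse_memmap(blob: bytes) -> list:
    """Parse a memmap_tbl dump: a count word (0x24 on 5.5.1) followed by 4-word entries."""
    (count,) = struct.unpack_from(">I", blob, 0)
    if len(blob) < 4 + count * MEMMAP_ENTRY.size:
        raise ValueError("dump shorter than the entry count claims")
    keys = ("va", "size", "pa", "flags")
    return [dict(zip(keys, MEMMAP_ENTRY.unpack_from(blob, 4 + i * MEMMAP_ENTRY.size)))
            for i in range(count)]


def virt_to_phys(entries: list, va: int):
    """Translate a virtual address through the table; None if no entry covers it."""
    for e in entries:
        if e["va"] <= va < e["va"] + e["size"]:
            return e["pa"] + (va - e["va"]), e["flags"]
    return None


# --- constructed sample table (values are made up, only the layout is from the post) ---
SAMPLE_ENTRIES = [
    (0x01000000, 0x00800000, 0x32000000, 0x28000002),
    (0xA0000000, 0x00800000, 0x10000000, 0x28000002),
    (0xFFE00000, 0x00020000, 0x08000000, 0x28000001),
]
SAMPLE_MEMMAP = struct.pack(">I", len(SAMPLE_ENTRIES)) + b"".join(
    MEMMAP_ENTRY.pack(*e) for e in SAMPLE_ENTRIES)

if __name__ == "__main__":
    for r0 in (0x1000, 0x0C05, 0x10000):
        print(f"r0={r0:#06x}: {dispatch(r0)}")
    table = parse_memmap(SAMPLE_MEMMAP)
    print(f"{len(table)} entries; 0xFFE00100 -> {virt_to_phys(table, 0xFFE00100)}")
```

The `virt_to_phys` helper is the practical payoff: once the real table is copied out of the database, it answers which physical page an IDA address maps to, and which entries overlap or leave gaps, without hand arithmetic.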

  2. punderino, aka Big-Dick Swinger
    Thanks for this, NW. I'm sure tons of people will use this, we all appreciate your work! Thanks a bunch <3
     
  3. troylly, Member
    I HAVE FAITH IN YOU!
     
  4. Net-KILLER, computer says no
    Awesome

    Thx Nikki
     
  5. WulfyStylez, SALT/Bemani Princess
    "Where's the button to list vulnerabilities?"
     
  6. Exavold, GBAtemp Advanced Fan
    Were is da downlod button ;;;;;;;;;o;;;;;;;

    ...

    Sorry.
     
  7. Masterwin, GBAtemp Regular
    OK! we are going to work!
    You are big! NWPlayer123
     
    Last edited by Masterwin, Apr 4, 2016
  8. NWPlayer123 (OP), GBAtemp Addict
    I'd prefer it if this thread was kept to just posts adding more info about kernel etc so others don't have to dig thru pages
     
  9. Exavold, GBAtemp Advanced Fan
    Make this clear in the OP.
     
  10. NWPlayer123 (OP), GBAtemp Addict
    Yeaaaaa most people use less than legal methods unless it's like already provided to them thru whatever work they're doing, I would write something better but the only promising one, Capstone, doesn't support Paired Singles, I'd have to add a patch or make my own code entirely, replicating the Disassembly functions in coreinit and probably something other than python so it isn't eternally slow
     
  11. adreiro, Newbie
    NWPlayer123 we encourage hope in you.
     
  12. NWPlayer123 (OP), GBAtemp Addict
    Update: Cleaned up kernel info so it's actually semi-readable, syscall tables there are 00 to FF, so all the functions available to the loader are under Access: L here. There's also a 0x83 and 0x84 syscall at FFE8567C that isn't in the list??
    At least now I can start bulk renaming things
     
  13. LinkMain111, GBAtemp Regular
    Can a mod sticky this and remove all our comments.
     
  14. punderino, aka Big-Dick Swinger
    I cannot get NUSGrabber to download OSv10 for the life of me. NEW-NUSGrabber tells me it's not implemented to download, JNUSTOOL flat out doesn't want to work, and NUSGrabber-GUI just gives a blank command prompt and then closes.
     
  15. Keylogger, GBAtemp Advanced Maniac
  16. LinkMain111, GBAtemp Regular
  17. NWPlayer123 (OP), GBAtemp Addict
    In that case, go look up my Pastebin and download NUS Downloader which'll let you put the Title ID in without a dash and work with basically anything you give it, then you gotta get cdecrypt to do its thing, I'd just use my fancy py file also included
     
  18. punderino, aka Big-Dick Swinger
    Will do, thanks for the help!
     
  19. Merzeal, Member
    I had a hell of a time getting them to download, ended up going with uwizard, which worked fine. (Just delete the hyphen and add a 0 to the end of title ID, I believe)

    Decrypted fw.img, now I'm just staring at it, way in over my head.
     
  20. steelseth
    This message by steelseth has been removed from public view by BORTZ, Apr 4, 2016.
  21. Merzeal, Member
    I've never seen NWPlayer go off about piracy. Some other ones though... Your post is both off topic, and trash.

    Side note: Nice to see devs looking for a more crowd sourced approach in the general public, hopefully smarter people than I can help get this documented out faster. I'll continue to poke around, and as discussion grows, I'll probably get a better idea of where to poke around.
     