Ok. Work is being done on getting IOSU out there, so here is something that will allow you all to join in and hopefully get this out faster. The idea being people work a bit on these and post what they find; I will take everything every week or so and post it off to the dev and see what should be added/taken away/trashed etc., and eventually a complete IOSU will be the result, in theory. When a new zip is compiled I post it and everyone gets to have another go.

This is what has been done so far. This is for IDA Version 6.8.150423 (32-bit):
* These files have all of the known functions labeled and fully commented.
* All known Prototypes, Descriptions and Parameters are included.
* All known SysCalls are documented and "repeatable commented" with their parameters.
* Added in all ISO-CRYPTO OTP read data and locations.
* Began mapping of all ISO-CRYPTO ioctl and ioctlv commands in both PPC and ARM.
* Finished mapping the IOCTL/IOCTLV commands.
* Added in a copy of the C2W.IMG file (fully decrypted - very revealing on how Nindy thinks... look at this one!).
* Added in all Thumb 16-bit SysCalls (mostly IOS-KERNEL).
* Added both BootROMs (Wii & Wii U) to the PPC side based off feedback from the debugger.
* Began exploring how to work with the PPC-KERNEL using the SDK's multi5326 - added notes inside the IDA files on any findings.
Change May 1st 2016:
* Added and renamed some functions to match SMEA's released IOSUHax information.
* Added in more found functions in both ARM and PPC decompiles.
* Added documentation about the ARM926EJ-S processor (technical doc PDF).

This is PUBLIC stuff. It IS NOT for making private exploits.
I TAKE NO CREDIT FOR THIS AND AT THE DEV'S REQUEST I'M NOT CREDITING HIM EITHER.

Here are the files: http://www.filedropper.com/ppcandarmfirmware55xida32-bit_1

How to "Do-it-yourself" for those that want to learn on their own:

PART 1:

Tools you will need:
* IDA Pro 6.x with the ARM/Thumb and PPC processor modules, used in big-endian mode (most copies already have these)
* UWizard (or any other NUS downloader of your choice)
* A hex editor (I recommend HxD.exe)
* A working copy of OpenSSL
* A basic ARM instruction list for reference, like: http://simplemachines.it/doc/arm_inst.pdf (Don't worry about this too much now. It'll make more sense later on.)

Getting started:
Start UWizard and select the Settings tab. All keys should be green and say "Verified as Correct by SHA1". (Don't ask here for the keys, they are easily found elsewhere.)
Select the NUS Downloader U tab. Type in the TitleID and Version of the firmware you want to download (see http://wiiubrew.org/wiki/Title_database for the latest).
TIP: Note the removal of the "-" dash in the TitleID and the "v" letter in the version as they are posted on wiiubrew. Example: OSv10 5.5.0/5.5.1, TitleID: 000500101000400A, Version: 15702
Check the "Decrypt Contents" checkbox. When UWizard is done, it will open up the decoded directory ("code").
Copy the files you want to work with (FW.IMG and/or KERNEL.IMG) to your OpenSSL location. The command to decrypt with OpenSSL is:

openssl enc -d -aes-128-cbc -K <32 hex digits of the key> -iv 0 -nopad -in filename.IMG -out filename.BIN

Note that the "K" must be uppercase (lowercase -k means a passphrase, not a raw key), the key is given as hex with no quotes around it, and -iv 0 gives an all-zero IV. The images are raw AES-CBC with no PKCS#7 padding, so -nopad is required; without it OpenSSL will complain about a "bad decrypt" on the last block.
KERNEL.IMG is decrypted with the EXPRESSO ANCAST KEY.
FW.IMG is decrypted with the STARBUCK ANCAST KEY.
TIP: You can copy/paste the keys from UWizard by unchecking the "Hide Keys" box.

For now we will do the FW.BIN file first. It is ARM/Thumb code and is the base for any CFW.
Open up the FW.BIN file created by OpenSSL in the hex editor and remove the header up until it starts with 0x7F 0x45 0x4C 0x46 (0x7F and the word "ELF"). In 5.5.1, that is the first 0x804 bytes. If that byte sequence is nowhere in the output, the key (or IV) was wrong; AES hands you garbage rather than an error, so check the key before going any further.
Save it as FW.ELF.

Now the fun begins...
Open up IDA Pro (idaq.exe or idaq64.exe) and select the FW.ELF file.
IDA should say it's an ELF for ARM (Executable) [elf64.l64] (or elf.ldw if you are using the 32-bit idaq.exe).
In the PROCESSOR TYPE pull-down, go up until you get to "ARM Big-endian [ARMB]" and press the SET button. (Important step!!)
Next, select KERNEL OPTIONS 1 and un-select DELETE INSTRUCTIONS WITH NO XREFS, then select OK.
Next, select KERNEL OPTIONS 2 and select COAGULATE DATA SEGMENTS IN THE FINAL PASS and AUTOMATICALLY CONVERT DATA TO OFFSETS, then select OK.
Now select the OK button to begin loading.
If the ARM/THUMB SWITCHING message shows, select OK.
If the Hex-Rays message comes up, select OK.
Now the wait begins... Look at the lower left corner of the IDA screen; you will see that she is processing the file. Leave everything alone and wait until she is all done processing.
When she finishes, a pop-up message will say something about Proximity Mode... Select YES.
Press the "+" key on your keyboard's number pad to take it out of Proximity mode for now. (You can always press the "-" key to turn it back on later.)
As a basic first step, in IDA press SHIFT+F12 to open a tab with the strings she has already found for you (this is not all of them, we will create more later).

PART #2
Next is adding in some missing bits and pieces to our firmware compilation. For this, you will need a copy of BOOT0 and BOOT1 for your firmware. For example, here is a copy of them for 5.5.1/5.5.0 I "found" on pastebin.
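Before going on to PART #2, here is the FW.BIN -> FW.ELF step from PART 1 as a script, so you don't have to hunt for the 7F 45 4C 46 bytes in a hex editor by hand. This is an added example and not code from the original post or from the IOSU dev: it takes the output of the openssl command, finds the ELF magic, checks that what follows really is a 32-bit big-endian ARM ELF (the same thing you confirm in IDA's loader dialog), and lists the program headers so you know which address ranges IDA will map. The sample image built by build_sample_image() is constructed for the demo (0x804 filler bytes in front of a tiny fake ELF, matching the 5.5.1 header size quoted above); the helper names and the placeholder addresses inside it are my own and not Wii U values.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40                       # e_machine value for ARM
PT_LOAD = 1
EHDR_FMT = ">16sHHIIIIIHHHHHH"    # big-endian ELF32 header, 52 bytes
PHDR_FMT = ">IIIIIIII"            # big-endian ELF32 program header, 32 bytes
ANCAST_HEADER_LEN_551 = 0x804     # bytes in front of the ELF in the 5.5.1 FW.BIN (from the post)


def find_elf_offset(blob):
    """Offset of the first ELF magic in the decrypted image, or -1 (wrong key / corrupt image)."""
    return blob.find(ELF_MAGIC)


def flags_to_rwx(p_flags):
    """ELF p_flags (PF_R=4, PF_W=2, PF_X=1) -> the R/W/X string IDA's segment dialog uses."""
    return ("r" if p_flags & 4 else "-") + ("w" if p_flags & 2 else "-") + ("x" if p_flags & 1 else "-")


def parse_elf32_be(elf):
    """Parse an ELF32 big-endian header and its program headers; ValueError on anything unexpected."""
    if len(elf) < struct.calcsize(EHDR_FMT):
        raise ValueError("too short for an ELF32 header")
    (ident, e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, elf, 0)
    if ident[:4] != ELF_MAGIC:
        raise ValueError("no ELF magic at offset 0")
    if ident[4] != 1:
        raise ValueError("not ELFCLASS32")
    if ident[5] != 2:
        raise ValueError("not big-endian (ELFDATA2MSB): IDA must be set to ARMB for this file")
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(elf):
            raise ValueError("program header %d runs past end of file" % i)
        (p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags,
         p_align) = struct.unpack_from(PHDR_FMT, elf, off)
        if p_offset + p_filesz > len(elf):
            raise ValueError("segment %d file data runs past end of file" % i)
        segments.append({"type": p_type, "offset": p_offset, "vaddr": p_vaddr, "paddr": p_paddr,
                         "filesz": p_filesz, "memsz": p_memsz, "perm": flags_to_rwx(p_flags)})
    return {"type": e_type, "machine": e_machine, "entry": e_entry, "phnum": e_phnum,
            "segments": segments}


def strip_ancast_header(decrypted):
    """Drop everything before the ELF magic and validate the ELF. Returns (offset, elf_bytes, info)."""
    off = find_elf_offset(decrypted)
    if off < 0:
        raise ValueError("no ELF magic found: wrong key, wrong IV or corrupt image")
    elf = decrypted[off:]
    info = parse_elf32_be(elf)
    if info["machine"] != EM_ARM:
        raise ValueError("e_machine %d is not ARM" % info["machine"])
    return off, elf, info


def build_sample_image():
    """Constructed stand-in for a decrypted FW.BIN: 0x804 filler bytes, then a tiny ELF32-BE ARM file."""
    code = bytes(range(16))          # placeholder bytes, not real ARM instructions
    data = b"\xaa" * 8
    # two PT_LOAD headers: r-x "code" at file offset 0x74, rw- "data" at 0x84 with extra zero-fill
    ph = struct.pack(PHDR_FMT, PT_LOAD, 0x74, 0x1000, 0x1000, len(code), len(code), 5, 4)
    ph += struct.pack(PHDR_FMT, PT_LOAD, 0x84, 0x2000, 0x2000, len(data), 0x100, 6, 4)
    ident = ELF_MAGIC + bytes([1, 2, 1, 0, 0]) + b"\x00" * 7   # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, EM_ARM, 1, 0x1000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    return b"\xde\xad" * (ANCAST_HEADER_LEN_551 // 2) + ehdr + ph + code + data


if __name__ == "__main__":
    import sys
    # usage: python strip_fw.py FW.BIN FW.ELF   (no arguments: run on the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    off, elf, info = strip_ancast_header(blob)
    print("ELF at 0x%X (%d header bytes stripped), entry 0x%08X, %d program headers"
          % (off, off, info["entry"], info["phnum"]))
    for s in info["segments"]:
        print("  type=%d vaddr=0x%08X filesz=0x%X memsz=0x%X %s"
              % (s["type"], s["vaddr"], s["filesz"], s["memsz"], s["perm"]))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(elf)
```

The offset it reports is the number of bytes you would otherwise delete in HxD; if it is not 0x804 on a 5.5.1 FW.BIN, something upstream (key, IV, download) is off. KERNEL.IMG has no ELF header at all, so this script will correctly refuse it; that file is handled differently later in the post.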
Pastebin: http://pastebin.com/5sBn1FKt
It's a ZIP file posted as raw data. Copy/paste the raw data into HxD.exe and save it as BOOTS.ZIP, then open it with your zip utility and save the contents in your working folder.

To add BOOT1.BIN: FILE -> LOAD FILE -> ADDITIONAL BINARY FILE
Loading Segment = 0x0
Loading Offset = 0x0D400000
File Offset = 0x0
Number of bytes = 0x0 (max)
Create Segments = CHECKED
Code Segment = CHECKED

To add BOOT0.BIN: FILE -> LOAD FILE -> ADDITIONAL BINARY FILE
Loading Segment = 0x0
Loading Offset = 0x0D4100A0
File Offset = 0x0
Number of bytes = 0x0 (max)
Create Segments = CHECKED
Code Segment = CHECKED

Now to create the other missing segments manually. We need to add:
GP_RAM   - 0x0D000000 to 0x0D010000 - DATA
NAND     - 0x0D010000 to 0x0D020000 - DATA
AES      - 0x0D020000 to 0x0D030000 - DATA
SHA      - 0x0D030000 to 0x0D040000 - DATA
GPIO     - 0x0D800000 to 0x0D810000 - DATA
DRAMCtrl - 0x0D8B0000 to 0x0D8C0000 - DATA

To create a new segment, it's EDIT -> SEGMENTS -> CREATE SEGMENT, using the information above. Example:
Segment Name = GP_RAM
Start address = 0x0D000000
End address = 0x0D010000
Base = 0x0 (default)
Segment Class = DATA
(All other settings can be left at default.)
Do the same as above for NAND, AES, SHA, GPIO and DRAMCtrl. IDA's end address is exclusive, so each of these is a 0x10000-byte segment and the ones that touch (GP_RAM/NAND/AES/SHA) do not overlap.

Now it's time to clean things up a bit:
Click on the IDA View-A tab and press SHIFT+F7 to bring up the segment list. Scroll to the top of the list. Using the information from this pastebin: http://pastebin.com/yQx8NLEy, rename all of the segments by selecting one and pressing CTRL+E (or right-click and EDIT SEGMENT). Change the SEGMENT NAME and the READ/WRITE/EXECUTE settings to match the pastebin information.
Note that some are marked as "Unknown"; it's part of our job to figure those out, label them and update wiiubrew.org.

While we are making changes to the segments, we also need to make a minor adjustment to BOOT0 and edit the Start Address to 0x0D410000 and the End Address to 0x0D420000. We also need to make a minor adjustment to BOOT1 and edit the Start Address to 0x0D400000 and the End Address to 0x0D410000. This will pad the top and bottom of the BOOTs so they match the publicly posted decodings.

Now... IDA likes to compress unused data, but for our case we want to see all of the storage registers so we can name them. There is only one segment we created that she will compress, RAM (the others are too small for her to pay attention to).
Press ALT+S and double-click on the RAM segment.
Press the U key (Undefine).
Press Y to confirm.

Next is to set the names for what is stored in these new segments using the information found here: http://pastebin.com/xDuwVaRh
To add a name to an address, press G to bring up the "Jump to address" dialog, then type in the address to jump to. Press the N key to add/change the name. You may need to use the U key to undefine the address first if it is compressed.

Now that we've added in new information that IDA didn't know about before, she needs to re-analyze the data and add in the new storage locations. Before we do this, we need to verify a couple of options to make sure the data looks clean and our settings are still set. Do this by going to OPTIONS -> GENERAL -> ANALYSIS and opening KERNEL OPTIONS 2:
* the 2nd one down is COAGULATE DATA SEGMENTS IN THE FINAL PASS; make sure it is still checked.
* towards the middle of the list is AUTOMATICALLY CONVERT DATA TO OFFSETS; make sure it is still checked, then select OK.
Select the REANALYZE PROGRAM button and select OK.
If all is well, she will start crunching through the code, adding in new storage locations and sizing them for you (BYTE, WORD, DWORD...).
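The segment creation and the BOOT0/BOOT1 range fix-up from PART #2 are a lot of dialog clicking and easy to fat-finger (one wrong hex digit and IDA refuses the overlap, or worse, silently accepts a gap). Here is the same work as an IDAPython script; it is an added example, not the IOSU dev's code and not from the original post. The addresses and segment classes are the ones listed above; the R/W/X permissions (RW for the hardware register blocks, RX for the boot ROMs), the helper names and the script itself are my assumptions. It is written so it also loads outside IDA, where plan_segments() still validates the ranges and apply_plan() simply does nothing; inside IDA 6.8 (Python 2.7) run it via File -> Script file after loading BOOT1.BIN and BOOT0.BIN as additional binary files.

```python
# IDAPython helper for the PART #2 segment setup (assumed helper, not part of the original post).
# Works as a plain Python module outside IDA (plan only) and as a script inside IDA 6.x/7.x.
try:
    import idaapi   # only available inside IDA
except ImportError:
    idaapi = None

SEGPERM_EXEC, SEGPERM_WRITE, SEGPERM_READ = 1, 2, 4   # same values as idaapi.SEGPERM_*

# Segments to create by hand: (name, start, end, class, perms). End address is exclusive, as in IDA.
NEW_SEGMENTS = [
    ("GP_RAM",   0x0D000000, 0x0D010000, "DATA", "RW"),
    ("NAND",     0x0D010000, 0x0D020000, "DATA", "RW"),
    ("AES",      0x0D020000, 0x0D030000, "DATA", "RW"),
    ("SHA",      0x0D030000, 0x0D040000, "DATA", "RW"),
    ("GPIO",     0x0D800000, 0x0D810000, "DATA", "RW"),
    ("DRAMCtrl", 0x0D8B0000, 0x0D8C0000, "DATA", "RW"),
]
# BOOT1/BOOT0 were loaded with LOAD FILE -> ADDITIONAL BINARY FILE (BOOT0 at 0x0D4100A0);
# the post then pads them out to these ranges so they match the public decodings.
BOOT_RANGES = [
    ("BOOT1", 0x0D400000, 0x0D410000, "CODE", "RX"),
    ("BOOT0", 0x0D410000, 0x0D420000, "CODE", "RX"),
]


def perm_bits(perms):
    """'RWX'-style string -> IDA segment permission bits."""
    bits = 0
    if "R" in perms:
        bits |= SEGPERM_READ
    if "W" in perms:
        bits |= SEGPERM_WRITE
    if "X" in perms:
        bits |= SEGPERM_EXEC
    return bits


def plan_segments(new_segments=NEW_SEGMENTS, boot_ranges=BOOT_RANGES):
    """Check every range (start < end, nothing overlaps) and return the plan sorted by address.
    Entries are (action, name, start, end, sclass, perm_bits), action 'create' or 'resize'."""
    plan = [("create",) + s[:4] + (perm_bits(s[4]),) for s in new_segments]
    plan += [("resize",) + b[:4] + (perm_bits(b[4]),) for b in boot_ranges]
    for _action, name, start, end, _cls, _perm in plan:
        if start >= end:
            raise ValueError("%s: start 0x%X is not below end 0x%X" % (name, start, end))
    plan.sort(key=lambda e: e[2])
    for a, b in zip(plan, plan[1:]):
        if a[3] > b[2]:   # end of the lower segment runs into the start of the next one
            raise ValueError("%s (..0x%X) overlaps %s (0x%X..)" % (a[1], a[3], b[1], b[2]))
    return plan


def _bounds(seg):
    """segment_t field names differ between IDA 6.x (startEA/endEA) and 7.x (start_ea/end_ea)."""
    lo = getattr(seg, "startEA", None)
    hi = getattr(seg, "endEA", None)
    if lo is None:
        lo, hi = seg.start_ea, seg.end_ea
    return lo, hi


def _find_loaded_segment(start, end):
    """Return the segment the binary loader created inside [start, end), or None."""
    for i in range(idaapi.get_segm_qty()):
        seg = idaapi.getnseg(i)
        lo, hi = _bounds(seg)
        if lo >= start and hi <= end:
            return seg
    return None


def apply_plan(plan):
    """Apply the plan to the open IDB. Returns the number of segments created or resized (0 outside IDA)."""
    if idaapi is None:
        return 0
    keep = getattr(idaapi, "SEGMOD_KEEP", 1)   # keep existing code/data when moving segment bounds
    done = 0
    for action, name, start, end, sclass, perm in plan:
        if action == "create":
            if not idaapi.add_segm(0, start, end, name, sclass):
                print("add_segm failed for %s (already something at 0x%X?)" % (name, start))
                continue
            seg = idaapi.getseg(start)
        else:
            seg = _find_loaded_segment(start, end)
            if seg is None:
                print("no loaded segment inside 0x%X-0x%X for %s; load the binary first" % (start, end, name))
                continue
            lo, _hi = _bounds(seg)
            idaapi.set_segm_end(lo, end, keep)       # grow the end first, then pull the start down
            idaapi.set_segm_start(lo, start, keep)
            seg = idaapi.getseg(start)
            idaapi.set_segm_name(seg, name)
        seg.perm = perm
        done += 1
    return done


if __name__ == "__main__":
    segplan = plan_segments()
    for entry in segplan:
        print("%-6s %-8s 0x%08X-0x%08X %s" % entry[:5])
    print("applied %d segment changes" % apply_plan(segplan))
```

The overlap check is the part worth keeping even if you prefer the dialogs: it is exactly the condition IDA enforces when you edit a segment, and catching it before touching the IDB is cheaper than undoing a half-applied set of changes. After it runs you still do the renames from the pastebin and the REANALYZE PROGRAM step as described above.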
Hint: Watch the lower left corner of her screen.
She doesn't know the names of what is stored where yet; you will need to use the N key on your keyboard to teach her.
Hint: It may be a lot easier to read the screen if you go to OPTIONS -> GENERAL, select the DISASSEMBLY tab and change COMMENTS INDENTATION (NON-GRAPH) to something like 80. If you want to see what all of the instructions do, you can turn on AUTO COMMENTS, but I'd suggest you turn it back off after seeing what IDA can tell you for now.
Use this file as a template and start naming functions in BOOT1: http://static.hackmii.com/boot1.txt
And for BOOT0, use this: http://pastebin.com/zePZT8Zi
Use this to start naming the KERNEL SRAM data: http://wiiubrew.org/wiki/IOSU_Syscalls
Note: to add a comment, use the ; (semicolon) key on your keyboard. Semicolon (repeatable) comments are better than colon (regular) comments here, because a repeatable comment is shown at every location that references the address, not just at the address itself.

A side note that needs to be talked about now: I figured I'd wait to bring this up until you've had a few successes working with IDA.
In case you didn't already know, an ARM/Thumb processor has two instruction sets: ARM instructions are 32 bits wide and Thumb instructions are 16 bits wide (a few, like Thumb BL, are encoded as a pair of halfwords). The saying goes "Nobody's Perfect", and IDA is just like everyone else: she makes mistakes. ARM/Thumb code is hard to reverse engineer because sometimes what looks like good code is actually strings or data. Luckily FW.IMG is an ELF format file, so IDA knows where the strings are. (Even so, we still need to fix some strings, but at least she doesn't think they might be code!) This is not so with the PPC's KERNEL.IMG, as it has no ELF header (more on this later). Working with most other processors this is no big deal, as you can just change the code to data and be done with it.
With ARM/Thumb this creates unique problems, as the incorrectly coded information can create links to other data areas and sometimes, depending on the instructions, IDA decides the other data area needs to be in Thumb mode and sets it to CODE16 when it really needs to be CODE32 (or vice versa). She uses two different decoders for the hex data and keeps a virtual T segment register (shown as CODE16 / CODE32 in the listing) to know which one to apply. In a typical ARM/Thumb reverse engineering project you have to manually correct any of these that she wrongfully set. It takes a little practice to understand when she got it right and when what she did makes no sense. This is very tedious and time-consuming, but it's a heck of a lot less work than if you didn't have IDA to do 99% of the real work for you. The best practice is to search for CODE16 and do a sanity check on the code around each hit. A quick tell: a BX/BLX to an address with bit 0 set switches the core to Thumb, so that target should be CODE16; a BX to an even address should land in CODE32.
Also, an ARM processor is capable of performing jumps to areas of memory that IDA has no way of knowing about (PC can be modified directly via code). IDA will leave these areas in the CODE segments as compressed data, so you need to look for large "chunks" of data mid-stream in the code that need to be turned into code with the C key.
Sometimes it's advantageous to turn off IDA's auto-analysis during this process (the green ball in the menu bar), especially if you are unsure whether something is CODE16 or CODE32. If you have the segment register set wrong (keycode CTRL-K), she can go wild setting other areas to the wrong type if in auto mode.