ida stuff

Discussion in 'Wii U - Hacking & Backup Loaders' started by davetheshrew, May 1, 2016.

  1. davetheshrew (OP)
    Ok

    Work is being done on getting IOSU out there, so here is something that will allow you all to join in and hopefully get this out faster. The idea is that people work a bit on these and post what they find; I will take everything every week or so, post it off to the dev and see what should be added/taken away/trashed etc., and eventually a complete IOSU will be the result, in theory. When a new zip is compiled I'll post it and everyone gets another go. This is what has been done so far:

    This is for IDA Version 6.8.150423 (32-bit)
    These files have all of the known functions labeled and fully commented.
    All known Prototypes, Descriptions and Parameters are included.
    All known SysCalls are documented and "repeatable commented" with their parameters.
    Added in all ISO-CRYPTO OTP read data and locations.
    Began mapping of all ISO-CRYPTO ioctl and ioctlv commands in both PPC and ARM
    Finished mapping the IOCTL/IOCTLV commands
    Added in a copy of C2W.IMG file (fully decrypted - very revealing on how Nindy thinks... look at this one!)
    Added in all Thumb 16-Bit SysCalls (Mostly IOS-KERNEL)
    Added both BootRoms (Wii_& WiiU) to the PPC side based off feedback from the debugger
    Began exploring how to work with the PPC-KERNEL using SDK's multi5326 - added notes inside the IDA files on any findings.

    Changes, May 1st 2016

    Added and renamed some functions to match smea's released IOSUHax information
    Added in more found functions in both the ARM and PPC decompiles
    Added documentation about the ARM926EJ-S processor (technical doc PDF)


    This is PUBLIC stuff

    It IS NOT for making private exploits

    I TAKE NO CREDIT FOR THIS AND AT THE DEV'S REQUEST I'M NOT CREDITING HIM EITHER

    here are the files http://www.filedropper.com/ppcandarmfirmware55xida32-bit_1


    How to "Do-it-yourself" for those that want to learn on their own:


    PART 1:

    Tools you will need:

    * IDA Pro 6.x with ARM/Thumb and PPC modules in big-endian (most copies already have these)

    * UWizard (or any other NUS Downloader of your choice)

    * HEX Editor (recommend HxD.exe)

    * A working copy of OPENSSL

    * A basic ARM command list for reference like: http://simplemachines.it/doc/arm_inst.pdf
    (Don’t worry about this too much now. It’ll make more sense later on)




    Getting Started:

    Start UWizard

    Select Settings Tab - all Keys should be green and say "Verified as Correct by SHA1"
    (Don't ask here for the keys, they are easily found elsewhere.)

    Select NUS Downloader U Tab.

    Type in the TitleID and Version of the firmware you want to download (see http://wiiubrew.org/wiki/Title_database for the latest)
    TIP: Note the removal of the "-" dash in the TitleID and the "v" letter in the version as they are posted on wiiubrew.

    Example: OSv10 5.5.0/5.5.1
    TitleID: 000500101000400A Version: 15702

    Check the Decrypt Contents checkbox

    When UWizard is done, it will open up the decoded directory. (code)

    Copy the files you want to work with to your OPENSSL location
    (FW.IMG and/or KERNEL.IMG)

    The command to decrypt with openssl is: openssl enc -d -aes-128-cbc -K "KEY HERE" -iv 0 -nopad -in filename.IMG -out filename.BIN
    Note that the "K" must be UpperCase and there are no quotes around the key.

    KERNEL.IMG is decrypted with the EXPRESSO ANCAST KEY
    FW.IMG is decrypted with the STARBUCK ANCAST KEY
    TIP: You can copy/paste the keys from UWizard by unchecking the "Hide Keys" box.

    For now we will do the FW.BIN file first.
    It is in ARM/Thumb and is the base for any CFW.

    Open up the FW.BIN file created by OPENSSL in the HEX Editor and remove the header up until it starts with "0x7F 0x45 0x4c 0x46"
    (0x7F and the word ELF)
    In 5.5.1, it is the first 0x804 bytes

    Save it as FW.ELF

    Now the fun begins...

    Open up IDAPro (idaq.exe or idaq64.exe) and select the FW.ELF file

    IDA should say it’s an ELF for ARM (Executable) [elf64.i64]
    (-or- elf.ldw if you are using 32 bit)

    In the PROCESSOR TYPE pull-down, go up until you get to ARM BIG-ENDIAN ARMB
    Select the SET Button. ( Important step!! )
    Next, select the KERNEL OPTIONS 1 and Un-Select DELETE INSTRUCTIONS WITH NO XREFS, then select OK
    Next, select the KERNEL OPTIONS 2 and Select COAGULATE DATA SEGMENTS IN THE FINAL PASS and AUTOMATICALLY CONVERT DATA TO OFFSETS, then select OK

    Now select the OK button to begin loading.

    If the ARM/THUMB SWITCHING message shows, select OK
    If the Hex-Rays message comes up, select OK

    Now the wait begins...
    Look at the lower left corner of the IDA screen; you will see that she is processing the file.

    Leave everything alone and wait until she is all done processing the file.
    When she finishes, a pop-up message will say something about Proximity Mode... Select YES

    Press the “+” key on your keyboards number pad to take it out of Proximity mode for now. (You can always press the “-“ key to turn it back on later.)


    As a basic first step, in IDA press SHIFT F12 to create a tab with the current strings she already found for you
    (this is not all of them, we will create more later)


    PART #2
    Next is adding in some missing bits and pieces to our Firmware compilation.

    For this, you will need a copy of BOOT0 and BOOT1 for your firmware.

    For example, here is a copy of them for 5.5.1/5.5.0 I "found" on pastebin. : http://pastebin.com/5sBn1FKt
    It's a ZIP file. Make a ZIP file using the RAW data and copy/paste it into HxD.exe then save it as BOOTS.ZIP. Open it with your zip file utility and save the contents in your working folder.

    To Add BOOT1.BIN
    FILE -> LOAD FILE -> ADDITIONAL BINARY FILE
    Loading Segment = 0x0
    Loading Offset = 0x0D400000
    File Offset = 0x0
    Number of bytes = 0x0 (max)
    Create Segments = CHECKED
    Code Segment = CHECKED

    To Add BOOT0.BIN
    FILE -> LOAD FILE -> ADDITIONAL BINARY FILE
    Loading Segment = 0x0
    Loading Offset = 0x0D4100A0
    File Offset = 0x0
    Number of bytes = 0x0 (max)
    Create Segments = CHECKED
    Code Segment = CHECKED


    Now to create the other missing segments manually.
    We need to add:

    GP_RAM   - 0xD000000 to 0xD010000 - DATA
    NAND     - 0xD010000 to 0xD020000 - DATA
    AES      - 0xD020000 to 0xD030000 - DATA
    SHA      - 0xD030000 to 0xD040000 - DATA
    GPIO     - 0xD800000 to 0xD810000 - DATA
    DRAMCtrl - 0xD8B0000 to 0xD8C0000 - DATA



    To create a new segment, it's:
    EDIT -> SEGMENTS -> CREATE SEGMENT and use the information above.

    Example:
    Segment Name = GP_RAM
    Start address = 0xD000000
    End address = 0xD010000
    Base = 0x0 (default)
    Segment Class = DATA
    (All other settings can be left at default)

    Do the same as above for NAND, AES, SHA, GPIO and DRAMCtrl


    Now, it's time to clean things up a bit:
    Click on the IDA View-A tab
    Press SHIFT F7 to bring up the Segment List
    Scroll to the top of the list.

    Using the information from this Pastebin : http://pastebin.com/yQx8NLEy, rename all of the Segments by selecting one and pressing "CONTROL E" (or right click and EDIT SEGMENT)
    Change the SEGMENT NAME and the READ/WRITE/EXECUTE settings to match the pastebin information.
    Note that some are marked as "Unknown", it's part of our job to figure those out and label them and update wiiubrew.org

    While we are making changes to the Segments, we also need to make a minor adjustment to BOOT0 and edit the Start Address to 0xD410000 and the End Address to 0xD420000
    We also need to make a minor adjustment to BOOT1 and edit the Start Address to 0xD400000 and End Address to 0xD410000
    This will pad the top and bottom of BOOTs so they match the publicly posted decodings.


    Now...
    IDA likes to compress unused data, but for our case we want to see all of the storage registers so we can name them.
    There is only one segment we created that she will compress, RAM (the others are too small for her to pay attention to)

    Press ALT S and double-click on the RAM segment
    Press the U key (Undefine)
    Press Y to confirm


    Next is to set the Names for what is stored in these new Segments using the information found here: http://pastebin.com/xDuwVaRh
    To add a name to an address, press G to bring up the "Jump To Address" menu, then type in the address to jump to.
    Press the N key to add/change the name.
    You may need to use the U key to Undefine the address if it is compressed.


    Now that we've added in new information that IDA didn't know about before, she needs to re-analyze the data and add in new storage locations.

    Before we do this, we need to verify a couple of options to make sure the data looks clean and our settings are still set.

    Do this by going to: OPTIONS -> GENERAL -> ANALYSIS and open up KERNEL OPTIONS 2
    2nd one down is COAGULATE DATA SEGMENTS IN THE FINAL PASS, make sure it is still checked.
    Towards the middle of the list is AUTOMATICALLY CONVERT DATA TO OFFSETS, make sure it is still checked, then select OK

    Select the REANALYZE PROGRAM button and select OK

    If all is well, she will start crunching through the code, adding in new storage locations and size them for you (BYTE,WORD,DWORD...)
    Hint: Watch the lower left corner of her screen

    She doesn't know the names of what is stored where yet, you will need to use the N key on your keyboard to teach her.

    Hint: It may be a lot easier to read the screen if you go to OPTIONS -> GENERAL, select the DISASSEMBLY tab and change COMMENTS INDENTATION (NON GRAPH) to something like 80.
    If you want to see what all of the commands do, you can turn on AUTO COMMENTS, but I'd suggest you turn it back off after seeing what IDA can tell you for now.



    Use this file as a template and start naming functions in BOOT1: http://static.hackmii.com/boot1.txt
    And for BOOT0, use this: http://pastebin.com/zePZT8Zi
    Use this to start naming the KERNEL SRAM data: http://wiiubrew.org/wiki/IOSU_Syscalls

    Note: to add a Comment, use the ; Semicolon key on your keyboard.
    It's better to use semicolon than colon comments, as they show everywhere the location is referenced to/from.




    A Side note that needs to be talked about now:
    I figured I'd wait to bring this up until you've had a few successes working with IDA.

    In case you didn't already know, an ARM/Thumb processor is both 32 and 16 bit.
    ARM is 32 and Thumb is 16(and some 32 too).

    The saying goes "Nobody's Perfect" and IDA is just like everyone else, she makes mistakes.
    Working in ARM/Thumb is very difficult to reverse engineer. Sometimes what looks like good Code is actually Strings or Data.

    Luckily the FW.IMG is an ELF format file, so IDA knows where the Strings are. (even so, we still need to fix some strings but at least she doesn't think they might be code!)
    This is not so with the PPC's KERNEL.IMG as it has no ELF header. (more on this later)

    Working with most other processors this is no big deal as you can just change the Code and be done with it.

    With ARM/Thumb, this creates unique problems as the incorrectly Coded information can create links to other Data areas and sometimes, depending on the instructions, IDA thinks the other Data area needs to be in Thumb mode and she sets it to CODE16 when it really needs to be CODE32 (or vice versa).

    She uses two different "engines" to decode the hex data and she sets "tags" ( CODE16 / CODE32 ) to know which one to use.
    In a typical ARM/Thumb reverse engineering project, you have to manually correct any of these that she wrongfully set.
    It takes a little practice to understand when she got it right, and when it makes no sense what she did.

    This is very tedious and time consuming, but it's a heck of a lot less work than if you didn't have IDA to do 99% of the real work for you.
    The best practice is to use the search for CODE16 and do a sanity check for the code around it.

    Also, an ARM Processor is capable of performing jumps to areas of memory that IDA has no way of knowing about (PC can be modified directly via code)
    IDA will leave these areas in the CODE segments as compressed data, so you need to look for large "chunks" of data mid-stream in the code that need to be compiled using the "C" key.

    Sometimes it's advantageous to turn off IDA's Auto Analysis during this process (The Green Ball in the menu bar), especially if you are unsure if it's CODE16 or CODE32.
    If you have the Segment Register set wrong (Keycode CTRL-K), she can go wild setting other areas to the wrong type if in Auto mode.
     
    Last edited by davetheshrew, May 2, 2016
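Added example, not from the post above or from the dev's IDA files: a small Python script that does the "remove the header up until 0x7F 0x45 0x4C 0x46" step of PART 1 on a decrypted FW.BIN and then checks the ELF ident so you can confirm what IDA should detect (ELF32, big-endian, ARM executable) before you load it and pick ARM BIG-ENDIAN. It searches for the ELF magic rather than assuming the first 0x804 bytes, so it also tells you when the magic is simply not there (usually a wrong key or IV). The stand-in FW.BIN it builds when run without arguments is constructed for the demonstration: the 0x804 bytes of filler and the sample ELF header values are made up, not real firmware. Function names are my own.

```python
"""Added example, not from the post or the dev's IDA files: perform the
"remove the header up to 7F 45 4C 46" step of PART 1 programmatically and
sanity-check the ELF header before opening it in IDA."""
import struct
import sys
from typing import Dict, Tuple

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40          # ELF e_machine value for ARM
ET_EXEC = 2          # ELF e_type value for an executable
ELFCLASS32 = 1
ELFDATA2MSB = 2      # big-endian


def strip_ancast_header(fw_bin: bytes) -> Tuple[int, bytes]:
    """Return (header_length, elf_bytes) for a decrypted FW.BIN.

    Searches for the first ELF magic instead of assuming 0x804 bytes, so the
    same code works if another firmware version has a different header size.
    No magic at all almost always means the wrong key or IV was used.
    """
    off = fw_bin.find(ELF_MAGIC)
    if off < 0:
        raise ValueError("no ELF magic found; wrong key/IV or not an ancast image")
    return off, fw_bin[off:]


def describe_elf(elf: bytes) -> Dict[str, object]:
    """Parse the 52-byte ELF32 header and report what IDA should detect."""
    if len(elf) < 52 or elf[:4] != ELF_MAGIC:
        raise ValueError("not a complete ELF32 header")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class != ELFCLASS32:
        raise ValueError("expected ELF32, got EI_CLASS=%d" % ei_class)
    endian = ">" if ei_data == ELFDATA2MSB else "<"
    (e_type, e_machine, _version, e_entry, _phoff, _shoff, _flags,
     _ehsize, _phentsize, e_phnum) = struct.unpack(endian + "HHIIIIIHHH", elf[16:46])
    return {
        "big_endian": ei_data == ELFDATA2MSB,
        "machine": "ARM" if e_machine == EM_ARM else "other(%d)" % e_machine,
        "executable": e_type == ET_EXEC,
        "entry": e_entry,
        "phnum": e_phnum,
    }


def build_sample_fw_bin(header_len: int = 0x804) -> bytes:
    """Constructed stand-in for a decrypted FW.BIN (NOT real firmware):
    header_len bytes of filler where the ancast header would be, followed by a
    minimal big-endian ARM ELF32 header advertising one program header."""
    filler = (bytes(range(256)) * (header_len // 256 + 1))[:header_len]
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + b"\x00" * 9
    rest = struct.pack(">HHIIIIIHHHHHH",
                       ET_EXEC, EM_ARM, 1,      # e_type, e_machine, e_version
                       0x08000000,              # e_entry (made-up value)
                       52, 0, 0,                # e_phoff, e_shoff, e_flags
                       52, 32, 1,               # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)                 # e_shentsize, e_shnum, e_shstrndx
    return filler + ident + rest


if __name__ == "__main__":
    # Usage: python strip_ancast.py FW.BIN FW.ELF   (no args = built-in sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_fw_bin()
    hdr_len, elf = strip_ancast_header(data)
    print("stripped 0x%X header bytes" % hdr_len, describe_elf(elf))
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(elf)
```

Run it on the FW.BIN that came out of openssl; if it reports big_endian True and machine ARM you have the right key and the FW.ELF it writes is what the IDA steps above expect. If it raises "no ELF magic found", do not go hunting in the hex editor, re-check the key and the -iv 0 / -nopad options first.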
  2. davetheshrew (OP)
    BTW, as the zip gets updated (it does, often) I will re-upload and add a changelog, cheers.
     
  3. Dylon99
    Did you write this all in just a few minutes? If so, hats off to you my friend.
     
  4. solitaire4eva
    Thank you kind sir.
     
  5. davetheshrew (OP)
    Yeah, took me like 30 seconds... nah lol, it's copy-paste, but as I said, it's public stuff; it's always been intended to be that way, except where this info comes from is preferred to be quiet without distraction.
     
  6. Dylon99
    Well, the files are public of course, but the instructions?
     
  7. davetheshrew (OP)
    It's not written here but I will quote directly from the dev, Dylon99:

    Feel free to share the file, but do not share the link as this is not my Mega account. (thanks to the anonymous donor)
    Download it and share, or download and post it on another account.
    DO NOT CREDIT ME FOR THIS.
    THIS IS FOR PUBLIC USE ONLY.
    IT IS NOT TO BE USED FOR PRIVATE EXPLOITS!!!
     
  8. Dylon99
    Someone wrote this up and put it on the internet for everyone to use.
    He's the real MVP!
     
  9. davetheshrew (OP)
    I truly hope it helps everyone on here. Any problems with the upload etc., let me know, I'll set up a Mega account soon.
     
  10. KiiWii
    Those in the know know where this is from.

    Thanks anonydev! ;)
     
  11. davetheshrew (OP)
    Oh, BTW:

    This is for IDA Version 6.8.150423 (32-bit)
    These files have all of the known functions labeled and fully commented.
    All known Prototypes, Descriptions and Parameters are included.
    All known SysCalls are documented and "repeatable commented" with their parameters.
    Added in all ISO-CRYPTO OTP read data and locations.
    Began mapping of all ISO-CRYPTO ioctl and ioctlv commands in both PPC and ARM
    Finished mapping the IOCTL/IOCTLV commands
    Added in a copy of C2W.IMG file (fully decrypted - very revealing on how Nindy thinks... look at this one!)
    Added in all Thumb 16-Bit SysCalls (Mostly IOS-KERNEL)
    Added both BootRoms (Wii_& WiiU) to the PPC side based off feedback from the debugger
    Began exploring how to work with the PPC-KERNEL using SDK's multi5326 - added notes inside the IDA files on any findings.

    That's how far these files are at in terms of work; the next update will have more, and so on.
     
  12. VinsCool
    Cool, let's hope this leads to goodies.
     
  13. Masterwin
    It was time!
     
  14. brkun
    thank you! =)
     
  15. davetheshrew (OP)
    I hope it's all of good use for you. If you find things that need adding etc., just copy-pasta them here and I'll get it out regularly. I will say though, the dev, when around, works at light speed, so don't be disappointed if you have worked hard only to find stuff completed lol
     
  16. KiiWii
    This is the injection the scene needs.

    I hope this proves useful for someone to piece together, and perhaps more knowing devs to chime in with some direction?

    :)
     
  17. davetheshrew (OP)
    Give up, you wouldn't know what to do with it if you had it because you are all dumb, we are smart you are not, I am big you are small, it's ready when it's ready, soon.

    I'm not being fair, but tbh this past week has been silly; there are great people here.
     
    Last edited by davetheshrew, May 2, 2016
  18. Dylon99
    Soon™. FTFY
     
  19. bajul
    Waiting can load loadiine
     
  20. davetheshrew (OP)
    eh?