Hacking Mail box bomb

  • Thread starter: KiiWii
  • Views: 56,647
  • Replies: 271
XFlak said:
They meant if there is a way to launch s/uneek on a virgin wii without installing anything onto the Wii, including bootmii @ IOS254


QUOTE(obcd @ Aug 9 2011, 10:09 PM) I obviously wasn't clear enough about that part. Sorry folks.
It should indeed work without the install of an IOS.
I need to find a way to embed and execute ARM code in a PPC ELF file.
I can't think of anything that comes into the neighborhood of such functionality.

It can be done. The HackMii Installer loads MINI before installing anything. It uses an IOS exploit to load MINI, then once it has switched to MINI installs BootMii/IOS (i.e. the MINI loader stub in the IOS254 slot), then presents a menu to install HBC and BootMii/boot2.

The same technique could be used to load MINI without IOS254. Essentially all you need is to replicate the loader stub included in IOS254 as a standalone binary, which will then load MINI from the SD card (armboot.bin), along with SNEEK (ppcboot.elf). It can be done, but I doubt it'd be particularly easy.
 
QUOTE said:
It uses an IOS exploit to load MINI

I don't think there is source code that shows how this is done?

Crediar also once said it was possible, but he had no interest in it.

You will probably need to hack into the running IOS and replace the code of one of its modules, like the DI.
Upon triggering that module (like with iosopen("/dev/di")) you could transfer code execution to your ARM code.

I can imagine it isn't easy. I don't even know if the PPC can freely read and write into the ARM code memory block.

Without an example, it will be above my programming skills and take a little too much of my spare time.

I wasn't aware that the HackMii Installer loaded MINI first. I thought it installed IOS254 the same way any WAD can be installed.
Maybe it's needed to access the NAND boot2 section and replace one of the copies with BootMii.
 
obcd said:
QUOTE said:
It uses an IOS exploit to load MINI

I don't think there is source code that shows how this is done?

Crediar also once said it was possible, but he had no interest in it.

You will probably need to hack into the running IOS and replace the code of one of its modules, like the DI.
Upon triggering that module (like with iosopen("/dev/di")) you could transfer code execution to your ARM code.

I can imagine it isn't easy. I don't even know if the PPC can freely read and write into the ARM code memory block.

Without an example, it will be above my programming skills and take a little too much of my spare time.

I wasn't aware that the HackMii Installer loaded MINI first. I thought it installed IOS254 the same way any WAD can be installed.
Maybe it's needed to access the NAND boot2 section and replace one of the copies with BootMii.


Nope there's no source code, that'd give away the source of the IOS exploit in use, which would make things easy for Nintendo. And it'd make it easy to remove the scam warning code, so those morons selling homebrew would be able to do so more easily.

As for HackMii Installer loading MINI first, I am pretty sure it was mentioned in a HackMii post. I will try and find it for you.

EDIT: http://hackmii.com/2009/08/timing-is-every...ftmoddable-wii/

QUOTE
There are a couple of different possible paths for the Installer to use — if it can, it will just use an old IOS that still has the unpatched hash comparison function and unfettered access to /dev/flash (reloading to that IOS as necessary). If not, it would choose one of a list of IOS exploits we had found, depending on the versions of IOS installed (each exploit needs to be customized to a specific major/minor version of IOS), and use it to load MINI into memory and execute it. From there, we could directly access the NAND flash and detect the installed version of boot1 and boot2. Finally, having made the decision of whether or not we could allow BootMii to be installed as boot2, we would reload back into a normal IOS so that we could access the WiiMote. Of course, reloading back into IOS isn’t exactly trivial; MINI has a function that launches an arbitrary title from NAND by reading boot2 from the beginning of NAND, patching the call to ES_LaunchTitle(1-2) to the desired title ID, and then executing the patched boot2.

Not exactly as I described it, but the application in this context is the same: MINI can be loaded purely from memory provided you have a working IOS exploit.

Of course, there are no public IOS exploits in any recent revisions of any IOS. A fully updated Wii will have no IOS that is vulnerable to the public IOS exploits. Although in the case of LetterBomb, provided IOS is not reloaded, System Menu permissions will most likely still be present, as they were with BannerBomb. I don't think that would be enough, however, to load MINI into memory and execute it, but I'm not sure. And those slightly elevated permissions may in some way be abusable to gain even further elevated permissions. But of course, that is just me theorising. I have very limited knowledge of hacking or programming, so most of what I say should be taken lightly.
 
There is a very long way between the possibilities being examined and the actual result being usable.
Team Twiizers could help with this if they would provide the source of the HackMii Installer to the person willing to work on this.
They could also develop it themselves, but I don't think it interests them. So don't expect anything soon.
 