OSDriver kernel exploit - a technical description

Discussion in 'Wii U - Hacking & Backup Loaders' started by Marionumber1, Aug 20, 2015.

  1. Onion_Knight

    Onion_Knight GBAtemp Advanced Fan

    Member
    6
    Feb 6, 2014

    I modified this section to withstand client-side issues, but I will add that to my code.

    Code:
        addr.sin_family = AF_INET;
        addr.sin_port = 7331;            /* Espresso is big-endian PowerPC, so htons() would be a no-op here */
        addr.sin_addr.s_addr = 0;        /* INADDR_ANY: accept on every interface */
        sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);  /* open a file handle to a socket */
        CHECK_ERROR(sockfd == -1);
        ret = bind(sockfd, (void *)&addr, 16);
        CHECK_ERROR(ret < 0);
        ret = listen(sockfd, 20);
        CHECK_ERROR(ret < 0);

        /* serve one client at a time; addr/len are reused for accept() */
        while (1) {
            len = 16;
            clientfd = accept(sockfd, (void *)&addr, &len);
            CHECK_ERROR(clientfd == -1);
            ret = rungecko(bss, clientfd);
            CHECK_ERROR(ret < 0);
            socketclose(clientfd);
            clientfd = -1;
        }
        socketclose(sockfd);
        sockfd = -1;
    error:
        /* close whatever is still open and report the failing return code */
        if (clientfd != -1)
            socketclose(clientfd);
        if (sockfd != -1)
            socketclose(sockfd);
        bss->error = ret;
    }
     
  2. Onion_Knight

    Onion_Knight GBAtemp Advanced Fan

    Member
    6
    Feb 6, 2014
    Do I need to add the offsets for kernel read and write in the header file, loader.h?
     
  3. golden45

    golden45 GBAtemp Regular

    Member
    4
    Jun 23, 2015
    France
    In loader.h, in the section between "#elif VER == 532" and "#else",
    you should have something like this:

    Code:
    #elif VER == 532
      #define KERN_SYSCALL_TBL_1  0xFFE84C70 // unknown
      #define KERN_SYSCALL_TBL_2  0xFFE85070 // works with games
      #define KERN_SYSCALL_TBL_3  0xFFE85470 // works with loader
      #define KERN_SYSCALL_TBL_4  0xFFEA9CE0 // works with home menu
      #define KERN_SYSCALL_TBL_5  0xFFEAA0E0 // works with browser
      #define KERN_CODE_READ  0xFFF02274
      #define KERN_CODE_WRITE  0xFFF02294
      #define KERN_ADDRESS_TBL  0xFFEAAA10
      #define KERN_HEAP  0xFF200000
    #else
    KERN_CODE_READ and KERN_CODE_WRITE don't change, those are the addresses where the read/write code is called from the syscall handler.
     
    paulloeduardo likes this.
  4. Onion_Knight

    Onion_Knight GBAtemp Advanced Fan

    Member
    6
    Feb 6, 2014
    That's what I thought I posted in my question. I did exactly that. I was wondering if I needed to recalculate the addresses for KERN_CODE_READ/WRITE from those new base addresses and add a define for those.
     
  5. Reecey

    Reecey Mario 64 (favorite game of all time)

    Member
    10
    Mar 7, 2010
    At Home :)
    I was just thinking on this thread: if others are creating their own OSDrivers, then maybe they might change bits and bobs to get it working better; they should post them up for others to test. Someone might even hit the jackpot and discover a version that never errors, a cleaner-booting version. It's worth others testing them to find out the best OSDriver. If this thread is about the OSDriver then it's the perfect thread to post them up, and not in the Wii U hacking & homebrew thread where they all just get lost eventually in the masses of pages :)
     
  6. Psi-hate

    Psi-hate GBATemp's Official Psi-Hater

    Member
    9
    Dec 14, 2014
    United States
    Houston
    Sorry for uh.. asking such a question, but if the exploit was patched in 5.5, then is 5.4 exploitable at all? I heard that one of the developers had it running on 5.4, but I don't seem to see anything about it on these forums?
     
  7. Marionumber1
    OP

    Marionumber1 GBAtemp Maniac

    Member
    14
    Nov 7, 2010
    United States
    I've had an alternate kernel exploit since early August, which is private and works fine on 5.5.0.
     
    KytuzuEX, Chuardo and VinsCool like this.
  8. n1ghty

    n1ghty GBAtemp Regular

    Member
    5
    Aug 8, 2013
    Saint Kitts and Nevis
    The kernel exploit is the same for 5.4, but there is no public userland exploit for 5.4.
    The non-public browser exploit for 5.4 is also usable in 5.5 and thus currently unpatched.
    The public kernel exploit got patched in 5.5, but there is a non-public one.

    Releasing the new browser exploit for 5.4 would be bad because it would probably get fixed in 5.6 and so on...
     
  9. Psi-hate

    Psi-hate GBATemp's Official Psi-Hater

    Member
    9
    Dec 14, 2014
    United States
    Houston
    Ah, okay. Thanks for clarifying! If there's a userland exploit for 5.4 and above, I'd definitely wait for that. I suppose it'd be a good time to block the updates in case the 5.4+ userland exploits are released later?
     
  10. MLT

    MLT Member

    Newcomer
    1
    Oct 25, 2015
    To make online functions work for Loadiine I need access to the area at 0x0DD00000, which is mapped in the kernel here:

    0xFFEAAA30  value 0x0DD00000  virtual address
    0xFFEAAA34  value 0x02300000  size
    0xFFEAAA38  value 0x8DD00000  physical address
    0xFFEAAA3C  value 0x2FF09400  memory flags...

    Any idea how to write to it, or remap it to another area that is RWX? Any ideas will be welcome. If I get access to that memory I can do so many things...
     
    paulloeduardo and daxtsu like this.
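    As an added example (not code from the thread or from any Wii U project), the following host-side C walks a copy of a kernel address table with the four-word entry layout MLT quoted for 0xFFEAAA30..0xFFEAAA3C (virtual base, size, physical base, flags) and translates virtual addresses to physical ones. Only the 0x0DD00000 entry is from the post; the two other entries and the raw byte string are constructed placeholders, and the flag bit layout is not decoded because the page does not document it.

```c
/* Added example (not code from the thread): walk a copy of the kernel
 * address table to translate a virtual address to its physical address.
 * The entry layout (virt, size, phys, flags) is the one MLT quoted for
 * 0xFFEAAA30..0xFFEAAA3C; the other two entries below are constructed
 * placeholders. Runs entirely on the host against the embedded copy. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint32_t virt;   /* virtual base address */
    uint32_t size;   /* length of the mapping in bytes */
    uint32_t phys;   /* physical base address */
    uint32_t flags;  /* memory flags (bit layout not documented on the page) */
} addr_tbl_entry;

/* Constructed table: only the 0x0DD00000 entry is taken from the thread. */
static const addr_tbl_entry kern_addr_tbl[] = {
    { 0x10000000, 0x00800000, 0x50000000, 0x00000000 }, /* constructed placeholder */
    { 0xF4000000, 0x02000000, 0x14000000, 0x00000000 }, /* constructed placeholder */
    { 0x0DD00000, 0x02300000, 0x8DD00000, 0x2FF09400 }, /* MLT's entry */
};
#define KERN_ADDR_TBL_COUNT (sizeof kern_addr_tbl / sizeof kern_addr_tbl[0])

/* Read one big-endian 32-bit word, as the PowerPC kernel stores them. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode a raw 16-byte entry exactly as it sits in a dump. */
addr_tbl_entry kern_addr_tbl_decode(const uint8_t raw[16])
{
    addr_tbl_entry e = { be32(raw), be32(raw + 4), be32(raw + 8), be32(raw + 12) };
    return e;
}

/* Find the entry covering `virt`, or NULL. The bounds check is done in
 * 64 bits so a base+size that wraps past 0xFFFFFFFF is never mis-classified. */
const addr_tbl_entry *kern_addr_tbl_find(const addr_tbl_entry *tbl, size_t n, uint32_t virt)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t lo = tbl[i].virt;
        uint64_t hi = lo + tbl[i].size;  /* exclusive end */
        if (virt >= lo && virt < hi)
            return &tbl[i];
    }
    return NULL;
}

/* Translate virt -> phys. Returns the physical address, or -1 if unmapped. */
int64_t kern_virt_to_phys(const addr_tbl_entry *tbl, size_t n, uint32_t virt)
{
    const addr_tbl_entry *e = kern_addr_tbl_find(tbl, n, virt);
    if (e == NULL)
        return -1;
    return (int64_t)e->phys + (virt - e->virt);
}

/* Convenience wrapper over the embedded table. */
int64_t lookup_example(uint32_t virt)
{
    return kern_virt_to_phys(kern_addr_tbl, KERN_ADDR_TBL_COUNT, virt);
}

/* Constructed raw bytes of MLT's entry as they would appear at 0xFFEAAA30. */
static const uint8_t mlt_entry_raw[16] = {
    0x0D, 0xD0, 0x00, 0x00,  0x02, 0x30, 0x00, 0x00,
    0x8D, 0xD0, 0x00, 0x00,  0x2F, 0xF0, 0x94, 0x00,
};

int main(void)
{
    addr_tbl_entry e = kern_addr_tbl_decode(mlt_entry_raw);
    printf("entry: virt=%08X size=%08X phys=%08X flags=%08X\n",
           e.virt, e.size, e.phys, e.flags);
    uint32_t probes[] = { 0x0DD00000, 0x0DD12345, 0x0FFFFFFF, 0x10000000, 0x20000000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int64_t p = lookup_example(probes[i]);
        if (p < 0)
            printf("%08X -> unmapped\n", probes[i]);
        else
            printf("%08X -> phys %08llX\n", probes[i], (unsigned long long)p);
    }
    return 0;
}
```

    The exclusive-end check in 64 bits matters for the high kernel mappings (0xFFxxxxxx bases), where `virt + size` can overflow a 32-bit add and silently shrink a range to nothing.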
  11. NexoCube

    NexoCube stop using piracy :(

    Member
    6
    Nov 3, 2015
    France
    Stack Pointer
    I know this thread has existed for a long time, but how did you find the syscall table addresses for the OSDriver kexploit?

    Code:
        #define KERN_SYSCALL_TBL        0xFFEAA0E0
        #define KERN_CODE_READ            0xFFF02274
        #define KERN_CODE_WRITE            0xFFF02294
        #define KERN_ADDRESS_TBL        0xFFEAAA10
        #define KERN_HEAP                0xFF200000
    I really don't know where these are. Is there an easy way to find them, like documentation or something?
     
  12. MLT

    MLT Member

    Newcomer
    1
    Oct 25, 2015

    Just dumping the kernel and reversing the tables... kernel code is at 0xFFF00100.
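    As an added example (not the method anyone in the thread used, and not code from the page), here is a generic host-side heuristic for the "reversing the tables" step: scan a raw kernel dump for runs of consecutive big-endian 32-bit words that all point into the kernel code region, which is how function-pointer tables such as a syscall table tend to stand out. The code region start 0xFFF00100 is from MLT's post; the region end, the dump base address and the dump contents are constructed assumptions for the example.

```c
/* Added example (not from the thread): a host-side heuristic for locating
 * candidate function-pointer tables, such as a syscall table, in a raw
 * kernel dump. It scans for runs of consecutive big-endian 32-bit words
 * that all point into the kernel code region (kernel code starts at
 * 0xFFF00100 per MLT; the region end and the dump base are assumptions).
 * The dump itself is a small constructed buffer, not a real kernel image. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DUMP_BASE     0xFFEA0000u   /* assumed virtual address of dump[0] */
#define KERN_CODE_LO  0xFFF00100u   /* kernel code start, from the thread */
#define KERN_CODE_HI  0xFFF40000u   /* assumed end of the kernel code region */
#define MIN_RUN       8             /* shortest run worth reporting */

typedef struct {
    uint32_t addr;   /* virtual address of the first pointer in the run */
    size_t   count;  /* number of consecutive code pointers */
} ptr_table;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* A word "looks like" a code pointer if it lies in the code region and is
 * 4-byte aligned (PowerPC instructions are word aligned). */
static int is_code_ptr(uint32_t v)
{
    return v >= KERN_CODE_LO && v < KERN_CODE_HI && (v & 3u) == 0;
}

/* Scan `len` bytes of `dump` (whose first byte sits at `base`) and record
 * every run of at least MIN_RUN consecutive code pointers in out[].
 * Returns the number of runs recorded (capped at max). */
size_t find_ptr_tables(const uint8_t *dump, size_t len, uint32_t base,
                       ptr_table *out, size_t max)
{
    size_t nwords = len / 4, found = 0, i = 0;
    while (i < nwords) {
        size_t start = i;
        while (i < nwords && is_code_ptr(be32(dump + i * 4)))
            i++;
        size_t run = i - start;
        if (run >= MIN_RUN && found < max) {
            out[found].addr  = base + (uint32_t)(start * 4);
            out[found].count = run;
            found++;
        }
        if (run == 0)
            i++;    /* skip the non-pointer word */
    }
    return found;
}

#define DUMP_WORDS 64

/* Build a constructed dump: instruction-like noise (nop/blr), a 12-entry
 * pointer table at word 16, and a 3-entry run at word 40 that is too
 * short to count. */
static void build_constructed_dump(uint8_t *buf)
{
    for (size_t w = 0; w < DUMP_WORDS; w++)
        put_be32(buf + w * 4, (w & 1) ? 0x60000000u /* nop */ : 0x4E800020u /* blr */);
    for (size_t w = 0; w < 12; w++)
        put_be32(buf + (16 + w) * 4, KERN_CODE_LO + (uint32_t)(w * 0x40));
    for (size_t w = 0; w < 3; w++)
        put_be32(buf + (40 + w) * 4, KERN_CODE_LO + 0x1000u + (uint32_t)(w * 0x10));
}

/* Run the scan over the constructed dump. */
size_t example_scan(ptr_table *out, size_t max)
{
    uint8_t dump[DUMP_WORDS * 4];
    build_constructed_dump(dump);
    return find_ptr_tables(dump, sizeof dump, DUMP_BASE, out, max);
}

int main(void)
{
    ptr_table found[8];
    size_t n = example_scan(found, 8);
    for (size_t i = 0; i < n; i++)
        printf("candidate table at %08X: %zu entries\n", found[i].addr, found[i].count);
    return 0;
}
```

    On a real dump you would feed the file contents and its load address to `find_ptr_tables`, then confirm each candidate by disassembling a few of the targets; the heuristic only narrows the search, it does not identify which run is the syscall table.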
     
  13. Don Jon

    Don Jon GBAtemp Maniac

    Member
    7
    Nov 20, 2015
    United States
    So I've got a question.
    I've found a working kernel exploit for firmware 5.5.1 through the process of brute forcing.

    My intentions are to either release it with a working emulator
    or release it alone and let someone finish it.

    The thing is that I am fairly new to the community (was a Microsoft guy)
    and I would hate to release something that has already been discovered.
    Could I check @DeVS your exploit and compare?
    If they are different,
    there is no reason for holding back if it turns out mine is different.

    btw I AM open for donations
     
    Last edited by Don Jon, Feb 12, 2016
  14. MassExplosion213

    MassExplosion213 .

    Member
    7
    Feb 15, 2015
    United States
    Nice scam dude. :P
     
    BIFFTAZ likes this.
  15. AHP_person

    AHP_person GBAtemp Fan

    Member
    4
    Nov 2, 2014
    United States
    Lemme just guess a bunch of times and see if I can get an IOSU exploit working. No way this could fail -0-
     
  16. emuman100

    emuman100 GBAtemp Regular

    Member
    3
    May 12, 2006
    United States
    Amazing work, Marionumber 1 and others!!!
     
  17. Don Jon

    Don Jon GBAtemp Maniac

    Member
    7
    Nov 20, 2015
    United States
    Hey guys,
    just got a PM not long ago.
    I gave some info.
    Turns out my exploit IS different from the private ones withheld.

    So
    EXPECT A RELEASE SOONtm
     
  18. Micael

    Micael Member

    Newcomer
    1
    Jan 16, 2016
    Brazil
    For what system version?
     
  19. moops44

    moops44 Prince of Darkness

    Member
    4
    May 15, 2014
    Germany
    Moon
    gameboy color
    Please stop spamming threads -.-
     
    Net-KILLER and emuman100 like this.
  20. Micael

    Micael Member

    Newcomer
    1
    Jan 16, 2016
    Brazil
    5.x or other
     