Hacking Overwriting Wii U title specific executable code?

BullyWiiPlaza

Nintendo Hacking <3
OP
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,477
Country
Germany
Last edited by BullyWiiPlaza,
Joined
Apr 19, 2015
Messages
1,024
Trophies
1
Location
Stuck in the PowerPC
Website
heyquark.com
XP
3,931
Country
Australia
I don't see why not. Basically, you'd want (in kernel mode) to write to some BAT registers to map the memory to wherever you'd like. There's separate mappings for data and instructions (DBATs and IBATs respectively) so you'll have to keep that in mind; you'd want to set up a DBAT so you can write to the code area as if it were data. You can find the documentation for this here (7-25 [actual page 290] for the format of the BAT registers, 7-20 [actual 285] for the chapter on BATs) and I wrote a bit of an example here (remember, # = comment, GitHub doesn't like that for some reason) which maps 0x14000000 to 0xE0000000 for instructions (making 0xE0000000 executable, basically). I inject that into a syscall and away it goes. I also noted down the DBATs used by HBL here so can get an idea which ones are in use and which ones aren't.

Worth noting that there's only meant to be 5 BATs so if you want to use the others you need to use their SPR numbers (listed here).
 

wj44

Well-Known Member
Member
Joined
Jun 18, 2015
Messages
477
Trophies
0
XP
506
Country
Gambia, The
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
 
Last edited by wj44,

rendering

Member
Newcomer
Joined
Feb 13, 2016
Messages
11
Trophies
0
XP
84
Country
United States
I have tried kernel_write long time ago, kernel_write can only writing in some parts of game's code area without problem, there are still some parts of game's code area, even if you use kernel_write still cause exception, use DBAT/IBAT method would be better
 
Last edited by rendering,

BullyWiiPlaza

Nintendo Hacking <3
OP
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,477
Country
Germany
So can someone maybe make a TCP Gecko Installer with executable memory write permissions by default if you already know how it could work? The answers seem too tedious and impossible to do for an end user wanting this, too. It would make the application much better for what it's for, game modding ;)
 
Last edited by BullyWiiPlaza,
  • Like
Reactions: KiiWii

BullyWiiPlaza

Nintendo Hacking <3
OP
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,477
Country
Germany
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))
    self.socket.send(request)
    return
 
Last edited by BullyWiiPlaza,

shinyquagsire23

SALT/Sm4sh Leak Guy
Member
Joined
Nov 18, 2012
Messages
1,977
Trophies
2
Age
26
Location
Las Vegas
XP
3,765
Country
United States
Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?
No, IOS has file permissions which restrict looking at things on the file system. You can FSBindMount certain directories but you need to have proper permissions to actually access anything.
 

wj44

Well-Known Member
Member
Joined
Jun 18, 2015
Messages
477
Trophies
0
XP
506
Country
Gambia, The
The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))
    self.socket.send(request)
    return
Never checked if it can write to that region. But You can write to the .text region of a Game:
Code:
tcp = TCPGecko(ip_address)
data_start = tcp.readkern(0xFFEAB7A0 + 0x20)
tcp.writekern(data_start, 1)
print("Done.")
 
  • Like
Reactions: BullyWiiPlaza

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    K3Nv2 @ K3Nv2: what's that