Hacking Overwriting Wii U title specific executable code?

BullyWiiPlaza

Nintendo Hacking <3
OP
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,446
Country
Germany
Last edited by BullyWiiPlaza,
Joined
Apr 19, 2015
Messages
993
Trophies
1
Location
Stuck in the PowerPC
Website
heyquark.com
XP
3,470
Country
Australia
I don't see why not. Basically, you'd want (in kernel mode) to write to some BAT registers to map the memory to wherever you'd like. There are separate mappings for data and instructions (DBATs and IBATs respectively) so you'll have to keep that in mind; you'd want to set up a DBAT so you can write to the code area as if it were data. You can find the documentation for this here (7-25 [actual page 290] for the format of the BAT registers, 7-20 [actual 285] for the chapter on BATs) and I wrote a bit of an example here (remember, # = comment, GitHub doesn't like that for some reason) which maps 0x14000000 to 0xE0000000 for instructions (making 0xE0000000 executable, basically). I inject that into a syscall and away it goes. I also noted down the DBATs used by HBL here so you can get an idea which ones are in use and which ones aren't.

Worth noting that there are only meant to be 5 BATs so if you want to use the others you need to use their SPR numbers (listed here).
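An added example in Python (not code from the thread or from the gist the post links): it computes the upper/lower BAT register pair for a mapping like the 0x14000000 -> 0xE0000000 one described above, using the register layout from the 750 documentation the post points to, and decodes a pair read back so you can tell which BATs are already in use. The 8 MiB block size, the helper names, and the SPR numbers for BATs 4 to 7 are assumptions, not taken from the post; the 256 MiB pair used as a cross-check is the familiar Wii MEM2 DBAT value.

```python
# Added example, not from the thread: encode/decode PowerPC BAT register pairs
# so a value can be sanity-checked before it is poked into IBATn/DBATn from kernel mode.
#
# Layout (PowerPC 7xx/750 family, 32-bit register, bit 0 = MSB):
#   upper: BEPI[0:14] | reserved[15:18] | BL[19:29] | Vs[30] | Vp[31]
#   lower: BRPN[0:14] | reserved[15:24] | WIMG[25:28] | reserved[29] | PP[30:31]

BAT_MIN = 128 * 1024          # smallest block: 128 KiB (BL = 0)
BAT_MAX = 256 * 1024 * 1024   # largest block: 256 MiB (BL = 0x7FF)

PP_NONE, PP_RO, PP_RW = 0, 1, 2   # PP = 3 is also read-only

# SPR numbers. Pairs 0-3 are the architectural ones. Pairs 4-7 are the extra
# BATs of the 750CL core (assumption from the 750CL manual: verify against the
# list linked in the post; they also need the secondary-BAT enable bit in HID4).
SPR = {}
for _i in range(4):
    SPR[f"IBAT{_i}U"] = 528 + 2 * _i
    SPR[f"IBAT{_i}L"] = 529 + 2 * _i
    SPR[f"DBAT{_i}U"] = 536 + 2 * _i
    SPR[f"DBAT{_i}L"] = 537 + 2 * _i
for _i in range(4, 8):
    SPR[f"IBAT{_i}U"] = 560 + 2 * (_i - 4)
    SPR[f"IBAT{_i}L"] = 561 + 2 * (_i - 4)
    SPR[f"DBAT{_i}U"] = 568 + 2 * (_i - 4)
    SPR[f"DBAT{_i}L"] = 569 + 2 * (_i - 4)


def bat_pair(ea, pa, size, pp=PP_RW, wimg=0, vs=True, vp=True):
    """Return (upper, lower) mapping effective `ea` -> physical `pa`, `size` bytes."""
    if size < BAT_MIN or size > BAT_MAX or size & (size - 1):
        raise ValueError("block size must be a power of two in [128 KiB, 256 MiB]")
    # the hardware requires both addresses to be naturally aligned to the block size
    if ea % size or pa % size:
        raise ValueError("EA and PA must be aligned to the block size")
    if not 0 <= pp <= 3 or not 0 <= wimg <= 0xF:
        raise ValueError("bad PP/WIMG")
    bl = (size // BAT_MIN) - 1                  # 11-bit mask of ones, e.g. 0x7FF for 256 MiB
    upper = (ea & 0xFFFE0000) | (bl << 2) | (int(vs) << 1) | int(vp)
    lower = (pa & 0xFFFE0000) | (wimg << 3) | pp
    return upper, lower


def bat_decode(upper, lower):
    """Interpret a pair read back from the SPRs (e.g. the HBL DBATs the post lists)."""
    bl = (upper >> 2) & 0x7FF
    size = (bl + 1) * BAT_MIN
    ea = upper & 0xFFFE0000
    return {
        "ea": ea,
        "pa": lower & 0xFFFE0000,
        "size": size,
        "end": ea + size,
        "valid_super": bool(upper & 2),   # Vs: mapping used in supervisor mode
        "valid_user": bool(upper & 1),    # Vp: mapping used in user mode
        "wimg": (lower >> 3) & 0xF,
        "pp": lower & 3,
    }


def bat_covers(upper, lower, addr):
    """True if the pair is valid for some mode and its block contains `addr`."""
    d = bat_decode(upper, lower)
    return (d["valid_super"] or d["valid_user"]) and d["ea"] <= addr < d["end"]


if __name__ == "__main__":
    # assumed block size of 8 MiB for the mapping the post describes
    up, lo = bat_pair(0xE0000000, 0x14000000, 8 * 1024 * 1024)
    print(f"DBAT pair for 0xE0000000 -> 0x14000000: {up:#010x} {lo:#010x}")
    print(bat_decode(up, lo))
```

PP is the part that matters for the problem in this thread: a DBAT with PP = read/write over the code region is what lets kernel-mode code store into it as data. After the stores, the 750 still needs the data cache written back and the instruction cache invalidated for those lines (dcbst or dcbf, sync, icbi, isync) before it fetches the new instructions, otherwise it can keep executing the old ones from cache.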
 

wj44

Well-Known Member
Member
Joined
Jun 18, 2015
Messages
477
Trophies
0
XP
496
Country
Gambia, The
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
 
Last edited by wj44,

rendering

Member
Newcomer
Joined
Feb 13, 2016
Messages
11
Trophies
0
XP
74
Country
United States
I tried kernel_write a long time ago. kernel_write can only write to some parts of the game's code area without problems; there are still some parts of the game's code area where, even if you use kernel_write, it still causes an exception. Using the DBAT/IBAT method would be better.
 
Last edited by rendering,

BullyWiiPlaza

Nintendo Hacking <3
OP
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,446
Country
Germany
So can someone maybe make a TCP Gecko Installer with executable memory write permissions by default if you already know how it could work? The answers seem too tedious and impossible to do for an end user wanting this, too. It would make the application much better for what it's for, game modding ;)
 
Last edited by BullyWiiPlaza,
  • Like
Reactions: KiiWii

BullyWiiPlaza

Nintendo Hacking <3
OP
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,446
Country
Germany
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
import struct

def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))  # big-endian 32-bit address, then value
    self.socket.send(request)
    return
 
Last edited by BullyWiiPlaza,

shinyquagsire23

SALT/Sm4sh Leak Guy
Member
Joined
Nov 18, 2012
Messages
1,970
Trophies
0
Age
25
Location
Las Vegas
XP
3,648
Country
United States
Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?
No, IOS has file permissions which restrict looking at things on the file system. You can FSBindMount certain directories but you need to have proper permissions to actually access anything.
 

wj44

Well-Known Member
Member
Joined
Jun 18, 2015
Messages
477
Trophies
0
XP
496
Country
Gambia, The
The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
import struct

def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))  # big-endian 32-bit address, then value
    self.socket.send(request)
    return
Never checked if it can write to that region. But you can write to the .text region of a game:
Code:
tcp = TCPGecko(ip_address)
data_start = tcp.readkern(0xFFEAB7A0 + 0x20)
tcp.writekern(data_start, 1)
print("Done.")
 
  • Like
Reactions: BullyWiiPlaza
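An added example in Python, not code from pyGecko or from anyone in the thread: it reads the start/length pair at 0xFFEAB7A0 + 0x20 the way the posts above do, refuses a patch that falls outside that range, and splits a patch into the big-endian 4-byte words writekern takes, reading the neighbouring bytes first when the patch is not word aligned so they are not clobbered. The readkern opcode 0x0C (pyGecko's value, verify it against your tcpgecko build), the class names and the in-memory FakeConsole, constructed here so the code runs offline, are assumptions and not from the page.

```python
import struct

CMD_WRITEKERN = b"\x0B"          # from the writekern() shown in the thread
CMD_READKERN = b"\x0C"           # assumed: pyGecko's cmd_readkern opcode
CODE_INFO = 0xFFEAB7A0 + 0x20    # kernel structure the thread reads: +0 = start, +4 = length


class KernelPatcher:
    """Patch bytes into the game's .text through TCP Gecko's kernel read/write commands.

    `sock` only needs send()/recv(): a socket.socket connected to the console works,
    and so does the FakeConsole below for offline tests.
    """

    def __init__(self, sock):
        self.sock = sock

    def readkern(self, address):
        self.sock.send(CMD_READKERN + struct.pack(">I", address))
        return struct.unpack(">I", self._recv_exact(4))[0]

    def writekern(self, address, value):
        # one big-endian 32-bit word per command, as in the thread's writekern()
        self.sock.send(CMD_WRITEKERN + struct.pack(">II", address, value & 0xFFFFFFFF))

    def _recv_exact(self, n):
        buf = b""
        while len(buf) < n:
            chunk = self.sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("console closed the connection")
            buf += chunk
        return buf

    def text_range(self):
        """(start, end) of the game's code region, end exclusive."""
        start = self.readkern(CODE_INFO)
        length = self.readkern(CODE_INFO + 4)
        return start, start + length

    def patch(self, address, data):
        """Write `data` at `address`; returns the number of writekern commands issued."""
        if not data:
            return 0
        lo, hi = self.text_range()
        if address < lo or address + len(data) > hi:
            raise ValueError(f"patch {address:#x}+{len(data)} outside .text {lo:#x}-{hi:#x}")
        first = address & ~3                         # first word touched
        last = (address + len(data) + 3) & ~3        # one past the last word touched
        buf = bytearray(last - first)
        off = address - first
        if off:                                      # partial leading word: keep the bytes before
            buf[0:4] = struct.pack(">I", self.readkern(first))
        if (address + len(data)) & 3:                # partial trailing word: keep the bytes after
            buf[-4:] = struct.pack(">I", self.readkern(last - 4))
        buf[off:off + len(data)] = data
        for i, word_addr in enumerate(range(first, last, 4)):
            self.writekern(word_addr, struct.unpack(">I", buf[i * 4:i * 4 + 4])[0])
        return (last - first) // 4


class FakeConsole:
    """Constructed stand-in for the console end of the protocol (offline testing only)."""

    def __init__(self, text_start, text_len, memory=None):
        self.mem = dict(memory or {})                # word address -> 32-bit value
        self.mem[CODE_INFO] = text_start
        self.mem[CODE_INFO + 4] = text_len
        self.inbuf = b""
        self.outbuf = b""

    def send(self, data):
        self.inbuf += data
        while self.inbuf:                            # commands may arrive split across sends
            cmd = self.inbuf[:1]
            if cmd == CMD_READKERN and len(self.inbuf) >= 5:
                (addr,) = struct.unpack(">I", self.inbuf[1:5])
                self.outbuf += struct.pack(">I", self.mem.get(addr, 0))
                self.inbuf = self.inbuf[5:]
            elif cmd == CMD_WRITEKERN and len(self.inbuf) >= 9:
                addr, value = struct.unpack(">II", self.inbuf[1:9])
                self.mem[addr] = value
                self.inbuf = self.inbuf[9:]
            else:
                break                                # wait for the rest of the command
        return len(data)

    def recv(self, n):
        out, self.outbuf = self.outbuf[:n], self.outbuf[n:]
        return out


if __name__ == "__main__":
    # constructed sample: .text at 0x02000000, 4 KiB long, two known words inside it
    console = FakeConsole(0x02000000, 0x1000, {0x02000010: 0xAABBCCDD, 0x02000014: 0x11223344})
    patcher = KernelPatcher(console)
    n = patcher.patch(0x02000011, b"\x60\x00\x00\x00\x4E")   # 5 bytes, unaligned start and end
    print(n, f"{console.mem[0x02000010]:#010x}", f"{console.mem[0x02000014]:#010x}")
```

The range check only stops you from aiming outside the region the kernel structure describes; it does nothing about the exception rendering reports for some parts of .text, which is a mapping problem on the console side and the reason the DBAT/IBAT approach comes up in this thread.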
