Overwriting Wii U title specific executable code?

Discussion in 'Wii U - Hacking & Backup Loaders' started by BullyWiiPlaza, Aug 25, 2016.

  1. BullyWiiPlaza
    OP


  2. QuarkTheAwesome
    I don't see why not. Basically, you'd want (in kernel mode) to write to some BAT registers to map the memory to wherever you'd like. There are separate mappings for data and instructions (DBATs and IBATs respectively) so you'll have to keep that in mind; you'd want to set up a DBAT so you can write to the code area as if it were data. You can find the documentation for this here (7-25 [actual page 290] for the format of the BAT registers, 7-20 [actual 285] for the chapter on BATs) and I wrote a bit of an example here (remember, # = comment, GitHub doesn't like that for some reason) which maps 0x14000000 to 0xE0000000 for instructions (making 0xE0000000 executable, basically). I inject that into a syscall and away it goes. I also noted down the DBATs used by HBL here so you can get an idea which ones are in use and which ones aren't.

    Worth noting that there's only meant to be 5 BATs so if you want to use the others you need to use their SPR numbers (listed here).
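    The BAT setup QuarkTheAwesome describes above, as an added example (not code from this thread or from his linked repository): it encodes a PowerPC 750 BAT pair using the register layout from the manual section he points to, enforces the alignment rule the format imposes, and shows why the IBAT alone does not make the range writable. The 0x14000000 to 0xE0000000 bases come from his post; the 32 MiB block size is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* PowerPC 750 BAT layout (manual bit numbering, bit 0 = MSB):
 *   BATU: BEPI[0:14] | reserved | BL[19:29] | Vs[30] | Vp[31]
 *   BATL: BRPN[0:14] | reserved | WIMG[25:28] | reserved | PP[30:31]
 * Only the standard 128 KiB .. 256 MiB block sizes are handled. */
enum { BAT_PP_NONE = 0, BAT_PP_RO = 1, BAT_PP_RW = 2 };
enum { BAT_W = 8, BAT_I = 4, BAT_M = 2, BAT_G = 1 }; /* WIMG bits */
typedef struct { uint32_t batu, batl; } bat_pair_t;

/* Encode one BAT pair. Fails for an unsupported size or for bases not aligned
 * to the block size: BL is a mask over EA[0:14], so an unaligned base would
 * silently map a different range than intended. */
bool bat_encode(uint32_t ea_base, uint32_t pa_base, uint32_t size,
                unsigned wimg, unsigned pp, bool vs, bool vp, bat_pair_t *out)
{
    if (size < (128u << 10) || size > (256u << 20) || (size & (size - 1u)))
        return false;
    if ((ea_base & (size - 1u)) || (pa_base & (size - 1u)))
        return false;
    uint32_t bl = (size >> 17) - 1u;  /* 128 KiB -> 0x000, 256 MiB -> 0x7FF */
    out->batu = (ea_base & 0xFFFE0000u) | (bl << 2) | (vs ? 2u : 0u) | (vp ? 1u : 0u);
    out->batl = (pa_base & 0xFFFE0000u) | ((wimg & 0xFu) << 3) | (pp & 3u);
    return true;
}
/* Decode the block size and test whether a supervisor-valid BAT covers ea. */
uint32_t bat_block_size(uint32_t batu) { return (((batu >> 2) & 0x7FFu) + 1u) << 17; }
bool bat_covers(uint32_t batu, uint32_t ea)
{
    uint32_t mask = ~(bat_block_size(batu) - 1u);
    return (batu & 2u) && ((ea & mask) == (batu & mask));
}

int main(void)
{
    bat_pair_t ibat, dbat;
    /* Mapping from the post: physical 0x14000000 seen at 0xE0000000. The
     * 32 MiB size is a constructed value; the thread does not give one. */
    bat_encode(0xE0000000u, 0x14000000u, 32u << 20, 0, BAT_PP_RO, true, true, &ibat);
    /* An IBAT only serves instruction fetches. Stores through 0xE0000000 go
     * via a DBAT over the same physical block with PP = read/write; after a
     * store, flush it (dcbst; sync) and drop stale icache lines (icbi; isync). */
    bat_encode(0xE0000000u, 0x14000000u, 32u << 20, 0, BAT_PP_RW, true, true, &dbat);
    printf("IBAT: U=%08X L=%08X\n", ibat.batu, ibat.batl);
    printf("DBAT: U=%08X L=%08X covers 0xE1000000: %d\n",
           dbat.batu, dbat.batl, bat_covers(dbat.batu, 0xE1000000u));
    return 0;
}
```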
     
  3. wj44
    kernel_write allows writing in this MEM region.
    Code:
    data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
    data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
     
  4. BullyWiiPlaza
    OP
    But kernel read/write always freezes me in Python and Java alike so it can't be my client implementation...
     
  5. wj44
    Entering a false address will cause a freeze.
     
  6. BullyWiiPlaza
    OP
    Normal addresses freeze too, all addresses freeze with those functions
     
  7. wj44
    I don't understand, I tested with PyGecko and it was working fine.
     
  8. Maschell
  9. wj44
  10. Maschell
    You need to set up the syscall first, of course
     
  11. wj44
    Of course, I tested it in Loadiine GX2
     
  12. wj44
    Did you use the TCP Gecko Installer elf? In the past it was only working in the internet browser.
     
  13. BullyWiiPlaza
    OP
    Website version due to the "old" address layout which I still need to work with my existing stuff
     
  14. wj44
    That's probably the reason. You have to build the latest pyGecko Installer or use the hbl version.
     
  15. rendering
    I tried kernel_write a long time ago. kernel_write can only write to some parts of the game's code area without problems; there are still some parts of the game's code area where, even if you use kernel_write, it still causes an exception. Using the DBAT/IBAT method would be better.
     
  16. BullyWiiPlaza
    OP
    So can someone maybe make a TCP Gecko Installer with executable memory write permissions by default if you already know how it could work? The answers seem too tedious and impossible to do for an end user wanting this, too. It would make the application much better for what it's for, game modding ;)
     
  17. KiiWii
    Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?
     
  18. BullyWiiPlaza
    OP
    The following only overwrites an address (with an initial value of 00000000), so it's not valid executable code, yet it crashes immediately:
    Code:
    tcp = TCPGecko(ip_address)
    tcp.writekern(0x01100000, 1)
    print("Done.")
    Code:
    def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
        # if not self.validrange(address, 4): raise BaseException("Address range not valid")
        # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
        self.socket.send(b"\x0B")  # cmd_writekern
        print(value)
        request = struct.pack(">II", int(address), int(value))
        self.socket.send(request)
        return
     
  19. shinyquagsire23
    No, IOS has file permissions which restrict looking at things on the file system. You can FSBindMount certain directories but you need to have proper permissions to actually access anything.
     
  20. wj44
    Never checked if it can write to that region. But you can write to the .text region of a game:
    Code:
    tcp = TCPGecko(ip_address)
    data_start = tcp.readkern(0xFFEAB7A0 + 0x20)
    tcp.writekern(data_start, 1)
    print("Done.")
     