Hacking: Overwriting Wii U title specific executable code?

BullyWiiPlaza (OP)

Member (website: heyquark.com)
I don't see why not. Basically, you'd want (in kernel mode) to write to some BAT registers to map the memory to wherever you'd like. There's separate mappings for data and instructions (DBATs and IBATs respectively) so you'll have to keep that in mind; you'd want to set up a DBAT so you can write to the code area as if it were data. You can find the documentation for this here (7-25 [actual page 290] for the format of the BAT registers, 7-20 [actual 285] for the chapter on BATs) and I wrote a bit of an example here (remember, # = comment, GitHub doesn't like that for some reason) which maps 0x14000000 to 0xE0000000 for instructions (making 0xE0000000 executable, basically). I inject that into a syscall and away it goes. I also noted down the DBATs used by HBL here so you can get an idea which ones are in use and which ones aren't.

Worth noting that there's only meant to be 5 BATs so if you want to use the others you need to use their SPR numbers (listed here).
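To make the BAT mechanics in the two posts above concrete, here is an added example (my code, not the poster's GitHub snippet and not from any Wii U homebrew project) that encodes and decodes a 32-bit PowerPC BAT register pair, resolves which block, if any, translates a given effective address, and maps BAT names to SPR numbers. It assumes the PowerPC 750-family BAT layout (BEPI/BL/Vs/Vp in the upper register, BRPN/WIMG/PP in the lower one), the 750CL SPR numbering for BATs 4 through 7, and a 64 MiB block for the 0xE0000000 -> 0x14000000 mapping, since the post does not state a block size; the alignment check shows why a 256 MiB block cannot start at 0x14000000.

```python
# Added example (not code from this thread or any Wii U project).
# Assumed register layout, PowerPC 750 family:
#   BATU = BEPI[0:14] | reserved | BL[19:29] | Vs[30] | Vp[31]
#   BATL = BRPN[0:14] | reserved | W I M G[25:28] | reserved | PP[30:31]
# Block sizes are powers of two from 128 KiB to 256 MiB, and both the effective
# and the physical address must be aligned to the block size, otherwise the
# hardware silently maps something other than what was intended.

KIB = 1024
MIB = 1024 * KIB

PP_NO_ACCESS, PP_READ_ONLY, PP_READ_WRITE = 0b00, 0b01, 0b10  # PP=0b11 is read-only too


def block_length_mask(size: int) -> int:
    """11-bit BL field for a block of `size` bytes (128 KiB -> 0x000 ... 256 MiB -> 0x7FF)."""
    if size < 128 * KIB or size > 256 * MIB or size & (size - 1):
        raise ValueError(f"block size must be a power of two in [128 KiB, 256 MiB], got {size:#x}")
    return (size // (128 * KIB)) - 1


def encode_bat(effective: int, physical: int, size: int, pp: int,
               vs: bool = True, vp: bool = False, wimg: int = 0) -> tuple[int, int]:
    """Return (BATU, BATL) mapping `effective` -> `physical` for `size` bytes."""
    bl = block_length_mask(size)
    for name, addr in (("effective", effective), ("physical", physical)):
        if addr & (size - 1):
            raise ValueError(f"{name} address {addr:#010x} is not aligned to {size:#x}")
    batu = (effective & 0xFFFE0000) | (bl << 2) | (int(vs) << 1) | int(vp)
    batl = (physical & 0xFFFE0000) | ((wimg & 0xF) << 3) | (pp & 0b11)
    return batu, batl


def decode_bat(batu: int, batl: int) -> dict:
    """Split a BAT pair back into its fields."""
    bl = (batu >> 2) & 0x7FF
    return {
        "effective": batu & 0xFFFE0000,
        "physical": batl & 0xFFFE0000,
        "size": (bl + 1) * 128 * KIB,
        "vs": bool(batu & 0b10),
        "vp": bool(batu & 0b01),
        "wimg": (batl >> 3) & 0xF,
        "pp": batl & 0b11,
    }


def translate(ea: int, bats: list[tuple[int, int]], supervisor: bool = True):
    """Return (physical_address, pp) for the first valid BAT covering `ea`, else None.

    A data access whose address matches no DBAT gets no block translation at all,
    which is why a code region has to be mapped through a DBAT before it can be
    written as data.
    """
    ea_hi = ea >> 17
    for batu, batl in bats:
        if not batu & (0b10 if supervisor else 0b01):   # Vs / Vp valid bits
            continue
        bl = (batu >> 2) & 0x7FF
        fixed = 0x7FFF & ~bl                              # page-number bits that must match BEPI
        if (ea_hi ^ (batu >> 17)) & fixed:
            continue
        pa_hi = ((batl >> 17) & fixed) | (ea_hi & bl)     # BRPN high bits + EA offset bits
        return (pa_hi << 17) | (ea & 0x1FFFF), batl & 0b11
    return None


def bat_spr(kind: str, index: int, upper: bool) -> int:
    """SPR number of IBATnU/IBATnL or DBATnU/DBATnL (assumed 750CL numbering for 4..7)."""
    if kind not in ("IBAT", "DBAT") or not 0 <= index <= 7:
        raise ValueError("kind must be IBAT or DBAT and index 0..7")
    base = {("IBAT", False): 528, ("DBAT", False): 536,
            ("IBAT", True): 560, ("DBAT", True): 568}[(kind, index >= 4)]
    return base + 2 * (index % 4) + (0 if upper else 1)


if __name__ == "__main__":
    # 64 MiB is an assumed block size; the thread does not state one.
    batu, batl = encode_bat(0xE0000000, 0x14000000, 64 * MIB, PP_READ_WRITE, vs=True, vp=True)
    print(f"DBAT pair: {batu:#010x} {batl:#010x} -> {decode_bat(batu, batl)}")
    print("0xE0123456 translates to", translate(0xE0123456, [(batu, batl)]))
    print("0x01100000 translates to", translate(0x01100000, [(batu, batl)]))
    print("DBAT4U is SPR", bat_spr("DBAT", 4, True))
```

The `fixed` mask is the complement of BL within the 15-bit page number: those bits of the effective address must equal BEPI for the block to hit, while the bits under BL pass straight through from the effective address to the physical one. Running `translate` over the DBAT list noted in the post is a quick way to see which code addresses would still have no data mapping.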
 

wj44
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
 

rendering

I tried kernel_write a long time ago; kernel_write can only write to some parts of the game's code area without problems. There are still some parts of the game's code area where, even if you use kernel_write, it still causes an exception, so using the DBAT/IBAT method would be better.
 

BullyWiiPlaza (OP)

So could someone maybe make a TCP Gecko installer with executable memory write permissions by default, if you already know how it could work? The answers seem too tedious and impossible to do for an end user wanting this, too. It would make the application much better for what it's for, game modding ;)
 

BullyWiiPlaza (OP)

kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
The following only overwrites an address (with an initial value of 00000000), so it's not valid executable code, yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
import struct  # needed for struct.pack below

def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # Range and permission checks are disabled in this version:
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern: one command byte, then address and value
    print(value)  # debug output
    request = struct.pack(">II", int(address), int(value))  # big-endian 32-bit address and value
    self.socket.send(request)
    return
 

shinyquagsire23

Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?
No, IOS has file permissions which restrict looking at things on the file system. You can FSBindMount certain directories but you need to have proper permissions to actually access anything.
 

wj44
The following only overwrites an address (with an initial value of 00000000) so it's not valid executable code yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
import struct  # needed for struct.pack below

def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # Range and permission checks are disabled in this version:
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern: one command byte, then address and value
    print(value)  # debug output
    request = struct.pack(">II", int(address), int(value))  # big-endian 32-bit address and value
    self.socket.send(request)
    return
Never checked if it can write to that region. But you can write to the .text region of a game:
Code:
tcp = TCPGecko(ip_address)
data_start = tcp.readkern(0xFFEAB7A0 + 0x20)
tcp.writekern(data_start, 1)
print("Done.")
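The writekern() exchange quoted in this thread ships the command byte 0x0B followed by a big-endian address and value, with the client's validrange/validaccess checks commented out, which is exactly the situation where a write to an address outside the readable (data_start, data_len) window crashes the console. The following added example (my code, not TCPGecko's or the posters') frames that packet, parses it the way the receiving side would, and puts a region check back in front of the send. The region table, the RecordingSocket, and the 0x10000000 / 16 MiB values are constructed stand-ins; on a real console the window would come from the kernel_read(0xFFEAB7A0 + 0x20) and kernel_read(0xFFEAB7A0 + 4 + 0x20) calls shown above.

```python
# Added example (not code from this thread or from TCPGecko).
import struct

CMD_WRITEKERN = 0x0B   # command byte used by the quoted writekern()
WRITE_SIZE = 4         # writekern moves exactly one 32-bit word


def build_writekern(address: int, value: int) -> bytes:
    """One 9-byte frame: command byte, then big-endian address and value."""
    if not (0 <= address <= 0xFFFFFFFF and 0 <= value <= 0xFFFFFFFF):
        raise ValueError("address and value must fit in 32 bits")
    return bytes([CMD_WRITEKERN]) + struct.pack(">II", address, value)


def parse_writekern(packet: bytes) -> tuple[int, int]:
    """Receiving side: accept only a well-formed writekern frame."""
    if len(packet) != 1 + 8 or packet[0] != CMD_WRITEKERN:
        raise ValueError("not a writekern packet")
    return struct.unpack(">II", packet[1:])


def in_writable_region(address: int, size: int, regions) -> bool:
    """True when [address, address+size) lies entirely inside one allowed region."""
    if address % 4:                      # the kernel write is a 32-bit access; keep it aligned
        return False
    return any(start <= address and address + size <= start + length
               for start, length in regions)


class GuardedWriter:
    """Wraps anything with send(bytes) and refuses writes outside `regions`.

    This restores the check that the quoted client has commented out, so a bad
    address is rejected locally instead of taking the console down.
    """

    def __init__(self, sock, regions):
        self.sock = sock
        self.regions = list(regions)

    def writekern(self, address: int, value: int) -> bool:
        if not in_writable_region(address, WRITE_SIZE, self.regions):
            return False
        self.sock.send(build_writekern(address, value))
        return True


class RecordingSocket:
    """Constructed stand-in for the real socket: collects what would be sent."""

    def __init__(self):
        self.sent = bytearray()

    def send(self, data: bytes) -> int:
        self.sent += data
        return len(data)


def demo():
    # Constructed region table: pretend the title's data segment starts at
    # 0x10000000 and is 16 MiB long (on hardware, use the data_start/data_len
    # values read from 0xFFEAB7A0 + 0x20 and 0xFFEAB7A0 + 4 + 0x20 as in the thread).
    regions = [(0x10000000, 0x01000000)]
    sock = RecordingSocket()
    writer = GuardedWriter(sock, regions)
    ok_inside = writer.writekern(0x10000000, 1)
    ok_outside = writer.writekern(0x01100000, 1)   # the address that crashed in the thread
    return ok_inside, ok_outside, bytes(sock.sent)


if __name__ == "__main__":
    inside, outside, wire = demo()
    print("inside window accepted:", inside, "| outside window accepted:", outside)
    print("bytes on the wire:", wire.hex(), "->", parse_writekern(wire))
```

The frame is sent in one piece here, whereas the quoted client sends the command byte and the payload in two calls; the bytes on the wire are the same. The alignment test matters because the kernel helper performs a single 32-bit store, so an unaligned address is another way to get an exception rather than a write.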
 