Hacking Overwriting Wii U title specific executable code?

BullyWiiPlaza · Sep 12, 2016

With the newest TCP Gecko installer write_kern actually seems to be working. However, not in all ranges. Around 0x0D550000 works fine but if I go up in the executable data section to e.g. 0x0DA50000 and poke something to its same value (!) it still crashes. It seems like the mapping is incomplete. Ideas?

Code:

// Make sure everything has kern I/O
kern_write((void*)KERN_SYSCALL_TBL_1 + (0x34 * 4), KERN_CODE_READ);
kern_write((void*)KERN_SYSCALL_TBL_2 + (0x34 * 4), KERN_CODE_READ);
kern_write((void*)KERN_SYSCALL_TBL_3 + (0x34 * 4), KERN_CODE_READ);
kern_write((void*)KERN_SYSCALL_TBL_4 + (0x34 * 4), KERN_CODE_READ);
kern_write((void*)KERN_SYSCALL_TBL_5 + (0x34 * 4), KERN_CODE_READ);

kern_write((void*)KERN_SYSCALL_TBL_1 + (0x35 * 4), KERN_CODE_WRITE);
kern_write((void*)KERN_SYSCALL_TBL_2 + (0x35 * 4), KERN_CODE_WRITE);
kern_write((void*)KERN_SYSCALL_TBL_3 + (0x35 * 4), KERN_CODE_WRITE);
kern_write((void*)KERN_SYSCALL_TBL_4 + (0x35 * 4), KERN_CODE_WRITE);
kern_write((void*)KERN_SYSCALL_TBL_5 + (0x35 * 4), KERN_CODE_WRITE);

rendering · Sep 23, 2016

If you don't mind using old things, you can try the below one, it was made several months ago, base on old pygecko source (web installer) and old kernel (for 532), but after running this tcpgeckoinstaller you can use write_kern write data in game's code area(0x0xxxxxxx-0x10000000)even if 0x0DA50000

tcpgeckoinstaller link
https://www.sendspace.com/file/kfkaup

tcpgeckoclient link
https://www.sendspace.com/file/t0aher

BullyWiiPlaza · Sep 23, 2016

rendering said:
If you don't mind using old things, you can try the below one, it was made several months ago, base on old pygecko source (web installer) and old kernel (for 532), but after running this tcpgeckoinstaller you can use write_kern write data in game's code area(0x0xxxxxxx-0x10000000)even if 0x0DA50000

tcpgeckoinstaller link
https://www.sendspace.com/file/kfkaup

tcpgeckoclient link
https://www.sendspace.com/file/t0aher

Thanks, I'll try it out. Do you happen to have the source code or know what made the increased write_kern range happen?

EDIT:
Does not work, still crashes

rendering · Sep 23, 2016

really?I forgot to say it is for the old kernel exploit (the normal one), for disc /HDD game, if possible , can you try
the tcpgeckoclient above (memory viewer)to poke value to 0x0da50000 instead of using kernel_write

BullyWiiPlaza · Sep 23, 2016

rendering said:
really?I forgot to say it is for the old kernel exploit (the normal one), for disc /HDD game, if possible , can you try
the tcpgeckoclient above (memory viewer)to poke value to 0x0da50000 instead of using kernel_write

Why don't you try it before you post and then explain? That would be more useful

rendering · Sep 23, 2016

I have tried it, but mostly test with the tcpgeckoclient,totally forgot some important things with writekern
very sorry, the most important part is:
if 0xAAAAAAAA is in (0x01000000--0x01800000)area or in (0x0D800000--0x10000000)
and if you use writekern
before using tcp.writekern(0xAAAAAAAA,0xYYYYYYYY)

do this first
tcp.readmem(0xAAAAAAAA,4)

then tcp.writekern(0xAAAAAAAA,0xYYYYYYYY)will not crash with this tcpgeckoinstaller,

if 0xAAAAAAAA is not in that area, no need to do this

also, you can
just use tcp.pokemem(0xAAAAAAAA,0xYYYYYYYY) with this tcpgeckoinstaller,, no need to do anything more

BullyWiiPlaza · Sep 23, 2016

rendering said:
I have tried it, but mostly test with the tcpgeckoclient,totally forgot some important things with writekern
very sorry, the most important part is:
if 0xAAAAAAAA is in (0x01000000--0x01800000)area or in (0x0D800000--0x10000000)
and if you use writekern
before using tcp.writekern(0xAAAAAAAA,0xYYYYYYYY)

do this first
tcp.readmem(0xAAAAAAAA,4)

then tcp.writekern(0xAAAAAAAA,0xYYYYYYYY)will not crash,

but no need to do this,
just use tcp.pokemem(0xAAAAAAAA,0xYYYYYYYY) with this tcpgeckoinstaller

I need to write to anything in the 01000000 - 10000000 range since that contains the executable code I want to patch...

NWPlayer123 · Sep 23, 2016

Yeah, you'll need to install read/write to all the tables in order to use it in any application, with just the one it only works in system titles e.g. browser and mii maker. You can steal Cafiine's Title ID address it uses to find a specific title to patch

BullyWiiPlaza · Sep 23, 2016

NWPlayer123 said:
Yeah, you'll need to install read/write to all the tables in order to use it in any application, with just the one it only works in system titles e.g. browser and mii maker. You can steal Cafiine's Title ID address it uses to find a specific title to patch

Ah, thanks. Which piece of code does it though?
https://github.com/NWPlayer123/Cafiine-5.5.X/

NWPlayer123 · Sep 23, 2016

BullyWiiPlaza said:
Ah, thanks. Which piece of code does it though?
https://github.com/NWPlayer123/Cafiine-5.5.X/

https://github.com/NWPlayer123/Cafiine-5.5.X/blob/master/client/cafiine550.ld#L57 u64

rendering · Sep 23, 2016

BullyWiiPlaza said:
I need to write to anything in the 01000000 - 10000000 range since that contains the executable code I want to patch...

this one work for games in all the executable code area you want to patch, it works in 0x01000000-0x01800000 and the 0xXXXXXXXX(different between games)-0x10000000

BullyWiiPlaza · Sep 23, 2016

NWPlayer123 said:
https://github.com/NWPlayer123/Cafiine-5.5.X/blob/master/client/cafiine550.ld#L57 u64

Yep, that can also be retrieved with a function call from coreinit.rpl but what after?

NWPlayer123 · Sep 23, 2016

BullyWiiPlaza said:
Yep, that can also be retrieved with a function call from coreinit.rpl but what after?

Just match it with the title you wanna patch =P simple magic
if (TitleID = 0x000500001010CF00) {dothing;} //BO2

rendering · Sep 23, 2016

please delete this post

BullyWiiPlaza · Sep 23, 2016

NWPlayer123 said:
Just match it with the title you wanna patch =P simple magic
if (TitleID = 0x000500001010CF00) {dothing;} //BO2

Sure but what's the patch to enable arbitrary kern read/write for the specific title? It would be nice to have a generic solution like for all titles

NWPlayer123 · Sep 23, 2016

BullyWiiPlaza said:
Sure but what's the patch to enable arbitrary kern read/write for the specific title? It would be nice to have a generic solution like for all titles

This is what I was talking about, just install it to all the syscall tables, it doesn't exist normally so no games should be calling it so you can whenever you need to
http://gbatemp.net/threads/overwrit...ic-executable-code.439262/page-2#post-6673093

Deleted User · Sep 23, 2016

Hmm...so what can we do with this?

BullyWiiPlaza · Sep 23, 2016

NWPlayer123 said:
This is what I was talking about, just install it to all the syscall tables, it doesn't exist normally so no games should be calling it so you can whenever you need to
http://gbatemp.net/threads/overwrit...ic-executable-code.439262/page-2#post-6673093

Okay but how would you do that? I don't know how exactly the tables work

wj44 · Sep 25, 2016

Turns out that KernelcopyData is actually working. I Just had to do it the same way as the codehandler.
The attached version should let you poke in any valid memory range.

BullyWiiPlaza · Sep 25, 2016

wj44 said:
Turns out that KernelcopyData is actually working. I Just had to do it the same way as the codehandler.
The attached version should let you poke in any valid memory range.

I also need the source (for the website version) please

Hacking Overwriting Wii U title specific executable code?

Nintendo Hacking <3

Member

Nintendo Hacking <3

Member

Nintendo Hacking <3

Member

Nintendo Hacking <3

Well-Known Member

Nintendo Hacking <3

Well-Known Member

Member

Nintendo Hacking <3

Well-Known Member

Member

Nintendo Hacking <3

Well-Known Member

Deleted User

Guest

Nintendo Hacking <3

Well-Known Member

Attachments

Nintendo Hacking <3

Similar threads

Popular threads in this forum