Hacking: Overwriting Wii U title-specific executable code?

BullyWiiPlaza (OP) | Nintendo Hacking <3 | Member, joined Aug 2, 2014, Germany
Member, joined Apr 19, 2015, Australia | Location: Stuck in the PowerPC | Website: heyquark.com
I don't see why not. Basically, you'd want (in kernel mode) to write to some BAT registers to map the memory to wherever you'd like. There are separate mappings for data and instructions (DBATs and IBATs respectively), so you'll have to keep that in mind; you'd want to set up a DBAT so you can write to the code area as if it were data. You can find the documentation for this here (7-25 [actual page 290] for the format of the BAT registers, 7-20 [actual page 285] for the chapter on BATs), and I wrote a bit of an example here (remember, # = comment; GitHub doesn't like that for some reason) which maps 0x14000000 to 0xE0000000 for instructions (making 0xE0000000 executable, basically). I inject that into a syscall and away it goes. I also noted down the DBATs used by HBL here so you can get an idea which ones are in use and which ones aren't.

Worth noting that there are only meant to be 5 BATs, so if you want to use the others you need to use their SPR numbers (listed here).
 
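The BAT mechanics described in the post above (BEPI/BL/Vs/Vp in the upper register, BRPN/WIMG/PP in the lower, SPR numbers for the extra BATs beyond the architected four, and the fact that the register values end up in injected kernel code), worked through as an added Python example. This is not code from the post, from HBL or from the linked repository: the 64 MiB block size, the choice of IBAT4, register r3 and the 0xE0000000 -> 0x14000000 addresses used in the demo are assumptions for illustration, and the encoder only produces the values and instruction words; writing them into the SPRs still has to happen in kernel mode on the console.

```python
"""PowerPC 32-bit BAT (block address translation) register helpers.

Upper BAT: BEPI = EA bits 0-14 | BL = bits 19-29 | Vs = bit 30 | Vp = bit 31
Lower BAT: BRPN = PA bits 0-14 | WIMG = bits 25-28 | PP = bits 30-31
(IBM bit numbering, bit 0 = MSB, as in the BAT chapter of the 750 manual.)
"""

BAT_VS = 0x2                      # valid for supervisor (kernel) accesses
BAT_VP = 0x1                      # valid for user-mode accesses
PP_NONE, PP_RO, PP_RW = 0, 1, 2   # PP = 3 is also read-only
MIN_BLOCK = 128 * 1024
MAX_BLOCK = 256 * 1024 * 1024
MASK32 = 0xFFFFFFFF


def bat_encode(ea, pa, size, valid=BAT_VS | BAT_VP, wimg=0, pp=PP_RW):
    """Upper/lower register values mapping `size` bytes at effective `ea` onto physical `pa`."""
    if size < MIN_BLOCK or size > MAX_BLOCK or size & (size - 1):
        raise ValueError("block size must be a power of two from 128 KiB to 256 MiB")
    if ea & (size - 1) or pa & (size - 1):
        raise ValueError("EA and PA must be aligned to the block size")
    if valid & ~(BAT_VS | BAT_VP) or wimg & ~0xF or pp & ~0x3:
        raise ValueError("bad valid/WIMG/PP field")
    bl = (size >> 17) - 1                       # 11-bit mask: 0 = 128 KiB ... 0x7FF = 256 MiB
    upper = (ea & 0xFFFE0000) | (bl << 2) | valid
    lower = (pa & 0xFFFE0000) | (wimg << 3) | pp
    return upper, lower


def _block_mask(upper):
    """Address bits that must match BEPI for this BAT to hit (BL masks off the low ones)."""
    bl = (upper >> 2) & 0x7FF
    return 0xFFFE0000 & ~(bl << 17) & MASK32


def bat_covers(upper, ea, supervisor=True):
    """True if a BAT with this upper half would translate `ea` in the given privilege mode."""
    if not upper & (BAT_VS if supervisor else BAT_VP):
        return False
    mask = _block_mask(upper)
    return (ea & mask) == (upper & mask)


def bat_translate(upper, lower, ea, supervisor=True):
    """Physical address for `ea`, or None if this BAT does not cover it."""
    if not bat_covers(upper, ea, supervisor):
        return None
    mask = _block_mask(upper)
    return (lower & mask) | (ea & ~mask & MASK32)


def bat_spr(data, n, upper):
    """SPR number of DBATnU/L (data=True) or IBATnU/L. BAT0-3 are the architected
    528-543; the extra BAT4-7 pairs are reached only by number, 560-575."""
    if not 0 <= n <= 7:
        raise ValueError("BAT index must be 0-7")
    base = (536 if data else 528) if n < 4 else (568 if data else 560)
    return base + (n & 3) * 2 + (0 if upper else 1)


def mtspr(spr, rs):
    """Encode `mtspr spr, rS`: XFX form, the 10-bit SPR number's two 5-bit halves swapped."""
    return 0x7C0003A6 | (rs << 21) | ((spr & 0x1F) << 16) | (((spr >> 5) & 0x1F) << 11)


def load_imm32(rs, value):
    """`lis rS, hi; ori rS, rS, lo` to materialise a 32-bit constant in rS."""
    hi, lo = (value >> 16) & 0xFFFF, value & 0xFFFF
    return [0x3C000000 | (rs << 21) | hi, 0x60000000 | (rs << 21) | (rs << 16) | lo]


def bat_program_sequence(data, n, upper, lower, rs=3):
    """Instruction words that install one BAT pair. The upper half is cleared first so the
    BAT is never valid while only half of it has been written; isync closes it out."""
    words = load_imm32(rs, 0) + [mtspr(bat_spr(data, n, True), rs)]
    words += load_imm32(rs, lower) + [mtspr(bat_spr(data, n, False), rs)]
    words += load_imm32(rs, upper) + [mtspr(bat_spr(data, n, True), rs)]
    words.append(0x4C00012C)                    # isync
    return words


if __name__ == "__main__":
    # Assumed sizing: a 64 MiB block, so both 0xE0000000 and 0x14000000 are aligned
    # (0x14000000 is not 256 MiB aligned, so a full-size mapping is rejected).
    up, lo = bat_encode(0xE0000000, 0x14000000, 64 * 1024 * 1024)
    print(f"IBAT4U={up:08X} IBAT4L={lo:08X}")
    print(f"0xE1234560 -> {bat_translate(up, lo, 0xE1234560):08X}")
    print(" ".join(f"{w:08X}" for w in bat_program_sequence(False, 4, up, lo)))
```

`bat_covers` is the check to run over the DBAT values you dump from a running system before picking a BAT to reuse: a new mapping that overlaps an existing valid one is undefined, so pick an index whose upper half has both valid bits clear or whose range does not intersect yours.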

wj44 | Well-Known Member, joined Jun 18, 2015, The Gambia
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
 

rendering | Newcomer, joined Feb 13, 2016, United States
I tried kernel_write a long time ago. kernel_write can only write to some parts of a game's code area without problems; there are still some parts of the game's code area where, even if you use kernel_write, it still causes an exception. Using the DBAT/IBAT method would be better.
 

BullyWiiPlaza (OP) | Nintendo Hacking <3 | Member, joined Aug 2, 2014, Germany
So can someone maybe make a TCP Gecko installer with executable memory write permissions by default, if you already know how it could work? The answers seem too tedious, and impossible to do for an end user who wants this, too. It would make the application much better for what it's for, game modding ;)
 

BullyWiiPlaza (OP) | Nintendo Hacking <3 | Member, joined Aug 2, 2014, Germany
wj44 said:
kernel_write allows writing in this MEM region.
Code:
data_start = kernel_read(0xFFEAB7A0 + 0 + 0x20);
data_len = kernel_read(0xFFEAB7A0 + 4 + 0x20);
The following only overwrites an address (with an initial value of 00000000), so it's not valid executable code, yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))
    self.socket.send(request)
    return
 

shinyquagsire23 | SALT/Sm4sh Leak Guy | Member, joined Nov 18, 2012, age 26, Las Vegas, United States
Slightly off topic: is it possible to make a Wii U file explorer with current Kexploit?
No, IOS has file permissions which restrict looking at things on the file system. You can FSBindMount certain directories but you need to have proper permissions to actually access anything.
 

wj44 | Well-Known Member, joined Jun 18, 2015, The Gambia
BullyWiiPlaza said:
The following only overwrites an address (with an initial value of 00000000), so it's not valid executable code, yet it crashes immediately:
Code:
tcp = TCPGecko(ip_address)
tcp.writekern(0x01100000, 1)
print("Done.")
Code:
def writekern(self, address, value):  # Only takes 4 bytes, may need to run multiple times
    # if not self.validrange(address, 4): raise BaseException("Address range not valid")
    # if not self.validaccess(address, 4, "write"): raise BaseException("Cannot write to address")
    self.socket.send(b"\x0B")  # cmd_writekern
    print(value)
    request = struct.pack(">II", int(address), int(value))
    self.socket.send(request)
    return
Never checked if it can write to that region. But you can write to the .text region of a game:
Code:
tcp = TCPGecko(ip_address)
data_start = tcp.readkern(0xFFEAB7A0 + 0x20)
tcp.writekern(data_start, 1)
print("Done.")
 
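The wire format implied by the writekern() method quoted in BullyWiiPlaza's post and reused in wj44's reply (one command byte 0x0B, then a big-endian address/value pair, one 4-byte word per call) turned into an added Python example that frames a multi-word patch as repeated kernel writes and parses the resulting stream back the way the console end would. This is added example code, not from pyGecko or from either poster: RecordingSocket, the two-instruction PowerPC patch and the parser are constructed here, and nothing on the client side can tell whether a given address is actually writable on the console (the crash in the post), only whether the frames are well formed.

```python
import struct

CMD_WRITEKERN = b"\x0B"   # command byte from the posted writekern(); payload is ">II" address, value
WORD = 4


def writekern_frames(address, data):
    """Frame `data` as the 4-byte kernel writes writekern() carries, one frame per word.

    Each frame is exactly what the posted method puts on the wire (it happens to use two
    send() calls, command byte then packed request; the bytes are the same either way)."""
    if address % WORD:
        raise ValueError("kernel writes are whole words: address must be 4-byte aligned")
    if len(data) % WORD:
        raise ValueError("data must be a multiple of 4 bytes (pad code with nop, 0x60000000)")
    if address < 0 or address + len(data) > 0x1_0000_0000:
        raise ValueError("write runs outside the 32-bit address space")
    frames = []
    for off in range(0, len(data), WORD):
        (word,) = struct.unpack(">I", data[off:off + WORD])
        frames.append(CMD_WRITEKERN + struct.pack(">II", address + off, word))
    return frames


def parse_writekern_stream(buf):
    """Decode a stream of writekern frames back into (address, value) pairs, as the
    console end would read them. Raises on a truncated frame or an unknown command byte."""
    out, pos = [], 0
    while pos < len(buf):
        if buf[pos:pos + 1] != CMD_WRITEKERN:
            raise ValueError(f"unexpected command byte {buf[pos]:#04x} at offset {pos}")
        if len(buf) - pos < 1 + 8:
            raise ValueError("truncated writekern frame")
        out.append(struct.unpack(">II", buf[pos + 1:pos + 9]))
        pos += 9
    return out


class RecordingSocket:
    """Stand-in for TCPGecko's socket (constructed here): records what would reach the console."""

    def __init__(self):
        self.sent = bytearray()

    def send(self, payload):
        self.sent += payload
        return len(payload)


def send_kernel_write(sock, address, data):
    """Push a multi-word patch through writekern-style frames; returns the frame count."""
    frames = writekern_frames(address, data)
    for frame in frames:
        sock.send(frame)
    return len(frames)


# Constructed PowerPC patch for the demo: `nop` followed by `b +8` (not from the thread).
PATCH = bytes.fromhex("60000000" "48000008")

if __name__ == "__main__":
    sock = RecordingSocket()
    count = send_kernel_write(sock, 0x01100000, PATCH)
    print(count, "frames:", sock.sent.hex())
    print(parse_writekern_stream(bytes(sock.sent)))
```

Because each frame is an independent word write, a patch that spans several instructions is not applied atomically: the target can execute a half-written sequence between frames, which is one more reason to write code into a region that is not currently running, or to patch a single branch word last.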
