Hacking ROP from within IOS_USB (5.5.1)

[NexoCube]

0x1012EB64 is the right address for syscall 0x15 via IOS-USB.

I know but i was searching for USB_ioctl_15, sorry i misspelled x)

 

[Phantom64]

I know but i was searching for USB_ioctl_15, sorry i misspelled x)

can i have iosu

 

[rw-r-r_0644]

can i have iosu

You already have it from that thread -_-

 

[Phantom64]

You already have it from that thread -_-

-.-.-.-.-.-.-___

 

[NexoCube]

You already have it from that thread -_-

That was a private joke

 

[Mario10095]

Why do you want the .elf then? Is it just so it matches with your collection of other elf files?

Can you please upload the mp4 version of the OTP via IOSU?

 

[Deleted User]

Can you please upload the mp4 version of the OTP via IOSU?

I don't think an MP4 version of the OTP retriever would be possible. Libwiiu does not have (most of?) the neccessary library/include files for it. Only ELF (and possibly RPX soon?) are the only possible means of being able to boot the example for now.

 

[Mario10095]

I don't think an MP4 version of the OTP retriever would be possible. Libwiiu does not have (most of?) the neccessary library/include files for it. Only ELF (and possibly RPX soon?) are the only possible means of being able to boot the example for now.

ok, but is there a way to do this without an SD card because my SD card slot is messed up?

 

[Ghassen-ga]

ok, but is there a way to do this without an SD card because my SD card slot is messed up?

why do u even need to know your OTP at the moment ? it's literally useless.

 

[Mario10095]

why do u even need to know your OTP at the moment ? it's literally useless.

I don't, I just wanna try it somehow.

 

[Ghassen-ga]

I don't, I just wanna try it somehow.

Then you should really send your Wiiu to repair , The Sd card is going to be the most important factor when a CFW is released.

 

[Mario10095]

Then you should really send your Wiiu to repair , The Sd card is going to be the most important factor when a CFW is released.

My micro-SD to SD card converter broke inside of my Wii U. Do you think i could try to get the piece with something, and if so what?

 

[rw-r-r_0644]

Can you please upload the mp4 version of the OTP via IOSU?

There you go: https://drive.google.com/open?id=0B6pkRCU5qlTqR28tZXI1d2kwcUk

It uses https://github.com/rw-r-r-0644/HBAS-Portable that can download any hbl elf file in ram and launch it (mostly a LoadiineGX2 sd_loader ripoff)

PS: Launch rate is loaw due to binary size

 

[Mario10095]

There you go: https://drive.google.com/open?id=0B6pkRCU5qlTqR28tZXI1d2kwcUk

It uses https://github.com/rw-r-r-0644/HBAS-Portable that can download any hbl elf file in ram and launch it (mostly a LoadiineGX2 sd_loader ripoff)

PS: Launch rate is loaw due to binary size

do i have to run kexploit first?

 

[TheZander]

does the advent of this have anything to do with boot0 or boot1? like that last thing people were talking about, but it's exceptionally brick-risky to screw with? Or with messing with boot0, boot1 require another exploit? Are the OTP keys necessary to decrypt / encrypt a NAND back up to do CFW stuff to it? Such as dump > use keys to decrypt > patch > re-encrypt?

 

[rw-r-r_0644]

do i have to run kexploit first?

No

 

[recgame77]

does the advent of this have anything to do with boot0 or boot1? like that last thing people were talking about, but it's exceptionally brick-risky to screw with? Or with messing with boot0, boot1 require another exploit? Are the OTP keys necessary to decrypt / encrypt a NAND back up to do CFW stuff to it? Such as dump > use keys to decrypt > patch > re-encrypt?

Boot1 , kernel PPC and iosu firwware are 3 ancast images encrypted with 3 different keys;
the boot1 key has not been publicly leaked so far.

kernel ppc and iosu firmware are both located within OSV10 (Base release OS) "partition" and boot1 in its "own partition". I think both are located on the slc and not the mlc.

boot0 is located on a separate bootrom and i think is encrypted by a custom per console encryption key (not sure)

The near future will be to allow loadinne an other homebrew to get usb access permissions by using the iosu exploit. regarding cfw it could be possible to trigger the exploit and then kind of relaunch the OS with nand redirection .. For a CFW at boot , i think/guess that another trick / exploit is required and not disclosed atm.

 

[Ghassen-ga]

I really

My micro-SD to SD card converter broke inside of my Wii U. Do you think i could try to get the piece with something, and if so what?

have no idea, but i advice you not to mess with it and send it to Nintendo , or someone who has knowledge in repairing stuff.

 

[Deleted User]

There you go: https://drive.google.com/open?id=0B6pkRCU5qlTqR28tZXI1d2kwcUk

It uses https://github.com/rw-r-r-0644/HBAS-Portable that can download any hbl elf file in ram and launch it (mostly a LoadiineGX2 sd_loader ripoff)

PS: Launch rate is loaw due to binary size

I have uploaded it to ourbrew.ml/code550.mp4 if this not unpalatable for you

 

[Deleted User]

I really

have no idea, but i advise you not to mess with it and send it to Nintendo , or someone who has knowledge in repairing stuff.

I don't think Nintendo would repair that. They only repair liquid damage and physical damage.