Hacking Smea's iosuhax

punderino
> @Datalogger @punderino Are you guys working with marionumber1 or are you guys separate?

Marionumber1 is working by himself (with the help of naehrwert, I think). I'm working by myself right now; DataLogger is helping me, as is Nexocube. Nexocube and I are working in IDA Pro looking for another direction for IOSU, and my work with DataLogger is checking out iosutools a bit closer.
 

TiMeBoMb4u2
I'm not one to usually spread unconfirmed rumors, but I've heard some serious chatter on IRC about not expecting an IOSU exploit, until after NX, or maybe even at all. @Marionumber1 are you able to confirm/deny these rumors?
 

Selim873
> I'm not one to usually spread unconfirmed rumors, but I've heard some serious chatter on IRC about not expecting an IOSU exploit, until after NX, or maybe even at all. @Marionumber1 are you able to confirm/deny these rumors?

There's literally no good reason to wait that long, assuming they have something.
 

Supster131
Well, I wouldn't expect one either; that doesn't mean people aren't working towards it. It just isn't a priority. Most of the main devs here are in high school, and 3 months of summer break can mean a lot of time to work on this. Just give it time.
Let's hope we see something in the Summer time then.
 

TiMeBoMb4u2
> Well, I wouldn't expect one either, doesn't mean people aren't working towards it. It just isn't a priority. Most of the main devs here are in highschool, 3 months of summer break can mean a lot of time to work on this. Just give it time.
Well, I could have misunderstood, but time had nothing to do with it.
It was kind of a bitch-session, but at one point, there was mention of someone(s) trying to sell exploit details, instead.
My temper started to rise, and I had somewhere else to be, so I didn't get to the end of the discussion.
 

Pecrow
I traded my Xbox One for another Wii U when I saw the others were going to keep up with the IOSU work. Excited all the way.
 

brienj
And the four or five Wii U games even worth playing can now be played on the PC with Cemu, so I'm missing your point on how trading an Xbox One for a Wii U is better than the other way around, but this is a discussion of how to make the Wii U worth my initial investment I made into it even better than just the kernel exploit, only a handful of decent games isn't that amount, so I'll keep any further comments strictly to the IOSU exploit being worked on.
 

darklordrs
> And the four or five Wii U games even worth playing can now be played on the PC with Cemu, so I'm missing your point on how trading an Xbox One for a Wii U is better than the other way around, but this is a discussion of how to make the Wii U worth my initial investment I made into it even better than just the kernel exploit, only a handful of decent games isn't that amount, so I'll keep any further comments strictly to the IOSU exploit being worked on.

>tfw cemu barely even runs compared to, say, Dolphin, which itself isn't flawless

I mean.. okay. My B for the off topic tho?
 

brienj
> Oh, why would anyone trade their Xbox one for a Wii u? That's kind of retarded imo.
Go back a page or so, and you'll see what started it all, someone traded their Xbox One for a Wii U, and I said that the person they traded with was a lucky person, and I'd trade my Wii U for an Xbox One in a heartbeat, especially since I could easily replace the Wii U for half the price of the Xbox One, so it would be like getting an extra Xbox One for half price, because I wouldn't care about buying a new system, even an old white 8 GB one is good enough considering the library.
 
Last edited by brienj,

piratesephiroth
> Go back a page or so, and you'll see what started it all, someone traded their Xbox One for a Wii U, and I said that the person they traded with was a lucky person, and I'd trade my Wii U for an Xbox One in a heartbeat, especially since I could easily replace the Wii U for half the price of the Xbox One, so it would be like getting an extra Xbox One for half price, because I wouldn't care about buying a new system, even an old white 8 GB one is good enough considering the library.
Why would you want a console with no decent exclusives and crappy backwards compatibility (if it can even be called that)?
 

TamDanny
> ..................................................So how's the iosuhax progress?

Thinking the same thing. Don't get me wrong, the debate about that console trade thingy is very entertaining to read, but we're kinda curious on how things are coming along with iosuhax.
 

darklordrs
> Thinking the same thing. Don't get me wrong, the debate about that console trade thingy is very entertaining to read, but we're kinda curious on how's things are coming along with iosuhax.

PSA: if nothing is posted chances are everything is going according to keikaku
 

Sumea
I'm having a little hard time here; I have two Wii U's (one gamepad). The other is one I had for a while; both are white 8 gigs. I have my own 5.5.1 Wii U that I have a large HDD plugged into; it has my NNID on it, and purchased games and DLC content of 150 EUR value, if not more. The other is a used Wii U I got, if you figured it out from my note earlier, for a new gamepad in the EU. Where I live I cannot officially buy just a new gamepad, so I went to GameStop and got a used Wii U. It happened to be on 5.3.2 and stayed there, and I also happened to hear news of all the hax at the time. So a few weeks later the kernel hack comes out, loadiine happens, I tested it out and stuff; I have more or less still left that Wii U with less general use than my main one. So I split having a modified Wii U and my legit Wii U into two separate consoles because I can. Swapping the gamepad between the consoles is not even that much of a pain.

Now the new stuff is here; the 5.5.1 kernelhack is out, and that is, as far as I've seen, not as good as the 5.3.2 kernelhack (less reliable etc. on already not-so-reliable hax) - but if IOSU will be based on 5.5.1 only, I might want to update for that. Just dunno what to do.

I hope someone knows how things are going currently; keep it at 5.3.2 (I mean, if need be someone will make a 5.5.1 WUP installer package, right?) or what.
 

Jow Banks
Does anyone know the real booting order of the Wii U?

I know what fail0verflow has on their website - but it doesn't actually tell you in detail.
I'm more wanting to know - is it like this:


[---I'll use xxxy until I know if I've got the order and names correct.---]

a> power on
b> ppc processor starts first and loads 'xxx1' from its internal on-chip rom
c> the ppc loads 'xxx2' from external rom - decodes it - checks the key - then tells the arm to start and run it.
d> the arm loads 'xxx3' - decodes it - checks the key - then runs it itself
e> the arm then loads 'xxx4' from external rom - decodes it -checks the signature then runs it itself
f> the arm loads 'xxx5' - decodes it - checks the signature - then tells the ppc to run it and the Wii-U is running.
g> the arm and ppc go on loading menus and other unimportant things
[---Please correct this as needed.---]

//where
xxx1 = bootromU.bin (ppc code - static - cannot be changed)
xxx2 = boot1.bin (arm code - dynamic - possible to change with the boot1 key)
xxx3 = boot0.bin (arm code - dynamic - can be updated so long as its signed by root key)
xxx4 = fw.img (arm code - dynamic - can be updated but would need either the signatures patched or the private key leaked)
xxx5 = kernel.img (ppc dynamic - can be updated but would either need the signatures patched or the private key leaked)
[---Please correct this as needed.---]


//I would think that
xxx1 - not even Nintendo can change this as it is burnt into the processor. It would have no checks as it is accessed via DMA - it never sees RAM and is impossible to hack.
xxx2 - Nintendo can't change this as it is checked against the boot1 key in the OTP - it contains the root key
xxx3 - this can be updated and is verified by xxx2 using the root key - it contains the two RSA pub keys
xxx4 - arm IOSU and is encrypted with Expresso Ancast key + sha1 + signed by AES-128-CBC
xxx5 - ppc Kernel and is encrypted with Starbuck Ancast key + sha1 + signed by AES-128-CBC

//I would also think that
xxx1 can't do much as it is running one-instruction-at-a-time [no cache is on - it's DMA], so it could never deal with something as complex as running full signature checks.
At best it can verify a known key value.

xxx2 looks to be the weak link here - it can only be protected by a 'simple' key check.
We have the code - but it's the only item we don't have the key for.
With this key - you have control over the boot process.
[---I'm guessing this must be what smea figured out---]
 
Last edited by Jow Banks,

lonelyhero
@Sumea
The 5.5.1 kernel exploit seems to have a 100% success rate once properly set up. I've seen a lot of people have issues in the beginning of setting up the exploit, but it seems to come down to file placement and folder naming errors in most cases.
 

andriy921
> xxx1 = bootromU.bin (ppc code - static - cannot be changed)

From what I see it uses the Starbuck boot ROM for Wii U mode and the Espresso boot ROM for vWii mode. So this is ARM code.

Edit. I was mistaken; the Espresso boot ROM is used to run the vWii/PPC kernel. And you messed up the order of boots:
a> power on
b> arm processor starts first and loads 'xxx1' from its internal on-chip rom
c> the arm loads 'xxx2' from external rom - we don't really know how it does the validation - and runs it.
d> the arm loads 'xxx3' - validates signature, then decrypts it and jumps to it.
e> the arm then loads 'xxx4' from external rom - checks the signature, decrypts and then runs it itself
f> the arm loads 'xxx5' and tells the ppc to run it.
g> the ppc starts 'xxx6', which should validate hash/signatures of 'xxx5', decrypt and run it.
h> the arm and ppc go on loading menus and other unimportant things

//where
xxx1 = starbuck bootrom (arm code - static - cannot be changed)
xxx2 = boot0.bin (arm code - most likely static - I don't really know how this is validated, but most likely the bootrom expects it to have a valid hash)
xxx3 = boot1.bin (arm code - static - it seems like the hash of boot1 is stored in the OTP and is used to validate its signature)
xxx4 = fw.img (arm code - dynamic - can be updated but would need either the signatures patched or the private key leaked)
xxx5 = kernel.img (ppc dynamic - can be updated but would either need the signatures patched or the private key leaked)
xxx6 = espresso bootrom (ppc code - static - cannot be changed)
[---Please correct this as needed.---]
 
Last edited by andriy921,
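The distinction the two boot-order posts above turn on is between stages pinned by a hash the previous stage already holds (the bootrom's expectation for boot0, the OTP entry for boot1), which cannot be updated at all, and stages checked against a vendor key (fw.img, kernel.img), which can be updated only by whoever holds that key. The following is an added example, not code from this thread, from any Wii U tooling, or from the posters: a standard-library Python model of that chain walked in andriy921's order. The stage names follow the post; the images, the pinned hashes and VENDOR_KEY are constructed placeholders, and HMAC-SHA256 stands in for the real signature scheme so the example runs without third-party libraries.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, standard-library-only model of a staged boot chain with two kinds
# of check: static stages whose hash the previous stage already holds (bootrom
# expects boot0's hash; boot1's hash sits in OTP) and updatable stages
# authenticated with a vendor key (fw.img, kernel.img). HMAC-SHA256 stands in
# for the real signature scheme and VENDOR_KEY is a placeholder; none of this is
# Wii U code or real key material.


@dataclass
class Stage:
    name: str
    image: bytes
    check: str        # "pinned": hash compared to a stored value; "signed": tag checked
    tag: bytes = b""  # authentication tag, present only for "signed" stages


VENDOR_KEY = b"constructed-vendor-key"  # placeholder for the private signing key


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Stand-in for the vendor signing an updatable image (HMAC here, not RSA)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def build_chain() -> Tuple[List[Stage], Dict[str, bytes]]:
    """Construct sample images plus the hashes 'burned in' for the pinned stages."""
    boot0 = b"boot0: constructed sample image"
    boot1 = b"boot1: constructed sample image"
    fw = b"fw.img: constructed sample image"
    kernel = b"kernel.img: constructed sample image"
    stages = [
        Stage("boot0", boot0, "pinned"),
        Stage("boot1", boot1, "pinned"),
        Stage("fw.img", fw, "signed", sign(fw)),
        Stage("kernel.img", kernel, "signed", sign(kernel)),
    ]
    # What the earlier stage holds before loading the next one: the bootrom's
    # expected hash for boot0 and the OTP entry for boot1.
    pinned = {"boot0": digest(boot0), "boot1": digest(boot1)}
    return stages, pinned


def verify_chain(stages: List[Stage], pinned: Dict[str, bytes],
                 key: bytes = VENDOR_KEY) -> Optional[str]:
    """Walk the chain in boot order; return the first failing stage, or None."""
    for stage in stages:
        if stage.check == "pinned":
            ok = hmac.compare_digest(digest(stage.image), pinned[stage.name])
        elif stage.check == "signed":
            ok = hmac.compare_digest(sign(stage.image, key), stage.tag)
        else:
            raise ValueError(f"unknown check type for {stage.name}")
        if not ok:
            return stage.name  # boot halts here; later stages never run
    return None


def with_modified_image(stages: List[Stage], name: str, new_image: bytes,
                        key: Optional[bytes] = None) -> List[Stage]:
    """Copy of the chain with one image replaced; re-signed only if a key is given."""
    out = []
    for s in stages:
        if s.name != name:
            out.append(s)
            continue
        tag = sign(new_image, key) if (s.check == "signed" and key is not None) else s.tag
        out.append(Stage(s.name, new_image, s.check, tag))
    return out


if __name__ == "__main__":
    stages, pinned = build_chain()
    print("unmodified chain fails at:", verify_chain(stages, pinned))
    # A pinned stage fails no matter who signs it: the OTP hash cannot be updated.
    print("boot1 replaced, even with the vendor key:",
          verify_chain(with_modified_image(stages, "boot1", b"boot1: other", VENDOR_KEY), pinned))
    # A signed stage fails without the key but passes once the key holder re-signs it.
    print("fw.img replaced without key:",
          verify_chain(with_modified_image(stages, "fw.img", b"fw.img: other"), pinned))
    print("fw.img replaced and re-signed:",
          verify_chain(with_modified_image(stages, "fw.img", b"fw.img: other", VENDOR_KEY), pinned))
```

The verifier stops at the first stage that fails, which is how the posts describe the console halting: a changed boot1 fails regardless of any key because its hash is a fixed OTP value, whereas a changed fw.img passes only when re-signed by the key holder. That is exactly why the posts label boot0/boot1 "static" and fw.img/kernel.img "dynamic - can be updated".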
