Hacking Smea's iosuhax

Jow Banks

So the PPC doesn't boot before the ARM?

For boot ROMs:

PPC:
I see two different bootroms in PPC code. One has a header that says "2009-2011 Nintendo" and I would assume it's for the vWii mode.
It contains the AES rotation nudge, AES substitution table, AES Td3, ECP hashes and the SHA ciphers.

The other one, also called bootrom in PPC code, has no encryption data internal, but it has an ancast header, SHA-signed at byte 0x24, so I assume it is the one from the on-chip ROM.

ARM:
There are also two boot ROMs for the ARM. One (boot1?) has the common key and the root key, nothing else.

The other one (boot0?) has two RSA keys, an AES IV hash and a SHA hash.
 

Jow Banks

Am I wrong here, or is the name of this thread Smea's IOSUhax?
When did it get hijacked into the trading-a-Wii-U-for-an-Xbox-One thread?

My questions about the booting process are directly related to how Smea was able to use these tools and how he was able to interrupt the boot cycle to inject customized firmware.

Can you please start a thread in the Edge of the Forum for this other subject?
 

ShadowOne333

Jow Banks said:
> Am I wrong here, or is the name of this thread Smea's IOSUhax?
> When did it get hijacked into the trading-a-Wii-U-for-an-Xbox-One thread?
>
> My questions about the booting process are directly related to how Smea was able to use these tools and how he was able to interrupt the boot cycle to inject customized firmware.
>
> Can you please start a thread in the Edge of the Forum for this other subject?

Tempers gonna temp, yo.
These kiddos always get sidetracked with bullshit conversations.

Anyway, I agree, please stay on topic for the thread. I'm really interested in keeping an eye on the development and the things that come up.
Reading all of that sure is interesting.
 

Pecrow

My intention was not to spam or hijack the thread. It was to share my excitement about the IOSU progress, and that I had gotten a second Wii U (for my gf) by trading my Xbox One. I have a Wii U, PS4, n3DS, and an Xbox One that I had not turned on for over 3 months because it sucks. To me a Wii U is more valuable than an Xbox One that was just collecting dust.
 

Sumea

> @Sumea I have exactly the same situation as you, well, near enough: one 8 GB Wii U at 5.3.2 and one 32 GB Wii U at 5.5.1, but I must say you're wrong, as I among others have much more reliability with the new kexploit, especially when running from the hax Java file :)

Not that, but a lot of "5.5.1 Loadiine cannot do these things; it seems 5.5.1 Loadiine is more reliable if you run it from Homebrew Launcher" etc. It is not the exploit hax itself, but everything behind it currently seems to be... a little less reliable than with 5.3.2.
 

Jow Banks

Well, this thread has turned into the Wii U vs Xbox One trade thread, so I'll move on to some other place and hope that they can stay on topic.

Too bad, as we all need to make progress on getting IOSU up and running, but I guess talking about other things is more important here :(
 

piratesephiroth

Jow Banks said:
> Well, this thread has turned into the Wii U vs Xbox One trade thread, so I'll move on to some other place and hope that they can stay on topic.
>
> Too bad, as we all need to make progress on getting IOSU up and running, but I guess talking about other things is more important here :(

bye, felicia
 

Nollog

Jow Banks said:
> Well, this thread has turned into the Wii U vs Xbox One trade thread, so I'll move on to some other place and hope that they can stay on topic.
>
> Too bad, as we all need to make progress on getting IOSU up and running, but I guess talking about other things is more important here :(

People like you are silly. Use the report button, not the reply button. #Irony
 

andriy921

Let's get this back to the topic.

Jow Banks said:
> So the PPC doesn't boot before the ARM?
>
> For boot ROMs:
>
> PPC:
> I see two different bootroms in PPC code. One has a header that says "2009-2011 Nintendo" and I would assume it's for the vWii mode.
> It contains the AES rotation nudge, AES substitution table, AES Td3, ECP hashes and the SHA ciphers.
>
> The other one, also called bootrom in PPC code, has no encryption data internal, but it has an ancast header, SHA-signed at byte 0x24, so I assume it is the one from the on-chip ROM.
>
> ARM:
> There are also two boot ROMs for the ARM. One (boot1?) has the common key and the root key, nothing else.
>
> The other one (boot0?) has two RSA keys, an AES IV hash and a SHA hash.

Those are not bootroms. Bootrom is plain-text code that is part of the CPU. The main task of those is to validate and decrypt images that are loaded from NAND. So for ARM it should be bootrom -> boot0 -> boot1 -> fw.img/cafe2wii. For PPC it should be bootrom -> kernel.img/NANDLoader.
 

Jow Banks

OK, thanks for the info, but I sold one of my Wii Us on eBay and gave the other one away.
There's no real Wii U scene, only pirating games with an SD card and Loadiine.
Thanks again and have fun with it.
 

Jow Banks

andriy921 said:
> Let's get this back to the topic.
>
> Those are not bootroms. Bootrom is plain-text code that is part of the CPU. The main task of those is to validate and decrypt images that are loaded from NAND. So for ARM it should be bootrom -> boot0 -> boot1 -> fw.img/cafe2wii. For PPC it should be bootrom -> kernel.img/NANDLoader.

Oh, one more thing, just to set this straight for anyone who may read this later on.

The boot process you said is not correct. We know that the ARM loads kernel.img into RAM for the PPC to run.
You can see this if you look at the ARM's fw.img file made by @davetheshrew here in another thread. Take a look at address 503401E and you will see what I'm saying is right.

It's maybe closer to: ARM on-chip bootrom -> boot0 -> boot1 -> fw.img, then ARM fw.img loads PPC kernel.img and lets the PPC know to run it, then the ARM goes -> protect system/control all IO.

At the same time, the PPC is doing: PPC bootrom -> waiting for the ARM to say it has loaded kernel.img, then -> kernel.img -> main menus/load games.

And one last thing: the names I said are right, bootrom. Those are the bootrom files I'm talking about. If you don't believe me, go to fail0verflow's website and watch the video;
search for blog/2014/console-hacking-2013-omake.html

marcan, who knows way more than anyone else about this stuff, posted what he and the others at f0f named bootrom and the hashes. Those hashes are the same for the files I'm talking about.
Not just the vWii hash but the Wii U bootrom too!
If marcan says it's a bootrom, then it is a bootrom. :)


Reading the posts above, I know no one cares about IOSU anymore and the things you can do with it.
All that is now important is Loadiine and kernel hax.

That's why I sold/gave away my Wii Us, while there are still some people that want them.
With no one wanting to work on IOSU anymore, by the time IOSU comes out the Wii U will be as cheap as the Xbox 360 is today and I'll buy another :)
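The chain the two posts above argue over (on-chip ROM checks boot0, boot0 checks boot1, boot1 checks fw.img, and the ARM firmware verifies kernel.img before handing it to the PPC) is, whatever the exact stage names, a hash-pinned chain of trust. The following Python model is an example added here, not Wii U code and not anything from the thread's participants: the stage payloads are constructed strings, SHA-256 pinning stands in for whatever signature scheme the real stages use, and the function names are assumptions. It shows the property that makes the on-chip ROM the interesting stage: you can overwrite any NAND-resident image, but its predecessor's pinned hash rejects it, and re-pinning every stage to accept the change walks the mismatch up to the ROM, which cannot be rewritten.

```python
"""Constructed model of a hash-pinned verified boot chain.

Added example, not Wii U code: stage names follow the chain discussed in the
thread (on-chip ROM -> boot0 -> boot1 -> fw.img, then fw.img hands
kernel.img to the PPC); payloads, the SHA-256 pinning scheme and the function
names are assumptions made here for illustration only.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Load order. The ROM itself is not in the list: it is immutable on-chip code
# whose only job here is to hold the hash of boot0 and check it.
CHAIN = ["boot0", "boot1", "fw.img", "kernel.img"]


@dataclass(frozen=True)
class Image:
    name: str
    payload: bytes              # constructed stand-in for the stage's code
    next_hash: Optional[bytes]  # hash this stage will accept for its successor

    def serialize(self) -> bytes:
        # The pinned successor hash is covered by the stage's own hash, so a
        # stage cannot be re-pointed at different code without its own hash
        # (pinned in its predecessor) changing as well.
        return self.name.encode() + b"\0" + (self.next_hash or b"") + b"\0" + self.payload


def digest(img: Image) -> bytes:
    return hashlib.sha256(img.serialize()).digest()


def build_chain(payloads: Dict[str, bytes]) -> Tuple[bytes, Dict[str, Image]]:
    """Build images last-to-first so each can embed its successor's hash.
    Returns (hash burned into the ROM for boot0, images by name)."""
    images: Dict[str, Image] = {}
    next_hash: Optional[bytes] = None
    for name in reversed(CHAIN):
        img = Image(name, payloads[name], next_hash)
        images[name] = img
        next_hash = digest(img)
    return next_hash, images


def boot(rom_pinned: bytes, images: Dict[str, Image]) -> List[str]:
    """ROM walks the chain from NAND. Returns the stages that passed
    verification; stops at the first mismatch instead of running bad code."""
    executed: List[str] = []
    expected: Optional[bytes] = rom_pinned
    for name in CHAIN:
        img = images[name]
        if digest(img) != expected:
            break
        executed.append(name)
        expected = img.next_hash
    return executed


def tamper(images: Dict[str, Image], name: str, payload: bytes) -> Dict[str, Image]:
    """Overwrite one stage on 'NAND' without touching its predecessor."""
    patched = dict(images)
    patched[name] = Image(name, payload, images[name].next_hash)
    return patched


def demo() -> Tuple[List[str], List[str], List[str]]:
    payloads = {n: f"constructed {n} code".encode() for n in CHAIN}
    rom_pinned, images = build_chain(payloads)

    # Untouched chain: every stage runs and kernel.img is handed to the PPC.
    clean = boot(rom_pinned, images)

    # Custom fw.img dropped onto NAND: boot1's pinned hash rejects it.
    patched = boot(rom_pinned, tamper(images, "fw.img", b"custom fw"))

    # Re-pin every stage so they accept the custom fw.img: the change
    # propagates to boot0's hash, which the ROM no longer accepts, so nothing
    # runs. Only a bug in some stage's verification logic gets around this.
    _, rechained = build_chain({**payloads, "fw.img": b"custom fw"})
    repinned = boot(rom_pinned, rechained)
    return clean, patched, repinned


if __name__ == "__main__":
    for label, stages in zip(("clean", "patched", "repinned"), demo()):
        print(f"{label:9s} ran: {stages}")
```

The model deliberately has no way to replace the ROM's pinned value, which is what makes the first mutable stage, and the parser that checks it, the usual target rather than the NAND images themselves.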
 

davetheshrew

Jow Banks said:
> Oh, one more thing, just to set this straight for anyone who may read this later on.
>
> The boot process you said is not correct. We know that the ARM loads kernel.img into RAM for the PPC to run.
> You can see this if you look at the ARM's fw.img file made by @davetheshrew here in another thread. Take a look at address 503401E and you will see what I'm saying is right.
>
> It's maybe closer to: ARM on-chip bootrom -> boot0 -> boot1 -> fw.img, then ARM fw.img loads PPC kernel.img and lets the PPC know to run it, then the ARM goes -> protect system/control all IO.
>
> At the same time, the PPC is doing: PPC bootrom -> waiting for the ARM to say it has loaded kernel.img, then -> kernel.img -> main menus/load games.
>
> And one last thing: the names I said are right, bootrom. Those are the bootrom files I'm talking about. If you don't believe me, go to fail0verflow's website and watch the video;
> search for blog/2014/console-hacking-2013-omake.html
>
> marcan, who knows way more than anyone else about this stuff, posted what he and the others at f0f named bootrom and the hashes. Those hashes are the same for the files I'm talking about.
> Not just the vWii hash but the Wii U bootrom too!
> If marcan says it's a bootrom, then it is a bootrom. :)
>
> Reading the posts above, I know no one cares about IOSU anymore and the things you can do with it.
> All that is now important is Loadiine and kernel hax.
>
> That's why I sold/gave away my Wii Us, while there are still some people that want them.
> With no one wanting to work on IOSU anymore, by the time IOSU comes out the Wii U will be as cheap as the Xbox 360 is today and I'll buy another :)

Wasn't me that made it, mate.
 

QCLasky

Another promising-looking thread down the toilet.
Every thread talking about Smea's stuff turns out like this..

LOL [screenshot: Screenshot_2016-05-14-11-34-39.jpg]
 

piratesephiroth

Jow Banks said:
> Reading the posts above, I know no one cares about IOSU anymore and the things you can do with it.
> All that is now important is Loadiine and kernel hax.

:)

Talking about IOSU won't make an exploit magically appear.
You think you're saying something relevant, but the info you want to discuss is completely redundant for the people capable of finding exploits.
 

ARVI80

I love how overcomplicated everyone makes it when trying to explain IOSU exploits.

Here, it's as simple as this:
1) Find 2 locations that can see each other (be shared), or the same location that can be read/called from IOSU and also written to from a different location such as userland using kexploit. (Remember kexploit has the same access to everything IOSU does, just not the same authority.)

2) Write the application to the shared location and call it from IOSU using an ELF.
E.g. if someone was to rewrite the Homebrew Channel, with built-in kexploit, and also as an installable channel, it gets dumped in location 1, available to userland, and called from location 2, which actually points to the same location but is called using IOSU, which actually has the authority to install it.
Simples..... just nobody can be bothered with that particular task at the moment.
Don't believe me? Ask your favourite dev. ...
 

piratesephiroth

ARVI80 said:
> I love how overcomplicated everyone makes it when trying to explain IOSU exploits.
>
> Here, it's as simple as this:
> 1) Find 2 locations that can see each other (be shared), or the same location that can be read/called from IOSU and also written to from a different location such as userland using kexploit. (Remember kexploit has the same access to everything IOSU does, just not the same authority.)
>
> 2) Write the application to the shared location and call it from IOSU using an ELF.
> E.g. if someone was to rewrite the Homebrew Channel, with built-in kexploit, and also as an installable channel, it gets dumped in location 1, available to userland, and called from location 2, which actually points to the same location but is called using IOSU, which actually has the authority to install it.
> Simples..... just nobody can be bothered with that particular task at the moment.
> Don't believe me? Ask your favourite dev. ...

That's so crazy... it just might potato

 
