Hacking Smea's iosuhax

  • Thread starter: NyaakoXD
  • Views: 147,257
  • Replies: 447
  • Likes: 27
I assume the .elf/bin would need IOSU kernel access to run, but to me that suggests the patched FW is already loaded. There seems to be a link in the chain missing in how the fw.img is supposed to either be loaded or installed.
Basically, yes. You need to find a function where the binary loads itself in, which is normally done by boot1, but you have to mount an external media device, load in modded code, and clean up. smea suggested loading up System Settings after pwning because it does a full OS reset, all done in 0x5D0 bytes according to Hillary. You basically have to make IOSU work for you.
 
The smealum thing spits out a wupserver and the custom fw.img?

If the custom fw.img is just compiled and patched at those addresses in the /patches/ folder, would that constitute a ROP change viable to insert in Hillary's posted usb_rop zip main.c file?

In one of smealum's patch bins he has:
Code:
; nop out memcmp hash checks
.org 0x040017E0
    mov r0, #0
.org 0x040019C4
    mov r0, #0
.org 0x04001BB0
    mov r0, #0
.org 0x04001D40
    mov r0, #0
and Hillary's main.c:

Code:
int second_chain[] = {
    0x10123a9f, // 0x00         POP {R0,R1,R4,PC}
    CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000,     // 0x04         destination
    0x0,        // 0x08        
    0x0,        // 0x0C        
    0x101063db, // 0x10         POP {R1,R2,R5,PC}
    0x00130000, // 0x14         source
    sizeof(final_chain),          // 0x18         length
    0x0,        // 0x1C        
    0x10106D4C, // 0x20         BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
    0x0,        // 0x24        
    0x0,        // 0x28        
    0x101236f3, // 0x2C         POP {R1-R7,PC}
    0x0,        // 0x30         arg
    0x101001DC, // 0x34         stackptr
    0x68,       // 0x38         stacksize
    0x10101634, // 0x3C         proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
    0x0,        // 0x40
    0x0,        // 0x44
    0x0,        // 0x48
    0x1010388C, // 0x4C         CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
    0x0,        // 0x50
    0x0,        // 0x54
    0x1012CFEC, // 0x58         MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
    0x0,   // 0x5C
    0x0,        // 0x60
    IOS_CREATETHREAD, // 0x64  
    0x1,        // 0x68         priority
    0x2,        // 0x6C         flags
    0x0,        // 0x70
    0x0,        // 0x74
    0x101063db, // 0x78         POP {R1,R2,R5,PC}
    0x0,        // 0x7C        
    -(0x240 + 0xF000), // 0x80  stack offset
    0x0,        // 0x84        
    0x1011D424, // 0x88         LDMFD SP!, {R4-R11,PC}
    0x0,        // 0x8C        
    0x0,        // 0x90        
    0x0,        // 0x94        
    0x0,        // 0x98        
    0x0,        // 0x9C        
    0x0,        // 0xA0        
    0x0,        // 0xA4        
    0x4,        // 0xA8         R11 must equal 4 in order to pivot the stack
    0x1012EA68, // 0xAC         stack pivot
};

Could you combine them, e.g.:

Code:
int second_chain[] = {
    .org 0x040017E0
    mov r0, #0
.org 0x040019C4
    mov r0, #0
.org 0x04001BB0
    mov r0, #0
.org 0x04001D40
    mov r0, #0

};

Would something like that have any effect when run?
 
I assume the .elf/bin would need IOSU kernel access to run, but to me that suggests the patched FW is already loaded. There seems to be a link in the chain missing in how the fw.img is supposed to either be loaded or installed.

A wild guess, but I think the process is this one:

- Cold boot (original fw.bin loaded by boot1)
- Launch elf IOSU userland + kernel exploit to patch the required part to load fw from SD card instead of OSV10 - SLC NAND
- Launch a warm reboot from IOS-MCP (custom fw.bin then loaded by IOS-MCP)

If I'm not wrong, the IOS-MCP reboot patching code has not been released.


http://wiiubrew.org/wiki/IOSU
 
I assume the .elf/bin would need IOSU kernel access to run, but to me that suggests the patched FW is already loaded. There seems to be a link in the chain missing in how the fw.img is supposed to either be loaded or installed.
If an IOSU exploit comes to browserhax, you would just run the .elf and it would gain the permissions by itself. In order to use the fw.img you need to already have an IOSU exploit or some other wizardry.
 
 
Would something like that have any effect when run?
No....
 
What about taking that Hillary thing where it says 'insert rop chain here' in the main.c, taking the main.c from the compiled wupserver, and pasting that in there? Would that do something?
ROP != compiled code.
Also, I guess you can't just paste any code and hope it runs :P
Sadly.
 
Last edited by rw-r-r_0644,
ROP != compiled code.
Also, I guess you can't just paste any code and hope it runs :P
Sadly.
The thing Trump made, in the source I think, used Hillary's main.c, so he put his 'rop chain' stuff where it said to.

I guess what I am confused about (amongst many things) is that all iosuhax is is a wupserver and a patched fw.img. I don't get what commands you would actually run in the IOSU kernel to actually do anything, because his tools were all about (I guess) ripping the sections from the decrypted fw.img, patching them, then packaging it back up into a new fw.img.

I am guessing the newly made fw.img is the resultant redNAND, but how did he install the channel on the sysNAND that loaded redNAND off the SD?
 
The thing Trump made, in the source I think, used Hillary's main.c, so he put his 'rop chain' stuff where it said to.

I guess what I am confused about (amongst many things) is that all iosuhax is is a wupserver and a patched fw.img. I don't get what commands you would actually run in the IOSU kernel to actually do anything, because his tools were all about (I guess) ripping the sections from the decrypted fw.img, patching them, then packaging it back up into a new fw.img.

I am guessing the newly made fw.img is the resultant redNAND, but how did he install the channel on the sysNAND that loaded redNAND off the SD?
He presumably has a boot1 vulnerability that lets him get full control early in boot; then he makes boot1 skip signature checks (or patches MCP and reloads it from there?) and he has redNAND. BTW, he didn't install channels to sysNAND.
 
He presumably has a boot1 vulnerability that lets him get full control early in boot; then he makes boot1 skip signature checks (or patches MCP and reloads it from there?) and he has redNAND. BTW, he didn't install channels to sysNAND.
In the video, didn't he first boot into sysNAND and there was a red channel that said redNAND? Or did he boot straight into redNAND at the beginning of the video?
 
In the video, didn't he first boot into sysNAND and there was a red channel that said redNAND? Or did he boot straight into redNAND at the beginning of the video?
No. He booted straight into redNAND.
The "red channel" is a folder he says he uses to check whether he's on sysNAND or redNAND (he says that in the video) to prevent messing up stuff on sysNAND.
 
No. He booted straight into redNAND.
The "red channel" is a folder he says he uses to check whether he's on sysNAND or redNAND (he says that in the video) to prevent messing up stuff on sysNAND.
So the iosuhax-generated fw.img is intended to be written to the SD card and loaded from there, right? It also has the patch to redirect anything from sysNAND's fw to itself. Now, before that's booted from automatically on boot, he had a boot1 command to boot from SD? And that part he didn't make public? With the IOSU kernel exploit that is public now, does it have the ability to access that early in the boot chain?

What about the NAND dump script that he mentions in the readme? Is that actually in the repository? Because I would think a NAND dump script would have to be run in sysNAND somehow. Are his dump scripts included in the patches in the patched fw.img? Or did he run the dump commands from that wupserver he has? Which I can't get to run either.
 
So the iosuhax-generated fw.img is intended to be written to the SD card and loaded from there, right? It also has the patch to redirect anything from sysNAND's fw to itself. Now, before that's booted from automatically on boot, he had a boot1 command to boot from SD? And that part he didn't make public? With the IOSU kernel exploit that is public now, does it have the ability to access that early in the boot chain?

What about the NAND dump script that he mentions in the readme? Is that actually in the repository? Because I would think a NAND dump script would have to be run in sysNAND somehow. Are his dump scripts included in the patches in the patched fw.img? Or did he run the dump commands from that wupserver he has? Which I can't get to run either.
There still isn't any public boot exploit.
To boot that thing you'll need to manually trigger the exploit, I guess (browserhax again :P).
 
Obviously, I'm not a Python programmer - but hey, it works!
Show me a more simple way to poke an 0x02 at that offset so I can get back to my comfort zone in raw assembly.
Here:
Code:
    def encrypt(self, file, offset):
        # file must be opened in binary mode ('r+b'); Python 3 syntax
        file.seek(0x497DC3)
        file.write(bytes.fromhex('02'))

Or:
Code:
    def encrypt(self, file, offset):
        file.seek(0x497DC3)
        file.write(b'\x02')

Or:
Code:
    def encrypt(self, file, offset):
        value = '02'  # so it would be changeable in an easy way
        file.seek(0x497DC3)
        file.write(bytes.fromhex(value))
 
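A slightly more careful version of the one-byte poke shown in the three snippets above, as an added example that is not code from the thread or from iosuhax: it uses the same offset 0x497DC3 and byte 0x02, but refuses to write if the offset is outside the file or the byte already there is not the one you expect, so a wrong image or wrong offset is caught before anything is modified. patch_byte and demo are names chosen here, and the image in demo is a constructed dummy file.

```python
import os
import tempfile


def patch_byte(path, offset, value, expect=None):
    """Overwrite one byte at `offset` in the file at `path`.

    `value` may be an int (0x02) or a hex string ('02'). If `expect` is
    given, the byte currently at `offset` must equal it or nothing is
    written. Returns the byte that was at `offset` before the patch.
    """
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    size = os.path.getsize(path)
    if not 0 <= offset < size:
        raise ValueError("offset 0x%X outside file of 0x%X bytes" % (offset, size))
    with open(path, "r+b") as f:  # binary mode: no newline translation
        f.seek(offset)
        old = f.read(1)[0]
        if expect is not None and old != expect:
            raise ValueError("expected 0x%02X at 0x%X, found 0x%02X"
                             % (expect, offset, old))
        f.seek(offset)
        f.write(bytes([value]))
    return old


def demo():
    """Constructed dummy image (0x497DC4 bytes of 0xFF), patched like the thread's snippet."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\xff" * (0x497DC3 + 1))
        path = tmp.name
    try:
        old = patch_byte(path, 0x497DC3, "02", expect=0xFF)
        with open(path, "rb") as f:
            f.seek(0x497DC3)
            new = f.read(1)[0]
        # A second run with the same expectation must now be refused,
        # since the byte is no longer 0xFF.
        try:
            patch_byte(path, 0x497DC3, "02", expect=0xFF)
            rejected = False
        except ValueError:
            rejected = True
        return old, new, rejected
    finally:
        os.remove(path)
```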
Kinda confused, I would like this to improve my FTP speeds for the Helper Transfer Tool.
But I don't understand it: do you need to have Mocha, so just HaxChi isn't enough?

And does it have any other effect on the Wii U, meaning will it affect gaming in any way?
 
