@dimok @n1ghty @Maschell ... Has anyone been looking any further into the "symlink" mounting that dimok was referring to?
Thanks, again, @dimok
WOW! Even more impressive than the new ddd release, are the bolded statements above/below! ...and it leads to so many questions!...
Explanation on how it is done:
So how do we dump the meta folder which is normally not accessable through the FS functions?
I was looking through the men.rpx (system menu) assembly and i saw it calling an FS function that looked interessting, FSBindMount. That function was called with path parameters that were interessting. The system menu creates with this something similar to a symbolic link on linux for the path ".../meta" to a path called "/vol/app_priv". So I started checking it out and find out that you can actually link any titles meta folder, e.g. /vol/storage_odd3/meta to a folder like /vol/app_priv or even just /vol/meta. From that position you can then access the folder /vol/meta (or the app_priv) with normal FS functions. There is only one problem with that, that you dont have access to those paths from the game titles or any other titles I tested except Mii Maker, System Menu and, you might have guessed it, Home Menu. So thats why I had to first do a few changes to the ddd application to actually bind the correct title that we want to dump. Now this is quite nice that you can create symlinks with this. I checked binding /vol/storage_odd03/code to some path but that wasn't accessable but I expected that kind of, though its too bad.
Well i played a bit more with it and found out that you can actually just hook that function and replace whatever the system tries to link to /vol/app_priv (or /vol/meta_priv (odd03 meta/manual) or /vol/private_mnt (usb mount)) and just link some other path you like to it. This allows you to inject the system some other meta path and with that you can for example make it load different icons for the titles that the system menu or the home menu displays. What we do with this? Well for now nothing as I didnt have much time for digging much deeper into this but this just smells like something we can exploit a little more
EDIT:
I updated the WiiU archive on the release and added a new meta.xml and an icon.png from @TiMeBoMb4u2 (thanks)
Are you allowed to link a SD Card mount/location?
When you say "normal FS functions", does this mean read/write, or only read?
What locations/paths are you allowed to symlink to/from?
If the system tries to link/mount "/vol/private_mnt (usb mount)", are you able to hi-jack this mount to allow access to USB?
So, if this new "meta path" happens to contain a nicely-written exploit/payload, would the system be kind enough to execute that for us?
Uh, yeah! ...but I guess it really depends on how sand-boxed the mount is! I think you're really onto something here, though!! PLEASE keep us updated, and share all your findings!
Thanks, again, @dimok
New