Hi everyone, it's nicely raining at home today, so what do I do? Nothing special... except for those who will understand this.
I found something interesting in wp<z0. What do you think, guys and girls who know what I am talking about?
Mii Maker V 50
C Root-CA00000003-CP0000000b
seg000:0000000000000140 push rdx
seg000:0000000000000141 outsd
seg000:0000000000000142 outsd
seg000:0000000000000143 jz short near ptr unk_172 (jump to unk_172)
seg000:0000000000000145 db 43h
seg000:0000000000000145 xor [r8], sil
seg000:0000000000000149 xor [rax], dh
seg000:000000000000014B xor [rax], dh
seg000:000000000000014D xor [rbx], dh
seg000:000000000000014F sub eax, 30305043h
seg000:0000000000000154 xor [rax], dh
seg000:0000000000000156 xor [rax], dh
seg000:0000000000000158 xor [rdx+0], ah
Lt.QY
seg000:0000000000000223 ; ---------------------------------------------------------------------------
seg000:0000000000000223 jz short near ptr unk_254 (jump to unk_254)
seg000:0000000000000226 push rcx
seg000:0000000000000227 pop rcx
$\"Es
seg000:0000000000000D48 ; ---------------------------------------------------------------------------
seg000:0000000000000D48 add al, 24h ; '$'
seg000:0000000000000D4A and al, [rbp+73h]
seg000:0000000000000D4D sbb dh, [rsi+530EE3FEh]
seg000:0000000000000D53 xor eax, 0A9EB3E37h
seg000:0000000000000D58 jo short loc_D2F (jump to loc_2DF)
<snip>
Stop waiting for Hykem's iosu, he will never release anything.
I'm not sure what you are asking, but if you want to learn about using IDA and PPC/ARM-thumb code, maybe I can help you.
I can't say what source binary or CPU you selected, but that doesn't look like proper Wii-U code.
If you are trying to look at the Mii Maker V5.0's RPX, (ffl_app.rpx) it should be loaded as BigEndian PPC code, something like this:
Code:
.syscall:02000000 # Input MD5 : 874846BAADA27A8C3FFCD13E301CCE90
.syscall:02000000 # Input CRC32 : 03B0AA10
.syscall:02000000
.syscall:02000000
.syscall:02000000 # Processor : PPC
.syscall:02000000 # Target assembler: GNU Assembler
.syscall:02000000 # Byte sex : Big endian
.syscall:02000000 # SIMD Instructions: AltiVec
.syscall:02000000 # Processor Profile: Server
.syscall:02000000
.syscall:02000000 #include "ppc-asm.h"
.syscall:02000000 .set r1, 1; .set r2, 2
.syscall:02000000 .set lt, 0; .set gt, 1; .set eq, 2; .set so, 3
.syscall:02000000
.syscall:02000000
.syscall:02000000 # ===========================================================================
.syscall:02000000
.syscall:02000000 # Segment type: Pure code
.syscall:02000000 .section ".syscall"
.syscall:02000000 .org $+1
.syscall:02000000
.syscall:02000000 # =============== S U B R O U T I N E =======================================
.syscall:02000000
.syscall:02000000
.syscall:02000000 sub_2000000: # CODE XREF: sub_22F138C+10p
.syscall:02000000 # DATA XREF: .rodata:off_1001DE40o ...
.syscall:02000000 nop # No Operation
.syscall:02000004 blr # Branch unconditionally
.syscall:02000004 # End of function sub_2000000
.syscall:02000004
.syscall:02000004
.text:02000020 # ===========================================================================
.text:02000020
.text:02000020 # Segment type: Pure code
.text:02000020 .section ".text"
.text:02000020 .org $+2
.text:02000020
.text:02000020 # =============== S U B R O U T I N E =======================================
.text:02000020
.text:02000020
.text:02000020 sub_2000020: # CODE XREF: sub_218885C+1Cp
.text:02000020 # sub_218885C+3Cp
.text:02000020 lis r3, aWupNHaae@h # "WUP-N-HAAE"
.text:02000024 addi r3, r3, aWupNHaae@l # "WUP-N-HAAE"
.text:02000028 blr # Branch unconditionally
.text:02000028 # End of function sub_2000020
.text:02000028
.text:0200002C
.text:0200002C # =============== S U B R O U T I N E =======================================
.text:0200002C
.text:0200002C
.text:0200002C sub_200002C: # CODE XREF: sub_218E75C+64p
.text:0200002C li r3, 0x207 # Load Immediate
.text:02000030 blr # Branch unconditionally
.text:02000030 # End of function sub_200002C
.text:02000030
.text:02000034
.text:02000034 # =============== S U B R O U T I N E =======================================
.text:02000034
.text:02000034
.text:02000034 sub_2000034: # CODE XREF: sub_218BB24+4Cp
.text:02000034 lis r3, aUs@h # "US"
.text:02000038 addi r3, r3, aUs@l # "US"
.text:0200003C blr # Branch unconditionally
.text:0200003C # End of function sub_2000034
.text:0200003C
.text:02000040
.text:02000040 # =============== S U B R O U T I N E =======================================
.text:02000040
.text:02000040
.text:02000040 sub_2000040: # CODE XREF: sub_218B820+2Cp
.text:02000040
.text:02000040 .set var_18, -0x18
.text:02000040 .set var_14, -0x14
.text:02000040 .set var_10, -0x10
.text:02000040 .set var_C, -0xC
.text:02000040 .set var_8, -8
.text:02000040 .set var_4, -4
.text:02000040 .set arg_4, 4
.text:02000040
.text:02000040 mflr r0 # Move from link register
.text:02000044 stwu r1, -0x20(r1) # Store Word with Update
.text:02000048 stw r31, 0x20+var_4(r1) # Store Word
.text:0200004C stw r30, 0x20+var_8(r1) # Store Word
.text:02000050 mr. r31, r3 # Move Register
.text:02000054 stw r0, 0x20+arg_4(r1) # Store Word
.text:02000058 bne loc_200006C # Branch if not equal
.text:0200005C li r3, 0x1388 # Load Immediate
.text:02000060 bl sub_2057098 # Branch
.text:02000064 mr. r31, r3 # Move Register
.text:02000068 beq loc_2000194 # Branch if equal
.text:0200006C
.text:0200006C loc_200006C: # CODE XREF: sub_2000040+18j
.text:0200006C mr. r3, r31 # Move Register
.text:02000070 bne loc_2000084 # Branch if not equal
.text:02000074 li r3, 1 # Load Immediate
.text:02000078 bl sub_2057098 # Branch
.text:0200007C cmpwi r3, 0 # Compare Word Immediate
.text:02000080 beq loc_200008C # Branch if equal
.text:02000084
.text:02000084 loc_2000084: # CODE XREF: sub_2000040+30j
.text:02000084 lis r10, dword_1004EA00@ha # Load Immediate Shifted
.text:02000088 stw r3, dword_1004EA00@l(r10) # Store Word
.text:0200008C
.text:0200008C loc_200008C: # CODE XREF: sub_2000040+40j
.text:0200008C li r30, 0 # Load Immediate
.text:02000090 stw r30, 0(r31) # Store Word
.text:02000094 addic. r3, r31, 8 # Add Immediate Carrying
.text:02000098 sth r30, 4(r31) # Store Half Word
.text:0200009C bne loc_20000B0 # Branch if not equal
.text:020000A0 li r3, 0x124 # Load Immediate
.text:020000A4 bl sub_2057098 # Branch
.text:020000A8 cmpwi r3, 0 # Compare Word Immediate
.text:020000AC beq loc_20000B4 # Branch if equal
.text:020000B0
.text:020000B0 loc_20000B0: # CODE XREF: sub_2000040+5Cj
.text:020000B0 stw r30, 0(r3) # Store Word
.text:020000B4
.text:020000B4 loc_20000B4: # CODE XREF: sub_2000040+6Cj
.text:020000B4 addic. r3, r31, 0x12C # Add Immediate Carrying
.text:020000B8 bne loc_20000CC # Branch if not equal
.text:020000BC li r3, 0x2DC # Load Immediate
.text:020000C0 bl sub_2057098 # Branch
.text:020000C4 cmpwi r3, 0 # Compare Word Immediate
.text:020000C8 beq loc_20000D0 # Branch if equal
.text:020000CC
.text:020000CC loc_20000CC: # CODE XREF: sub_2000040+78j
.
I don't think this would be the place to start discussions about generic coding, as most everyone here is only interested in kexploits and the like.
There used to be a great place for coding discussions and learning how to hack at "Interesting Devices", like Game Consoles, Satellite Receivers and so on, but it seems to have faded away into the ether...
(I'm still looking for something like the old ID-Discussions site.)
P.S., if you are going to post code segments, please use spoiler tags.
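An added example, not part of the original posts: a Python pre-disassembly check for the point made in the reply above. It shows that the bytes behind the x86-64 listing at seg000:0140 in the first post are the ASCII string posted next to it, and reads processor and byte order from an ELF-style header. The sample bytes, the header and every function name are constructed for illustration, and the header check assumes the file under analysis begins with a standard ELF identification block.

```python
import struct

# Constructed sample: the bytes that assemble to the x86-64 instructions the
# first post lists at seg000:0140-015A (52 = push rdx, 6F = outsd, 74 2D = jz +2Dh).
SAMPLE_0X140 = bytes.fromhex(
    "52 6f 6f 742d 43 413030 3030 3030 3033 2d43503030 3030 3030 306200"
)

# Constructed 20-byte header: ELF magic, 32-bit class, big-endian data,
# e_type = 2, e_machine = 20 (PowerPC). Not taken from any real file.
PPC_HEADER = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9) + struct.pack(">HH", 2, 20)

EI_CLASS = {1: "32-bit", 2: "64-bit"}
EI_DATA = {1: "little endian", 2: "big endian"}
E_MACHINE = {3: "x86", 20: "PowerPC", 21: "PowerPC64", 40: "ARM", 62: "x86-64"}


def ascii_runs(blob, base=0, min_len=8):
    """Return (address, text) for every printable-ASCII run of min_len+ bytes."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((base + start, blob[start:i].decode("ascii")))
            start = None
    return runs


def text_fraction(blob):
    """Share of bytes that are printable ASCII; near 1.0 means data, not code."""
    if not blob:
        return 0.0
    return sum(1 for b in blob if 0x20 <= b <= 0x7E) / len(blob)


def elf_target(header):
    """Return (machine, class, byte order) from an ELF header, or None."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    cls, data = header[4], header[5]
    if data not in EI_DATA:
        return None
    # e_machine is a 16-bit field at offset 18, stored in the file's byte order.
    (machine,) = struct.unpack_from(">H" if data == 2 else "<H", header, 18)
    return (E_MACHINE.get(machine, f"unknown({machine})"),
            EI_CLASS.get(cls, "unknown"),
            EI_DATA[data])


if __name__ == "__main__":
    for addr, text in ascii_runs(SAMPLE_0X140, base=0x140):
        print(f"{addr:#06x}: string {text!r}, do not disassemble")
    print(f"printable fraction: {text_fraction(SAMPLE_0X140):.2f}")
    print("processor to select:", elf_target(PPC_HEADER))
```

Running the string check before trusting a listing catches the case where a disassembler set to the wrong processor turns a text field into plausible-looking instructions.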
Hey you were into satellite hacking? What forums did you use to rock on?
I was on ID-Discussions, worked on RCA IRD's for DTV mostly (did the RCA420 ZKT and UnWink hacks and a few CFW's for TiVo, Dish and DTV)
aka PCR20
cfw for dtv? how?
Same way I'm working now on Wii-U, using a complete copy of the firmware in IDA Pro then using a simulator to trace and make the changes I want.
Right now I have a complete IDA Pro decode of FW.IMG, along with fully de-crypted and decoded BOOT0 and BOOT1 segments.
Code:
NOTE 0000000000000934 0000000000000BE0 R . . . L dword 01 public DATA 32 00 47
RAM 0000000000010000 0000000000040000 R W . . . byte 01 public DATA 32 00 01
IOS_CRYPTO 0000000004000000 0000000004017020 R . X . L dword 03 public CODE 32 00 47
IOS_CRYPTO 0000000004020000 0000000004023F70 R . . . L dword 04 public DATA 32 00 47
IOS_CRYPTO 0000000004024000 0000000004024ED4 R W . . L 64byte 05 public DATA 32 00 47
IOS_CRYPTO 0000000004025000 000000000402E5C0 R W . . L 64byte 06 public BSS 32 00 47
IOS_MCP 0000000005000000 00000000050598F0 R . X . L dword 07 public CODE 32 00 47
IOS_MCP 0000000005060000 000000000506FFC4 R . . . L 64byte 08 public DATA 32 00 47
IOS_MCP 0000000005070000 0000000005073420 R W . . L 64byte 09 public DATA 32 00 47
IOS_MCP 0000000005074000 00000000050BC574 R W . . L 64byte 0A public BSS 32 00 47
IOS_MCP(D_R) 0000000005100000 0000000005115D6C R . X . L dword 0B public CODE 32 00 47
IOS_KERNEL 0000000008120000 0000000008135000 R . X . L para 0C public CODE 32 00 47
IOS_KERNEL 0000000008140000 0000000008142478 R . . . L para 0D public DATA 32 00 47
IOS_KERNEL 0000000008143000 0000000008150000 R W . . L para 0E public DATA 32 00 47
IOS_KERNEL 0000000008150000 00000000081B1230 R W . . L byte 0F public BSS 32 00 47
NAND 000000000D010000 000000000D010020 R W . . . byte 01 public DATA 32 00 01
AES 000000000D020000 000000000D020014 R W . . . byte 01 public DATA 32 00 01
SHA 000000000D030000 000000000D030014 R W . . . byte 01 public DATA 32 00 01
BOOT1 000000000D400000 000000000D40F000 R . X . L byte 49 public CODE 32 00 49
BOOT0 000000000D40F000 000000000D414000 R . X . L byte 48 public CODE 32 00 48
GPIO 000000000D800000 000000000D8005C0 R W . . . byte 01 public DATA 32 00 01
DRAMCtrl 000000000D8B0000 000000000D8B0009 R W . . . byte 01 public DATA 32 00 01
GP_BSS 0000000010000000 0000000010100000 R W . . L byte 10 public BSS 32 00 47
IOS_USB 0000000010100000 00000000101312D0 R . X . L dword 11 public CODE 32 00 47
IOS_USB 0000000010140000 0000000010144694 R . . . L dword 12 public DATA 32 00 47
IOS_USB 0000000010145000 00000000101450DC R W . . L dword 13 public DATA 32 00 47
IOS_USB 0000000010146000 00000000104C54E8 R W . . L 32byte 14 public BSS 32 00 47
IOS_FS 0000000010700000 00000000107F81C4 R . X . L dword 15 public CODE 32 00 47
IOS_FS 0000000010800000 0000000010833B6C R . . . L 32byte 16 public DATA 32 00 47
IOS_FS 0000000010834000 00000000108345D0 R W . . L dword 17 public DATA 32 00 47
IOS_FS 0000000010835000 0000000011C3B554 R W . . L byte 18 public BSS 32 00 47
IOS_PAD 0000000011F00000 0000000011F85770 R . X . L dword 19 public CODE 32 00 47
IOS_PAD 0000000011FC0000 0000000011FD40B0 R . . . L dword 1A public DATA 32 00 47
IOS_PAD 0000000011FD5000 0000000011FF8234 R W . . L dword 1B public DATA 32 00 47
IOS_PAD 0000000011FF9000 000000001215841C R W . . L mempage 1C public BSS 32 00 47
IOS_NET 0000000012300000 0000000012431844 R . X . L dword 1D public CODE 32 00 47
IOS_NET 0000000012440000 00000000124688E8 R . . . L dword 1E public DATA 32 00 47
IOS_NET 0000000012469000 00000000124690E4 R W . . L dword 1F public DATA 32 00 47
IOS_NET 000000001246A000 00000000124C531D R W . . L dword 20 public DATA 32 00 47
IOS_NET 00000000124C6000 000000001288D028 R W . . L 64byte 21 public BSS 32 00 47
Global_heap 000000001D000000 000000001FB00000 ? ? ? . L byte 02 public DATA 32 00 47
Global_IOB 000000001FB00000 000000001FE00000 R W . . L dword 22 public DATA 32 00 47
Unknown 000000001FE00000 000000001FE14EF4 R W . . L 32byte 23 public DATA 32 00 47
Unknown 000000001FE40000 0000000020000000 R W . . L byte 24 public BSS 32 00 47
Unknown 0000000020000000 0000000028000000 R W . . L byte 25 public BSS 32 00 47
IOS_ACP 00000000E0000000 00000000E00DB65C R . X . L dword 26 public CODE 32 00 47
IOS_ACP 00000000E0100000 00000000E012088C R . . . L dword 27 public DATA 32 00 47
IOS_ACP 00000000E0121000 00000000E0121124 R W . . L dword 28 public DATA 32 00 47
IOS_ACP 00000000E0122000 00000000E0122650 R W . . L dword 29 public DATA 32 00 47
IOS_ACP 00000000E0123000 00000000E0261F10 R W . . L 64byte 2A public BSS 32 00 47
IOS_NSEC 00000000E1000000 00000000E1090D08 R . X . L dword 2B public CODE 32 00 47
IOS_NSEC 00000000E10C0000 00000000E10E13B4 R . . . L dword 2C public DATA 32 00 47
IOS_NSEC 00000000E10E2000 00000000E10E3734 R W . . L dword 2D public DATA 32 00 47
IOS_NSEC 00000000E10E4000 00000000E12E83B8 R W . . L 32byte 2E public BSS 32 00 47
IOS_NIM_BOSS 00000000E2000000 00000000E22651E0 R . X . L dword 2F public CODE 32 00 47
IOS_NIM_BOSS 00000000E2280000 00000000E22C8934 R . . . L dword 30 public DATA 32 00 47
IOS_NIM_BOSS 00000000E22C9000 00000000E22C9264 R W . . L dword 31 public DATA 32 00 47
IOS_NIM_BOSS 00000000E22CA000 00000000E22CA604 R W . . L dword 32 public DATA 32 00 47
IOS_NIM_BOSS 00000000E22CB000 00000000E26C89F0 R W . . L 64byte 33 public BSS 32 00 47
IOS_FPD 00000000E3000000 00000000E316BA14 R . X . L dword 34 public CODE 32 00 47
IOS_FPD 00000000E3180000 00000000E31AC78C R . . . L dword 35 public DATA 32 00 47
IOS_FPD 00000000E31AD000 00000000E31AD150 R W . . L dword 36 public DATA 32 00 47
IOS_FPD 00000000E31AE000 00000000E31AE9D0 R W . . L dword 37 public DATA 32 00 47
IOS_FPD 00000000E31AF000 00000000E32FCA94 R W . . L 64byte 38 public BSS 32 00 47
IOS_TEST 00000000E4000000 00000000E4019704 R . X . L dword 39 public CODE 32 00 47
IOS_TEST 00000000E4040000 00000000E4045AE8 R . . . L dword 3A public DATA 32 00 47
IOS_TEST 00000000E4046000 00000000E404605C R W . . L dword 3B public DATA 32 00 47
IOS_TEST 00000000E4047000 00000000E415823C R W . . L 32byte 3C public BSS 32 00 47
IOS_AUXIL 00000000E5000000 00000000E500FD64 R . X . L dword 3D public CODE 32 00 47
IOS_AUXIL 00000000E5040000 00000000E504328C R . . . L dword 3E public DATA 32 00 47
IOS_AUXIL 00000000E5044000 00000000E50446E4 R W . . L dword 3F public DATA 32 00 47
IOS_AUXIL 00000000E5045000 00000000E506E900 R W . . L 32byte 40 public BSS 32 00 47
IOS_BSP 00000000E6000000 00000000E6010A80 R . X . L dword 41 public CODE 32 00 47
IOS_BSP 00000000E6040000 00000000E6041B90 R . . . L dword 42 public DATA 32 00 47
IOS_BSP 00000000E6042000 00000000E6046990 R W . . L dword 43 public DATA 32 00 47
IOS_BSP 00000000E6047000 00000000E60481F4 R W . . L dword 44 public BSS 32 00 47
Unknown 00000000E7000000 00000000E7001000 R W . . L dword 45 public DATA 32 00 47
Unknown 00000000EFF00000 00000000EFF08000 R W . . L byte 46 public BSS 32 00 47
Kernel_SRAM 00000000FFFF0000 00000000FFFFEB0C R W X . L dword 47 public CODE 32 00 47
Still working on getting all of the Data Segments inserted for Boot0/Boot1 - but I'm getting there.
I have clean fully decoded copies of both linked into my FW.IMG image.
.
Cool to see more devs with magical powers working too.
Maybe we can see a cfw/emunand soon without needing to wait for Hykem.
Please correct the spelling of Hykem's name in your post above.
As I have said many times before, there would be nothing without the work that Hykem is doing now.
What he is posting on wiiubrew is pure gold.
If you knew how many hours/days/weeks/months it takes to do this type of thing, you would be in awe of what he has accomplished.
He has the highest respect possible from me.
-dl
I'm still debating whether to update to 5.5.1 or stay on 5.5.0
It's virtually the same, only a so-called "browser fix".
Hello,
Qlutoo on Twitter:
Introducing a new unit -- one gbatemp: 1 kernel exploit found per 100 000 users
What does it mean?
That gbatemp needs more new users. Every 100k new users = another kernel exploit that will not be released
Stuff like that doesn't work as well when you're on DarkTemp
this is serious stuff
eh, I wasn't even being serious