Would this be possible?

Discussion in 'Wii - Hacking' started by SifJar, Apr 25, 2010.

  1. SifJar (OP)
    Hi there. I was thinking about apps which patch the System Menu in RAM and then load the patched version, and was wondering, would the same principle be applicable to IOS?

    For example, an app is run via bannerbomb (to have extra permissions over launching via HBC) which patches Trucha Bug, ES_DiVerify (ES_Identify) and NAND permissions into IOS36 in RAM then reloads to that IOS and allows you to do anything requiring those exploits (e.g. install Priiloader etc.) without ever installing a patched IOS to NAND?

    Or is only the System Menu binary accessible when identified as System Menu (i.e. launched via bannerbomb)?

    If the latter is the case, is this idea possible at all, even if you would need a patched IOS installed (if you only want one patched IOS, but need to load an app with another patched IOS)?

    Thanks if anyone can answer my questions.
  2. nicksasa
    You could do that through BootMii; cboot2 is an example of this.
  3. giantpune
    When you launch an app from bannerbomb, it is running on the PPC. It has no access to the memory which IOS is running in, except for the shared stuff the ARM and PPC use to talk back and forth. It would have to somehow exploit the IOS using IPC calls across the shared memory to get the currently running IOS to execute code that is not actually part of the IOS. Once you have a way to access the memory which you are not supposed to be able to access, you can find what part of the IOS you want to change and directly patch the currently running IOS to let you do stuff that you are not supposed to be able to do.

    The STM release exploit explained on the HackMii blog is an example of this. I assume Riivolution uses something like this as well.
  4. SifJar (OP)
    I'm assuming the STM release exploit is fixed now? I did try to read that post a while back, but it confused me.