The-Homebrew-Cloud/haxchi
2
0
Fork 0
mirror of https://github.com/wiiu-env/haxchi.git synced 2024-06-28 12:16:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

readme

Browse Source
This commit is contained in:
smea 2016-11-06 17:42:21 -08:00
parent 16d7c4507b
commit 37443ff760
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -1,6 +1,6 @@
# haxchi
haxchi is an exploit for the Nintendo DS virtual console emulator on Wii U (hachihachi). it is possible due to "contenthax", a vulnerability in the wii u's title integrity design: only code and critical descriptors are signed, with all other contents left at the mercy of attackers. this can be exploited simply by asking IOSU to copy over files in /content/ directories on either MLC or USB. contenthax can also be exploited from powerpc userland by using the MCP_CopyTitle command. as there is no integrity data for that content, CopyTitle cannot validate the malicious content and will therefore happily copy it from SD card to MLC or USB if asked.
haxchi is an exploit for the Nintendo DS virtual console emulator on Wii U (hachihachi). it is possible due to "contenthax", a vulnerability in the wii u's title integrity design: only code and critical descriptors are signed, with all other contents left at the mercy of attackers. this can be exploited simply by asking IOSU to copy over files in /content/ directories on either MLC or USB. contenthax can also be exploited from powerpc userland by using the MCP_CopyTitle command (not all processes have access, but for example home menu and system settings have it). as there is no integrity data for that content, CopyTitle cannot validate the malicious content and will therefore happily copy it from SD card to MLC or USB if asked.
it is likely that virtually all apps can be exploited in some way through contenthax, due to developers being less likely to program defensively against content that they should be the only ones to have control over. the Nintendo DS virtual console app was selected for this exploit because it has the ability to dynamically emit executable code. as a nice bonus, hachihachi includes symbols for its code. haxchi exploits a bug in the emulator's rom loader, and basically gets it to perform arbitrary memcpy operations. from there, achieving code execution is trivial given that there is no ASLR in place.
@ -8,7 +8,7 @@ note that haxchi was my first time doing PPC ROP so... yeah
## coldboothax
haxchi (and indeed any other contenthax) can be used to achieve persistent automatic unsigned code execution on the wii u. this is due to the fact that the wii u can be configured to boot into any given title simply by modifying a file on the SLC. the file in question is sys/config/system.xml, and <default_title_id type="hexBinary" length="8">...</default_title_id> can be set to any arbitrary title ID, such as hachihachi's.
haxchi (and indeed any other contenthax) can be used to achieve persistent automatic unsigned code execution on the wii u. this is due to the fact that the wii u can be configured to boot into any given title simply by modifying a file on the SLC. the file in question is sys/config/system.xml, and `<default_title_id type="hexBinary" length="8">...</default_title_id>` can be set to any arbitrary title ID, such as hachihachi's.
**NOTE**: it is *very* easy to brick a wii u by messing with this file, so don't do it unless you really know what you're doing.

0
haxchi.bat
View File