payload_loader/README.md


# Payload loader
This is a generic payload loader for the Wii U that loads an arbitrary payload from the SD card.
Currently it is hardcoded to load a `.elf` file from `sd:/wiiu/payload.elf`.
# Preconditions
This loader expects:
- to be able to run at `0x011DD000` (it is copied to this address and then executed),
- to be running inside Mii Maker (for the SD card access),
- the common `kern_write` (0x35) and `kern_read` (0x34) syscalls to be installed
  (hooks on `0xFFF02234` (write) / `0xFFF02214` (read) on FW 5.5.0+),
- the 0x09 syscall to be installed, which is expected to be a function that manipulates
  IBAT0 (`extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);`).
Running in any other application with SD access may also work, but the IBAT0 setup
may need to be adjusted (and set back to the original values at the end).
# Usage
A common usage for this would be to exploit an application, perform a kernel exploit
to obtain kernel read/write, and then somehow copy the sections of the payload
loader `.elf` file to the expected destination in memory, fulfilling the mentioned
preconditions.
After that, simply put the `.elf` to be loaded at `sd:/wiiu/payload.elf`.
The loaded `.elf` needs to be statically linked somewhere between `0x00800000`
and `0x01000000`. This whole area is mapped rwx for both user and supervisor
(kernel) mode and can be used.
**This mapping only lasts for this execution!** As soon as you leave the running
application (in this case the Mii Maker), the mapping will be reset and you will
lose access to the `0x00800000` region.
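Because the loader copies whatever `.elf` it finds on the SD card into memory, a practitioner would want to verify that the image actually honours the link-address requirement above before any segment is copied. The following is an added example and not part of this project's code: a small big-endian ELF32 checker that rejects images whose `PT_LOAD` segments (or entry point) fall outside `0x00800000..0x01000000`, are truncated, or would wrap past the end of the window. The window bounds, the negative reason codes and the sample image built by `make_sample_elf()` are assumptions made for this example.

```c
/* Added example, not part of the payload loader: check that a big-endian
 * ELF32 PowerPC image only asks to be loaded inside the window the README
 * requires (0x00800000..0x01000000) before any segment is copied. The
 * window bounds, the reason codes and the sample image built by
 * make_sample_elf() are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WINDOW_START 0x00800000u
#define WINDOW_END   0x01000000u      /* exclusive */
#define EHDR_SIZE 52                  /* ELF32 header */
#define PHDR_SIZE 32                  /* ELF32 program header */
#define ELFCLASS32  1
#define ELFDATA2MSB 2
#define EM_PPC      20
#define PT_LOAD     1

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Returns 0 when every PT_LOAD segment (and the entry point) lies inside
 * the window and inside the file; otherwise a negative reason code. */
int validate_payload_elf(const uint8_t *img, size_t len) {
    if (len < EHDR_SIZE) return -1;
    if (memcmp(img, "\x7f" "ELF", 4) != 0) return -2;
    if (img[4] != ELFCLASS32 || img[5] != ELFDATA2MSB) return -3;
    if (be16(img + 18) != EM_PPC) return -4;
    uint32_t e_entry = be32(img + 24), e_phoff = be32(img + 28);
    uint16_t e_phentsize = be16(img + 42), e_phnum = be16(img + 44);
    if (e_phentsize != PHDR_SIZE || e_phnum == 0) return -5;
    /* overflow-safe: the program header table must lie inside the file */
    if (e_phoff > len || (size_t)e_phnum * PHDR_SIZE > len - e_phoff) return -6;
    for (uint16_t i = 0; i < e_phnum; i++) {
        const uint8_t *ph = img + e_phoff + (size_t)i * PHDR_SIZE;
        if (be32(ph + 0) != PT_LOAD) continue;
        uint32_t p_offset = be32(ph + 4), p_vaddr = be32(ph + 8);
        uint32_t p_filesz = be32(ph + 16), p_memsz = be32(ph + 20);
        if (p_filesz > p_memsz) return -7;                          /* malformed */
        if (p_offset > len || p_filesz > len - p_offset) return -8; /* truncated file */
        if (p_vaddr < WINDOW_START) return -9;                      /* below the window */
        if (p_memsz > WINDOW_END - p_vaddr) return -10;             /* past the window or wraps */
    }
    if (e_entry < WINDOW_START || e_entry >= WINDOW_END) return -11;
    return 0;
}

/* Constructed sample: a minimal ET_EXEC with a single PT_LOAD segment. */
size_t make_sample_elf(uint8_t *buf, size_t cap, uint32_t vaddr, uint32_t memsz, uint32_t filesz) {
    size_t total = EHDR_SIZE + PHDR_SIZE + filesz;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = ELFCLASS32; buf[5] = ELFDATA2MSB; buf[6] = 1;  /* EV_CURRENT */
    put16(buf + 16, 2);                     /* e_type = ET_EXEC */
    put16(buf + 18, EM_PPC);
    put32(buf + 20, 1);                     /* e_version */
    put32(buf + 24, vaddr);                 /* e_entry */
    put32(buf + 28, EHDR_SIZE);             /* e_phoff */
    put16(buf + 40, EHDR_SIZE);             /* e_ehsize */
    put16(buf + 42, PHDR_SIZE);             /* e_phentsize */
    put16(buf + 44, 1);                     /* e_phnum */
    uint8_t *ph = buf + EHDR_SIZE;
    put32(ph + 0, PT_LOAD);
    put32(ph + 4, EHDR_SIZE + PHDR_SIZE);   /* p_offset: data follows the table */
    put32(ph + 8, vaddr); put32(ph + 12, vaddr);
    put32(ph + 16, filesz); put32(ph + 20, memsz);
    put32(ph + 24, 7);                      /* p_flags = RWX */
    put32(ph + 28, 4);                      /* p_align */
    return total;
}

/* Build a sample with the given layout and validate it in one step. */
int check_sample(uint32_t vaddr, uint32_t memsz, uint32_t filesz) {
    uint8_t buf[512];
    size_t n = make_sample_elf(buf, sizeof buf, vaddr, memsz, filesz);
    return n ? validate_payload_elf(buf, n) : -100;
}

int main(void) {
    printf("in window:       %d\n", check_sample(0x00800000u, 0x100, 16));
    printf("below window:    %d\n", check_sample(0x00400000u, 0x100, 16));
    printf("crosses end:     %d\n", check_sample(0x00FFFF00u, 0x200, 16));
    printf("filesz > memsz:  %d\n", check_sample(0x00800000u, 8, 16));
    return 0;
}
```

The check deliberately compares `p_memsz` against `WINDOW_END - p_vaddr` rather than computing `p_vaddr + p_memsz`, so a segment that would wrap around the 32-bit address space is rejected instead of passing by accident.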
# Compiling
In order to be able to compile this, you need to have
[devkitPPC](https://devkitpro.org/wiki/Getting_Started) installed via the following
pacman package:
```
pacman -Syu devkitPPC
```
Make sure the following environment variables are set:
```
DEVKITPRO=/opt/devkitpro
DEVKITPPC=/opt/devkitpro/devkitPPC
```
# Technical details
- This payload loader is supposed to be loaded somewhere between
`01000000..01800000` (virtual address); `0x011DD000...0x011E0000` should be free to use.
- The 0x09 syscall is used to set IBAT0 to map `01000000..01800000` (virtual address) to
`32000000..32800000` (physical address) with r/w for user and kernel.
This includes the region where the payload loader is, and allows us to register
and execute kernel syscalls.
- This setting is meant to match the original IBAT0 values (at least in Mii Maker),
but with r/w for the kernel. Resetting is not needed when using the Mii Maker,
but the values may need to be adjusted for other applications.
- Afterwards it's possible to register a custom syscall (we use 0x36 as it's unused)
to set up IBAT4 and DBAT5 to map `00800000..01000000` (virtual address) to
`30800000..31000000` (physical address) with r/w for user and supervisor.
This allows full user/kernel access to this region, for data and code.
- The mapping is done for all 3 cores.
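The two mappings listed above are expressed to the hardware as a BAT register pair (an upper and a lower word), which is what the `SC_0x09_SETIBAT0(upper, lower)` signature in the preconditions takes. The following is an added example, not code from this project, showing how such a pair is encoded from a virtual/physical range and block size in the classic 32-bit PowerPC BAT layout, how the MMU decides whether a pair covers an address, and which requests the hardware cannot express (unaligned blocks, non-power-of-two sizes, W or G bits on an instruction BAT). Treating the Wii U's Espresso core as standard 32-bit PowerPC for this layout, and the error codes, are assumptions of the example.

```c
/* Added example, not part of the payload loader: encode and decode a
 * 32-bit PowerPC BAT (block address translation) register pair so the
 * mappings described above can be checked before they are written to
 * hardware. Register layout (IBM bit numbering, 0 = MSB):
 *   upper: BEPI[0:14] | BL[19:29] | Vs[30] | Vp[31]
 *   lower: BRPN[0:14] | WIMG[25:28] | PP[30:31]
 * Assumption: the Wii U's Espresso core uses this classic 32-bit layout. */
#include <stdint.h>
#include <stdio.h>

#define BAT_PP_NONE 0u     /* no access */
#define BAT_PP_RO   1u     /* read-only (3 is also read-only) */
#define BAT_PP_RW   2u     /* read/write */
#define BAT_MISS    0xFFFFFFFFu

struct bat_result { int err; uint32_t upper, lower; };

/* Build a BAT pair; err < 0 means the hardware cannot express the request. */
struct bat_result bat_encode(uint32_t vaddr, uint32_t paddr, uint32_t size,
                             int user, int supervisor, unsigned wimg, unsigned pp,
                             int instruction_bat) {
    struct bat_result r = { 0, 0, 0 };
    /* Block length: a power of two from 128 KiB to 256 MiB. */
    if (size < 0x20000u || size > 0x10000000u || (size & (size - 1))) { r.err = -1; return r; }
    /* BEPI and BRPN must be aligned to the block length. */
    if ((vaddr & (size - 1)) || (paddr & (size - 1))) { r.err = -2; return r; }
    if (wimg > 0xFu || pp > 3u) { r.err = -3; return r; }
    /* IBATs must not set W or G; the MMU treats that as a programming error. */
    if (instruction_bat && (wimg & 0x9u)) { r.err = -4; return r; }

    uint32_t bl = (size >> 17) - 1;                 /* 8 MiB -> 0x3F */
    r.upper = (vaddr & 0xFFFE0000u) | (bl << 2) | (supervisor ? 2u : 0u) | (user ? 1u : 0u);
    r.lower = (paddr & 0xFFFE0000u) | (wimg << 3) | pp;
    return r;
}

/* Translate an effective address through one BAT pair the way the MMU
 * does: the valid bit for the current mode must be set and EA[0:14]
 * must equal BEPI on every bit that BL does not mask. Returns the
 * physical address, or BAT_MISS when the pair does not cover ea. */
uint32_t bat_translate(uint32_t upper, uint32_t lower, uint32_t ea, int supervisor) {
    uint32_t valid = supervisor ? (upper & 2u) : (upper & 1u);
    if (!valid) return BAT_MISS;
    uint32_t bl   = (upper >> 2) & 0x7FFu;
    uint32_t mask = 0xFFFE0000u & ~(bl << 17);      /* bits that must match BEPI */
    if ((ea & mask) != (upper & mask)) return BAT_MISS;
    return (lower & mask) | (ea & ~mask);           /* BRPN + offset inside the block */
}

/* Size in bytes covered by a pair, recovered from the BL field. */
uint32_t bat_block_size(uint32_t upper) {
    return (((upper >> 2) & 0x7FFu) + 1u) << 17;
}

int main(void) {
    /* The two mappings the README describes: user + supervisor, r/w, 8 MiB each. */
    struct bat_result ibat0 = bat_encode(0x01000000u, 0x32000000u, 0x800000u, 1, 1, 0, BAT_PP_RW, 1);
    struct bat_result ibat4 = bat_encode(0x00800000u, 0x30800000u, 0x800000u, 1, 1, 0, BAT_PP_RW, 1);
    printf("IBAT0 upper=%08x lower=%08x (%u MiB)\n", ibat0.upper, ibat0.lower,
           bat_block_size(ibat0.upper) >> 20);
    printf("IBAT4 upper=%08x lower=%08x\n", ibat4.upper, ibat4.lower);
    printf("0x011DD000 -> %08x\n", bat_translate(ibat0.upper, ibat0.lower, 0x011DD000u, 0));
    return 0;
}
```

For the README's own ranges the encoder yields `0x010000FF`/`0x32000002` for the IBAT0 mapping and `0x008000FF`/`0x30800002` for the `0x00800000` region; translating the loader address `0x011DD000` through the first pair lands at physical `0x321DD000`, while `0x00800000` misses it, which is why a second pair is needed for that region.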
# Credits
- orboditilt
- dimok789: Most parts (especially sd loading, elf copying) are based on the [homebrew launcher sd loader](https://github.com/dimok789/homebrew_launcher/tree/master/sd_loader).