The-Homebrew-Cloud/wiiuhaxx_common
2
0
Fork 0
mirror of https://github.com/wiiu-env/wiiuhaxx_common.git synced 2024-12-18 12:11:50 +01:00
Code Issues Packages Projects Releases Wiki Activity
f8882d4f93
wiiuhaxx_common/README.md
orboditilt e58e1d902a Fix a link in the README
2019-01-06 18:12:03 +01:00

113 lines
5.2 KiB
Markdown
Raw Blame History

# README
This fork is supposed a common base for Wii U ROP-chains.
## Building
Before using the ROP-chain, some files need to be compiled/generated, you can do it with `make`.
The makefile expects some binaries/files.
- `bin/ropgadget_patternfinder(.exe)` [Download](https://github.com/wiiu-env/ropgadget_patternfinder/releases)
- `bin/rpl2elf(.exe)` [Download](https://github.com/wiiu-env/rpl2elf/releases)
- `bin/FileDownloader.jar` [Download](https://github.com/wiiu-env/NUSFileDownloader/releases)
- `common.key` containing the retail Wii U common key (in binary form, 16 bytes).
When you have all needed files, you can use `make`.
On success, you can now find the following files:
- `wiiuhaxx_rop_sysver_*.php` one for each supported firmware.
- `wiiuhaxx_loader.bin`
# Original README
This is a common codebase for generating ROP-chains/etc for *seperate* Wii U PowerPC-userland exploits. This uses addresses auto-located from coreinit, with .php for each sysver that was pre-generated. This is basically a Wii U version of this: https://github.com/yellows8/3ds_browserhax_common
Currently only binary ROP-chains are supported, hence no support for using this easily with WebKit exploits. The core1-switch ROP here doesn't work correctly currently, hence this codebase isn't usable as-is unless the current core is already core1(which isn't the case for WebKit exploits it seems). In other words, this codebase is currently only usable with non-WebKit exploits. Hence the use of php, this is intended for running under browser-based titles, but could be used with others as well if the ROP-chain(s) are usable with them.
You must specify the "sysver={val}" URL parameter for pages using this codebase, for selecting your Wii U system-version:
* "532": 5.3.2
* "540": 5.4.0
* "550": 5.5.0 / 5.5.1
# Usage
This codebase uses config/etc names from the 3ds repo mentioned above.
If the exploit .php has to select a sysver without using the value selected with via the URL param, that could be done with the following for example(prior to using the require_once() for the common .php): "$sysver = 550;" DO NOT set $sysver to any data directly specified by the user.
The $ropchainselect field determines which ROP-chain to use. Only one ROP-chain is implemented currently. When this param isn't specified, the codebase will select the default ROP-chain(val1).
The default ROP-chain does the following(only usable with titles which have codegen access):
* 1) Runs the core1-switch ROP(see above).
* 2) Loads the codebin payload into the codegen/JIT area(with the required OSSwitchSecCodeGenMode() calls before/after), and does dcache/icache flushing/invalidation.
* 3) Pops addresses into registers which the codebin could then use, see source.
* 4) Jumps to the codebin payload.
* 5) See source.
The memory address of the codebin payload is required, see below. If the payload isn't guaranteed to always be at the exact same address all the time, storing a PowerPC NOP-sled right before the payload in memory is highly recommended(big-endian word value 0x60000000). The output of wiiuhaxx_generatepayload() is: wiiuhaxx_loader followed by the actual payload, with 4-byte alignment for the total size(see below).
Also note that this codebase *itself* does not need the address where the initial ROP-chain is located at all.
Example that the exploit .php can use:
```
<?php
...
require_once("wiiu_browserhax_common.php");
...
$generatebinrop = 1;
$payload_srcaddr = <address of payload codebin>;
$ROPHEAP = <some valid address the ROP can use for storing tmp data>;//Such as the following: $payload_srcaddr-0x1000.
generate_ropchain();
...
$payload = wiiuhaxx_generatepayload();//Binary codebin, include this in the output exploit so that it lands in memory usable by the ROP.
if($payload === FALSE)
{
header("HTTP/1.1 500 Internal Server Error");
die("The payload binary doesn't exist / is invalid.\n");
}
...
else if($i<{targetoffset})
{
$writeval = $ROP_POPJUMPLR_STACK12;//ROP NOP-sled.
}
else if($i=={targetoffset})
{
$con.= pack("N*", $ROP_POPJUMPLR_STACK12);
$con.= pack("N*", 0x48484848);//If LR ever gets loaded from here there's no known way to recover from that automatically, this code would need manually adjusted if that ever happens.
$i+= 0x8;
$con.= $ROPCHAIN;
$i+= strlen($ROPCHAIN)-4;
//Verify that the $ROPCHAIN isn't too large somewhere in here.
continue;
}
...
?>
```
A config file located at "wiiuhaxx_common_cfg.php" is also required.
* $wiiuhaxxcfg_payloadfilepath is the filepath for the actual codebin payload to run, this will be loaded to codegen+0.
* $wiiuhaxxcfg_loaderfilepath is the filepath for wiiuhaxx_loader.bin. This loads the above payload, since due to the NOP-sled the initial code which runs(wiiuhaxx_loader) won't (always) land at codegen+0. This can be built by running the following: "make OUTPATH={directorypath/filepath to copy the .bin to}".
For example:
```
<?php
$wiiuhaxxcfg_payloadfilepath = "<filepath for actual payload, such as wiiuhax_payload.bin, or for example: {projectdir}/bin/code550.bin>";//Remember that this is just an example, you can programmatically select the payload path by checking the request URL/etc if you want as well.
$wiiuhaxxcfg_loaderfilepath = "<filepath for wiiuhaxx_loader.bin>";
?>
```
Reference in New Issue View Git Blame Copy Permalink