forked from smealum/haxchi
-
Notifications
You must be signed in to change notification settings - Fork 41
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
now includes a homebrew launcher loader! credits to the original go t…
…o dimok compiles in once piece now to a directly usable rom.zip
- Loading branch information
Showing
34 changed files
with
3,183 additions
and
531 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,18 @@ | ||
.PHONY := all haxchi/haxchi_code.bin | ||
.PHONY := all code550.bin | ||
|
||
all: haxchi.srl | ||
all: WUP-N-DAAP.nds | ||
|
||
haxchi/haxchi_code.bin: | ||
@cd haxchi_code && make clean && make && cd .. | ||
code550.bin: | ||
@cd hbl_loader && make && cd .. | ||
|
||
haxchi_rop_hook.bin haxchi_rop.bin: haxchi/haxchi_code.bin haxchi_rop.s | ||
haxchi_rop_hook.bin haxchi_rop.bin: code550.bin haxchi_rop.s | ||
armips haxchi_rop.s | ||
|
||
haxchi.srl: haxchi_rop_hook.bin haxchi_rop.bin haxchi.s | ||
WUP-N-DAAP.nds: haxchi_rop_hook.bin haxchi_rop.bin haxchi.s | ||
armips haxchi.s | ||
zip -JXjq9 rom.zip WUP-N-DAAP.nds | ||
|
||
clean: | ||
@rm -f *.bin haxchi.srl | ||
@rm -f *.bin WUP-N-DAAP.nds rom.zip | ||
@cd hbl_loader && make clean && cd .. | ||
@echo "all cleaned up !" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,42 +1,26 @@ | ||
# haxchi | ||
|
||
haxchi is an exploit for the Nintendo DS virtual console emulator on Wii U (hachihachi). it is possible due to "contenthax", a vulnerability in the wii u's title integrity design: only code and critical descriptors are signed, with all other contents left at the mercy of attackers. this can be exploited simply by asking IOSU to copy over files in /content/ directories on either MLC or USB. contenthax can also be exploited from powerpc userland by using the MCP_CopyTitle command (not all processes have access, but for example home menu and system settings have it). as there is no integrity data for that content, CopyTitle cannot validate the malicious content and will therefore happily copy it from SD card to MLC or USB if asked. | ||
|
||
it is likely that virtually all apps can be exploited in some way through contenthax, due to developers being less likely to program defensively against content that they should be the only ones to have control over. the Nintendo DS virtual console app was selected for this exploit because it has the ability to dynamically emit executable code. as a nice bonus, hachihachi includes symbols for its code. haxchi exploits a bug in the emulator's rom loader, and basically gets it to perform arbitrary memcpy operations. from there, achieving code execution is trivial given that there is no ASLR in place. | ||
|
||
note that haxchi was my first time doing PPC ROP so... yeah | ||
|
||
## coldboothax | ||
|
||
haxchi (and indeed any other contenthax) can be used to achieve persistent automatic unsigned code execution on the wii u. this is due to the fact that the wii u can be configured to boot into any given title simply by modifying a file on the SLC. the file in question is sys/config/system.xml, and `<default_title_id type="hexBinary" length="8">...</default_title_id>` can be set to any arbitrary title ID, such as hachihachi's. | ||
|
||
**NOTE**: it is *very* easy to brick a wii u by messing with this file, so don't do it unless you really know what you're doing. | ||
This is a ported version of the haxchi exploit created by smea and others for the european release of brain training. | ||
In addition to being ported it also includes a homebrew launcher loader as its payload so you can use it for a lot of things. | ||
|
||
## install process | ||
|
||
haxchi can be very easily installed using iosuhax's wupclient. for example, if hachihachi is installed to the MLC, it suffices to do: | ||
``` | ||
w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/101A5600/content/0010/rom.zip") | ||
w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/10179C00/content/0010/rom.zip") | ||
``` | ||
of course, using wupclient to install haxchi permanently requires that redNAND be disabled, unless hachihachi is installed to USB, in which case it can be installed from redNAND using: | ||
``` | ||
w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/101A5600/content/0010/rom.zip") | ||
``` | ||
coldboothax can be installed by downloading system.xml as so: | ||
``` | ||
w.dl("/vol/system/config/system.xml") | ||
``` | ||
modifying it, and then uploading it back: | ||
``` | ||
w.up("system.xml", "/vol/system/config/system.xml") | ||
w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/10179C00/content/0010/rom.zip") | ||
``` | ||
|
||
## contents | ||
|
||
* haxchi_code: basic demo (native code) | ||
* haxchi_rop.s: hachihachi process ROP which will emit haxchi_code as executable | ||
* hbl_loader: a loader which will load up the homebrew launcher from sd card | ||
* haxchi_rop.s: hachihachi process ROP which will emit hbl_loader as executable | ||
* haxchi.s: generates a malicious SRL file | ||
|
||
## credit | ||
|
||
smea, plutoo, yellows8, naehrwert and derrek | ||
smea, plutoo, yellows8, naehrwert, derrek, FIX94 and dimok | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.