Difference between revisions of "HackMii Installer/Obfuscation"
Hallowizer (Created page with 'The HackMii Installer has several layers of obfuscation, including the outermost WiiPax layer. This page aims to document other layers. == Exploit functions == v1....')
Hallowizer (added info on timing and the error global)
Latest revision as of 00:56, 28 August 2022
The HackMii Installer has several layers of obfuscation, including the outermost WiiPax layer. This page aims to document other layers.
Exploit functions
v1.0 contains 3 possible paths to install BootMii-IOS when loading, all of which are deobfuscated in-place when needed.
IOS requests
IOS_Ioctl/IOS_Ioctlv requests
The installer contains a large number (880) of ioctl and ioctlv calls to /dev/di, /dev/sdio, /dev/net/kd/request, /dev/stm/immediate, and /dev/es, most of which are invalid. It is likely that a few of the calls in this list are responsible for exploits, since no other code to trigger an exploit exists before post-exploit code.
```c
#include <stdint.h>

typedef uint16_t u16;
typedef int8_t   s8;
typedef uint8_t  u8;

struct obfuscatedRequest {
    u16 ioctlNum;
    s8  rmNum;      // 1 = di, 2 = sdio, 3 = kd, 4 = stm, 5 = es.
                    // Positive number means ioctl, negative number means ioctlv.
    u8  inCount;
    u8  ioCount;
    u8  vecs[9];    // index into a vec pool
};
```
Timing
Each request is given 40000000 Broadway clock cycles to complete before a security error is flagged. Depending on whether the error occurs during the IOS_Open or IOS_Ioctl phase, a different value is stored in the IPC error global (which gets printed as `failed to install BootMii/IOS for the installer (2, RET, IPC_ERROR)`).
For the IOS_Open phase, this is the error global format:
| Bit(s) | Description |
|---|---|
| 0 | Summary timing error |
| 1 | Summary IOS error |
| 2-19 | Should be 0 |
| 19 | /dev/sdio/slot0 IOS error |
| 20 | /dev/stm/immediate IOS error |
| 21 | /dev/net/kd/request IOS error |
| 22 | /dev/di IOS error |
| 23 | /dev/es IOS error |
| 24-26 | Should be 0 |
| 27 | /dev/sdio/slot0 timing error |
| 28 | /dev/stm/immediate timing error |
| 29 | /dev/net/kd/request timing error |
| 30 | /dev/di timing error |
| 31 | /dev/es timing error |
For IOS_Ioctl errors, the format is simpler:
| Bit(s) | Description |
|---|---|
| 0-15 | Signed RM index |
| 16-31 | Ioctl number |
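A decoder for the two error-global layouts above, added here as an example and not code from the installer or this wiki. The struct and field names are mine; because the IOS_Open table lists bit 19 both inside the "should be 0" range and as the /dev/sdio/slot0 IOS-error flag, the decoder assumes bit 19 is the sdio flag and treats only bits 2-18 and 24-26 as reserved.

```c
#include <stdint.h>
#include <stdio.h>

/* Devices in the order their IOS-error bits (19..23) and timing-error
 * bits (27..31) appear in the IOS_Open-phase error global. */
static const char *const rm_names[5] = {
    "/dev/sdio/slot0", "/dev/stm/immediate", "/dev/net/kd/request",
    "/dev/di", "/dev/es"
};

/* Decoded IOS_Open-phase error global (hypothetical field names). */
struct open_err {
    int summary_timing;   /* bit 0 */
    int summary_ios;      /* bit 1 */
    uint8_t ios_err;      /* bits 19-23; bit i of this byte = rm_names[i] */
    uint8_t timing_err;   /* bits 27-31; same indexing */
    int reserved_set;     /* nonzero if any "should be 0" bit is set */
};

struct open_err decode_open_error(uint32_t g) {
    struct open_err e;
    e.summary_timing = (int)(g & 1u);
    e.summary_ios    = (int)((g >> 1) & 1u);
    e.ios_err        = (uint8_t)((g >> 19) & 0x1fu);
    e.timing_err     = (uint8_t)((g >> 27) & 0x1fu);
    /* Assumption: bit 19 is the sdio flag, so reserved = bits 2-18 and 24-26. */
    e.reserved_set   = (g & ((0x1ffffu << 2) | (0x7u << 24))) != 0;
    return e;
}

/* Decoded IOS_Ioctl-phase error global (hypothetical field names). */
struct ioctl_err {
    int16_t  rm_index;   /* bits 0-15, signed like rmNum in obfuscatedRequest */
    uint16_t ioctl_num;  /* bits 16-31 */
};

struct ioctl_err decode_ioctl_error(uint32_t g) {
    struct ioctl_err e;
    e.rm_index  = (int16_t)(g & 0xffffu);
    e.ioctl_num = (uint16_t)(g >> 16);
    return e;
}

/* Walks a constructed sample value and names the devices that flagged errors. */
int main(void) {
    uint32_t sample = (1u << 0) | (1u << 1) | (1u << 22) | (1u << 30); /* constructed */
    struct open_err e = decode_open_error(sample);
    for (int i = 0; i < 5; i++)
        if (((e.ios_err >> i) & 1) || ((e.timing_err >> i) & 1))
            printf("%s: ios=%d timing=%d\n", rm_names[i],
                   (e.ios_err >> i) & 1, (e.timing_err >> i) & 1);
    return 0;
}
```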