HackMii Installer/Obfuscation
< HackMii Installer
| This is an old revision of this page, as edited by Hallowizer (talk | contribs) at 03:41, 22 August 2022. It may differ significantly from the current revision. |
The HackMii Installer has several layers of obfuscation, including the outermost WiiPax layer. This page aims to document other layers.
Exploit functions
v1.0 contains 3 possible paths to install BootMii-IOS when loading, all of which are deobfuscated in-place when needed.
IOS requests
The installer contains a large number (880) of ioctl and ioctlv calls to /dev/di, /dev/sdio, /dev/net/kd/request, /dev/stm/immediate, and /dev/es, most of which are invalid. It is likely that a few of the calls in this list are responsible for exploits, since no other code to trigger an exploit exists before post-exploit code.
struct obfuscatedRequest {
u16 ioctlNum;
s8 rmNum; // 1 = di, 2 = sdio, 3 = kd, 4 = stm, 5 = es. Positive number means ioctl, negative number means ioctlv.
u8 inCount;
u8 ioCount;
u8 vecs[9]; // index into a vec pool
}