WiiBrew

HackMii Installer/Obfuscation

Page Discussion
< HackMii Installer
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

The HackMii Installer has several layers of obfuscation, including the outermost WiiPax layer. This page aims to document other layers.

Exploit functions

v1.0 contains 3 possible paths to install BootMii-IOS when loading, all of which are deobfuscated in-place when needed.

IOS requests

IOS_Ioctl/IOS_Ioctlv requests

The installer contains a large number (880) of ioctl and ioctlv calls to /dev/di, /dev/sdio, /dev/net/kd/request, /dev/stm/immediate, and /dev/es, most of which are invalid. It is likely that a few of the calls in this list are responsible for exploits, since no other code to trigger an exploit exists before post-exploit code. 

struct obfuscatedRequest {
	u16 ioctlNum;
	s8 rmNum; // 1 = di, 2 = sdio, 3 = kd, 4 = stm, 5 = es. Positive number means ioctl, negative number means ioctlv.
	u8 inCount;
	u8 ioCount;
	u8 vecs[9]; // index into a vec pool
}

Timing

Each request is given 40000000 Broadway clock cycles to complete before a security error is flagged. Depending on whether the error occurs during the IOS_Open or IOS_Ioctl phase, a different value is stored in the IPC error global (which gets printed as failed to install BootMii/IOS for the installer (2, RET, IPC_ERROR)).

For the IOS_Open phase, this is the error global format:

Bit(s) Description
0 Summary timing error
1 Summary IOS error
2-19 Should be 0
19 /dev/sdio/slot0 IOS error
20 /dev/stm/immediate IOS error
21 /dev/net/kd/request IOS error
22 /dev/di IOS error
23 /dev/es IOS error
24-26 Should be 0
27 /dev/sdio/slot0 timing error
28 /dev/stm/immediate timing error
29 /dev/net/kd/request timing error
30 /dev/di timing error
31 /dev/es timing error

For IOS_Ioctl errors, the format is simpler:

Bit(s) Description
0-15 Signed RM index
16-31 Ioctl number
Retrieved from "https://wiibrew.org/w/index.php?title=HackMii_Installer/Obfuscation&oldid=118177"