HackMii Installer/Obfuscation
The HackMii Installer has several layers of obfuscation, including the outermost WiiPax layer. This page aims to document other layers.
Exploit functions
v1.0 contains 3 possible paths to install BootMii-IOS when loading, all of which are deobfuscated in place only when needed.
IOS requests
IOS_Ioctl/IOS_Ioctlv requests
The installer contains a large number (880) of ioctl and ioctlv calls to /dev/di, /dev/sdio, /dev/net/kd/request, /dev/stm/immediate, and /dev/es, most of which are invalid. A few of the calls in this list are likely the ones responsible for the exploits, since no other code that could trigger an exploit exists before the post-exploit code. Each entry is stored in the following compact form:
```c
struct obfuscatedRequest {
    u16 ioctlNum;
    s8  rmNum;    // 1 = di, 2 = sdio, 3 = kd, 4 = stm, 5 = es. Positive number means ioctl, negative number means ioctlv.
    u8  inCount;
    u8  ioCount;
    u8  vecs[9];  // index into a vec pool
};
```
Timing
Each request is given 40000000 Broadway clock cycles to complete before a security error is flagged. Depending on whether the error occurs during the IOS_Open or the IOS_Ioctl phase, a different value is stored in the IPC error global, which the installer prints in its "failed to install BootMii/IOS" message as (2, RET, IPC_ERROR).
For the IOS_Open phase, this is the error global format:
| Bit(s) | Description |
|---|---|
| 0 | Summary timing error |
| 1 | Summary IOS error |
| 2-19 | Should be 0 |
| 19 | /dev/sdio/slot0 IOS error |
| 20 | /dev/stm/immediate IOS error |
| 21 | /dev/net/kd/request IOS error |
| 22 | /dev/di IOS error |
| 23 | /dev/es IOS error |
| 24-26 | Should be 0 |
| 27 | /dev/sdio/slot0 timing error |
| 28 | /dev/stm/immediate timing error |
| 29 | /dev/net/kd/request timing error |
| 30 | /dev/di timing error |
| 31 | /dev/es timing error |
For IOS_Ioctl errors, the format is simpler:
| Bit(s) | Description |
|---|---|
| 0-15 | Signed RM index |
| 16-31 | Ioctl number |
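As an added example (not code from the installer itself) that ties the obfuscatedRequest layout above to the two error-global formats, the following C decodes a request entry into its device and ioctl/ioctlv kind, rebuilds and splits the IOS_Ioctl-phase error value, and expands an IOS_Open-phase error value into per-device flags while checking that the summary bits and reserved bits agree with the table. Bit 0 is assumed to be the least significant bit; the device order of the IOS_Open bits is taken from the table; `rm_paths`, `open_order` and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Wii-style fixed-width type names used by the struct on this page. */
typedef uint32_t u32; typedef uint16_t u16; typedef int16_t s16; typedef uint8_t u8; typedef int8_t s8;

struct obfuscatedRequest {
    u16 ioctlNum;
    s8  rmNum;    /* 1 = di, 2 = sdio, 3 = kd, 4 = stm, 5 = es; positive = ioctl, negative = ioctlv */
    u8  inCount;
    u8  ioCount;
    u8  vecs[9];  /* indices into the vec pool */
};
/* Device paths indexed by |rmNum|, in the order the struct comment gives (constructed table). */
static const char *rm_paths[] = { "?", "/dev/di", "/dev/sdio/slot0", "/dev/net/kd/request", "/dev/stm/immediate", "/dev/es" };
int request_is_ioctlv(const struct obfuscatedRequest *r) { return r->rmNum < 0; }
const char *request_device(const struct obfuscatedRequest *r) {
    int idx = abs(r->rmNum);
    return (idx >= 1 && idx <= 5) ? rm_paths[idx] : "?";
}
/* IOS_Ioctl-phase error global: bits 0-15 = signed RM index, bits 16-31 = ioctl number, i.e. it names the failed request. */
u32 ioctl_error_for(const struct obfuscatedRequest *r) { return ((u32)r->ioctlNum << 16) | (u16)(s16)r->rmNum; }
s16 ioctl_error_rm(u32 err)  { return (s16)(err & 0xFFFF); }
u16 ioctl_error_num(u32 err) { return (u16)(err >> 16); }

/* IOS_Open-phase error global, bit 0 = LSB (assumed). Per-device bits follow the table's order:
 * bits 19-23 = IOS error, bits 27-31 = timing error; bits 0 and 1 are the summary flags. */
static const char *open_order[] = { "/dev/sdio/slot0", "/dev/stm/immediate", "/dev/net/kd/request", "/dev/di", "/dev/es" };
/* Writes "ios:<dev>" / "timing:<dev>" entries separated by ';'; returns how many devices are flagged. */
int describe_open_error(u32 err, char *out, size_t n) {
    int count = 0; size_t used = 0; out[0] = '\0';
    for (int i = 0; i < 5 && used < n; i++) {
        if ((err >> (19 + i)) & 1) used += snprintf(out + used, n - used, "%sios:%s", count++ ? ";" : "", open_order[i]);
        if (used < n && ((err >> (27 + i)) & 1)) used += snprintf(out + used, n - used, "%stiming:%s", count++ ? ";" : "", open_order[i]);
    }
    return count;
}
/* Summary bits must agree with the per-device bits, and bits 2-18 / 24-26 must be clear
 * (the table's "2-19" overlaps bit 19, which the same table assigns to /dev/sdio/slot0). */
int open_error_consistent(u32 err) {
    u32 timing = (err & (0x1Fu << 27)) != 0, ios = (err & (0x1Fu << 19)) != 0;
    return (err & 1) == timing && ((err >> 1) & 1) == ios && (err & 0x0707FFFCu) == 0;
}
int open_error_matches(u32 err, const char *expected) {
    char buf[160];
    describe_open_error(err, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

An IOS_Ioctl-phase value can therefore be mapped straight back to the entry in the 880-call list that failed, which is the first thing to check when the installer reports the (2, RET, IPC_ERROR) message.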