Wii system flaws/Untested: Difference between revisions

From WiiBrew
Jump to navigation Jump to search
← Older editNewer edit →
Hallowizer (talk | contribs)
5,579 edits
someone please test this immediately, i think my suspicion was correct
Hallowizer (talk | contribs)
5,579 edits
removed disproved bug and added IOS_CreateHeap bug
Line 10: Line 10:
| [[boot0]] has a common panic routine that runs under a number of scenarios, one of which is when the [[boot1]] hash check fails. For unknown reasons, there is an extra jump to the normal boot1 loading code after panic returns ([[boot0/Code dump|offset FFFF04E0]]), despite panic never having any possibility of returning. It may be possible to time a voltage attack correctly to skip over the jump-to-panic instruction, allowing for certain recovery software.
| [[boot0]] has a common panic routine that runs under a number of scenarios, one of which is when the [[boot1]] hash check fails. For unknown reasons, there is an extra jump to the normal boot1 loading code after panic returns ([[boot0/Code dump|offset FFFF04E0]]), despite panic never having any possibility of returning. It may be possible to time a voltage attack correctly to skip over the jump-to-panic instruction, allowing for certain recovery software.
| In theory, it should be possible to boot recovery software on IOS-bricked consoles that lack a NAND backup.
| In theory, it should be possible to boot recovery software on IOS-bricked consoles that lack a NAND backup.
| {{User|Hallowizer}}
|-
| [[IOS]]
| Using content type 0x2 probably disables verification of the hash tree. Must work on retail units, since 122E runs under a retail IOS9. Normally only present on dev TMDs, but dev TMDs have been released before (like 123J, 0000dead, 121J, 122E); these TMDs have hash <code>456767b68bd91a7a000000000000000000000000</code>, which is <code>Egg....z............</code>.
| Could possibly allow disc modifications, or even BootMii on newer Wiis. Note that BootMii won’t work with this alone, since [[boot1]] checks that the TMD's ID is 1-1, and none of the exploitable TMDs have that ID.
| {{User|Hallowizer}}
| {{User|Hallowizer}}
|-
|-
Line 22: Line 17:
Interestingly, this does not work with Bannerbomb v1 on [[System Menu 4.2]] or [[System Menu 4.3]] (where the ? mark dummy banner shows instead); it is not clear if this is due to the Bannerbomb exploit being responsible for this, or due to the Wii automatically giving an error when copying any channel with a ? banner.
Interestingly, this does not work with Bannerbomb v1 on [[System Menu 4.2]] or [[System Menu 4.3]] (where the ? mark dummy banner shows instead); it is not clear if this is due to the Bannerbomb exploit being responsible for this, or due to the Wii automatically giving an error when copying any channel with a ? banner.
| Making stuff look like channels in the SD Menu, and copyable to NAND.
| Making stuff look like channels in the SD Menu, and copyable to NAND.
| {{User|Hallowizer}}
|-
| [[IOS]]
| IOS_CreateHeap initializes a [[IOS/Kernel#Memory allocation|HeapBlockHeader]] at the beginning of the heap when it is called, consisting of the words <code>{ 0xBABE0000, size - 0x10, 0x00000000, 0x00000000 }</code>. However, it does not ensure that 0x10 bytes are available in the heap before doing so. By passing 0 for the size, the words <code>{ 0xBABE0000, 0xFFFFFFF0, 0x00000000, 0x00000000 }</code> can be written to any address. By setting the beginning of the heap to 0xFFFE0034 or 0xFFFE0038, the main kernel thread's PC is set to 0, likely causing privileged execution in an area already controllable.
| IOS kernel code execution
| {{User|Hallowizer}}
| {{User|Hallowizer}}
|}
|}

Revision as of 04:19, 7 June 2022

These flaws have been identified but not yet tested.

Location Description Uses of this bug Discovered by
boot0 boot0 has a common panic routine that runs under a number of scenarios, one of which is when the boot1 hash check fails. For unknown reasons, there is an extra jump to the normal boot1 loading code after panic returns (offset FFFF04E0), despite panic never having any possibility of returning. It may be possible to time a voltage attack correctly to skip over the jump-to-panic instruction, allowing for certain recovery software. In theory, it should be possible to boot recovery software on IOS-bricked consoles that lack a NAND backup. Hallowizer
System Menu Attempting to copy Bannerbomb to the NAND (either through Data Management or the SD Card Menu) triggers the "/boot.dol not found" dialog. This has not been tested when a boot.dol is actually present, but Bannerbomb normally gives a prompt asking to confirm running the exploit before showing that screen. This is most likely some form of buffer overflow.

Interestingly, this does not work with Bannerbomb v1 on System Menu 4.2 or System Menu 4.3 (where the ? mark dummy banner shows instead); it is not clear if this is due to the Bannerbomb exploit being responsible for this, or due to the Wii automatically giving an error when copying any channel with a ? banner.

Making stuff look like channels in the SD Menu, and copyable to NAND. Hallowizer
IOS IOS_CreateHeap initializes a HeapBlockHeader at the beginning of the heap when it is called, consisting of the words { 0xBABE0000, size - 0x10, 0x00000000, 0x00000000 }. However, it does not ensure that 0x10 bytes are available in the heap before doing so. By passing 0 for the size, the words { 0xBABE0000, 0xFFFFFFF0, 0x00000000, 0x00000000 } can be written to any address. By setting the beginning of the heap to 0xFFFE0034 or 0xFFFE0038, the main kernel thread's PC is set to 0, likely causing privileged execution in an area already controllable. IOS kernel code execution Hallowizer
Retrieved from "https://wiibrew.org/w/index.php?title=Wii_system_flaws/Untested&oldid=117216"