Wii system flaws/Untested: Difference between revisions
Jump to navigation
Jump to search
Hallowizer (talk | contribs) removed disproved bug and added IOS_CreateHeap bug |
Hallowizer (talk | contribs) added the wii u IOS_CreateMessageQueue hack |
||
| Line 23: | Line 23: | ||
| IOS kernel code execution | | IOS kernel code execution | ||
| {{User|Hallowizer}} | | {{User|Hallowizer}} | ||
|- | |||
| IOS | |||
| IOS_CreateMessageQueue does not limit the number of messages. By specifying 2^30 messages, the buffer size would be 0 (2^32), so no memory range would be verified. The target address could then be written to with IOS_SendMessage. | |||
This flaw was originally discovered for the Wii U in 2016. | |||
| Arbitrary write as IOS kernel | |||
| {{User|Hallowizer}}; derrek, nedwill and naehrwert (Wii U) | |||
|} | |} | ||
Revision as of 03:17, 17 June 2022
These flaws have been identified but not yet tested.
| Location | Description | Uses of this bug | Discovered by |
|---|---|---|---|
| boot0 | boot0 has a common panic routine that runs under a number of scenarios, one of which is when the boot1 hash check fails. For unknown reasons, there is an extra jump to the normal boot1 loading code after panic returns (offset FFFF04E0), despite panic never having any possibility of returning. It may be possible to time a voltage attack correctly to skip over the jump-to-panic instruction, allowing for certain recovery software. | In theory, it should be possible to boot recovery software on IOS-bricked consoles that lack a NAND backup. | Hallowizer |
| System Menu | Attempting to copy Bannerbomb to the NAND (either through Data Management or the SD Card Menu) triggers the "/boot.dol not found" dialog. This has not been tested when a boot.dol is actually present, but Bannerbomb normally gives a prompt asking to confirm running the exploit before showing that screen. This is most likely some form of buffer overflow.
Interestingly, this does not work with Bannerbomb v1 on System Menu 4.2 or System Menu 4.3 (where the ? mark dummy banner shows instead); it is not clear if this is due to the Bannerbomb exploit being responsible for this, or due to the Wii automatically giving an error when copying any channel with a ? banner. |
Making stuff look like channels in the SD Menu, and copyable to NAND. | Hallowizer |
| IOS | IOS_CreateHeap initializes a HeapBlockHeader at the beginning of the heap when it is called, consisting of the words { 0xBABE0000, size - 0x10, 0x00000000, 0x00000000 }. However, it does not ensure that 0x10 bytes are available in the heap before doing so. By passing 0 for the size, the words { 0xBABE0000, 0xFFFFFFF0, 0x00000000, 0x00000000 } can be written to any address. By setting the beginning of the heap to 0xFFFE0034 or 0xFFFE0038, the main kernel thread's PC is set to 0, likely causing privileged execution in an area already controllable.
|
IOS kernel code execution | Hallowizer |
| IOS | IOS_CreateMessageQueue does not limit the number of messages. By specifying 2^30 messages, the buffer size would be 0 (2^32), so no memory range would be verified. The target address could then be written to with IOS_SendMessage.
This flaw was originally discovered for the Wii U in 2016. |
Arbitrary write as IOS kernel | Hallowizer; derrek, nedwill and naehrwert (Wii U) |