HackMii Installer/Obfuscation: Difference between revisions

From WiiBrew
Hallowizer

Revision as of 02:41, 22 August 2022

The HackMii Installer has several layers of obfuscation, including the outermost WiiPax layer. This page aims to document other layers.

Exploit functions

v1.0 contains 3 possible paths to install BootMii-IOS when loading, all of which are deobfuscated in place only when they are needed.

IOS requests

The installer contains a large number (880) of ioctl and ioctlv calls to /dev/di, /dev/sdio, /dev/net/kd/request, /dev/stm/immediate, and /dev/es, most of which are invalid. It is likely that a few of the calls in this list are responsible for the exploits, since no other code capable of triggering an exploit runs before the post-exploit code.

// u16/s8/u8 are the libogc fixed-width types (gctypes.h). Each record is 14 bytes.
struct obfuscatedRequest {
	u16 ioctlNum; // ioctl/ioctlv command number passed to the resource manager
	s8 rmNum; // 1 = di, 2 = sdio, 3 = kd, 4 = stm, 5 = es. Positive number means ioctl, negative number means ioctlv.
	u8 inCount; // number of input vectors
	u8 ioCount; // number of output vectors
	u8 vecs[9]; // index into a vec pool
};
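The following decoder is an added example and not code from the HackMii Installer or WiiBrew; it turns a raw table of obfuscatedRequest records into readable ioctl/ioctlv descriptions and flags entries that cannot be well-formed. It assumes the records are stored back to back with no padding in big-endian byte order (the Wii's PowerPC CPU), and the sanity checks (unknown rmNum, ioctlv needing more than the 9 vecs slots) are heuristics chosen here, not rules from the page. The sample table and its ioctl numbers are constructed.

```python
"""Decoder for the obfuscatedRequest table layout described on the page.

Assumptions (not stated on the page): records are packed back to back,
big-endian, 14 bytes each; inCount/ioCount give vector counts for ioctlv.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# rmNum -> resource manager path, taken from the struct comment on the page.
RM_PATHS = {
    1: "/dev/di",
    2: "/dev/sdio",
    3: "/dev/net/kd/request",
    4: "/dev/stm/immediate",
    5: "/dev/es",
}

# u16 ioctlNum, s8 rmNum, u8 inCount, u8 ioCount, u8 vecs[9] -> 14 bytes.
RECORD_FMT = ">HbBB9B"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 14
MAX_VECS = 9


@dataclass(frozen=True)
class ObfuscatedRequest:
    ioctl_num: int
    rm_num: int
    in_count: int
    io_count: int
    vecs: Tuple[int, ...]

    @property
    def device(self) -> str:
        return RM_PATHS.get(abs(self.rm_num), f"<unknown rm {self.rm_num}>")

    @property
    def is_ioctlv(self) -> bool:
        # Positive rmNum means ioctl, negative means ioctlv (page comment).
        return self.rm_num < 0

    def problems(self) -> List[str]:
        """Heuristic checks (assumed here): reasons an entry cannot be a
        well-formed request. An empty list means the entry looks plausible."""
        issues = []
        if abs(self.rm_num) not in RM_PATHS:
            issues.append("rmNum does not name a known resource manager")
        if self.is_ioctlv and self.in_count + self.io_count > MAX_VECS:
            issues.append("ioctlv needs more vectors than the 9 vecs[] slots")
        return issues

    def describe(self) -> str:
        call = "ioctlv" if self.is_ioctlv else "ioctl"
        return (f"{call}({self.device}, 0x{self.ioctl_num:04x}, "
                f"in={self.in_count}, io={self.io_count}, vecs={self.vecs})")


def parse_table(blob: bytes) -> List[ObfuscatedRequest]:
    """Split a raw byte table into records; a trailing partial record is an error."""
    if len(blob) % RECORD_SIZE:
        raise ValueError(f"table length {len(blob)} is not a multiple of {RECORD_SIZE}")
    out = []
    for off in range(0, len(blob), RECORD_SIZE):
        f = struct.unpack_from(RECORD_FMT, blob, off)
        out.append(ObfuscatedRequest(f[0], f[1], f[2], f[3], tuple(f[4:])))
    return out


def pack_record(ioctl_num: int, rm_num: int, in_count: int, io_count: int,
                vecs: Tuple[int, ...] = ()) -> bytes:
    """Build one record; used here only to construct sample input."""
    padded = tuple(vecs) + (0,) * (MAX_VECS - len(vecs))
    return struct.pack(RECORD_FMT, ioctl_num, rm_num, in_count, io_count, *padded)


def summarize(requests: List[ObfuscatedRequest]) -> Dict[str, Tuple[int, int]]:
    """Per device: (plausible entries, flagged entries)."""
    counts: Dict[str, Tuple[int, int]] = {}
    for r in requests:
        ok, bad = counts.get(r.device, (0, 0))
        counts[r.device] = (ok, bad + 1) if r.problems() else (ok + 1, bad)
    return counts


# Constructed sample table: ioctl numbers and vec indices are made up.
SAMPLE_TABLE = b"".join([
    pack_record(0x001C, 1, 1, 1, (0, 1)),           # ioctl to /dev/di
    pack_record(0x0007, -2, 2, 1, (3, 4, 5)),       # ioctlv to /dev/sdio
    pack_record(0x000C, 0, 0, 0),                   # rmNum 0: no such RM, flagged
    pack_record(0x0003, -5, 6, 5, tuple(range(9))), # ioctlv wanting 11 vecs, flagged
])

if __name__ == "__main__":
    for req in parse_table(SAMPLE_TABLE):
        flags = "; ".join(req.problems()) or "ok"
        print(f"{req.describe():60s} {flags}")
    print(summarize(parse_table(SAMPLE_TABLE)))
```

Running the block prints one line per record plus a per-device count, which is a quick way to separate the handful of plausible requests from the filler when looking at a table of this shape.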