Line 5:
Line 5:
== IOS requests ==
== IOS requests ==
+
=== IOS_Ioctl/IOS_Ioctlv requests ===
The installer contains a large number (880) of ioctl and ioctlv calls to [[:/dev/di]], [[:/dev/sdio]], [[:/dev/net/kd/request]], [[:/dev/stm/immediate]], and [[:/dev/es]], most of which are invalid. It is likely that a few of the calls in this list are responsible for exploits, since no other code to trigger an exploit exists before post-exploit code.
The installer contains a large number (880) of ioctl and ioctlv calls to [[:/dev/di]], [[:/dev/sdio]], [[:/dev/net/kd/request]], [[:/dev/stm/immediate]], and [[:/dev/es]], most of which are invalid. It is likely that a few of the calls in this list are responsible for exploits, since no other code to trigger an exploit exists before post-exploit code.
Line 16:
Line 17:
}
}
</pre>
</pre>
+
+
=== Timing ===
+
Each request is given 40000000 [[Broadway]] clock cycles to complete before a security error is flagged. Depending on whether the error occurs during the IOS_Open or IOS_Ioctl phase, a different value is stored in the IPC error global (which gets printed as <code>failed to install BootMii/IOS for the installer (2, RET, IPC_ERROR)</code>).
+
+
For the IOS_Open phase, this is the error global format:
+
+
{| class="wikitable"
+
! Bit(s)
+
! Description
+
|-
+
| 0
+
| Summary timing error
+
|-
+
| 1
+
| Summary IOS error
+
|-
+
| 2-19
+
| Should be 0
+
|-
+
| 19
+
| [[:/dev/sdio/slot0]] IOS error
+
|-
+
| 20
+
| [[:/dev/stm/immediate]] IOS error
+
|-
+
| 21
+
| [[:/dev/net/kd/request]] IOS error
+
|-
+
| 22
+
| [[:/dev/di]] IOS error
+
|-
+
| 23
+
| [[:/dev/es]] IOS error
+
|-
+
| 24-26
+
| Should be 0
+
|-
+
| 27
+
| [[:/dev/sdio/slot0]] timing error
+
|-
+
| 28
+
| [[:/dev/stm/immediate]] timing error
+
|-
+
| 29
+
| [[:/dev/net/kd/request]] timing error
+
|-
+
| 30
+
| [[:/dev/di]] timing error
+
|-
+
| 31
+
| [[:/dev/es]] timing error
+
|}
+
+
For IOS_Ioctl errors, the format is simpler:
+
+
{| class="wikitable"
+
! Bit(s)
+
! Description
+
|-
+
| 0-15
+
| Signed RM index
+
|-
+
| 16-31
+
| Ioctl number
+
|}
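Review bot: In the IOS_Open error table, the "2-19 / Should be 0" row overlaps the next row, "19 / [[:/dev/sdio/slot0]] IOS error", so bit 19 is documented as both reserved and meaningful. The reserved range presumably should read 2-18, in the same way that 24-26 sits cleanly between bits 23 and 27. Both tables should also state the bit numbering convention (whether bit 0 is the most or the least significant bit), because without it a reader cannot decode the IPC_ERROR value printed in the failure message. Finally, the request list paragraph names [[:/dev/sdio]] while this table names [[:/dev/sdio/slot0]]. Either use one name or explain the difference.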