hexFW - A custom firmware framework for the Wii U
C Python Assembly PHP Makefile HTML Other
Latest commit 092e481 Dec 6, 2016 @hexkyz committed on GitHub Update README.md
Permalink
Failed to load latest commit information.
firmware Implementing version 0.0.1 Dec 6, 2016
launcher Initial commit Nov 7, 2016
Makefile Initial commit Nov 7, 2016
README.md Update README.md Dec 6, 2016

README.md

hexFW

hexFW is an attempt to provide a user friendly CFW solution for the Wii U.

Summary

The code in this repository is divided into two main folders:

  • "firmware": IOSU patching framework
  • "launcher": exploit code chain responsible for injecting the patched IOSU image

Currently, iosuhax (by smealum) is the basis for the firmware patching framework. This project's goal is to build upon smealum's patching system to deliver a fully functional and customizable Wii U CFW. The exploit chain used to inject the firmware's code uses yellows8's wiiu_browserhax_fright and is a direct implementation of two distinct vulnerabilities documented by hykem, naehrwert and plutoo. The exploit is compiled using a stripped down version of the libwiiu project and is triggered from the Wii U's Web Browser.

Dependencies

Building

  • Place your retail "fw.img" file (encrypted or decrypted but with the header attached) inside the folder "firmware/img".
  • Copy "armips.exe" into the root of the "firmware" folder.
  • Edit "firmware/scripts/anpack.py" and manually replace the dummy ancast keys with the real ones.
  • Browse back to the main folder ("hexFW") and run "make" from a shell.

Usage

  • After building the project a new folder "bin" will be created in the root folder ("hexFW") as well as two sub-folders "www" and "sdcard".
  • Copy the "fw.img" file inside "sdcard" into the root of your SD card (FAT32 formatted, preferably).
  • Setup a server (e.g.: localhost:8080) and host the contents of "www". After inserting the SD card (with the firmware image) into the Wii U, browse to "wiiu_browserhax.php" and pass along your target system's version (e.g.: localhost:8080/wiiu_browserhax.php?sysver=550).
  • The launcher will run ("fwboot") and launch the firmware image from the SD card.

hexcore

hexcore is the default program distributed with hexFW. It's code is injected into IOS-MCP and runs in a dedicated thread, similar to how the old wupserver works. Upon launching the generated "fw.img", you will be presented with a barebones recovery console with the following options:

  • Dump OTP -> Dumps your console's OTP into the SD card
  • Dump SEEPROM -> Dumps your console's SEEPROM into the SD card
  • Dump SLC/SLCCMPT -> Dumps a raw image of the SLC and SLCCMPT into the SD card
  • Launch wupserver -> Sets up wupserver and proceeds with booting sysNAND
  • Shutdown -> Simply shuts the console down
  • Credits -> Displays the credits page for 10 seconds

You can browse the options' list by pressing the "Eject" button and confirm by pressing the "Power" button. Please note that this is still a work in progress and is meant to showcase the potential for a complete CFW solution. More functionalities will be added in time and the general mode of operation may change at any time.

Credits