IOS Reboot POC by Hilary Clinton - Homebrew App Store (wiiu)


IOS Reboot POC
by Hilary Clinton

    Version: 1.0
    Zip size: 13 KiB
    License: none
    Updated: 30/01/2025
    Downloads: 2,030
    MD5: 6808c0c7f409b673ebd5b9d65e65624e

App Details

Hi guys. Below is an implementation of the userland IOSU exploit on the wiki. It demonstrates a simple ROP chain which will call the shutdown syscall from within IOS_USB and restart your console. (5.5.1 only.) I'm posting this here in the hope that someone might build on this and get privileged execution on the ARM, perhaps by implementing the IOS_CreateThread exploit that is detailed on the wiki, and then share it publicly.

How this works is described in detail on the wiki, but you might like to know that the ROP chain overwrites the return address for the subroutine at 0x1011D968. The return address is at 0x1016AD40. The thread's stack is within the range [0x1015AE50, 0x1016AE50). You might also like to know that MEM1 is mapped R/W on the PPC side at 0xF4000000 and on the ARM side at 0x00000000.

Changelog

n/a