From WiiUBrew
Revision as of 00:00, 12 November 2020 by Hallowizer2 (Created this page.)

Uhshax is a package that can be loaded by homebrew apps to gain root access and make system-level changes. It is used in Wuphax and Haxchi.

How it works

Uhshax exploits a bug in the code that fetches a USB hub: the hub index is checked to be no greater than 2, but there is no lower bound, so a negative index can point to an arbitrary location. Uhshax creates a fake hub in memory, then requests deactivation of that hub with a flag claiming it was activated before. The system tries to deactivate the fake hub and, in doing so, writes a value to an address, both of which are controlled by the fake hub. This write is used to replace a return address on a USB hub manager, throwing code execution back to the program, but with kernel access.
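The missing lower bound described above, shown as an added C example (not Uhshax or Wii U system code): the hub structure, function names and sample indices are constructed for illustration. It contrasts an upper-bound-only check with two corrected forms.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_HUB_INDEX 2   /* page: index must be no greater than 2 */

/* Constructed layout; the page does not give the real hub structure. */
struct hub { int active; void *state; };
static struct hub hub_table[MAX_HUB_INDEX + 1];

/* Flawed pattern: upper bound only. Returns 0 when the index is accepted and
 * reports the byte offset from hub_table a lookup would use. The offset is
 * computed arithmetically, so nothing out of bounds is dereferenced here. */
static int check_upper_only(int idx, ptrdiff_t *offset)
{
    if (idx > MAX_HUB_INDEX)
        return -1;
    *offset = (ptrdiff_t)idx * (ptrdiff_t)sizeof(struct hub);
    return 0;
}

/* Hardened: both bounds checked before a slot pointer is handed out. */
static struct hub *hub_get(int idx)
{
    if (idx < 0 || idx > MAX_HUB_INDEX)
        return NULL;
    return &hub_table[idx];
}

/* Same check as one comparison: a negative int converts to a huge unsigned. */
static struct hub *hub_get_unsigned(int idx)
{
    if ((unsigned int)idx > (unsigned int)MAX_HUB_INDEX)
        return NULL;
    return &hub_table[idx];
}

int main(void)
{
    const int samples[] = { 0, 2, 3, -1, -4096 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ptrdiff_t off = 0;
        int flawed = check_upper_only(samples[i], &off);
        printf("idx=%6d upper-only=%s offset=%td both=%s unsigned=%s\n",
               samples[i], flawed == 0 ? "accept" : "reject", off,
               hub_get(samples[i]) ? "accept" : "reject",
               hub_get_unsigned(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The upper-only check accepts every negative index and yields an offset before the start of the table, while both corrected lookups return NULL for it.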

Uhshax then replaces the system call handlers with its own, which respond to most system calls normally but provide extra access to IOCtl calls, allowing root code to be run from the running homebrew.