FlashHax Wii

From GameBrew
FlashHax

General

  • Author: Fullmetal5
  • Type: Exploits
  • Version: 2018
  • License: GPL-3.0
  • Last Updated: 2018/04/01

FlashHax is a method to enable homebrew on a Wii without the need for any hardware modifications. It is achieved by using the Wii's Internet Channel to download and run the HackMii Installer. This exploit requires that the Internet Channel be present on the Wii.

User guide

Requirements:

  • A broadband connection.
  • The Internet Channel.

Instructions:

  • Go to the Internet Channel, then go to flashhax.com.
  • Select your region.
  • Bookmark the page and open the bookmark for FlashHax.
  • The Wii will download the HackMii Installer. After that, the rest is simple, assuming you know how to use the HackMii Installer.
    • Your Wii may freeze during this step, and you will have to try again.

How it works

FlashHax is an exploit that takes advantage of a bug in Flash that allows modifying a property after it has been released from memory (a use-after-free). This is done by placing the property on a text field, attempting to decode it to something else, and having an event listener detect when the property is modified. When it is modified, the event listener is called, which deletes the text field and releases all memory associated with it, including the property. This allows a new value to be placed in the freed memory.

This exploit may seem insignificant at first, as allocated memory often has junk values before it is initialized. However, when memory is freed in Flash, it is overwritten with a pointer to the next object that must be freed. If this value is overwritten after it enters the freeing queue, the garbage collection thread can be redirected to another location.

FlashHax uses this ability to redirect the garbage collection thread to a specific memory address, allowing any memory address to be modified by pointing the next pointer there. However, it is important to ensure that the chain does not go past the desired location, as the garbage collector will also attempt to follow the "pointer" at the previous value.
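The free-list behaviour described in the two paragraphs above, shown with a toy allocator in C. This is an added example and not FlashHax or Flash Player code; the arena, block size and function names are constructed for illustration. It shows why a write through a stale reference into a freed block changes where the allocator (standing in here for the garbage collector) walks next, and how a check that the stored link still points inside the heap catches the tampering before any foreign address is handed out.

```c
/* Toy free-list allocator: a freed block stores the pointer to the next free
 * block in its own first word, so a write through a dangling reference changes
 * where the allocator walks next. Constructed demo, not Flash or Wii code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_BLOCKS 4
#define BLOCK_SIZE   32

typedef struct {
    unsigned char mem[ARENA_BLOCKS * BLOCK_SIZE]; /* backing storage */
    void *free_head;                               /* first free block */
} arena_t;

/* Freed blocks keep their "next free" link in the first word; memcpy avoids
 * alignment and aliasing problems on the raw byte array. */
static void *read_next(const void *blk) { void *p; memcpy(&p, blk, sizeof p); return p; }
static void  write_next(void *blk, void *next) { memcpy(blk, &next, sizeof next); }

static void arena_init(arena_t *a) {
    memset(a->mem, 0, sizeof a->mem);
    a->free_head = NULL;
    for (int i = ARENA_BLOCKS - 1; i >= 0; i--) {   /* thread every block onto the list */
        void *blk = a->mem + i * BLOCK_SIZE;
        write_next(blk, a->free_head);
        a->free_head = blk;
    }
}

static void arena_free(arena_t *a, void *blk) {
    write_next(blk, a->free_head);   /* the block now holds the link the walker follows */
    a->free_head = blk;
}

/* Naive allocation: trusts whatever link is stored in the freed block. */
static void *arena_alloc(arena_t *a) {
    void *blk = a->free_head;
    if (blk == NULL) return NULL;
    a->free_head = read_next(blk);
    return blk;
}

/* Mitigation: only follow links that point at a block boundary inside the
 * arena (the idea behind "safe unlinking" in production allocators). */
static int ptr_in_arena(const arena_t *a, const void *p) {
    uintptr_t lo = (uintptr_t)a->mem, hi = lo + sizeof a->mem, v = (uintptr_t)p;
    return v >= lo && v < hi && ((v - lo) % BLOCK_SIZE) == 0;
}

static void *arena_alloc_checked(arena_t *a, int *corrupted) {
    void *blk = a->free_head;
    *corrupted = 0;
    if (blk == NULL) return NULL;
    void *next = read_next(blk);
    if (next != NULL && !ptr_in_arena(a, next)) {
        *corrupted = 1;              /* link tampered with: stop instead of walking there */
        return NULL;
    }
    a->free_head = next;
    return blk;
}

/* A "text field" is freed while a reference to it survives; the stale
 * reference then writes into the freed block. Returns 1 if the naive
 * allocator subsequently handed out memory outside its own arena. */
int demo_dangling_write_unchecked(void) {
    static char outside[BLOCK_SIZE];          /* stand-in for memory the arena does not own */
    arena_t a;
    arena_init(&a);
    char *text = arena_alloc(&a);
    strcpy(text, "hello");
    arena_free(&a, text);                     /* released, but `text` still points at it */
    write_next(text, outside);                /* dangling write replaces the free-list link */
    void *first  = arena_alloc(&a);           /* hands back text's old block */
    void *second = arena_alloc(&a);           /* follows the corrupted link */
    (void)first;
    return second == (void *)outside && !ptr_in_arena(&a, second);
}

/* Same sequence against the checked allocator. Returns 1 if the corruption
 * was detected before any foreign address was returned. */
int demo_dangling_write_checked(void) {
    static char outside[BLOCK_SIZE];
    arena_t a;
    arena_init(&a);
    char *text = arena_alloc(&a);
    arena_free(&a, text);
    write_next(text, outside);
    int corrupted = 0;
    void *got = arena_alloc_checked(&a, &corrupted);
    return corrupted == 1 && got == NULL;
}

int main(void) {
    printf("naive allocator returned foreign memory: %d\n", demo_dangling_write_unchecked());
    printf("checked allocator detected corruption:   %d\n", demo_dangling_write_checked());
    return 0;
}
```

The naive path is the behaviour the text describes: the second allocation lands wherever the stale reference pointed. The checked path refuses to walk a link that leaves the arena, which is the kind of free-list validation that turns this class of bug into a crash or logged error rather than a write primitive.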

The exploit then chooses an address to overwrite, such as a pointer to an OSThread, which allows for control of the OSContext and potentially the program counter and link register. However, the exploit is limited to using up to two ROP gadgets, as the stack pointer is stored in a register that is overwritten by the garbage collector and can't be controlled. The goal is then to find a way to place the stack pointer at a controlled location.

Media

[Wii] How To Use Flashhax (SD-Less Homebrew Install) (DarkFlare)

Changelog

3.0 2018/04/01

  • Supports all regions (hopefully).
  • ROP chain doesn't depend on region anymore.
  • Payload should be able to be arbitrary sizes now.
  • Landing page looks much better.
