Hacking Wii U Hacking & Homebrew Discussion

FM360

Well hopefully there is an exploit for Smash 4 but we can only hope.

Smash 4 is not exploitable in any way except the pictures menu. But the game will check to see if the pictures are actual pictures. Plus, Nintendo learned from their mistakes and the Smash 4 stage builder can no longer access the SD card so we are fucked if we try to exploit that game. (sad violin plays)
 

YugamiSekai

Smash 4 is not exploitable in any way except the pictures menu. But the game will check to see if the pictures are actual pictures. Plus, Nintendo learned from their mistakes and the Smash 4 stage builder can no longer access the SD card so we are fucked if we try to exploit that game. (sad violin plays)
If there was a way to manipulate the security to not check the pictures..... :blink: WHO KNOWS HOW STAGE BUILDER WAS EXPLOITED?!?!!?
 

VinsCool

If there was a way to manipulate the security to not check the pictures..... :blink: WHO KNOWS HOW STAGE BUILDER WAS EXPLOITED?!?!!?

They have to match a checksum (or something like that) of their following .bin files.
 

VinsCool

I can attempt to find an exploit in the pictures

Good luck. TSK tried, but he aborted, because of some sort of "md5 encryption" (I mean, what O.o, how is this possible?)
 

Mr. Mysterio

Maybe if Smash Bros gets disassembled and we find out what creates the hash, it might be possible to find another entrypoint later on

It should be possible to disassemble the RPX either from the ROM or Wii U RAM. The ROM RPX would probably be easier to get, but observing the Wii U RAM might give more insight into the algorithms.
 

Pyrii

Isn't Smash Bros one of the few titles that actually gets updates? I'd have thought it'd only be a vector for short-term exploits, ones that allow hackers entry to the system to find something more long-term.

I also don't seem to see people pointing out to these people wanting a single exploit that hackers usually don't want to disclose so they can keep an exploit wild. Having a working exploit allows access to the system and makes it much easier to find other exploits. You don't want to play your hand and end up losing all your cards. So I suppose that's one reason for no open vectors yet. Plus finding something that Nintendo can't patch out is a challenge.
 

NWPlayer123

Tried and failed to reverse engineer the TexConv2 algos. If anyone else wants to try, I'll gladly contribute what I know. The important things are the pitch, swizzle, and tile mode. Tile mode (at least for BFLIM files) is always 4, which is 8x8x1 tiles. If you want to convert ^l files (what I was using to test) which are just RGBA32 blocks. So each block is 8*8*4 bytes, which is 256 or 0x100. Nice big chunk to work with. I'm unsure if it needs pipe and bank swizzles or just the individual swizzle (which depending on where in the program is either multiplied by 0x100 or just a plain number (i.e. 0x700 or 7, which is also the highest a swizzle can be)). The important function is GX2CopySurfaceSW which comes from TC2ConvertTiling which is from TexConvert.cpp from the SDK (line 856). I got to AddrComputeSurfaceAddrFromCoord from there with the x and y loops for each pixel/tile. You'll also need http://lists.freedesktop.org/archives/mesa-dev/2015-April/082255.html which is the whole of AddrLib. The Z index needs to be 0 for the first chunk at 0x0 to be hit (otherwise it's 1). Sorry if this is arranged terribly, it's just everything I've spent the last 6 freaking hours staring at. Not gonna try to mess with this anymore.
 

VinsCool

Tried and failed to reverse engineer the TexConv2 algos. If anyone else wants to try, I'll gladly contribute what I know. The important things are the pitch, swizzle, and tile mode. Tile mode (at least for BFLIM files) is always 4, which is 8x8x1 tiles. If you want to convert ^l files (what I was using to test) which are just RGBA32 blocks. So each block is 8*8*4 bytes, which is 256 or 0x100. Nice big chunk to work with. I'm unsure if it needs pipe and bank swizzles or just the individual swizzle (which depending on where in the program is either multiplied by 0x100 or just a plain number (i.e. 0x700 or 7, which is also the highest a swizzle can be)). The important function is GX2CopySurfaceSW which comes from TC2ConvertTiling which is from TexConvert.cpp from the SDK (line 856). I got to AddrComputeSurfaceAddrFromCoord from there with the x and y loops for each pixel/tile. You'll also need http://lists.freedesktop.org/archives/mesa-dev/2015-April/082255.html which is the whole of AddrLib. The Z index needs to be 0 for the first chunk at 0x0 to be hit (otherwise it's 1). Sorry if this is arranged terribly, it's just everything I've spent the last 6 freaking hours staring at. Not gonna try to mess with this anymore.

I don't understand, but thank you :)
 

Mr. Mysterio

Tried and failed to reverse engineer the TexConv2 algos. If anyone else wants to try, I'll gladly contribute what I know. The important things are the pitch, swizzle, and tile mode. Tile mode (at least for BFLIM files) is always 4, which is 8x8x1 tiles. If you want to convert ^l files (what I was using to test) which are just RGBA32 blocks. So each block is 8*8*4 bytes, which is 256 or 0x100. Nice big chunk to work with. I'm unsure if it needs pipe and bank swizzles or just the individual swizzle (which depending on where in the program is either multiplied by 0x100 or just a plain number (i.e. 0x700 or 7, which is also the highest a swizzle can be)). The important function is GX2CopySurfaceSW which comes from TC2ConvertTiling which is from TexConvert.cpp from the SDK (line 856). I got to AddrComputeSurfaceAddrFromCoord from there with the x and y loops for each pixel/tile. You'll also need http://lists.freedesktop.org/archives/mesa-dev/2015-April/082255.html which is the whole of AddrLib. The Z index needs to be 0 for the first chunk at 0x0 to be hit (otherwise it's 1). Sorry if this is arranged terribly, it's just everything I've spent the last 6 freaking hours staring at. Not gonna try to mess with this anymore.

Where can I find TexConv2?
 

ma777

Just had an interesting idea. Has anyone reverse engineered the Game pad protocol to stream TO a laptop? E.g. use your laptop to control the Wii U. I know it has been done the other way around. If we can inject code through pictures (like the PSP TIFF exploit) couldn't we just use a webcam to do the same? In Nintendo Land you can put up a PIP of yourself playing. If we can't get the Wii U to connect to a laptop, we could take the game pad apart. Reverse engineer how the camera works and send a modified image or whatever through it? A little bit hardware/software exploit. I doubt the front facing camera would have security checks.

Or maybe you could force the game pad to send some unsupported resolution and point to somewhere else?
 
