Hacking Awesome WiiU hacking theories!

Cyan


SifJar

If you want, you can download the titles with NUS Downloader. The encryption key is different though, so you can't unpack them yet or otherwise do anything meaningful. We're probably going to have to wait until either someone dumps them in decrypted form off a vWii, or until we know what the key is.

My guess would be that they are still encrypted with the same key as the Wii (otherwise, the key for the WiiMode would be different, and Wii games wouldn't work), but then re-encrypted with a WiiU key. These things are installed from the WiiU side of things, not directly in WiiMode, right? So the WiiU would decrypt its layer and then pass it on to the WiiMode to install.

But of course, that's just a guess. I'm sure far more knowledgeable individuals will unravel the secrets soon enough.
 

Arras

The WiiU has two wlan modules and one is dedicated for the gamepad.
Yeah, I think I read something to that effect in a quick teardown. A separate 802.11n for the pad. What I do not know is how this affects its ability to be used on a PC. Does that mean it's possible with normal wireless cards as long as they are not currently being used (so no laptops currently using Wifi)? As long as someone actually takes the time to write drivers, of course (which will probably take a pretty long time).
 

mumitroll

I was so free to create a wiiubrew logo for the wiki - hope u like it ^^;
 

Attachments

  • wiiubrew.png

techboy

HCVA = Return to WiiU
HCUx = Wii menu Manual

http://wiiubrew.org/wiki/Title_database
That answers that. When I checked that site yesterday, there weren't any pages besides the front page and a bunch of "To be populated".

Where's that "Wii System Transfer" channel come from though, built into the menu? I wonder how it'd behave if that were installed onto a Wii and then used. I suspect it'd either crash or spit out an error, but it'd be interesting to try nonetheless.

A syscheck log of a vWii would be interesting, but IIRC the app needs extra rights.

My guess would be that they are still encrypted with the same key as the Wii (otherwise, the key for the WiiMode would be different, and Wii games wouldn't work), but then re-encrypted with a WiiU key. These things are installed from the WiiU side of things, not directly in WiiMode, right? So the WiiU would decrypt its layer and then pass it on to the WiiMode to install.
If that's the case, we'll be better off extracting them once the vWii is hacked, at least until in-roads are made on the Wii U side.

That brings up another question...will AHBPROT still work on a vWii to get "Direct sandbox access"? I'm thinking not, since there was no legitimate use for it on a Wii outside the factory.
 

flouri

what if it's possible for a movable (from wii to wii U) channel to be hacked/created from a versatile-proven Wii to take advantage of a loophole on the Wii U when it is copied during the moving process?
 

techboy

what if it's possible for a movable (from wii to wii U) channel to be hacked/created from a versatile-proven Wii to take advantage of a loophole on the Wii U when it is copied during the moving process?
The Wii U transfer app validates titles before moving them. If you modify the channel in an effort to pack something funny inside, the signature becomes invalid. The transfer app won't even try to move it if it's been messed with.
 

RocketRobz

Anybody try stack smash yet? Also, even if we find an exploit that works, I'm guessing we will need a new version of the HackMii installer just like we have for the last two or three Wii updates. The most interesting thing at this point would be to see if they somehow segregated the NAND, or if the Wii mode could dump the whole thing.
Smash Stack DOES work on Wii U.
 

Supercool330

Has anybody tried to use Smash Stack to launch Casper to launch BootMii to launch the Hackmii Installer (MINI version) to install the HBC? As soon as I find an SD card that works I will give this a shot.
 

Cyan

What about Riivolution? Someone tested it? It doesn't require ahbprot from HBC (I already used it with HBC1.0.6)
It's using official IOS 37 (though, depending on how Riivolution is working, it may need a rebuild to match the new IOS folder's name, or new IOS version)

Maybe it needs to decrypt/resign it, in which case it will not work.
(I don't know enough about Riivolution internals, I'm just wondering which homebrew are working or not).
 

Supercool330

The real roadblock is that the IOS exploit that the Hackmii installer was using is blocked. From what I understand, Riivolution and Casper use a different IOS exploit (the same one apparently). Unfortunately the plan I posted above won't work as the Wii U has no reset button (Marcan's joke wasn't totally wrong). The real question is if Riivolution or Casper will launch at all. If they do, then we will at least know that the IOS exploit they use is still present. Fortunately, I'm a moron sometimes, and I forgot that MINI just loads the PPC elf by name.

Also, did anybody ever find anything interesting using a filesystem browser? It wasn't able to see any of the Wii U stuff, was it?
 

SifJar

You don't need the reset button. Take the boot_mini.elf file and rename it "ppcboot.elf", replace the one in the "BootMii" folder with that one, and as soon as you load Casper it should load HackMii Installer. (By doing this, you replace the BootMii GUI ["Ceiling Cat"] with the HackMii Installer).

I think Riivolution is hardcoded to only use specific revisions of IOS37, so it will probably give some error. I'm not sure about Casper.
 

Supercool330

Oh right, I was thinking you had to use the launch thing inside bootmii, but you're right, simply replacing the ppc elf loaded by MINI is a way better plan.

OK, so somebody that has a working SD card should give this a shot.
Download Smash Stack and put the private directory at the root of your SD card (like normal)
Download Hackmii Installer and put bootmini.elf at SD :/bootmii/ppcboot.elf
Download Casper and put casper_X.Y.elf (where X and Y are version numbers) at SD :/boot.elf
Download MINI (armboot.bin) and put it at SD :/bootmii_ios.bin
Then, load up super smash bros and run the exploit like normal.
I will run by my local computer store and grab a couple SD cards later today to give this a shot.
I would be surprised if this works, but not overly so.

Note: SD paths have an extra space in them to prevent smiley substitution.
 

techboy

Anyone tried installing a wad to their vWii with WAD manager?
Unsigned stuff will fail because the signature bug does not exist.

As for official stuff...that's a good question. Anyone tried installing an Internet Channel or Wii Speak Channel wad downloaded from NUS? Those shouldn't need any patched IOS or special permissions since they're signed correctly.
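
The validation the posts above rely on (a modified channel has an invalid signature and is refused, and unsigned WADs fail), shown as a simplified model. This is an added example, not part of any post and not Nintendo's code: the manifest layout, the toy RSA key, the sample contents and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed demo key from two Mersenne primes: far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                # public key, all a validator needs
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer


def sha1(data):
    return hashlib.sha1(data).digest()


def build_manifest(contents):
    """Hypothetical manifest: the 20-byte SHA-1 of each content, concatenated."""
    return b"".join(sha1(c) for c in contents)


def sign(manifest):
    """Textbook RSA over the manifest digest (no padding, illustration only)."""
    return pow(int.from_bytes(sha1(manifest), "big"), D, N)


def validate_title(manifest, signature, contents):
    """Return 'ok' or the reason the title is refused."""
    if signature is None:
        return "rejected: unsigned"
    expected = int.from_bytes(sha1(manifest), "big")
    if not 0 <= signature < N or pow(signature, E, N) != expected:
        return "rejected: bad signature"
    hashes = [manifest[i:i + 20] for i in range(0, len(manifest), 20)]
    if len(hashes) != len(contents):
        return "rejected: content count mismatch"
    for index, (stored, data) in enumerate(zip(hashes, contents)):
        # Compare the full 20-byte digests, never a prefix of them.
        if stored != sha1(data):
            return "rejected: content %d modified" % index
    return "ok"


# Constructed sample title: two small contents standing in for channel files.
ORIGINAL = [b"channel banner", b"channel executable"]
MANIFEST = build_manifest(ORIGINAL)
SIGNATURE = sign(MANIFEST)
TAMPERED = [ORIGINAL[0], b"channel executable + extra data"]

if __name__ == "__main__":
    print(validate_title(MANIFEST, SIGNATURE, ORIGINAL))
    print(validate_title(MANIFEST, SIGNATURE, TAMPERED))
    print(validate_title(build_manifest(TAMPERED), SIGNATURE, TAMPERED))
```

Changing a content breaks its hash in the signed manifest, and re-hashing the manifest to match breaks the signature, which cannot be regenerated without the private exponent.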
 
