Hey all!
It's been a little while since 5.5.2 came out now, and while everything's settled down from my point of view I'm still seeing a lot of misinformation flying around. I figured I'd try to clear the air a bit and lay out what we know, what's being worked on and what you can do about it.
The Update
Let's start off with the update itself. Released on the 17th of June, software version 5.5.2 changed the Internet Browser, the AOC Overlay application and ErrEula. This was a big deal for homebrew since the updates to the Internet Browser fixed browserhax, the exploit that many were using to start running homebrew code. The changes to the other titles were largely inconsequential for our purposes.
You'll notice that it didn't change any IOSU-side code; which means that flaws in that section of the OS are still there. No changes were made to title verification, which means haxchi and wupinstaller still work exactly as before. No addresses changed, so existing CFWs work without issue. Additionally, all our exploits (other than browserhax) still work. CBHC also still works.
All of these have been verified by several people. If you're having problems after the update, you should ask for help in the relevant thread. Keep in mind that there may not be much you can do until another entrypoint is found; but it never hurts to ask.
If you haven't updated yet, you can choose to take the update or avoid it, depending on your situation. There are numerous threads already on ways to handle both pathways, so I won't reiterate here. One thing that is worth noting is that online play still works fine on 5.5.1, and the firmware can be spoofed for eShop access.
DIY Exploits
Since browserhax's patching sank in, some of you have started coming forward with ideas for new exploits that we could use. This is awesome, and it's been great (and vaguely humbling) to see ideas suggesting the exact thing I was looking into before reading them! That said, some of you need some more information for your ideas to be helpful. Please don't see this as discouragement! With a bit of background knowledge, your ideas are likely to be helpful and constructive, and avoid the ridicule that these things so often get. Let's get into it.
- Reading isn't controlling - Several applications on the Wii U get data from locations that we control - places like the Internet or the SD card. This doesn't necessarily mean that the code managing this is exploitable. Yes, it may be, but it isn't automatic. As an example, several applications read and write JPEG images to the SD. They'll either use a custom Nintendo library or the open source libjpeg-turbo to do this. While we can't know about the Nintendo library, libjpeg-turbo has only ever had two vulnerabilities serious enough for a CVE; neither of which achieve actual code execution. Thus, it's probably a waste of our time to try and blindly exploit this code that's been thoroughly checked by people trying to exploit it on PCs.
- Console-specific keys are everywhere - The USB and internal storage connected to a console is encrypted with a key from the OTP. This means that in order to read these drives, you need an OTP dump from the exact console that did the encryption. This is impossible for people on 5.5.2 to get hold of unless they dumped it before updating or currently have Haxchi installed. You can't share USBs between consoles, and PCs can only read them with programs still under development (more on that later).
- Don't withhold information - This isn't really about the Wii U itself - when you do end up bringing your idea forward, how you present it is important. If you make an entire thread about your idea, it's expected that you'll provide details, lest you be seen as faking it or crying for attention. We're all working together here, so there's no need to be secretive. Don't worry about being technical - there are people here who will understand, and those who don't simply won't read the tough bits. Stating that you've found a 'sploit without any other information is a one-way ticket to ragetown.
What's being done, and what can I do?
Here's a quick recap of the things I've noticed that are happening in the search for an entrypoint, with a few ideas for what you could do mixed in. This is just what I've seen, so if there's other stuff then please let me know.
- Good Ol' WebKit - WebKit is the engine powering the Internet Browser. It's a complex mess, and Nintendo are terrible at keeping it up to date. Thus, there are plenty of bugs (well-documented by PC security researchers) that are ripe for the picking. At this point, I know of at least three people who are working away at WebKit flaws - there's this guy, who's been running the tests that the WebKit developers write to check for bugs (something you can try too!); there's someone who hasn't publicly said anything looking at Pegasus (of PegaSwitch fame) with promising results; and a third person who can't say anything (and thus I won't either). If you want to play with WebKit, have a look at the link posted by OP in that thread I just showed - it should have all you need to start looking for bugs.
- Other outdated things, mainly libpng - This is where I've been looking. WebKit isn't the only thing that goes without updates - the vast majority of the libraries Nintendo use are several years old. I've been deducing which versions of the libraries the console uses and looking up their CVEs. There have been a few small leads. I've been posting updates on Twitter (link in my sig) but as a TL;DR: I'm currently on the lookout for any information about Sm4sh's use of PNGs (the screenshots are JPEGs). I'm also trying to figure out what the WebKit embedded into the Crunchyroll app is used for. Is there a browser hiding in there? If you can help with either of these things, please do!
- Haxchi as a Primary Entrypoint - This one's interesting - lots of ideas around on installing Haxchi without another exploit to run the installer with. These ideas involve things like modifying USB storage or system transfers. I hinted before that Wii U USB drives can actually be read from a PC - here's where that's being worked on. The implications in that post are a bit hard to read, but it seems to me that actually modifying a file is a while off yet. Even so, it's promising stuff; allowing any console with an OTP dump to install Haxchi no matter what Nintendo does in future.
Cool stuff, eh? Even if none of this appeals to you, you can still help out. Thrash through theories, look up CVEs (rule of thumb: if it's marked as Code Exec and higher than 7.5, it's good), follow what your devs are doing and offer support where you can. We can do this, and it'll be awesome. Shall we get started?
(This post's content was last updated on the 22nd of July 2017. This stuff gets old quick, so keep in mind that this may be outdated by the time you read it.)