Hacking Using the Wii U RPC Client

Thread starter: NWPlayer123
I'm looking at the SDK v1.7 and can't find some apparently key things you guys are using in the RPC client. For example, how do you know nsysnet.rpl exists? The SDK index (system/docs/man/en_us/index.html) doesn't mention it. There is mention of SORecv, SOSocket, SOConnect, SOSend, which match the signatures of the nsysnet.rpl symbols the RPC server uses, but I think I am missing something.

Well it looks like I found the answer:

We found the different functions in various ways. Filesystem and IOS functions were inside coreinit, which comex gave to me to help me build the ROP chain. I believe nsysnet was found in the Cafe OS system log, along with the names of all the other loaded libraries. Some could be guessed, like gx2.rpl for the graphics library.

I should note that we don't actually have permission in the web browser to access external storage or any part of the internal filesystem outside of the browser's area. This is another reason why a kernel or loader exploit is useful. Let it be said that we're working on it.

I've dumped the logs via RPC, and do see mention of it, but again, I don't see the methods (recv, send, connect, socket) mentioned at all. How did you find the method signatures for these? Any chance that you can share the coreinit binary, perhaps via PM?
 
Excuse my ignorance, but haven't you found, and are working on, a kernel exploit? Or is there a fair bit of smoke and mirrors around these parts? I'm referring in the main to the other thread on Wii U hacking you seem to be prevalent in, referring to the exploit coming along "slowly" and maybe releasing things etc., etc. I only say this with regards to contradictions: "We could if we had a kernel or loader exploit" etc., etc.
 

This isn't the right thread, but they've said many times that the exploit is in development. Like any piece of software, there's a lot of work before it is in a state that is releasable for others to use. The raw exploit alone, without a framework to load homebrew etc, wouldn't be useful to anyone except developers. I think they are actually planning to release something that everyone will find useful, so just be patient :)
 
I'm not quite sure how we found those methods existed (NeKit originally did), but it's possible we just guessed it would support the BSD socket API.
 

Turns out I was looking at an older SDK (v1.7). The newer one that was leaked (v2.09) contains nsysnet.rpl :)
 
Hello, I'm having problems compiling for 5.0.0. I'm getting "/usr/bin/env: python No such file or directory". Any ideas? I have Python 3.4.2 installed.
 
OK, so I need to edit the build.sh with the path to my Python executable?

That would be the way to hardcode it, yes, but if you're using Windows, go to Control Panel, search "advanced system settings", then Environment Variables. In System Variables scroll down to Path, make sure there's a semicolon at the end, and then add the path to your Python directory (I assume C:/python34) and another semicolon.
 
Can't we just dump Cafe OS from our consoles? Do you know how to do that?

I'm working on doing that with hardware, but the NAND/eMMC contents are encrypted, so even if I manage to dump it, there's currently no way to view or modify the contents. We would need the console-specific private key(s) for that...
 

Thank you. All I did was open build.sh; it was looking for python32, so I just changed it to 34 and it worked. Thank you for your help.
 
Well, I got everything compiled and working, but I can't get the Wii U to connect to the computer.
 
Did you make sure to change PC_IP in socket.h, and verify that you're allowing port 12345 through the firewall?

Yeah, I just verified it again, and I even disabled my firewall and antivirus. (PS: I did convert the IP to hex using the website on the main page also.)
 

I got it loading the test500.html, and I'm getting the little white box in the upper right corner of the browser, but I'm not getting any listening info coming through Python.
 