Hacking Wii U Hacking & Homebrew Discussion

NWPlayer123

Yeah.... even with gathering data, since we're basically doing everything over the network, it gets really tedious when you have to get a bunch of data so I think we should wait until we have SD/USB access before we do anything major with that (not that we have any other choice considering in usermode it has a ton of memory protection anyways).
 

WulfyStylez

> Yeah.... even with gathering data, since we're basically doing everything over the network, it gets really tedious when you have to get a bunch of data so I think we should wait until we have SD/USB access before we do anything major with that (not that we have any other choice considering in usermode it has a ton of memory protection anyways).

It's a very solid exploit for uh... finding more exploits, I guess. The fact that we're able to do RPC with such little effort and over the network is also super nice.
 

Marionumber1

I'm pretty sure that even once we get Cafe OS kernel access, IOSU will prevent us from getting SD access. crediar told me that titles have some associated metadata which says whether it can use the SD card. Since titles get parsed started by IOSU, and IOSU also controls the SD card, this makes me believe that IOSU access is needed to access the SD card. Either that or patching an app with SD access to do what we want.
 

WulfyStylez

> I'm pretty sure that even once we get Cafe OS kernel access, IOSU will prevent us from getting SD access. crediar told me that titles have some associated metadata which says whether it can use the SD card. Since titles get parsed started by IOSU, and IOSU also controls the SD card, this makes me believe that IOSU access is needed to access the SD card. Either that or patching an app with SD access to do what we want.

I feel like a lot of those types of protections will be mostly nullified with kernel-level access. We'll see once we get there, though.
 

Marionumber1

> I feel like a lot of those types of protections will be mostly nullified with kernel-level access. We'll see once we get there, though.


IOSU's protections will still be enforced against the PowerPC, since IOSU controls its access to most hardware. That said, I do find it somewhat weird that the kernel can access files for the OS title, even though it's simply running under another title, so the picture isn't completely clear yet as you said.
 

WulfyStylez

> IOSU's protections will still be enforced against the PowerPC, since IOSU controls its access to most hardware. That said, I do find it somewhat weird that the kernel can access files for the OS title, even though it's simply running under another title, so the picture isn't completely clear yet as you said.

Right, but we'd probably be able to inherit an app's permissions by executing code as it, right? That'd skirt around it quite a bit.
 

NWPlayer123

Miiverse or the shop channel might, but if not then there's always the option of getting lucky and being able to install our own apps with the permissions we need, but that's kind of a stretch for now, considering how little we know of the inner workings (that's documented, at least).
 

Marionumber1

> Miiverse or the shop channel might, but if not then there's always the option of getting lucky and being able to install our own apps with the permissions we need, but that's kind of a stretch for now, considering how little we know of the inner workings (that's documented, at least).


Installing our own apps would require being able to sign them, which is impossible without Nintendo's private key. That or finding some horrible bug in their RSA implementation again.
 

WulfyStylez

I think filesystem access may prove quite useful if we can't get SD access. And who knows, maybe some app will have SD permissions that doesn't need it?
 

TeamScriptKiddies

> About the website
> Hi, I've been working on the website for a little while setting up the Bitbucket page and I was wondering if any of you guys who know PHP want to help create a system for the Application list where users can submit a new application and already accepted applications will render in a list.html file. When that is done I only need to finalize the website and markdown files and press the publish button to make everybody able to contribute with their apps hello world I guess :P


Unfortunately I'm not familiar with PHP. I know basic HTML, but as far as web development goes, that's all the coding I know :(. Otherwise I would offer to help out :P
 

gudenau

This should help.

0x01000000 - 0x01800000 Read only OS Code (Usermode)
0x01800000 - 0x02000000 JIT code buffer (Either read write, or read execute, never read write executed)
0x0d800000 - 0x10000000 Read only browser code
0x10000000 - 0x10?????? OS Data (Usermode)
0x10?????? - 0x27800000 Browser data
0xe0000000 - 0xe4000000 Some sort of hardware communication area.
0xf4000000 - 0xf6000000 Don't know
0xf6000000 - 0xf6800000 Don't know
0xf8000000 - 0xfb000000 Read only shared data (system fonts mostly).
 

filfat

> This should help.
>
> 0x01000000 - 0x01800000 Read only OS Code (Usermode)
> 0x01800000 - 0x02000000 JIT code buffer (Either read write, or read execute, never read write executed)
> 0x0d800000 - 0x10000000 Read only browser code
> 0x10000000 - 0x10?????? OS Data (Usermode)
> 0x10?????? - 0x27800000 Browser data
> 0xe0000000 - 0xe4000000 Some sort of hardware communication area.
> 0xf4000000 - 0xf6000000 Don't know
> 0xf6000000 - 0xf6800000 Don't know
> 0xf8000000 - 0xfb000000 Read only shared data (system fonts mostly).

That is more than helpful, that is golden :)

On an unrelated note, shouldn't we start filling out the wiiubrew wiki with our findings? :)
 

Chadderz

> This should help.
>
> 0x01000000 - 0x01800000 Read only OS Code (Usermode)
> 0x01800000 - 0x02000000 JIT code buffer (Either read write, or read execute, never read write executed)
> 0x0d800000 - 0x10000000 Read only browser code
> 0x10000000 - 0x10?????? OS Data (Usermode)
> 0x10?????? - 0x27800000 Browser data
> 0xe0000000 - 0xe4000000 Some sort of hardware communication area.
> 0xf4000000 - 0xf6000000 Don't know
> 0xf6000000 - 0xf6800000 Don't know
> 0xf8000000 - 0xfb000000 Read only shared data (system fonts mostly).

I think it's considered polite to credit your sources :P

> Yeah, that's why I suggested patching an app with SD access, though I'm not sure if there actually are any to begin with.

Yes, you're quite right, we've run into this problem. No app we've tested has SD access, so we can't access it despite the PPC Kernel exploit. That said, we haven't finished our IPC experiments, we've not yet successfully impersonated the system, which may have sufficient privilege.
 

FusionGamer

> I think it's considered polite to credit your sources :P

Uh oh.


> Yes, you're quite right, we've run into this problem. No app we've tested has SD access, so we can't access it despite the PPC Kernel exploit. That said, we haven't finished our IPC experiments, we've not yet successfully impersonated the system, which may have sufficient privilege.

Well, the settings app for sure has SD access as it's the only place to copy Wii U saves to the SD card.
 