Hacking WiiU new error bsod

JaapDaniels

mp_raid level vs mp_carrier level? So it's not completely the same... Just a noob question: can we set up a fake multiplayer server so we can make a massive attack of data for these games? I mean, from what I hear it's too much multiplayer data to handle for the games. Maybe we can retrigger the effect this way, or all join the same channel (don't know the game so can't really help).
 

Master0fBlunt

OP
On a semi-related note, there are people online who can control lobbies so I'd love to look more into that.

Not sure how they do it but they "fill" your team with empty user slots so the teams are unbalanced. I think there's a working host control glitch/bug also, but that's more speculative assumption than fact.
 

FPSRussi4

On a semi-related note, there are people online who can control lobbies so I'd love to look more into that.

Not sure how they do it but they "fill" your team with empty user slots so the teams are unbalanced. I think there's a working host control glitch/bug also, but that's more speculative assumption than fact.

You mean bots?
 

Master0fBlunt

OP
Nope, they trick the server (I guess) into leaving two or more user slots open, or filling said slots with null data, thus leaving the victim team more susceptible to spawn camping or w/e. Once again this is speculation also, because I can't prove it, but I'm fairly sure that's what I was seeing. Could be coincidence.
 

FPSRussi4

Nope, they trick the server (I guess) into leaving two or more user slots open, or filling said slots with null data, thus leaving the victim team more susceptible to spawn camping or w/e. Once again this is speculation also, because I can't prove it, but I'm fairly sure that's what I was seeing. Could be coincidence.

Oh, you mean legitimate empty slots. I thought you meant they would reserve slots or place bots into those slots to unbalance the teams. I think what they could potentially do is have bots join their side to take up space, then make them leave as soon as the match starts, since COD doesn't have team balancing anymore, I don't think. It makes sense but I'm sure there's a better way to do it.

Emulating a server, forget it. Man-in-the-middle attack or packet replacement/injection: possibly. If there was a packet saver of sorts or a live data transfer monitoring tool you could theoretically set up the network utility, then power on the Wii U, play a match, power it off, then see what conversations occur between client and server, ports, packet headers, any repeated data, etc. Even if you don't break the encryption you might be able to hex a value, repackage a packet, and insert it via MITM attack and see what happens...
There's a tool called Wireshark that can do that packet sniffing, but I doubt you'll get much; they're most likely encrypted.
 
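As an added example (not from any poster in this thread), the script below does the first-pass triage the post above describes on a Wireshark-style capture: it parses a classic pcap file, lists which endpoints and UDP ports talked to each other, and flags payloads that repeat, which is where protocol structure usually shows first even when the contents are encrypted. The capture is constructed inline, not a real Wii U trace, and the parser assumes plain IPv4/UDP over Ethernet.

```python
import struct
from collections import Counter

# Minimal classic-pcap reader plus a constructed capture to run it on.
# Nothing here comes from a console; the frames are fabricated for the demo.

def _udp_frame(src, dst, sport, dport, payload):
    """Build Ethernet/IPv4/UDP frame bytes (checksums zeroed; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # two MACs + EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + udp

def _pcap(frames):
    """Wrap frames in a classic pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

CONSTRUCTED_PCAP = _pcap([                                # constructed sample, not real traffic
    _udp_frame("192.168.1.20", "203.0.113.5", 50000, 3074, b"\x01HELLO"),
    _udp_frame("203.0.113.5", "192.168.1.20", 3074, 50000, b"\x02ACK"),
    _udp_frame("192.168.1.20", "203.0.113.5", 50000, 3074, b"\x03KEEPALIVE"),
    _udp_frame("192.168.1.20", "203.0.113.5", 50000, 3074, b"\x03KEEPALIVE"),
])

def summarise_udp(pcap_bytes):
    """Return ({(src, sport, dst, dport): packets}, {payload: count}) for UDP packets."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    flows, payloads = Counter(), Counter()
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                   # skip non-IPv4 frames
            continue
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        if frame[23] != 17:                               # skip non-UDP packets
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        u = 14 + ihl                                      # start of the UDP header
        sport, dport, ulen = struct.unpack("!HHH", frame[u:u + 6])
        flows[(src, sport, dst, dport)] += 1
        payloads[bytes(frame[u + 8:u + ulen])] += 1
    return flows, payloads

def repeated_payloads(pcap_bytes):
    """Payloads seen more than once: keepalives and fixed headers show up here first."""
    return {p: n for p, n in summarise_udp(pcap_bytes)[1].items() if n > 1}
```

Point it at a real file with `summarise_udp(open("capture.pcap", "rb").read())`; pcapng files (Wireshark's newer default) use a different container and would need to be exported as classic pcap first.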

Master0fBlunt

OP
mp_raid level vs mp_carrier level? So it's not completely the same... Just a noob question: can we set up a fake multiplayer server so we can make a massive attack of data for these games? I mean, from what I hear it's too much multiplayer data to handle for the games. Maybe we can retrigger the effect this way, or all join the same channel (don't know the game so can't really help).


Emulating a server, forget it. Man-in-the-middle attack or packet replacement/injection: possibly. If there was a packet saver of sorts or a live data transfer monitoring tool you could theoretically set up the network utility, then power on the Wii U, play a match, power it off, then see what conversations occur between client and server, ports, packet headers, any repeated data, etc. Even if you don't break the encryption you might be able to hex a value, repackage a packet, and insert it via MITM attack and see what happens...
 

Marionumber1

Regardless of how feasible it is to reproduce this crash, a game-based exploit is much harder to turn into a kernel or IOSU exploit. All Wii U applications, with the exception of WebKit apps, have strict NX enabled, meaning that it's impossible to set any memory region as executable. The browser and other WebKit apps have a JIT area that can be made executable, which is one reason why it's a very good exploitation target (the other being the relative openness of WebKit). So I think that community efforts would be better spent looking for a browser exploit.
 

Master0fBlunt

OP
Regardless of how feasible it is to reproduce this crash, a game-based exploit is much harder to turn into a kernel or IOSU exploit. All Wii U applications, with the exception of WebKit apps, have strict NX enabled, meaning that it's impossible to set any memory region as executable. The browser and other WebKit apps have a JIT area that can be made executable, which is one reason why it's a very good exploitation target (the other being the relative openness of WebKit). So I think that community efforts would be better spent looking for a browser exploit.


Valid point. But has anyone been able to dump a Wii U? This handler/error has to call a log, or get a report (the data displayed onscreen, see images), and the crash itself causes a call for the handler (whatever reads data and displays it during the BSOD).

I mean what/where are those addresses? "Backend"? "Worker0"? Are they RAM or assigned/permanent?

Can we play with, perverse, or even record any chatter or get a NAND or RAM dump after these crashes? As in, do we know exactly what's happening before we give up on it? Is this data/crash user unique (the addresses), or are these generic? Is there a pattern?

I mean, the fact that several people have stumbled on this must mean it's not rare. Wish more blops people were interested or would read and post their screens too. Might see a pattern, heck, might even have an epiphany just by lookin at the pic, I don't know. Still feel like more interest from players to report screens, and more interest from the mod scene to use the info... might make a diff....

There's something here, even if it's just data and not a result. If it truly does not work, and we know EXACTLY why, then in the future we would know what DOESN'T work and where NOT to look. I feel like exploring even just for fun. I'm going to pick at it until someone can explain start to finish what causes it, what it does, the info, hardware, firm/software involved, the data affected/used/ran, etc., and actual ripped/recorded/discovered/referred data. I wish somebody "closer in the circle" would respond. I'm really curious about this lol.

Well, I'm just thinking out loud, better end this lol. Gunna do some thinking and research...
 

Master0fBlunt

OP
Here's another:

EndWHy2.jpg


"THE NUMBERS MASON, WHAT DO THEY MEAN?!"

LMFAO

But no really...
 

Marionumber1

Valid point. But has anyone been able to dump a Wii U? This handler/error has to call a log, or get a report (the data displayed onscreen, see images), and the crash itself causes a call for the handler (whatever reads data and displays it during the BSOD).

I mean what/where are those addresses? "Backend"? "Worker0"? Are they RAM or assigned/permanent?

The browser exploit and our subsequent exploration gave us a fairly good idea of the Cafe OS architecture. We figured out that it's possible for the application to trap exceptions and fall through to a special handler. This handler can then print out the application's state before it occurred, using OSFatal(). In fact, we've used this same technique before ourselves. My guess is that "Backend" and "Worker0" are thread names, so there are stack traces being printed for every thread.

Can we play with, perverse, or even record any chatter or get a NAND or RAM dump after these crashes? As in, do we know exactly what's happening before we give up on it? Is this data/crash user unique (the addresses), or are these generic? Is there a pattern?

NAND dumps would not help, being encrypted, and RAM dumps are impossible without a kernel exploit (working on it) or special hardware (also working on it). We would need to look at RAM dumps before actually deducing the cause of the crash.

I mean, the fact that several people have stumbled on this must mean it's not rare. Wish more blops people were interested or would read and post their screens too. Might see a pattern, heck, might even have an epiphany just by lookin at the pic, I don't know. Still feel like more interest from players to report screens, and more interest from the mod scene to use the info... might make a diff....

There's something here, even if it's just data and not a result. If it truly does not work, and we know EXACTLY why, then in the future we would know what DOESN'T work and where NOT to look. I feel like exploring even just for fun. I'm going to pick at it until someone can explain start to finish what causes it, what it does, the info, hardware, firm/software involved, the data affected/used/ran, etc., and actual ripped/recorded/discovered/referred data. I wish somebody "closer in the circle" would respond. I'm really curious about this lol.

Well, I'm just thinking out loud, better end this lol. Gunna do some thinking and research...

If we had a way to look at the RAM of the game along with these crash dumps, some pattern might emerge. It's unlikely that we'd get this by just reading crash dumps, unless the exact same crash occurs twice. It's not worthless to look into this, but still far less useful than a WebKit exploit.
 

Master0fBlunt

OP
I need a beer and some thinking time... But I think webkiting is gunna be one hell of a rabbit chase also, still leaps and bounds ahead. Gunna go back to the drawing board and mull about where to divert my interest and resources... Need to get contact info for a few peeps also.... Thanks for the input.
 

FPSRussi4

I need a beer and some thinking time... But I think webkiting is gunna be one hell of a rabbit chase also, still leaps and bounds ahead. Gunna go back to the drawing board and mull about where to divert my interest and resources... Need to get contact info for a few peeps also.... Thanks for the input.

Well, they have the userland exploit already, are working on developing the kernel exploit, and have plans to port the browser (or kernel?) exploit to newer versions. I'd say this is also the best place to divert your interest to.
 

Master0fBlunt

OP
The game is sandboxed, but the data is referenced outside of actually loading or playing the disc, i.e. the icon at the Home menu.... The encryption part is giving me a migraine...

Call the ambulance....
WiiuWiiuWiiuWiiuWiiuWiiu.....
 

Marionumber1

Well, they have the userland exploit already, are working on developing the kernel exploit, and have plans to port the browser (or kernel?) exploit to newer versions. I'd say this is also the best place to divert your interest to.


We can't just port the WebKit exploit, as Nintendo patched the bug we were using. Now we have to look for a new WebKit bug, which was actually more time consuming than writing the exploit, if I recall correctly. We spent about 2 months on the original browser exploit, and more than half of that was finding a usable WebKit bug.
 

FPSRussi4

We can't just port the WebKit exploit, as Nintendo patched the bug we were using. Now we have to look for a new WebKit bug, which was actually more time consuming than writing the exploit, if I recall correctly. We spent about 2 months on the original browser exploit, and more than half of that was finding a usable WebKit bug.

My point was that the browser is a much better place to locate an exploit, but thanks for telling me exactly what I should have said.
 

mixelpixx

I guess this thread is another that baffles me. One, you guys completely shit on someone TRYING to post data; even one of GBAtemp's mods got in on the shit talking.

Mario may be right, but I think since code injection at the router is as simple as an app on your Android phone, that would be a worthy attempt. JS injection is easy.
The other avenue is to find someone on original FW, restore it to out of box, and then dump the damn flash. Then proceed with working on the browser exploit.
Why isn't this being looked into more? Not to mention the controller on the eMMC is an 8051, which has been hacked to oblivion and back.

If it has code on it, dump it. Without doing that you are just throwing shit at the wall and hoping something sticks.
 

Marionumber1

I guess this thread is another that baffles me. One, you guys completely shit on someone TRYING to post data; even one of GBAtemp's mods got in on the shit talking.

I was simply pointing out two things. First of all, this crash isn't useful to us until we can determine exactly what's causing it and reproduce it in a controlled fashion. Second, game-based exploits are inherently less useful (due to NX) and more difficult to create (thanks to being closed-source) than browser exploits.

The other avenue is to find someone on original FW, restore it to out of box, and then dump the damn flash. Then proceed with working on the browser exploit.
Why isn't this being looked into more? Not to mention the controller on the eMMC is an 8051, which has been hacked to oblivion and back.

If it has code on it, dump it. Without doing that you are just throwing shit at the wall and hoping something sticks.

Dumping the flash won't help with hacking, since the contents of the flash are encrypted with console-specific keys. If we got flash dumping and restoration to work, that could be used for downgrade purposes, but nothing more. One of my real-life friends is actually planning to look into Wii U hardware hacks, including that.
 

mixelpixx

Wasn't talking about you being an ass, Mario. Others... people who don't contribute.

My point about flash (and we still have no tools for it (check that, I have no tools for it)) is to dump an original unit with 4.x on it, with the hope of being able to downgrade, in order to use the browser exploit. That isn't only feasible, but doable. Since I have no tools to analyze my flash or verify I have dumped it correctly, I can't speak to everything being encrypted. Is that what you are telling me though: NO plaintext, no serial numbers, no user info, nothing, the entire thing is encrypted?
 

mixelpixx

This is what I use for INJECTION.


dSploit


Requirements:
  • ARM: your device must have an ARM CPU.
  • Gingerbread: an Android device with at least version 2.3 (Gingerbread) of the OS.
  • Root: the device must be rooted.
  • BusyBox: the device must have a BusyBox full install, meaning every utility installed (not the partial installation).
Features:
  • WiFi Scanning & Common Router Key Cracking
  • Deep Inspection
  • Vulnerability Search
  • Multi Protocol Login Cracker
  • Packet Forging with Wake On Lan Support
  • HTTPS/SSL Support ( SSL Stripping + HTTPS -> Redirection )
  • MITM Realtime Network Stats
  • MITM Multi Protocol Password Sniffing
  • MITM HTTP/HTTPS Session Hijacking
  • MITM HTTP/HTTPS Hijacked Session File Persistence
  • MITM HTTP/HTTPS Realtime Manipulation
Simple Sniff: Redirect target's traffic through this device and show some stats while dumping it to a pcap file.

Password Sniffer: Sniff passwords of many protocols such as http, ftp, imap, imaps, irc, msn, etc from the target.

Session Hijacker: Listen for cookies on the network and hijack sessions.

Kill Connections: Kill connections, preventing the target from reaching any website or server.

Redirect: Redirect all the http traffic to another address.

Replace Images: Replace all images on webpages with the specified one.

Replace Videos: Replace all youtube videos on webpages with the specified one.

Script Injection: Inject a javascript in every visited webpage.

Custom Filter: Replace custom text on webpages with the specified one.

Replace Videos: Replace all youtube videos on webpages with the specified one.

Script Injection: Inject a javascript in every visited webpage.

Custom Filter: Replace custom text on webpages with the specified one.



dSPloit - Nightly

h**ps://www.mediafire.com/?4m45k89o0n7t5to
 