Hacking Using the Wii U RPC Client

[NWPlayer123]

Gonna make this now so it's out there.
Q: How does this work?
A: So basically, you're using your router as a gateway between your Wii U and computer. You specify what local address (IE 192.168.0.5) your Wii U should look for a connection for, and then your client accepts it and you're able to run stuff with it remotely.

Requirements: cygwin (default packages), XAMPP, DevKitPPC, python 3.X.

Okay, so, here's how I did my setup.
1) Open up a command prompt and type in "ipconfig -all" and hit enter. Since I'm tethered to my router with an ethernet cable, mine's under Ethernet Adapter Ethernet, or yours might say something about Wireless. You're looking for the IPv4 address(for this example mine's assigned 192.168.0.28).

2) Go to this website and convert that address to hex

3) If you haven't already, download the repo here. Then open up src/socket.h in any text editor and change the line for #define PC_IP with the address you just converted.

4) Time to compile it. open up cygwin (since I'm using windows) and navigate to the location (IE cd /cygdrive/d/ApplicationData/WiiUBuild) and then run ./build.sh rpc.c 510 (or whatever your version is) and it'll make a file called test500.html(or whatever your version is) in the same folder as the script. You want to copy that to (I just use XAMPP, so C:/xampp/htdocs) and also frame.html from that same folder.

5) Then bootup the XAMPP control panel and let apache start up. (for whatever reason port 80 is being used so if you get an error, open up the command prompt as an admin and run "net stop was /y")

6) Open up rpc.py in IDLE (python's built in text editor) and go to run > run module. (I added a line to print "listening" so I know it's working, before you do this just scroll down to __init__)

def __init__(self):
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 
        self.data = []
        print("listening")
        self.listen('0.0.0.0', 12345)

7) Boot up your Wii U and go into the Web Browser. Then go to the IP you had in the first step (IE 192.168.0.28). If you get an access denied error from xampp, then it's all working and connecting correctly. Then open up yourIP/test500.html (IE 192.168.0.28/test500.html) and if everything's working correctly it should print ("Connected by", someIPaddress). Then you can use that new window from IDLE to run all your commands. Example picture.

 

[FusionGamer]

Woah, when did this happen?

We can presumably dump game files with this?

Also, Chrome reports that the repo is a virus.

 

[NWPlayer123]

Presumably, if you have a kernel exploit to disable the memory protection for anything not allocated to the browser

 

[FusionGamer]

Presumably, if you have a kernel exploit to disable the memory protection for anything not allocated to the browser

Damn. Still gonna mod my Wii U though and wait it out for that kernel exploit. Also, what's that "MarioKart8-1.bin" file?

Edit: Crap. Just when I thought any homebrew stuff wasn't going to be released, my Wii U auto-updated itself to 5.1.1 today. Next time I tell myself to block updates, I should actually do it. I am thankful this ain't Chadderz exploit though

 

[NWPlayer123]

That's just a dump file for the data of the memory for that frame data chadderz found (I was doing some testing on it, see this post for more details)

 

[FusionGamer]

That's just a dump file for the data of the memory for that frame data chadderz found (I was doing some testing on it, see this post for more details)

Thanks for the link.

Looks like title screens are now bin files. That's quite an interesting change.

 

[NWPlayer123]

Nah, my theory is that it's a screenshot for use in the browser when pressing X (I found out that hint earlier today). First we thought it was a framebuffer but it doesn't have the right properties to be a buffer, so it's probably an aforementioned screenshot. And they're not necessarily bin files, that's just what I saved it as (bin for binary data).

 

[FusionGamer]

Nah, my theory is that it's a screenshot for use in the browser when pressing X (I found out that hint earlier today). First we thought it was a framebuffer but it doesn't have the right properties to be a buffer, so it's probably an aforementioned screenshot. And they're not necessarily bin files, that's just what I saved it as (bin for binary data).

Neat information. That's probably it too.

 

[ibooN]

Access denied and I am running cygwin64 terminal as administrator.
And it made the test500.html empty (0 KB) in the repository, when I did this.

Also converted my IP to hex and put it in src/socket.h under the #define PC_IP, but I don't think it is really necessary to this problem.

Please tell me, if I am doing something completely wrong.

 

[NWPlayer123]

looks like it doesn't like the first line in that python file(generate_html.py). 2 things: one, are you able to run RPC.py from IDLE? and two: How did you install python/what version?

 

[Marionumber1]

You need to have your Python directory in the PATH environment variable for the build script to work.

 

[BullyWiiPlaza]

Image (cygwin):

Spoiler

Access denied and I am running cygwin64 terminal as administrator.
And it made the test500.html empty (0 KB) in the repository, when I did this.

Also converted my IP to hex and put it in src/socket.h under the #define PC_IP, but I don't think it is really necessary to this problem.

Please tell me, if I am doing something completely wrong.

Same issue and solutions:
http://gbatemp.net/threads/how-to-setup-a-web-browser-exploit-site.369582/

 

[ibooN]

Now when, I go to my address 192.168.0.12/browserexploit/index.html on the Wii U gamepad, it loads my webpage fine and after some time, it says "Error connecting to RPC server" and my Python 2.7.8 Shell is empty on the PC, I included some picture below in the spoilers.

test500.html is just renamed to index.html

 

[WulfyStylez]

Now when, I go to my address 192.168.0.12/browserexploit/index.html on the Wii U gamepad, it loads my webpage fine and after some time, it says "Error connecting to RPC server" and my Python 2.7.8 Shell is empty on the PC, I included some picture below in the spoilers.

test500.html is just renamed to index.html

IMAGES:
image1 = What the cygwin looked like, when I ran the build command

Spoiler

Sooo many compile errors! You should only have the one from devkitpro about the entry point.

Actually it looks like you typed a w at the beginning of socket.h. Go backspace that and try compiling again?

 

[ibooN]

Sooo many compile errors! You should only have the one from devkitpro about the entry point.

Actually it looks like you typed a w at the beginning of socket.h. Go backspace that and try compiling again?

Thank you for pointing out that error, I feel very dumb now for not noticing that, but I finally got it working by installing the 64 bit version of python 2.7.8.

 

[BullyWiiPlaza]

My python shell won't react once it's supposed to connect to the Wii U.

Here are my steps including pictures for you to follow and possibly find out the cause.

Spoiler

Cmd "ipconfig -all" command:

IP conversion

Edited socket.h file

Cygwin compilation

Frame.html and test500.html copied to the htdocs folder

XAMPP Apache launched

rpc.py edited source (listening print added)

Run -> Run Module F5

Visiting the url http://192.168.2.110/ using the Wii U web browser

Visiting the url http://192.168.2.110/test500.html/

It shows the white box but nothing else happens. The python console prints nothing.

 

[WulfyStylez]

My python won't react once it's supposed to connect to the Wii U.

Here are my steps including pictures for you to follow and possibly find why out it's not working.

Spoiler

Cmd "ipconfig -all" command:

IP conversion

Edited socket.h file

Cygwin compilation

XAMPP Apache launched

rpc.py edited source (listening print added)

Run -> Run Module F5

Visiting the url http://192.168.2.110/ using the Wii U web browser

Visiting the url http://192.168.2.110/test500.html/

It shows the white box but nothing else happens. The python console prints nothing and the web browser affected in any way.

Didn't you say you were on 5.0.0? Because you built for 5.1.0.

 

[Marionumber1]

Didn't you say you were on 5.0.0? Because you built for 5.1.0.

5.0.0 and 5.1.0's ROP chains are exactly the same.

 

[BullyWiiPlaza]

Good point but building with the 500 argument doesn't change anything.

 

[ibooN]

Good point but building with the 500 argument doesn't change anything.

Did you try to run XAMPP as administrator, because it even says in XAMPP, it can have some problem with the network or something and mine didn't work earlier aswell, but then I just ran XAMPP as administrator and it worked.

That's the only thing left, I could see would work, if you are not already running it as administrator ofc.