Hacking Could this be exploitable?

CosmoCortney

OP
Hi,
I've found a way to turn off the music/make the game unable to load the music. I simply inserted an SD card into a card reader and plugged the card reader into my Wii U. Then I moved a game to the SD card and started it. While in a stage I removed the SD card to have a look at what would happen. Surprisingly the game was running quite well. But very soon the music turned off (no more data in the buffer/cache). Funny but nothing meaningful.
But as I cleared the stage the game pseudo-froze. As soon as I reinserted the SD card the game continued running. I can also insert another SD card to make the console load foreign data (I could see this because the card reader's LED was blinking). But it logically crashed the system.
My idea was to use this to read/run any unsigned code. Unfortunately I don't have enough hacking experience to guess if this could be exploitable or not.
Well, if not, then please never mind.

Here's a video where the game pseudo-freezes unless I reinsert the SD card (go to 07:01)
 

yusuo

I'll come out and say that I'm also no expert, but I don't think this will result in much, purely for the fact that I used to do this with the Wii as well as the PS2, and the flashing light only means it's trying to read the next logical part of the data, regardless of whether it exists or not.

I could be wrong however and I kinda hope I am.

Thanks for contributing though, all it takes is one little crash to swing those doors wide open
 

BvanBart

Funny that it restarted the game when you reinserted the game SD.
Makes you wonder what would happen if you edited some files and reinserted the game :P
 

FPSRussi4

That sounds a lot like taking the disc out of a PS2 Slim while it's running. Then again, that led to the game swap trick, so it does have potential. I agree with yusuo, it sounds like it was just reading the next logical part of the data, but again, the PS2 laser worked in the same way, and we got an exploit out of it. So I hope to see something out of this. Are you on 5.1.2?
 

CosmoCortney

OP
> Well there's already an exploit for that firmware, if someone could replicate this using current firmware that would be good.

Yes, I had the same thought. But I am afraid I'd miss anything useful if I update to the latest fw :(
 

duffmmann

> Funny that it restarted the game when you reinserted the game SD.
> Makes you wonder what would happen if you edited some files and reinserted the game :P

This kinda makes me think of the original Twilight Hack. In a game where you save your character's name, perhaps you give it a normal name, take out the SD card, take another SD card with the same game on it, but with the save data hacked to have a much too long name for the game to handle and forcing a code dump when you talk to someone that says your name.

I dunno, I'm not well versed in this stuff, but it seems like if this really works, then maybe that could do it.
 

FPSRussi4

> This kinda makes me think of the original Twilight Hack. In a game where you save your character's name, perhaps you give it a normal name, take out the SD card, take another SD card with the same game on it, but with the save data hacked to have a much too long name for the game to handle and forcing a code dump when you talk to someone that says your name.
>
> I dunno, I'm not well versed in this stuff, but it seems like if this really works, then maybe that could do it.

How so? All you did was copy over a save from the SD to SysMenu, and it worked by causing a buffer overflow, that was correct. Seeing as they had the game on the SD, and took it out and tried to replace it with another SD card, it's a lot more like disc swapping. If you took out the SD with the game and inserted in the same game that has modified code without the system recognizing it, this could work.
 

WulfyStylez

USB storage would need to be exploited before this would be useful. Also, since we're still able to use webkit exploits, there's no real reason to develop an exploit that would take much more time to develop and affect much fewer people.
 

duffmmann

> How so? All you did was copy over a save from the SD to SysMenu, and it worked by causing a buffer overflow, that was correct. Seeing as they had the game on the SD, and took it out and tried to replace it with another SD card, it's a lot more like disc swapping. If you took out the SD with the game and inserted in the same game that has modified code without the system recognizing it, this could work.

I just meant it could be similar in how you could use it to exploit it. In the Twilight Hack, Epona's name had been changed to be too long, perhaps a similar method could be used here. I'm well aware that the method of making such an exploit happen would differ, but the way in game it causes a buffer overflow could be similar, that's all.
 
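Added example, not part of any post in this thread and not code from any game: the over-long name case discussed above comes down to copying a string out of save data without checking its length against the destination buffer. The save layout, `load_name` and `build_save` below are hypothetical and show the check a loader needs before it copies.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical save layout, constructed for this example: a 4-byte magic
 * followed by a fixed 32-byte name field. The game's own buffer only has
 * room for 8 characters plus the terminator. */
#define SAVE_MAGIC      "SAV0"
#define SAVE_NAME_FIELD 32
#define SAVE_IMAGE_SIZE (4 + SAVE_NAME_FIELD)
#define GAME_NAME_MAX   8

enum load_status { LOAD_OK, LOAD_TRUNCATED, LOAD_BAD_MAGIC,
                   LOAD_NAME_UNTERMINATED, LOAD_NAME_TOO_LONG };

/* Copy the name out of an untrusted save image into `out`. The unsafe
 * pattern is an unbounded strcpy(out, name), which trusts the file to hold
 * a short, terminated string. Here the length is measured inside the field
 * and checked against the destination before anything is copied. */
enum load_status load_name(const uint8_t *img, size_t img_len,
                           char *out, size_t out_size)
{
    if (img_len < SAVE_IMAGE_SIZE)
        return LOAD_TRUNCATED;
    if (memcmp(img, SAVE_MAGIC, 4) != 0)
        return LOAD_BAD_MAGIC;

    const uint8_t *name = img + 4;
    const uint8_t *nul = memchr(name, 0, SAVE_NAME_FIELD);
    if (nul == NULL)
        return LOAD_NAME_UNTERMINATED;   /* no terminator inside the field */

    size_t len = (size_t)(nul - name);
    if (len > GAME_NAME_MAX || len + 1 > out_size)
        return LOAD_NAME_TOO_LONG;       /* reject, do not truncate silently */

    memcpy(out, name, len + 1);          /* includes the terminator */
    return LOAD_OK;
}

/* Build a constructed sample image; n bytes of `name` go into the field. */
void build_save(uint8_t *img, const char *name, size_t n)
{
    memset(img, 0, SAVE_IMAGE_SIZE);
    memcpy(img, SAVE_MAGIC, 4);
    memcpy(img + 4, name, n < SAVE_NAME_FIELD ? n : SAVE_NAME_FIELD);
}
```

Rejecting the record outright, rather than truncating the name, keeps a tampered save from being loaded in a half-valid state.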

FPSRussi4

> I just meant it could be similar in how you could use it to exploit it. In the Twilight Hack, Epona's name had been changed to be too long, perhaps a similar method could be used here. I'm well aware that the method of making such an exploit happen would differ, but the way in game it causes a buffer overflow could be similar, that's all.

That's fair, I agree. I wonder what game it was.
 

CosmoCortney

OP
I have found something new. I swapped the SD card while in the menu. But the icons of the games stored on the previous SD card were still being displayed. So I told the console to launch one of those games. Then the console tried to install an update (which failed because my Wii U isn't online), I have no idea why. Then, if I go to the Memory and USB storage manager, the console partly crashes. There was an error message being displayed. I could still use the scrollbar even though the rest of the system crashed.
So... this way allows us to insert an unformatted SD card without the Wii U asking to format it. In the USB storage manager it also tries to read data from it.
 
