Hacking Wii U Hacking & Homebrew Discussion

  • Thread starter: filfat
  • Views: 5,099,886
  • Replies: 21,104
  • Likes: 29
Anyone who has the time/skill to uncover browser exploits, PLEASE KEEP DOING SO. It really does help the scene. However, what does not help the scene is telling the whole world that you found an exploit and showing them what it is. If you are only doing this for the scene, congratulations on being humble. If you are doing it for credit (Kelton2), don't jump the gun. I guarantee you will get credit for your work when the entire exploit package is released. PM the exploit to MarioNumber1 and/or NWPlayer123 and do what they tell you. Nobody (and I mean nobody) at this point benefits from a leaked exploit if Nintendo finds out about it.
 
Sure, but people should pick another thread for finding ways to crash the Wii U's web browser and leave this one for discussing hacks.
 
It's stage 1 though. You run code through the rop chain which you trigger with the crash.
(I'm going to turn into Bug_Checker for a sec) NO, not all crashes/bugs lead to execution. What you're saying IS true, but this does NOT mean all crashes give us code execution of any kind. In any case, if you want credit for finding the right bug, you'll get it once you do and we can make something out of it.
 
99.9% of 'crashes' are useless and any idiot can find them and spam up this forum with useless info. So people should only post a crash here if they can show useful memory read/write.

I used to read this thread until youngsters started spamming the hell out of it with crash talk and basic networking questions. If you can't set up your network to block IPs, MACs, etc., then you definitely can't contribute anything useful in this thread.
 
...However, what does not help the scene is telling the whole world that you found an exploit and showing them what it is...
...PM the exploit to MarioNumber1 and/or NWPlayer123 and do what they tell you...

Would like to reinforce this, as it will solve the problem entirely... Keep it clean, gents
 
But I asked a question to marionumber1 and nwplayer.
But you also had some off-topic in it, and manually editing a bunch of posts just to save the on-topic part steals way too much time from us mods.

Anyway, post restored with off-topic removed.
 
It's stage 1 though. You run code through the rop chain which you trigger with the crash.

You my friend, are SO hung up over the damn browser exploits. We get it. Webkit isn't secure. Does EVERY crash that ever happens mean a hack? NO! This type of thing is why nothing gets done in this scene.
 
*tries to load a page with way too many advertisements*

*crappy browser can't handle it*

"Guys I hacked the Wii U!"

Who are you mocking? FYI, kelton2 is actually doing it the same way that fail0verflow did, by going through fixed webkit security bugs. Looks like he's one of the only ones trying to help port the webkit exploit to a more recent firmware version.
 
Who is he mocking? How about Kelton2 and every other person who thinks that stupid browser crashes are the way to "hack teh wii u"?
 
Just to get this back on track, what is the return instruction for PPC? In x86 assembly it's C3, and there is an awesome tool called OptiROP that you can use to help you locate ROP gadgets.
 
PPC only has branches. Branches to a subroutine generally use bl, and returns use blr.

Thanks for that, next question. Assuming you had found a vulnerability that was unhandled in the web browser and you had the exploit code developed, how would you dump the memory in 5.3.2 to go ROP hunting? Entirely theoretical of course.
 
We can definitely get the loader and coreinit from NUS, since the common key is now out. Since those are the first two binaries loaded, their addresses are easy to determine. coreinit contains enough ROP gadgets for us to dump the rest of the memory. Chadderz and I did this semi-blindly for 5.0.0, allowing us to port the browser exploit to 5.0.0 and 5.1.0, but now doing it blindly isn't needed.
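The two posts above raise the same practical question from both ends: what the PPC equivalent of x86's C3 looks like when you go gadget hunting, and why a single module such as coreinit can hold enough gadgets to bootstrap a memory dump. The following is an added example written for this page, not code from the thread's posters or from any Wii U project. It scans a big-endian PowerPC code image for blr (0x4E800020) and bctr (0x4E800420) terminators, walks back a few instructions to print each gadget, and decodes the handful of instruction forms that typical epilogue gadgets are made of (lwz/stw/lmw, addi, mtlr/mtctr, mr). The image it scans is a constructed byte string, not a real coreinit dump, and the load address SAMPLE_BASE is hypothetical; to use it on a real module you would feed it the decrypted .text section and the address that section is loaded at. One point worth noticing, in the code and in the comment: because PPC instructions are fixed 32-bit words, a gadget can only begin on a 4-byte boundary, so there are no "unintended" gadgets hiding inside other instructions the way there are on x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* PowerPC instructions are fixed 32-bit words, stored big-endian on the Wii U's
 * Espresso CPU. The return "gadget terminator" is blr (branch to link register);
 * bctr (branch to count register) is the other common chain-ending instruction.
 * Unlike x86, where the single byte C3 can appear inside another instruction at
 * any offset, a PPC gadget can only start on a 4-byte boundary. */
#define PPC_BLR  0x4E800020u
#define PPC_BCTR 0x4E800420u

typedef struct {
    uint32_t addr;  /* address of the gadget's first instruction */
    uint32_t ret;   /* PPC_BLR or PPC_BCTR */
} gadget_t;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the few instruction forms that make up typical epilogue gadgets;
 * anything else is shown as a raw word. */
static void describe(uint32_t w, char *out, size_t n) {
    uint32_t op = w >> 26, rs = (w >> 21) & 31, ra = (w >> 16) & 31, rb = (w >> 11) & 31;
    uint32_t xo = (w >> 1) & 0x3FF;
    int16_t d = (int16_t)(w & 0xFFFF);
    if (w == PPC_BLR)                 snprintf(out, n, "blr");
    else if (w == PPC_BCTR)           snprintf(out, n, "bctr");
    else if (w == 0x60000000u)        snprintf(out, n, "nop");
    else if (op == 31 && xo == 467) { /* mtspr: the SPR number is stored as two swapped 5-bit halves */
        uint32_t spr = (w >> 11) & 0x3FF, sprn = ((spr & 31) << 5) | (spr >> 5);
        const char *name = sprn == 8 ? "mtlr" : sprn == 9 ? "mtctr" : "mtspr";
        snprintf(out, n, "%s r%u", name, rs);
    }
    else if (op == 31 && xo == 444 && rs == rb) snprintf(out, n, "mr r%u,r%u", ra, rs);
    else if (op == 32)                snprintf(out, n, "lwz r%u,%d(r%u)", rs, d, ra);
    else if (op == 36)                snprintf(out, n, "stw r%u,%d(r%u)", rs, d, ra);
    else if (op == 46)                snprintf(out, n, "lmw r%u,%d(r%u)", rs, d, ra);
    else if (op == 14)                snprintf(out, n, "addi r%u,r%u,%d", rs, ra, d);
    else                              snprintf(out, n, ".long 0x%08X", w);
}

/* Scan a code image for blr/bctr and record one gadget per terminator, reaching
 * back at most `depth` instructions but never across an earlier terminator. */
static size_t find_gadgets(const uint8_t *img, size_t len, uint32_t base,
                           size_t depth, gadget_t *out, size_t max) {
    size_t count = 0, floor = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w = rd_be32(img + off);
        if (w != PPC_BLR && w != PPC_BCTR) continue;
        size_t start = off > depth * 4 ? off - depth * 4 : 0;
        if (start < floor) start = floor;
        if (count < max) { out[count].addr = base + (uint32_t)start; out[count].ret = w; }
        count++;
        floor = off + 4;
    }
    return count;
}

static void print_gadget(const uint8_t *img, uint32_t base, const gadget_t *g) {
    char text[48];
    for (uint32_t a = g->addr;; a += 4) {
        uint32_t w = rd_be32(img + (a - base));
        describe(w, text, sizeof text);
        printf("  %08X  %08X  %s\n", a, w, text);
        if (w == g->ret) break;
    }
    putchar('\n');
}

/* Constructed sample image (not a real Wii U dump): a typical function
 * epilogue, a register-move gadget and an indirect-call gadget.
 * SAMPLE_BASE is a hypothetical load address. */
#define SAMPLE_BASE 0x01000000u
static const uint8_t sample_text[] = {
    0x60,0x00,0x00,0x00,  0x60,0x00,0x00,0x00,   /* nop; nop                      */
    0x80,0x01,0x00,0x14,  0x7C,0x08,0x03,0xA6,   /* lwz r0,20(r1); mtlr r0        */
    0x83,0xE1,0x00,0x0C,  0x38,0x21,0x00,0x10,   /* lwz r31,12(r1); addi r1,r1,16 */
    0x4E,0x80,0x00,0x20,                         /* blr                           */
    0x7F,0xE3,0xFB,0x78,  0x4E,0x80,0x00,0x20,   /* mr r3,r31; blr                */
    0x7D,0x89,0x03,0xA6,  0x4E,0x80,0x04,0x20,   /* mtctr r12; bctr               */
    0x90,0x64,0x00,0x00,  0x60,0x00,0x00,0x00,   /* stw r3,0(r4); nop             */
};

int main(void) {
    gadget_t g[16];
    size_t n = find_gadgets(sample_text, sizeof sample_text, SAMPLE_BASE, 4, g, 16);
    printf("%zu gadgets\n", n);
    for (size_t i = 0; i < n; i++) print_gadget(sample_text, SAMPLE_BASE, &g[i]);
    return 0;
}
```

On the sample image the scanner reports three gadgets: the stack-frame epilogue (lwz r0 ... mtlr r0 ... blr, the kind of gadget that lets a chain reload LR from controlled stack memory), the mr r3,r31; blr register move, and the mtctr r12; bctr indirect call. Run against a real module, the lwz/stw gadgets that end in blr are exactly what a memory-dump chain is built from: one gadget loads a pointer into a register, another stores through it, and the chain repeats with incremented addresses.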
 
Thanks for the info. So I would need to sniff the NUS traffic, decode it with the common key, and then hunt for ROP gadgets? Did you use a tool like xrop to dump your ROP gadgets, or did you do it manually? Just curious as to whether it would be more beneficial to use a tool or manual dumping.
 
No need to sniff anything, just check an update digest and grab the files over HTTP. That, or build the modified NUS Downloader that someone tweaked for Wii U.
 