Hacking OSDriver kernel exploit - a technical description

Mathew_Wi

So I've got a question.
I've found a working kernel exploit for firmware 5.5.1 through the process of brute forcing.

My intentions are to either release it with a working emulator,
or release it alone and let someone finish it.

The thing is that I am fairly new to the community (was a Microsoft guy),
and I would hate to release something that has already been discovered.
Could I check your exploit, @DeVS, and compare
if they are different?
There is no reason for holding back if it turns out mine is different.

BTW, I AM open for donations.
How about you show us yours?
 

codychaosx
BTW, I AM open for donations.
 

davetheshrew
So I've got a question.
I've found a working kernel exploit for firmware 5.5.1 through the process of brute forcing.

My intentions are to either release it with a working emulator,
or release it alone and let someone finish it.

The thing is that I am fairly new to the community (was a Microsoft guy),
and I would hate to release something that has already been discovered.
Could I check your exploit, @DeVS, and compare
if they are different?
There is no reason for holding back if it turns out mine is different.

BTW, I AM open for donations.
I remember you saying recently that you modified the 5.3.2 kernel exploit to work on 5.5.1, and now you're saying you "brute forced" the system to give up the kernel. C'mon man, stop lying all the time and admit it: you can't code for skittles.
 

NWPlayer123
How did you find that the spinlock was sometimes unlocked? @Marionumber1
Um, I don't remember how we started. I think either someone told us it existed and we tried to replicate it (I still remember it first working in February last year, "Race attack succeeded", and MN1 was shocked that it finally worked to some degree), and shortly after, Bean and chadderz showed off that they had made their own using the userspace bug we released for 4.0 to 5.1; that's how chadderz originally made TCPGecko dotNet and Cafiine. I'm not actually sure they ever disclosed what their bug was. I also remember chadderz having some fun with MN1 to blindly get userspace working on 5.1, and we just kept using it up until it got patched in 5.5.0 (MN1 made the second one before this because the OSDriver one was so unreliable).
 

NexoCube
Um, I don't remember how we started. I think either someone told us it existed and we tried to replicate it (I still remember it first working in February last year, "Race attack succeeded", and MN1 was shocked that it finally worked to some degree), and shortly after, Bean and chadderz showed off that they had made their own using the userspace bug we released for 4.0 to 5.1; that's how chadderz originally made TCPGecko dotNet and Cafiine. I'm not actually sure they ever disclosed what their bug was. I also remember chadderz having some fun with MN1 to blindly get userspace working on 5.1, and we just kept using it up until it got patched in 5.5.0 (MN1 made the second one before this because the OSDriver one was so unreliable).

Okay ^^ But now, how to find another bug that can exploit the kernel? :c
 

NexoCube
So, if I understand everything, the ROP chains are just here to tell Core 0 and Core 2 to start, and to free one of your "Drivers" (the B one)?

And the kern_read and kern_write syscalls are installed in DRVHAX (C)?
 