A channel-less, SD-less entry point: str2hax

Fullmetal5

Well-Known Member
OP
Member
Joined
Dec 10, 2017
Messages
105
Trophies
0
Age
25
XP
674
Country
United States
I am using connection 1, wired.

However because I use a static IP address (required in my network, no DHCP), I cannot use auto DNS (the button is disabled in the network config). Do you think you could mod your exploit so it sets the DNS to 8.8.8.8 / 8.8.4.4 when it detects that auto DNS is not possible?
Well that explains it. When making it I was debating which I should do: set it to 8.8.8.8/4.4.4.4 or use Auto DNS. I chose Auto DNS because I couldn't think of any reason for it to fail. I didn't think about it not working with no DHCP.
I'll switch the network loader over to setting it to manual DNS with 8.8.8.8/4.4.4.4 as the settings.

EDIT: OK, the site has been updated to use manual DNS now.
Last edited by Fullmetal5,

leseratte

Wiimmfi Team
Member
Joined
Jun 2, 2012
Messages
453
Trophies
1
XP
1,859
Country
Germany
Thanks, just tested it again and now it works. Pretty cool exploit, looking forward to the source release so we can make a version for Wiimmfi.

Do you know if the EULA display thing supports links? Then the server could theoretically send a web page with a few links for the user to select what binary to download and run ...

EDIT: Uuh, you do know that Google's 2nd DNS is 8.8.4.4 and that 4.4.4.4 (the one you use as the 2nd one) doesn't exist?
Last edited by leseratte,

Fullmetal5
Thanks, just tested it again and now it works. Pretty cool exploit, looking forward to the source release so we can make a version for Wiimmfi.

Do you know if the EULA display thing supports links? Then the server could theoretically send a web page with a few links for the user to select what binary to download and run ...
It's very weird. I only messed around with a few aspects of user interaction with the page and some of it seems broken.
Don't try to have the page redirect or use iframes or do ANYTHING that isn't in the directory it's hosted on. Even loading pictures like <img src="../example.png"> will fail. If you want user interaction I would have buttons that run JavaScript to load the right payload.png and then trigger the exploit.
Also DON'T use XMLHttpRequest. It's broken and will just crash the browser. (Doesn't seem exploitable)
Another option is to build an app that lets the user select stuff and just always load it to get around all the weird restrictions of the browser.

You may experiment more with user interaction on the page as I didn't do much. Just make sure you set the page title to "End User License Agreement" or the Wii will just throw an error at you.

leseratte
OK, then I will definitely mess around with this some more when it's released.

Well it wouldn't even need to be released, I can just have two links to the same payload in different paths. I'll let you know if I happen to get it to work.

Fullmetal5
OK, then I will definitely mess around with this some more when it's released.

Well it wouldn't even need to be released, I can just have two links to the same payload in different paths. I'll let you know if I happen to get it to work.
The network loader has been uploaded to https://github.com/Fullmetal5/WiiNetworkLoader if you want to mess with it.
You MUST change the Makefile line "include $(DEVKITPPC)/wii_rules" to a location where you have built libogc with -Os or you will get too big a binary for this to work.

If you make any changes to ELF loading then you have to copy the updated elf_loader.h file from elf_loader to source to build the loader with it.
Last edited by Fullmetal5,

Fullmetal5
What firmwares does this work on? I tested it on 4.2E yesterday and it worked so it's definitely working on more than just 4.3
It depends on what version of the EULA "app" that firmware has. I'm not sure when they updated the app so I'm not really sure what versions it works on.

XFlak

Wiitired but still kicking
Member
Joined
Sep 12, 2009
Messages
13,846
Trophies
3
Age
38
Location
Cyprus, originally from Toronto
Website
modmii.github.io
XP
9,842
Country
Cyprus
Fuck you, update 4.3 kill boot2
You are mistaken. A vulnerable boot1 is what allows someone to install bootmii as boot2. So an update to boot2 doesn't block anything. Boot1 cannot be updated either so any wii capable of installing bootmii as boot2 should always be able to do so regardless of anything Nintendo does after the fact.

leseratte
I'd imagine the coding itself shouldn't be that hard, the question is if there is enough space left, because the available space for the custom code is pretty limited. It is probably easier for the users to convert their DOL to the ELF format.

leseratte
Hm, you are right, I tried converting a DOL to an ELF, with a few changes to the converter to fix some obviously missing parts, but it still doesn't work for some reason. As soon as all the writeups and code are released and I can recompile and test everything I might try adding DOL support (if there is enough space).

Fullmetal5
Converting DOLs to ELFs hasn't worked for other exploits like Bannerbomb, for example. I'm not sure what exactly breaks it; I've just been a tester on this, so my knowledge is limited. Native DOL support for an exploit would be ideal if possible.

Out of curiosity, why do you want dol loading? Were some old homebrew apps only distributed as dols or something?

My two cents:
Ideally, more things should just be ELF files, not DOLs. It's a much more limited format and I don't really see why people started putting their homebrew into it. (Besides technical reasons)

leseratte
Yes, some homebrew is being distributed as DOL files only and would need to be recompiled to get an ELF file. ELF is indeed superior as it contains more data (function names and such, unless stripped) while DOLs just contain the raw code and data segments, but there are still DOL files out there and being able to load them would be cool.
Do you know how much space is left for code to be added to the binary? The DOL format is pretty simple so adding support for it shouldn't be too hard, if there is space for the code.

If there isn't, maybe one could compile two different versions, one with ELF and one with DOL loading, and let the user pick, if I can get links or different buttons on the EULA web page to work.

And, is there any ETA for the write-up and the scripts I'd need to convert the compiled network loader to the image file to be embedded into the HTML page?
Last edited by leseratte,

Fullmetal5
Yes, some homebrews are being distributed as DOL file only and would need to be recompiled to get an ELF file.
Do you know how much space is left for code to be added to the binary? The DOL format is pretty simple so adding support for it shouldn't be too hard, if there is space for the code.
And, is there any ETA for the write-up and the scripts I'd need to convert the compiled network loader to the image file to be embedded into the HTML page?
An ETA for the writeup is by the end of tomorrow. I have enough time to go back and clean up some of the hacky or broken things that were used to build the exploit.
As for space, I never took exact measurements but it's somewhere around 512K give or take a little. I ended up deflating the network loader to get it to fit. Luckily DOL is an extremely simple file format and the code to load it should be minimal. I'm sure it can fit.
Last edited by Fullmetal5,
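The two posts above agree that DOL is a simple enough format that a loader for it would be small. As an added illustration that is not code from the thread or from the WiiNetworkLoader project, here is a DOL header parser with the bounds and overlap checks a loader should perform before copying sections into memory. The 0x100-byte header layout (7 text and 11 data section offsets, then load addresses, then sizes, then BSS address, BSS size and entry point, all big-endian) follows the publicly documented DOL format; the MEM1/MEM2 address windows are assumed, and the sample DOL built by `build_sample_dol` is constructed for the example.

```python
import struct

# DOL header layout (public format description): 18 section file offsets,
# 18 load addresses, 18 sizes, BSS address, BSS size, entry point (57 words),
# zero-padded to 0x100 bytes. Slots 0-6 are text, 7-17 are data.
DOL_HEADER_SIZE = 0x100
NUM_TEXT = 7
NUM_DATA = 11
# Assumed cached PPC views of MEM1 and MEM2 on the Wii.
MEM_RANGES = ((0x80000000, 0x81800000), (0x90000000, 0x94000000))


class DolError(ValueError):
    """Raised when a DOL image fails a structural or bounds check."""


def _in_ram(addr, size):
    return any(lo <= addr and addr + size <= hi for lo, hi in MEM_RANGES)


def parse_dol(blob):
    """Parse and validate a DOL image.

    Returns (sections, bss_addr, bss_size, entry) where each section is a
    (kind, file_offset, load_addr, size) tuple for every used slot.
    """
    if len(blob) < DOL_HEADER_SIZE:
        raise DolError("file shorter than the 0x100-byte DOL header")
    words = struct.unpack(">57I", blob[:0xE4])
    offsets, addrs, sizes = words[0:18], words[18:36], words[36:54]
    bss_addr, bss_size, entry = words[54], words[55], words[56]

    sections = []
    for i in range(NUM_TEXT + NUM_DATA):
        off, addr, size = offsets[i], addrs[i], sizes[i]
        if size == 0:
            continue  # unused slot
        kind = "text" if i < NUM_TEXT else "data"
        # The file range must lie past the header and inside the image.
        if off < DOL_HEADER_SIZE or off + size > len(blob):
            raise DolError(f"{kind} slot {i}: file range out of bounds")
        # The load range must fit inside RAM (no wrap-around past the window).
        if not _in_ram(addr, size):
            raise DolError(f"{kind} slot {i}: load address outside RAM")
        sections.append((kind, off, addr, size))

    # Sections must not overlap each other in memory.
    ordered = sorted(sections, key=lambda s: s[2])
    for (_, _, a1, s1), (_, _, a2, _) in zip(ordered, ordered[1:]):
        if a1 + s1 > a2:
            raise DolError("sections overlap in memory")
    if bss_size and not _in_ram(bss_addr, bss_size):
        raise DolError("BSS outside RAM")
    # The entry point must land inside some text section.
    if not any(k == "text" and a <= entry < a + s for k, _, a, s in sections):
        raise DolError("entry point not inside a text section")
    return sections, bss_addr, bss_size, entry


def is_valid_dol(blob):
    try:
        parse_dol(blob)
        return True
    except DolError:
        return False


def load_dol(blob):
    """Simulate loading: return {load_addr: bytes} for every section plus a zeroed BSS."""
    sections, bss_addr, bss_size, entry = parse_dol(blob)
    image = {addr: blob[off:off + size] for _, off, addr, size in sections}
    if bss_size:
        image[bss_addr] = b"\x00" * bss_size
    return image, entry


def build_sample_dol(data_addr=0x80004000):
    """Constructed sample: one 32-byte text section, one 16-byte data section, a BSS."""
    text = bytes(range(32))          # constructed filler, not real instructions
    data = b"\xaa" * 16
    offsets = [0] * 18
    addrs = [0] * 18
    sizes = [0] * 18
    offsets[0], addrs[0], sizes[0] = 0x100, 0x80003400, len(text)   # text slot 0
    offsets[7], addrs[7], sizes[7] = 0x120, data_addr, len(data)    # data slot 0
    header = struct.pack(">57I", *offsets, *addrs, *sizes,
                         0x80005000, 0x100, 0x80003400)
    header += b"\x00" * (DOL_HEADER_SIZE - len(header))
    return header + text + data


if __name__ == "__main__":
    secs, bss_addr, bss_size, entry = parse_dol(build_sample_dol())
    for kind, off, addr, size in secs:
        print(f"{kind}: file 0x{off:x} -> 0x{addr:08x} ({size} bytes)")
    print(f"bss 0x{bss_addr:08x} ({bss_size} bytes), entry 0x{entry:08x}")
```

The checks are the ones that matter when the DOL comes from an untrusted source such as a web server: a truncated image, a section pointing outside the buffer, or two sections overlapping would otherwise turn a simple memcpy loop into a memory corruption primitive in the loader itself.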
