Hacking rw-r-r-0644 found a boot1 coldboot exploit for the Wii U

Aheago

I haven't tried it (way too annoying to set up), but I read from other testers that it works but the HOME menu is currently broken. Should be easy to fix. Every RPX that runs as a channel should also work.


Funny because I think developers couldn't care less about the Switch. There are no big projects atm besides SciresM's Atmosphère reimplementation. At least we don't have the constant shitflinging between CFW and SX users :P
Mission control is a pretty big project. Getting other console controllers working on the system natively and with potential motion controls in the future too? What’s not to love?
 

NinStar

I would love to believe this is a breakthrough for the Wii U homebrew community; however, we are in 2021 and not 2012, and most developers are busy with the Nintendo Switch.

I think it's more about accessibility, but I don't know how many Switch consoles are exploitable nowadays compared to Wii U.
 

rw-r-r_0644

Hey, cool to see a thread about this!
Just don't get too much excited, okay? :)

This won't be released soon. I posted the vulnerability after bricking my remaining Wii U, so if I end up losing interest or taking way too much time, other developers can potentially work on it; just in case, here are a couple of technical notes (https://pastebin.com/G2jMGD2u). For now I'm having quite a bit of fun/learning while working on the exploit.

The Aroma environment will still provide all the cool features of interest to users and developers, such as plugins, patches, apps and more; it won't be replaced by this exploit. FailST could theoretically be replaced, but keeping it in place removes the need for signature patches. Compared to simply using FailST as a boot title, it doesn't offer significant advantages other than a potentially slightly faster boot (since Aroma wouldn't have to run a kernel/IOSU exploit).

The vulnerability might not be as dangerous as I originally thought: it seems that IOS-FS will panic before attempting to repair/write back the superblock, and by creating additional disallowed FST entries (such as a file inode with the first cluster >0xfffb) we can also provoke an IOS-FS superblock sanity check to fail; however, that was only tested in an emulator so far, and I still don't know how the exploit interacts with OSv255 or other firmwares. Still probably a very good idea to only ever boot patched firmwares, though.
A system update can easily fix the boot1 bug which causes this vulnerability, so update-blocking patches are also important (as a boot1 update with the exploit installed would probably result in a brick). There is no hardware protection against downgrades, so ultimately it'll always be possible to restore a vulnerable boot1 version.

In theory, with isfshax installed, it should be possible to delete all the files in slc or slccmpt and still be able to recover via software from a backup; it won't save Wii Us if the boot1 blocks or the superblock where the exploit is installed are accidentally overwritten or damaged.

As others already pointed out in this thread, it also unfortunately doesn't allow previously bricked Wii Us to be restored. The superblock is authenticated with a SHA1 HMAC saved in the NAND spare area, which requires the 20-byte per-console SLC HMAC key from OTP to be generated. Assuming the key is randomly generated (this might also not be the case), it's infeasible to brute-force its 20 bytes.

The exploit does not give access to anything that wasn't previously accessible; it only allows us to gain execution at an earlier time during the boot process. This is nice for projects such as linux-wiiu, and could potentially allow recovery tools or custom firmwares to be loaded early on startup.
However, I don't have the energy to work on creating or maintaining a proper custom firmware or other useful tools to go along with this exploit, so if anything does ever get released it'll probably only be the entrypoint and a minimal set of patches that still allow IOSU to boot with the exploit installed.
 
Last edited by rw-r-r_0644,
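The superblock authentication described in the post above, as an added Python illustration (not the author's code or the real ISFS layout): a 20-byte HMAC-SHA1 tag over a constructed superblock stand-in, a verifier that rejects a rewritten superblock or a tag made with a guessed key, and the key-space estimate that shows why recovering a brick by brute-forcing the OTP key is out of reach. The key, superblock bytes and guess rate are all constructed placeholders.

```python
import hmac
import hashlib

# Constructed stand-ins: the real SLC superblock is far larger and the real
# 20-byte key lives in the console's OTP. These only exercise the check.
SLC_HMAC_KEY = bytes(range(20))              # placeholder per-console key
SUPERBLOCK = b"SUPERBLOCK" + b"\x00" * 54     # placeholder superblock bytes


def superblock_hmac(superblock: bytes, key: bytes) -> bytes:
    """HMAC-SHA1 tag as it would be kept in the NAND spare area (20 bytes)."""
    return hmac.new(key, superblock, hashlib.sha1).digest()


def verify_superblock(superblock: bytes, spare_tag: bytes, key: bytes) -> bool:
    """Accept the superblock only if the spare-area tag matches under `key`.

    compare_digest avoids leaking the mismatch position through timing.
    """
    return hmac.compare_digest(superblock_hmac(superblock, key), spare_tag)


def tag_with_guessed_key(superblock: bytes, guess: bytes) -> bytes:
    """What a recovery tool without the OTP key can do: tag with a guess.

    The verifier (holding the real key) will reject it unless the guess
    happens to equal the real key.
    """
    return superblock_hmac(superblock, guess)


def brute_force_years(key_bytes: int = 20, guesses_per_second: float = 1e12) -> float:
    """Time to exhaust a key space of 8*key_bytes bits at the given rate.

    1e12 guesses/s is a generous constructed figure for illustration.
    """
    seconds = (2 ** (8 * key_bytes)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    tag = superblock_hmac(SUPERBLOCK, SLC_HMAC_KEY)
    print("genuine superblock verifies:", verify_superblock(SUPERBLOCK, tag, SLC_HMAC_KEY))
    rewritten = SUPERBLOCK[:-1] + b"\x01"
    print("rewritten superblock verifies:", verify_superblock(rewritten, tag, SLC_HMAC_KEY))
    forged = tag_with_guessed_key(SUPERBLOCK, bytes(20))
    print("tag from guessed key verifies:", verify_superblock(SUPERBLOCK, forged, SLC_HMAC_KEY))
    print(f"years to exhaust a 160-bit key space: {brute_force_years():.2e}")
```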

rw-r-r_0644

Adding the exploit to the wiiubrew wiki was probably a mistake on my part. I expected people to mostly ignore it (it's potentially interesting to some developers), or consider it a cool curiosity more than anything else. FailST is already an excellent coldboot solution, and should satisfy everyone that has been waiting for a free or faster Haxchi alternative; that's probably what you should look forward to, rather than isfshax.
I have underestimated years of waiting for a boot1 coldboot exploit to come and somehow revive the Wii U scene. Sorry about this.
 

mitcha

Adding the exploit to the wiiubrew wiki was probably a mistake on my part. I expected people to mostly ignore it (it's potentially interesting to some developers), or consider it a cool curiosity more than anything else. FailST is already an excellent coldboot solution, and should satisfy everyone that has been waiting for a free or faster Haxchi alternative; that's probably what you should look forward to, rather than isfshax.
I have underestimated years of waiting for a boot1 coldboot exploit to come and somehow revive the Wii U scene. Sorry about this.
People say the Wii U is a flop, but people are still interested 10 years later. I loved my Wii U and still do ;)
 

Alexander1970

People say the Wii U is a flop, but people are still interested 10 years later. I loved my Wii U and still do ;)

Yes, completely true.

I am curious. Where is the "Wii U is dead" party now?
We had enough unnecessarily bloated threads about this topic from so-called Homebrew Experts (not really, eh?)
...and now? Huuuhuuuu...... no one's there from that faction.
 

mitcha

Yes, completely true.

I am curious. Where is the "Wii U is dead" party now?
We had enough unnecessarily bloated threads about this topic from so-called Homebrew Experts (not really, eh?)
...and now? Huuuhuuuu...... no one's there from that faction.
Mostly it was games magazines and games TV shows who killed the Wii U with a bullet to the head, the first bullet shot by Nintendo (the name of the Wii U = Wii).
This is, I think, what killed the Wii U.
We got Zelda BotW ;) and that's how Miyamoto/Aonuma honor it.
 

duwen

I am curious. Where is the "Wii U is dead" party now?

Yeah, I don't understand the mindset of any of those that think only exploits/hacks/homebrew for current systems are worthwhile... personally, I'm loving all the recent work being done in the PS1/PS2/Vita/Wii U scenes more than anything for newer systems.

I spent most of this past weekend testing all of my legit PS1 import discs with Tonyhax on my PS2 and had a great time! Ended up on eBay buying more PS1 memory cards!
 

tivu100

Getting an exploitable Switch is easy af.
Not if the guy who's selling it knows exactly why you want it and wants to charge you up the ass for it. Would be easier if I had access to the US but... you know.
It all boils down to demand and supply.

In Mexico, perhaps since the PS5 is not exploitable, its (black market) price peaks, as there is not as much demand. It's riskier for scalpers to hold on to expensive PS5s that depreciate once more consoles become available.

On the other hand, in the US, the market for unexploitable consoles is always big, not only now due to the pandemic. This however makes second-hand exploitable Switch consoles more available, as people would "upgrade" (not worth it), so they want to rid themselves of the older version. Many are unaware of the exploitable value of their old Switch.
 
