A channel-less, sd-less entry point: str2hax

Discussion in 'Wii - Hacking' started by Fullmetal5, Nov 14, 2018.

  1. Fullmetal5
    OP

    Fullmetal5 Advanced Member

    Newcomer
    4
    Dec 10, 2017
    United States
    Well that explains it. When making it I was debating which I should do: set it to 8.8.8.8/4.4.4.4 or use Auto DNS. I chose Auto DNS because I couldn't think of any reason for it to fail. I didn't think about it not working with no DHCP.
    I'll switch the network loader over to setting it to manual DNS with 8.8.8.8/4.4.4.4 as the settings.

    EDIT: OK, the site has been updated to use manual DNS now.
     
    Last edited by Fullmetal5, Dec 1, 2018
  2. leseratte

    leseratte GBAtemp Regular

    Member
    4
    Jun 2, 2012
    Germany
    Thanks, just tested it again and now it works. Pretty cool exploit, looking forward to the source release so we can make a version for Wiimmfi.

    Do you know if the EULA display thing supports links? Then the server could theoretically send a web page with a few links for the user to select what binary to download and run ...

    EDIT: Uuh, you do know that google's 2nd DNS is 8.8.4.4 and that 4.4.4.4 (the one you use as 2nd one) doesn't exist?
     
    Last edited by leseratte, Dec 1, 2018
  3. Fullmetal5
    OP

    Fullmetal5 Advanced Member

    Newcomer
    4
    Dec 10, 2017
    United States
    It's very weird. I only messed around with a few aspects of user interaction with the page and some of it seems broken.
    Don't try to have the page redirect, use iframes, or do ANYTHING that isn't in the directory it's hosted in. Even loading pictures like <img src="../example.png"> will fail. If you want user interaction I would have buttons that run JavaScript to load the right payload.png and then trigger the exploit.
    Also DON'T use XMLHttpRequest. It's broken and will just crash the browser. (Doesn't seem exploitable.)
    Another option is to build an app that lets the user select stuff and just always load it, to get around all the weird restrictions of the browser.

    You may experiment more with user interaction on the page as I didn't do much. Just make sure you set the page title to "End User License Agreement" or the wii will just throw an error at you.
     
  4. leseratte

    leseratte GBAtemp Regular

    Member
    4
    Jun 2, 2012
    Germany
    OK, then I will definitely mess around with this some more when it's released.

    Well it wouldn't even need to be released, I can just have two links to the same payload in different paths. I'll let you know if I happen to get it to work.
     
  5. Fullmetal5
    OP

    Fullmetal5 Advanced Member

    Newcomer
    4
    Dec 10, 2017
    United States
    The network loader has been uploaded to https://github.com/Fullmetal5/WiiNetworkLoader if you want to mess with it.
    You MUST change the Makefile line "include $(DEVKITPPC)/wii_rules" to a location where you have built libogc with -Os or you will get too big a binary for this to work.

    If you make any changes to ELF loading then you have to copy the updated elf_loader.h file from elf_loader to source to build the loader with it.
     
    Last edited by Fullmetal5, Dec 1, 2018
    barronwaffles likes this.
  6. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    What firmwares does this work on? I tested it on 4.2E yesterday and it worked so it's definitely working on more than just 4.3
     
  7. Fullmetal5
    OP

    Fullmetal5 Advanced Member

    Newcomer
    4
    Dec 10, 2017
    United States
    It depends on what version of the EULA "app" that firmware has. I'm not sure when they updated the app so I'm not really sure what versions it works on.
     
  8. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    Oh in that case it may have worked on my 4.2 wii because I know I have the latest eula installed... So it's not confirmed working on 4.2, my bad. Further testing/research will be needed.
     
  9. Zurdonx

    Zurdonx Member

    Newcomer
    1
    Oct 2, 2018
    Venezuela
    Has anyone tested this on vWii?
     
  10. FancyNintendoGamer567

    FancyNintendoGamer567 GBAtemp Advanced Fan

    Member
    4
    Feb 13, 2017
    United States
    I doubt this would work on vWii, like the other non-Ingame exploits (Letterbomb, FlashHax).
    @Zurdonx
     
    E1ite007 and Zurdonx like this.
  11. Saimo

    Saimo Newbie

    Newcomer
    1
    Dec 1, 2018
    Algeria
    Fuck you, update 4.3 kill boot2
     
  12. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    You are mistaken. A vulnerable boot1 is what allows someone to install bootmii as boot2. So an update to boot2 doesn't block anything. Boot1 cannot be updated either so any wii capable of installing bootmii as boot2 should always be able to do so regardless of anything Nintendo does after the fact.
     
  13. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    @Cyan should this be stickied instead of (or in addition to) Flashhax?
     
  14. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    How much work would be involved to have this exploit launch not only ELFs but DOLs too?
     
  15. leseratte

    leseratte GBAtemp Regular

    Member
    4
    Jun 2, 2012
    Germany
    I'd imagine the coding itself shouldn't be that hard, the question is if there is enough space left, because the available space for the custom code is pretty limited. It is probably easier for the users to convert their DOL to the ELF format.
     
  16. XFlak

    XFlak Wiitired but still kicking

    Member
    8
    Sep 12, 2009
    Canada
    Ontario
    Converting DOLs to ELFs hasn't worked for other exploits like Bannerbomb, for example. I'm not sure what exactly breaks it; I've just been a tester on this, so my knowledge is limited. Native DOL support for an exploit would be ideal if possible.
     
  17. leseratte

    leseratte GBAtemp Regular

    Member
    4
    Jun 2, 2012
    Germany
    Hm, you are right, I tried converting a DOL to an ELF, with a few changes to the converter to fix some obviously missing parts, but it still doesn't work for some reason. As soon as all the writeups and code are released and I can recompile and test everything I might try adding DOL support (if there is enough space).
     
  18. Fullmetal5
    OP

    Fullmetal5 Advanced Member

    Newcomer
    4
    Dec 10, 2017
    United States
    Out of curiosity, why do you want dol loading? Were some old homebrew apps only distributed as dols or something?

    My two-cents:
    Ideally, more things should just be ELF files, not DOLs. It's a much more limited format and I don't really see why people started putting their homebrew into it. (Besides technical reasons.)
     
  19. leseratte

    leseratte GBAtemp Regular

    Member
    4
    Jun 2, 2012
    Germany
    Yes, some homebrews are being distributed as DOL file only and would need to be recompiled to get an ELF file. ELF is indeed superior as it contains more data (and function names and such, unless stripped) and DOLs just contain the raw code and data segments, but there are still DOL files out there and being able to load them would be cool.
    Do you know how much space is left for code to be added to the binary? The DOL format is pretty simple so adding support for it shouldn't be too hard, if there is space for the code.

    If there isn't, maybe one could compile two different versions, one with ELF and one with DOL loading, and let the user pick, if I can get links or different buttons on the EULA web page to work.

    And, is there any ETA for the write-up and the scripts I'd need to convert the compiled network loader to the image file to be embedded into the HTML page?
     
    Last edited by leseratte, Dec 17, 2018
  20. Fullmetal5
    OP

    Fullmetal5 Advanced Member

    Newcomer
    4
    Dec 10, 2017
    United States
    An ETA for the writeup is by the end of tomorrow. I have enough time to go back and cleanup some of the hacky or broken things that were used to build the exploit.
    As for space, I never took exact measurements but it's somewhere around 512K, give or take a little. I ended up deflating the network loader to get it to fit. Luckily DOL is an extremely simple file format and the code to load it should be minimal. I'm sure it can fit.
     
    Last edited by Fullmetal5, Dec 17, 2018
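The DOL loader that leseratte and Fullmetal5 are sizing up in posts 15 to 20 is small enough to show in full. The following is an added example written for this page; it is not code from str2hax or WiiNetworkLoader. It uses the standard GameCube/Wii DOL layout: a 0x100-byte header of big-endian 32-bit fields holding file offsets, load addresses and sizes for 7 text and 11 data sections, followed by the BSS address and size and the entry point. The sample DOL, the memory window that stands in for MEM1, and the function names are constructed for the example.

```c
/* Minimal DOL parser and section loader (added example, not str2hax code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DOL_TEXT_SECTIONS 7
#define DOL_DATA_SECTIONS 11
#define DOL_HEADER_SIZE   0x100

typedef struct {
    uint32_t text_off[DOL_TEXT_SECTIONS],  text_addr[DOL_TEXT_SECTIONS],  text_size[DOL_TEXT_SECTIONS];
    uint32_t data_off[DOL_DATA_SECTIONS],  data_addr[DOL_DATA_SECTIONS],  data_size[DOL_DATA_SECTIONS];
    uint32_t bss_addr, bss_size, entry;
} dol_header_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* Overflow-safe check that [addr, addr+size) lies inside [base, base+len). */
static int in_range(uint32_t addr, uint32_t size, uint32_t base, size_t len) {
    return addr >= base && (uint64_t)(addr - base) + size <= len;
}

/* Parse the header and verify every non-empty section lies inside the file.
 * Returns 0 on success, -1 if the file is truncated or a section overruns it. */
int dol_parse(const uint8_t *file, size_t file_len, dol_header_t *h) {
    if (file_len < DOL_HEADER_SIZE) return -1;
    for (int i = 0; i < DOL_TEXT_SECTIONS; i++) {
        h->text_off[i]  = be32(file + 0x00 + 4 * i);
        h->text_addr[i] = be32(file + 0x48 + 4 * i);
        h->text_size[i] = be32(file + 0x90 + 4 * i);
        if (h->text_size[i] && !in_range(h->text_off[i], h->text_size[i], 0, file_len)) return -1;
    }
    for (int i = 0; i < DOL_DATA_SECTIONS; i++) {
        h->data_off[i]  = be32(file + 0x1C + 4 * i);
        h->data_addr[i] = be32(file + 0x64 + 4 * i);
        h->data_size[i] = be32(file + 0xAC + 4 * i);
        if (h->data_size[i] && !in_range(h->data_off[i], h->data_size[i], 0, file_len)) return -1;
    }
    h->bss_addr = be32(file + 0xD8);
    h->bss_size = be32(file + 0xDC);
    h->entry    = be32(file + 0xE0);
    return 0;
}

/* Place the sections into a caller-supplied window [mem_base, mem_base+mem_len)
 * that stands in for MEM1. Returns the entry point, or 0 if anything falls
 * outside the window. BSS is cleared first: DOLs produced by elf2dol often
 * declare a BSS range that overlaps data sections, so clearing it afterwards
 * would wipe initialised data. */
uint32_t dol_load(const dol_header_t *h, const uint8_t *file,
                  uint8_t *mem, uint32_t mem_base, size_t mem_len) {
    if (h->bss_size) {
        if (!in_range(h->bss_addr, h->bss_size, mem_base, mem_len)) return 0;
        memset(mem + (h->bss_addr - mem_base), 0, h->bss_size);
    }
    for (int i = 0; i < DOL_TEXT_SECTIONS + DOL_DATA_SECTIONS; i++) {
        int t = i < DOL_TEXT_SECTIONS, j = t ? i : i - DOL_TEXT_SECTIONS;
        uint32_t off  = t ? h->text_off[j]  : h->data_off[j];
        uint32_t addr = t ? h->text_addr[j] : h->data_addr[j];
        uint32_t size = t ? h->text_size[j] : h->data_size[j];
        if (size == 0) continue;
        if (!in_range(addr, size, mem_base, mem_len)) return 0;
        memcpy(mem + (addr - mem_base), file + off, size);
    }
    return h->entry;
}

/* Constructed sample DOL: one text section (li r3,0 ; blr), one data word,
 * a 16-byte BSS, entry at the text start. Returns the file length. */
size_t build_sample_dol(uint8_t *buf, size_t cap) {
    static const uint8_t text[8] = {0x38,0x60,0x00,0x00, 0x4E,0x80,0x00,0x20};
    static const uint8_t data[4] = {0xDE,0xAD,0xBE,0xEF};
    size_t len = DOL_HEADER_SIZE + sizeof text + sizeof data;
    if (cap < len) return 0;
    memset(buf, 0, len);
    put32(buf + 0x00, DOL_HEADER_SIZE);               put32(buf + 0x48, 0x80003100); put32(buf + 0x90, sizeof text);
    put32(buf + 0x1C, DOL_HEADER_SIZE + sizeof text); put32(buf + 0x64, 0x80003200); put32(buf + 0xAC, sizeof data);
    put32(buf + 0xD8, 0x80003300); put32(buf + 0xDC, 16); put32(buf + 0xE0, 0x80003100);
    memcpy(buf + DOL_HEADER_SIZE, text, sizeof text);
    memcpy(buf + DOL_HEADER_SIZE + sizeof text, data, sizeof data);
    return len;
}

/* Exercise parse + load on the sample and on two malformed inputs.
 * Returns 0 on success, otherwise the number of the failing step. */
int dol_selftest(void) {
    static uint8_t dol[512], mem[0x1000];
    dol_header_t h;
    size_t n = build_sample_dol(dol, sizeof dol);
    if (n != 0x10C) return 1;
    if (dol_parse(dol, n, &h) != 0 || h.entry != 0x80003100) return 2;
    memset(mem, 0xAA, sizeof mem);                          /* sentinel, constructed */
    if (dol_load(&h, dol, mem, 0x80003000, sizeof mem) != 0x80003100) return 3;
    if (mem[0x100] != 0x38 || mem[0x107] != 0x20) return 4; /* text landed */
    if (mem[0x200] != 0xDE || mem[0x203] != 0xEF) return 5; /* data landed */
    if (mem[0x300] != 0x00 || mem[0x30F] != 0x00 || mem[0x310] != 0xAA) return 6; /* BSS cleared, not beyond */
    if (dol_parse(dol, 0x104, &h) != -1) return 7;          /* truncated file: text0 overruns */
    if (dol_parse(dol, n, &h) != 0) return 8;
    if (dol_load(&h, dol, mem, 0x80003000, 0x200) != 0) return 9; /* window too small for data0 */
    return 0;
}

int main(void) {
    int rc = dol_selftest();
    printf(rc == 0 ? "DOL selftest passed\n" : "DOL selftest failed at step %d\n", rc);
    return rc;
}
```

On hardware the loader would copy straight into MEM1 instead of a buffer, then flush the data cache and invalidate the instruction cache over each text range before jumping to the entry point; those cache operations and the jump are the only parts this example leaves out. The parse and load routines together are a few hundred bytes of PowerPC code, well inside the roughly 512K budget Fullmetal5 describes.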