Hacking A channel-less, sd-less entry point: str2hax

[Kirbeast]

@urmum_69 and @Larsenv are really good, they do great work. They where willing to answer my homebrew development questions. If either of you see this, thank you. Your knowledge really helped me out.

 

[WiiNewbie2021]

Would it be possible to have someone upload the Site.zip file with the networkloader payload? Compiling this so so beyond me. I can set the dns and install the apache but the rest is above my pay grade.

 

[DEFYREALITY]

hello i got hanging message
str2hax

We may have smashed it

Hanging..

What do I do

 

[Vila_]

hello i got hanging message
str2hax

We may have smashed it

Hanging..

What do I do

can you describe the error more thoroughly? like what you have on screen, etc.

 

[DEFYREALITY]

can you describe the error more thoroughly? like what you have on screen, etc.

It fixed itself

 

[Vmac_attack]

Just to get this out of the way: THIS DOES NOT WORK ON THE MINI

Alright, so with Nintendo shutting down the E-Shop there won't be a way of getting the Internet Channel anymore which means no more FlashHax.
So we need another exploit that works without sd cards and now only works with whatever default channels are installed on the Wii.
So what's the attack surface for the default channels?
Well luckily for us Nintendo decided to have their EULA for the Wii be updatable, and they decided to do this by making the EULA view actually just be Opera pointed at the page "http://cfh.wapp.wii.com/eula/XXX/YY.html".
Where XXX is the country code and YY is the language.
And since they get the page over http that means if we change the dns servers then we can switch the page out for whatever we want.
See below for the write-up.

How to setup str2hax:
1. Go to the Wii's settings the under Internet select Connection Settings and choose your currently active connection.
2. Select Change settings and scroll to the right until you get to Auto-Obtain DNS
3. Select No then select Advanced Settings.
4. Change the Primary DNS to 97.74.103.14 and the Secondary DNS to 173.201.71.14.
5. Select Confirm and then Save, you will be told you must run a connection test. (Select No to the system update prompt)
If the connection test doesn't work try running it one more time and if it still fails leave a post about it. (Please make sure you have a working internet connection in the first place.)
6. Back out to the Internet panel and choose User Agreements. Select Yes to the question about the Wii Shop Channel/WiiConnect24.
7. You will be taken to a screen telling you to review the User Agreements for the Wii. Select Next.
If you see a pony on screen telling you to wait then you have done everything correctly. The exploit takes 1-2 minutes (1:25 is usually how long mine takes), if it takes longer than 2 minutes then it probably failed. Just turn off your Wii and start again from step 6.

After a minute or two you should be booted into the HackMii Installer. If the Wii freezes on a with a bunch of white text on it please take a LEGIBLE picture of the screen. I can't help you if I can't read it.

So how does str2hax work?

Well, it's actually CVE-2009-0689 as you may have guessed if you looked at the source from the page and found this "parseFloat" as the last function call.
So what exactly is CVE-2009-0689?
It's a heap based buffer overflow that happens when attempting to convert large ascii decimals to IEEE754 decimals.
This occurs in the popular dtoa.c library by David M. Gay.
The Opera team made some changes to it but a close match for it can be found here (https://websvn.kde.org/branches/KDE/4.3/kdelibs/kjs/dtoa.cpp?revision=986143&view=markup)

With the source code in hand we can get a much better idea of what's happening here.
First we need to know why things crash when we pass in large ascii decimals, but first we need to explain how dtoa manages its memory.
And yes, dtoa is the one managing its memory.
dtoa needs to expand the ascii decimal given to its full value to be able to perform the necessary math and ensure correctness.
To do this it allocs large structs call Bigints, these blocks are stored in a linked list based on the size of the decimal they can hold. (The sizes are in powers of 2)
The format of a Bigint is given on line 463 and looks like this:

struct Bigint {
struct Bigint *next;
int k, maxwds, sign, wds;
ULong x[1];
};

You can see the next variable which will be a pointer to the next free Bigint in the list when not in use, the k variable which indicates how big of a number can be stored in it, the maxwds, sign, and wds which are used to keep track of how many words of data represent the number as well as its sign, and finally the actual number follows in the array x.
So now we know how numbers are stored we need to see how these bigints are kept when not in use.
You can see on line 471 that an array of bigints is declared called freelist and is given a size of Kmax+1, Kmax is defined to be 15 here so that means there are 16 slots for bigints to occupy.
Each index in the array points to the first bigint in the linked list of free bigints of size K.


Kmax is used to indicate what the maximum K value a number can be before the library can't handle it.
When getting these bigint dtoa uses a wrapper function called Bmalloc.
Bmalloc takes an int k and checks to see if there are any free bigints in the freelist of size k by simply checking freelist[k] for a pointer and if not it allocs one with malloc as normal.

So what happens if we pass in a number that results in K being above Kmax?
Well, things go wrong.
When you index past the end of an array you will get whatever is in memory directly after it.
Luckily for us freelist is stored in the bss section since it's a global variable and therefore the next global variable is probably what the compiler decided to put after freelist.
This turns out to be correct and the next global variable in dtoa is the p5s array which is used by pow5mult.
So what is in p5s? It's more pointers to bigint actually. But very critically, it's pointers to bigints of a much smaller size (2 in this case).
So, when asked for a bigint of size Kmax+1, instead you get back a bigint of size 2. Oops

Unfortunately dtoa is quite complicated so I've only traced a small step of events that lead to the buffer overflow.
When attempting to diff two large bigints diff tries to allocate a return bigint that will be passed back. This return bigint attempts to allocate a K of size 17 which is one above the maximum and thus accidentally grabs from p5s which at the time has a bigint of size 2 sitting in it.
diff then effectively copies ~50K of the decimal passed to it into the smaller bigint. (Actually it is a diff of our original decimal and a small decimal I can't seem to figure out's meaning.) (Also it copies much more than 50K but that's all that's usable before it starts hitting the smaller decimal and things stop being predictable.)
So that means that ~50K of our decimal ends up smashing threw the much small bigint (only allocated to something like 0x20 bytes) and we can control all 50K.

So now we need to figure out what to overwrite with our 50K of data.
Unfortunately it's to big of an overwrite to ever return back to javascript (you might be able to but I choose not to), so instead I decided to overwrite another bigint and use it's k value to get an arbitrary write off.
When dtoa wants to "free" a bigint it calls a function Bfree which actually never free's it but instead adds it to the linked list we saw above. This is how bigints are recycled.
To do this it attempts to write a pointer to the bigint to freelist[v->k] which means that it will take K from the bigint, multiply it by 4, then add it to the memory location of freelist and write a pointer to the bigint there.
Unfortunately it also writes the current value at that address as the next pointer in the bigint which happens to be the first value.
To make matters worse the next field after Next happens to be the K value which means our K value will be tied to the Next value written.
This becomes very annoying later.

So since we control the k value of the bigint, we can direct the write to any 4 byte aligned address. Luckly for us this version of Opera doesn't appear to use and aslr/dep so I choose to overwrite a return address on the stack with it.
This results in the Bigint struct being jumped to and it's fields being interpreted as code.
As you may have guessed that means we need to find a return address that not only has stored in it a valid powerpc instruction but whose address results in a K that is also valid since we won't get code execution until both fields have been executed first.
Very luckily just 2 layers deep in the stack a return address happens to decode to a valid load instruction with a register that is a valid address at return time and has a K value that is safe. This means we will safely pass over it.

Here is a more visual representation of the bigint struct we overwrite.

uint32_t chain_layout[] = {
marker, // Beginning of bigint x region
0x00000000, // End of bigint x region
0x00000000, // Heap padding
0x00000000, // Heap padding
heap_header, // Heap header for next bigint block
bigint_next, // next pointer for the following bigint
bigint_k, // k size of the following bigint
relative_jump, // A relative jump forward (overlaps maxwds)
0x00000000, // sign
0x00000000 // wds
};

With all this done we can now just insert a relative instruction in the maxwds field safely slide down the chain of jump instructions (several fake bigints were created incase we don't align things probably with heap feng shui) until we hit our payload.

In this case the payload is savezelda that has had SD/gecko support removed and really just servers as a egg hunter for a bigger payload downloaded in memory.
Due to browser memory restrictions the whole page can't be very big (~512K) and we already take up white a big with the ascii decimal.
To workarounds this the payload is DEFLATE'd and uncompressed by savezelda with a very small deflate implementation by Rich Geldreich (Thank you VERY much).

The payload that str2hax currently boots is a small network loader that download the HackMii Installer and launches it.
Random thingy: Also I didn't disable the framebuffer so you get a nice view into ram while HackMii is booting which is why you see all the glitchy green mess

How Do I Build It:
0. Grab the source code from here: https://github.com/Fullmetal5/str2hax
1. Copy your payload (MUST BE VERY SMALL, you should probably just use the network loader) into the payload folder
2. Run ./make_is.sh YOUR_PAYLOAD.elf
This will give you a payload.png
3. Run ./create.sh in the main directory
4. It will create a site.zip file with everything you need. (Apache is required for the redirects)
5. To test this you will need to setup a dns server (dnsmasq works great) and redirect cfh.wapp.wii.com to your site.

This might sound weird, but have you ever thought of the name "str2hax" somehow meaning "straight to hacks" by thinking of "STRaight 2-(to) HA-cks"? or is it just me?

 

[XFlak]

I think this is what he was going for. I'd be surprised if there were many people who DON'T interpret it as "straight to hacks"

 

[KoopTheKoopa]

I may already homebrewed my Wii. But I am testing this to see if it works still.
And it doesn't... I guess.

I did the correct DNS settings and my wifi is really good but... Error 220602 "Unable to connect" error on loading EULA...
well it did take long to connect when I did a test connection (which does not happen before I did this exploit)

 

[ca032769]

I may already homebrewed my Wii. But I am testing this to see if it works still.
And it doesn't... I guess.

I did the correct DNS settings and my wifi is really good but... Error 220602 "Unable to connect" error on loading EULA...
well it did take long to connect when I did a test connection (which does not happen before I did this exploit)

Use the ModMii link below in my signature. It never fails.

 

[Alexander1970]

Good Morning.

The str2hax Exploit / Internet Connection (Error Code 52231) is actual not working.
Can someone please confirm this ?

Also: Is this correct ?

• Type in 18.188.135.9 as the primary DNS.
• Type in 18.188.135.9 as the secondary DNS.

https://wii.guide/str2hax

Thank you.

 

[XFlak]

DNS looks right to me

 

[Fullmetal5]

Sorry, issue on the server end with new host. (I put the wrong hostname in for the conntest url, oops)
Should be fixed now, let me know if it still doesn't work.

 

[Alexander1970]

Sorry, issue on the server end with new host. (I put the wrong hostname in for the conntest url, oops)
Should be fixed now, let me know if it still doesn't work.

Thank you very much,I will try it and give you Feedback.

 

[Alexander1970]

Sorry, issue on the server end with new host. (I put the wrong hostname in for the conntest url, oops)
Should be fixed now, let me know if it still doesn't work.

Works again,thank you very much !

 

[Leosake]

Hello, I just got ahold of a wii and for the life of me I can't get any mod or hack version to work. When I tried this version of the hcak (or any hackmii) I keep getting this error after I click yes to install The Homebrew Channel. I followed the instructions to a t and idk, Any ideas on what's going on and what I can do to get this to work for me?

 

[XFlak]

are you running the latest version of the hackmii installer?

If the hackmii installer is running, and you successfully pressed 1 to continue, proceeded to the part about installing the hbc, and that's where it fails, then it has nothing to do with the exploit, str2hax is finished doing it's job once the hackmii installer loads.

What IOS is the hackmii installer running off of? Depending on your answer, trying ModMii's hackmii solutions wizard might help you solve this.

Also, is there an existing HBC installed by any chance? Could be an older or a custom version? I know the hackmii installer will remove older versions of the HBC if detected before installing it's built-in version. And I know that there are some hidden forwarder channels like haxx-to-jodi or similar that you could have installed and not even really be aware of it; it shouldn't be causing this issue, but it's something else to check and to think about.

edit: you could try finding a game disk with an update on it and do the update and try again (do not do this if there are signs that your Wii was originally Korean and region changed, it may 003 brick - updating with ModMii is always safe though)

edit2: there is always the extreme option that should almost certainly work, but it has a bit of risk (mostly risk of power loss during nand restore). It also probably requires a GC controller (unless you were able to install bootmii as boot2 from the hackmii installer, u only mentioned the HBC, but what happens with bootmii?).

Look inside modmii's support folder and run Casper2Bootmii.bat, after running Casper2Bootmii.bat and saving files to sd, when you launch an exploit u will be taken to bootmii. Proceed to make a nand backup. Then grab ohneschwanzenegger, feed it your nand backup and tell it to get "4.2x" or "4.3x" next to where it says get it (where X is your region letter). It will build a new nand, name it nand.bin and save it to the root of your sd card, then restore it to your console

Here's a video of ohneschwanzenegger running, it might be helpful

 

[Leosake]

are you running the latest version of the hackmii installer?

If the hackmii installer is running, and you successfully pressed 1 to continue, proceeded to the part about installing the hbc, and that's where it fails, then it has nothing to do with the exploit, str2hax is finished doing it's job once the hackmii installer loads.

What IOS is the hackmii installer running off of? Depending on your answer, trying ModMii's hackmii solutions wizard might help you solve this.

Also, is there an existing HBC installed by any chance? Could be an older or a custom version? I know the hackmii installer will remove older versions of the HBC if detected before installing it's built-in version. And I know that there are some hidden forwarder channels like haxx-to-jodi or similar that you could have installed and not even really be aware of it; it shouldn't be causing this issue, but it's something else to check and to think about.

edit: you could try finding a game disk with an update on it and do the update and try again (do not do this if there are signs that your Wii was originally Korean and region changed, it may 003 brick - updating with ModMii is always safe though)

edit2: there is always the extreme option that should almost certainly work, but it has a bit of risk (mostly risk of power loss during nand restore). It also probably requires a GC controller (unless you were able to install bootmii as boot2 from the hackmii installer, u only mentioned the HBC, but what happens with bootmii?).

Look inside modmii's support folder and run Casper2Bootmii.bat, after running Casper2Bootmii.bat and saving files to sd, when you launch an exploit u will be taken to bootmii. Proceed to make a nand backup. Then grab ohneschwanzenegger, feed it your nand backup and tell it to get "4.2x" or "4.3x" next to where it says get it (where X is your region letter). It will build a new nand, name it nand.bin and save it to the root of your sd card, then restore it to your console

Here's a video of ohneschwanzenegger running, it might be helpful

So, my gf got it brand new back when it was released and only used it for a short time before retiring it. It hasn't had any other soft mods or hbc instaled at all. I do have skyward sword which seems to update the wii to 4.3u (even though ther wii already has that update) It seems to always do this error as I try to install hbc regardless of what exploit i do, ( I've done letter bomb, blue bomb using and SD card, str2hax does the same error) I have also tried ModMii but once I get through to use the SD card method i get a MD5 verification error, deletes re-downloads then no network path? I'll try too find the hbc version, although I would imagine that str2hax would have the latest version and be fine installing from them so idk what else to do.

 

[XFlak]

Known bug in 6.6.3, it's mentioned in a few places u may have missed it. Either use modmii classic and not modmii skin, or don't set a drive letter as the sd path and leave it as default copy_to_sd or any relative path

 

[ReeRee457]

I've been trying to get this working on my Wii with my mobile hotspot but it doesn't work, it always gives me 'if_config: -24'

 

[ElCronista]

Hello. I have a problem

The DNS it's not working. At least not for me. I did all the steps, but it still doesn't show me the pony instead of the EULA. I tried everything: Changing the lenguage, the country and the hours. Erasing and creating de conection. It doesn't work, and I'm desesperate.

Please help me