Hacking [beta]Wii U Hax Server

[gudenau]

Over the past couple weeks I have been working on a
simple server to serve Wii U exploits from a fairly lightweight program. This is the current result, please tell me if you find a problem with it!

Please keep in mind that this only supports userland code execution inside the context of the Wii U web browser!

Supported versions:

• US 5.5.1
• US 5.5.0
• US 5.4.0
• US 5.3.2
• EU 5.5.1
• EU 5.5.0
• EU 5.4.0
• EU 5.3.2
• JP 5.5.1
• JP 5.4.0
• JP 5.3.2

Used exploits:

• stageFright, thanks Yellows8! (5.3.2, 5.4.0, 5.5.0, 5.5.1)

To run this execute "java -jar haxServer.jar" from the command line, in order for it to work you will need to provide the code and loaders for the server to serve; in payloads and loaders respectively. If you need to serve a normal file put it inside data. Then browse to "http://[pc ip]/[anything legal string]?codeName" to serve the correct payload for the Wii U's detected browser with "codeName.bin" as the payload that the loader will use.

Loaders:

Spoiler: Stagefright

In order to use the stagefright vuln you will need to compile the loader from here and name it "stagefright.bin" and place it in the loaders directory.

Keep in mind, this is beta; expect bugs and please report any you find, please no "it no work, you dumb" type posts. Logs or I can not help.

You will need java 8+ to run this.
Download, last updated on 5/4/2016

I recommend using this, makes development easier.

 

[cimmanonroll]

So, what really can run through this?

This looks great, by the way.

 

[gudenau]

So, what really can run through this?

This looks great, by the way.

Anything that works on the listed firmwares and is not to large.

 

[MrRean]

(could host the ELF loader to bypass the size limit)

 

[gudenau]

(could host the ELF loader to bypass the size limit)

That did just get finished, I'll add more direct support later.

 

[darrin41]

great job

 

[cimmanonroll]

Do you mean those small little homebrew apps that are a couple kb? Or are we talking the programs that people keep begging for IOSU over?

Either way, I just want to help somehow.

 

[NWPlayer123]

Do you mean those small little homebrew apps that are a couple kb? Or are we talking the programs that people keep begging for IOSU over?

Either way, I just want to help somehow.

There's not really any benefits to having kernel or IOSU if you're just making self-contained homebrew, you can do basically everything with just userspace, since that's all normal programs can access anyways. IOSU + something like redNAND is just a convenience since it's permanent and you can install titles instead of having reboot through the browser.

 

[cimmanonroll]

There's not really any benefits to having kernel or IOSU if you're just making self-contained homebrew, you can do basically everything with just userspace, since that's all normal programs can access anyways. IOSU + something like redNAND is just a convenience since it's permanent and you can install titles instead of having reboot through the browser.

So, basically, we can run the same programs as 5.3.2 users?
Regardless, I can't wait to see what other things will come out of this.

 

[NWPlayer123]

So, basically, we can run the same programs as 5.3.2 users?
Regardless, I can't wait to see what other things will come out of this.

With the ELF loader, yeah, the memory area of where things are actually changes very little between versions, there's 0x01800000-0x03800000 which is 32MB of JIT, for code, and then data all goes in the 0x10000000-0x50000000(?) area (depends on app, not sure about the browser), and the ELF loader will copy it to the same place. loadiine GX2, minus needing kernel, is a really good example, you can make a "custom" Wii U Menu with graphics and fonts and music and everything a normal app would.

 

[cimmanonroll]

With the ELF loader, yeah, the memory area of where things are actually changes very little between versions, there's 0x01800000-0x03800000 which is 32MB of JIT, for code, and then data all goes in the 0x10000000-0x50000000(?) area (depends on app, not sure about the browser), and the ELF loader will copy it to the same place. loadiine GX2, minus needing kernel, is a really good example, you can make a "custom" Wii U Menu with graphics and fonts and music and everything a normal app would.

That's great news! I'll be waiting for any progression on this ELF loader. <3

 

[Deleted User]

The .jar file doesnt work for me . ( i am on linux deepin )

 

[gudenau]

The .jar file doesnt work for me . ( i am on linux deepin )

What is the error?

 

[Deleted User]

What is the error?

peggy@peggy-pc:~/Téléchargements$ sudo java -jar HaxServer.2.jar
Mot de passe [sudo] de peggy :
Exception in thread "main" java.lang.UnsupportedClassVersionError: com/gudenau/haxserver/HaxServer : Unsupported major.minor version 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)

 

[gudenau]

peggy@peggy-pc:~/Téléchargements$ sudo java -jar HaxServer.2.jar
Mot de passe [sudo] de peggy :
Exception in thread "main" java.lang.UnsupportedClassVersionError: com/gudenau/haxserver/HaxServer : Unsupported major.minor version 52.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:482)

Looks like your Java is outdated.

 

[BullyWiiPlaza]

>java -jar HaxServer.2.jar
Could not bind port 80, are you using Skype?

I do use Skype but it's not running.

 

[gudenau]

>java -jar HaxServer.2.jar
Could not bind port 80, are you using Skype?

I do use Skype but it's not running so this is an issue.

If there anything bound to port 80?

 

[BullyWiiPlaza]

If there anything bound to port 80?

Nevermind, I was running WampServer still

 

[gudenau]

Nevermind, I was running WampServer still

I'll try to see if there is a way to get the executable that is bound at some point. Probably after I do a GUI.

 

[mustafag32g]

soo loadiine doesnt work on this ?