Hacking Coding vWii 3-core support - everything you need to know.

  • Thread starter Thread starter Maxternal
  • Start date Start date
  • Views Views 242,119
  • Replies Replies 1,263
  • Likes Likes 13
The purpose of this Thread was 3 core linux.
The purpose of 3 core linux was getting the exploit so that 3 core linux could be used in wiiu mode (Specially the extra memory is needed for fluid linux)

So, are we (or someone with higher expertise) supposed to find the exploit in the wiiu webbrowser?
Comex told on 30C3 he found one he used to dump the data (not the code as the instruction bat wasn't setup)
I believe he also told that once Marcan got the keys, it made his work unneccessairy.
Didn't he mention that latest firmwares used a newer webkit codebase?
Could that mean that the exploit he initially used was patched?

Besides the webbrowser, another thing that can be exploitable are gamesaves.
As those are signed by the game itself, the key to sign them exists on the console.
Once their encryption key and signing key is known, they can be corrupted and perhaps used to run unsigned code.
As wiiu uses it's own cafe os, it's very well possible code execution isn't possible like that....
Remember on 30C3 that there was a code execution exception for the webbrowser to allow git execution....

This exploit possibly has been fixed by big N with the release of firmware 4.0. There's a thread on this board where someone already found the / an exploit within the Wii U's web browser:

http://gbatemp.net/index.php?threads/355308/
 
So condorstrike is someone who can make games with surprisingly good graphics but utterly trivial gameplay. On top of that he makes themes. Now that sounds like he's just got the right skillset to work on a homebrew SDK!
The right way to approach that is to create another wiki where no one of us hangs out to correct the crap this team writes. Obviously you need to includes ads. And preferably also a donation button.

(For those of you who don't get sarcasms: He might be a homebrew developer, but he clearly isn't capable of doing low-level SDK work yet)

Reversing is an art that takes years to master. I have been reversing since 2002 and still I am not master of all platforms.

You cannot just come and "do" something no matter how much you would want it. I was almost throwing my computer out of window on many occasions when I was younger and learning.

Also there is no school of reverse engineer as far as I know of. You just learn more and more tricks in your bag as the years go by when you are reversing all sort of different things for fun or for some company you are working for.

Finally someone who gets it :-) Wanna grab a beer sometime?

I want a log from irc #wiidevu chat. Anyone have it?

I only heard people say caw is cool. He does not seem arrogant. "We want experienced people involved" they say...then apparently talk garbage when somebody does show interest. Is caw horrible or what am I missing? Lol, again, I've seen that and other channels (different names and IP as well). Some must have the log. Copy/paste to me in pm please.


Shutup, Ray.
 
Comex essentially gave all the steps to find WebKit vulnerabilities. Yes the latest update has a newer version of WebKit, but it still has a few use after free vulnerabilities iirc.

Unfortunately web hacking is not exactly my strong suit so I have next to no idea as to how to actually leverage the exploits. I intend to do some research over the next month or so though.

In other news, I acquired a Wii U this holiday season and I intend to start doing some serious exploring. Hopefully wind waker HD only provides a minimal distraction.

-bravest
 
  • Like
Reactions: Maxternal
Haven't tested it, but does the WiiU have Flash and/or Java plugins? A lot of exploits/vulnerabilities lie in there. Apologize if this has already been thought of.
 
Going after web-based vulns shouldn't be your first priority, f0f made that pretty clear in their talk. You need to know what to do once you break out of webkit before you can do anything useful. Else you've just got a bunch of ways to crash the browser.
 
I hope a personable and talented individual/group will come along. I cannot figure out a benevolent reason to post on a site when one makes fun of members who are supposedly ignorant. This is "gbafail" and there is irc and other websites out there. I can see reasons for some people being comfortable in here. Anyone have actual news? Tweets made it seem caw is done now also.
 
Going after web-based vulns shouldn't be your first priority, f0f made that pretty clear in their talk. You need to know what to do once you break out of webkit before you can do anything useful. Else you've just got a bunch of ways to crash the browser.

Just a suggestion. I'm new to console hacking so while I know a bit on web hacking(if I do say so myself), I'm completely new to what comes after. All I can do is help locate vulnerabilities, I have no idea what you'd need to do to create an exploit after that.
 
Comex essentially gave all the steps to find WebKit vulnerabilities. Yes the latest update has a newer version of WebKit, but it still has a few use after free vulnerabilities iirc.

Unfortunately web hacking is not exactly my strong suit so I have next to no idea as to how to actually leverage the exploits. I intend to do some research over the next month or so though.

They said that WebKit was updated to the late 2012 version to be exact. Also they said that the bugs we're not allowed to see are more interesting.

Also here's an idea we should focus on one step at a time. This should be called the Current Focus Step. Where we all focus on the current step and do the same for next step after the last one's done. I hope Maxternal adds this to the starting post. By the way I haven't seen him in a while. I think he's away so he can get a Wii U. Also we're at 74% of progress. Does that mean Maxternal is 26% closer to getting a Wii U or are we 26% closer to getting homebrew on the Wii U?
 
  • Like
Reactions: Fpsrussia117
So you might find a bug in webkit that causes it to do something unexpected.
You think some magic will happen next?
You will need understanding of the running code on the system to find a way to convince it to run something unsigned.
That will require reverse engineering of that code which is a giant task.
One of the problems is the fact that it's a ppc architecture which is not used very frequently.
This might limit the number of interested experts.

So I would say we are getting 0.026% closer to running homebrew. I might even be optimistic.
 
Wasn't it possible to dump the keys from vWii mode via getting boot0? Or at least some of the keys?
 
Focussing on the current step is like walking down a road not knowing were it leads to.
So basically, we need a roadmap to define our steps first.

Some of us see the roadmap as:
1. Backup nand and Emmc so that it's possible to revert to older firmware
2. Find exploit in firmware
3. Use exploit to create backup loader.

This is pretty much the equivalent as taking a map of Europe and describing that you need to pass France to go from Brussels to Barcelona.
While it's totally correct, it's not very helpfull.

Team F0f presentation at 30C3 describes another roadmap. (The one they took)

- Create some hardware to allow bidirectional debugging (Lolserial, Ghettohci or GpioGecko)
- Lolserial is slow and only output direction like printf debug messages
- Ghettohci is bidirectional but still only 115200 baud
- GpioGecko needs an original Usb Gecko whicj is no longer in production
- Create software to get your debugging device going.
- Exploit vwii mode with the Wii exploit.
- Decrypt the Ancast files with the race attack and dump them.
- Reverse engineer those and see if anything usefull comes out of it.
- Use the soft reset method to obtain the PPC bootrom code.
- Reverse the PPC bootrom code to understand how it obtains it's keys
- Enable the EXI boot area to get the Wiiu boot 0 code
- Reverse the Wiiu boot 0 code and see if anything usefull comes out of it
- Use the hard reset drunken cat glitch to obtain the keys
- Dump the Emmc and dump the vWii and Wiiu nand parts.
- Examine the Emmc datasheets to figure out if there are read protected areas that might need a password to become accessible.
- Find some rich guy willing to sacrisfy his wiiu to check if restoring previous contents is possible.
- Check if downgrading the wiiu with that method is possible.
- Decrypt the dumps with the keys and try to figure out if there is a filing system and how it works so that you can separate files from the image
(no, photorec can't be used for that)
- Extract Cafe2Wii and reverse it to figure out the undocumented registers and bits that switch the system to wii compatibility code .
- Set up a webserver for testing existing bugs in webkit.
- Try to find and trigger some of those bugs. Try to figure out in webkit source what happens when they are triggered.
- Try to figure out if what happens could be used as an exploit.
- Find the Wiiu sdk and use it to create stuff. It might help in reversing code snippets and understanding executable file regions.
- Find a Wiiu devkit and reverse the system to figure out if it makes you any wiser.
(It's the easier (lazy) (faster) way. It's not a contest in beating Team F0f considering hacking skills.)
- ......
- ......

Is this one complete? Likely not.
Is it correct? Likeky not either.
Some of you more talented might even figure out something is missing that makes it a little of topic.
Hint: A step that was worked on for almost 9 months isn't in the picture.
 
  • Like
Reactions: pelago
Focussing on the current step is like walking down a road not knowing were it leads to.
So basically, we need a roadmap to define our steps first.

Some of us see the roadmap as:
1. Backup nand and Emmc so that it's possible to revert to older firmware
2. Find exploit in firmware
3. Use exploit to create backup loader.

This is pretty much the equivalent as taking a map of Europe and describing that you need to pass France to go from Brussels to Barcelona.
While it's totally correct, it's not very helpfull.

Fully agreed. This shows, that the most people have no clue what they're talking about, especially when their nicks is ... you know who I mean :rolleyes:
First priority should be to have a working tricore linux, so that we have a homebrew sdk.
 
I'm beginning to doubt that the Wii U will ever have homebrew of any kind. We just lack the skills and there's no existing way to gain them fast enough to matter, and finding someone who has interest and is capable of doing this is almost certainly impossible. GG, Nintendo wins. :(
 
Well this is classic scenario but many of us pro reverse engineers typically only work "If president would call, say you would get million dollars and say it was matter of national security".

The thing is myself, I code 8 hours at work monday-friday. Do you think I have interest in working on these things on my free time. There are some lower level reversers who have more time because they are at school or unemployed. They have time 24/7 to reverse like I did when I was younger.

These people are the heroes of homebrew community, they have the time and passion to learn and learn. In my age, you only care about money once you have broken so many protections that you can't even remember them all.

However if there was bitcoin donations for this kind of project, I would work on it for sure. That is if I didn't have to work on my current job anymore.
 
It's actually a lot easier:

Break some security like the Espresso bootrom? Lots of fun, quick rewards.

Write a fully fledged homebrew SDK and port Linux? Boooooooring as fuck, no rewards until you put in 3+ months of work or so.
 
  • Like
Reactions: obcd
For the people crying about Condorstrikes team "monetizing through ad's", that is not true, the "wiki" was created with Wikia, those ad's are forced upon people creating a Wiki on the site, you are using their servers for free, so have no say about the ad's they show.

So to sum it up for those who don't understand, Condor and his team, nor anyone who creates a wiki on Wikia see's any money from ad's.
 
Break some security like the Espresso bootrom? Lots of fun, quick rewards.

So the espresso bootrom code is running when the espresso is getting a proper hard reset...
It can be dumped by generating a soft reset after the cache got invalidated...
It likely is used for wiiu as well as vwii.
It's purpose is to check the ppc ancast binary hashes and to decrypt them.

Where does it come from?
Is it a part of the espresso chip or does it come from the eMMC or Nand?

I really have no idea at all how you could influence on it's security. Maybe I shoud try a roadmap for that....
 

Site & Scene News

Popular threads in this forum