Hacking Coding vWii 3-core support - everything you need to know.

nitr8

The purpose of this thread was 3-core Linux.
The purpose of 3-core Linux was getting the exploit so that 3-core Linux could be used in Wii U mode (especially the extra memory is needed for fluid Linux).

So, are we (or someone with higher expertise) supposed to find the exploit in the Wii U web browser?
Comex told on 30C3 he found one he used to dump the data (not the code, as the instruction BAT wasn't set up).
I believe he also told that once Marcan got the keys, it made his work unnecessary.
Didn't he mention that the latest firmwares used a newer WebKit codebase?
Could that mean that the exploit he initially used was patched?

Besides the web browser, another thing that can be exploitable are game saves.
As those are signed by the game itself, the key to sign them exists on the console.
Once their encryption key and signing key are known, they can be corrupted and perhaps used to run unsigned code.
As the Wii U uses its own Cafe OS, it's very well possible code execution isn't possible like that....
Remember on 30C3 that there was a code execution exception for the web browser to allow JIT execution....

This exploit possibly has been fixed by big N with the release of firmware 4.0. There's a thread on this board where someone already found the / an exploit within the Wii U's web browser:

http://gbatemp.net/index.php?threads/355308/
 

sven42

So condorstrike is someone who can make games with surprisingly good graphics but utterly trivial gameplay. On top of that he makes themes. Now that sounds like he's just got the right skillset to work on a homebrew SDK!
The right way to approach that is to create another wiki where none of us hangs out to correct the crap this team writes. Obviously you need to include ads. And preferably also a donation button.

(For those of you who don't get sarcasm: He might be a homebrew developer, but he clearly isn't capable of doing low-level SDK work yet)

Reversing is an art that takes years to master. I have been reversing since 2002 and still I am not a master of all platforms.

You cannot just come and "do" something no matter how much you would want it. I was almost throwing my computer out of the window on many occasions when I was younger and learning.

Also there is no school of reverse engineering as far as I know of. You just learn more and more tricks in your bag as the years go by when you are reversing all sorts of different things for fun or for some company you are working for.

Finally someone who gets it :-) Wanna grab a beer sometime?

I want a log from irc #wiidevu chat. Anyone have it?

I only heard people say caw is cool. He does not seem arrogant. "We want experienced people involved" they say...then apparently talk garbage when somebody does show interest. Is caw horrible or what am I missing? Lol, again, I've seen that and other channels (different names and IP as well). Some must have the log. Copy/paste to me in pm please.


Shutup, Ray.
 

bravest

Comex essentially gave all the steps to find WebKit vulnerabilities. Yes the latest update has a newer version of WebKit, but it still has a few use after free vulnerabilities iirc.

Unfortunately web hacking is not exactly my strong suit so I have next to no idea as to how to actually leverage the exploits. I intend to do some research over the next month or so though.

In other news, I acquired a Wii U this holiday season and I intend to start doing some serious exploring. Hopefully wind waker HD only provides a minimal distraction.

-bravest
 

FPSRussi4

Haven't tested it, but does the Wii U have Flash and/or Java plugins? A lot of exploits/vulnerabilities lie in there. Apologies if this has already been thought of.
 

WulfyStylez

Going after web-based vulns shouldn't be your first priority, f0f made that pretty clear in their talk. You need to know what to do once you break out of webkit before you can do anything useful. Else you've just got a bunch of ways to crash the browser.
 

Ray Lewis

I hope a personable and talented individual/group will come along. I cannot figure out a benevolent reason to post on a site when one makes fun of members who are supposedly ignorant. This is "gbafail" and there is irc and other websites out there. I can see reasons for some people being comfortable in here. Anyone have actual news? Tweets made it seem caw is done now also.
 

FPSRussi4

Going after web-based vulns shouldn't be your first priority, f0f made that pretty clear in their talk. You need to know what to do once you break out of webkit before you can do anything useful. Else you've just got a bunch of ways to crash the browser.

Just a suggestion. I'm new to console hacking, so while I know a bit about web hacking (if I do say so myself), I'm completely new to what comes after. All I can do is help locate vulnerabilities; I have no idea what you'd need to do to create an exploit after that.
 

Pogostick

Comex essentially gave all the steps to find WebKit vulnerabilities. Yes the latest update has a newer version of WebKit, but it still has a few use after free vulnerabilities iirc.

Unfortunately web hacking is not exactly my strong suit so I have next to no idea as to how to actually leverage the exploits. I intend to do some research over the next month or so though.

They said that WebKit was updated to the late 2012 version to be exact. Also they said that the bugs we're not allowed to see are more interesting.

Also here's an idea we should focus on one step at a time. This should be called the Current Focus Step. Where we all focus on the current step and do the same for next step after the last one's done. I hope Maxternal adds this to the starting post. By the way I haven't seen him in a while. I think he's away so he can get a Wii U. Also we're at 74% of progress. Does that mean Maxternal is 26% closer to getting a Wii U or are we 26% closer to getting homebrew on the Wii U?
 

obcd

So you might find a bug in webkit that causes it to do something unexpected.
You think some magic will happen next?
You will need understanding of the running code on the system to find a way to convince it to run something unsigned.
That will require reverse engineering of that code which is a giant task.
One of the problems is the fact that it's a PPC architecture, which is not used very frequently.
This might limit the number of interested experts.

So I would say we are getting 0.026% closer to running homebrew. I might even be optimistic.
 

obcd

Focusing on the current step is like walking down a road not knowing where it leads to.
So basically, we need a roadmap to define our steps first.

Some of us see the roadmap as:
1. Back up NAND and eMMC so that it's possible to revert to older firmware
2. Find exploit in firmware
3. Use exploit to create backup loader.

This is pretty much the equivalent of taking a map of Europe and describing that you need to pass France to go from Brussels to Barcelona.
While it's totally correct, it's not very helpful.

Team F0f's presentation at 30C3 describes another roadmap. (The one they took)

- Create some hardware to allow bidirectional debugging (Lolserial, Ghettohci or GpioGecko)
- Lolserial is slow and only output direction, like printf debug messages
- Ghettohci is bidirectional but still only 115200 baud
- GpioGecko needs an original USB Gecko, which is no longer in production
- Create software to get your debugging device going.
- Exploit vWii mode with the Wii exploit.
- Decrypt the Ancast files with the race attack and dump them.
- Reverse engineer those and see if anything useful comes out of it.
- Use the soft reset method to obtain the PPC bootrom code.
- Reverse the PPC bootrom code to understand how it obtains its keys
- Enable the EXI boot area to get the Wii U boot0 code
- Reverse the Wii U boot0 code and see if anything useful comes out of it
- Use the hard reset drunken cat glitch to obtain the keys
- Dump the eMMC and dump the vWii and Wii U NAND parts.
- Examine the eMMC datasheets to figure out if there are read-protected areas that might need a password to become accessible.
- Find some rich guy willing to sacrifice his Wii U to check if restoring previous contents is possible.
- Check if downgrading the Wii U with that method is possible.
- Decrypt the dumps with the keys and try to figure out if there is a file system and how it works, so that you can separate files from the image
(no, photorec can't be used for that)
- Extract Cafe2Wii and reverse it to figure out the undocumented registers and bits that switch the system to Wii compatibility code.
- Set up a webserver for testing existing bugs in WebKit.
- Try to find and trigger some of those bugs. Try to figure out in the WebKit source what happens when they are triggered.
- Try to figure out if what happens could be used as an exploit.
- Find the Wii U SDK and use it to create stuff. It might help in reversing code snippets and understanding executable file regions.
- Find a Wii U devkit and reverse the system to figure out if it makes you any wiser.
(It's the easier (lazy) (faster) way. It's not a contest in beating Team F0f considering hacking skills.)
- ......
- ......

Is this one complete? Likely not.
Is it correct? Likely not either.
Some of you more talented might even figure out something is missing that makes it a little off topic.
Hint: A step that was worked on for almost 9 months isn't in the picture.
 

JiggyEyeJoe

Focusing on the current step is like walking down a road not knowing where it leads to.
So basically, we need a roadmap to define our steps first.

Some of us see the roadmap as:
1. Back up NAND and eMMC so that it's possible to revert to older firmware
2. Find exploit in firmware
3. Use exploit to create backup loader.

This is pretty much the equivalent of taking a map of Europe and describing that you need to pass France to go from Brussels to Barcelona.
While it's totally correct, it's not very helpful.

Fully agreed. This shows that most people have no clue what they're talking about, especially when their nick is ... you know who I mean :rolleyes:
First priority should be to have a working tricore Linux, so that we have a homebrew SDK.
 

Kargaroc

I'm beginning to doubt that the Wii U will ever have homebrew of any kind. We just lack the skills and there's no existing way to gain them fast enough to matter, and finding someone who has interest and is capable of doing this is almost certainly impossible. GG, Nintendo wins. :(
 

Jackalus

Well, this is a classic scenario, but many of us pro reverse engineers typically only work "if the president would call, say you would get a million dollars and say it was a matter of national security".

The thing is, myself, I code 8 hours at work Monday-Friday. Do you think I have interest in working on these things in my free time? There are some lower-level reversers who have more time because they are at school or unemployed. They have time 24/7 to reverse, like I did when I was younger.

These people are the heroes of homebrew community, they have the time and passion to learn and learn. In my age, you only care about money once you have broken so many protections that you can't even remember them all.

However if there was bitcoin donations for this kind of project, I would work on it for sure. That is if I didn't have to work on my current job anymore.
 

sven42

It's actually a lot easier:

Break some security like the Espresso bootrom? Lots of fun, quick rewards.

Write a fully fledged homebrew SDK and port Linux? Boooooooring as fuck, no rewards until you put in 3+ months of work or so.
 

GregoryRasputin

For the people crying about Condorstrike's team "monetizing through ads", that is not true: the "wiki" was created with Wikia, those ads are forced upon people creating a wiki on the site, you are using their servers for free, so you have no say about the ads they show.

So to sum it up for those who don't understand: neither Condor and his team, nor anyone who creates a wiki on Wikia, sees any money from ads.
 

obcd

Break some security like the Espresso bootrom? Lots of fun, quick rewards.

So the Espresso bootrom code is running when the Espresso is getting a proper hard reset...
It can be dumped by generating a soft reset after the cache got invalidated...
It likely is used for Wii U as well as vWii.
Its purpose is to check the PPC ancast binary hashes and to decrypt them.

Where does it come from?
Is it a part of the Espresso chip or does it come from the eMMC or NAND?

I really have no idea at all how you could influence its security. Maybe I should try a roadmap for that....
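As an added illustration of the verify-then-decrypt stage the post above attributes to the bootrom, and of the point made earlier in the thread that a save signed with a key present on the console can be re-signed by anyone who extracts that key, here is a small Python model. It is not code from the thread, from Team F0f or from Nintendo: the image layout, the key values and the SHA-256 counter keystream standing in for a real block cipher are all constructed for this example, and the real ancast format is not documented on this page.

```python
import hashlib
import hmac
import struct

# Constructed toy image layout (NOT the real Ancast layout, which this page does not document):
#   magic(4) | payload_len(4, big-endian) | mac(32) | ciphertext(payload_len)
MAGIC = b"TOYI"
HEADER = struct.Struct(">4sI32s")


class ImageRejected(Exception):
    """Raised when a boot image fails any check before decryption."""


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a stand-in for a real cipher; constructed for the example.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac(mac_key: bytes, magic: bytes, length: int, ciphertext: bytes) -> bytes:
    # The MAC covers the header fields too, so a length or magic change is also detected.
    return hmac.new(mac_key, magic + length.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()


def build_image(payload: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Signer side: encrypt, then MAC the encrypted image (encrypt-then-MAC)."""
    ciphertext = _xor(payload, _keystream(enc_key, len(payload)))
    return HEADER.pack(MAGIC, len(ciphertext), _mac(mac_key, MAGIC, len(ciphertext), ciphertext)) + ciphertext


def load_image(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Loader side: structural checks, then MAC check, and only then decryption."""
    if len(blob) < HEADER.size:
        raise ImageRejected("short header")
    magic, length, mac = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ImageRejected("bad magic")
    ciphertext = blob[HEADER.size:]
    if len(ciphertext) != length:
        raise ImageRejected("length mismatch")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(mac, _mac(mac_key, magic, length, ciphertext)):
        raise ImageRejected("MAC mismatch")
    # The encryption key is used only after the image has been authenticated.
    return _xor(ciphertext, _keystream(enc_key, length))


def demo() -> tuple:
    """Returns (genuine image accepted, tampered image rejected) for constructed inputs."""
    enc_key = bytes(range(32))        # constructed sample key
    mac_key = bytes(range(32, 64))    # constructed sample key
    payload = b"constructed PPC payload for the example"
    image = build_image(payload, enc_key, mac_key)
    accepted = load_image(image, enc_key, mac_key) == payload

    tampered = bytearray(image)
    tampered[-1] ^= 0x01              # flip one ciphertext bit
    try:
        load_image(bytes(tampered), enc_key, mac_key)
        rejected = False
    except ImageRejected:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print("accepted genuine, rejected tampered:", demo())
```

The loader checks the MAC over header and ciphertext before it touches the encryption key and rejects the image on any mismatch; `demo()` flips a single ciphertext bit and expects rejection. Because HMAC generation and verification use the same key, whoever holds the verification key can also produce images that pass, which is exactly the concern the thread raises for game saves signed with a key that lives on the console: such a key must not be extractable, or the check must use a signature scheme whose signing key never leaves the signer.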
 
