Contenthax - a Vulnerability in Wii U File System Verification

Discussion in 'Wii U - Hacking & Backup Loaders' started by VinsCool, Nov 7, 2016.

  1. VinsCool (OP)

    VinsCool Comfortably Numb

    Member
    GBAtemp Patron
    Jan 7, 2014
    Canada
    Another World
    Contenthax
    [EDIT from December 25th: This thread is now obsolete, please look at official posts made by FIX94]

    Haxchi


    Haxchi 2.0 has been released by FIX94!
    It now comes with its own installer and does not need iosuhax, wupclient or any additional scripts anymore, just your Wii U, a DS VC game and a way to run the homebrew launcher.
    If you happen to have a DS VC title that is listed in this readme then go ahead and grab both haxchi .elf and .zip from here:
    https://github.com/FIX94/haxchi/releases
    The .elf goes into sd:/wiiu/apps and the .zip should just be extracted to sd:/haxchi with all its contents inside. That content right now just consists of a simple replacement icon, logo and game title ("Haxchi"); its example config.txt will boot the homebrew launcher by default and a fw.img on your SD card when holding A. The content of this haxchi folder can be changed to your liking; if you want to, you can also add an alternative bootSound.btsnd to replace the original, which I did not do in this example haxchi folder.
    After setting up the content to your liking all you have to do is run the haxchi .elf in homebrew launcher, select the game you want to install it on and that is it!
    Please note, this will ONLY WORK WITH GAMES ON NAND. If you have a game on USB you want to use, then please move it to your NAND first and ideally detach your USB device before using this installer .elf.


    haxchi demonstration from a console booting a hacked Brain Age Virtual Console game (thanks @FIX94 for the video)




    Haxchi is an exploit for the Nintendo DS Virtual Console emulator on Wii U (hachihachi). It was originally made for Kirby Squeak Squad. Theoretically, all DS Virtual Console games can be exploited. It is possible due to "contenthax", a vulnerability in the Wii U's title integrity design: only code and critical descriptors are signed, with all other contents left at the mercy of attackers. This can be exploited simply by asking IOSU to copy over files in /content/ directories on either MLC or USB. contenthax can also be exploited from PowerPC userland by using the MCP_CopyTitle command (not all processes have access, but for example Home Menu and System Settings have it). As there is no integrity data for that content, CopyTitle cannot validate the malicious content and will therefore happily copy it from SD card to MLC or USB if asked.

    It is likely that virtually all apps can be exploited in some way through contenthax, due to developers being less likely to program defensively against content that they should be the only ones to have control over. The Nintendo DS Virtual Console app was selected for this exploit because it has the ability to dynamically emit executable code. As a nice bonus, hachihachi includes symbols for its code. Haxchi exploits a bug in the emulator's ROM loader, and basically gets it to perform arbitrary memcpy operations. From there, achieving code execution is trivial given that there is no ASLR in place.

    Note that haxchi was smea's first time doing PPC ROP so... yeah


    Credit

    smea, plutoo, yellows8, naehrwert, derrek, FIX94 and dimok



    Custom TGA files for nicer icons and splashscreens can be found here:
    https://filetrip.net/dl?AoRl1jO1KU

    The install process is similar to the ROM upload using IOSUHAX and wupclient.py.

    -----------------------------------------------------------------------

    Yellows8 added information regarding contenthax for N64 Virtual Console games on WiiUbrew!

    N64 VC contenthax
    Present in system versions: N/A

    Publicly exploited: No

    Discovered by: yellows8 (Early 2016)

    The Wii U N64 VC emulator title ("VESSEL") has two known vulns which can be attacked via contenthax. These vulns were tested on hardware, but actual exploitation wasn't tested.

    Note that this title can only write to codegen (JIT) via OSCodegenCopy(), unlike other titles.

    Currently this is the only known VC platform (N64) which is affected by any of these VESSEL vulns (not all platforms were checked for this).

    The .ini loading occurs much earlier during title boot than the font loading. These vulns (or at least the .ini one) trigger while the system is still displaying the application splash screen (from the title's meta/ directory).

    • Stack buffer overflow when handling BMFont "pages". The entire block is copied to stack using just the size, without checking the size. The loaded data is not checked either, other than converting uppercase to lowercase ('A'..'Z' to 'a'..'z'). This string is used with sprintf + PNG texture loading afterwards.
    • Heap buffer overflow during .ini parsing with field-data string starting with '"'. The allocated heap buffer is 0x100 bytes, but the size is not checked when copying the value string into this buffer. During copying/etc. this string content is not checked/modified, besides checking for the end of the string with '"'. For example: HAX = "LONGSTRINGHERE"
    Source: https://wiiubrew.org/w/index.php?title=Exploits

    I personally attempted to understand N64 VC vulnerabilities. Apart from replicable crashes and some minor memory manipulation, nothing of value has come out of it. Feel free to contact me if you are interested, because I am not very experienced in this sort of thing :)
     
    Last edited by VinsCool, Dec 25, 2016
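
    The following is an added example, not code from this thread, from VESSEL, or from smea, FIX94 or yellows8 (VESSEL's parser internals are not public). It models the two bug classes yellows8 describes above in C: an .ini value parser that copies a '"'-delimited value into a fixed 0x100-byte heap buffer with no length check (the vulnerable shape, as assumed from the description), beside a bounded version that requires the closing quote and rejects values that would not fit; and a bounded loader for the BMFont "pages" block that validates the block's size field against both the input and the destination before copying and lowercases only 'A'..'Z'. The BMFont block layout used here (1-byte type, 4-byte little-endian size, type 3 = pages as NUL-terminated names) is the standard binary format; the buffer capacities, the function names and the `HAX = "AAAA..."` line are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INI_VALUE_CAP 0x100   /* the 0x100-byte heap buffer wiiubrew names */
#define BMF_PAGES_CAP 0x100   /* assumed capacity of the pages stack buffer */

/* Vulnerable shape (assumed, modelled on the wiiubrew description):
 * after the opening '"', copy until the closing '"' into a fixed
 * 0x100-byte heap buffer with no length check. Returns a malloc'd
 * string or NULL. Only call with values shorter than INI_VALUE_CAP. */
char *ini_value_unchecked(const char *line)
{
    const char *p = strchr(line, '"');
    if (!p) return NULL;
    p++;
    char *buf = malloc(INI_VALUE_CAP);
    if (!buf) return NULL;
    size_t i = 0;
    while (p[i] && p[i] != '"') {  /* BUG: never tests i < INI_VALUE_CAP */
        buf[i] = p[i];
        i++;
    }
    buf[i] = '\0';
    return buf;
}

/* Bytes the unchecked loop would write (value length plus NUL), so the
 * overflow condition can be shown without actually corrupting the heap. */
size_t ini_value_unchecked_write_len(const char *line)
{
    const char *p = strchr(line, '"');
    if (!p) return 0;
    p++;
    const char *end = strchr(p, '"');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    return len + 1;
}

/* Hardened: the closing quote is required and the value must fit in the
 * caller's buffer, NUL included. Returns the value length or -1. */
int ini_value_checked(const char *line, char *out, size_t out_cap)
{
    const char *p = strchr(line, '"');
    if (!p || out_cap == 0) return -1;
    p++;
    const char *end = strchr(p, '"');
    if (!end) return -1;              /* unterminated value */
    size_t len = (size_t)(end - p);
    if (len >= out_cap) return -1;    /* would overflow: reject, do not truncate silently */
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Builds `HAX = "AAAA..."` with value_len A's (constructed test input). */
int build_ini_line(char *dst, size_t cap, size_t value_len)
{
    if (cap < value_len + 10) return -1;
    size_t n = (size_t)snprintf(dst, cap, "HAX = \"");
    memset(dst + n, 'A', value_len);
    dst[n + value_len] = '"';
    dst[n + value_len + 1] = '\0';
    return 0;
}

/* BMFont binary block: 1-byte type, 4-byte little-endian size, then data.
 * Type 3 is "pages": NUL-terminated texture file names. The size field is
 * validated against both the input length and the destination before
 * anything is copied; only 'A'..'Z' are lowercased, as in the original. */
int bmf_pages_checked(const uint8_t *blk, size_t blk_len, char *out, size_t out_cap)
{
    if (blk_len < 5 || blk[0] != 3) return -1;
    uint32_t size = (uint32_t)blk[1] | ((uint32_t)blk[2] << 8) |
                    ((uint32_t)blk[3] << 16) | ((uint32_t)blk[4] << 24);
    if (size > blk_len - 5) return -1;          /* claims more data than present */
    if (size == 0 || size > out_cap) return -1; /* would overflow the stack buffer */
    if (blk[5 + size - 1] != '\0') return -1;   /* last name must be terminated */
    for (uint32_t i = 0; i < size; i++) {
        uint8_t c = blk[5 + i];
        out[i] = (c >= 'A' && c <= 'Z') ? (char)(c + ('a' - 'A')) : (char)c;
    }
    return (int)size;
}

int main(void)
{
    char line[0x300], val[INI_VALUE_CAP];
    build_ini_line(line, sizeof line, 0x180);
    printf("unchecked parser would write %zu bytes into a %d-byte buffer\n",
           ini_value_unchecked_write_len(line), INI_VALUE_CAP);
    printf("checked parser returns %d for that line\n",
           ini_value_checked(line, val, sizeof val));
    return 0;
}
```

    The hardened functions reject oversize input instead of truncating it, because a silently truncated page name or .ini value would still flow into the sprintf + PNG loading path the wiiubrew note mentions; failing the load is the safer outcome for content the title is supposed to be the sole author of.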


  2. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    Jan 11, 2016
    Japan
    Finally <3~
  3. Wishi

    Wishi Rareware Gamer

    Member
    Nov 24, 2015
    Mexico
    NOTE: it is very easy to brick a wii u by messing with this file, so don't do it unless you really know what you're doing.

    Well nothing to do here
     
  4. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    Jan 11, 2016
    Japan
    this isn't for the general user, more those with hardmods.. if you didn't realise sooner.
     
  5. fatsquirrel

    fatsquirrel GBAtemp Advanced Maniac

    Member
    Nov 11, 2013
    I read through this but still something is bugging me: do we need a legit VC DS game from the eShop?
    Or does it simply use IOSU for that execution?
  6. iAqua

    iAqua GBAtemp Addict

    Member
    GBAtemp Patron
    Dec 7, 2015
    Antarctica
    Brick wave incoming... glhf nerds.
     
    Last edited by iAqua, Nov 11, 2016
  7. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    Jan 11, 2016
    Japan
    "so don't do it unless you really know what you're doing."
  8. DeslotlCL

    DeslotlCL GBAtemp's official dragon look-alike axolotl

    Member
    Oct 28, 2015
    Chile
    under your bed
    It's always nice to see new stuff from developers! Thanks smea (even if it isn't for the end user)
     
  9. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    Jan 11, 2016
    Japan
    probably not in its current state but maybe eventually.
     
  10. Masterwin

    Masterwin GBAtemp Regular

    Member
    Jan 7, 2016
    yeah!!!
  11. DeslotlCL

    DeslotlCL GBAtemp's official dragon look-alike axolotl

    Member
    Oct 28, 2015
    Chile
    under your bed
    I know, let's just wait patiently and see what happens :)
  12. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    Jan 11, 2016
    Japan
    Master! :3
  13. xtheman

    xtheman GBAtemp Guru

    Member
    Jan 28, 2016
    United States
    Good thing I bought Mario Kart DS over the DLC.
     
  14. Masterwin

    Masterwin GBAtemp Regular

    Member
    Jan 7, 2016
    00050000-101A5700 Kirby™: Mouse Attack EUR
    00050000-101A5600 Kirby™ Squeak Squad USA

    XD
     
  15. xtheman

    xtheman GBAtemp Guru

    Member
    Jan 28, 2016
    United States
    I think it is only referring to system.xml editing. Not installing the hack.
  16. Kohmei

    Kohmei GBAtemp Advanced Fan

    Member
    Feb 17, 2013
    United States
    Does this lead to a boot time exploit?
     
  17. iAqua

    iAqua GBAtemp Addict

    Member
    GBAtemp Patron
    Dec 7, 2015
    Antarctica
    Yes.
  18. proflayton123

    proflayton123 Undeclared Shitposter 2.1

    Member
    Jan 11, 2016
    Japan
    Like arm9loaderhax for 3DS? Or similar, I'm not sure. I'm thinking more coldboothax + redNAND? Oo
     
  19. Kohmei

    Kohmei GBAtemp Advanced Fan

    Member
    Feb 17, 2013
    United States
    So it might be a good idea to buy up a DS VC game? Which is the cheapest? :ninja:
     
  20. kprovost7314

    kprovost7314 GBAtemp's Official Bara Master

    Member
    Dec 24, 2014
    United States
    In that bara manga ( ͡° ͜ʖ ͡°)
    Brain Age.