Hacking Contenthax - a Vulnerability in Wii U File System Verification

Thread starter: VinsCool
Views: 186,427
Replies: 1,235
Likes: 43
I was talking about contenthax:
"The Wii U's data management system does not include provisions to validate the integrity of most title contents after installation. Any title contents using hash tables for verification (content type 0x0002 in tmd, using *.h3 files) are vulnerable. Generally, all contents are vulnerable apart from those in /code.
As such, any game or app's contents may be altered by attackers."

And I really know what I'm talking about
*sigh* *sigh* *sigh* *sigh*
I guess you don't know what you're talking about...
What we did before was replacing fs functions pointers so when a program would call fs functions, instead of calling system functions it would call our patched functions (a function hook) that would load files from network/sd instead of the mounted title partitions. But, when a title is started, title folders are checked and then mounted. To load files from that partitions though, the title uses fs functions that we patched (in a TEMPORARY WAY).
But contenthax is A LOT different as we're NOT patching functions. We're patching files in the "/content" folder that isn't completely checked when mounted, so that way we don't need to patch fs functions and we directly edit system files (so this way the edit is PERMANENT).
 
Because it's kinda the same thing.
I wasn't comparing anyway...

Think about it.
Cafiine wouldn't have worked without sig patches if the Wii U checked the hashes of the game files.
Isn't that what contenthax is? Replacing files because the Wii U doesn't check the hashes?

Except contenthax is a vulnerability.

What the fuck, Cafiine isn't the same thing at all

Haxchi contains ROP and .srl/.nds generation.
It has nothing to do with cafiine.

It was very hard to be able to exit the game and boot HBL; @FIX94 spent 11+ hours to make it work.
And the ROP gadget / pointer addresses are different for each game/region.

So, go and make NSMBUHax or stfu
 
Even if you weren't talking about the "technical" part of the sploit.
 
I give up.

You seem to not want to understand my point on purpose.
If you still think it's the same, think about how loadiine 1.0 handled the RPX files (not affected by the contenthax vulnerability).
Did you even look at the cafiine code and see how it works? I guess not.
 
lol my Contenthax HBL.
 
Guys, I don't understand... I did everything correctly, it changed the metas, name, images etc., but the exploit doesn't load Oo, just the normal game... Brain Age EUR... has this happened to someone?
 
Friends would see that you're playing "???" instead of your Custom Title, unfortunately. :(
Tried that with my Unity Game Demo.
I meant locally :p Invite friends to your house.

As for your friends list, yeah. Both people would need to have it installed so it shows the actual title and icon on the friends list.
 
For the billionth time, I'm talking about contenthax, not Haxchi.
Dude, Maschell is very knowledgeable in this area. I wouldn't doubt anything he says.
I know, I wouldn't doubt him either, so I'm confused ATM.
Hmm, then mind clearing that up for me? :rolleyes:

You see, if I have said something wrong, you could have at least corrected me instead of making fun.
 
Yeah, sorry :P I was talking about haxchi and had no clue why.
 
This is absolutely bullshit, I just bricked my Wii U yesterday by editing that damn system.xml.

So please, maybe the owner of the thread could add it to the main post?

(some people got it working on redNAND)
I'm just going by the first post. (I read you bricked)
coldboothax can be installed by downloading system.xml like so:

w.dl("/vol/system/config/system.xml")

modifying it, and then uploading it back:

w.up("system.xml", "/vol/system/config/system.xml")
 
It's already stated that someone could brick very easily with this.
 