Could this be exploitable?

Discussion in 'Wii U - Hacking & Backup Loaders' started by CosmoCortney, Sep 23, 2014.

  1. CosmoCortney (OP)
    Hi,
    I've found a way to turn off the music/make the game unable to load the music. I simply inserted an SD card into a card reader and plugged the card reader into my Wii U. Then I moved a game to the SD card and started it. While in a stage I removed the SD card to have a look at what would happen. Surprisingly the game was running quite well. But very soon the music turned off (no more data in the buffer/cache). Funny but nothing meaningful.
    But as I cleared the stage the game pseudo-froze. As soon as I reinserted the SD card the game continued running. I can also insert another SD card to make the console load foreign data (I could see this because the card reader's LED was blinking). But it logically crashed the system.
    My idea was to use this to read/run any unsigned code. Unfortunately I don't have enough hacking experience to guess whether this could be exploitable or not.
    Well, if not, then please never mind.

    Here's a video where the game pseudo-freezes unless I reinsert the SD card (go to 07:01)
     
  2. yusuo
    I'll come out and say that I'm also no expert, but I don't think this will result in much, purely for the fact that I used to do this with the Wii as well as the PS2, and the flashing light only means it's trying to read the next logical part of the data, regardless of whether it exists or not.

    I could be wrong however and I kinda hope I am.

    Thanks for contributing though, all it takes is one little crash to swing those doors wide open.
     
  3. B4rtj4h
    Funny that it restarted the game when you reinserted the game SD.
    Makes you wonder what would happen if you edited some files and reinserted the game :P
     
  4. FPSRussi4
    That sounds a lot like taking the disc out of a PS2 Slim while it's running. Then again, that led to the game swap trick, so it does have potential. I agree with yusuo, it sounds like it was just reading the next logical part of the data, but again, the PS2 laser worked in the same way, and we got an exploit out of it. So I hope to see something out of this. Are you on 5.1.2?
     
  5. CosmoCortney (OP)
    Nope.
    I'm on 4.0.2
     
  6. FPSRussi4
    Well, there's already an exploit for that firmware; if someone could replicate this using current firmware, that would be good.
     
  7. CosmoCortney (OP)

    Yes, I had the same thought. But I am afraid I'd miss out on anything useful if I update to the latest FW :(
     
  8. Kippykip
    Wasn't the web browser the only way for kernel control or something?
     
  9. FPSRussi4
    I'm in the same boat, I'm on the most recent firmware that can still be exploited.
     
  10. duffmmann

    This kinda makes me think of the original Twilight Hack. In a game where you save your character's name, perhaps you give it a normal name, take out the SD card, put in another SD card with the same game on it but with the save data hacked to have a name much too long for the game to handle, forcing a code dump when you talk to someone who says your name.

    I dunno, I'm not well versed in this stuff, but it seems like if this really works, then maybe that could do it.
     
  11. NWPlayer123
    You're thinking of that whole discussion on NX (No Execute), but that only applies to the current exploit method (running code in memory); there are definitely other ways to do it.
     
  12. FPSRussi4
    How so? All you did was copy over a save from the SD to SysMenu, and it worked by causing a buffer overflow, that's correct. Seeing as they had the game on the SD, took it out and tried to replace it with another SD card, it's a lot more like disc swapping. If you took out the SD with the game and inserted the same game with modified code, without the system recognizing it, this could work.
     
  13. VinsCool
    That is really interesting :) If that led to an exploit, that would be awesome!
     
  14. WulfyStylez
    USB storage would need to be exploited before this would be useful. Also, since we're still able to use webkit exploits, there's no real reason to develop an exploit that would take much more time to develop and affect much fewer people.
     
  15. FPSRussi4
    /thread
     
  16. duffmmann

    I just meant it could be similar in how you could use it to exploit it. In the Twilight Hack, Epona's name had been changed to be too long; perhaps a similar method could be used here. I'm well aware that the method of making such an exploit happen would differ, but the way it causes a buffer overflow in game could be similar, that's all.
     
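The overlong-name buffer overflow duffmmann describes, as an added C example that is not code from this thread or from any game: a constructed save-record layout (NAME_MAX, player_t, load_name_unchecked and load_name_checked are all assumptions made here) with the trusting loader beside a bounded one that rejects the save instead of overrunning the name field.

```c
#include <stdint.h>
#include <string.h>
/* Constructed save-record layout (an assumption, not a real game's format):
 * byte 0 = stored name length, bytes 1.. = name. Untrusted: swapped SD card. */
#define NAME_MAX 8
typedef struct {
    char name[NAME_MAX + 1];   /* fixed in-game name field, NUL-terminated */
    uint32_t flags;            /* neighbouring field an overrun would clobber */
} player_t;

/* 'Before': trusts the length byte, so length > NAME_MAX writes past name[]
 * (the defect the thread describes). Contrast only; not run on untrusted data. */
void load_name_unchecked(player_t *p, const uint8_t *rec)
{
    size_t n = rec[0];              /* attacker-chosen count */
    memcpy(p->name, rec + 1, n);    /* no bound against NAME_MAX */
    p->name[n] = '\0';
}

/* 'After': the length must fit both buffer and record, otherwise reject the
 * save outright (-2 overlong, -1 truncated) instead of silently truncating. */
int load_name_checked(player_t *p, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    if (n > NAME_MAX) return -2;
    if (rec_len < 1 + n) return -1;
    memcpy(p->name, rec + 1, n);
    p->name[n] = '\0';
    return 0;
}

/* Benign constructed record: returns 0 iff "Epona" loads and flags survive. */
int demo_benign(void)
{
    player_t p = { "", 0xC0FFEE };
    const uint8_t rec[] = { 5, 'E', 'p', 'o', 'n', 'a' };
    if (load_name_checked(&p, rec, sizeof rec) != 0) return -1;
    return (strcmp(p.name, "Epona") == 0 && p.flags == 0xC0FFEE) ? 0 : -1;
}

/* Overlong constructed record (length 40 into a 9-byte field): rejected, -2. */
int demo_overlong(void)
{
    player_t p = { "", 0 };
    uint8_t rec[41];
    memset(rec, 'A', sizeof rec);
    rec[0] = 40;
    return load_name_checked(&p, rec, sizeof rec);
}
```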
  17. FPSRussi4
    That's fair, I agree. I wonder what game it was.
     
  18. CosmoCortney (OP)
    I have found something new. I swapped the SD card while in the menu. But the icons of the games stored on the previous SD card were still being displayed. So I told the console to launch one of those games. Then the console tried to install an update (which failed because my Wii U isn't online); I have no idea why. Then, if I go to the Memory and USB storage manager, the console partly crashes. There was an error message displayed. I could still use the scrollbar even though the rest of the system crashed.
    So... this way allows us to insert an unformatted SD card without the Wii U asking to format it. In the USB storage manager it also tries to read data from it.
     
  19. The_Frag_Man
    This sounds like it has some potential. Thanks for posting about it.
     
  20. gudenau
    That is pretty undefined behavior; I'll give it a good 20%.