Going forward with 5.5.2 - What You Need to Know

Discussion in 'Wii U - Homebrew' started by QuarkTheAwesome, Jul 22, 2017.

  1. QuarkTheAwesome

    QuarkTheAwesome Working for Hugs

    Apr 19, 2015
    Stuck in the PowerPC
    Hey all!

    It's been a little while since 5.5.2 came out now, and while everything's settled down from my point of view I'm still seeing a lot of misinformation flying around. I figured I'd try to clear the air a bit and lay out what we know, what's being worked on and what you can do about it.

    The Update
    Let's start off with the update itself. Released on the 17th of June, software version 5.5.2 changed the Internet Browser, the AOC Overlay application and ErrEula. This was a big deal for homebrew since the updates to the Internet Browser fixed browserhax, the exploit that many were using to start running homebrew code. The changes to the other titles were largely inconsequential for our purposes.

    You'll notice that it didn't change any IOSU-side code; which means that flaws in that section of the OS are still there. No changes were made to title verification, which means haxchi and wupinstaller still work exactly as before. No addresses changed, so existing CFWs work without issue. Additionally, all our exploits (other than browserhax) still work. CBHC also still works.

    All of these have been verified by several people. If you're having problems after the update, you should ask for help in the relevant thread. Keep in mind that there may not be much you can do until another entrypoint is found; but it never hurts to ask.

    If you haven't updated yet, you can choose to take the update or avoid it, depending on your situation. There are numerous threads already on ways to handle both pathways, so I won't reiterate here. One thing that is worth noting is that online play still works fine on 5.5.1, and the firmware can be spoofed for eShop access.

    DIY Exploits
    Since browserhax's patching sank in, some of you have started coming forward with ideas for new exploits that we could use. This is awesome, and it's been great (and vaguely humbling) to see ideas suggesting the exact thing I was looking into before reading them! That said, some of you need some more information for your ideas to be helpful. Please don't see this as discouragement! With a bit of background knowledge, your ideas are likely to be helpful and constructive, and avoid the ridicule that these things so often get. Let's get into it.
    • Reading isn't controlling - Several applications on the Wii U get data from locations that we control - places like the Internet or the SD card. This doesn't necessarily mean that the code managing this is exploitable. Yes, it may be, but it isn't automatic. As an example, several applications read and write JPEG images to the SD. They'll either use a custom Nintendo library or the open source libjpeg-turbo to do this. While we can't know about the Nintendo library, libjpeg-turbo has only ever had two vulnerabilities serious enough for a CVE; neither of which achieve actual code execution. Thus, it's probably a waste of our time to try and blindly exploit this code that's been thoroughly checked by people trying to exploit it on PCs.
    • Console-specific keys are everywhere - The USB and internal storage connected to a console are encrypted with a key from the OTP. This means that in order to read these drives, you need an OTP dump from the exact console that did the encryption. This is impossible for people on 5.5.2 to get hold of unless they dumped it before updating or currently have Haxchi installed. You can't share USBs between consoles, and PCs can only read them with programs still under development (more on that later).
    • Don't withhold information - This isn't really about the Wii U itself - when you do end up bringing your idea forward, how you present it is important. If you make an entire thread about your idea, it's expected that you'll provide details, lest you be seen as faking it or crying for attention. We're all working together here, so there's no need to be secretive. Don't worry about being technical - there are people here who will understand, and those who don't simply won't read the tough bits. Stating that you've found a 'sploit without any other information is a one-way ticket to ragetown.
    I'll add more things to this list as I think of them, and I'm open to suggestions.

    What's being done, and what can I do?

    Here's a quick recap of the things I've noticed that are happening in the search for an entrypoint, with a few ideas for what you could do mixed in. This is just what I've seen, so if there's other stuff then please let me know.
    • Good Ol' WebKit - WebKit is the engine powering the Internet Browser. It's a complex mess, and Nintendo are terrible at keeping it up to date. Thus, there are plenty of bugs (well-documented by PC security researchers) that are ripe for the picking. At this point, I know of at least three people who are working away at WebKit flaws - there's this guy, who's been running the tests that the WebKit developers write to check for bugs (something you can try too!); there's someone who hasn't publicly said anything looking at Pegasus (of PegaSwitch fame) with promising results; and a third person who can't say anything (and thus I won't either). If you want to play with WebKit, have a look at the link posted by OP in that thread I just showed - it should have all you need to start looking for bugs.
    • Other outdated things, mainly libpng - This is where I've been looking. WebKit isn't the only thing that goes without updates - the vast majority of the libraries Nintendo use are several years old. I've been deducing which versions of its libraries the console uses and looking up their CVEs. There have been a few small leads. I've been posting updates on Twitter (link in my sig) but as a TL;DR, I'm currently on the lookout for any information about Sm4sh's use of PNGs (the screenshots are JPEGs). I'm also trying to figure out what the WebKit embedded into the Crunchyroll app is used for. Is there a browser hiding in there? If you can help with either of these things, please do!
    • Haxchi as a Primary Entrypoint - This one's interesting - lots of ideas around on installing Haxchi without another exploit to run the installer with. These ideas involve things like modifying USB storage or system transfers. I hinted before that Wii U USB drives can actually be read from a PC - here's where that's being worked on. The implications in that post are a bit hard to read, but it seems to me that actually modifying a file is a while off yet. Even so, it's promising stuff; allowing any console with an OTP dump to install Haxchi no matter what Nintendo does in future.

    Cool stuff, eh? Even if none of this appeals to you, you can still help out. Thrash through theories, look up CVEs (rule of thumb: if it's marked as Code Exec and higher than 7.5, it's good), follow what your devs are doing and offer support where you can. We can do this, and it'll be awesome. Shall we get started?

    (This post's content was last updated on the 22nd of July 2017. This stuff gets old quick, so keep in mind that this may be outdated by the time you read it.)
  2. pwsincd

    pwsincd Garage Flower

    Dec 4, 2011
    Manchester UK
    Nice post, QTA.
  3. Boss69

    Boss69 Advanced Member

    Jul 6, 2017
    United States
    Well, I'm toast. I didn't get HaxChi when I was on 5.5.1. My brother left the console on after he was done playing Super Mario 3D World and it auto-updated. ;(
  4. Isakill

    Isakill Newbie

    Mar 28, 2017
    United States
    Just a question, but if I go to factory reset my Wii, will it go back to 5.5.1? I'm doubting the answer will be favorable.

    My daughter watching Netflix this morning let me know, after the Wii U USB Helper let me know, of an update.
    Last edited by Isakill, Jul 22, 2017
  5. TheTechGenius

    TheTechGenius </Web Dev>

    Apr 7, 2017
    United States
    Nope. It will just reset your settings and things like that, the firmware version won't change.
  6. Powerful

    Powerful GBAtemp Regular

    Dec 7, 2016
    United States
    I need some help figuring out this issue I have. I believe I have an odd error on my part, or they patched something else. This only has to do with redNAND. I have CBHC on my sysNAND, and redNAND hooked up with Mocha CFW. Both were on 5.5.1 since the exploit and homebrew apps were released. My setup was completely fine until I updated to 5.5.2. My CBHC still works perfectly, my redNAND boots up fine, but Mocha CFW no longer gives me patches on redNAND after updating my sysNAND to 5.5.2. I did update my redNAND to 5.5.2 from 5.5.1, and this made no difference; it was when I updated my sysNAND that this problem occurred. I restored my redNAND as well, and messed with Mocha over and over, but still no luck. Please let me know if Mocha CFW redNAND patching no longer works.
  7. JonahRinberg

    JonahRinberg Idiot

    Dec 18, 2016
    United States
    The Homebrew Ocean
    I'm so glad more entry points are being found. So many games I want to play but can't. Keep up the great work!
  8. Viri

    Viri GBAtemp Maniac

    Sep 13, 2009
    United States
    Hah, I actually thought of removing the DNS from my Wii U due to being annoyed at the DNS sometimes going down. I figured, "eh, Nintendo has abandoned the console, they'll never update it"! Boy was I wrong; thank god I kept the DNS.
  9. pastini

    pastini Newbie

    Jul 19, 2017
    Amazing post! It's nice to see someone taking care of informing the masses lol, keep it updated please!
  10. TheZander

    TheZander member

    Feb 1, 2008
    United States
    Hey, at the risk of being a tad overbearing with this, do you know if you can update from 5.3.2 to 5.5.1, where haxchi will work? A game update won't work because (I think) I installed the version bin with wupinstaller to 5.5.2.
  11. TheTechGenius

    TheTechGenius </Web Dev>

    Apr 7, 2017
    United States
    To update to 5.5.1, you must have a physical copy of one of the games that have the 5.5.1 update on the disc, such as Zelda Breath of the Wild.

    Check out Kafluke's Noob Guide for a list of the games that have the 5.5.1 update. The game cannot be a downloaded/digital copy.
  12. Giodude

    Giodude GBAtemp's official rock

    May 17, 2015
    United States
    New York
    So if CBHC is installed, literally nothing changed?
  13. Don Jon

    Don Jon GBAtemp Advanced Fan

    Nov 20, 2015
    United States
    No worries, I'm sure the lying clown will pop up anytime soon and save the day...
    BTW, I'm on 5.5.1.
  14. TheZander

    TheZander member

    Feb 1, 2008
    United States
    Yep, I got a 5.5.1 game but it won't prompt; I think partly because the console is spoofed to 5.5.2.
  15. TylerSwage

    TylerSwage Member

    Jun 22, 2016
    United States
    Seattle, WA
    (@QuarkTheAwesome) I have an idea here: https://gbatemp.net/threads/idea-for-wii-u-5-5-2-exploit.478401/
    Last edited by TylerSwage, Jul 23, 2017
  16. tivu100

    tivu100 GBAtemp Addict

    Jun 6, 2015
    United States
    Exploits don't work like that. I meant there needs to be an error with the Wii U so we can "exploit" it. A bugged Mii on 3DS doesn't mean it's still bugged on Wii U. Let's have an example: the YouTube app on 3DS was an entry point. The Wii U YouTube app was not any kind of exploit. Tubehax DNS can be used on both 3DS and Wii U.

    The point is we need to find any bug on Wii U. Then developers may look into that to see whether that bug can possibly be an entry point.

    I am not saying there is no Mii bug (remember we can re-enter the Homebrew Launcher from Mii Maker, so it is possible), just saying there needs to be a bug to begin with. You can't make an entry point from thin air, or developers would have created a CBHC alternative with a free app instead of a paid app.
    Last edited by tivu100, Jul 23, 2017
  17. raphamotta

    raphamotta GBAtemp Fan

    Jul 12, 2013
    What's the AOC Overlay application?
  18. Coc4tm

    Coc4tm WIP Nintendo hacker.

    Feb 12, 2016
    Add-On Content
    That's the DLC buying menu on some games like MK8.
  19. Valery0p

    Valery0p GBAtemp Regular

    Jan 16, 2017
    Thanks! I was searching this everywhere...
    @QuarkTheAwesome, do you know if unlegit DLC works on 5.5.2?
  20. Bobcivil86

    Bobcivil86 Newbie

    Jul 23, 2017
    United States
    So to be clear, the virtual Wii won't be a help even if that has homebrew. I also assume that connecting a 3DS that is hacked won't work (through the Smash 4 control scheme).