Hacking [idea] Browser downgrading

Thread starter: asper | Views: 3,566 | Replies: 28

asper

I just extracted my slc (Wii U sysnand) dumps from 5.5.1 and 5.5.2 looking for something that manages the installed titles' version check; I found that in slc\sys\security\ there are 2 files:

digest.bin
versions.bin

The 1st file contains 80 ASCII bytes: the 1st 32 are different between 5.5.1 and 5.5.2;
versions.bin contains all the available titles' versions (DLC seems to be excluded) in this 16-byte format (example):

00050000101087000000FFFF00000010

8 bytes titleID
2 bytes unknown (seems to be always 0000)
4 bytes unknown (may change)
2 bytes: it seems that if there is an update this is the latest update title version (stored in hex, need to convert that value to decimal to see the same version listed here)
2 bytes: it seems that if there is no update this is the latest title version (stored in hex, need to convert that value to decimal to see the same version listed here); if there is an update it should be 0000 but there are some exceptions: YouTube and Netflix are respectively 00C100C1 and 00B000B0: the version number is in both locations.

Is there a way to verify if this is the file used by the system to check the installed title versions, and to see if "tampering" with it may cause a brick? (no hardmod to test).
 
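As an added illustration (not code from the thread or from anyone posting in it), here is a small Python parser for the record layout described in the post, so the hex versions can be read as the decimal numbers the title list shows, and two dumps (say 5.5.1 and 5.5.2) can be diffed. One caveat the post itself does not address: its field list adds up to 8 + 2 + 4 + 2 + 2 = 18 bytes, but the example record is 16 bytes, so this parser assumes the "4 bytes unknown" field is actually 2 bytes wide; the second record and its title ID are constructed placeholders, not real entries.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# versions.bin records as described in the post: 16 bytes each, big-endian.
# The post lists 8 + 2 + 4 + 2 + 2 = 18 bytes of fields, which does not fit the
# 16-byte example record, so this parser ASSUMES the "4 bytes unknown" field is
# really 2 bytes wide: 8 titleID | 2 unknown | 2 unknown | 2 update ver | 2 title ver.
RECORD_SIZE = 16
RECORD_FMT = ">QHHHH"  # assumed field widths, see comment above


@dataclass(frozen=True)
class TitleVersionRecord:
    title_id: int
    unknown_a: int        # 2 bytes, "seems to be always 0000"
    unknown_b: int        # 2 bytes, "may change" (width assumed, see above)
    update_version: int   # latest update version when an update exists
    title_version: int    # latest title version when no update exists

    @property
    def latest_version(self) -> int:
        # Per the post: if an update exists the update field carries the version and
        # the title field is usually 0000; otherwise the title field carries it.
        # YouTube/Netflix carry the same value in both, which this rule also handles.
        return self.update_version or self.title_version


def parse_record(raw: bytes) -> TitleVersionRecord:
    if len(raw) != RECORD_SIZE:
        raise ValueError(f"record must be {RECORD_SIZE} bytes, got {len(raw)}")
    title_id, unk_a, unk_b, upd, ver = struct.unpack(RECORD_FMT, raw)
    return TitleVersionRecord(title_id, unk_a, unk_b, upd, ver)


def parse_versions_bin(data: bytes) -> List[TitleVersionRecord]:
    # Reject a truncated image instead of silently dropping a partial trailing record.
    if len(data) % RECORD_SIZE != 0:
        raise ValueError(f"length {len(data)} is not a multiple of {RECORD_SIZE}")
    return [parse_record(data[i:i + RECORD_SIZE])
            for i in range(0, len(data), RECORD_SIZE)]


def diff_versions(old: bytes, new: bytes) -> Dict[int, Tuple[int, int]]:
    """Titles whose latest version differs between two dumps (e.g. 5.5.1 vs 5.5.2).

    Returns {title_id: (old_latest, new_latest)}; a title present in only one
    dump is reported with 0 on the side where it is missing.
    """
    old_map = {r.title_id: r.latest_version for r in parse_versions_bin(old)}
    new_map = {r.title_id: r.latest_version for r in parse_versions_bin(new)}
    changed: Dict[int, Tuple[int, int]] = {}
    for tid in old_map.keys() | new_map.keys():
        o, n = old_map.get(tid, 0), new_map.get(tid, 0)
        if o != n:
            changed[tid] = (o, n)
    return changed


def describe(rec: TitleVersionRecord) -> str:
    return (f"{rec.title_id:016X}: update=v{rec.update_version} "
            f"title=v{rec.title_version} latest=v{rec.latest_version}")


# Constructed sample images: the record quoted in the post, plus one record with a
# placeholder title ID (not a real one) showing the "version in both fields" pattern.
SAMPLE_OLD = bytes.fromhex(
    "00050000101087000000FFFF00000010"   # from the post: title v16, no update
    "00050000AAAAAAAA0000FFFF00C100C1"   # placeholder ID, v193 in both fields
)
SAMPLE_NEW = bytes.fromhex(
    "00050000101087000000FFFF00120000"   # same title, now an update to v18 (constructed)
    "00050000AAAAAAAA0000FFFF00C100C1"
)

if __name__ == "__main__":
    for rec in parse_versions_bin(SAMPLE_OLD):
        print(describe(rec))
    for tid, (o, n) in sorted(diff_versions(SAMPLE_OLD, SAMPLE_NEW).items()):
        print(f"{tid:016X}: v{o} -> v{n}")
```

Run against a real dump as `parse_versions_bin(open("versions.bin", "rb").read())`; if the length check fails, the 16-byte assumption (or the dump) is wrong, which is exactly the kind of thing to settle before trusting any field interpretation.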
.bin files shouldn't be sigchecked
(btw, MCP has some cool functions to handle versions, if you understand ARM ASM you can disassemble the IOSU image and look for those methods in IOS-MCP)
 
If the file is checked offline you can edit it and install a lower browser version if this is the "seed" of the version check.
This system checks the version in the tmd of every title before launching and if it's lower than what it expects it requests a game/system update.
I bet this file is updated very often.

This would be only useful if you could stop this file from being updated.
 
It would prompt update of the browser, but who cares? You can still launch apps without updating. Right?
 
nope, I'm pretty sure it would request a system update, locking you out of the eshop. It would download the new browser in the background and install it by force.

Of course you could avoid that by blocking updates with a DNS but then you could just keep your console on 5.5.1.
 
What a pain in the ass. F Nintendo.
 
If you need access to Wii U file system to do this, how would this be helpful? If someone is on 5.5.2, they'd need iosuhax for this to work, right? Which would mean they need an entrypoint, which was the browser. If they already have full access to their system, their system is modded and they don't need the lower version browser.
 
I think people wanted to restore the browser as an option in case they needed to remove Haxchi for whatever reason. They just want to undo the damage that 5.5.2 did, if that makes sense.
I know a lot of people who were inadvertently updated that would prefer to have the exploitable browser even if they have Haxchi.
 
afaik, the system can't check the integrity of system files. I read something about this on wiiubrew, so it may be as simple as overwriting the files. does the browser contain a ticket?
 
Yeah, the browser has a ticket just like all other apps.

While the system doesn't check the integrity of EVERYTHING, the filesystem has its quirks like owners and permissions and ftpiiu can't handle that properly yet.

If you change something in a way the system doesn't like, you may break everything and you won't be able to undo it without a hardmod.
 
I tried deleting new browser files and installing old. It just froze on the browser screen.
With ftpiiu, if you delete files and add new ones I think it won't work anywhere because the new files will have wrong permissions/users/whatever.
You should try to let ftpiiu replace them automatically, overwriting the original files. I think that keeps the original metadata (or at least some of it)
 
tried that too
 
What a pain in the ass. F Nintendo.
Yeah, what a bunch of assholes. How dare they protect their products (using protect loosely cause they suck shit at doing it). Honestly they should just send a copy of everything they produce to every address in the world for free.
 
maybe there's a way to create a channel for the old browser, like the channels created for flappy bird, Wup Installer, etc.. ??
 