IOSU exploit details released for pre-5.2 systems

Discussion in 'Wii U - Hacking & Backup Loaders' started by QuarkTheAwesome, May 3, 2016.

  1. QuarkTheAwesome (OP)
    https://nwert.wordpress.com/2016/05/03/ioctlvhax/

    Well, this will be interesting.

    It's worth noting that this bug may still be exploitable on newer systems through the use of SysCall 0x2E, which changes the limit on the amount of vectors we can pass in. However, we need IOSU userland access to run it. And if we've already got IOSU userland access, what use is an exploit that gives us userland access? ;D
     
    Last edited by QuarkTheAwesome, May 4, 2016
  2. Olmectron
  3. Intronaut
    The fun thing is almost every homebrew user is on 5.3.2-5.5.1. We need a way to downgrade to 5.1.0.
     
  4. QuarkTheAwesome (OP)
    Syscall 0x2E, eh? It's funny that Nintendo added a call so we can re-enable a bug they think they fixed.

    Yeah, all those people saying that there's "no reason to not update to 5.3.2" are going to be embarrassed ;3
     
  5. davetheshrew
    Perhaps they added a call so that they can re-enable it when doing fw updates etc. and then repatch. It might be important, so they noobishly 'fixed' a sploit in a function they need at times.
     
  6. leonmagnus99
    It would be nice if we could get the exploit to stick permanently and maybe (rednand? /usbloader) ;-;

    Loading up the kexploit loadiine alone is such a hassle; it works once out of 10 tries (deleting cookies doesn't help, it's a matter of luck XD).

    That aside, can the tubehax DNS affect the hax somehow?
     
  7. Bug_Checker_
  8. lefthandsword
    It only gives you userland ROP on Starbuck; to gain full control you will need an IOSU kernel exploit.
     
  9. FenrirWolf
    I'm guessing IOSU doesn't have a handy "execute this code with kernel permissions" function like arm9 does for 3DS?
     
  10. andriy921
    And for a permanent exploit you'll need a boot-time entrypoint.
     
  11. lefthandsword
    Yeah, you can spot the exploit without too much effort if you compare the code diff between 5.1 and 5.2+ OSv10 (some 3DS sysmodule vulns were found this way).
     
  12. Net-KILLER
    Well, I updated from 5.0.0 to 5.3.2 a few months ago.
    If I can't use IOSU now, it's OK for me.
    Loadiine and the other tools were worth it.
     
  13. SirByte
    No, you don't; my o3DS on firmware 4.1.0U is working just fine with a 10.7.0U EmuNAND. That's all you need: an exploitable firmware to gain access, which you can keep perpetually. But you need to be able to run a RedNAND/EmuNAND, which means you need both kernel and IOSU exploits.
     
    Last edited by SirByte, May 4, 2016 - Reason: typo
  14. andriy921
    You didn't understand what he means by permanent.
     
  15. QuarkTheAwesome (OP)
    Worth noting that the syscall mentioned in the article is an IOSU call (set_device_state, to be specific) which we can only access from the IOSU.
    To sum up, this is an exploit that allows us to access IOSU userland, and it was patched. We can unpatch it with Syscall 0x2E, but that is only accessible from IOSU userland, which we don't have, but which this exploit would give us, but it needs Syscall 0x2E, which needs IOSU userland, which we don't have...

    At least <5.2 users can be happy.
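The point raised in the first post and again in post 15 (a limit on how many vectors a caller may pass, which a privileged state-changing call can raise again, bringing the masked bug back) reduces to one defensive rule: the count must be bounded by the real capacity of the destination buffer, not only by an adjustable policy value. The C model below is an added example written for this page; it is not IOSU code, does not reproduce the ioctlvhax bug, and the `iovec_t` layout, the capacity of 8, the policy limit and every function name are constructed assumptions. It shows the weak check (policy only) beside the hardened one (policy plus capacity, checked before any size arithmetic) and a helper a reviewer could use to confirm the overflow path is unreachable under any policy setting.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of an ioctlv-style request: an array of (address, length)
 * vectors plus a caller-supplied count. Hypothetical, not the IOSU layout. */
typedef struct {
    uint32_t addr;
    uint32_t len;
} iovec_t;

/* Fixed capacity of the handler's scratch table (constructed value). */
#define VEC_TABLE_CAP 8u

typedef struct {
    iovec_t  vec[VEC_TABLE_CAP];
    uint32_t used;
} vec_table_t;

/* Runtime policy limit that a privileged "set state" call may raise or lower.
 * Stands in for the kind of adjustable limit the thread talks about. */
static uint32_t g_vec_limit = 4;

void set_vec_limit(uint32_t n) { g_vec_limit = n; }
uint32_t get_vec_limit(void) { return g_vec_limit; }

/* "Before": the only bound is the adjustable policy limit. Raising the limit
 * above VEC_TABLE_CAP lets through a count the table cannot hold.
 * Returns 0 if the count would be accepted, -1 if rejected by policy. */
int validate_count_weak(uint32_t count) {
    if (count > g_vec_limit) return -1;
    return 0;
}

/* "After": the destination capacity is checked independently of policy and
 * before any size arithmetic, so count * sizeof(iovec_t) cannot wrap.
 * Returns 0 if accepted, -1 if rejected by policy, -2 if over capacity. */
int validate_count_safe(uint32_t count) {
    if (count > g_vec_limit) return -1;
    if (count > VEC_TABLE_CAP) return -2;
    return 0;
}

/* Copies vectors into the table only after the hardened validation passes. */
int accept_vectors_safe(vec_table_t *t, const iovec_t *in, uint32_t count) {
    int rc = validate_count_safe(count);
    if (rc != 0) return rc;
    memcpy(t->vec, in, (size_t)count * sizeof(iovec_t));
    t->used = count;
    return 0;
}

/* Returns 1 if the weak check would pass a count exceeding the table capacity
 * under the current policy limit, i.e. the overflow path is reachable. */
int weak_check_exposes_overflow(uint32_t count) {
    return validate_count_weak(count) == 0 && count > VEC_TABLE_CAP;
}

int main(void) {
    /* Constructed request of three vectors. */
    iovec_t req[3] = { {0x1000u, 16u}, {0x2000u, 32u}, {0x3000u, 64u} };
    vec_table_t table;
    memset(&table, 0, sizeof table);

    set_vec_limit(4);
    printf("limit=%u count=12: weak=%d safe=%d\n", get_vec_limit(),
           validate_count_weak(12), validate_count_safe(12));

    set_vec_limit(16);  /* policy raised above the table capacity */
    printf("limit=%u count=12: weak=%d safe=%d overflow-reachable(weak)=%d\n",
           get_vec_limit(), validate_count_weak(12), validate_count_safe(12),
           weak_check_exposes_overflow(12));

    printf("accept 3 vectors: rc=%d used=%u\n",
           accept_vectors_safe(&table, req, 3), table.used);
    return 0;
}
```

With the policy limit at 4 both checks reject a count of 12; once the limit is raised to 16 the weak check accepts it while the table still only holds 8 entries, which is exactly the situation where a "fix" that only lowers a tunable limit is undone by the call that tunes it. The hardened check rejects with -2 regardless of policy.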