Hacking IOSU exploit details released for pre-5.2 systems

[QuarkTheAwesome]

https://nwert.wordpress.com/2016/05/03/ioctlvhax/

Well, this will be interesting.

It's worth noting that this bug may still be exploitable on newer systems through the use of SysCall 0x2E, which changes the limit on the amount of vectors we can pass in. However, we need IOSU userland access to run it. And if we've already got IOSU userland access, what use is an exploit that gives us userland access? ;D

 

[Olmectron]

https://nwert.wordpress.com/2016/05/03/ioctlvhax/

Well, this will be interesting.

In fact. It reveals a way that could lead to exploitation even after the vector fix in 5.2.

 

[Intronaut]

The fun thing is almost every homebrew user is on 5.3.2-5.5.1. We need a way to donwgrade to 5.1.0

 

[QuarkTheAwesome]

In fact. It reveals a way that could lead to exploitation even after the vector fix in 5.2.

Syscall 0x2E, eh? It's funny that Nintendo added a call so we can re-enable a bug they think they fixed.

The fun thing is almost every homebrew user is on 5.3.2-5.5.1. We need a way to donwgrade to 5.1.0

Yeah, all those people saying that there's "no reason to no update to 5.3.2" are going to be embarrassed ;3

 

[davetheshrew]

perhaps they added a call so that they can re-enable when doing fw updates etc then repatch. It might be important so they noobishly 'fixed' a sploit to a function they need at times.

 

[leonmagnus99]

it would be nice if we could get the exploit stick permanent and maybe (rednand? /usbloader) ;-;

loading up the kexploit loadiine alone is so hassly, it works once out of 10 tries ( deleting cookies doesnt help ,its a matter of luck XD ) .

that aside, can the tubehax dns affect the hax somehow?

 

[Bug_Checker_]

When I posted this information 15 minutes before this thread was spawned, it was low key because of the fact there is much work to do.
I hope everyone keeps this in mind. It maybe closer to weeks and months for a true working final exploit rather than hours or days.

https://gbatemp.net/threads/wii-u-hacking-homebrew-discussion.367489/page-961#post-6311748

 

[lefthandsword]

It only gives you userland ROP on Starbuck, to gain full control you will need an iosu kernel exploit

 

[FenrirWolf]

I'm guessing IOSU doesn't have a handy "execute this code with kernel permissions" function like arm9 does for 3DS?

 

[andriy921]

and for permanent exploit you'll need a boot-time entrypoint

 

[lefthandsword]

Yeah, all those people saying that there's "no reason to no update to 5.3.2" are going to be embarrassed ;3

Yeah, you can notice the exploit without too much effort if you compare the code diff between 5.1 and 5.2+ OSv10 (some 3DS sysmodule vulns were found this way)

 

[Net-KILLER]

Syscall 0x2E, eh? It's funny that Nintendo added a call so we can re-enable a bug they think they fixed.



Yeah, all those people saying that there's "no reason to no update to 5.3.2" are going to be embarrassed ;3

Well I updated from 5.0.0 to 5.3.2 a few months ago.
If I can't use iosu now it's ok for me.
Loadiine and the others tools were worth it.

 

[SirByte]

and for permanent exploit you'll need a boot-time entrypoint

No you don't, my o3DS firmware 4.1.0U is working right fine with a 10.7.0U EmuNAND. That's all you need; an exploitable firmware to gain access which you can keep perpetually, but you need to be able to run a RedNAND/EmuNAND which means you need both Kernel and IOSU exploits.

 

[andriy921]

No you don't, my o3DS firmware 4.1.0U is working right fine with a 10.7.0U EmuNAND. That's all you need; an exploitable firmware to gain access which you can keep perpetually, but you need to be able to run a RedNAND/EmuNAND which means you need both Kernel and IOSU exploits.

You didn't understand what he means by permanent.

 

[QuarkTheAwesome]

Worth noting that the syscall mentioned in the article is an IOSU call (set_device_state to be specific) which we can only access from the IOSU.
To sum up, this is an exploit that allows us to access IOSU userland that was patched. We can unpatch it with Syscall 0x2E but that is only accessible from IOSU userland, which we don't have, but this exploit will give us, but needs Syscall 0x2E, which needs IOSU userland, which we don't have...

At least <5.2 users can be happy.