Just Curious... How do these exploits and Loadiine work, vaguely?

Discussion in 'Wii U - Hacking & Backup Loaders' started by CaiusGT, Feb 14, 2016.

  1. CaiusGT
    OP

    CaiusGT Member

    Newcomer
    21
    5
    Feb 11, 2016
    United States
    Title says it all lol, looking to hear it from someone who understands the concept and can relay it to me in a few idiot-proof sentences :)

    I think what confuses me the most is Loadiine, a program... is it running off a cloud lol?
    Thanks in advance for the light reading.
     
  2. WekkinsWiiU

    WekkinsWiiU GBAtemp Regular

    Member
    165
    48
    Feb 13, 2016
    United States
    Well it hacks into the Wii U and runs decrypted roms off the sd card ;p
     
  3. CaiusGT
    OP

    CaiusGT Member

    Newcomer
    21
    5
    Feb 11, 2016
    United States
    :D i know that much lol
     
  4. Garou

    Garou GBAtemp Advanced Fan

    Member
    534
    164
    Jan 13, 2015
    this is for the OSDriver explanation https://gbatemp.net/threads/osdriver-kernel-exploit-a-technical-description.395444/

    as for loadiine, pretty much like this
    you can read the source code if you want here https://github.com/dimok789/loadiine
     
    CaiusGT and sup3rgh0st like this.
  5. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    17,639
    8,221
    Oct 27, 2002
    France
    Engine room, learning
    it's running "off a cloud" because the exploit is in the browser application, and it can access the internet.
    if it was another application, you would be limited to its possible access (lan, sd, nand, mii, saves, etc.)
    being a vulnerability in the browser opens the door more easily, as you only need to load a file into memory by visiting a URL.

    The OSDriver above is only the second layer in the full exploit. It's the one which patches the kernel level access.
    Before that, you need to patch the user level access.

    see it like 3 walls around the main CPU functions: the IOS wall, the kernel wall and the user wall.
    the IOS is responsible for hardware access; it grants applications access to specific hardware based on their needs (sd, usb, network, gamepad, etc.)
    the kernel is responsible for memory access; it allows or blocks specific memory areas to prevent an application from accessing restricted memory and data.
    The user level is "all the other functions" an application can use to create the game/interface. A game doesn't need to manage the memory and the hardware, it only accesses what the IOS and kernel provide it. The user level is enough for a lot of applications and homebrew, like games, emulators, media players, etc.
    Then, there's the end user level: us, the players. We don't have access to functions, only to input/output (tv, gamepad, sometimes SD, sometimes network and internet)

    But you are limited in what the IOS or kernel lets you access.
    For example, loadiine is using Smash Bros as "host game" because it's one of the two disc based games (with Art Academy) which the IOS grants SD access.
    As the IOS exploit is not public yet, we can't edit the hardware rights and are limited in what we can access based on the "host" we are using.


    So, we come back to the browser exploit:
    The browser has network access granted by the IOS, so it's a thing we can use to break the first wall and get to the "user level" where we can run our own functions.
    The first wall vulnerabilities in the browser are: JSStringJoiner heap overflow (up to 5.3.2) and StageFright (up to 5.5.0 and I think still not patched in 5.5.1)
    http://wiiubrew.org/wiki/Exploits

    it's using an overflow vulnerability, which means that the program (the browser here) is not correctly checking the length of its variables when writing into memory, and if you write a bigger variable than expected, you are "overflowing" into another memory area/bank.
    by doing that, you can write a function in that area, and the browser will run it when it loads that area: the kernel provided that area to the browser, and the browser has user access allowing it to run "non kernel related" functions there.

    The function we are loading here is the "entry point" into loading another program: the payload (your homebrew).
    a tiny overflow lets you continue execution to other functions.


    This is the "user level" access. You can now run safe functions here. Safe functions are all the non-kernel functions, the ones not trying to access or modify the memory or file system.
    The issue here is that the browser has a limited memory area it can use to store your homebrew (a few KB), and if you need more memory you need to get kernel access to give the browser more memory!

    this is now the OSDriver's job.
    that exploit is explained in the link posted by Garou.
    That explanation is a lot more technical; it explains how it really works and not just the general idea.


    Like said above, the kernel level is needed to get more memory, but also to get access to file system functions (to rewrite and redirect access from NAND to SD, for loadiine or saviine), to access and edit the memory (TCPGecko), or to rewrite the read/write rights of each memory area (BAT).

    By using a vulnerability in the "kernel wall" the same way we exploited one in the "user wall", we can write functions at the kernel level and the kernel will run them for us.

     
    giga502, josamilu, CaiusGT and 4 others like this.
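Cyan's overflow paragraph above comes down to one missing check: a routine writes into a memory area without first verifying that what it writes fits. The C program below is an added illustration of that point from the defensive side; it is not Cyan's code, not Loadiine's, and not the browser's real JSStringJoiner. It is a small string joiner written the way a hardened one should be: it computes the exact size first (guarding the size arithmetic itself against wrap-around), refuses to write when the destination is too small, and only then copies. Every name in it (`join_checked`, the `demo_*` functions, `SAMPLE_PARTS`) and the sample inputs are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened string joiner (added example, not browser or Loadiine code).
 * Writes parts[0] sep parts[1] sep ... parts[count-1] into `out`, whose capacity
 * is `out_cap` bytes including the terminating NUL.
 * Returns the number of bytes written (excluding the NUL), or -1 when the result
 * would not fit. The size pre-check is exactly what an overflow bug omits:
 * without it, the copy loop keeps writing past the end of `out` into whatever
 * happens to live next to it in memory. */
int join_checked(char *out, size_t out_cap, const char *const *parts,
                 size_t count, const char *sep)
{
    size_t sep_len = strlen(sep);
    size_t need = 1;                       /* room for the terminating NUL */

    /* Pass 1: compute the exact size. size_t arithmetic wraps silently, so
     * guard each addition; a wrapped `need` would pass the capacity check
     * and turn into the very overflow we are trying to prevent. */
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(parts[i]);
        if (len > SIZE_MAX - need) return -1;
        need += len;
        if (i + 1 < count) {
            if (sep_len > SIZE_MAX - need) return -1;
            need += sep_len;
        }
    }
    /* Refuse outright rather than writing past the buffer. */
    if (need > out_cap || need - 1 > (size_t)INT_MAX) return -1;

    /* Pass 2: copy. Every write below stays inside [out, out + need). */
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(parts[i]);
        memcpy(out + pos, parts[i], len);
        pos += len;
        if (i + 1 < count) {
            memcpy(out + pos, sep, sep_len);
            pos += sep_len;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed sample input used by the demo functions below. */
static const char *const SAMPLE_PARTS[] = { "a", "bc", "def" };
#define SAMPLE_COUNT (sizeof SAMPLE_PARTS / sizeof SAMPLE_PARTS[0])

/* Joining into a 16-byte buffer: "a, bc, def" is 10 bytes plus NUL, so it fits. */
int demo_fits(void)
{
    char buf[16];
    return join_checked(buf, sizeof buf, SAMPLE_PARTS, SAMPLE_COUNT, ", ");
}

/* Same parts, same buffer, but a separator that pushes the total far past
 * 16 bytes: the checked joiner returns -1 instead of writing beyond buf. */
int demo_rejected(void)
{
    char buf[16];
    return join_checked(buf, sizeof buf, SAMPLE_PARTS, SAMPLE_COUNT,
                        " ---- long separator ---- ");
}

/* Returns 1 when an exact-fit join (capacity 11 = 10 bytes + NUL) produces
 * the expected string and leaves the bytes after it untouched: a sentinel
 * pattern written beforehand must survive. */
int demo_output_intact(void)
{
    char buf[16];
    memset(buf, 'X', sizeof buf);          /* sentinel pattern */
    int n = join_checked(buf, 11, SAMPLE_PARTS, SAMPLE_COUNT, ", ");
    return n == 10 && strcmp(buf, "a, bc, def") == 0
        && buf[11] == 'X' && buf[15] == 'X';
}

int main(void)
{
    printf("fits: %d\nrejected: %d\nintact: %d\n",
           demo_fits(), demo_rejected(), demo_output_intact());
    return 0;
}
```

The two-pass shape is the point: the unsafe variant Cyan describes is the same code with the first pass and the `need > out_cap` comparison deleted, and nothing else in it would stop the second loop at the end of the buffer.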
  6. FunThomas

    FunThomas GBAtemp Fan

    Member
    404
    82
    Jan 10, 2016
    Gambia, The
    real nice explanation :bow:
     
  7. isamudyson

    isamudyson Member

    Newcomer
    19
    5
    Jan 23, 2016
    Iceland
    I understood it all... There are still legitimate worries about the future of 5.5.x versions; those updates remain tightly linked to the availability of the IOSU exploit.
    Where is the so-expected exploit?
     
  8. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    17,639
    8,221
    Oct 27, 2002
    France
    Engine room, learning
    the exploit exists, and is used by developers who need it in order to give users something to use when it's released.
    Releasing the IOS exploit alone is not very useful to end users.
    Of course, releasing it will let more developers use it instead of the current limited circle.

    Seeing how the majority of the users here acted toward Hykem, it doesn't provide much will or interest to release it, only criticism and attacks.
    Like we say: don't bite the hand that feeds you.

    he is still working on it, just wait until it's released.
    It works on 5.5.0, and will still work on 5.5.0 in ten years. There's no rush in releasing it.
    just don't update if you want to use it one day. Wait patiently, it will be released when he decides it's time for a public release.

    IOS is not the only vulnerability and usable exploit.
    it's not because the "IOS exploit" exists that no more exploits will be found or released. See how the Stagefright exploit was released to 5.5.x users.
     
    CaiusGT likes this.
  9. NexoCube

    NexoCube stop using piracy :(

    Member
    1,184
    587
    Nov 3, 2015
    France
    Stack Pointer
    Maybe I should write a Loadiine Technical Explanation x)
     
  10. CaiusGT
    OP

    CaiusGT Member

    Newcomer
    21
    5
    Feb 11, 2016
    United States
    @Cyan and @Garou thanks for the explanations appreciate the time and effort :)

    Thanks again for the read! (feeling less noobish already lol)
     
    Last edited by CaiusGT, Feb 15, 2016
  11. link270

    link270 GBAtemp Regular

    Member
    116
    72
    Jul 15, 2009
    United States
    Thanks to everyone for the explanations! I am a college student working on my computer science degree and would love to be able to dive into some homebrew and coding for this type of thing in the nearish future, so the explanations are very interesting to read and to get into.

    Thanks!
     
  12. Dust2dust

    Dust2dust GBAtemp Advanced Fan

    Member
    598
    231
    Jun 17, 2010
    Canada
    The majority of users? Somehow, I find that hard to believe. Being a mod, Cyan, you can probably tell the total number of users on GBATemp, and then count how many users posted hostile comments toward Hykem. I'd be impressed if it reached even just 3%. People shouldn't let a minority of trolls represent the general consensus. I'm glad the thread in question is closed. Don't give a tribune to trolls.
     
  13. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    17,639
    8,221
    Oct 27, 2002
    France
    Engine room, learning
    I meant the majority of the users who posted.
    I was only referring to the active users who wrote comments in his thread and in the general wiiu hacking thread, about all the impatient users expecting a release and acting as if they deserved something.

    Of course there are good users waiting patiently, understanding his work, and I know there are a lot, some who never posted, or even some who don't even have an account here.
    the fact is that most (not all) posts that we notice the most often are the ones from impatient users asking again and again every week if 5.5.0 and IOS are released. It's just "noticed" because there are others too; we just got a lot of the same posts already answered, and users who don't read re-post the same thing. I didn't say there are no legit comments.
     
  14. supermalloch

    supermalloch GBAtemp Regular

    Member
    135
    68
    Apr 1, 2011
    A Sunken Pirate Ship
    So, also curious (maybe slightly off topic): what would need changing in the 5.3.2 JSStringJoiner heap overflow payload to make it work with 5.2? Just memory addresses? According to http://wiiubrew.org/wiki/Exploits the OSDriver race attack code should still work...?