Hacking Mario Kart 8 Mods


Bug_Checker_

Yes, I know that. But to port the browser exploit from 4.1->5.0 we need the 5.0 binaries.

I have the 4.1 binaries which were used to create the ROP chain:
ZQ6F84L.png


If Chadderz releases his exploit this will allow us to start working on reverse engineering the system and develop an IOS exploit to gain access to the starbuck kernel where all the common keys are located. When we get the common keys we can decrypt the 5.0 binaries (the ones shown in the picture above, except for version 5.0) and port the exploits over to 5.0.

If I'm not clear enough, this is our current exploitation vector:

  1. Wii U browser "use after free" memory exploit using heap spray
  2. ROP chain in JIT code execution area to bypass Address Space Layout Randomization
  3. Chadderz kernel exploit to escalate privilege level to gain access to the espresso kernel (Everything is theoretically possible on 4.1 now. The Wii U's security is toast).
  4. IOS exploit to gain access to the starbuck kernel
  5. Dump wii u common keys from starbuck
  6. Decrypt 5.0 binaries from the Nintendo CDN
  7. Port all exploits over to 5.0
  8. Disable signature verification checks in CafeOS
  9. Reverse engineer CafeOS to understand how to package our own channels
  10. Create homebrew loader channel (which will require some home-aid libs for SD storage loading etc.)
  11. Continue work on developing Wii U libs and documentation.

So where did the access to those original elfs:
Account Settings
Internet Browser
Nintendo TVii
Nintendo eShop
Miiverse
come from?

A ramdump?
Something that can be duplicated?
Were they posted somewhere?
 

Relys

Yes, but the server uses HTTPS.


Doesn't matter, you still can grab the files. HTTPS has nothing to do with their encryption method. They are encrypted with the Wii U common key. The hash can be found in f0f's initial blog post: https://fail0verflow.com/blog/2014/console-hacking-2013-omake.html

How was the original ROP chain developed in the first place? Guess and check, MITM RAM, reversing the binary somehow?


Reversing the Webkit Binary for 4.1 and the Eshop binary from 4.1 for the 4.0.x port (Mario told me this). He built the ROP chain manually by looking at the binaries.

So where did the access to those original elfs:
Account Settings
Internet Browser
Nintendo TVii
Nintendo eShop
Miiverse
come from?

A ramdump?
Something that can be duplicated?
Were they posted somewhere?


They are still 0-day. They were downloaded from Nintendo's CDN (you can download them via your browser) and decrypted with the Wii U common key that was mentioned above by an f0f member who already has all the keys.

Marionumber1 is currently trying to get in touch with Chadderz. It would really be a nice gesture if Chadderz shared this exploit with Marionumber1 so we can continue to open up the Wii U to grab the keys from the Starbuck OTP. Once we have the keys we can decrypt the binaries which will allow porting to 5.0.
 

PhyChris

If you are on 5.0+ then you are screwed for the browser exploit (I'm on 5.0)... I have seen this happen many times in the past with different console/handheld scenes.
Anyone who is working on getting the needed keys has what they need, a pre-5.0 Wii U; there is no reason to port it. So, like me, whoever is on 5.0 is SOL until the needed keys are found....
 

Rinnux

If you are on 5.0+ then you are screwed for the browser exploit (I'm on 5.0)... I have seen this happen many times in the past with different console/handheld scenes.
Anyone who is working on getting the needed keys has what they need, a pre-5.0 Wii U; there is no reason to port it. So, like me, whoever is on 5.0 is SOL until the needed keys are found....

We're not screwed. The exploit still exists in the browser. Yes it will require more work to port over, however that does not mean anyone who updated to 5.0 is as you put it, SOL.
 

Bladexdsl

If you are on 5.0+ then you are screwed for the browser exploit (I'm on 5.0)... I have seen this happen many times in the past with different console/handheld scenes.
Anyone who is working on getting the needed keys has what they need, a pre-5.0 Wii U; there is no reason to port it. So, like me, whoever is on 5.0 is SOL until the needed keys are found....
it still works on 5.0 :lol:
 

PhyChris

Yes, the browser bug is still there but NOT exploited yet. Why go through all the trouble to port a half-baked browser exploit? It's a LOT of work. The next logical step is to 'use' the current exploit and get the keys... Now I can't predict the future, but a 5.0 port of the web exploit is a waste of time and I doubt we will see it.
 

Rinnux

Yes, the browser bug is still there but NOT exploited yet. Why go through all the trouble to port a half-baked browser exploit? It's a LOT of work. The next logical step is to 'use' the current exploit and get the keys... Now I can't predict the future, but a 5.0 port of the web exploit is a waste of time and I doubt we will see it.

From what I've seen over the past few days, the devs here have every intention of porting it to 5.0.
 

PhyChris

Like I said, I can't predict the future. However, I will give some advice: if you are not a dev, don't touch any exploit until things have matured to the point that you have good homebrew to run.. never before. That's how I got my wanko brick lol
 

Bug_Checker_

If you are on 5.0+ then you are screwed for the browser exploit (I'm on 5.0)... I have seen this happen many times in the past with different console/handheld scenes.
Anyone who is working on getting the needed keys has what they need, a pre-5.0 Wii U; there is no reason to port it. So, like me, whoever is on 5.0 is SOL until the needed keys are found....
Yes, the browser bug is still there but NOT exploited yet. Why go through all the trouble to port a half-baked browser exploit? It's a LOT of work. The next logical step is to 'use' the current exploit and get the keys... Now I can't predict the future, but a 5.0 port of the web exploit is a waste of time and I doubt we will see it.
When one of the main developers of the browser exploit is accidentally locked out by his own brother updating the Wii U to 5.0, I can say with certainty that
"There WILL be a 5.0 browser exploit. Period."
Now nuttin' more to say on this topic. Move along.
 

Chadderz

Unfortunately, I really don't want my kernel exploit released to anyone. Normally, I'm big on open source, I release most stuff under the MIT license, but the trouble is, there is a lot more at stake here. The reaction to our video is quite rightly a mix of excitement and fear, because people worry about online cheating and I refuse to be the one responsible for that. I know I built on other people's work to do this and so I really would like to give something back, but I just can't trust anyone. Once the exploit leaves my possession I have no control; the only control I have is not to release. As I understand it the browser exploit was leaked in the first place, who's to say the same wouldn't happen again?
 

the_randomizer

Unfortunately, I really don't want my kernel exploit released to anyone. Normally, I'm big on open source, I release most stuff under the MIT license, but the trouble is, there is a lot more at stake here. The reaction to our video is quite rightly a mix of excitement and fear, because people worry about online cheating and I refuse to be the one responsible for that. I know I built on other people's work to do this and so I really would like to give something back, but I just can't trust anyone. Once the exploit leaves my possession I have no control; the only control I have is not to release. As I understand it the browser exploit was leaked in the first place, who's to say the same wouldn't happen again?


Very baffling indeed; this would be quite a predicament, if you will. Very odd that something would be showcased and not released. This would undeniably be a detriment to the Wii U hacking scene, would it not? I don't have the highest of hopes to be honest; Wii U interest is, well, kinda not there, at least not a lot. This exacerbates the issue IMHO.


Eh, I mean Chadderz is good and all, but I don't think he was touched by the gods as the only one who could possibly find this exploit. Maybe he is, though.

Lesson is, this is how scenes die off. I know that they don't owe us, etc. etc., but there really is no point in showing off something that'll never be leaked, right? Just because something can be shown off doesn't mean it should.
 

headpie

Eh, I mean Chadderz is good and all, but I don't think he was touched by the gods as the only one who could possibly find this exploit. Maybe he is, though.
 

s-arash

Unfortunately, I really don't want my kernel exploit released to anyone. Normally, I'm big on open source, I release most stuff under the MIT license, but the trouble is, there is a lot more at stake here. The reaction to our video is quite rightly a mix of excitement and fear, because people worry about online cheating and I refuse to be the one responsible for that. I know I built on other people's work to do this and so I really would like to give something back, but I just can't trust anyone. Once the exploit leaves my possession I have no control; the only control I have is not to release. As I understand it the browser exploit was leaked in the first place, who's to say the same wouldn't happen again?

If you don't release it, someone else will, like what happened on the 3DS: neimod didn't release the exploit, Gateway 3DS did it (with money).
You can't prevent cheating, homebrew, piracy, ... because one day they'll happen; it's just a matter of time :)
 

Chadderz

I know, I do genuinely feel really bad about this, but I would feel even worse if the work was used for bad purposes. As headpie says, if we can do it, someone else can; hopefully that will take matters out of my hands.
 

Bug_Checker_

I know, I do genuinely feel really bad about this, but I would feel even worse if the work was used for bad purposes. As headpie says, if we can do it, someone else can; hopefully that will take matters out of my hands.
Do you have complete control of the Wii U?
Or do you just have control of the PPC?
Do you have any or all control of the ARM?
Do you have any or all control of the DRH?
Do you have any or all control of the DMCU?
Do you have the ability to dump the full 2GB of RAM?
Do you have the ability to dump the DRH firmware?

Can you take control of the Wii U before the system menu loads?
 

Chadderz

Just the PPC. For the record, I know I sound like a complete arsehole in the video, but that's because it's part of a livestream in which we were being incredibly sarcastic. What's not shown is about an hour of me calling myself the biggest loser ever because the exploit wasn't working ;)
 