- Joined
- Nov 26, 2012
- Messages
- 2,567
- Trophies
- 2
- Location
- United States
- Website
- sites.google.com
- XP
- 3,873
- Country
Got it, got the files from nus?
Yes, but the server uses HTTPS.
Got it, got the files from nus?
Yes, I know that. But to port the browser exploit from 4.1->5.0 we need the 5.0 binaries.
I have the 4.1 binaries which were used to create the ROP chain:
If Chadderz releases his exploit this will allow us to start working on reverse engineering the system and develop an IOS exploit to gain access to the starbuck kernel where all the common keys are located. When we get the common keys we can decrypt the 5.0 binaries (the ones shown in the picture above, except for version 5.0) and port the exploits over to 5.0.
If I'm not clear enough, this is our current exploitation vector:
- Wii U browser "use after free" memory exploit using heap spray
- ROP chain in JIT code execution area to bypass Address Space Layout Randomization
- Chadderz kernel exploit to escalate privilege level to gain access to the espresso kernel (Everything is theoretically possible on 4.1 now. The Wii U's security is toast).
- IOS exploit to gain access to the starbuck kernel
- Dump wii u common keys from starbuck
- Decrypt 5.0 binaries from the Nintendo CDN
- Port all exploits over to 5.0
- Disable signature verification checks in CafeOS
- Reverse engineer CafeOS to understand how to package our own channels
- Create homebrew loader channel (which will require some home-aid libs for SD storage loading etc.)
- Continue work on developing Wii U libs and documentation.
Yes, but the server uses HTTPS.
How was the original ROP chain developed in the first place? Guess and check, mitm ram, reversing binarysomehow?
So where did the access to those original elfs:
Account Settings
Internet Browser
Nintendo TVii
Nintendo eShop
Miiverse
come from?
a ramdump?
Something that can be duplicated?
Were they posted somewhere?
If you are on 5.0+ then you are screwed for the browser exploit (i'm on 5.0)... I have seen this happen meany times in the past with different console/handheld scenes
anyone who is working on getting the needed keys have what they need, a pre-5.0 wiiu, there is no reason to port it. so like me whoever is on 5.0 is SOL until the needed keys are found....
it still works on 5.0If you are on 5.0+ then you are screwed for the browser exploit (i'm on 5.0)... I have seen this happen meany times in the past with different console/handheld scenes
anyone who is working on getting the needed keys have what they need, a pre-5.0 wiiu, there is no reason to port it. so like me whoever is on 5.0 is SOL until the needed keys are found....
yes the browser bug is still there but NOT exploited yet. why go through all the trouble to port a half-backed browser exploit, its a LOT of work. the next logical step is to 'use' the current exploit and get the keys... now I cant predict the future but a 5.0 port of the web exploit is a wast of time and i doubt we will see it.
If you are on 5.0+ then you are screwed for the browser exploit (i'm on 5.0)... I have seen this happen meany times in the past with different console/handheld scenes
anyone who is working on getting the needed keys have what they need, a pre-5.0 wiiu, there is no reason to port it. so like me whoever is on 5.0 is SOL until the needed keys are found....
When one of the main developers of the browser exploit is accidentally locked out by his own brother updating the wiiu to 5.0, I can say with certainty thatyes the browser bug is still there but NOT exploited yet. why go through all the trouble to port a half-backed browser exploit, its a LOT of work. the next logical step is to 'use' the current exploit and get the keys... now I cant predict the future but a 5.0 port of the web exploit is a wast of time and i doubt we will see it.
Unfortunately, I really don't want my kernel exploit released to anyone. Normally, I'm big on open source, I release most stuff under MIT licesnse, but the trouble is, there is a lot more at stake here. The reaction to our video is quite rightly a mix of excitement and fear, because people worry about online cheating and I refuse to be the one responsible for that. I know I built on other people's work to do this and so I really would like to give something back, but I just can't trust anyone. Once the exploit leaves my possession I have no control, the only control I have is not to release. As I understand it the browser exploit was leaked in the first place, who's to say the same wouldn't happen again?
Eh, I mean chadderz is good and all, but I don't think he was touched by the gods as the only one who could possibly find this exploit. Maybe he is tho.
Unfortunately, I really don't want my kernel exploit released to anyone. Normally, I'm big on open source, I release most stuff under MIT licesnse, but the trouble is, there is a lot more at stake here. The reaction to our video is quite rightly a mix of excitement and fear, because people worry about online cheating and I refuse to be the one responsible for that. I know I built on other people's work to do this and so I really would like to give something back, but I just can't trust anyone. Once the exploit leaves my possession I have no control, the only control I have is not to release. As I understand it the browser exploit was leaked in the first place, who's to say the same wouldn't happen again?
Do you have complete control of the WiiU?I know, I do genuinely feel really bad about this, but I would feel even worse if the work was used for bad purposes. As headpie says, if we can do it, someone else can, hopefully that will take matters out of my hands.