Hacking Mario Kart 8 Mods

Status
Not open for further replies.

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
Just the PPC. For the record I know I sound like a complete arsehole in the video, but that's because it's part of a livestream in which we were being incredibly sarcastic. What's not shown is about an hour of me calling myself the biggest loser ever because the exploit wasn't working ;)

I saw the full live stream. The only part that was "annoying" was the rather loud yelling (right into the mic) at times when I had the volume maxed to hear the other person, who was not quite on mic (in the background).
 

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
Sorry about that! We were actually both away from the mic, but it's quite sensitive and Bean is more softly spoken.

So some of what I missed was: Were you dumping parts of the RAM (in game) or complete RAM dumps in real time?
Can you dump the FULL 2 GB of RAM or only the userspace (1 GB)?
Where was the RAM being dumped to: Wi-Fi/LAN/serial/USB/SD card/SD card w/ Wi-Fi (am I leaving something out)?

Do you now believe that the problem of taking control of Mario Kart (from the browser) was a timing or race condition problem? A network latency problem or user error?
 

Bladexdsl

fanboys triggered 9k+
Member
Joined
Nov 17, 2008
Messages
21,154
Trophies
2
Location
Queensland
XP
12,255
Country
Australia
yes the browser bug is still there but NOT exploited yet. why go through all the trouble to port a half-baked browser exploit, it's a LOT of work. the next logical step is to 'use' the current exploit and get the keys... now I can't predict the future but a 5.0 port of the web exploit is a waste of time and I doubt we will see it.
then you've never seen this thread then. there are guys in there working on it.
 

Chadderz

Well-Known Member
Newcomer
Joined
Apr 12, 2009
Messages
46
Trophies
1
Age
30
Location
England
Website
www.chadsoft.co.uk
XP
339
Country
So some of what I missed was: Were you dumping parts of the RAM (in game) or complete RAM dumps in real time?
Can you dump the FULL 2 GB of RAM or only the userspace (1 GB)?
Where was the RAM being dumped to: Wi-Fi/LAN/serial/USB/SD card/SD card w/ Wi-Fi (am I leaving something out)?

Do you now believe that the problem of taking control of Mario Kart (from the browser) was a timing or race condition problem? A network latency problem or user error?
We're using the same old RPC client from the browser exploit, just with address protection on the full 2 GB disabled, so we can read/write anywhere. The RPC client allows us to dump and edit RAM over the network.
The problem was that my exploit only worked when the kernel state was exactly right, which 9 times out of 10 it wasn't. Now that we can see the kernel code, I've been able to fix this so that it's 100% reliable, as I can force the kernel into the right state.
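The post above describes the tool in one sentence: an RPC client that sends read/write requests to the console over the network, which normally refuses addresses outside a permitted window, and which here has that address protection switched off so the whole 2 GB is reachable. The following is an added example of that pattern, not the real Wii U RPC client or server and not code from anyone in this thread: both sides of a toy peek/poke protocol, with the protected window, the "protection disabled" mode, and the bounds check a server should keep even when the window is disabled. The opcodes, the framing, the 1 GB/2 GB address values and the sample addresses are all assumptions made for the illustration.

```python
"""
Constructed example of a memory read/write RPC like the one described in
the post: a client sends peek/poke requests as framed messages, the target
answers with status plus data.  Opcodes, framing, memory layout and the
"protected" address window are assumptions for this illustration; none of
it is the real Wii U RPC client or server.
"""
import struct

# Assumed framing: opcode u8 | address u32 big-endian | length u32 big-endian | payload
HDR = struct.Struct(">BII")
OP_READ, OP_WRITE = 0x01, 0x02
ST_OK, ST_DENIED = 0x00, 0x01

ADDR_SPACE = 1 << 31                  # assumed 2 GiB target address space
USER_WINDOW = (0x0000_0000, 1 << 30)  # assumed: the 1 GiB the server normally permits


class TargetServer:
    """Pretend target side.  protect=True models the original client's address
    protection (only USER_WINDOW may be touched).  protect=False is the state
    the post describes: read/write anywhere in the 2 GiB."""

    def __init__(self, protect=True):
        self.protect = protect
        self.mem = {}  # sparse memory: address -> byte value (unwritten bytes read as 0)

    def _allowed(self, addr, length):
        end = addr + length
        if length == 0 or end > ADDR_SPACE:   # always reject wrap-around / out-of-space
            return False
        lo, hi = USER_WINDOW
        return not self.protect or (lo <= addr and end <= hi)

    def handle(self, frame):
        if len(frame) < HDR.size:
            return bytes([ST_DENIED])
        op, addr, length = HDR.unpack_from(frame)
        if not self._allowed(addr, length):
            return bytes([ST_DENIED])
        if op == OP_READ:
            return bytes([ST_OK]) + bytes(self.mem.get(addr + i, 0) for i in range(length))
        if op == OP_WRITE:
            payload = frame[HDR.size:]
            if len(payload) != length:        # malformed: declared length != payload length
                return bytes([ST_DENIED])
            for i, b in enumerate(payload):
                self.mem[addr + i] = b
            return bytes([ST_OK])
        return bytes([ST_DENIED])             # unknown opcode


class RpcClient:
    """Client side.  `send` is any callable that delivers a frame and returns the
    reply; here it is an in-process server, over a real link it would be a socket."""

    def __init__(self, send):
        self.send = send

    def read(self, addr, length):
        reply = self.send(HDR.pack(OP_READ, addr, length))
        if reply[0] != ST_OK:
            raise PermissionError(f"read 0x{addr:08x}+{length} denied")
        return reply[1:]

    def write(self, addr, data):
        reply = self.send(HDR.pack(OP_WRITE, addr, len(data)) + data)
        if reply[0] != ST_OK:
            raise PermissionError(f"write 0x{addr:08x}+{len(data)} denied")

    def dump(self, start, size, chunk=0x1000):
        """Dump a region in fixed-size chunks, as a RAM dumper over a network link would."""
        out = bytearray()
        for off in range(0, size, chunk):
            out += self.read(start + off, min(chunk, size - off))
        return bytes(out)


def demo():
    """Exercise both server modes; returns what each one let the client do."""
    results = {}
    high = USER_WINDOW[1] + 0x1000   # assumed address just above the protected 1 GiB window
    # 1. protection on: the low address works, the high one is refused
    guarded = RpcClient(TargetServer(protect=True).handle)
    guarded.write(0x1000, b"\xde\xad\xbe\xef")
    results["low_read"] = guarded.read(0x1000, 4)
    try:
        guarded.write(high, b"\x00")
        results["high_write"] = "allowed"
    except PermissionError:
        results["high_write"] = "denied"
    # 2. protection off (the post's state): the same high address is readable and writable
    free = RpcClient(TargetServer(protect=False).handle)
    free.write(high, b"kernel?")
    results["high_read"] = free.read(high, 7)
    results["dump_len"] = len(free.dump(high - 0x800, 0x2000, chunk=0x400))
    # 3. a request running past the end of the address space is refused in either mode
    try:
        free.read(ADDR_SPACE - 2, 4)
        results["overflow"] = "allowed"
    except PermissionError:
        results["overflow"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of keeping the `end > ADDR_SPACE` check separate from the window check is that "disable address protection" should mean widening the window, not dropping every bounds check: a length that wraps the 32-bit address would otherwise let a malformed request walk off the end of the map on the target side.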
 

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
We're using the same old RPC client from the browser exploit, just with address protection on the full 2 GB disabled, so we can read/write anywhere. The RPC client allows us to dump and edit RAM over the network.
The problem was that my exploit only worked when the kernel state was exactly right, which 9 times out of 10 it wasn't. Now that we can see the kernel code, I've been able to fix this so that it's 100% reliable, as I can force the kernel into the right state.

That is AWESOME news! I could not take another 45 minutes of unique-features-2 (aka curtains). I would rather take a bullet to the brain (maybe next time just boobs for 45 minutes, a lot fewer complaints).
Also I think you should give some serious consideration to maybe opening up a thread called
"Chadderz's and Mr Bean's Hot and Cold game"
I could see it easily getting over 10,000 replies and a 1 million plus views.

I'll go 1st I think you setup a server to act like Nintendo's, funneled it back into the WiiU's internet browser and took control of Mario Kart. perhaps, with something from the sdk like the tcp server from the network stack demos.
Your choices are:
ice cold/frigid
cold/colder
room temperature
hot
hotter
On fire/scalding
 
  • Like
Reactions: TeamScriptKiddies

Chadderz

Well-Known Member
Newcomer
Joined
Apr 12, 2009
Messages
46
Trophies
1
Age
30
Location
England
Website
www.chadsoft.co.uk
XP
339
Country
I'll go 1st I think you setup a server to act like Nintendo's, funneled it back into the WiiU's internet browser and took control of Mario Kart. perhaps, with something from the sdk like the tcp server from the network stack demos.
Your choices are:
ice cold/frigid
cold/colder
room temperature
hot
hotter
On fire/scalding

Too many categories. How about we play Chadderz's wrong/right game.
That's wrong.
 
  • Like
Reactions: filfat and some1ne

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
Too many categories. How about we play Chadderz's wrong/right game.
That's wrong.

You made me laugh. I didn't see how a game of "Hot n' Cold" could end so quickly.
Recalculating thread statistics:
Only 2 replies and a ton of views and a lot of laughs. Then the dreaded thread lock (out of kindness, so the thread isn't resurrected in 2 years by some noob who won't read stickies or any other thread but somehow will find yours and want to play).
 

Bug_Checker_

Well-Known Member
Member
Joined
Jun 10, 2006
Messages
950
Trophies
0
XP
664
Country
United States
We're using the same old RPC client from the browser exploit, just with address protection on the full 2 GB disabled, so we can read/write anywhere. The RPC client allows us to dump and edit RAM over the network.
The problem was that my exploit only worked when the kernel state was exactly right, which 9 times out of 10 it wasn't. Now that we can see the kernel code, I've been able to fix this so that it's 100% reliable, as I can force the kernel into the right state.


So did you guys just assume that HW_AHBPROT (0x0d800064) would behave similarly on the Wii U since boot0 was similarly accessible on the Wii/Wii U?
 

the_randomizer

The Temp's official fox whisperer
Member
Joined
Apr 29, 2011
Messages
31,284
Trophies
2
Age
38
Location
Dr. Wahwee's castle
XP
18,969
Country
United States
Why are people discussing an exploit that won't even be released now? This confuses me greatly. I'd have sworn Chadderz just said nothing was being released...? I get the impression I'm missing something here...
 
  • Like
Reactions: Margen67

the_randomizer

The Temp's official fox whisperer
Member
Joined
Apr 29, 2011
Messages
31,284
Trophies
2
Age
38
Location
Dr. Wahwee's castle
XP
18,969
Country
United States
sit back and relax, my man. everything will be just fine. <3


Easier said than done, man, I don't have the highest hopes. You see something I don't, and I wish I knew what that something was. :unsure: Just not feeling it, that's all. How I wish I had the confidence you had. Guess I have a hard time having hope that something can be done.
 
  • Like
Reactions: Margen67

Ninja_Carver

Well-Known Member
Member
Joined
Dec 27, 2012
Messages
364
Trophies
0
Age
39
XP
652
Country
United States
Easier said than done, man, I don't have the highest hopes. You see something I don't, and I wish I knew what that something was. :unsure: Just not feeling it, that's all. How I wish I had the confidence you had. Guess I have a hard time having hope that something can be done.


I can see the light at the end of the tunnel, don't you? Let's say the exploit was released here and now, what can you do with it? Absolutely nothing. You should be able to rest easy knowing that there is a working POC of the exploit in action, as can be seen in the video posted by Chadderz. Pressuring people is not going to get you a public release any sooner. As if the past 12 months haven't already been a testament to that...
 

the_randomizer

The Temp's official fox whisperer
Member
Joined
Apr 29, 2011
Messages
31,284
Trophies
2
Age
38
Location
Dr. Wahwee's castle
XP
18,969
Country
United States
I can see the light at the end of the tunnel, don't you? Let's say the exploit was released here and now, what can you do with it? Absolutely nothing. You should be able to rest easy knowing that there is a working POC of the exploit in action, as can be seen in the video posted by Chadderz. Pressuring people is not going to get you a public release any sooner. As if the past 12 months haven't already been a testament to that...


That's true, pressuring them does no good at all, I agree. I just don't want to see what could be a step in the right direction for Wii U hacking to simply die off and be forgotten ;)


WiiU is gone, but never forgotten.

Ninja_Carver Addendum: Wii U hacking*, don't want to see Wii U hacking die off.
 
  • Like
Reactions: Margen67

TeamScriptKiddies

Licensed Nintendo (indie) Game Developer
Member
Joined
Apr 3, 2014
Messages
1,970
Trophies
0
Age
36
Location
Planet Earth :P
XP
1,703
Country
United States
Ya everyone should back off of Chadderz and Beanz. As much as I'd love to see this exploit released to the masses, if they don't want it out there, then leave it be. The fact that they have a working kernel exploit is enough to tell us that it is possible to achieve kernel access via the WebKit/browser exploit. It's just a matter of figuring out how. Others will surely figure this out, it's only a matter of time...
 

LinuxPoser

Member
Newcomer
Joined
Jan 30, 2008
Messages
20
Trophies
0
XP
172
Country
United States
I'm all for leaving them alone, but I don't understand how merely taunting everyone makes them feel better.

"We figured it out! But we'll feel better if we make it take X days, X weeks, or X months longer for everyone else to have it! Thanks for laying the ground work!"

The discovery of the exploit is inevitable, why not make everyone happy and just release it, instead of getting mass pm's from piratefags begging them to release it.

If they wanted to be left alone they wouldn't have released a video showing they had done it.

I get that you don't support piracy, that's fine, but delaying it doesn't do anything but frustrate people. Delaying it isn't going to make honest men from the pirates.
 
  • Like
Reactions: Margen67

Arras

Well-Known Member
Member
Joined
Sep 14, 2010
Messages
6,318
Trophies
2
XP
5,414
Country
Netherlands
I'm all for leaving them alone, but I don't understand how merely taunting everyone makes them feel better.

"We figured it out! But we'll feel better if we make it take X days, X weeks, or X months longer for everyone else to have it! Thanks for laying the ground work!"

The discovery of the exploit is inevitable, why not make everyone happy and just release it, instead of getting mass pm's from piratefags begging them to release it.

If they wanted to be left alone they wouldn't have released a video showing they had done it.

I get that you don't support piracy, that's fine, but delaying it doesn't do anything but frustrate people. Delaying it isn't going to make honest men from the pirates.
People wouldn't be happy if they just released it because it's basically useless at the moment anyway and eventually it'll flood online with cheaters. It'll be released eventually when it can be used for something productive. "delaying" doesn't mean "we're going to release it exactly the way we have it now, but in several months to be annoying", delaying means they still want to work on it before releasing anything. It's like asking a company to just release a half-finished game now instead of "taunting" people with trailers while they work on it.
 

keine

Well-Known Member
Member
Joined
Aug 29, 2010
Messages
431
Trophies
1
Website
Visit site
XP
1,451
Country
United States
It's amazing to think that the same RPC client I got up and running is capable of so much [if I knew more about the subject]. That RPC client being the work of Marionumber1 and company.
Awesome work Chadderz and company.


Exciting developments like this renew my interest in reverse engineering. I started reading The Shellcoder's Handbook in an attempt to learn more about the original exploit.
 