Master boot record exploit?

Discussion in 'Wii U - Hacking & Backup Loaders' started by julialy, Sep 10, 2013.

  1. julialy

    julialy Homebrewer

    Nov 26, 2012
    United States
    On startup, the Wii U checks for a HDD, and attempts to find a Master Boot Record.
    What if the Master Boot Record is replaced with an exploit...?
  2. Fishaman P

    Fishaman P Speedrunner

    Jan 2, 2010
    United States
    That depends on its MBR-finding code. If I were the Nintendo programmer, I'd just check to see if the bytes in the expected location looked valid; I wouldn't even know how to try and execute code from there.
  3. edwardbirkholz05

    edwardbirkholz05 Advanced Member

    Nov 23, 2011
    United States
    The only executable code a regular MBR contains is x86 bootstrap code; why would a Wii U even try to run it?
  4. Cyan

    Cyan GBATemp's lurking knight

    Global Moderator
    Oct 27, 2002
    Engine room, learning
    To run an exploit, you usually need to overflow the buffer size defined by the developer to write your own code in another part of the memory, which will be executed by the console without knowing it's not the correct function anymore.
    There's no way to overflow the MBR verification process, as they are reading sector 0 themselves, using their own defined size.

    They create a buffer with a fixed size (usually the size of one sector, so either 512 bytes or 4k).
    They read the first sector's data and store it into the buffer up to the specified size (it will not overflow; they specifically tell how many bytes to read/write, and the console will not continue to write more data outside of the buffer).
    They check the buffer's bytes 511 and 512 to see if they match what they expect. (You can't code anything in two bytes, it's only 2 characters, and it's doing a comparison, not executing any part of the MBR's data.)
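The bounded read and two-byte comparison that Cyan describes, written out as an added example. This is not Nintendo's code and not code from anyone in the thread; it assumes 512-byte sectors, a constructed in-memory "disk" of four sectors, and made-up partition values. The point it makes concrete is that the sector is copied into a fixed buffer whose length caps the copy, the 0x55 0xAA check is a comparison of two bytes, and the bootstrap area is never interpreted as anything but data.

```c
/* Added example (not from the thread): a bounded MBR sector read, the
 * 0x55 0xAA signature comparison, and a bounds-checked partition table
 * parse. The "disk" is a constructed array; no real device is touched. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define MBR_SIG_OFF  510   /* 0-based offset of the signature (bytes 511 and 512 counted from 1) */
#define MBR_PART_OFF 446   /* start of the four 16-byte partition entries */
#define MBR_PART_LEN 16

typedef struct {
    uint8_t  status;     /* 0x80 = active/bootable, 0x00 = inactive */
    uint8_t  type;       /* partition type id (0x0C = FAT32 LBA) */
    uint32_t lba_start;  /* first sector of the partition */
    uint32_t sectors;    /* length in sectors */
} part_entry_t;

/* Constructed sample "disk": 4 sectors in memory, filled by build_sample_disk(). */
#define SAMPLE_SECTORS 4
static uint8_t sample_disk[SECTOR_SIZE * SAMPLE_SECTORS];

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bounded sector read: copies at most min(SECTOR_SIZE, buf_len) bytes of
 * sector `lba` into buf and returns how many were copied. The caller's
 * buffer length is the hard limit, so a short buffer is never overrun. */
size_t read_sector(const uint8_t *disk, size_t disk_len, uint32_t lba,
                   uint8_t *buf, size_t buf_len) {
    size_t off = (size_t)lba * SECTOR_SIZE;
    if (off >= disk_len) return 0;          /* sector beyond end of device */
    size_t n = disk_len - off;
    if (n > SECTOR_SIZE) n = SECTOR_SIZE;
    if (n > buf_len) n = buf_len;
    memcpy(buf, disk + off, n);
    return n;
}

/* Signature check: compares two bytes against 0x55 0xAA. The bootstrap
 * area (bytes 0..445) is never interpreted, let alone executed. */
int mbr_has_signature(const uint8_t *buf, size_t len) {
    if (len < SECTOR_SIZE) return 0;        /* short read: treat as invalid */
    return buf[MBR_SIG_OFF] == 0x55 && buf[MBR_SIG_OFF + 1] == 0xAA;
}

/* Parses the partition table into out[]. Returns the number of in-use
 * entries, or -1 if the signature is missing, a status byte is not 0x00/0x80,
 * or an entry reaches past total_sectors (the device size in sectors). */
int mbr_parse_partitions(const uint8_t *buf, size_t len, uint32_t total_sectors,
                         part_entry_t out[4]) {
    if (!mbr_has_signature(buf, len)) return -1;
    int count = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = buf + MBR_PART_OFF + (size_t)i * MBR_PART_LEN;
        if (e[4] == 0x00) continue;                     /* empty slot */
        if (e[0] != 0x00 && e[0] != 0x80) return -1;    /* malformed status byte */
        uint32_t start = rd32le(e + 8), n = rd32le(e + 12);
        if ((uint64_t)start + n > total_sectors) return -1;  /* 64-bit sum: no wraparound */
        out[count].status    = e[0];
        out[count].type      = e[4];
        out[count].lba_start = start;
        out[count].sectors   = n;
        count++;
    }
    return count;
}

/* Builds the constructed sample: a bootstrap area of filler bytes (whatever
 * sector 0 carries there is plain data to this code), one active FAT32 entry
 * covering sectors 2..3, and the signature. All values are made up. */
void build_sample_disk(void) {
    memset(sample_disk, 0, sizeof sample_disk);
    memset(sample_disk, 0x90, MBR_PART_OFF);
    uint8_t *e = sample_disk + MBR_PART_OFF;
    e[0] = 0x80;
    e[4] = 0x0C;
    wr32le(e + 8, 2);
    wr32le(e + 12, 2);
    sample_disk[MBR_SIG_OFF]     = 0x55;
    sample_disk[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void) {
    build_sample_disk();
    uint8_t buf[SECTOR_SIZE];
    part_entry_t parts[4];
    size_t n = read_sector(sample_disk, sizeof sample_disk, 0, buf, sizeof buf);
    int np = mbr_parse_partitions(buf, n, SAMPLE_SECTORS, parts);
    printf("read %zu bytes, signature %s, %d partition(s)\n",
           n, mbr_has_signature(buf, n) ? "ok" : "missing", np);
    for (int i = 0; i < np; i++)
        printf("  type 0x%02X start %u len %u\n",
               parts[i].type, parts[i].lba_start, parts[i].sectors);
    return 0;
}
```

Two design points worth noting: the copy length is the smaller of the sector size and the destination buffer, so a caller with a too-small buffer gets fewer bytes back rather than a corrupted stack, and the partition length check is done in 64-bit arithmetic so a start/length pair crafted to wrap around 32 bits is still rejected.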
  5. Ray Lewis

    Ray Lewis Banned

    Dec 30, 2012
    United States
    Ahhh, then some games have "situations" that this stuff happens in. I recall some interesting "hacks." 360 needed reset glitch after JTAG was locked down. Then install a file (general terms) using flashing and off you went. Remember PSP 1000? Open battery, cut one pin, then boot with SD card;-)

    I love reading stuff like this. A long time ago, a guy proposed reset glitch on an xbox360 specific site. I was in that thread, some wrote it off until later on it was shown to be true. NOT sure that was where it originated though. I really note everything I see. Marcan said sandboxing is Wii U approach. Some proposed internet exploits (HIGHLY possible) but Marcan shot that down. People have lied or tricked me in private before but if true, I believe I know ONE of the games. Not even sure about DELIVERY but game alone may be true;-) Some proposed reading/writing emmc like 3ds is now doing, and using it to DOWNGRADE which basically should expose to previous exploits.

    Take system update and then cut out auto updates, and there you go with SDK. If we could write any update to nand like 3ds (one you backed up) then basically any exploits COULD NOT be patched. Might have efuse type of security but I don't know about:-( I like the thinking on this type of stuff.

    Seriously, if Wii U can be downgraded like 3ds then patching won't matter. This was why I wanted a way to at least read/write to the eMMC of the Wii U. Some laughed, but look at 3ds now. Downgrading with a backup you make basically makes updates futile. If we had a way to get keys, sign/decrypt/mod those reads, then basically there is a FULL hack right there. I spent a lot of time in technical forums but only READING. I think Cyan knows his stuff. Thanks for sharing that Cyan.
  6. julialy

    julialy Homebrewer

    Nov 26, 2012
    United States
    Looks like we'll have to wait for more games that use the SD card, and see if there are any possible exploits...
  7. Pepois

    Pepois GBAtemp Fan

    Aug 24, 2013
    Very interesting guys!!!