OSDriver kernel exploit - a technical description

Discussion in 'Wii U - Hacking & Backup Loaders' started by Marionumber1, Aug 20, 2015.

  1. Mathew_Wi

    Mathew_Wi bye

    Member
    7
    Sep 29, 2009
    How about you show us yours?
     
  2. codychaosx

    codychaosx GBAtemp Advanced Fan

    Member
    6
    Mar 15, 2009
    United States
    Wisconsin
    [image]
     
    josh87402, ant888, driverdis and 2 others like this.
  3. Don Jon

    Don Jon GBAtemp Maniac

    Member
    7
    Nov 20, 2015
    United States
    no need
    it has been confirmed already
     
    Last edited by Don Jon, Feb 13, 2016
  4. ScarletDreamz

    ScarletDreamz [Debug Mode]

    Member
    12
    Feb 16, 2015
    United States
    Localhost
    What has been confirmed? Is it the same? Is it not the same? Are you gonna release it? Yes, no? lol
     
  5. Net-KILLER

    Net-KILLER computer says no

    Member
    4
    Oct 22, 2009
    Saint Kitts and Nevis
    in a pineapple under the sea
    I guess that's robertorpg94's new account.
     
    moops44 and Don Jon like this.
  6. shaneod

    shaneod GBAtemp Fan

    Member
    4
    Mar 3, 2011
    I'm surprised you bothered to reply.
    He thinks that if he pretends to have an exploit, you'll release yours.
     
  7. davetheshrew

    davetheshrew GBAtemp Advanced Fan

    Member
    5
    Jan 2, 2016
    I remember you saying recently that you modified the 5.3.2 kernel to work on 5.5.1, now you're saying you 'bruteforced' the system to give up the kernel. C'mon man, stop lying all the time and admit it, you can't code for skittles.
     
  8. Mathew_Wi

    Mathew_Wi bye

    Member
    7
    Sep 29, 2009
    By who?
     
  9. oumoumad

    oumoumad GBAtemp Advanced Fan

    Member
    6
    Apr 20, 2015
    France
    This is the same guy who said last time that he managed to make loadiine work on 5.5.1 using yellows8's exploit :) You can use the time spent replying to him on something more productive, Mathew ;).
     
    Garou and NexoCube like this.
  10. NexoCube

    NexoCube stop using piracy :(

    Member
    6
    Nov 3, 2015
    France
    Stack Pointer
    How did you find that the spinlocks were sometimes unlocked? @Marionumber1
     
  11. Voxel

    Voxel Master of moonjumps

    Member
    14
    Jun 27, 2015
    United Kingdom
    I just found out he's probably not going to get the time to reply to you until the end of Sunday night due to his CTF, Nexo... :(
     
    NexoCube likes this.
  12. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    17
    Feb 17, 2012
    United States
    The Everfree Forest
    Um, I don't remember how we started. I think either someone told us it existed and we tried to replicate it (I still remember it first working in February last year, "Race attack succeeded", and MN1 was shocked that it finally worked to some degree), and shortly after Bean and chadderz showed off that they had made their own using the userspace bug we released for 4.0 to 5.1; that's how chadderz originally made TCPGecko dotNet and Cafiine. I'm not actually sure they ever disclosed what their bug was. I also remember chadderz having some fun with MN1 to blindly get userspace working on 5.1, and we just kept using it up until it got patched in 5.5.0 (MN1 made the second one before this because the OSDriver one was so unreliable).
     
  13. NexoCube

    NexoCube stop using piracy :(

    Member
    6
    Nov 3, 2015
    France
    Stack Pointer
    Okay ^^ But now, how to find another bug that can exploit the kernel :c?
     
  15. NexoCube

    NexoCube stop using piracy :(

    Member
    6
    Nov 3, 2015
    France
    Stack Pointer
    So, if I understand everything, the ROP chains are just there to tell Core 0 and 2 to start, and to free one of your "Driver"s (the B one)?

    And the kern_read and kern_write syscalls are installed in DRVHAX (C)?
     
    Last edited by NexoCube, Apr 14, 2016
  16. Droyd

    Droyd GBAtemp Regular

    Member
    2
    Jan 3, 2016
    Antarctica
    Why do you do this lol, I thought something was released...
     
    NexoCube likes this.