Toggle sidebar

Hacking Testing WiiU Browser Exploit on 5.1.0

  • Thread starter Thread starter Tgames
  • Start date Start date
  • Views Views 15,283
  • Replies Replies 50
  • Likes Likes 3
FireGrey said:
You can't just take a picture of an exploit with a quality camera, where's all the blur and low resolution?
Click to expand...


If that means I'm the official exploit photographer, I can get Smealum's 3DS exploit right now, right? I could take nice photos.
 
WaryLouka said:
Sorry for double posting, but how does the expoit works? I never heard of it.1
Click to expand...

Basically, we exploit a bug in the web browser, which allows us to do some stuff in the memory, called a ROP (return oriented programming, you jump to a certain address in memory and then after running the code you want it jumps back to your control, basic assembly stuff) chain. That allows our compiled code to be executed, and then the system does whatever we tell it to :P The hello.c, for example, uses OSFatal. What that does is it shuts down everything, wipes the screen black/blank, and displays whatever text it was given, but you can only run it once, which sucks. That's as non-technical an explanation as I can offer :P
 
NWPlayer123 said:
Basically, we exploit a bug in the web browser, which allows us to do some stuff in the memory, called a ROP (return oriented programming, you jump to a certain address in memory and then after running the code you want it jumps back to your control, basic assembly stuff) chain. That allows our compiled code to be executed, and then the system does whatever we tell it to :P The hello.c, for example, uses OSFatal. What that does is it shuts down everything, wipes the screen black/blank, and displays whatever text it was given, but you can only run it once, which sucks. That's as non-technical an explanation as I can offer :P
Click to expand...


I saw some logs floating around online and it looks like it also reveals information about memory locations/names/functions as well so it's not like it's entirely useless of course; i don't know how you're going to be able to leverage that info right now but certainly better than being totally blind.. i get the feeling people, well some 'people' probably have been at this stage for a while and are trying to figure out a way to lock it down to themselves and make it connected to paid hardware (wii-u key seems.. well idk what is up with that but no doubt another solution could be thought up - tied to SD card? go to website for exploiting then the process ties it to your paid-for SD card or some other novel way to keep it private/paid for).

Ramhaxx seemed to lead to the whole 3DS progress and then flashcart, if the same is possibly happening for Wii-U then it's going to be a struggle for homebrew guys to try and work out all of the firmware's details from this or other browser exploits.. there's a lot of hints though so maybe someone smart will manage to find another vulnerable library or such that gives a bit more freedom, if that's even possible (or does the virtual memory sections on the Wii-U make all userland research difficult?).

Good luck and good work to the guys who have worked on this it's nice to see some of this happening on the temp, it's like the nintendo version of wololo at times now!
 
  • Like
Reactions: VinsCool
Huntereb said:
So it's safe to update to 5.1? I'm looking at you, Marionumber1.

Where is the discussion thread where all this information is being put out at?
Click to expand...


http://gbatemp.net/threads/wii-u-browser-exploit-updated-works-on-5-1-0.369436
Tgames said:
Specials thanks to :

  • Marionumber1 - ROP chain design/implementation
  • TheKit - WebKit bug finding, ROP chain implementation
  • Hykem - Finding ROP gadgets
  • bubba - Testing WebKit bug candidates
  • comex - Access to the coreinit and WebKit binaries
  • Chadderz - Blind memory dumping on 5.0.0
  • Relys - Testing exploits
To quick test the exploit use my server, i have compiled a hello world with the tools provided (from Marionumber1).


1) Start the Wii U (5.1.0 Version maximum)
2) Open the web browser
3) Got to http://tgames.fr/tgames/wiiu
4) Wait few seconds...
5) The Wii U launch the hello world
icon_e_wink.gif



Edit : The same but in english : http://tgames.fr/tgames/wiiu-eng
Click to expand...
That was very nice of you to include credits in the demo.
 
Marionumber1 said:
No, I tried opening it and got an access denied error, so the browser can't access it.
Click to expand...

Does the browser not write bookmarks/favorites?
I seem to recall fiercewaffle said something about sd card writing with 3ds dunno if it will help:

Source:
http://www.fiercewaffle.com/blogpost.php?id=1
"After a bit of brainstorming, we decided to change the permissions of the IOpen_File function to write/create(0x06) instead of the original read permissions(0x01).
When set to write/create, the 3DS would create the file we were attempting to dump if it didn't exist already. This meant we had a form of writing data to the SD card. Unfortunately this was also inefficent due to the restrictions of the _this(variable that holds info on the file used in alter functions such as read and write) for the IFileOpen command as well as the restrictions in the FAT32 filesystem. Because of these limitations, we were only capable of dumping 0x160 bytes at a time, 22 times before a reformat of the SD card was needed. Using the Unix dd command and a custom python script that analyzes FAT tables and looks for names not preassigned, we were able to view the raw data written to these filenames and give us very small pieces of RAM. Each of these dumps could then be stitched together to form a larger area of mem. The only problem being that strings are null terminated so any reoccurring 0's in these dumps could result in a fault dump. Do fix this we XOR-ed against 0x11(based off of the assumption that 0x11 wouldnt occur often) and would re-XOR it in the python script."
 
  • Like
Reactions: pelago
Is it possible to extract for example gamesaves with this exploit or are they stored away in an area of the Wii U that isn't reachable (yet)?
 
Too bad you can't acces the NAND. Would be awesome to set the Wii U in NTSC video mode since my capture card can't capture in PAL60. PAL50 however.
But the PAL quality sucks on my capture card so yeah, would need NTSC.
 
linuxares said:
Is it possible to extract for example gamesaves with this exploit or are they stored away in an area of the Wii U that isn't reachable (yet)?
Click to expand...


Not accessible just yet, but the code that writes the saves has to be accessible so maybe there's an awkward way of doing it there, thats what came to mind for me as well, changing a savegame. Except we got usermode access so it won't help out much i think besides a backup route?

I mean for a normal buffer overflow in savegames like the PSP ones its things like character names running out of bounds, so if you make your name searchme then find that in ram then maybe it will save to the inaccessible storages as your potential exploit name. Unless it breaks something else.. but people are modifying Mario Kart in ram no problems.
 
AFAIK it's treated like any other data - as a package/file. Just like it shows in data management in settings, it's a part of a certain game's package/folder, and it's probably a file like anything else. Still can't access the eMMC without a kernel/loader exploit, so you're out of luck until that happens. So there's no special "savegame read/write function", it's all just files and folders.
 
Each application is restricted to accessing its own part of the filesystem, which includes its resources and save data. This restriction is enforced by IOSU, which assigns each title an identity (a UID and GID, with the UID representing the title and the GID representing the vendor) and gives each file permissions that define which titles/vendors can access it. This mechanism is what allows for files to be restricted to only one title. By using GIDs, you can also share things like save files between multiple titles of the same vendor (like MKW finding out if you have a SMG save).
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Strange Blue Blinking Wii U

Hacking Homebrew Project  Modernized YouTube for Wii U

Feedback  Community Overclock Stats: A5X vs B1X Motherboards

Wii Games Performance on Wii U (vWii C2W Overclock) – Community Testing & Results Sharing

Gaming Homebrew Misc Project  Roséverse - a 1:1 Miiverse revival by Project Rosé!

My dad's Wii U cannot install Aroma. HELP!!

Can the Wii u pro controller works for Wii games ?

I broken my wii u