Hacking Testing WiiU Browser Exploit on 5.1.0

WaryLouka

You can't just take a picture of an exploit with a quality camera, where's all the blur and low resolution?


If that means I'm the official exploit photographer, I can get Smealum's 3DS exploit right now, right? I could take nice photos.
 

NWPlayer123

Sorry for double posting, but how does the exploit work? I never heard of it.

Basically, we exploit a bug in the web browser, which allows us to do some stuff in the memory, called a ROP (return oriented programming, you jump to a certain address in memory and then after running the code you want it jumps back to your control, basic assembly stuff) chain. That allows our compiled code to be executed, and then the system does whatever we tell it to :P The hello.c, for example, uses OSFatal. What that does is it shuts down everything, wipes the screen black/blank, and displays whatever text it was given, but you can only run it once, which sucks. That's as non-technical an explanation as I can offer :P
 

iNFiNiTY

Basically, we exploit a bug in the web browser, which allows us to do some stuff in the memory, called a ROP (return oriented programming, you jump to a certain address in memory and then after running the code you want it jumps back to your control, basic assembly stuff) chain. That allows our compiled code to be executed, and then the system does whatever we tell it to :P The hello.c, for example, uses OSFatal. What that does is it shuts down everything, wipes the screen black/blank, and displays whatever text it was given, but you can only run it once, which sucks. That's as non-technical an explanation as I can offer :P


I saw some logs floating around online and it looks like it also reveals information about memory locations/names/functions as well so it's not like it's entirely useless of course; I don't know how you're going to be able to leverage that info right now but certainly better than being totally blind.. I get the feeling people, well some 'people' probably have been at this stage for a while and are trying to figure out a way to lock it down to themselves and make it connected to paid hardware (wii-u key seems.. well idk what is up with that but no doubt another solution could be thought up - tied to SD card? go to website for exploiting then the process ties it to your paid-for SD card or some other novel way to keep it private/paid for).

Ramhaxx seemed to lead to the whole 3DS progress and then flashcart, if the same is possibly happening for Wii-U then it's going to be a struggle for homebrew guys to try and work out all of the firmware's details from this or other browser exploits.. there's a lot of hints though so maybe someone smart will manage to find another vulnerable library or such that gives a bit more freedom, if that's even possible (or does the virtual memory sections on the Wii-U make all userland research difficult?).

Good luck and good work to the guys who have worked on this it's nice to see some of this happening on the temp, it's like the nintendo version of wololo at times now!
 

Bug_Checker_

So it's safe to update to 5.1? I'm looking at you, Marionumber1.

Where is the discussion thread where all this information is being put out at?


http://gbatemp.net/threads/wii-u-browser-exploit-updated-works-on-5-1-0.369436
Special thanks to:

  • Marionumber1 - ROP chain design/implementation
  • TheKit - WebKit bug finding, ROP chain implementation
  • Hykem - Finding ROP gadgets
  • bubba - Testing WebKit bug candidates
  • comex - Access to the coreinit and WebKit binaries
  • Chadderz - Blind memory dumping on 5.0.0
  • Relys - Testing exploits
To quickly test the exploit, use my server; I have compiled a hello world with the tools provided (from Marionumber1).


1) Start the Wii U (5.1.0 version maximum)
2) Open the web browser
3) Go to http://tgames.fr/tgames/wiiu
4) Wait a few seconds...
5) The Wii U launches the hello world



Edit: The same but in English: http://tgames.fr/tgames/wiiu-eng
That was very nice of you to include credits in the demo.
 

Bug_Checker_

No, I tried opening it and got an access denied error, so the browser can't access it.

Does the browser not write bookmarks/favorites?
I seem to recall fiercewaffle said something about SD card writing with the 3DS, dunno if it will help:

Source:
http://www.fiercewaffle.com/blogpost.php?id=1
"After a bit of brainstorming, we decided to change the permissions of the IOpen_File function to write/create(0x06) instead of the original read permissions(0x01).
When set to write/create, the 3DS would create the file we were attempting to dump if it didn't exist already. This meant we had a form of writing data to the SD card. Unfortunately this was also inefficient due to the restrictions of the _this (variable that holds info on the file used in alter functions such as read and write) for the IFileOpen command as well as the restrictions in the FAT32 filesystem. Because of these limitations, we were only capable of dumping 0x160 bytes at a time, 22 times before a reformat of the SD card was needed. Using the Unix dd command and a custom python script that analyzes FAT tables and looks for names not preassigned, we were able to view the raw data written to these filenames and give us very small pieces of RAM. Each of these dumps could then be stitched together to form a larger area of mem. The only problem being that strings are null terminated so any reoccurring 0's in these dumps could result in a fault dump. To fix this we XOR-ed against 0x11 (based off of the assumption that 0x11 wouldn't occur often) and would re-XOR it in the python script."
 
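To show why the XOR-0x11 trick in the quoted blog post works and where its stated assumption breaks, here is an added model (example code written for this thread, not fiercewaffle's tool or script): each 0x160-byte chunk is pushed through a C-string path that stops at the first 0x00, then decoded and checked for truncation. The memory contents are constructed sample bytes; the chunk size and key are the values given in the quote.

```python
# Added example: models the null-termination problem from the quoted post.
# Data that travels as a C string is cut at the first 0x00 byte. XOR-ing
# each byte with 0x11 turns zeros into 0x11, so they survive; but any byte
# that was already 0x11 becomes 0x00 and truncates the chunk instead, which
# is the weak point of the "0x11 won't occur often" assumption.
CHUNK = 0x160   # bytes per dump, as stated in the quoted post
KEY = 0x11      # XOR constant from the quoted post

def as_c_string(data: bytes) -> bytes:
    """Model the write path: everything from the first NUL onwards is lost."""
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]

def encode(chunk: bytes) -> bytes:
    """Hide zeros before the chunk goes through the C-string path."""
    return bytes(b ^ KEY for b in chunk)

def decode(written: bytes) -> bytes:
    """Undo the XOR on the recovered bytes (XOR with the same key)."""
    return bytes(b ^ KEY for b in written)

def dump(memory: bytes, encode_chunks: bool = True):
    """Split memory into CHUNK-sized pieces, pass each through the C-string
    path, reassemble, and report the offsets of chunks that came back short."""
    out, short = bytearray(), []
    for off in range(0, len(memory), CHUNK):
        chunk = memory[off:off + CHUNK]
        payload = encode(chunk) if encode_chunks else chunk
        got = as_c_string(payload)
        got = decode(got) if encode_chunks else got
        if len(got) != len(chunk):
            short.append(off)   # truncated: stitched image has a hole here
        out += got
    return bytes(out), short

# Constructed sample memory: 0x160 bytes of 'A', a run of zeros, then 'B's.
SAMPLE = bytes([0x41] * 0x160 + [0x00] * 0x10 + [0x42] * 0x150)
# Constructed sample that contains the key byte itself at offset 0x20.
SAMPLE_WITH_KEY = bytes([0x41] * 0x20 + [0x11] + [0x41] * 0x13F)

if __name__ == "__main__":
    print("raw:", dump(SAMPLE, encode_chunks=False)[1])  # second chunk truncated
    print("xor:", dump(SAMPLE)[1])                        # no truncation
    print("key byte present:", dump(SAMPLE_WITH_KEY)[1])  # truncated at 0x11
```

The truncation report is what the stitching script needs in order to know which chunks must be re-dumped rather than silently padded.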

linuxares

Is it possible to extract for example gamesaves with this exploit or are they stored away in an area of the Wii U that isn't reachable (yet)?
 

thekarter104

Too bad you can't access the NAND. Would be awesome to set the Wii U in NTSC video mode since my capture card can't capture in PAL60. PAL50 however.
But the PAL quality sucks on my capture card so yeah, would need NTSC.
 

iNFiNiTY

Is it possible to extract for example gamesaves with this exploit or are they stored away in an area of the Wii U that isn't reachable (yet)?


Not accessible just yet, but the code that writes the saves has to be accessible so maybe there's an awkward way of doing it there, that's what came to mind for me as well, changing a savegame. Except we got usermode access so it won't help out much I think besides a backup route?

I mean for a normal buffer overflow in savegames like the PSP ones it's things like character names running out of bounds, so if you make your name searchme then find that in RAM then maybe it will save to the inaccessible storages as your potential exploit name. Unless it breaks something else.. but people are modifying Mario Kart in RAM no problems.
 

NWPlayer123

AFAIK it's treated like any other data - as a package/file. Just like it shows in data management in settings, it's a part of a certain game's package/folder, and it's probably a file like anything else. Still can't access the eMMC without a kernel/loader exploit, so you're out of luck until that happens. So there's no special "savegame read/write function", it's all just files and folders.
 

Marionumber1

Each application is restricted to accessing its own part of the filesystem, which includes its resources and save data. This restriction is enforced by IOSU, which assigns each title an identity (a UID and GID, with the UID representing the title and the GID representing the vendor) and gives each file permissions that define which titles/vendors can access it. This mechanism is what allows for files to be restricted to only one title. By using GIDs, you can also share things like save files between multiple titles of the same vendor (like MKW finding out if you have a SMG save).
 
