Wii U 5.1.2U JavaScript Browser Crash

Discussion in 'Wii U - Hacking & Backup Loaders' started by Mr. Mysterio, Sep 16, 2014.

  1. Mr. Mysterio
    OP

    Mr. Mysterio Super Genius

    Member
    661
    856
    Sep 16, 2014
    United States
    Rosalina's Comet Observatory
    This JavaScript code will crash the Wii U internet browser on firmware 5.1.2U. This was taken from crashmybrowser.com. Navigate there with the Wii U browser, then select "Heap death of the blogoverse". I was so looking forward to modding Mario Kart 8 with the original browser exploit, but I carelessly updated my Wii U to 5.1.2. :sad: Maybe some of the more expert hackers can turn this JS code into a way of running C code and eventually game hacking!:)

    var x; // shared global buffer: grown by Test_HeapDeath, then by every timer tick

    function Test_HeapDeath ()
    {
        // Install "generic" copies of the String.prototype methods on the String
        // constructor, so String.charCodeAt(v) === String.prototype.charCodeAt.call(v).
        // Names the engine does not implement ('quote', 'startsWith', ...) only get a
        // wrapper that is never called here.
        (function () {
            'use strict';

            var i,
                methods = [
                    'quote', 'substring', 'toLowerCase', 'toUpperCase', 'charAt',
                    'charCodeAt', 'indexOf', 'lastIndexOf', 'startsWith', 'endsWith',
                    'trim', 'trimLeft', 'trimRight', 'toLocaleLowerCase',
                    'toLocaleUpperCase', 'localeCompare', 'match', 'search',
                    'replace', 'split', 'substr', 'concat', 'slice'
                ],
                methodCount = methods.length,
                assignStringGeneric = function (methodName) {
                    var method = String.prototype[methodName];
                    String[methodName] = function (arg1) {
                        return method.apply(arg1, Array.prototype.slice.call(arguments, 1));
                    };
                };

            // wrap each listed method name in turn
            for (i = 0; i < methodCount; i++) {
                assignStringGeneric(methods[i]);
            }
        }());

        // Warm-up: every pass doubles x and appends two short numbers (the char code
        // of the first digit of a random 0..255 value), so after 22 passes x is tens
        // of millions of characters long.
        var i;
        x = '0123456789';
        for (i = 0; i < 22; i++) {
            x = x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256)) + x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256));
        }
        // Keep doubling the live string data every 5 ms until allocation fails.
        setInterval(_HeapDeath, 5);
    }

    function _HeapDeath ()
    {
        // x becomes a two-element array; on the next tick x.slice(0) copies the array
        // and "+" joins it back into one string, so each tick roughly doubles the
        // memory held.
        x = [x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256)), x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256))];
    }

    Test_HeapDeath();
     


  2. gypsynimrod

    gypsynimrod Banned

    Banned
    368
    154
    Sep 2, 2014
    Fiji
    Is anyone even actively working towards Wii U hacking? There was a guy who posted a picture, but he refused to record a video or actually show off how it was done leading people to believe it was all fake. Outside of that, has there really been anything?
     
  3. Jackall4BDN

    Jackall4BDN Haunter of Daydreams and Nightmares

    Member
    767
    358
    Nov 8, 2013
    Gambia, The
    Within your Mind
    You didn't watch the work MrBean35000vr and his pals have done in the past months, did you? xD
     
  4. gypsynimrod

    gypsynimrod Banned

    Banned
    368
    154
    Sep 2, 2014
    Fiji
    You mean the guys who have said multiple times that they have 0 plans of releasing their hacks?
     
  5. Jackall4BDN

    Jackall4BDN Haunter of Daydreams and Nightmares

    Member
    767
    358
    Nov 8, 2013
    Gambia, The
    Within your Mind
    They will release it, just won't tell people how their code can be used for other things, and other hackers will figure that out by themselves eventually once their mods are out.
     
    Ray Lewis likes this.
  6. gypsynimrod

    gypsynimrod Banned

    Banned
    368
    154
    Sep 2, 2014
    Fiji
    They have said numerous times that they have no plans on releasing anything.
     
    Huntereb and Ray Lewis like this.
  7. Jackall4BDN

    Jackall4BDN Haunter of Daydreams and Nightmares

    Member
    767
    358
    Nov 8, 2013
    Gambia, The
    Within your Mind
    You seem quite sure about that, dunno where you got that idea.
    They even ask in their streams what to work on next, just for entertainment, or what?
    But I don't wanna start an argument here. No fun behind it, and also a way to get a thread closed in minutes,
    so actually: nope
     
  8. FPSRussi4

    FPSRussi4 Clean up your act and cut the crap.

    Member
    670
    419
    Dec 1, 2013
    Laos
    That's what I've heard as well. Hey OP, was the crash handled or nah?
     
  9. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    I didn't look at this for very long, but to me, it just looks like they're trying to eat up as much memory as possible.
     
  10. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States

    Yeah, you're correct.

    This thread takes a look a some of the examples on that site:
    http://help.maxthon.com/thread-11532-1-1.html
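    To put numbers on "eating up as much memory as possible", here is a constructed model of the script's growth steps (an added example, not code from the original post or from crashmybrowser.com). It reproduces the warm-up loop and the timer tick on tiny inputs so the growth can be measured without exhausting memory; codeToken, warmup, tick, liveChars, modelLiveChars and modelBytes are names chosen here, and the random 0..255 values are replaced by a fixed sequence.

    ```javascript
    // What the script's String.charCodeAt(n) generic really yields: charCodeAt with
    // `this` coerced to the decimal string of n and no index, i.e. the code of the
    // first digit. For 0..255 that is 48..57, so each appended token is 2 characters.
    function codeToken(n) {
      return String(String.prototype.charCodeAt.call(n));
    }

    // One run of the warm-up loop: x = x + tok + x + tok, `iterations` times
    // (deterministic tokens instead of Math.random, assumption for this model).
    function warmup(seed, iterations) {
      var x = seed;
      for (var i = 0; i < iterations; i++) {
        x = x.slice(0) + codeToken(i % 256) + x.slice(0) + codeToken((i * 7) % 256);
      }
      return x;
    }

    // One _HeapDeath tick: x becomes a two-element array. On the next tick
    // x.slice(0) copies the array and "+" joins it with a comma, so the live
    // string data roughly doubles every tick.
    function tick(x, n) {
      return [x.slice(0) + codeToken(n), x.slice(0) + codeToken(n + 1)];
    }

    // Characters currently held by x (string before the first tick, array after).
    function liveChars(x) {
      return Array.isArray(x) ? x[0].length + x[1].length : x.length;
    }

    // Closed-form model: warm-up L' = 2L + 4 from L0 = 10 gives L_k = 14*2^k - 4;
    // tick 1 holds two strings of L + 2, every later tick makes each element 2P + 3.
    function modelLiveChars(iterations, ticks) {
      var len = 14 * Math.pow(2, iterations) - 4;
      if (ticks === 0) return len;
      var p = len + 2;
      for (var t = 1; t < ticks; t++) p = 2 * p + 3;
      return 2 * p;
    }

    // Bytes at 2 bytes per UTF-16 code unit, e.g. the script's real 22 passes.
    function modelBytes(iterations, ticks) {
      return modelLiveChars(iterations, ticks) * 2;
    }
    ```

    With the script's real parameters, modelLiveChars(22, 0) is about 58.7 million characters before the first tick, and each 5 ms tick doubles that, which is why the whole console freezes rather than the browser reporting an error.
    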
     
  11. FusionGamer

    FusionGamer GBAtemp Advanced Fan

    Member
    507
    367
    Jul 12, 2014
    United States
    The neat thing about this (possible) exploit, is Nintendo can't patch it. (As it doesn't rely on a web engine like Webkit)
     
  12. Mr. Mysterio
    OP

    Mr. Mysterio Super Genius

    Member
    661
    856
    Sep 16, 2014
    United States
    Rosalina's Comet Observatory
    The screen does not go black like the original browser exploit. It just freezes on the current frame. Button pressing does no good. I have to do a hard reboot (unplug or hold power for 5 sec.). How does the original exploit crash the browser? Also, what makes a crash exploitable?
     
  13. FPSRussi4

    FPSRussi4 Clean up your act and cut the crap.

    Member
    670
    419
    Dec 1, 2013
    Laos
    The exploit cannot be handled by the Wii U's security system. You should read the 5.1 browser crash results and compare it with yours.
     
  14. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    What makes a crash exploitable is whether it allows us to overwrite arbitrary memory that would give us control of the execution path. The 4.0.0-5.1.0 browser exploit was based on a use-after-free, which allowed us to fill memory that the browser thought was allocated, but in reality was free. Doing this let us point an object's vtable to a JavaScript buffer we controlled. A vtable is a list of function addresses used to make virtual method calls in certain objects, so controlling the object's vtable allowed us to make the browser jump to wherever we wanted.
     
    Obveron likes this.
  15. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,608
    Nov 3, 2013
    United States
    No. Check the MK8 hacking thread, they have a specific plan for if and when they'll release what they have.
     
  16. Mr. Mysterio
    OP

    Mr. Mysterio Super Genius

    Member
    661
    856
    Sep 16, 2014
    United States
    Rosalina's Comet Observatory
    I think I understand how the original exploit works now (Thanks Marionumber1 :)). I also understand now that because the crashmybrowser.com code froze the screen instead of turning it black, the entire system crashed and not just the browser. :sad:

    Does anybody have any bright ideas? maybe:

    Anti-Updating from 5.1.2 to 5.1.0.
    Porting the original exploit to 5.1.2. (Maybe the addresses just got scrambled again?)
    Maybe this crash will work: http://gbatemp.net/threads/crash-wiiu-via-browser-exploitable.370605/
    De-encrypting the usb drive file system. (Possibly comparing the same file from multiple wii u systems to find a common key)

    Please forgive my ignorance if some of these suggestions are absolutely impossible. I just want to help other unlucky people with 5.1.2 firmware. Also, please note that I do NOT support piracy and other illegal activities. I just want to make my games a little more interesting and eventually (maybe) write homebrew apps for the Wii U.
     
  17. gypsynimrod

    gypsynimrod Banned

    Banned
    368
    154
    Sep 2, 2014
    Fiji

    "None of this is in any state to be released at present, and it's unlikely that we ever will in the interest of preventing cheaters."

    "Currently, this texture hack is not released. We don't have a good, copyright-free way to release it, and right now nobody could use it anyway even if we did."

    It's not an argument if one side is stating facts while the other is basking in its own willful unknowing.
     
    Huntereb and Fpsrussia117 like this.
  18. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    They're talking about those specific projects, not all MK8 hacking.
     
  19. Mr. Mysterio
    OP

    Mr. Mysterio Super Genius

    Member
    661
    856
    Sep 16, 2014
    United States
    Rosalina's Comet Observatory
    Even if MrBean35000vr and Chadderz don't release their work, I'm sure that somebody else will figure it out. I have done a little Mario Kart Wii hacking using USB Gecko and I don't think that changing simple values in memory (like Moo Moo Meadows = Hello!) should be too hard once we have a kernel exploit.
     
  20. FusionGamer

    FusionGamer GBAtemp Advanced Fan

    Member
    507
    367
    Jul 12, 2014
    United States

    Plus, other groups will always find a way to dump games and thus their files. Meaning, that with or without Chadderz & Bean, we'll have MK8 mods either way.