Hacking Wii U 5.1.2U JavaScript Browser Crash

Mr. Mysterio

This JavaScript code will crash the Wii U Internet Browser on firmware 5.1.2U. It was taken from crashmybrowser.com: navigate there with the Wii U browser, then select "Heap death of the blogoverse". I was so looking forward to modding Mario Kart 8 with the original browser exploit, but I carelessly updated my Wii U to 5.1.2. :sad: Maybe some of the more expert hackers can turn this JS code into a way of running C code and eventually game hacking! :)

// "Heap death of the blogoverse" from crashmybrowser.com, as posted.
function Test_HeapDeath ()
{
    // Install String.<method>(str, ...) helpers that forward to
    // String.prototype.<method>; String.charCodeAt() is used below.
    (function () {
        'use strict';

        var i,
            methods = [
                'quote', 'substring', 'toLowerCase', 'toUpperCase', 'charAt',
                'charCodeAt', 'indexOf', 'lastIndexOf', 'startsWith', 'endsWith',
                'trim', 'trimLeft', 'trimRight', 'toLocaleLowerCase',
                'toLocaleUpperCase', 'localeCompare', 'match', 'search',
                'replace', 'split', 'substr', 'concat', 'slice'
            ],
            methodCount = methods.length,
            assignStringGeneric = function (methodName) {
                var method = String.prototype[methodName];
                String[methodName] = function (arg1) {
                    return method.apply(arg1, Array.prototype.slice.call(arguments, 1));
                };
            };

        for (i = 0; i < methodCount; i++) {
            // The forum's BBCode swallowed the "[i]" here in the original post.
            assignStringGeneric(methods[i]);
        }
    }());

    // Build a string of tens of millions of characters: every pass doubles x
    // and appends a two-digit char code (String.charCodeAt(n) is the code of
    // the first digit of n, i.e. 48..57).
    x = '0123456789';
    for ( i = 0; i < 22; i++ ) {
        x = x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256))
          + x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256));
    }
    // Keep doubling every 5 ms until the allocator gives up.
    setInterval(_HeapDeath, 5);
}

function _HeapDeath ()
{
    // From the second tick on x is an array, so "x.slice(0) + ..." stringifies
    // the whole array (joined with ","): live heap roughly doubles per tick.
    x = [x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256)),
         x.slice(0) + String.charCodeAt(Math.floor(Math.random() * 256))];
}

Test_HeapDeath();
 
Is anyone even actively working towards Wii U hacking? There was a guy who posted a picture, but he refused to record a video or actually show off how it was done, leading people to believe it was all fake. Outside of that, has there really been anything?
 
You didn't watch the work MrBean35000vr and his pals have done in the past months, did you? xD
 
You mean the guys who have said multiple times that they have 0 plans of releasing their hacks?
They will release it, they just won't tell people how their code can be used for other things, and other hackers will figure that out by themselves eventually once their mods are out.
 
They have said numerous times that they have no plans on releasing anything.
You seem quite sure about that, dunno where you got that idea.
They even ask in their streams what to work on next, just for entertainment, or what?
But I don't wanna start an argument here. No fun behind it and also a way to close a thread in minutes.
So actually: nope.
 
The neat thing about this (possible) exploit is that Nintendo can't patch it (as it doesn't rely on a web engine like WebKit).
 
The screen does not go black like with the original browser exploit. It just freezes on the current frame. Button presses do no good. I have to do a hard reboot (unplug it or hold power for 5 seconds). How does the original exploit crash the browser? Also, what makes a crash exploitable?
 
The exploit cannot be handled by the Wii U's security system. You should read the 5.1 browser crash results and compare them with yours.
 
How does the original exploit crash the browser? Also, what makes a crash exploitable?

What makes a crash exploitable is whether it allows us to overwrite arbitrary memory in a way that gives us control of the execution path. The 4.0.0-5.1.0 browser exploit was based on a use-after-free, which allowed us to fill memory that the browser thought was allocated but which in reality was free. Doing this let us point an object's vtable to a JavaScript buffer we controlled. A vtable is a list of function addresses used to make virtual method calls on certain objects, so controlling the object's vtable allowed us to make the browser jump to wherever we wanted.
 
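As an added illustration of the use-after-free to vtable-hijack chain described in the post above (this is example code written for this page, not Marionumber1's exploit or any Wii U browser code), the following C program models it deterministically. A toy fixed-size allocator with a LIFO free list stands in for the browser's allocator, `Widget` stands in for the freed C++ object, `attacker_gadget` and the `0x41414141` marker stand in for code at an attacker-chosen address; all of these names are assumptions for the demonstration. The point it makes that the crash code above does not: the exploit needs a dangling pointer plus a same-sized, attacker-filled allocation landing on the freed slot, not merely an out-of-memory condition.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator: fixed-size slots and a LIFO free list, so the most recently
 * freed slot is the first one handed out again. Real allocators behave this
 * way for same-sized requests, which is what makes a dangling pointer useful. */
#define SLOT_SIZE 32
#define NSLOTS    4

static union { unsigned char b[SLOT_SIZE]; void *align; } heap[NSLOTS];
static int free_list[NSLOTS];
static int free_top;

static void toy_heap_reset(void)
{
    memset(heap, 0, sizeof heap);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_list[free_top++] = i;              /* slot 0 ends up on top */
}

static void *toy_malloc(size_t n)
{
    if (n > SLOT_SIZE || free_top == 0)
        return NULL;
    return heap[free_list[--free_top]].b;
}

static void toy_free(void *p)
{
    free_list[free_top++] = (int)(((unsigned char *)p - heap[0].b) / sizeof heap[0]);
}

/* The "browser" object: the first word is the vtable pointer, as in C++. */
typedef struct Widget Widget;
typedef int (*widget_fn)(Widget *);
struct Widget {
    const widget_fn *vtable;
    int value;
};

static int widget_render(Widget *w) { return w->value; }
static const widget_fn widget_vtable[] = { widget_render };

/* Hypothetical stand-in for code at an attacker-chosen address. */
static int attacker_gadget(Widget *w) { (void)w; return 0x41414141; }
static const widget_fn fake_vtable[] = { attacker_gadget };

static Widget *make_widget(int v)
{
    Widget *w = toy_malloc(sizeof *w);
    w->vtable = widget_vtable;
    w->value = v;
    return w;
}

/* The browser frees the widget but keeps dispatching through the old pointer.
 * "JavaScript" then allocates a same-sized buffer, which lands on the freed
 * slot, and writes a fake vtable pointer into its first word. Returns the
 * result of the virtual call made after the reuse (0x41414141 on success). */
int simulate_uaf_vtable_hijack(void)
{
    toy_heap_reset();
    Widget *w = make_widget(7);
    if (w->vtable[0](w) != 7)                   /* sane dispatch before the free */
        return -1;

    toy_free(w);                                /* the object dies, w does not */

    unsigned char *spray = toy_malloc(sizeof(Widget));
    if (spray != (unsigned char *)w)            /* slot reuse is the precondition */
        return -2;
    const widget_fn *fake = fake_vtable;
    memcpy(spray, &fake, sizeof fake);          /* attacker controls word 0 */

    return w->vtable[0](w);                     /* jumps where the attacker said */
}

/* Same sequence with the dangling pointer dropped at free time: there is
 * nothing left to dispatch through, so the spray is inert (returns 0). */
int simulate_fixed(void)
{
    toy_heap_reset();
    Widget *w = make_widget(7);
    toy_free(w);
    w = NULL;

    unsigned char *spray = toy_malloc(sizeof(Widget));
    const widget_fn *fake = fake_vtable;
    memcpy(spray, &fake, sizeof fake);

    return w ? w->vtable[0](w) : 0;
}

int main(void)
{
    printf("hijacked virtual call returned 0x%x\n", (unsigned)simulate_uaf_vtable_hijack());
    printf("fixed path returned %d\n", simulate_fixed());
    return 0;
}
```

Read against the thread: the heap-death script only forces the allocator to fail, which on this firmware takes the whole console down with it, whereas `simulate_uaf_vtable_hijack` shows the two properties the 4.0.0-5.1.0 bug had and a plain out-of-memory crash lacks: a stale pointer still in use, and attacker-controlled bytes at the address it points to.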
I think I understand how the original exploit works now (thanks Marionumber1 :)). I also understand now that because the crashmybrowser.com code froze the screen instead of turning it black, the entire system crashed and not just the browser. :sad:

Does anybody have any bright ideas? Maybe:

Anti-updating from 5.1.2 to 5.1.0.
Porting the original exploit to 5.1.2 (maybe the addresses just got scrambled again?).
Maybe this crash will work: http://gbatemp.net/threads/crash-wiiu-via-browser-exploitable.370605/
Decrypting the USB drive file system (possibly comparing the same file from multiple Wii U systems to find a common key).

Please forgive my ignorance if some of these suggestions are absolutely impossible. I just want to help other unlucky people with 5.1.2 firmware. Also, please note that I do NOT support piracy and other illegal activities. I just want to make my games a little more interesting and eventually (maybe) write homebrew apps for the Wii U.
 
You seem quite sure about that, dunno where you got that idea.
They even ask in their streams what to work on next, just for entertainment, or what?
But I don't wanna start an argument here. No fun behind it and also a way to close a thread in minutes.
So actually: nope.

"None of this is in any state to be released at present, and it's unlikely that we ever will in the interest of preventing cheaters."

"Currently, this texture hack is not released. We don't have a good, copyright-free way to release it, and right now nobody could use it anyway even if we did."

It's not an argument if one side is stating facts while the other is basking in its own willful unknowing.
 
Even if MrBean35000vr and Chadderz don't release their work, I'm sure that somebody else will figure it out. I have done a little Mario Kart Wii hacking using USB Gecko and I don't think that changing simple values in memory (like Moo Moo Meadows = Hello!) should be too hard once we have a kernel exploit.
 
Plus, other groups will always find a way to dump games and thus their files, meaning that with or without Chadderz & Bean, we'll have MK8 mods either way.
 