Wii U Bug?

Discussion in 'Wii U - Hacking & Backup Loaders' started by TiMeBoMb4u2, Nov 30, 2012.


If you tried this, did it lock up your Wii U?

  1. Yes

    2 vote(s)
    100.0%
  2. No

    0 vote(s)
    0.0%
Nov 30, 2012

Wii U Bug? by TiMeBoMb4u2 at 11:41 PM (2,763 Views / 0 Likes) 18 replies

  1. TiMeBoMb4u2
    OP

    Member TiMeBoMb4u2 GBAtemp Maniac

    Joined:
    Oct 25, 2008
    Messages:
    1,169
    Country:
    United States
    I've managed to find a way to consistently lock up my Wii U.
    I'm not sure if it will help the Homebrew scene, but I'm willing to share.

    What I did...
    I was testing various types of streaming videos in the Wii U Internet Browser, and one of them happened to be on an Apple Developer HTTP Live Streaming Examples test page, HERE.
    On that page, clicking the "View advanced stream" link will load a page with a test video file.
    Clicking on the Play arrow will start the video playback.
    BUT... If you try to scrub the video to another point in time, it will lock up.
    Any attempt to go to another page, close the tab, or go back to the Wii U Home Menu will fail.
    I had to pull the power cable on my Wii U to get it to load again.

    Again... I'm not sure if this will help the scene, or if this is an exploit that can be used, but I'm pretty sure that it is a bug.

    P.S. ~ It might be a good idea for someone else to test this, just to make sure it isn't just some fluke with my Wii U.


    Cheers! :P
     
  2. 9thSage

    Member 9thSage GBAtemp Fan

    Joined:
    Aug 8, 2008
    Messages:
    387
    Country:
    United States
    HTTP LS? I had thought that didn't work, unless that was something else I was thinking of.
     
  3. TiMeBoMb4u2
    OP

    Member TiMeBoMb4u2 GBAtemp Maniac

    The basic stream seemed to play fine.
    The advanced stream froze the system.
     
  4. Supercool330

    Member Supercool330 GBAtemp Advanced Fan

    Joined:
    Sep 28, 2008
    Messages:
    659
    Country:
    United States
    Hmm, that is simply an h264 video inside an m3u container. On a side note, I didn't see any h264 codec on the credits for the browser channel, which means it is possible that Nintendo rolled their own, which could very well have bugs in it. If these bugs (assuming they exist) are exploitable or not is an entirely different question.
     
  5. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    Here's a copy of the contents of the file that sets up the stream.

    It does set up multi-language subtitles and junk... so I can't really say what's up here.
     
  6. Cyan

    Global Moderator Cyan GBATemp's lurking knight

    Joined:
    Oct 27, 2002
    Messages:
    16,417
    Location:
    Engine room, learning
    Country:
    France
    Freezing doesn't help hacking or homebrew.
    If you find a way to reproduce a console crash/reset (like Wii exploits), that will be useful.
     
  7. Supercool330

    Member Supercool330 GBAtemp Advanced Fan

    Not entirely true, freezing can be caused by stack corruption. I run into this with code written by idiots less skilled programmers at work all the time, however it is usually keeping a freed pointer around (or reference to deleted object), which is far less exploitable than an unsafe strcpy or sprintf.
     
  8. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    Fixed. Reproducible crashes aren't necessarily useful. It depends on the crash (what function crashes, why it crashes etc.).

    For example, if the program crashes because a buffer has been overflowed, influencing a register, and the program then tries to read the memory at the address stored in the influenced register, but can't because it's an invalid address (this is when it crashes), it's unlikely to be exploitable. (Although it could be possible to exploit code later in the program by setting the register to a valid address so that the attempt to read memory succeeds).

    But finding a reproducible crash, which is caused by something you can influence (e.g. opening a particular file, hacking a save game etc.) is a good start. (As opposed to finding that if you enter the settings menu 23 times then press a 52 button combo on the gamepad or something like that, it'll crash; in this case you don't have influence over things, so it's no use [obviously this isn't a genuine observation, it's an exaggerated example to show that not every crash found is worth investigating]).
     
  9. Supercool330

    Member Supercool330 GBAtemp Advanced Fan

    Ok, there seems to be some confusion here. Whenever a function is called, the current address of the code being executed is pushed on to the stack (so that the application knows where to continue executing when the function returns). Most exploits work by overwriting this value (on the stack) so that when the current function returns, instead of actually returning, the execution pointer (stored in a register) is set to an arbitrary location in memory. However, you also need to make sure that there is executable code at this location which does something useful (usually a very small loader). The most common way to ensure that the return pointer (on the stack) and that the desired code is in memory is to write past the end of a buffer. This type of attack is known as a buffer overflow. Because the stack is built downward in memory, local variables in a function are actually stored in memory before the arguments and return pointer of the function. This means that if you know the distance between the vulnerable local variable and the return pointer, setting it to an arbitrary location is a simple matter. Setting it to a specific location where you have been able to load your code is much more complicated. You can't actually change the values in registers, simply change the values in memory such that the values loaded into registers by the existing code are something different. Furthermore, there are lots of ways this can be done. On the Wii it was a save file as this is relatively simple (user loads a file, done), whereas on the PSP and 1st gen iPhone it was a PNG (srsly, I can't believe how long people were using the old versions of libpng that had that comment exploit). However, sometimes you can't load a save file and you have to do some crazy button pushing stuff (like this hack which uses the buying and selling of items in Pokemon yellow to write executable code into memory and then execute it).
    Anything that gets the system into a funky state (like loading a specific video file or even opening the settings menu 23 times and then pressing a 52 button combo) is potentially exploitable, but without being able to read the code being executed (which would require either some insane hardware exploit or the common key, NAND key, and a NAND dump) it is very difficult to figure out how to exploit any bug.
     
    mercluke and Cyan like this.
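
An added illustration of the stack-layout point in the post above (not part of the thread and not any poster's code): a constructed struct models a local buffer followed by the saved return address, so the overwrite distance and the effect of a length check can be observed without undefined behaviour. The struct, function names and sentinel value are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame: the local buffer sits below the
   saved return address, so writing past its end moves toward that value. */
struct frame_model {
    char      name[16];      /* hypothetical local variable */
    uintptr_t saved_return;  /* stand-in for the pushed return address */
};
#define SENTINEL ((uintptr_t)0x1000) /* constructed value, not a real address */

/* The "distance" from the post: input bytes that fit before the first
   byte of the saved return value would be overwritten. */
size_t bytes_until_return(void) {
    return offsetof(struct frame_model, saved_return);
}

/* Models an unchecked strcpy-style copy. The write stays inside the
   struct's own storage, so the demo itself has no undefined behaviour.
   Returns 1 if the saved return value changed, 0 otherwise. */
int unchecked_copy_clobbers(const char *src, size_t len) {
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.saved_return = SENTINEL;
    if (len > sizeof f) len = sizeof f;   /* keep the model in bounds */
    memcpy((unsigned char *)&f, src, len);
    return f.saved_return != SENTINEL;
}

/* Hardened form: reject input that does not fit (no silent truncation)
   and always NUL-terminate. Returns 0 on success, -1 on rejection. */
int checked_copy(char *dst, size_t dst_size, const char *src, size_t len) {
    if (dst_size == 0 || len >= dst_size) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    char input[32], dst[16];
    memset(input, 'A', sizeof input);     /* constructed oversized input */
    printf("distance to saved return: %zu\n", bytes_until_return());
    printf("16 bytes clobber: %d\n", unchecked_copy_clobbers(input, 16));
    printf("17 bytes clobber: %d\n", unchecked_copy_clobbers(input, 17));
    printf("checked copy of 17: %d\n", checked_copy(dst, sizeof dst, input, 17));
    return 0;
}
```
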
  10. SifJar

    Member SifJar Not a pirate

    Not every crash is exploitable. The example I gave was perhaps a bad one (it was rather late at night, I wasn't thinking too carefully) as you are influencing things. But there are numerous other examples of crashes where you don't have influence, and it is not exploitable, even if it does happen repeatedly. The example you linked seems from my brief read quite an isolated instance, and also an extremely laborious process. The hardware security on current consoles is also much better than it was in the GBC days, so figuring out this sort of thing would be much harder, if not impossible.

    And I never said that loading a specific video wouldn't be useful; I was just saying that just because a crash is reproducible doesn't mean it's useful (which Cyan had said was the case).

    Although I don't remember there ever being a PNG based exploit for the PSP; a few different TIFF based ones though.
     
  11. FierceDeity_

    Newcomer FierceDeity_ Newbie

    Joined:
    Nov 21, 2012
    Messages:
    7
    Country:
    Germany
    M3U isn't a container, it's a playlist file. The container used is MPEG2 TS.

    Yeah, it does. Even with h.264 and AAC. See my guide on this forum (http://gbatemp.net/threads/guide-li...re-video-formats-the-browser-supports.338481/)
     
  12. mercluke

    Member mercluke ‮҉

    Joined:
    Dec 2, 2007
    Messages:
    3,161
    Location:
    Perth
    Country:
    Australia
    in case you were interested... http://www.toc2rta.com/?q=node/4
     
  13. Supercool330

    Member Supercool330 GBAtemp Advanced Fan

    Absolutely. I have done application security stuff professionally (as in when crashes are reported in our code base I analyze their security severity), and only a small percent of crashes are actually exploitable. Keeping dead references alive (which in my experience causes the majority of crashes) is very rarely exploitable, race conditions are occasionally exploitable except they usually require control over timings to exploit (which is definitely doable, but usually hard), uncaught exceptions aren't exploitable since it is actually normal error handling that is aborting the software, unsafe reads of any type of data are almost always exploitable, and so on. My point was that if we want to find an exploit for the Wii U, we should try to find as many crashes or things that cause weird behavior as possible. Heck, even just figuring out places where the system or pre-installed software load data can be useful, but without a way to look at the assembly for the running code, it would be very hard to find if anything is actually exploitable or not (much less create an exploit). I wasn't trying to say that this is definitely an exploit (it likely isn't), I was just trying to convey that you really can't dismiss any crash based on its cause until you understand the mechanism of the crash (which can sometimes be inferred from the cause).
     
  14. 9thSage

    Member 9thSage GBAtemp Fan

    Huh. I hope that Plex (this media server I've been using for video) fixes their web client...in theory if HLS DOES work it should work there too, but doesn't.

    *edit*
    Not to get off topic, but I see a forum thread on their website about this that wasn't there before, apparently they are working on figuring out why it's having an issue...assuming it's fixed eventually, it would be a decent option for those wanting to stream/transcode video to their WiiU.
     
  15. TiMeBoMb4u2
    OP

    Member TiMeBoMb4u2 GBAtemp Maniac

    Hmm... It's funny that you should mention "Plex".
    :rolleyes:
     
  16. 9thSage

    Member 9thSage GBAtemp Fan

    I guess that I'm missing something?
     
  17. TiMeBoMb4u2
    OP

    Member TiMeBoMb4u2 GBAtemp Maniac

    Sorry, guys... I didn't mean to start a war. I was just making sure that everyone was aware of the possibility.
    I know from past experiences that the first step to exploiting is finding things that don't work as they should or are causing problems.
    Investigating these avenues normally leads nowhere, but it only takes that one exception to create a breakthrough!
    Has anyone else tested to see if it locks up their Wii U, also?
     
  18. TiMeBoMb4u2
    OP

    Member TiMeBoMb4u2 GBAtemp Maniac

    Plex is the reason that I was testing various streams on the Wii U in the first place! :D
     
  19. 9thSage

    Member 9thSage GBAtemp Fan

    Ah ok....it was really irritating me that their web client wasn't working too. :P Plex is actually why I thought HLS didn't work. Heh, that's sort of funny.
     
