Hacking Wii U Bug?

If you tried this, did it lock up your Wii U?

  • Yes

    Votes: 2 100.0%
  • No

    Votes: 0 0.0%

  • Total voters
    2

TiMeBoMb4u2

I've managed to find a way to consistently lock up my Wii U.
I'm not sure if it will help the Homebrew scene, but I'm willing to share.

What I did...
I was testing various types of streaming videos in the Wii U Internet Browser, and one of them happened to be on an Apple Developer HTTP Live Streaming Examples test page, HERE.
On that page, clicking the "View advanced stream" link will load a page with a test video file.
Clicking on the Play arrow will start the video playback.
BUT... If you try to scrub the video to another point in time, it will lock up.
Any attempt to go to another page, close the tab, or go back to the Wii U Home Menu will fail.
I had to pull the power cable on my Wii U to get it to load again.

Again... I'm not sure if this will help the scene, or if this is an exploit that can be used, but I'm pretty sure that it is a bug.

P.S. ~ It might be a good idea for someone else to test this, just to make sure it isn't just some fluke with my Wii U.


Cheers! :P
 

Supercool330

Hmm, that is simply an h264 video inside an m3u container. On a side note, I didn't see any h264 codec on the credits for the browser channel, which means it is possible that Nintendo rolled their own, which could very well have bugs in it. If these bugs (assuming they exist) are exploitable or not is an entirely different question.
 

Rydian

Here's a copy of the contents of the file that sets up the stream.

Code:
#EXTM3U

#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="bipbop_audio",LANGUAGE="eng",NAME="BipBop Audio 1",AUTOSELECT=YES,DEFAULT=YES
#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="bipbop_audio",LANGUAGE="eng",NAME="BipBop Audio 2",AUTOSELECT=NO,DEFAULT=NO,URI="alternate_audio_aac/prog_index.m3u8"

#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English",DEFAULT=YES,AUTOSELECT=YES,FORCED=NO,LANGUAGE="eng",URI="subtitles/eng/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English (Forced)",DEFAULT=YES,AUTOSELECT=NO,FORCED=YES,LANGUAGE="eng",URI="subtitles/eng_forced/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="Français",DEFAULT=YES,AUTOSELECT=YES,FORCED=NO,LANGUAGE="fra",URI="subtitles/fra/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="Français (Forced)",DEFAULT=YES,AUTOSELECT=NO,FORCED=YES,LANGUAGE="fra",URI="subtitles/fra_forced/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="Español",DEFAULT=YES,AUTOSELECT=YES,FORCED=NO,LANGUAGE="spa",URI="subtitles/spa/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="Español (Forced)",DEFAULT=YES,AUTOSELECT=NO,FORCED=YES,LANGUAGE="spa",URI="subtitles/spa_forced/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="日本人",DEFAULT=YES,AUTOSELECT=YES,FORCED=NO,LANGUAGE="jpn",URI="subtitles/jpn/prog_index.m3u8"
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="日本人 (Forced)",DEFAULT=YES,AUTOSELECT=NO,FORCED=YES,LANGUAGE="jpn",URI="subtitles/jpn_forced/prog_index.m3u8"

#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=263851,CODECS="mp4a.40.2, avc1.4d400d",RESOLUTION=416x234,AUDIO="bipbop_audio",SUBTITLES="subs"
gear1/prog_index.m3u8
#EXT-X-I-FRAME-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=28451,CODECS="avc1.4d400d",URI="gear1/iframe_index.m3u8"

#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=577610,CODECS="mp4a.40.2, avc1.4d401e",RESOLUTION=640x360,AUDIO="bipbop_audio",SUBTITLES="subs"
gear2/prog_index.m3u8
#EXT-X-I-FRAME-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=181534,CODECS="avc1.4d401e",URI="gear2/iframe_index.m3u8"

#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=915905,CODECS="mp4a.40.2, avc1.4d401f",RESOLUTION=960x540,AUDIO="bipbop_audio",SUBTITLES="subs"
gear3/prog_index.m3u8
#EXT-X-I-FRAME-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=297056,CODECS="avc1.4d401f",URI="gear3/iframe_index.m3u8"

#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1030138,CODECS="mp4a.40.2, avc1.4d401f",RESOLUTION=1280x720,AUDIO="bipbop_audio",SUBTITLES="subs"
gear4/prog_index.m3u8
#EXT-X-I-FRAME-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=339492,CODECS="avc1.4d401f",URI="gear4/iframe_index.m3u8"

#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1924009,CODECS="mp4a.40.2, avc1.4d401f",RESOLUTION=1920x1080,AUDIO="bipbop_audio",SUBTITLES="subs"
gear5/prog_index.m3u8
#EXT-X-I-FRAME-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=669554,CODECS="avc1.4d401f",URI="gear5/iframe_index.m3u8"

#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=41457,CODECS="mp4a.40.2",AUDIO="bipbop_audio",SUBTITLES="subs"
gear0/prog_index.m3u8
It does set up multi-language subtitles and junk... so I can't really say what's up here.
 

Supercool330

Not entirely true, freezing can be caused by stack corruption. I run into this with code written by idiots less skilled programmers at work all the time, however it is usually keeping a freed pointer around (or reference to deleted object), which is far less exploitable than an unsafe strcpy or sprintf.
 

SifJar

If you find a way to reproduce a console crash/reset (like Wii exploits), that may be useful.
Fixed. Reproducible crashes aren't necessarily useful. It depends on the crash (what function crashes, why it crashes etc.).

For example, if the program crashes because a buffer has been overflowed, influencing a register, and the program then tries to read the memory at the address stored in the influenced register, but can't because it's an invalid address (this is when it crashes), it's unlikely to be exploitable. (Although it could be possible to exploit code later in the program by setting the register to a valid address so that the attempt to read memory succeeds).

But finding a reproducible crash, which is caused by something you can influence (e.g. opening a particular file, hacking a save game etc.) is a good start. (As opposed to finding that if you enter the settings menu 23 times then press a 52 button combo on the gamepad or something like that, it'll crash; in this case you don't have influence over things, so it's no use [obviously this isn't a genuine observation, it's an exaggerated example to show that not every crash found is worth investigating]).
 

Supercool330

Ok, there seems to be some confusion here. Whenever a function is called, the current address of the code being executed is pushed on to the stack (so that the application knows where to continue executing when the function returns). Most exploits work by overwriting this value (on the stack) so that when the current function returns, instead of actually returning, the execution pointer (stored in a register) is set to an arbitrary location in memory. However, you also need to make sure that there is executable code at this location which does something useful (usually a very small loader). The most common way to ensure that the return pointer (on the stack) and that the desired code is in memory is to write past the end of a buffer. This type of attack is known as a buffer overflow. Because the stack is built downward in memory, local variables in a function are actually stored in memory before the arguments and return pointer of the function. This means that if you know the distance between the vulnerable local variable and the return pointer, setting it to an arbitrary location is a simple matter. Setting it to a specific location where you have been able to load your code is much more complicated. You can't actually change the values in registers, simply change the values in memory such that the values loaded into registers by the existing code are something different. Furthermore, there are lots of ways this can be done. On the Wii it was a save file as this is relatively simple (user loads a file, done), whereas on the PSP and 1st gen iPhone it was a PNG (srsly, I can't believe how long people were using the old versions of libpng that had that comment exploit). However, sometimes you can't load a save file and you have to do some crazy button pushing stuff (like this hack which uses the buying and selling of items in Pokemon Yellow to write executable code into memory and then execute it).
Anything that gets the system into a funky state (like loading a specific video file or even opening the settings menu 23 times and then pressing a 52 button combo) is potentially exploitable, but without being able to read the code being executed (which would require either some insane hardware exploit or the common key, NAND key, and a NAND dump) it is very difficult to figure out how to exploit any bug.
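
A toy model of the stack layout described in the post above, added here as an example (it is not code from the thread or from any console software). The struct, the guard word and every name and value in it are constructed for illustration; it goes slightly beyond the post by showing a bounded copy and a guard-word check next to the unchecked copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one stack frame: the local buffer sits at the lowest address,
   the saved return address above it (layout and values are constructed). */
struct frame {
    char     buf[16];    /* local variable the input is copied into */
    uint32_t canary;     /* guard word a stack protector would place here */
    uint32_t saved_ret;  /* where execution resumes when the function returns */
};

#define CANARY   0x5AFEC0DEu
#define RET_ADDR 0x01000040u   /* constructed "legitimate" return address */

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_ret = RET_ADDR;
}

/* strcpy-style copy: trusts the input length. The clamp to the size of the
   model only keeps this demo inside its own struct. */
static void copy_unchecked(struct frame *f, const void *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
}

/* Hardened copy: refuses input that does not fit the buffer. */
static int copy_checked(struct frame *f, const void *src, size_t n) {
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* Epilogue check: 0 = return normally, -1 = guard word changed, abort. */
static int frame_return_ok(const struct frame *f) {
    return f->canary == CANARY ? 0 : -1;
}

int main(void) {
    unsigned char input[24];
    struct frame f;
    memset(input, 'A', sizeof input);   /* constructed oversized input */
    frame_init(&f);
    copy_unchecked(&f, input, sizeof input);
    printf("unchecked: saved_ret=0x%08x guard_rc=%d\n", (unsigned)f.saved_ret, frame_return_ok(&f));
    frame_init(&f);
    printf("checked:   rc=%d saved_ret=0x%08x\n", copy_checked(&f, input, sizeof input), (unsigned)f.saved_ret);
    return 0;
}
```

With the unchecked copy the saved return address ends up holding input bytes and the guard-word check fails; with the bounded copy the oversized input is rejected and the frame is untouched.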
 

SifJar

Not every crash is exploitable. The example I gave was perhaps a bad one (it was rather late at night, I wasn't thinking too carefully) as you are influencing things. But there are numerous other examples of crashes where you don't have influence, and it is not exploitable, even if it does happen repeatedly. The example you linked seems from my brief read quite an isolated instance, and also an extremely laborious process. The hardware security on current consoles is also much better than it was in the GBC days, so figuring out this sort of thing would be much harder, if not impossible.

And I never said that loading a specific video wouldn't be useful; I was just saying that just because a crash is reproducible doesn't mean it's useful (which Cyan had said was the case).

Although I don't remember there ever being a PNG based exploit for the PSP; a few different TIFF based ones though.
 

FierceDeity_

Hmm, that is simply an h264 video inside an m3u container. On a side note, I didn't see any h264 codec on the credits for the browser channel, which means it is possible that Nintendo rolled their own, which could very well have bugs in it. If these bugs (assuming they exist) are exploitable or not is an entirely different question.

M3U isn't a container, it's a playlist file. The container used is MPEG2 TS.

HTTP LS? I had thought that didn't work, unless that was something else I was thinking of.
Yeah, it does. Even with h.264 and AAC. See my guide on this forum (http://gbatemp.net/threads/guide-li...re-video-formats-the-browser-supports.338481/)
 


Supercool330

And I never said that loading a specific video wouldn't be useful; I was just saying that just because a crash is reproducible doesn't mean it's useful (which Cyan had said was the case).
Absolutely. I have done application security stuff professionally (as in when crashes are reported in our code base I analyze their security severity), and only a small percent of crashes are actually exploitable. Keeping dead references alive (which in my experience causes the majority of crashes) is very rarely exploitable, race conditions are occasionally exploitable except they usually require control over timings to exploit (which is definitely doable, but usually hard), uncaught exceptions aren't exploitable since it is actually normal error handling that is aborting the software, unsafe reads of any type of data are almost always exploitable, and so on. My point was that if we want to find an exploit for the Wii U, we should try to find as many crashes or things that cause weird behavior as possible. Heck, even just figuring out places where the system or pre-installed software load data can be useful, but without a way to look at the assembly for the running code, it would be very hard to find if anything is actually exploitable or not (much less create an exploit). I wasn't trying to say that this is definitely an exploit (it likely isn't), I was just trying to convey that you really can't dismiss any crash based on its cause until you understand the mechanism of the crash (which can sometimes be inferred from the cause).
 

9thSage

Yeah, it does. Even with h.264 and AAC. See my guide on this forum (http://gbatemp.net/threads/guide-li...re-video-formats-the-browser-supports.338481/)
Huh. I hope that Plex (this media server I've been using for video) fixes their web client...in theory if HLS DOES work it should work there too, but doesn't.

*edit*
Not to get off topic, but I see a forum thread on their website about this that wasn't there before, apparently they are working on figuring out why it's having an issue...assuming it's fixed eventually, it would be a decent option for those wanting to stream/transcode video to their WiiU.
 

TiMeBoMb4u2

Sorry, guys... I didn't mean to start a war. I was just making sure that everyone was aware of the possibility.
I know from past experiences that the first step to exploiting is finding things that don't work as they should or are causing problems.
Investigating these avenues normally leads nowhere, but it only takes that one exception to create a breakthrough!
Has anyone else tested to see if it locks up their Wii U, also?
 

9thSage

Plex is the reason that I was testing various streams on the Wii U in the first place! :D

Ah ok....it was really irritating me that their web client wasn't working too. :P Plex is actually why I thought HLS didn't work. Heh, that's sort of funny.
 
