Regarding Kernel Exploit benefits-would this mean I'm able to use third party adapters for Wii U games, like Mayflash 3-in-1 Joybox to play SSB4 and whatnot?
Yes, you would be able to.
EDIT: Assuming you disassemble the game and code it in manually.
Will having a kernel exploit make finding an IOSU exploit or finding the ancast key any easier?
And will having the ancast key allow for custom IOSUs? And modified firmwares that don't update from Nintendo's servers? Doing such (if possible) would probably rule out online play, I assume.
If the Ancast key is important, do you think team f0f would kindly leak that key in the case of a kernel exploit becoming available and a homebrew / Linux framework being created, like they requested two years ago?
Both vWii and Wii U ancast keys are out. Important keys remaining are the Wii U private key, drive key and boot1 key, I believe.
I know it is possible to "replace" the NUS server within a local network. It's as simple as designating the correct IP address to an alternate device, then disconnecting the local network from the internet.
I would suggest the following procedure to trick the Wii U into updating to an old version:
- Capture the data sent between the Wii U and NUS during a system update.
- Create a website on a local network that responds with the recorded data from NUS.
- Test if a Wii U with a higher firmware can downgrade using this fake update server. (There may be some unforeseen problems here.)
Hopefully the data sent from NUS is statically encrypted. It could be that each time the Wii U connects to NUS the data is encrypted differently.
NUSDownloader is able to do this; with Kelton2 saying all firmwares are still downloadable I should set it up over the weekend. The "problem" is usually that the updater, which runs on the device (Wii U), checks not only whether the update is digitally signed, but it also compares the version number to the version already installed. If the current one is higher it will not work. On the PSP I had to install a newer firmware once, but my CFW faked it as 9.90 to prevent updates; turned out it was as simple as editing the version string in flash0:/vsh/etc/version.txt
So it won't be as easy as that on the Wii U, but maybe you are on to something. Perhaps there is a way if the updater somehow checks with the NUS for the version numbers, and when it requests a certain file we can feed it another one instead which will still have a correct digital signature, only a different version than expected. My Wii U has never been connected to the Internet (and won't be for a while) so I can't test this.
Marcan's Wiimpersonator does stuff like this:
[check] INFO: Wiimpersonator: Check invoked for dev wiiu region USA
[soap] INFO: Checking for updates...
[soap] INFO: Title ID Version FsSize
[soap] INFO: 00050010-10000100 20b9 131072
so the trick for our NUS emulator would be to reply Version 20ba but with the FsSize (Filesystem Size?) of the older version. The Wii U will think it's an update and retrieve it. What happens from there I don't know.
It will probably brick it if you try downgrading from 5.3 to anything below since they implemented amiibos with that update. You'll have all sorts of issues. It would actually be easier to just find a new userland exploit than try what you're suggesting.
I agree that downgrading with this method would be VERY risky. Maybe the right approach is for the NUS emulator to trick the console into "updating" to the same version it already has, but modify one file in the update. If the modified file is the OS boot code, it would have total access to all the hardware and fully elevated privileges! The console shouldn't brick if it just re-installs the same files (except one carefully modified file).
PS How do I use the NUS downloader to download the Wii U updates? (Or is that even the right tool?)
I could find plenty of Wii Us ready to try that on. As long as the process doesn't involve opening up the hardware, I could easily experiment with something like that if I had all the necessary things in place.
I believe there's no way you can do that since the update will definitely be both encrypted by RSA *AND* signed by a hash (probably SHA-X).
However, I think that the just-downgrade approach might work. The problem is that we need to find someone who's willing to risk bricking his Wii U just for a humble "might".
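A small model of the update checks discussed in this thread (digital signature, version comparison against the installed version, per-file hash), added here as example code; it is not the Wii U updater or the NUS protocol, an HMAC stands in for the RSA signature, and the key, version numbers and file contents are constructed samples.

```python
"""Illustrative model of a signed update manifest with hash-verified files
and an anti-rollback version check. Added example code, not the Wii U
updater or the NUS protocol; an HMAC stands in for the RSA signature and
every key, version and file below is a constructed sample value."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-vendor-signing-key"  # assumption, not a real key
INSTALLED_VERSION = 0x20B9  # constructed: version already on the device


def build_update(version: int, files: dict) -> dict:
    """Sign a manifest listing the version and the SHA-256 of each file."""
    manifest = {"version": version,
                "files": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}}
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig, "files": files}


def check_update(update: dict, installed_version: int = INSTALLED_VERSION) -> str:
    """The checks the thread describes: valid signature, version newer than
    installed, and every delivered file matching its signed hash."""
    body = json.dumps(update["manifest"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update["sig"]):
        return "reject: bad signature"
    if update["manifest"]["version"] <= installed_version:
        return "reject: not newer than installed version"
    for name, digest in update["manifest"]["files"].items():
        data = update["files"].get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            return f"reject: {name} does not match signed hash"
    return "accept"


def demo() -> dict:
    """Run the scenarios raised in the thread; returns a verdict per scenario."""
    files = {"boot.bin": b"constructed boot code", "fw.bin": b"constructed fw"}
    newer = build_update(0x20BA, files)
    older = build_update(0x20B8, files)
    # A server that advertises version 20ba but ships the older signed package:
    # the signed version field is what is compared, so relabelling it breaks
    # the signature instead of passing as an update.
    relabelled = dict(older, manifest=dict(older["manifest"], version=0x20BA))
    # Genuine package re-sent with one file swapped: the per-file hash catches it.
    tampered = dict(newer, files={**files, "boot.bin": b"patched"})
    return {"newer": check_update(newer),
            "older": check_update(older),
            "relabelled": check_update(relabelled),
            "tampered": check_update(tampered)}
```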