Hacking Wii U Hacking & Homebrew Discussion

FPSRussi4

Well-Known Member
Member
Joined
Dec 1, 2013
Messages
671
Trophies
0
XP
609
Country
Laos
Regarding kernel exploit benefits: would this mean I'm able to use third-party adapters for Wii U games, like the Mayflash 3-in-1 Joybox, to play SSB4 and whatnot?
 

Mr. Mysterio

Super Genius
Member
Joined
Sep 16, 2014
Messages
661
Trophies
0
Age
24
Location
Rosalina's Comet Observatory
XP
1,124
Country
United States
I know it is possible to "replace" the NUS server within a local network. It's as simple as designating the correct IP address to an alternate device, then disconnecting the local network from the internet.

I would suggest the following procedure to trick the Wii U into updating to an old version:
- Capture the data sent between the Wii U and NUS during a system update.
- Create a website on a local network that responds with the recorded data from NUS.
- Test if a Wii U with a higher firmware can downgrade using this fake update server. (There may be some unforeseen problems here.)

Hopefully the data sent from NUS is statically encrypted. It could be that each time the Wii U connects to NUS the data is encrypted differently.
 

leorod199

Active Member
Newcomer
Joined
Jun 8, 2014
Messages
37
Trophies
0
Age
37
XP
427
Country
Brazil
Friends, I use MikroTik in my house; it has a tool that captures all the connections of a specific device. I put in the Wii U's IP and captured all connections to the update and eShop servers.
[Attached image: principal.png]
 

75mak

Well-Known Member
Member
Joined
Nov 10, 2011
Messages
395
Trophies
0
XP
313
Country
Will having a kernel exploit make finding an IOSU exploit or finding the ancast key any easier?

And will having the ancast key allow for custom IOSUs? And modified firmwares that don't update from Nintendo's servers? Doing so (if possible) would probably rule out online play, I assume.

If the ancast key is important, do you think team f0f would kindly leak that key in the case of a kernel exploit becoming available and a homebrew / Linux framework being created, like they requested two years ago?
 

Onion_Knight

Well-Known Member
Member
Joined
Feb 6, 2014
Messages
878
Trophies
0
Age
45
XP
997
Country
Will having a kernel exploit make finding an IOSU exploit or finding the ancast key any easier?

And will having the ancast key allow for custom IOSUs? And modified firmwares that don't update from Nintendo's servers? Doing so (if possible) would probably rule out online play, I assume.

If the ancast key is important, do you think team f0f would kindly leak that key in the case of a kernel exploit becoming available and a homebrew / Linux framework being created, like they requested two years ago?

Both vWii and Wii U ancast keys are out. Important keys remaining are the Wii U private key, drive key and boot1 key, I believe.
 

TehLexinator

Well-Known Member
Member
Joined
Jun 1, 2009
Messages
101
Trophies
0
XP
180
Country
United States
I've been messing around with this. It's quite simple to forward that address to whatever you want with a good router, or even by editing your hosts file. But I haven't been able to get it to even see an update on my machine.

Best I got was the thing saying my system is up to date, even though it's not.

I'm gonna putz around with it some more, but it's not looking promising.
 

SirByte

Well-Known Member
Member
Joined
Dec 30, 2012
Messages
524
Trophies
1
XP
1,059
Country
Canada
I know it is possible to "replace" the NUS server within a local network. It's as simple as designating the correct IP address to an alternate device, then disconnecting the local network from the internet.

I would suggest the following procedure to trick the Wii U into updating to an old version:
- Capture the data sent between the Wii U and NUS during a system update.
- Create a website on a local network that responds with the recorded data from NUS.
- Test if a Wii U with a higher firmware can downgrade using this fake update server. (There may be some unforeseen problems here.)

Hopefully the data sent from NUS is statically encrypted. It could be that each time the Wii U connects to NUS the data is encrypted differently.

NUSDownloader is able to do this; with Kelton2 saying all firmwares are still downloadable, I should set it up over the weekend. The "problem" is usually that the updater, which runs on the device (Wii U), checks not only whether the update is digitally signed, but also compares the version number to the version already installed. If the current one is higher it will not work. On the PSP I had to install a newer firmware once, but my CFW faked it as 9.90 to prevent updates; it turned out to be as simple as editing the version string in flash0:/vsh/etc/version.txt

So it won't be as easy as that on the WiiU, but maybe you are on to something. Perhaps there is a way if the updater somehow checks with the NUS for the version numbers, and when it requests a certain file we can feed it another one instead which will still have a correct digital signature, only a different version than expected. My Wii U has never been connected to the Internet (and won't be for a while) so I can't test this.

Marcan's Wiimpersonator does stuff like this:
[check] INFO: Wiimpersonator: Check invoked for dev wiiu region USA
[soap] INFO: Checking for updates...
[soap] INFO: Title ID Version FsSize
[soap] INFO: 00050010-10000100 20b9 131072

So the trick for our NUS emulator would be to reply Version 20ba but with the FsSize (Filesystem Size?) of the older version. The Wii U will think it's an update and retrieve it. What happens from there I don't know.
 

Onion_Knight

Well-Known Member
Member
Joined
Feb 6, 2014
Messages
878
Trophies
0
Age
45
XP
997
Country
NUSDownloader is able to do this; with Kelton2 saying all firmwares are still downloadable, I should set it up over the weekend. The "problem" is usually that the updater, which runs on the device (Wii U), checks not only whether the update is digitally signed, but also compares the version number to the version already installed. If the current one is higher it will not work. On the PSP I had to install a newer firmware once, but my CFW faked it as 9.90 to prevent updates; it turned out to be as simple as editing the version string in flash0:/vsh/etc/version.txt

So it won't be as easy as that on the WiiU, but maybe you are on to something. Perhaps there is a way if the updater somehow checks with the NUS for the version numbers, and when it requests a certain file we can feed it another one instead which will still have a correct digital signature, only a different version than expected. My Wii U has never been connected to the Internet (and won't be for a while) so I can't test this.

Marcan's Wiimpersonator does stuff like this:
[check] INFO: Wiimpersonator: Check invoked for dev wiiu region USA
[soap] INFO: Checking for updates...
[soap] INFO: Title ID Version FsSize
[soap] INFO: 00050010-10000100 20b9 131072

So the trick for our NUS emulator would be to reply Version 20ba but with the FsSize (Filesystem Size?) of the older version. The Wii U will think it's an update and retrieve it. What happens from there I don't know.


It will probably brick it if you try downgrading from 5.3 to anything below, since they implemented amiibo with that update. You'll have all sorts of issues. It would actually be easier to just find a new userland exploit than try what you're suggesting.
 

TeamScriptKiddies

Licensed Nintendo (indie) Game Developer
Member
Joined
Apr 3, 2014
Messages
1,970
Trophies
0
Age
36
Location
Planet Earth :P
XP
1,703
Country
United States
It will probably brick it if you try downgrading from 5.3 to anything below, since they implemented amiibo with that update. You'll have all sorts of issues. It would actually be easier to just find a new userland exploit than try what you're suggesting.


There's no doubting there's a huge risk of bricking during something like this. Even if you were to use an NUS emulator like this for an actual upgrade, what's to say something isn't missed or your code is buggy/faulty and it leads to a brick anyway? Never mind a downgrade; then things could get even hairier.

As much as I'd love to see something like this work, unless somebody is willing to risk a FULL BRICK it's not going to happen. Anybody who decides to play around with the firmware/NAND/eMMC needs to realize that these are very untreaded waters and we really have no idea exactly what could happen (good or bad). Just keep this in mind...
 

Mr. Mysterio

Super Genius
Member
Joined
Sep 16, 2014
Messages
661
Trophies
0
Age
24
Location
Rosalina's Comet Observatory
XP
1,124
Country
United States
NUSDownloader is able to do this; with Kelton2 saying all firmwares are still downloadable, I should set it up over the weekend. The "problem" is usually that the updater, which runs on the device (Wii U), checks not only whether the update is digitally signed, but also compares the version number to the version already installed. If the current one is higher it will not work. On the PSP I had to install a newer firmware once, but my CFW faked it as 9.90 to prevent updates; it turned out to be as simple as editing the version string in flash0:/vsh/etc/version.txt

So it won't be as easy as that on the WiiU, but maybe you are on to something. Perhaps there is a way if the updater somehow checks with the NUS for the version numbers, and when it requests a certain file we can feed it another one instead which will still have a correct digital signature, only a different version than expected. My Wii U has never been connected to the Internet (and won't be for a while) so I can't test this.

Marcan's Wiimpersonator does stuff like this:
[check] INFO: Wiimpersonator: Check invoked for dev wiiu region USA
[soap] INFO: Checking for updates...
[soap] INFO: Title ID Version FsSize
[soap] INFO: 00050010-10000100 20b9 131072

So the trick for our NUS emulator would be to reply Version 20ba but with the FsSize (Filesystem Size?) of the older version. The Wii U will think it's an update and retrieve it. What happens from there I don't know.

I agree that downgrading with this method would be VERY risky. Maybe the right approach is for the NUS emulator to trick the console into "updating" to the same version it already has, but modify one file in the update. If the modified file is the OS boot code, it would have total access to all the hardware and fully elevated privileges! The console shouldn't brick if it just re-installs the same files (except one carefully modified file).

PS How do I use the NUS downloader to download the Wii U updates? (Or is that even the right tool?)
 

Damieh79

Member
Newcomer
Joined
Jan 29, 2015
Messages
19
Trophies
0
Age
33
Location
Ontario
XP
130
Country
Canada
I agree that downgrading with this method would be VERY risky. Maybe the right approach is for the NUS emulator to trick the console into "updating" to the same version it already has, but modify one file in the update. If the modified file is the OS boot code, it would have total access to all the hardware and fully elevated privileges! The console shouldn't brick if it just re-installs the same files (except one carefully modified file).

PS How do I use the NUS downloader to download the Wii U updates? (Or is that even the right tool?)

I believe there's no way you can do that since the update will definitely be both encrypted by RSA *AND* signed by a hash (probably SHA-X).

However, I think that the just-downgrade approach might work. The problem is that we need to find someone who's willing to risk bricking his WiiU just for a humble "might".
 

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,877
Country
United States
I agree that downgrading with this method would be VERY risky. Maybe the right approach is for the NUS emulator to trick the console into "updating" to the same version it already has, but modify one file in the update. If the modified file is the OS boot code, it would have total access to all the hardware and fully elevated privileges! The console shouldn't brick if it just re-installs the same files (except one carefully modified file).

Totally not possible due to plenty of checks. If it was this easy, literally every system out right now would be hacked to bits.

NUS emulation is going to be impossible due to SSL, probably. Network traffic isn't encrypted with the common key... Even if you could, the updater probably does checks to the version title to make sure it's older than the one specified in the update manifest. Aaaaand actually that being said, you probably can't create your own update manifest, either. There's no reason update manifests wouldn't be RSA secured.
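The three posts above (SirByte's "reply Version 20ba with the old FsSize" idea, Mr. Mysterio's "same version, one modified file" idea, and WulfyStylez's list of checks) all come down to what an updater verifies before it installs anything. The following toy verifier is an added example, not Wii U, NUS or any poster's code: a signed manifest, a strictly-newer version check and per-file hashes. An HMAC-SHA256 tag stands in for the RSA signature a real manifest carries (the point is the same: nobody without the vendor's key can produce a valid tag for a modified manifest). The title ID, versions, file names and payload bytes are constructed to mirror the thread.

```python
"""Toy signed-update verifier showing the checks an updater performs.

Added example, not Wii U / NUS code. An HMAC-SHA256 tag stands in for the
RSA signature a real update manifest carries; title ID, versions, file
names and contents are constructed to mirror the forum thread.
"""
import hashlib
import hmac
import json

# Constructed signing key, held only by the (simulated) vendor.
VENDOR_KEY = b"constructed-vendor-key-not-real"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Tag the canonical JSON encoding of the manifest.
    Stand-in for an RSA signature: any change to version, fs_size or the
    file hashes invalidates it, and only the key holder can re-sign."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_update(installed_version: int, manifest: dict, tag: str,
                  contents: dict, key: bytes = VENDOR_KEY) -> tuple:
    """Run the checks in the order an updater would. `contents` maps file
    name -> bytes the server actually delivered. Returns (accepted, reason)."""
    # 1. Signature: the manifest must be exactly what the vendor signed.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest signature invalid"
    # 2. Anti-rollback: refuse anything not strictly newer than installed.
    if manifest["version"] <= installed_version:
        return False, "version not newer than installed"
    # 3. Content integrity: every delivered file must match its manifest hash.
    for name, digest in manifest["files"].items():
        data = contents.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != digest:
            return False, f"hash mismatch for {name}"
    return True, "update accepted"


def make_manifest(version: int, files: dict) -> dict:
    """Build a manifest like the Wiimpersonator line: title, version, size, hashes."""
    return {
        "title_id": "00050010-10000100",
        "version": version,
        "fs_size": sum(len(b) for b in files.values()),
        "files": {n: hashlib.sha256(b).hexdigest() for n, b in files.items()},
    }


# Constructed payloads for the "old" 0x20b9 and "new" 0x20ba system titles.
OLD_FILES = {"kernel.bin": b"kernel v20b9", "fw.img": b"firmware v20b9"}
NEW_FILES = {"kernel.bin": b"kernel v20ba", "fw.img": b"firmware v20ba"}
OLD_MANIFEST = make_manifest(0x20B9, OLD_FILES)
NEW_MANIFEST = make_manifest(0x20BA, NEW_FILES)
OLD_TAG = sign_manifest(OLD_MANIFEST)
NEW_TAG = sign_manifest(NEW_MANIFEST)


def scenarios() -> dict:
    """Feed the thread's proposals to the verifier with 0x20b9 installed.
    The genuine update passes; each spoof is rejected at a different check."""
    installed = 0x20B9
    results = {}
    # Genuine update as the real server would serve it.
    results["genuine"] = verify_update(installed, NEW_MANIFEST, NEW_TAG, NEW_FILES)
    # Replay the recorded old manifest unchanged: signature fine, rollback check fails.
    results["replay_old"] = verify_update(installed, OLD_MANIFEST, OLD_TAG, OLD_FILES)
    # Bump the version field on the recorded manifest but keep the old files
    # (SirByte's idea): the tag no longer matches, so it fails at check 1.
    bumped = dict(OLD_MANIFEST, version=0x20BA)
    results["bumped_version"] = verify_update(installed, bumped, OLD_TAG, OLD_FILES)
    # Serve the genuine new manifest but swap one file for a modified copy
    # (Mr. Mysterio's idea, moved to a newer version so it reaches check 3).
    swapped = dict(NEW_FILES, **{"kernel.bin": b"kernel v20ba patched"})
    results["one_file_swapped"] = verify_update(installed, NEW_MANIFEST, NEW_TAG, swapped)
    return results


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Each rejected scenario stops at the earliest failing check, which is why capturing traffic (as leorod199 did) is not enough on its own: a replayed manifest is authentic but stale, an edited one is no longer authentic, and a tampered file fails the hash even under a genuine manifest. Whether the real updater's checks are exactly these is not something the thread establishes; the example only shows the structure the posters are reasoning about.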
 

75mak

Well-Known Member
Member
Joined
Nov 10, 2011
Messages
395
Trophies
0
XP
313
Country
I believe there's no way you can do that since the update will definitely be both encrypted by RSA *AND* signed by a hash (probably SHA-X).

However, I think that the just-downgrade approach might work. The problem is that we need to find someone who's willing to risk bricking his WiiU just for a humble "might".
I could find plenty of Wii Us ready to try that on. As long as the process doesn't involve opening up the hardware, I could easily experiment with something like that if I had all the necessary things in place.
 

WulfyStylez

SALT/Bemani Princess
Member
Joined
Nov 3, 2013
Messages
1,149
Trophies
0
XP
2,877
Country
United States
I could find plenty of Wii Us ready to try that on. As long as the process doesn't involve opening up the hardware, I could easily experiment with something like that if I had all the necessary things in place.

Even if it were possible, toying with downgrading is something you'd want dumps of eMMC and system NAND for, both of which would require hardware mods at this point.
 