Hacking - Wii U Hacking & Homebrew Discussion

Thread starter: filfat
I looked around, and I can't seem to find any options for blocking specific IPs with your router. Since you have the router itself, your best bet is to explore on your own, but if you can't find anything, you'll have to get a new one to gain access to that kind of feature. In the meantime, when your console starts an update, just power off your device.


Only shut it off if it says "Preparing to update"; once the actual update process has begun, if you shut it off (or cut off the power source) you risk bricking your Wii U entirely. Just want to make that clear.
 
(Sorry if this is a dumb question)
Upon closer examination of stack410.txt I can't seem to understand
0x0C 0x0E0D6D8C
What the first address is for.
By my understanding it's the "real" address and the longer one is the one that changes upon recompiling etc.
And the long one is the one that gets called when we actually run the ROP chain,
Or am I totally out of my mind now? (Again, sorry if this is a dumb question, I'm still in the low-level learning curves XD)
 


The ROP chain is based on a heap buffer, which we control from the Javascript code. Our WebKit bug allows us to take control of some memory that belonged to an object and was then freed for use by other code, but ends up being used again by WebKit. At the beginning of our Javascript code, we trigger this bug and then start allocating tons of Javascript heap buffers with a certain value in them (this is what dsm() does). Since we're allocating so much data, it's almost guaranteed to end up taking up the memory that previously belonged to the object. The special thing about the value that we sprayed is that it points to the heap buffer I mentioned earlier. Later on, the WebKit code will attempt to make a virtual method call to what it thinks is the object, but is actually the address of our buffer repeated over and over. The WebKit code will look up an address inside our buffer and jump to it, giving us control of the browser's execution. :)

stack.txt is simply a human-readable way to describe the layout of our buffer. The build system transforms it into a Javascript array. This buffer is interesting, because it serves as our fake vtable (vtable is a table containing addresses of virtual methods) for WebKit, a stack, and the buffer containing our shellcode. The way stack.txt is organized is that there's an offset in the buffer (like 0x0C) followed by the data (like 0x0E0D6D8C). When WebKit calls the virtual function controlled by our buffer, control is passed to the address at 0x54C. This is our first gadget, which serves to point the stack at our buffer. Once it returns, the address at 0x50C is jumped to, which returns into the stack (actually our buffer) and starts executing ROP gadgets #1-14. These gadgets copy our shellcode from the buffer into the special JIT area and then run it. Our shellcode is a simple code loader that searches for a second Javascript buffer and reruns the ROP chain to copy code from there.
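An added example, not code from the thread or from the exploit's build system, of the build step described above: it parses stack.txt-style "offset data" lines into a big-endian buffer and emits the JavaScript array, rejecting unaligned, out-of-range or duplicate offsets. The sample file contents, the 0x10-byte buffer size and the function names are constructed assumptions; only the 0x0C entry is quoted from the thread.

```python
import re

# Constructed sample in the stack.txt style described above (offset, then data).
# Only the 0x0C entry is quoted in the thread; the other values are made up here.
SAMPLE_STACK_TXT = """\
# offset  data (32-bit words, big-endian on the Wii U's PowerPC CPU)
0x00 0x41414141
0x04 0x42424242
0x0C 0x0E0D6D8C
"""

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$")

def parse_stack_txt(text):
    """Return (offset, value) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected '<offset> <data>', got {line!r}")
        entries.append((int(m.group(1), 16), int(m.group(2), 16)))
    return entries

def build_buffer(entries, size, fill=0x00):
    """Lay the entries out in a `size`-byte buffer as big-endian 32-bit words.

    Unaligned offsets (accesses are 4-byte aligned, as noted later in the thread),
    out-of-range offsets and double writes are rejected: they are usually typos.
    """
    buf = bytearray([fill] * size)
    written = set()
    for off, val in entries:
        if off % 4:
            raise ValueError(f"offset {off:#x} is not 4-byte aligned")
        if off + 4 > size:
            raise ValueError(f"offset {off:#x} is past the end of the buffer")
        if off in written:
            raise ValueError(f"offset {off:#x} is written twice")
        written.add(off)
        buf[off:off + 4] = val.to_bytes(4, "big")
    return bytes(buf)

def to_js_array(buf):
    """Emit the buffer as a JavaScript array literal of 32-bit words."""
    words = [int.from_bytes(buf[i:i + 4], "big") for i in range(0, len(buf), 4)]
    return "[" + ", ".join(f"0x{w:08X}" for w in words) + "]"
```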
 
How do I write more lines in OSFatal? Is it possible? I want to make a funny ASCII pic with REGGIE... just for fun.
And where is the command documentation? Who can post that doc?
 


You can use the '\n' character to add more lines. For example, OSFatal("Hello\nWorld") will print "Hello" on one line and "World" on the next line.
 
I looked around, and I can't seem to find any options for blocking specific IPs with your router. Since you have the router itself, your best bet is to explore on your own, but if you can't find anything, you'll have to get a new one to gain access to that kind of feature. In the meantime, when your console starts an update, just power off your device.


Yeah. Unless one can extract the NAND, decrypt it, and get the addresses it accesses for updates, I'm screwed. I've disabled the downloads and whatnot on the console side of things so far, but I might simply remove my internet settings for now until a workaround is made.
 
So, let's say that we got 0x6f, so that's the "function", the 0x0E67DF67 would be the data we pass to that "function"? :)


No, 0x6F is the offset in the buffer and 0x0E67DF67 is the data at offset 0x6F. Not that you'd normally store something at an unaligned offset, as most memory accesses are aligned to 4 bytes.

One other question too, what value does r30 hold in 410's chain?
EDIT: correction, I meant values as it changes upon runtime ;)


r30 isn't used at all in the ROP chain for 4.1.0; I noted that the value there goes into r30 in case I ever needed to use it.
 
You can use the '\n' character to add more lines. For example, OSFatal("Hello\nWorld") will print "Hello" on one line and "World" on the next line.

Thank you very much Marionumber1. What kind of commands can I write? Only OSFatal, or can I use other kinds of commands?
 
Hey Marionumber1 and friends, congratulations! I purchased a Wii U last month and have been following you and Max for the past week. I have experience in PowerPC ASM from my DEX PS3 and C/C++ and would love to get a development environment set up, so I'm hoping that the offsets are found for 5.0 soon. :)

You seem a lot more mature than some of the other scene devs I've followed and are very good at explaining the process. :) Never change man.
 
Well, I think I'm gonna duck out of the scene for a while. There's not a lot I can help with at the moment. Good luck everyone! Hopefully I'll be back sooner rather than later.
 
