Wii U SDK leaked

Thread starter: zecoxao. Views: 77,383. Replies: 190. Likes: 4.
The APIs provided by Cafe OS are exposed to games as the SDK. The SDK literally is just a set of libraries that makes calls to Cafe OS to manage the hardware. You have the Cafe OS kernel running in privileged mode on the PowerPC, the SDK to communicate with the Cafe OS kernel, and games running in user mode on the PowerPC that talk to Cafe OS through the SDK. Cafe OS itself delegates some hardware access to IOS. If you wanted direct access to the hardware, you'd need a way to run code on the PowerPC in privileged mode and a way to disable AHBPROT, as you said.

Ah, okay. The SDK is just the library for communication between Cafe OS and the game, if I understand correctly.
 
It would probably be more accurate to call the stuff installed on the Wii U itself system libraries rather than an SDK. A full SDK still has a lot of other tools for creating programs, debugging, asset packaging, etc. Not just program libraries.
 
Mario, thanks for your clarifications! You seem to really know what you're talking about. So, if I understand this correctly, we need to first run code in userspace, then compromise the security further from userspace to rewrite the Cafe OS portion with a replacement SDK. From there we would have limited access to some of the hardware; to gain full access, we would also need to compromise the IOS kernel(s). If we can manage to figure out how to just get an SDK on a retail Wii U by gaining access to the Cafe OS section via userspace, this would be a good start.... Hmmmmm...... From that point on, we could theoretically create an exploit to gain access to the IOS kernel to unlock its full potential....

Does the Wii U have a dedicated hypervisor like the 360/One and PS3/PS4? If not, we might be able to simply gain access to (at least some portions) using a "large enough" buffer overflow. The only question is how we would create one without being able to run custom code in the first place.... Perhaps through a modified game save? This would be super easy for Nintendo to stamp out, but it might be a good place to start... Sorry, just thinking out loud :P
 
Yes, that's all correct. Rewriting Cafe OS with a replacement SDK is similar to what fail0verflow wanted us to do with porting Linux. However, doing that isn't actually needed, since we can use the SDK in userspace and get access to all the hardware. It won't be direct access, but it will be sufficient for homebrew, and actually better than direct access since the SDK abstracts it all away into a clean interface.

The Wii U does not have a hypervisor in the strictest sense, but one could argue that IOS is somewhat similar to a hypervisor. For your next point, a userspace exploit can only be done through the web browser, not save files. This is because there's no way to modify save files on an external drive and copy them back to your Wii U.
 
So we would need to achieve a buffer overflow from within the web browser then and hope the IOS doesn't pick up on it? lol

I said IOS is somewhat similar to a hypervisor, not the same thing. It does not prevent unsigned code from running on the PowerPC through an exploit. What it does prevent is unsigned code from being installed on the console.

Sounds very promising, anyone working on this?

Me.
 
Hmmmmm very interesting. This reminds me of the days when the only way to run homebrew on the original Wii was by running the "Twilight Hack" every single time you wanted to run a homebrew app. Hahahaha, those good ol' days XD
 
But if we have a custom firmware then there wouldn't be any need for a homebrew channel (or as much, after time) :)

A custom firmware has almost no chance of happening without somehow obtaining Nintendo's private keys for signing boot1, IOS, or the kernel. Unlike on the Wii, the entire boot process has a real chain of trust, making it impossible to change. All titles (games and applications) are also signed with a hash tree so that you can't modify any part of one or install your own. That would make a homebrew channel impossible too.
 
The Wii and PS3 were supposed to have this too, but the Wii had a strncmp bug, and the PS3 was hacked with an interesting USB driver bug.
The PSP and 3DS also have virtual CFW.
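Worked illustration of the hash-tree point from the custom-firmware post above, and of why the Wii/PS3 replies matter (the tree is only as strong as the code that checks it). This is an added example, not Nintendo's title format and not Cafe OS or IOS code: it assumes SHA-256, 16-byte content blocks, a tree that ships alongside the data, and a pinned "trusted root" standing in for the signature over that root. The sample title bytes are constructed for the demo.

```python
"""Hash-tree (Merkle) integrity check over a title's content blocks.

Added illustration only. Assumptions: SHA-256, fixed 16-byte blocks,
the hash tree ships with the title, and only the root is covered by a
signature (modelled here as a pinned TRUSTED_ROOT).
"""
import hashlib

BLOCK_SIZE = 16  # assumption: tiny blocks so the constructed sample stays readable


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(content: bytes, block_size: int = BLOCK_SIZE) -> list:
    return [content[i:i + block_size] for i in range(0, len(content), block_size)]


def build_tree(content: bytes) -> list:
    """Return the tree as a list of levels, leaves first, root last.
    Leaves and inner nodes get distinct prefixes (0x00 / 0x01) so a leaf
    can never be passed off as an inner node. A lone node on an
    odd-length level is carried up unchanged."""
    if not content:
        raise ValueError("empty content")
    level = [sha256(b"\x00" + blk) for blk in split_blocks(content)]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(sha256(b"\x01" + level[i] + level[i + 1]))
            else:
                nxt.append(level[i])
        level = nxt
        levels.append(level)
    return levels


def root_hash(content: bytes) -> bytes:
    return build_tree(content)[-1][0]


def verify_title(content: bytes, trusted_root: bytes) -> bool:
    """Whole-title check: rebuild the tree and compare the root."""
    return root_hash(content) == trusted_root


def auth_path(levels: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to the root, tagged with which
    side the sibling sits on; None marks a lone node carried up unchanged."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index) if sibling < len(level) else None)
        index //= 2
    return path


def verify_block(block: bytes, index: int, path: list, trusted_root: bytes) -> bool:
    """Check one block against the signed root using its sibling path."""
    h = sha256(b"\x00" + block)
    for entry in path:
        if entry is None:
            continue
        sib, sib_is_left = entry
        h = sha256(b"\x01" + sib + h) if sib_is_left else sha256(b"\x01" + h + sib)
    return h == trusted_root


def check_each_block(content: bytes, shipped_levels: list, trusted_root: bytes) -> list:
    """Per-block check the way a loader would do it: the tree ships with
    the title, only its root is signed. Returns one bool per leaf."""
    if shipped_levels[-1][0] != trusted_root:
        # whole tree regenerated by an attacker: root no longer matches the signature
        return [False] * len(shipped_levels[0])
    blocks = split_blocks(content)
    results = []
    for i in range(len(shipped_levels[0])):
        blk = blocks[i] if i < len(blocks) else b""
        results.append(verify_block(blk, i, auth_path(shipped_levels, i), trusted_root))
    return results


def tamper(content: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` (a one-byte patch to the title)."""
    buf = bytearray(content)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample: five 16-byte blocks (odd count exercises the lone-node rule).
SAMPLE_TITLE = b"".join(f"block{i:02d}:payload!".encode() for i in range(5))
TRUSTED_ROOT = root_hash(SAMPLE_TITLE)  # stands in for the signed root

if __name__ == "__main__":
    shipped = build_tree(SAMPLE_TITLE)
    patched = tamper(SAMPLE_TITLE, 70)  # hits block 4
    print("clean title:", verify_title(SAMPLE_TITLE, TRUSTED_ROOT))
    print("patched block, original tree:", check_each_block(patched, shipped, TRUSTED_ROOT))
    print("patched block, regenerated tree:", check_each_block(patched, build_tree(patched), TRUSTED_ROOT))
```

The two failure modes map onto the post: patch a block and leave the shipped tree alone, and that one block fails its path; regenerate the tree to match the patch, and the root no longer matches what was signed. Either way nothing installs, which is exactly why the replies about the Wii and PS3 point at bugs in the verifier rather than at the tree itself.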
 
We need to intercept the firmware when the Wii U downloads it.
 
So then, what good would this exploit do? If homebrew is impossible, why are people bothering at all to help use this exploit? Seems pretty trivial IMHO.


He didn't say homebrew was impossible, just that there's virtually no chance of a permanently installed homebrew channel. It's still possible an exploit could be made easy enough to load a homebrew loader.

Ah, okay, that makes more sense. Thanks for the clarification.
 