Showing posts with label Plutoo. Show all posts

Wednesday, 10 February 2016

Wii U: Smealum showcases unsigned code execution (Coldboothax, redNAND, homebrew)

Yesterday, popular 3DS hacker Smealum shared some work-in-progress hacks for the Wii U in a video.
In the video, Smealum shows that he is able to hack the console at boot, then install and run homebrew. Specifically, the video shows a homebrew application running on the console's second screen.
As others have mentioned in the comments, the video shows a hardware mod attached to the Wii U. Smealum gave details earlier this week that this hardware mod was required to unbrick his console, and it is not related to the Wii U hack showcased here.
The hack, named coldboothax, lets Smealum run a custom firmware on the console, named redNAND. From there he is able to run homebrew.
Smealum mentions that there is no plan to release this for the time being; this is just work in progress that he is sharing. He credits plutoo, naehrwert, yellows8 and derrek for their work on this ongoing project. Most of them were involved in hacks that broke the security of the 3DS, and contributed to revealing some of the Wii U's encryption keys a few weeks ago.
Hykem has confirmed that this is not related to his own ongoing effort to hack IOSU.

Wednesday, 13 January 2016

Wii U: Browserhax released for 5.5.0

The Wii U 5.5.1 update patched some critical vulnerabilities in libstagefright, the media parsing library used by the console's browser. This triggered two hack releases that rely on similar (if not the same) exploits in that library. Earlier today, Mathew_Wi released an exploit for 5.4.0/5.5.0 that he described as "lazy" and that is not directly usable by end users. Yellows8 then came to the rescue with a Browserhax that is also based on a libstagefright exploit, and it also supports 5.4.0 and 5.5.0.
To be clear, both exploits are patched in the new 5.5.1 firmware, which is why both developers decided to release their work on libstagefright now.
Smealum described Yellows8's hack as "super stable". Incidentally, you may already know Yellows8 for his work on 3DS hacks. It is great to see hackers work on several consoles, as it has been proven countless times now that these devices rely on similar security concepts, in particular when they come from the same manufacturer.


You'll need your own server to host the files, although this should work with a basic Apache server running on your local network (for those asking, you can set that up for free on your own computer, yes, even on Windows).
From the Readme:

To use this you must host the exploit script on a server, then you must set up wiiuhaxx_common as documented in that repo. If you're going to use libwiiu with your payload binary, then you must use a coreinit.h which actually supports your system-version. The max size of the final payload (loader included) is 0x4000-bytes, so your input payload max size is a bit less than 0x4000-bytes (the script will throw an error if the size is too large). Once everything is set up, just access a URL like the one below where "browserhax_fright_tx3g_wiiu.php" is hosted, with the browser. Note that issues occur when the final URL you use is too long, so you should keep it short like with the following: "http(s)://{server}/wiiuhaxx.php?sysver={version listed in wiiuhaxx_common}". This hasn't been debugged yet.
The only known time this exploit has ever failed pre-native-code-exec(on a supported system-version), was when the URL was too long as described above. However, this is mostly with testing with just one open tab(in particular with automatically loading the page).
Yellows8 credits plutoo for getting exception-dumps / memdumps, etc, on 5.3.2.

Download Yellows8’s Browserhax for Wii U 5.5.0

Download BrowserHax for Wii U 5.5.0 (a.k.a. WiiU_Browserhax_Fright) on the project’s github here
Via @Smealum

Tuesday, 29 December 2015

Breaking the 3DS: how the 3DS was hacked – Presentation by Smealum, Derrek, and Plutoo

Smealum, Derrek, and Plutoo had a Keynote at the Chaos Communication Congress (32C3), and the recording of the video is now online (embedded below)
In the talk, the three hackers explain how they broke the security of the Nintendo 3DS, which led to a lively 3DS homebrew scene. They first give an overview of the system (specifically details on the ARM11, the application CPU, and the ARM9, the security CPU).
They then explain how they breached each of the four security layers (ARM11 userland, ARM11 kernel, ARM9 userland, ARM9 kernel), and how they used the GPU to get access to RAM. An interesting anecdote from Smealum is that, in practice, the ARM9 kernel has an unintentional syscall backdoor: one can feed it any code pointer and the kernel will execute that code in kernel mode. The ARM11 doesn't have direct access to this syscall, but anything running on the ARM9 does, meaning that once a hacker gets ARM9 userland access it is equivalent to kernel access on that CPU. This makes the last layer of security pretty much moot.
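To make the point concrete, here is an added example (not code from the talk, from the 3DS kernel, or from any of the hackers' tools) that models such a backdoor in C. The privilege level is modelled as a global flag rather than a real CPU mode, the names (svc_backdoor_unchecked, svc_backdoor_allowlisted, evil_payload) are hypothetical, and the "kernel secret" is a constructed value. Beside the backdoor it shows the obvious hardening, an allowlist of kernel-registered callbacks:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical privilege model: real hardware tracks this in the CPSR,
 * here it is a global so the effect of the backdoor is observable. */
enum cpu_mode { MODE_USER = 0, MODE_KERNEL = 1 };
static enum cpu_mode current_mode = MODE_USER;

/* Stand-in for kernel-only data such as key material (constructed value). */
static const uint8_t kernel_secret[4] = {0xDE, 0xAD, 0xBE, 0xEF};

/* Kernel-internal helper: only works while the CPU is in kernel mode. */
static bool read_kernel_secret(uint8_t out[4]) {
    if (current_mode != MODE_KERNEL) return false;
    memcpy(out, kernel_secret, 4);
    return true;
}

/* Attacker-controlled payload sitting in ARM9 userland (hypothetical). */
static int leaked_bytes = 0;
static void evil_payload(void) {
    uint8_t buf[4];
    if (read_kernel_secret(buf)) leaked_bytes = 4;
}

/* A legitimate kernel helper such a syscall was presumably meant to run. */
static void kernel_flush_caches(void) { }

/* (1) The unintended backdoor: any code pointer is run in kernel mode. */
void svc_backdoor_unchecked(void (*fn)(void)) {
    enum cpu_mode saved = current_mode;
    current_mode = MODE_KERNEL;   /* svc entry raises privilege */
    fn();                         /* the caller's code now runs as kernel */
    current_mode = saved;         /* svc return drops back to user */
}

/* (2) Hardened variant: only callbacks the kernel registered may be run. */
static void (*const allowed_callbacks[])(void) = { kernel_flush_caches };

int svc_backdoor_allowlisted(void (*fn)(void)) {
    size_t n = sizeof allowed_callbacks / sizeof allowed_callbacks[0];
    for (size_t i = 0; i < n; i++) {
        if (allowed_callbacks[i] == fn) {
            enum cpu_mode saved = current_mode;
            current_mode = MODE_KERNEL;
            fn();
            current_mode = saved;
            return 0;
        }
    }
    return -1;  /* not a registered kernel callback: refused */
}

/* Each demo starts from ARM9 userland and reports how many secret bytes
 * the payload obtained (4 = full kernel compromise, 0 = contained). */
int demo_unchecked(void) {
    leaked_bytes = 0;
    current_mode = MODE_USER;
    svc_backdoor_unchecked(evil_payload);
    return leaked_bytes;
}

int demo_allowlisted(void) {
    leaked_bytes = 0;
    current_mode = MODE_USER;
    (void)svc_backdoor_allowlisted(evil_payload);
    return leaked_bytes;
}

int main(void) {
    printf("unchecked backdoor: payload read %d secret bytes\n", demo_unchecked());
    printf("allowlisted svc:    payload read %d secret bytes\n", demo_allowlisted());
    return 0;
}
```

The allowlist is the conservative fix: a weaker check such as "the pointer must lie inside kernel text" still lets an attacker chain existing kernel code, which is exactly the ROP-style reuse the talk discusses for the other layers. Nothing here models the real 3DS kernel's syscall table; it only shows why a syscall that takes a code pointer from a lower privilege level erases the privilege boundary.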
The hackers added a few tongue-in-cheek pieces of advice for Nintendo and other console manufacturers, in particular “Secrets hidden in hardware are great, unless you leak them”, in reference to how they managed to extract encryption keys shared by the Wii U and the 3DS.
There's a lot being explained and I won't summarize it all here. You can watch the full presentation below. If you are interested in console security and hacking (and if the words ROP, WebKit and NX don't scare you), it's a must see!
Note: the presentation actually starts 15 minutes into the video.
One important point from Smealum is that he believes the 3DS homebrew scene is lively and growing. He emphasized his disagreement with Fail0verflow's statement a few years ago that console homebrew is dead. He showcased a cool screenshot of existing 3DS homebrew.
Last but not least, at the end of the presentation, Smealum announced the release of Browserhax, Ironhax, and Menuhax for the latest 3DS firmware 10.3. The release of at least Browserhax was made simultaneously with the Keynote. Details here.