
Tuesday, 19 January 2016

Kernel Keys for Wii U IOSU 5.5.1 revealed

Developer Hykem has generated some controversy with his upcoming IOSU exploit, but has now published additional proof that the exploit is real: Wii U kernel keys. The release date for Hykem’s IOSU exploit has been delayed a few times. Some people have been doubting that the exploit even exists, but knowing Hykem’s history on pretty much all gaming consoles, it’s safe to say the naysayers couldn’t be more wrong.
Nevertheless, to silence the doubters, Hykem published a screenshot showing the Wii U ancast and vWii common keys, or at least a large part of them. Accompanying the picture was a “happy bruteforcing” message, a way of saying that people with the right tools and knowledge will be able to confirm, with some effort, that his keys are the real deal.
[Screenshot: Wii U 5.5.1 kernel keys, as posted by Hykem]
Developer Crediar has published the full keys on his Twitter account in reply to Hykem, who acknowledged the result with a smiley.
This is also Hykem’s confirmation that his IOSU exploit works on the recently released Wii U firmware 5.5.1.
Hykem has recently followed up on his release on GBATemp. He had recently promised a release by the end of January, but it seems this might get delayed again, as he is looking for ways to obfuscate his code in an attempt to delay Nintendo patching the exploit. Hykem also decided to use Yellows8’s recently released MP4 exploit, which has been confirmed to work up to the latest firmware, 5.5.1. This allows Hykem to keep his own userland exploit for future use.
Hykem advises people not to update their Wii U and to block future updates from Nintendo, as Nintendo will most likely ship patches in their next firmware update. Blocking updates is done by blocking some specific IP addresses at the router level; this is easier than it sounds, and you can google for it.
Hykem’s full statement:
In case you were afraid to deduce it from the screen I posted, yes, the hack works up to 5.5.1. However, I strongly recommend everyone to start blocking updates. That’s why I announced I was working on IOSU in the first place, to raise awareness.
I reached IOSU in 5.5.1 using a different bug (another lame UAF in WebKit) than yellows8’s, but the libstagefright one is much more reliable and it’s already public. Which means that the release for 5.5.1 will be using yellows8’s exploit while I keep the crappy one I used private.
Beware that Nintendo will likely push a big update to the Internet Browser anytime soon (I believe it’s logical to deduce that), which will quite likely patch (properly) both the libstagefright bugs and other previously unpatched WebKit bugs (the one I mentioned included).
Marionumber1 also made a solid point about investigating userland bugs in areas not related to the browser (like Mii data, for example), which is something we will likely investigate soon.
Aside from all that, the exploit just needs obfuscation to be released. Like I stated before, the obfuscation layers will be complex which will take time to implement properly. If any delays follow, they will be strictly related to the obfuscation of the exploit.
Also, I mentioned that my “vacations” are extended to the end of February, but that doesn’t mean the exploit will only be released by then. I’m guessing it will be done quite before that, but right now it’s just a matter of getting it right so Nintendo won’t patch it as soon as it comes out.

Sources: Hykem, GBATemp

Friday, 18 December 2015

Upcoming Wii U hack for firmware 5.5.0 announced for Christmas

And here I was, complaining that this year’s Christmas hacks were not coming. Now we’ve got announcements of a kernel exploit on the PS4, Black-fin on the PS Vita, and today, an IOSU exploit release on the Wii U.
Hykem, known for his hacking work on many consoles, has just confirmed he’ll try to release a Christmas present for Wii U owners. He clarified today on GBATemp that he has an exploit running on IOSU, up to firmware 5.5.0, the latest and greatest Wii U firmware.

Wait, what’s IOSU on the Wii U?

Alright, for those of us not familiar with Wii U hacking, IOSU is basically the operating system of the Wii U when it runs in Wii U mode. It’s comparable to the “native” world on the PS Vita, as opposed to the PSP emulator. In particular, IOSU is responsible for security checks on the Wii U, verifying that you’re not trying to run unsigned code, etc.
So yep, having compromised IOSU is a big deal.

Hykem’s exploit on Wii U 5.5.0

Hykem confirmed he compromised IOSU, and that his exploit works up to firmware 5.5.0. His exploit does not require PPC kernel access, which means kernel exploits won’t need to be revealed for this one to work (in other words, the Wii U scene has several aces up its sleeve and won’t need to reveal all of them at once).
Hykem wants to release the exploit for Christmas, but he points out there is still lots of work to do, specifically:
  • Port the exploit to all firmwares where it makes sense (I’d say that it’s most important to release it for the latest firmware first?)
  • Obfuscate the exploit so that Nintendo have a hard(er) time patching it, giving more time for users to be aware of the exploit release.
  • Add mechanisms to the exploit so that people don’t update by mistake. This probably means an option set by default to block auto updates and block specific Nintendo addresses such as nus.c.shop.nintendowifi.net
So, at this point there’s no guarantee this will be released exactly on December 24, but Hykem’s confirmed the exploit and his intent to meet this deadline. His full statement:

Time to clear the air again. :rolleyes:
The following statements are facts:
– I have successfully compromised the Wii U’s IOSU;
– The exploit being used works from 2.0.0 up to 5.5.0, but it obviously needs to be ported for each firmware;
– The exploit doesn’t need PPC kernel access, so the new kernel exploit won’t have to be released.

I want to do some kind of Christmas surprise yes, but take that with a grain of salt. I can’t promise I will have the time to get everything ready by then and I’m not disclosing what will be released.
Keep in mind that releasing the exploit “as-is” is pointless, so it will have to be ported first and most likely obfuscated so it will take a little longer to patch. It’s also worth noting that I will have to develop an easy way to block updates so no one updates past 5.5.0 by accident.

If you don’t believe in anything stated above, that’s not my problem. The best (and easiest) thing to do is wait and see.