Monday, November 7, 2016

Anatomy of a Wii U: hexFW

As I mentioned in my last post, in parallel to researching the Vita's kernel I decided to research the Wii U and see what I could come up with.

For all this to make any sense, we must go back to the beginning and waste a couple minutes looking into the Wii U hacking scene's history.
It all began back in 2013 when team fail0verflow made a presentation at 30C3 describing their journey in hacking the Wii U.
For quite some time they became the reference in terms of research and documentation for the Wii U's internals and even set up a wiki for this purpose: http://wiiubrew.org/wiki/Main_Page
However, they had no intention to release their exploits or talk about any vulnerabilities. This led to a community-driven effort to recreate their steps and hack this system.

Attempts to exploit the vWii date from late 2013, but it wasn't until mid 2014 that Wii U userspace code execution was achieved. This was done originally by what would become the libwiiu team.
One year later, the same team achieved the first PowerPC kernel exploit (a TOCTOU involving the OSDriver structures) and opened the doors for homebrew (with some restrictions).
The libwiiu project became a very valuable framework to write, compile and execute code from within the Wii U's Web Browser and it kept being used across firmware changes.
Other projects were developed during this time frame and eventually branched away from libwiiu (e.g.: Loadiine, homebrew_launcher).

Later that year, the first reports of someone being able to break into the Wii U's secure processor (IOP, running a custom operating system called IOS and dubbed IOSU by the community) showed up. The hacker and developer hykem claimed that he had defeated IOSU around December of 2015.
This was shortly followed by another team claiming the same feat. This time it came from smealum, plutoo, naehrwert, derrek and yellows8, all very well known video game console hackers from the 3DS (and PS3 in naehrwert's case) scene.
The 3DS group wasn't planning a release while hykem, on the other hand, revealed that he was working on a CFW-like setup for a public release.
During the following weeks, hykem massively documented his findings on the wiiubrew wiki, but ended up disappearing before releasing his announced project.
Then came an awkward period of drama and mystery that marked the Wii U hacking scene for good.
Eventually, smealum announced he had no plans on developing further for the Wii U and released "iosuhax", a collection of patches for the IOSU that would, in theory, create a CFW-like environment (privileged memory access and direct communication with the IOSU in an RPC setup). However, no one released an actual exploit to take over the system and allow for firmware patching.
Earlier this year, someone documented two vulnerabilities found by hykem, naehrwert and plutoo in the wiiubrew wiki and yet again, a community-driven effort began to build an exploit based on these bugs.

This brings us to today. The current state of the Wii U hacking scene is a fragmented playground with two dominant groups using this now public information to build an exploit chain and achieve the goal of building a CFW for the Wii U:
- Team SALT: a collective of hackers/developers mainly active on the 3DS scene that began working on a CFW solution quite early this year. They are developing everything in private and share a few details occasionally on their progress.
- Team wiiubru: formed under the public eye by early contributors and developers of the PowerPC homebrew scene that sparked after libwiiu. They develop everything in public and have achieved popularity among the community.

After learning about all this, I still felt motivated to research and work by myself for quite a few reasons:
- The Wii U's security scheme is nowhere near the Vita's and is much easier to take down;
- Public vulnerabilities already exist and there's plenty of documentation out there as well;
- My vision conflicts with team SALT's and team wiiubru's.

That last point is crucial. Team SALT chose to work privately, which is understandable when dealing with something that can potentially brick your console, but it's not possible to evaluate what they have accomplished thus far. Also, one of their members was allegedly responsible for leaking team libwiiu's OSDriver exploit which doesn't inspire much trust in the group.
On the other hand, team wiiubru is doing everything in public, but using low standards in terms of code quality and organization, which is to be expected when working in large groups.

Not satisfied with either group's approach, I decided to come up with my own: hexFW.
The name may not be very original, but to be honest, I didn't put much effort into making it up.

So, in order to build a CFW of my own, I made two important decisions: use smealum's iosuhax as the base for IOSU patching and implement my own exploit chain.
In my opinion, iosuhax does the job fairly well. It's a set of patches and a script that replaces sections of a firmware image and re-encrypts it back to be run on the Wii U. The idea is to start with smealum's code base and evolve from there.
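To make the "set of patches that replaces sections of a firmware image" idea concrete, here is a small patch applier added to this post. It is illustrative code, not iosuhax's own script (whose patch format and re-encryption step are not described here), and the image bytes, offsets and replacement bytes are constructed for the demo. The one property worth copying is that every patch carries the bytes it expects to find, so a patch set built for one firmware version refuses to apply to a different one instead of silently corrupting the image.

```python
"""Apply byte-level patches to a firmware image, verifying the bytes being
replaced first.  Illustrative code added to this post; not iosuhax's script.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Patch:
    offset: int         # byte offset into the image
    expected: bytes     # bytes that must already be there (wrong-version guard)
    replacement: bytes  # bytes to write; same length, so the layout is unchanged


class PatchError(ValueError):
    """Raised when a patch cannot be applied safely."""


def check_patch_set(image_len: int, patches: List[Patch]) -> None:
    """Reject malformed or overlapping patches before touching any byte."""
    spans = []
    for p in patches:
        if len(p.expected) != len(p.replacement):
            raise PatchError(f"patch at {p.offset:#x}: length mismatch")
        end = p.offset + len(p.expected)
        if p.offset < 0 or end > image_len:
            raise PatchError(f"patch at {p.offset:#x} lies outside the image")
        spans.append((p.offset, end))
    spans.sort()
    for (a_start, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            raise PatchError(f"patches at {a_start:#x} and {b_start:#x} overlap")


def apply_patches(image: bytes, patches: List[Patch]) -> bytes:
    """Return a patched copy of `image`; the input is never modified."""
    check_patch_set(len(image), patches)
    buf = bytearray(image)
    for p in patches:
        end = p.offset + len(p.expected)
        if bytes(buf[p.offset:end]) != p.expected:
            # The image is not the one these patches were built for.
            raise PatchError(f"patch at {p.offset:#x}: original bytes do not match")
        buf[p.offset:end] = p.replacement
    return bytes(buf)


# Constructed sample image (512 bytes of a repeating counter) and patch set.
SAMPLE_IMAGE = bytes(range(256)) * 2
SAMPLE_PATCHES = [
    Patch(0x10, bytes([0x10, 0x11, 0x12, 0x13]), b"\xde\xad\xbe\xef"),
    Patch(0x1F0, bytes([0xF0, 0xF1]), b"\x00\x00"),
]


def wrong_version_rejected(image: bytes, patches: List[Patch]) -> bool:
    """True if the applier refuses an image whose bytes differ from `expected`."""
    try:
        apply_patches(image, patches)
    except PatchError:
        return True
    return False


if __name__ == "__main__":
    patched = apply_patches(SAMPLE_IMAGE, SAMPLE_PATCHES)
    print("patched bytes at 0x10:", patched[0x10:0x14].hex())
    # Flip one byte of the "firmware" to simulate a different version.
    other = bytearray(SAMPLE_IMAGE)
    other[0x11] ^= 0xFF
    print("different image rejected:", wrong_version_rejected(bytes(other), SAMPLE_PATCHES))
```

Keeping patches length-preserving and pre-checked means the applier is safe to run repeatedly: applying an already-patched image fails the `expected` check rather than double-patching it.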

But that only covers the process of creating a CFW image, the hard part is to exploit the system and make it load this image.
I looked into wiiubru's public implementation of the two publicly disclosed bugs, but found many issues with it.
By far, what seemed to make the least sense in their implementation was the fact that the exploit is launched using the "homebrew_launcher" (or HBL). This felt like overkill: why exploit the PPC kernel and run userspace code to exploit the IOSU when the disclosed bugs can be used without kernel privileges?
After playing around with the bugs for a while I finally understood their point: it's really hard to pull this off solely from the browser.

Hacker yellows8 released a stagefright exploit compatible with the Wii U a long time ago which became the standard for userspace code execution under the most recent firmware versions (the bugs libwiiu had used in the past have all been patched). Its code is quite clean and does the job perfectly, so I decided to use it as the main entry point to achieve userspace code execution.
For compiling the code I resorted to libwiiu for its simplicity and began writing the exploit chain from scratch. Soon enough I came across an issue that might have been why wiiubru decided to ditch direct code execution and resort to HBL and ELF loading: the userspace payload's size is limited due to the nature of the stagefright exploit.

Nonetheless, I came up with some creative ways of squeezing all the necessary steps into a single payload and managed to get it working.
This means hexFW is launched solely from the browser without the need for installing or using HBL!
Of course, this came with a small cost: it's very likely that running the exploit will crash once. This is due to how I'm locating a target thread inside the IOSU to modify its stack pointer. However, if you reset the console it is guaranteed to launch the second time. After the launcher runs, the actual CFW will be booted into the system from the SD card.

I have released a preview version of hexFW on Github: https://github.com/hexkyz/hexFW
It contains my own exploit chain ("fwboot") and a copy of smealum's original iosuhax minus the filesystem patches (IOS-FS). This is merely to demonstrate its usage, but the overall structure is very likely to stay the same. The following commits will consist of the actual firmware patches that make hexFW a CFW (SLC/MLC/OTP/SEEPROM dumping with/without compression, redNAND, USB read/write/install, coldboot, etc.).
If you're familiar with iosuhax, you can set up hexFW and it will generate a patched firmware image that contains smealum's wupserver. You can then communicate with it using the wupclient.py script and play around with it.

In the next days I'll be pushing several components of hexFW I've been working on. My next post will be a detailed write-up on the two vulnerabilities exploited and how I constructed the exploit chain from scratch.

Stay tuned!

29 comments:

  1. Truly amazing! Have you heard about coldboothax? Smea released a "tech demo" using this. You may want to look at this for your future works:
    https://github.com/smealum/haxchi

  2. Good stuff. Really excited, and it is good to have more devs onboard. Promising stuff and indeed, one main problem in Wii U scene is fragmentation and in future, the very different employments of many different things. Much like with 3DS until there was quite a few unifying things and mostly differences now are the CFW's themselves and what they are for, where there is quite a few options depending what you want to do.

    For Wii U something so superior that it'd become standard would be amazing, no matter who does it or how. I tested currently available stuff and I am left wanting, the CFW really does not do much currently, and team salt being silent and in secret does not reassure people much on anything.

    All I hope doing it alone does not strain you too much. Good luck and stuff.

  3. Thank you! We need more devs supporting Wiiu Scene!

  4. This comment has been removed by the author.

  5. There are two kernel exploits for the Wii U, the OSDriver one (patched in 5.4) and the GX2 one (still unpatched). Are you using the second one to trigger the IOSU? Or is it from userland?

  6. well done, this is great :D
    good luck :)

  7. Hope you keep working on this. Looks pretty awesome.

  8. This comment has been removed by the author.

  9. Hi, just wanted to say, I loved this post. It was practical. Keep on posting!
    It's awesome designed for me to have a web site, which is helpful designed for my knowledge. thanks admin
    일본야동

  10. Awesome write-up. I am a regular visitor of your site and appreciate you taking the time to maintain the excellent site. I will be a frequent visitor for a really long time.

    바카라사이트
    카지노
    카지노사이트


  11. 토토사이트
    토토
    토토게임

    Wow, that's what I was seeking for, what information! Present here at
    this weblog, thanks admin of this site.

  12. 토토사이트
    스포츠토토
    해외스포츠중계

    I know this is off topic but I'm looking into starting my own weblog and was curious what all is needed to get set up?

    I’m assuming having a blog like yours would cost a pretty penny?
    I’m not very internet smart so I’m not 100% certain.
    Any suggestions or advice would be greatly appreciated.
    Appreciate it

  13. 스포츠토토
    사설토토
    프로토


    Your style is so unique compared to other folks I have read stuff from.
    Many thanks for posting when you’ve got the opportunity, Guess I’ll just bookmark this page.

  14. Play with the big website new wave web slots Get service that is more satisfying than anyone. Because we have developed the web to understand the players as much as possible. สล็อต

  15. Hope I'll get such posts in future too.

  16. I am happy to find this post very useful for me, as it contains a lot of information.

  17. hexFW is an in-depth examination of the internal firmware and software structure of Nintendo's Wii U gaming console. It delves into the hexFW firmware, dissecting its components and functionality, providing insights into the inner workings of this unique gaming platform. appealing a protective order in virginia

  18. Thanks a lot my dear. I think this is an informative post and it is very beneficial and knowledgeable.

  19. It's an amazing website, I really enjoy reading your articles.

  20. I’d like to thank you for the efforts you have put in penning this website.

  21. Aw, this was an extremely nice post. Taking a few minutes and actual effort to generate a top-notch article.

  22. Such an amazing and helpful post. I really really love it.

  23. Many thanks for posting when you’ve got the opportunity, Guess I’ll just bookmark this page

  24. Interesting post to read. It was an interesting read until the finish. prince william county criminal attorney
