Wii U hack detailed by Fail0verflow (and lessons learned for Vita hacking)

wololo

We are constantly looking for guest bloggers at wololo.net. If you like to write, and have a strong interest in the console hacking scene, contact me either with a comment here, or in a PM on /talk!

You may also like...

47 Responses

  1. trunk208 says:

    Epic :O

  2. L2SSnake says:

    Dear God, great idea for browser,i like this article, sharp and super smart. I wish this guys go on ps vita next

  3. BakaOsaka says:

    Pretty interesting stuff. Although their stance on the WiiU hasn’t changed, it’s understandable. They’ve given enough information to let any skilled developer find and create an exploit, I’m sure. This, along with Delroth’s development, shows that it’s probably not important to exploit the WiiU now.

  4. mma jedi says:

    If the Vita doesn’t get hacked, it is only bc the right person doesn’t have the interest. What I say next is indesputable..world wide.

    EVERY action has an EQUAL and OPPOSITE reaction.

    In today’s gaming society, there is more interest than ever in system mods, more people actually trying it and more courses available to learn about vital issues related to progamming. Personally, I feel it will happen, but maybe several more years ahead.

    • L2SSnake says:

      I agree, time will tell

    • 110706 says:

      Yea few more years ahead. Tegra K1 already caused a stir with the latest benchmark, showing how it smokes apple a7 and QC snapdraggon latest chips. And it beat even laptop’s integrated gpu’s. With 5 watts.

      A chip that will end up in mobile devices :). And this is only the beggining. The devs will realize there is no point at all developing for Vita anyway when you have chips like Tegra K1 coming out and far more accessible than Sony’s own proprietary pile of mess.

      In a few more years Vita is D.E.A.D. And i wont be surprised to see it go down still “locked”. Mark my post.

  5. Brett says:

    Now, hopefully since the hack of the wii U was explained, maybe other hackers can play around with the 3ds hardware to find a hack ;) they could have similarities that may help

    • nero says:

      there is a hack for the 3ds. its called gateway 3ds, they’re releasing multi rom support for 3ds games soon!

      • Brett says:

        I’m not to sure that gateway 3DS is a hack, it’s a flashcart… Which is not a hack, it’s a cart that plays Roms. Also if it was a hack it would be down immediately seeming that if you charge someone for a hack that is illegal and could get them into a lot of trouble! That’s why our ps vita , psp , wii , ps3 hacks were free. ( shall I say CFW)

        • Quicksilver88 says:

          Actually the Gateway 3DS is both a hack and a Flash cart. The team has actually done quite a bit with the system nand directly including having complete kernel level control.

          Because only 4.5 and below 3DS are exploitable the team has created a way to run a shadow (or they call Emulated Nand_ from the SD card. This is actually quite impressive as it loads a 7.x firmware on top of 4.5 and then implements their patches as well that allow using their cart and backing up/restore their cart’s eeprom save data to the 3DS SD card. They have also already implemented region free and have a mix of online features including MiiVerse and Eshop working as well as local play and spot/street pass but not true network game play. Also you can boot in two mode Gateway/Classic….Classic lets you run retail carts so you can play your newer games in EmuNand. Full Homebrew is possible on 3DS but there are no SDK and little documented information so it is going to take a while to get the tools for anyone to make something worthwhile in homebrew. Honestly Gateway could probably work out running roms from the 3DS’s SD card but why would they do that when that would prevent them from selling their hardware….someday later in the 3DS life I am sure we will get an open source EmuNand with those capabilities….but the question is will anything past 4.5 (just like 3.55 on ps3) ever be exploitable.

  6. Yukon says:

    I qonder how long it would take for them to crack the Vita.

  7. squiggs says:

    I really like the feature and analysis and I think there should be more of them.

  8. LMAO says:

    Now it’s just a matter of days ’til skfu caughts a wind of this… And he’ll be like “AGAIN”;
    I just successfully reversed the Wii U, controls for backwards/reverse makes everything go forward.

  9. Yifan Lu says:

    If you want to know the status of Vita hacking, just watch the 30c3 console hacking presentation and every time they talk about some weakness in the WiiU and the audience applauds, replace “WiiU” with “Vita” and “success” with “we tried and it didn’t work.”

    For example:
    * Vita has KASLR everywhere and ASLR in most places
    * Vita does not have JS JIT compiling or NX disabled in browser
    * Vita does not have RAM lines exposed for sniffing
    * Vita does not have any symbols compiled in retail (AFAIK)
    * Vita has strict virtual memory protection and page level security (and no separate CPU to hijack)
    * Vita has all keys and decryption routines stored in a secure co-processor (above kernel mode)
    and on and on…

    • wololo says:

      Thanks. Could you clarify some of the points above, to the extent that you don’t need to disclose anything critical? For example, I can see how a reasonably quick look at the motherboard lets you see that RAM lines are not exposed, or that previous sony hardware pretty much guarantees that a co-processor is used to store the keys, but how do you know for example that NX is not disabled in the browser?
      In other words, could you source/prove all of the points you mention above?

      • Yifan Lu says:

        Webkit source and playing around with known exploits shows that there’s no JIT in browser.
        I have not seen any symbols in the stuff I dumped.
        ASLR is easy to see in usermode.
        KASLR will require you to jump through a couple of hoops to observe (kernel pointer bouncing around)
        I guess technically there isn’t a co-processor, but it’s easier to think about it that way (unless ARM has really screw up somewhere or sony has sc*** up implementing ARM’s designs).

    • Thrawn says:

      Hmmm, you sure have seen those six piplines going into the left side of the CXD5315GG? They subsurface onto the other side of the Mainboard and go behind the emi shield into the direction of the NAND. They subsurface again and crop up onto the other side with conveniently placed test points, then again vanish behind the edge of the emi shield, I believe they go into the smd parts located right beneath the NAND, and then into the NAND itself.
      A NAND without test points would be major inconvenient for manifacturing, as devices are only tested after being solderd together. After that they are programmed in conjunction with the devices unique cpu key so they would need some open spots for automated software injection.
      Just an observation I stumbled upon.

      • Yifan Lu says:

        http://yifan.lu/2013/12/22/random-observations-on-vita-logic-board/
        “The unfilled pads next to the eMMC has something to do with video. The direction of the trace goes from the SoC to the video connector.”

        If you think about it that way, it makes sense. The angle of the traces with those exposed pads are directed towards the video connector and would make it far too awkward to move into the eMMC. Also, I’ve tested every single exposed pad and connector on the front and back of the board. The only exposed lines for the eMMC are those 150ohm signal integrity resistors found near the SoC.

        • Thrawn says:

          Hmm… looking at those ps vita video out mod which is using those pins I suspected to go into the NAND, that looks so strange, it makes no sense, regardless.

          The mystery chip (SCEI 1148KM458 or 1144KM427) you mention on your blog, it could be related to the ps vita proprietary game cartridge, I have seen no direct lines to the CXD5315GG plus this strange chip sits directly on the opposite side of the slot, this would vouch for some kind of controller or a security chip.
          On techinsights.com they speculate this chip to be an AKM magnetic compass, but this is in my opinion bullsh*t as there is already the gyro (st? 3GA51H) and the 3 axis mems (Kionix KXTC9). Also why would a magnetic compass need to be emi shielded? This limits its capabilities.
          Plus there is another strange chip (st 32P10SoE / GK09093) which could possibly be the magnetic compass.

    • mylvein says:

      i’m both glad and sad.

  10. Reynkz says:

    You can’t compare Nintendo console to Sony(security wise), Nintendo was never big on security in the first place; the NDS, 3DS, and Wii were easily hacked & modded. Whereas PS3 took quite sometime, Sony learned from their mistakes with PS3 ad PSP, PS Vita is going to take sometime for native hack(No security perfect :).

    • wololo says:

      Why can’t we compare them? They are both running the same type of business and both need to protect the same data. The fact that Nintendo is not as good as Sony in terms of security is very relevant, but that doesn’t prevent a comparison… this is exactly the same business to protect, so the things at stake are exactly the same. If anything, this brings even more questions about why Nintendo think they don’t need to invest the same amount of time and energy in protecting their assets that Sony does.

      • CycloneFox says:

        like Reynkz already said, Sony has made experience with the mistakes of the previous generation and altercated alot with hackers like geohot, for example. That’s why they have this heck of protection on their new systems in this generation (I suppose it’s the same for the PS4 as for the Vita already, awaiting confirmation for that guess).
        Plus, the Playstation has another, more mature target group of customers. That also influences the will to hack a device.
        Plus, Playstation hardware tends to be more powerful (or has nicer displays, touchscreens, two native analogsticks, etc.), which is more interesting for potential hackers. Of course, this itme arround, smartphones blur the interest of hackers in a Vita.
        Plus Sony invests more into third-party-support. So they advertise/sell their brand to publishers alot more than Nintendo. Secururity is a good argument for this case, of course.

        • wololo says:

          All your arguments are invalid except maybe the last one about third party developers. For the rest, none of your points apply:
          – Nintendo also experienced hacking with their previous generations, so they should behave the same as sony
          – The “mature” audience point is invalid, both companies get their consoles hacked
          – Again, both companies hardware gets hacked, and arguably the wii was much more interesting than other devices to hack because of the wiimote

          • Reynkz says:

            I was going off of their past security mistake not the company as whole which is why I said security wise, I know they are in the same business which means they are in the same boat and both have had their console hacked. I meant more so their reaction and implementation of security, Sony and Nintendo. It does raise a question or two why Nintendo doesn’t step their game up but then again they sold way more 3DS than Vita’s .

          • sathriel says:

            Wii sold more way more than PS3 and 3DS trumps VITA on the same field. Of course that is no proof that being hackable makes a console more desirable but it is also not very likely that Wii or 3DS would sell any better if they were better protected from hacking.

          • mylvein says:

            It’s simply because Nintendo never sell console at a loss and mainly selling 1st&2nd party games. They don’t care to invest on security because their digital and online infrastructure is suck so bad.

  11. tokia says:

    in 1hr i learning now!.

  12. wiinotvita says:

    wiiu is not hacked yet.. its the wii mode thats hacked. same with vita .. it can play psp iso but not vita roms.

  13. oxMUDxo says:

    So this can be fixed by Nintendo with a software update right?

    Or is this just like the Wii and Nintendo is sc*** again. :/

    Just Hope they don’t end up like Sega.

    • Shinny says:

      Look at Pokemon X&Y sales, and how the new Zelda game is doing… i doubt they will give up at all.. Nintendo has a huge fan base and really decent games on their systems so income is pretty much huge.. While SEGA was destroyed by PS2 and GameCube in some parts, and lacked games (Yes the library was pretty small compared to PS2). But yeah its a pity that SEGA gave up :/

    • Thrawn says:

      Since when was nintendo sc*** with it’s wii?
      Yeah it had extensive piracy, but in the end of the day, it was last gens dominant system with most hardware and software sales, roughly 100 million sold wiis do not lie.

      Even the software did sell out, good wii games sold out immediately, the only thing you’ll still find in stores are those bad shovelware abominations from certain producers which I do not want to name.

      • mylvein says:

        Would you name some ? i couldn’t find any good game for Wii

        • Thrawn says:

          Conduit 1 + 2, house of the dead overkill, Zelda twilight princess, xenoblade chronicles, madworld, the last story, no more heroes 1 + 2, disaster day, rune factory frontier, muramasa, metroid prime 3 or metroid trilogy, smash bros brawl, tales of symphonia dawn of the new world, fire emblem radiant dawn, Mario galaxy (sorry:), Zelda skyward sword, resident evil 4 and dark side chronicles + zero, pandoras tower, okami, project zero 2, geometry wars galaxies, eldar saga, monster hunter tri (you mentioned that), Metroid other M, sakura wars so long, overlord dark legend, dragon quest swords, samurai warriors 3, tomb raider underworld, call of duty black ops, sin and punishment, little kings story, red steel 2, dead space extraction, bully, silent hill shattered, star wars force unleashed 1 + 2, soulcalibur legends, call of duty 3, splinter cell double agent, enclave, ff crystal chronicles bearers and echos of time, onechanbara bikini zombie slayers, ghost squad, rygar battle of argus,… want me to continue?

          Now, not all of those are exclusives but the most of’em, I did not include all those Mario and party game stuff. Only real, enjoyable titles.

      • mylvein says:

        except Monster Hunter Tri

  14. 110706 says:

    When you need PS4 to carry PS Vita from the ditch it fallen into (thanks to SONY), you know the situation is FUBAR for Vita.

  15. John says:

    Yay. No vita hack. There’s still hope for a come back…minor as it may be.
    Although hacked system will most likely be unable to play online. hahaha.

  16. riddle43 says:

    Ok hacking the vita will happen if for one reason Only for the fun and to be the one to do it I mean I had my psp when it first came out and all I wanted was snes and nes this kind of want will definitely smart and clever hackers working towards a goal of running unsigned code on the vita even if it comes after the life of the System. I wouldnt doubt it that someone has already they just dont want to share for fear of it being patched in future updates but only time will tell ive been in the scene for to long to give up now…..k

  17. Paladinrja says:

    And yet nothing noteworthy came outta this hacking of the Wii U, dumping security keys that cycle every update is pointless but I’m fine with this, its just a shame there is no way to get deep into the system on a specific level to see exactly whats in it.

    PS4 was cracked before Christmas fanboys, sorry. Sony’s patented security device designed to prevent unlocking the console is only aimed at its webservices, now that theres a paywall. You can already run ISO’s off of it. Why is no one talking about it? You can already do everything on PS4 for free and do it better on PC. No one wants you to buy a paywall driven box that’ll have unsecured access to its games cast directly to Sony the minute you attempt online. Thus no one wants to promote you buying a Sony platform until you can actually do something with it. I ran Spellforce on the stupid thing and it nearly died, I think. So really you are only going to be getting streamlined FPS style games and pretty much can forget any real game logic. I mean c’mon, did any of you really think that Jaguar (kabini) was gonna amount to anything more than a grouped set of DSP dependant cores 25% better than bobcat thrashing around like a freshly pulled trout on oodles of fast high latency RAM? Use yer heads.

    The Wii U is a different story, Nintendo provide free devkits and webframework to put as many apps as you want on the system. The webservices are free so unless you are looking into piracy theres no point in cracking the system really. The only thing of interest is the MCM and its locked up tighter than roll of dried wet toilet paper. You can only get very superficial knowledge of it.

  18. John says:

    From what I saw PS NOW is for PS 1-3. The Vita is another story. How exactly are you going to use the rear touch on any other system?

  1. June 20, 2014

    […] get your hopes too high: Fail0verflow had explained a while ago that the reason such exploits can run on the Wii U is because the NX bit is not set within the […]

  2. July 18, 2014

    […] Si os interesa y queréis saber más acerca del hacking de consolas, Wololo hizo un artículo en su blog muy interesante sobre ello, espero que os guste: http://wololo.net/2014/01/15/wii-u-hack-detailed-by-fail0verflow-and-lessons-learned-for-vita-hackin… […]

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>