Wii U hack detailed by Fail0verflow (and lessons learned for Vita hacking)

Over the Christmas holiday I had the opportunity to watch fail0verflow’s presentation on how they hacked the Wii U in 30 days (I didn’t have a working internet connection while I was away, but had managed to download a copy of their video before leaving). The video of their presentation (below) is interesting in itself, and I strongly recommend you watch it (and the accompanying blog post) if you have an interest in hacking in general, and console hacking in particular.

But you’ve probably read everything there is to know about Fail0verflow’s presentation by now, especially if you’re in the Wii U scene. After all, their presentation was 2 weeks ago, which is aeons ago in the hacking community. But I’d like to discuss some of the points they made that I think relate directly to Vita hacking.

0. That was fast!

It is of course impressive that a “next gen” console was hacked so fast: the Vita has been out for more than 2 years and is still largely undefeated, the PS3 was out for more than 4 years before it got seriously hacked, and more recently both the PS4 and the Xbox One have been out for several months with no sign of being even scratched (ok, there was a NAND dump of the PS4, and we have a few instructions on how to play with a proxy on the PS4 to tinker with the PSN, but that’s basically it).

A fairly old but detailed timeline of console hacking can be found below, extracted from this 2010 blog post. As you can see, a hack within a month is on the “fast end” of the spectrum.

[Image: console hacking history timeline]

1. Knowledge of the previous consoles was critical for the Wii U hack.

The fail0verflow team emphasizes how the Wii U is nothing more than a hardware upgrade of the Wii, itself an upgrade of the GameCube. Their knowledge of the Wii, and the undisclosed Wii exploits they already had, were extremely valuable entry points into hacking the Wii U. They were even able to reuse some of their Wii hardware toolkits on the Wii U eventually.

The PS Vita is *not* an upgrade of the PSP, it is a totally new device. And even though our knowledge of the PSP has let us control essentially everything inside the PSP emulator on the Vita, that doesn’t give us much leverage to go any further into the Vita itself. Kermit seems to be the only communication bridge between the PSP emulator and the Vita, while the Wii mode on the Wii U seemed to be more tightly connected to the Wii U itself.

2. Hardware knowledge was useful to hack/dump/observe the Wii U behavior

I’ve stated it countless times, but treating the Vita as a black box from only a software point of view is extremely difficult, given that we have close to no entry point: we can’t analyze a crash easily, etc. Fail0verflow explain how some of their first steps involved coming up with a system that could read from and write to the Wii U. It is interesting (and sad) that the Vita doesn’t get that much attention from hardware hackers (besides Yifan Lu’s recent work), but the fail0verflow presentation confirms that a good console hack involves both hardware and software work.

3. NX and ASLR

Modern operating systems and CPUs ship with good exploit mitigation techniques. For those of you familiar with PSP hacking, implementing a PSP usermode exploit is usually 3 “simple” steps: find a bug, find a position to write our code, and jump to it. Typically, with our buffer overflow exploits, we’d write our code in a game’s savedata, find where it gets loaded in RAM (on the PSP, that position is always the same on all devices and only depends on the game), and jump there. NX (No eXecute) prevents the CPU from executing code that sits in the “data” part of memory, while ASLR (Address Space Layout Randomization) makes the position of our payload (and of the libraries it might want to call) impossible to predict.

These two mitigation techniques are implemented on the Vita (they did not exist on the PSP). There exist methods to bypass them, but those would require exploits as well. In other words, a single working exploit on the Vita would require not only the initial bug (our typical “buffer overflow” on the PSP), but also 2 additional exploits/bugs to bypass NX and ASLR.

What was different on the Wii U? First, it doesn’t seem to implement ASLR at all (a big mistake on any modern computer system), and the Fail0verflow team found a limitation in the NX implementation, which I describe below.
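The two mitigations just described are things a defender can verify rather than guess at, at least on ordinary ELF binaries (Linux tools, emulator builds, and so on): the ELF type tells you whether the main image is position-independent, which is what lets the loader apply ASLR to it, and the PT_GNU_STACK program header tells the loader whether the stack must be executable. What follows is an added example, not code from this article or from fail0verflow: a small checksec-style checker, together with a constructed minimal ELF64 image so it runs offline. The builder, its two sample images and the rule that a missing PT_GNU_STACK header counts as an executable stack (the Linux loader’s historical default) are assumptions made for the demonstration.

```python
# Added example (not from the article): a checksec-style look at whether an
# ELF binary opts into the two mitigations discussed above, NX and ASLR.
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header whose flags describe the stack
PF_X = 0x1                 # "executable" flag bit in p_flags
ET_EXEC = 2                # fixed-address executable (no ASLR for the main image)
ET_DYN = 3                 # position-independent (shared object or PIE)


def check_elf_mitigations(data: bytes) -> dict:
    """Parse the ELF header and program headers of `data` (32- or 64-bit,
    either endianness) and report PIE / NX-stack status."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)

    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(endian + "I", data, off)[0]
        # p_flags follows p_type directly in Elf64_Phdr, but sits at offset 24 in Elf32_Phdr
        p_flags = struct.unpack_from(endian + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    # No PT_GNU_STACK header at all: the Linux loader historically falls back
    # to an executable stack, so a hardening check must treat that as "NX off".
    nx_stack = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        "gnu_stack_present": gnu_stack_flags is not None,
    }


def build_sample_elf64(e_type: int, stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal little-endian ELF64 image: one header plus (optionally)
    a single PT_GNU_STACK program header. It is not a loadable binary; it exists
    only so the checker above can be exercised offline."""
    phoff, ehsize, phentsize = 64, 64, 56
    phnum = 1 if with_gnu_stack else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0, phoff, 0, 0, ehsize, phentsize, phnum, 0, 0, 0,
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + (phdr if with_gnu_stack else b"")


# Weak configuration: fixed load address and a read/write/execute stack.
WEAK_IMAGE = build_sample_elf64(ET_EXEC, 0x7)
# Hardened configuration: PIE (ASLR-capable) with a read/write-only stack.
HARDENED_IMAGE = build_sample_elf64(ET_DYN, 0x6)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_elf.py /path/to/binary
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_elf_mitigations(f.read()))
    else:
        print("weak    ", check_elf_mitigations(WEAK_IMAGE))
        print("hardened", check_elf_mitigations(HARDENED_IMAGE))
```

Run without arguments it reports the two constructed images; pass a path to inspect a real binary. Note that ET_DYN alone cannot distinguish a PIE from a shared library, and that a PIE main image only gets randomized if the kernel’s ASLR is actually enabled, so this header check is a necessary condition for the mitigation, not proof that it is in force at runtime.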

4. Go for the browser

This might be the most essential point we can relate to in the Vita hacking scene: the browser today is likely to be one of the most vulnerable parts of the PS Vita. It is WebKit-based, which means there exists a huge and well-documented database of critical bugs for it, and that the source can be accessed. It could be “reasonably” easy to find crashes in the browser. As far as analyzing them is concerned though, I think that here again nobody would go very far without a (hardware?) way to read the contents of the RAM in real time.

Another interesting point made by Fail0verflow is how, on the Wii U, the NX bit was disabled for the browser! There’s a possibility this is true on the Vita as well, who knows… That would be one less obstacle to bypass in order to get an exploit running.


The Wii U keys dumped by the Fail0verflow team

5. Is homebrew still relevant?

As a conclusion to their presentation, the Fail0verflow team restated that to them, the interest of homebrew on consoles in 2013 (now 2014) is not what it was back when the Wii, PSP, etc. were the latest big thing. Today, if you’re a tinkerer, a gamer, or a developer, there exist plenty of ways for you to code your own game, play any emulator, or mod anything you want, on devices that are way more open, and sometimes more powerful, than these consoles. You can plug any Android box (Ouya, etc.) into your TV, and any decent phone today lets you run fan-made games or emulators on the go. Sure, few of them have the awesome screen and controls of the Vita, but that’s another story.

They also emphasize that, given the complexity of today’s consoles, developing an entire SDK for homebrew from scratch would be quite a lot of work, while in comparison enabling piracy once an exploit is made public would be much easier (patch a few things in RAM here and there). Which raised concerns around the outcome of releasing their hack…

The above is something they had already stated back in May this year.

Fail0verflow’s video:

  1. trunk208

    Epic :O

  2. L2SSnake

    Dear God, great idea for browser, I like this article, sharp and super smart. I wish these guys go on PS Vita next

  3. BakaOsaka

    Pretty interesting stuff. Although their stance on the WiiU hasn’t changed, it’s understandable. They’ve given enough information to let any skilled developer find and create an exploit, I’m sure. This, along with Delroth’s development, shows that it’s probably not important to exploit the WiiU now.

  4. mma jedi

    If the Vita doesn’t get hacked, it is only bc the right person doesn’t have the interest. What I say next is indisputable... worldwide.

    EVERY action has an EQUAL and OPPOSITE reaction.

    In today’s gaming society, there is more interest than ever in system mods, more people actually trying it and more courses available to learn about vital issues related to programming. Personally, I feel it will happen, but maybe several more years ahead.

    1. L2SSnake

      I agree, time will tell

    2. 110706

      Yea, few more years ahead. Tegra K1 already caused a stir with the latest benchmark, showing how it smokes Apple A7 and QC Snapdragon latest chips. And it beat even laptops’ integrated GPUs. With 5 watts.

      A chip that will end up in mobile devices :). And this is only the beginning. The devs will realize there is no point at all developing for Vita anyway when you have chips like Tegra K1 coming out and far more accessible than Sony’s own proprietary pile of mess.

      In a few more years Vita is D.E.A.D. And I won’t be surprised to see it go down still “locked”. Mark my post.

  5. get real guys

    Vita is not getting hacked. It’s only a valuable system if you live in Japan where there is actual content regularly released for it. In the rest of the world it’s being dropped as a support device for the PS4 via Remote Play and PlayStation Now; they will not release new western games on it, I 100% know this as fact, and it is literally just becoming a peripheral to the PS4 if for some reason a dev really wants WiiU controls on a PS4.

    Seeing as you can use PlayStation Now on any device, seriously, the Vita is so fucking dead.

    Guys, give up already, it’s not going to happen.

    1. 110706

      “seeing as you can use playstation now on any device seriously the vita is so fucking dead.” Probably SONY realised Vita’s situation and that’s their backup plan.

      1. John

        From what I saw PS NOW is for PS 1-3. The Vita is another story. How exactly are you going to use the rear touch on any other system?

  6. Brett

    Now, hopefully since the hack of the Wii U was explained, maybe other hackers can play around with the 3DS hardware to find a hack ;) they could have similarities that may help

    1. nero

      There is a hack for the 3DS. It’s called Gateway 3DS, they’re releasing multi-ROM support for 3DS games soon!

      1. Brett

        I’m not too sure that Gateway 3DS is a hack, it’s a flashcart… Which is not a hack, it’s a cart that plays ROMs. Also if it was a hack it would be down immediately, seeing that if you charge someone for a hack that is illegal and could get them into a lot of trouble! That’s why our PS Vita, PSP, Wii, PS3 hacks were free. (shall I say CFW)

        1. Quicksilver88

          Actually the Gateway 3DS is both a hack and a flash cart. The team has actually done quite a bit with the system NAND directly, including having complete kernel level control.

          Because only 4.5 and below 3DS are exploitable, the team has created a way to run a shadow (or as they call it, Emulated NAND) from the SD card. This is actually quite impressive as it loads a 7.x firmware on top of 4.5 and then implements their patches as well that allow using their cart and backing up/restoring their cart’s EEPROM save data to the 3DS SD card. They have also already implemented region free and have a mix of online features including MiiVerse and eShop working as well as local play and Spot/StreetPass, but not true network game play. Also you can boot in two modes, Gateway/Classic… Classic lets you run retail carts so you can play your newer games in EmuNAND. Full homebrew is possible on 3DS but there is no SDK and little documented information, so it is going to take a while to get the tools for anyone to make something worthwhile in homebrew. Honestly Gateway could probably work out running ROMs from the 3DS’s SD card, but why would they do that when that would prevent them from selling their hardware… someday later in the 3DS life I am sure we will get an open source EmuNAND with those capabilities… but the question is will anything past 4.5 (just like 3.55 on PS3) ever be exploitable.

  7. Yukon

    I wonder how long it would take for them to crack the Vita.

  8. squiggs

    I really like the feature and analysis and I think there should be more of them.

  9. LMAO

    Now it’s just a matter of days ’til skfu catches wind of this… And he’ll be like “AGAIN”;
    I just successfully reversed the Wii U, controls for backwards/reverse make everything go forward.

  10. Yifan Lu

    If you want to know the status of Vita hacking, just watch the 30c3 console hacking presentation and every time they talk about some weakness in the WiiU and the audience applauds, replace “WiiU” with “Vita” and “success” with “we tried and it didn’t work.”

    For example:
    * Vita has KASLR everywhere and ASLR in most places
    * Vita does not have JS JIT compiling or NX disabled in browser
    * Vita does not have RAM lines exposed for sniffing
    * Vita does not have any symbols compiled in retail (AFAIK)
    * Vita has strict virtual memory protection and page level security (and no separate CPU to hijack)
    * Vita has all keys and decryption routines stored in a secure co-processor (above kernel mode)
    and on and on…

    1. wololo

      Thanks. Could you clarify some of the points above, to the extent that you don’t need to disclose anything critical? For example, I can see how a reasonably quick look at the motherboard lets you see that RAM lines are not exposed, or that previous Sony hardware pretty much guarantees that a co-processor is used to store the keys, but how do you know for example that NX is not disabled in the browser?
      In other words, could you source/prove all of the points you mention above?

      1. Yifan Lu

        WebKit source and playing around with known exploits shows that there’s no JIT in browser.
        I have not seen any symbols in the stuff I dumped.
        ASLR is easy to see in usermode.
        KASLR will require you to jump through a couple of hoops to observe (kernel pointer bouncing around).
        I guess technically there isn’t a co-processor, but it’s easier to think about it that way (unless ARM has really screwed up somewhere or Sony has screwed up implementing ARM’s designs).

    2. Thrawn

      Hmmm, you sure have seen those six pipelines going into the left side of the CXD5315GG? They subsurface onto the other side of the mainboard and go behind the EMI shield in the direction of the NAND. They subsurface again and crop up onto the other side with conveniently placed test points, then again vanish behind the edge of the EMI shield; I believe they go into the SMD parts located right beneath the NAND, and then into the NAND itself.
      A NAND without test points would be majorly inconvenient for manufacturing, as devices are only tested after being soldered together. After that they are programmed in conjunction with the device’s unique CPU key, so they would need some open spots for automated software injection.
      Just an observation I stumbled upon.

      1. Yifan Lu

        http://yifan.lu/2013/12/22/random-observations-on-vita-logic-board/
        “The unfilled pads next to the eMMC has something to do with video. The direction of the trace goes from the SoC to the video connector.”

        If you think about it that way, it makes sense. The angle of the traces with those exposed pads is directed towards the video connector and would make it far too awkward to move into the eMMC. Also, I’ve tested every single exposed pad and connector on the front and back of the board. The only exposed lines for the eMMC are those 150 ohm signal integrity resistors found near the SoC.

        1. Thrawn

          Hmm… looking at those PS Vita video out mods which use those pins I suspected to go into the NAND, that looks so strange, it makes no sense, regardless.

          The mystery chip (SCEI 1148KM458 or 1144KM427) you mention on your blog, it could be related to the PS Vita proprietary game cartridge; I have seen no direct lines to the CXD5315GG, plus this strange chip sits directly on the opposite side of the slot, which would vouch for some kind of controller or a security chip.
          On techinsights.com they speculate this chip to be an AKM magnetic compass, but this is in my opinion bullsh*t as there is already the gyro (ST? 3GA51H) and the 3 axis MEMS (Kionix KXTC9). Also why would a magnetic compass need to be EMI shielded? This limits its capabilities.
          Plus there is another strange chip (ST 32P10SoE / GK09093) which could possibly be the magnetic compass.

    3. mylvein

      I’m both glad and sad.

  11. Reynkz

    You can’t compare Nintendo consoles to Sony (security wise), Nintendo was never big on security in the first place; the NDS, 3DS, and Wii were easily hacked & modded. Whereas PS3 took quite some time, Sony learned from their mistakes with PS3 and PSP, PS Vita is going to take some time for a native hack (no security is perfect :).

    1. wololo

      Why can’t we compare them? They are both running the same type of business and both need to protect the same data. The fact that Nintendo is not as good as Sony in terms of security is very relevant, but that doesn’t prevent a comparison… this is exactly the same business to protect, so the things at stake are exactly the same. If anything, this brings even more questions about why Nintendo thinks they don’t need to invest the same amount of time and energy in protecting their assets that Sony does.

      1. CycloneFox

        Like Reynkz already said, Sony has made experience with the mistakes of the previous generation and altercated a lot with hackers like geohot, for example. That’s why they have this hell of protection on their new systems in this generation (I suppose it’s the same for the PS4 as for the Vita already, awaiting confirmation for that guess).
        Plus, the PlayStation has another, more mature target group of customers. That also influences the will to hack a device.
        Plus, PlayStation hardware tends to be more powerful (or has nicer displays, touchscreens, two native analog sticks, etc.), which is more interesting for potential hackers. Of course, this time around, smartphones blur the interest of hackers in a Vita.
        Plus Sony invests more into third-party support. So they advertise/sell their brand to publishers a lot more than Nintendo. Security is a good argument for this case, of course.

        1. wololo

          All your arguments are invalid except maybe the last one about third party developers. For the rest, none of your points apply:
          - Nintendo also experienced hacking with their previous generations, so they should behave the same as Sony
          - The “mature” audience point is invalid, both companies get their consoles hacked
          - Again, both companies’ hardware gets hacked, and arguably the Wii was much more interesting than other devices to hack because of the Wiimote

          1. Reynkz

            I was going off of their past security mistakes, not the company as a whole, which is why I said security wise. I know they are in the same business, which means they are in the same boat and both have had their consoles hacked. I meant more so their reaction and implementation of security, Sony and Nintendo. It does raise a question or two why Nintendo doesn’t step their game up, but then again they sold way more 3DSs than Vitas.

          2. sathriel

            Wii sold way more than PS3 and 3DS trumps Vita on the same field. Of course that is no proof that being hackable makes a console more desirable, but it is also not very likely that Wii or 3DS would sell any better if they were better protected from hacking.

          3. mylvein

            It’s simply because Nintendo never sells consoles at a loss and mainly sells 1st & 2nd party games. They don’t care to invest in security because their digital and online infrastructure sucks so bad.

  12. tokia

    In 1hr I learning now!

  13. wiinotvita

    WiiU is not hacked yet.. it’s the Wii mode that’s hacked. Same with Vita.. it can play PSP ISOs but not Vita ROMs.

    1. wololo

      You need to watch the Fail0verflow conference again, it seems

    2. mylvein

      It’s hacked to the core, just no one is interested in WiiU anymore, haha.. no offense.

  14. oxMUDxo

    So this can be fixed by Nintendo with a software update, right?

    Or is this just like the Wii and Nintendo is screwed again. :/

    Just hope they don’t end up like Sega.

    1. Shinny

      Look at Pokemon X&Y sales, and how the new Zelda game is doing… I doubt they will give up at all.. Nintendo has a huge fan base and really decent games on their systems, so income is pretty much huge.. While SEGA was destroyed by PS2 and GameCube in some parts, and lacked games (yes, the library was pretty small compared to PS2). But yeah, it’s a pity that SEGA gave up :/

    2. Thrawn

      Since when was Nintendo screwed with its Wii?
      Yeah, it had extensive piracy, but at the end of the day it was last gen’s dominant system with the most hardware and software sales; roughly 100 million sold Wiis do not lie.

      Even the software did sell out, good Wii games sold out immediately; the only thing you’ll still find in stores are those bad shovelware abominations from certain producers which I do not want to name.

      1. mylvein

        Would you name some? I couldn’t find any good game for Wii

        1. Thrawn

          Conduit 1 + 2, house of the dead overkill, Zelda twilight princess, xenoblade chronicles, madworld, the last story, no more heroes 1 + 2, disaster day, rune factory frontier, muramasa, metroid prime 3 or metroid trilogy, smash bros brawl, tales of symphonia dawn of the new world, fire emblem radiant dawn, Mario galaxy (sorry:), Zelda skyward sword, resident evil 4 and dark side chronicles + zero, pandoras tower, okami, project zero 2, geometry wars galaxies, eldar saga, monster hunter tri (you mentioned that), Metroid other M, sakura wars so long, overlord dark legend, dragon quest swords, samurai warriors 3, tomb raider underworld, call of duty black ops, sin and punishment, little kings story, red steel 2, dead space extraction, bully, silent hill shattered, star wars force unleashed 1 + 2, soulcalibur legends, call of duty 3, splinter cell double agent, enclave, ff crystal chronicles bearers and echos of time, onechanbara bikini zombie slayers, ghost squad, rygar battle of argus,… want me to continue?

          Now, not all of those are exclusives, but most of ’em. I did not include all those Mario and party game stuff. Only real, enjoyable titles.

          1. tryrush deppy

            Did you just copy those titles from your ext. HDD of .wbfs? ;)

      2. mylvein

        except Monster Hunter Tri

  15. 110706

    When you need the PS4 to carry the PS Vita from the ditch it has fallen into (thanks to SONY), you know the situation is FUBAR for Vita.

  16. John

    Yay. No Vita hack. There’s still hope for a comeback… minor as it may be.
    Although a hacked system will most likely be unable to play online. hahaha.

  17. John

    I hate Reggie.
    He seems like such a cocky asshole.

  18. riddle43

    Ok, hacking the Vita will happen, if for one reason only: for the fun, and to be the one to do it. I mean, I had my PSP when it first came out and all I wanted was SNES and NES; this kind of want will definitely get smart and clever hackers working towards a goal of running unsigned code on the Vita, even if it comes after the life of the system. I wouldn’t doubt that someone has already, they just don’t want to share for fear of it being patched in future updates, but only time will tell. I’ve been in the scene for too long to give up now….. k
