Wii U: Browserhax released for 5.5.0
The Wii U 5.5.1 update patched some critical vulnerabilities in libstagefright. This triggered two hack releases that rely on similar (if not the same?) exploits in the lib.
Earlier today, Mathew_Wi released an exploit for 5.4.0/5.5.0 that he described as “lazy” and that is not directly usable by end users. But Yellows8 comes to the rescue with a Browserhax that is also based on a libstagefright exploit. And yes, it also supports 5.4.0 and 5.5.0.
To be clear, both these exploits are patched with the new 5.5.1 firmware, and this is why both developers have decided to release their work on libstagefright.
Smealum described Yellows8’s hack as “super stable”. Incidentally, you might already know Yellows8 for his work on 3DS hacks. It’s great to see hackers work on several consoles, as it’s been proven countless times now that these devices all rely on similar security concepts, in particular when they come from the same manufacturer.
since it was patched yesterday, yellows8 has made available his wii u browserhax ! super stable, works on 5.5.0 https://t.co/LAm8qkcDL5
— smea (@smealum) January 12, 2016
You’ll need your own server to host the file, although I assume this can work with a basic Apache server running on your local network (for those asking: yes, you can set that up for free on your own computer, even on Windows).
From the Readme:
To use this you must host the exploit script on a server, then you must set up wiiuhaxx_common as documented in that repo. If you’re going to use libwiiu with your payload binary, then you must use a coreinit.h which actually supports your system-version. The max size of the final payload (loader included) is 0x4000-bytes, so your input payload max size is a bit less than 0x4000-bytes (the script will throw an error if the size is too large). Once all set up, just access a URL like the below one where “browserhax_fright_tx3g_wiiu.php” is hosted, with the browser.
Note that issues occur when the final URL you use is too long, so you should keep it short like with the following: “http(s)://{server}/wiiuhaxx.php?sysver={version listed in wiiuhaxx_common}”. This hasn’t been debugged yet.
The only known time this exploit has ever failed pre-native-code-exec (on a supported system-version) was when the URL was too long as described above. However, this is mostly with testing with just one open tab (in particular with automatically loading the page).
Yellows8 credits plutoo for getting exception-dumps / memdumps, etc, on 5.3.2.
Download Yellows8’s Browserhax for Wii U 5.5.0
Download BrowserHax for Wii U 5.5.0 (a.k.a. WiiU_Browserhax_Fright) on the project’s github here
Via @Smealum
Keep it coming
Naww sweet, now just need Loadiine support while waiting for a better game launcher
If I understand it correctly, just Apache won’t cut it, as the hack uses a PHP script, so you need at least also PHP along with your Apache installation. It’s not too hard to set up though, and there are also bundles such as WAMPServer available for easy installation.
I am lost. I have 5.5.0 and have blocked updates. What do I need to do to run backups?
I’ve the same problem as u, please tell me if u solved the puzzle
As I understand this isn’t a kernel exploit. So Loadiine on 5.5.0 is not possible with this exploit.
All console scenes are doing fine it seems.
And now a user friendly rejuvenate would be the Cherry on top
Git? Seriously? Count the days it’s up, because repo is going down really quick.
Interesting… I wonder if the PS4 is also vulnerable to the stagefright exploit as both the Wii U and PS4 use webkit and both were vulnerable to the previous webkit exploit that was patched in fw 2.00 on the PS4.
hope for a tutorial soon cause i don’t understand how to host on my own server the script…what it means?
It doesn’t mean anything for the average end user. Wait on something useful to be released for mass consumption
Be happy we have these exploits charlie.
Still waiting for this ‘fake’ iosu exploit. There are nothing but rumors. I think iosu exploit isn’t real. Hycem didn’t post any proof of a working one and all others are useless for us 5.5.0 users.
Alexis this 5.5.0 maybe the same exploit but…no reason to criticize. Pluto, Derek, and smea spoke of the Wii U at their 3ds explanation, and yellows8 is responsible for menuhax as well as browserhax. He is a reputable Nintendo hacker so don’t diss what you don’t know. Give it some time!
So…once you have the php file on a web server (assuming I got that all setup correctly) – Then what…I browse to the server and put in the php file name and sysversion=5.5.0 blah – Is that enough to setup homebrew? That doesn’t seem like a complete package…I assume there are other steps that need to be taken to install the homebrew channel and other stuff no?
Thanks!
Based on the Blog Post, I’ve downloaded the PHP file and put it on my server for everyone’s convenience:
http://thec0de.com/wiiuhaxx.php?sysver={your version like 5.5.0}
(Example: http://thec0de.com/wiiuhaxx.php?sysver=5.5.0)
I haven’t tested this on my WiiU yet…but you folks are welcome to try it. E-Mail me with feedback (not support) greekhacker@hotmail.com
Can’t do jack with this yet – devs need to do their magic first it seems. It’s a userland exploit for those wondering…which is kinda useless at the moment unfortunately as far as running loadiine and what not..
According to the repo it works on 5.5.1 as they misread some code.
what does this release allow you to do exactly?
This is only to see “Hello world” message, this is not useful to us end users.