BluUbomb - WiiU Bluetooth Exploit

GaryoderNichts hat einen WiiU Exploit gefunden, über den man IOSU-Kernel-Zugriff bekommt.

BluUBomb

Exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

For a more detailed write-up see WRITEUP.md.

Not to be confused with BlueBomb for the Wii and Wii Mini.

Requirements

• A Wii U which is able to pair a Wii Remote
• A PC with bluetooth
• A PC or VM running a version of Linux which is able to run the custom build of BlueZ
  I recommend using Debian 10, BlueZ 4 just crashes for me on Ubuntu 20.04

How to use

1. Run sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev to install the required dependencies.
2. Clone https://github.com/rnconrad/WiimoteEmulator
3. Run source ./build-custom.sh to build BlueZ. Don't worry if building the emulator itself fails.
4. Stop the already running bluetooth service sudo systemctl disable --now bluetooth
5. Run the custom built bluetoothd sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n
6. Download the bluubomb binary and the kernel binary of your choice from the releases page. Take a look at Kernel binaries for more information.
7. Power on the Wii U and press the sync button.
8. Run sudo ./bluubomb arm_kernel.bin and wait for the pairing process to complete.
   This might take a minute.

Write down the Wii U's bd address that should be displayed after the pairing is complete.

You can now run sudo ./bluubomb arm_kernel.bin <bdaddr here> to connect directly to the Wii U and skip the pairing process.

Kernel binaries

arm_kernel_loadfile

Launches a launch.rpx from the root of your SD card on the next application launch.

arm_kernel_fw_launcher

Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings).

arm_kernel_region_free

Applies IOSU patches to temporarily remove region restrictions.

This should be helpful if you've locked yourself out of your applications due to permanent region modifications.

Building

To build you need to have gcc and devkitARM installed.

Then run make.

Credits

• GaryOderNichts - bluubomb
• rnconrad for the WiimoteEmulator
• dimok789 and everyone else who made mocha possible

Quelle: https://gbatemp.net/threads/bl…int-via-bluetooth.588522/

Changelog:

Release 4:

• Cleaned up and removed unnecessary code.
  This increases stability and compatibility with some bluetooth adapters.
• Add a longer delay between data transfers.
  This fixes an issue where bluubomb just did nothing on some bluetooth adapters.
• Add a "install_wup" binary which installs valid signed WUP from the SD Card.
  Refer to the README for instructions.

Release 3:

• Bluubomb now loads kernel binaries from the SD Card.
  This allows for much larger kernel binaries with more possibilities.
• Added wupserver binary (See README for more info).
• The loadrpx binary (previously loadfile) now comes with region free patches and gives every application full cos.xml permissions.
• Removed load fw.img binary.
  Use one of the other methods to recover your console and launch a fw.img with a proper fw launcher.
• Don't set SSP mode if it's already disabled to avoid a warning (thanks @linkmauve).
  Refer to the README for updated instructions.

Release 2:

• Fix pairing on Intel Bluetooth chips
  This release supports pairing with the Wii U on Intel Bluetooth chips.

Release 1:

• Initial release

Diese Exploit gab es auch bei der Switch aber er wurde mit den aktuellen Update Switch Firmware 12.0.2 released behoben.

BluUbomb ist ein alternativer Exploit. Diesen kann man, wie Baamalex schrieb, benutzen wenn man keinen Zugriff auf den Browser oder Miimaker hat.