Exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

Last update: Dec 17, 2022

Related tags

Miscellaneous bluubomb

Overview

BluuBomb

Exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

For a more detailed write-up see WRITEUP.md.

Not to be confused with BlueBomb for the Wii and Wii Mini.

Requirements

A Wii U which is able to pair a Wii Remote
A PC with bluetooth
A PC or VM running a version of Linux which is able to run the custom build of BlueZ

How to use

Run sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev to install the required dependencies.
Clone https://github.com/rnconrad/WiimoteEmulator
Run source ./build-custom.sh to build BlueZ.
Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps.
Stop the already running bluetooth service sudo systemctl disable --now bluetooth
Run the custom built bluetoothd sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n
Download the bluubomb binary and the kernel binary of your choice from the releases page. Take a look at Kernel binaries for more information.
Make the bluubomb file executable by running sudo chmod +x bluubomb
Power on the Wii U and press the sync button.
Run sudo ./bluubomb arm_kernel.bin and wait for the pairing process to complete.
This might take a minute.
If you get a warning about Simple Pairing mode read the Simple Pairing mode section below.

Write down the Wii U's bd address that should be displayed after the pairing is complete.
You can now run sudo ./bluubomb arm_kernel.bin <bdaddr here> to connect directly to the Wii U and skip the pairing process.

Kernel binaries

arm_kernel_loadfile

Launches a launch.rpx from the root of your SD card on the next application launch.

arm_kernel_fw_launcher

Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings).

arm_kernel_region_free

Applies IOSU patches to temporarily remove region restrictions.
This should be helpful if you've locked yourself out of your applications due to permanent region modifications.

Simple Pairing mode

On some devices the simple pairing mode can't be disabled by bluubomb.
You can check the current Simple Pairing mode by running hciconfig hci0 sspmode.
Make sure it says Simple Pairing mode: Disabled.
If not run sudo hciconfig hci0 sspmode disabled and sudo hciconfig hci0 reset.
Then check the mode again.

Building

To build you need to have gcc and devkitARM installed.
Then run make.

Credits

GaryOderNichts - bluubomb
rnconrad for the WiimoteEmulator
dimok789 and everyone else who made mocha possible

Comments

Wup server modified files wont save on reboot

I have tried wupserver and ftpiiu for modifying files on the mlc but upon reboot none of them save regardless of if i use the wupserver binary or the loadrpx binary for ftpiiu everywhere. Even ftp by laf111 wont work.

opened by Aryamanee 5
Porting to Switch

You mentioned that they recently fixed this on the Switch; I still think a Switch version could be useful for supernagged 4.x units, and for 5.x-7.x units, since Deja Vu works up to 7.x.

opened by Hallowizer 1
Simple Pairing mode: Disabled

Not really an issue, but could not disable simple pairing.

Came here to say that the Bluetooth was part of the chipset and I was using VM of Linux.

Had to find a Bluetooth USB and add it to the VM, then disabling and enabling in Windows device manager.

This allowd me to disable simple pairing. Bit of a nightmare, but you saved my WiiU that was region broken.

opened by kestraly 0
Would you consider to add a payload?

In my JPN WiiU console, has freeze issue, so that I want to backup otp and seeprom from the console but can not.

I can use bluubomb to send payload. If has a new payload, once run this payload, can auto backup the otp and seeprom.bin to the sd, it will amazing. I think this can help a lot of issue console.

Thanks.

opened by nhldp 1
32 bit executable

The bluubomb release binary is a x86-64bit release only. Would it be possible to also make a x86 (32 bit) release?

Have some older laptops that I would like to use to run this on.

opened by Invictaz 2
failed to set up Bluetooth device

I am unable to pair the wii u. The first image is bluez, and the second is trying to run bluubomb.

Full bluez log

bluetoothd[30604]: Bluetooth daemon 4.101 bluetoothd[30604]: src/main.c:parse_config() parsing main.conf bluetoothd[30604]: src/main.c:parse_config() discovto=0 bluetoothd[30604]: src/main.c:parse_config() pairto=0 bluetoothd[30604]: src/main.c:parse_config() pageto=8192 bluetoothd[30604]: src/main.c:parse_config() auto_to=60 bluetoothd[30604]: src/main.c:parse_config() name=%h-%d bluetoothd[30604]: src/main.c:parse_config() class=0x000100 bluetoothd[30604]: src/main.c:parse_config() Key file does not have key “DeviceID” in group “General” bluetoothd[30604]: src/plugin.c:plugin_init() Loading builtin plugins bluetoothd[30604]: src/plugin.c:add_plugin() Loading network plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading hciops plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading mgmtops plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading formfactor plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading storage plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading adaptername plugin bluetoothd[30604]: src/plugin.c:plugin_init() Loading plugins /home/lividhen/Downloads/github/WiimoteEmulator/bluez-4.101/dist/lib/bluetooth/plugins bluetoothd[30604]: src/plugin.c:add_plugin() Loading wmemu plugin bluetoothd[30604]: network/manager.c:read_config() Config options: Security=true bluetoothd[30604]: plugins/hciops.c:hciops_init() bluetoothd[30604]: Bluetooth Management interface initialized bluetoothd[30604]: src/main.c:main() Entering main loop bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:read_version_complete() version 1 revision 14 bluetoothd[30604]: src/rfkill.c:rfkill_event() RFKILL event idx 0 type 1 op 0 soft 0 hard 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 13 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:add_controller() Added controller 0 bluetoothd[30604]: src/rfkill.c:rfkill_event() RFKILL event idx 1 type 1 op 0 soft 0 hard 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 289 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 addr 80:56:F2:B3:27:A8 version 7 manufacturer 69 class 0x000000 bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 settings bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 short name bluetoothd[30604]: plugins/mgmtops.c:mgmt_remove_uuid() index 0 bluetoothd[30604]: src/adapter.c:btd_adapter_ref() 0x55c16cdc8650: ref=1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_read_bdaddr() index 0 addr 80:56:F2:B3:27:A8 bluetoothd[30604]: src/sdpd-database.c:sdp_init_services_list() bluetoothd[30604]: network/manager.c:network_server_probe() path /org/bluez/30604/hci0 bluetoothd[30604]: src/adapter.c:btd_adapter_ref() 0x55c16cdc8650: ref=2 bluetoothd[30604]: network/server.c:server_register() Registered interface org.bluez.NetworkServer on path /org/bluez/30604/hci0 bluetoothd[30604]: plugins/adaptername.c:adaptername_probe() Setting name 'pop-os-0' for device 'hci0' bluetoothd[30604]: plugins/formfactor.c:formfactor_probe() Setting 0x00010c for major/minor device class bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_dev_class() index 0 major 1 minor 12 bluetoothd[30604]: plugins/mgmtops.c:mgmt_unblock_device() index 0 addr 00:00:00:00:00:00 bluetoothd[30604]: plugins/mgmtops.c:mgmt_load_link_keys() index 0 keys 0 debug_keys 0 bluetoothd[30604]: plugins/mgmtops.c:mgmtops_load_ltks() index 0 keys 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_get_conn_list() index 0 bluetoothd[30604]: src/manager.c:btd_manager_register_adapter() Adapter /org/bluez/30604/hci0 registered bluetoothd[30604]: src/adapter.c:btd_adapter_ref() 0x55c16cdc8650: ref=3 bluetoothd[30604]: plugins/mgmtops.c:update_settings() new settings ad2 bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() mgmtops setting name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_name() index 0, name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_dev_class() index 0 major 1 minor 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_powered() index 0 powered 1 pending_uuid 0 bluetoothd[30604]: src/adapter.c:btd_adapter_unref() 0x55c16cdc8650: ref=2 bluetoothd[30604]: src/rfkill.c:rfkill_event() RFKILL event idx 2 type 2 op 0 soft 1 hard 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() remove_uuid complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() set_dev_class complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 16 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() unblock_device complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 9 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() load_link_keys complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 9 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: Unknown command complete for opcode 19 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 269 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:set_local_name_complete() hci0 name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() set_dev_class complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 9 bytes from management socket bluetoothd[30604]: hci0: Set Powered (0x0005) failed: (0x12)

using pop!_os

opened by lividhen 3
Android version

Currently this is just speculation. If we were to use a Bluetooth HID profile, like joycon Droid does with the switch, could we use a phone or tablet as a virtual wiimote, and send the payload through that?

I don't know a whole lot about the pairing process, but bluez could be used a reference / starting point.

I also don't know a lot about android app development, but I would be happy to look into it!

opened by lividhen 6

Releases(v5)

v5(Mar 3, 2022)
Changelog:

The thread bluubomb is running on no longer deadlocks This means other controllers can still be used after running bluubomb

The console now powers off properly after running bluubomb The console no longer needs to be force powered off while bluubomb binaries are running

The loadrpx binary now provides codegen access to launched titles This allows launching PayloadFromRPX from any title, for example to launch the CustomRPXLoader and EnvironmentLoader

The Bluetooth adapter will now be restarted before sending data
This fixes issues with some adapters

Source code(tar.gz)
Source code(zip)
bluubomb(29.42 KB)
sd_kernels.zip(5.02 KB)
v4(Jan 15, 2022)
Changelog:

Cleaned up and removed unnecessary code. This increases stability and compatibility with some bluetooth adapters.

Add a longer delay between data transfers. This fixes an issue where bluubomb just did nothing on some bluetooth adapters.

Add a "install_wup" binary which installs valid signed WUP from the SD Card. Refer to the README for instructions.

Source code(tar.gz)
Source code(zip)
bluubomb(29.25 KB)
sd_kernels.zip(4.98 KB)
v3(Sep 14, 2021)
Changelog:

Bluubomb now loads kernel binaries from the SD Card. This allows for much larger kernel binaries with more possibilities.

Added wupserver binary (See README for more info).

The loadrpx binary (previously loadfile) now comes with region free patches and gives every application full cos.xml permissions.

Removed load fw.img binary. Use one of the other methods to recover your console and launch a fw.img with a proper fw launcher.

Don't set SSP mode if it's already disabled to avoid a warning (thanks @linkmauve).

Refer to the README for updated instructions.
Source code(tar.gz)
Source code(zip)
bluubomb(42.92 KB)
sd_kernels.zip(3.64 KB)
v2(May 17, 2021)

This release supports pairing with the Wii U on Intel Bluetooth chips.
Source code(tar.gz)
Source code(zip)
arm_kernel_fw_launcher.bin(836 bytes)
arm_kernel_loadfile.bin(782 bytes)
arm_kernel_region_free.bin(564 bytes)
bluubomb(43.09 KB)
v1(May 16, 2021)

Source code(tar.gz)
Source code(zip)
arm_kernel_fw_launcher.bin(836 bytes)
arm_kernel_loadfile.bin(782 bytes)
arm_kernel_region_free.bin(564 bytes)
bluubomb(42.98 KB)

Owner

GitHub

4HP through hole version of the HAGIWO FM/additive/chord oscillator with mode switch and gain input.

HAGIWO 019/022/023 Triple Oscillator (FM/CHORD/ADDITIVE) 4HP through hole version of the HAGIWO FM/additive/chord oscillator with mode switch and gain

18 Nov 27, 2022

Access USB devices from Ruby via libusb-1.x

Access USB devices from Ruby LIBUSB is a Ruby binding that gives Ruby programmers access to arbitrary USB devices. libusb is a library that gives full

148 Jan 2, 2023

Bluetooth Joystick : A wireless joystick with ESP-32 microcontroller and Dual Axis Joystick Module using the Bluetooth connectivity.

BluetoothJoystick Bluetooth Joystick : A wireless joystick with ESP-32 microcontroller and Dual Axis Joystick Module using the Bluetooth connectivity.

9 Feb 24, 2022

Install the Homebrew Channel to the vWii Menu from Wii U Mode.

Install a channel to the vWii Menu from Wii U Mode. In its current state, it simply installs the Homebrew Channel.

36 Jan 2, 2023

Source code for the Mario Kart Wii Tournament Museum mod

Mario Kart Wii Tournament Museum Source code for the MKWTM mod. Includes the rel source and the loader. Building To compile code you'll need: NXP 'Cod

12 Nov 29, 2022

Updates the Wii's current system time with the real world time.

Fix Wii System Time This is a homebrew tool I made for the Wii a while ago. It updates the current system time with the real world time via worldtimea

2 Nov 9, 2022

A simple 3D game engine for GameCube, Wii, 3DS, Windows, and Linux.

octave A Simple 3D Game Engine for GameCube, Wii, 3DS, Windows, and Linux Windows Setup Download and Install: Visual Studio Community 2017 (with C++ s

10 Dec 25, 2022

Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a handy trick.

Proof-of-Concept Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a h

32 Nov 19, 2022

Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider

Sealighter-TI Combining Sealighter with unpatched exploits and PPLDump to run the Microsoft-Windows-Threat-Intelligence ETW Provider without a signed

58 Dec 26, 2022

A updated linora source with special exploits, always be updated to latest update

Fortnite-Bulletp-Internal A working vehicle Bullettp internal, will be always updated to latest fn update! my old github got termed LMAO If i see you

29 Jul 16, 2022

This repo contains demo exploits for CVE-2022-0185. There are two versions here.

CVE-2022-0185 This repo contains demo exploits for CVE-2022-0185. There are two versions here. The non-kctf version (fuse version) specifically target

348 Dec 24, 2022

A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.

This repository contains a personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to

85 Dec 28, 2022

Exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

Related tags

Overview

BluuBomb

Requirements

How to use

Kernel binaries

arm_kernel_loadfile

arm_kernel_fw_launcher

arm_kernel_region_free

Simple Pairing mode

Building

Credits

Comments

Wup server modified files wont save on reboot

Porting to Switch

Simple Pairing mode: Disabled

Would you consider to add a payload?

32 bit executable

failed to set up Bluetooth device

Android version

Releases(v5)

v5(Mar 3, 2022)

v4(Jan 15, 2022)

v3(Sep 14, 2021)

v2(May 17, 2021)

v1(May 16, 2021)

Owner

4HP through hole version of the HAGIWO FM/additive/chord oscillator with mode switch and gain input.

Access USB devices from Ruby via libusb-1.x

Bluetooth Joystick : A wireless joystick with ESP-32 microcontroller and Dual Axis Joystick Module using the Bluetooth connectivity.

Install the Homebrew Channel to the vWii Menu from Wii U Mode.

Source code for the Mario Kart Wii Tournament Museum mod

Updates the Wii's current system time with the real world time.

A simple 3D game engine for GameCube, Wii, 3DS, Windows, and Linux.

Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a handy trick.

Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider

A updated linora source with special exploits, always be updated to latest update

This repo contains demo exploits for CVE-2022-0185. There are two versions here.

A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.

x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

Two PoC of accessing process virtual memory via NT Kernel

This is a simple filter that will block any attempt to access streams beginning with

Corsair LL Access driver abuse

OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

FastPath_MP: An FPGA-based multi-path architecture for direct access from FPGA to NVMe SSD

Access to the native OS clipboard from NodeJS