Exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

Overview

BluuBomb

Exploits the Wii U's bluetooth stack to gain IOSU kernel access via bluetooth.

For a more detailed write-up see WRITEUP.md.

Not to be confused with BlueBomb for the Wii and Wii Mini.

Requirements

  • A Wii U which is able to pair a Wii Remote
  • A PC with bluetooth
  • A PC or VM running a version of Linux which is able to run the custom build of BlueZ

How to use

  1. Run sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev to install the required dependencies.
  2. Clone https://github.com/rnconrad/WiimoteEmulator
  3. Run source ./build-custom.sh to build BlueZ.
    Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps.
  4. Stop the already running bluetooth service sudo systemctl disable --now bluetooth
  5. Run the custom built bluetoothd sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n
  6. Download the bluubomb binary and the kernel binary of your choice from the releases page. Take a look at Kernel binaries for more information.
  7. Make the bluubomb file executable by running sudo chmod +x bluubomb
  8. Power on the Wii U and press the sync button.
  9. Run sudo ./bluubomb arm_kernel.bin and wait for the pairing process to complete.
    This might take a minute.
    If you get a warning about Simple Pairing mode read the Simple Pairing mode section below.

Write down the Wii U's bd address that should be displayed after the pairing is complete.
You can now run sudo ./bluubomb arm_kernel.bin <bdaddr here> to connect directly to the Wii U and skip the pairing process.

Kernel binaries

arm_kernel_loadfile

Launches a launch.rpx from the root of your SD card on the next application launch.

arm_kernel_fw_launcher

Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings).

arm_kernel_region_free

Applies IOSU patches to temporarily remove region restrictions.
This should be helpful if you've locked yourself out of your applications due to permanent region modifications.

Simple Pairing mode

On some devices the simple pairing mode can't be disabled by bluubomb.
You can check the current Simple Pairing mode by running hciconfig hci0 sspmode.
Make sure it says Simple Pairing mode: Disabled.
If not run sudo hciconfig hci0 sspmode disabled and sudo hciconfig hci0 reset.
Then check the mode again.

Building

To build you need to have gcc and devkitARM installed.
Then run make.

Credits

  • GaryOderNichts - bluubomb
  • rnconrad for the WiimoteEmulator
  • dimok789 and everyone else who made mocha possible
Comments
  • Wup server modified files wont save on reboot

    Wup server modified files wont save on reboot

    I have tried wupserver and ftpiiu for modifying files on the mlc but upon reboot none of them save regardless of if i use the wupserver binary or the loadrpx binary for ftpiiu everywhere. Even ftp by laf111 wont work.

    opened by Aryamanee 5
  • Porting to Switch

    Porting to Switch

    You mentioned that they recently fixed this on the Switch; I still think a Switch version could be useful for supernagged 4.x units, and for 5.x-7.x units, since Deja Vu works up to 7.x.

    opened by Hallowizer 1
  • Simple Pairing mode: Disabled

    Simple Pairing mode: Disabled

    Not really an issue, but could not disable simple pairing.

    Came here to say that the Bluetooth was part of the chipset and I was using VM of Linux.

    Had to find a Bluetooth USB and add it to the VM, then disabling and enabling in Windows device manager.

    This allowd me to disable simple pairing. Bit of a nightmare, but you saved my WiiU that was region broken.

    opened by kestraly 0
  • Would you consider to add a payload?

    Would you consider to add a payload?

    In my JPN WiiU console, has freeze issue, so that I want to backup otp and seeprom from the console but can not.

    I can use bluubomb to send payload. If has a new payload, once run this payload, can auto backup the otp and seeprom.bin to the sd, it will amazing. I think this can help a lot of issue console.

    Thanks.

    opened by nhldp 1
  • 32 bit executable

    32 bit executable

    The bluubomb release binary is a x86-64bit release only. Would it be possible to also make a x86 (32 bit) release?

    Have some older laptops that I would like to use to run this on.

    opened by Invictaz 2
  • failed to set up Bluetooth device

    failed to set up Bluetooth device

    I am unable to pair the wii u. The first image is bluez, and the second is trying to run bluubomb.

    Full bluez log

    bluetoothd[30604]: Bluetooth daemon 4.101 bluetoothd[30604]: src/main.c:parse_config() parsing main.conf bluetoothd[30604]: src/main.c:parse_config() discovto=0 bluetoothd[30604]: src/main.c:parse_config() pairto=0 bluetoothd[30604]: src/main.c:parse_config() pageto=8192 bluetoothd[30604]: src/main.c:parse_config() auto_to=60 bluetoothd[30604]: src/main.c:parse_config() name=%h-%d bluetoothd[30604]: src/main.c:parse_config() class=0x000100 bluetoothd[30604]: src/main.c:parse_config() Key file does not have key “DeviceID” in group “General” bluetoothd[30604]: src/plugin.c:plugin_init() Loading builtin plugins bluetoothd[30604]: src/plugin.c:add_plugin() Loading network plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading hciops plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading mgmtops plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading formfactor plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading storage plugin bluetoothd[30604]: src/plugin.c:add_plugin() Loading adaptername plugin bluetoothd[30604]: src/plugin.c:plugin_init() Loading plugins /home/lividhen/Downloads/github/WiimoteEmulator/bluez-4.101/dist/lib/bluetooth/plugins bluetoothd[30604]: src/plugin.c:add_plugin() Loading wmemu plugin bluetoothd[30604]: network/manager.c:read_config() Config options: Security=true bluetoothd[30604]: plugins/hciops.c:hciops_init() bluetoothd[30604]: Bluetooth Management interface initialized bluetoothd[30604]: src/main.c:main() Entering main loop bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:read_version_complete() version 1 revision 14 bluetoothd[30604]: src/rfkill.c:rfkill_event() RFKILL event idx 0 type 1 op 0 soft 0 hard 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 13 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:add_controller() Added controller 0 bluetoothd[30604]: src/rfkill.c:rfkill_event() RFKILL event idx 1 type 1 op 0 soft 0 hard 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 289 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 addr 80:56:F2:B3:27:A8 version 7 manufacturer 69 class 0x000000 bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 settings bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() hci0 short name bluetoothd[30604]: plugins/mgmtops.c:mgmt_remove_uuid() index 0 bluetoothd[30604]: src/adapter.c:btd_adapter_ref() 0x55c16cdc8650: ref=1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_read_bdaddr() index 0 addr 80:56:F2:B3:27:A8 bluetoothd[30604]: src/sdpd-database.c:sdp_init_services_list() bluetoothd[30604]: network/manager.c:network_server_probe() path /org/bluez/30604/hci0 bluetoothd[30604]: src/adapter.c:btd_adapter_ref() 0x55c16cdc8650: ref=2 bluetoothd[30604]: network/server.c:server_register() Registered interface org.bluez.NetworkServer on path /org/bluez/30604/hci0 bluetoothd[30604]: plugins/adaptername.c:adaptername_probe() Setting name 'pop-os-0' for device 'hci0' bluetoothd[30604]: plugins/formfactor.c:formfactor_probe() Setting 0x00010c for major/minor device class bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_dev_class() index 0 major 1 minor 12 bluetoothd[30604]: plugins/mgmtops.c:mgmt_unblock_device() index 0 addr 00:00:00:00:00:00 bluetoothd[30604]: plugins/mgmtops.c:mgmt_load_link_keys() index 0 keys 0 debug_keys 0 bluetoothd[30604]: plugins/mgmtops.c:mgmtops_load_ltks() index 0 keys 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_get_conn_list() index 0 bluetoothd[30604]: src/manager.c:btd_manager_register_adapter() Adapter /org/bluez/30604/hci0 registered bluetoothd[30604]: src/adapter.c:btd_adapter_ref() 0x55c16cdc8650: ref=3 bluetoothd[30604]: plugins/mgmtops.c:update_settings() new settings ad2 bluetoothd[30604]: plugins/mgmtops.c:read_info_complete() mgmtops setting name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_name() index 0, name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_dev_class() index 0 major 1 minor 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_set_powered() index 0 powered 1 pending_uuid 0 bluetoothd[30604]: src/adapter.c:btd_adapter_unref() 0x55c16cdc8650: ref=2 bluetoothd[30604]: src/rfkill.c:rfkill_event() RFKILL event idx 2 type 2 op 0 soft 1 hard 0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() remove_uuid complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() set_dev_class complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 16 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() unblock_device complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 9 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() load_link_keys complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 9 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: Unknown command complete for opcode 19 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 269 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:set_local_name_complete() hci0 name pop-os-0 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 12 bytes from management socket bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() bluetoothd[30604]: plugins/mgmtops.c:mgmt_cmd_complete() set_dev_class complete bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() cond 1 bluetoothd[30604]: plugins/mgmtops.c:mgmt_event() Received 9 bytes from management socket bluetoothd[30604]: hci0: Set Powered (0x0005) failed: (0x12)

    image image

    using pop!_os

    opened by lividhen 3
  • Android version

    Android version

    Currently this is just speculation. If we were to use a Bluetooth HID profile, like joycon Droid does with the switch, could we use a phone or tablet as a virtual wiimote, and send the payload through that?

    I don't know a whole lot about the pairing process, but bluez could be used a reference / starting point.

    I also don't know a lot about android app development, but I would be happy to look into it!

    opened by lividhen 6
Releases(v5)
Owner
null
4HP through hole version of the HAGIWO FM/additive/chord oscillator with mode switch and gain input.

HAGIWO 019/022/023 Triple Oscillator (FM/CHORD/ADDITIVE) 4HP through hole version of the HAGIWO FM/additive/chord oscillator with mode switch and gain

null 18 Nov 27, 2022
Access USB devices from Ruby via libusb-1.x

Access USB devices from Ruby LIBUSB is a Ruby binding that gives Ruby programmers access to arbitrary USB devices. libusb is a library that gives full

Lars Kanis 148 Jan 2, 2023
Bluetooth Joystick : A wireless joystick with ESP-32 microcontroller and Dual Axis Joystick Module using the Bluetooth connectivity.

BluetoothJoystick Bluetooth Joystick : A wireless joystick with ESP-32 microcontroller and Dual Axis Joystick Module using the Bluetooth connectivity.

null 9 Feb 24, 2022
Install the Homebrew Channel to the vWii Menu from Wii U Mode.

Install a channel to the vWii Menu from Wii U Mode. In its current state, it simply installs the Homebrew Channel.

Puzzle 36 Jan 2, 2023
Source code for the Mario Kart Wii Tournament Museum mod

Mario Kart Wii Tournament Museum Source code for the MKWTM mod. Includes the rel source and the loader. Building To compile code you'll need: NXP 'Cod

Puzzle 12 Nov 29, 2022
Updates the Wii's current system time with the real world time.

Fix Wii System Time This is a homebrew tool I made for the Wii a while ago. It updates the current system time with the real world time via worldtimea

Puzzle 2 Nov 9, 2022
A simple 3D game engine for GameCube, Wii, 3DS, Windows, and Linux.

octave A Simple 3D Game Engine for GameCube, Wii, 3DS, Windows, and Linux Windows Setup Download and Install: Visual Studio Community 2017 (with C++ s

Martin Holtkamp 10 Dec 25, 2022
Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a handy trick.

Proof-of-Concept Not related to software bugs and exploits; this repo contains snippets of code that demonstrate some interesting functionality or a h

Alisa Esage 32 Nov 19, 2022
Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider

Sealighter-TI Combining Sealighter with unpatched exploits and PPLDump to run the Microsoft-Windows-Threat-Intelligence ETW Provider without a signed

pat_h/to/file 58 Dec 26, 2022
A updated linora source with special exploits, always be updated to latest update

Fortnite-Bulletp-Internal A working vehicle Bullettp internal, will be always updated to latest fn update! my old github got termed LMAO If i see you

NotSimcraftLOL 29 Jul 16, 2022
This repo contains demo exploits for CVE-2022-0185. There are two versions here.

CVE-2022-0185 This repo contains demo exploits for CVE-2022-0185. There are two versions here. The non-kctf version (fuse version) specifically target

Crusaders of Rust CTF Team 348 Dec 24, 2022
A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.

This repository contains a personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to

null 85 Dec 28, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 160 Dec 30, 2022
Two PoC of accessing process virtual memory via NT Kernel

ProcessVmAccess Two PoC of accessing process virtual memory via NT Kernel Detail You've never interested in accessing process virtual memory through N

Kento Oki 16 Aug 11, 2022
This is a simple filter that will block any attempt to access streams beginning with

Triggering the notification only requires that you visit a particular path on an NTFS volume.

OSR Open Systems Resources, Inc. 73 Nov 1, 2022
Corsair LL Access driver abuse

CorsairLLeak Map physical addresses into userspace (RW), read/write MSRs, send/recieve data on I/O ports, and query/set bus configuration data with th

Arush Agarampur 21 Jun 27, 2022
OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

offensiveph OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls. Usage Comp

Red Section 291 Dec 29, 2022
FastPath_MP: An FPGA-based multi-path architecture for direct access from FPGA to NVMe SSD

FastPath_MP Description This repository stores the source code of FastPath_MP, an FPGA-based multi-path architecture for direct access from FPGA to NV

Beehive lab 21 Sep 12, 2022
Access to the native OS clipboard from NodeJS

Read / Write from the native OS clipboard in Node.js Features Simple API usage and Error Handling Fast / Direct OS Calls using C Full Unicode Support

Caden Parker 5 Oct 13, 2022