Hacking Using the Wii U RPC Client

[NWPlayer123]

Oh, something's not configured right in XAMPP or something was changed, it shouldn't pop up with that screen with all the options, it should give you an error about Access Denied because it's not local (IE being accessed on the computer it's running on). Did you have it installed before now?

 

[mariosonicds]

So i compiled it, but my python does not get Wii U. I got address thing changed and every thing. The only error i got was (C:\devkitPro\devkitPPC\bin\powerpc-eabi-ld.exe: warning: cannot find entry symbol _start; defaulting to 01800000)
My Wii U firmware is 5.0.0, I have tried what the Tgames one and it just locked up, while this just doesn't let me do anything except look at browser.

 

[ibooN]

So i compiled it, but my python does not get Wii U. I got address thing changed and every thing. The only error i got was (C:\devkitPro\devkitPPC\bin\powerpc-eabi-ld.exe: warning: cannot find entry symbol _start; defaulting to 01800000)
My Wii U firmware is 5.0.0, I have tried what the Tgames one and it just locked up, while this just doesn't let me do anything except look at browser.

What version of python do you have?

 

[mariosonicds]

I'm using 2.7 for path but i have 3.3 too.

 

[Goku Junior]

Thank you very much, I will read it and try to understand it, I will try something next week!.

 

[NWPlayer123]

yeah, I'm using 2.7 for the RPC (as you can see by the picture in the first post) and AFAIK python 2.7 is the main one I have setup to be used, but I also have 3.2 for stuff that needs v3.

 

[Kliffcom]

What do I wrong?

 

[NWPlayer123]

Oh, looks like you need DevKitPPC (DevKitPro). I forgot to add that to the requirements on my post. Updating.

 

[ChrisX930]

what could we do with this?
And will it work on Wii U 5.1.2(E)?

 

[NWPlayer123]

Not much at the moment, that's why we're working on a kernel exploit to allow for better homebrew. Also, no, the bug was fixed in 5.1.1, so anything after that is broken as well.

 

[ChrisX930]

Not much at the moment, that's why we're working on a kernel exploit to allow for better homebrew. Also, no, the bug was fixed in 5.1.1, so anything after that is broken as well.

okay, thank you

 

[yahoo]

Boot up your Wii U and go into the Web Browser. Then go if everything's working correctly it should print ("Connected by", someIPaddress). Then you can use that new window from IDLE to run all your commands.

My IDLE session properly displays the "connected by" line with the local ip of my wii u, but I seem to be running into two issues:
1. My wii u is frozen. It can only be turned off by holding the power button on the console itself. None of the UI on the game pad is responsive and the power button on the gamepad only powers off the game pad. Does this sound right?
2. All rpc.* commands I run in the IDLE session have an error saying "broken pipe." There is a stack trace, if that would be helpful, but I'm not in front of my computer right now.
Any ideas? I appreciate your help!

 

[yahoo]

Turns out it was working, but once you make an erroneous call, the connection breaks and all subsequent calls fail. Still looks like the wii u can only be turned off by holding the power button on the console itself and it freezes if I try to exit the browser. Is that expected?

 

[NWPlayer123]

Turns out it was working, but once you make an erroneous call, the connection breaks and all subsequent calls fail. Still looks like the wii u can only be turned off by holding the power button on the console itself and it freezes if I try to exit the browser. Is that expected?

Yes

 

[yahoo]

Yes

Ah. Thanks. How do I go about finding the signatures and offsets of other coreinit methods?

 

[NWPlayer123]

Ah. Thanks. How do I go about finding the signatures and offsets of other coreinit methods?

If you want to know/access all the functions/methods, use OSDynLoad_Acquire and OSDynLoad_FindExport, or get_symbol from the RPC client. If you really wanna go deep, try finding and downloading one of the SDKs, they're out there. The documentation has anything you could ever want to know.

 

[yahoo]

If you want to know/access all the functions/methods, use OSDynLoad_Acquire and OSDynLoad_FindExport, or get_symbol from the RPC client. If you really wanna go deep, try finding and downloading one of the SDKs, they're out there. The documentation has anything you could ever want to know.

Can't we just dump CafeOS from our consoles? Do you know how to do that?

 

[Marionumber1]

Can't we just dump CafeOS from our consoles? Do you know how to do that?

We could if we had a kernel or loader exploit. I believe the symbol table is also in memory, but I don't know exactly where it is.

 

[yahoo]

If you want to know/access all the functions/methods, use OSDynLoad_Acquire and OSDynLoad_FindExport, or get_symbol from the RPC client. If you really wanna go deep, try finding and downloading one of the SDKs, they're out there. The documentation has anything you could ever want to know.

We could if we had a kernel or loader exploit. I believe the symbol table is also in memory, but I don't know exactly where it is.

do either of you know of a way to power off the console via rpc?
nevermind rpc.exit() accomplishes what i wanted

 

[yahoo]

If you want to know/access all the functions/methods, use OSDynLoad_Acquire and OSDynLoad_FindExport, or get_symbol from the RPC client. If you really wanna go deep, try finding and downloading one of the SDKs, they're out there. The documentation has anything you could ever want to know.

I'm looking at the sdk v1.7 and can't find some apparently key things you guys are using in the rpc client. For example, how do you know nsysnet.rpl exists? The sdk index (system/docs/man/en_us/index.html) doesn't mention it. There is mention of SORecv, SOSocket, SOConnect, SOSend, which match the signatures of the nsysnet.rpl symbols the rpc server uses, but I think I am missing something.