[RELEASE] drxtool - gamepad+drh firmware hacking utility

Discussion in 'Wii U - Hacking & Backup Loaders' started by WulfyStylez, Dec 14, 2016.

  1. WulfyStylez
    Hey! I finally got around to rewriting this and making it more useful. Hopefully this will inspire and assist with some useful hacks and research. From the readme:

    drxtool enables extraction, modification, and rebuilding of drc (gamepad) and drh (host) firmware binaries, including actual firmware (e.g. drc_fw.bin, drh_fw.bin) as well as language data (lang_00.bin, etc.). This subsequently allows for firmware RE and patching, switching out graphics, enabling debug modes, etc.
    drop a binary onto drxtool to extract it to [filename]_extracted. it will be split into its components, including separate sections for firmwares. language files are a big blob since their layout is determined per-firmware-version.
    drop an extracted folder onto drxtool to rebuild it to [foldername].bin.
    in both cases, drxtool can be invoked from command line/terminal for additional debug output.

    this has been tested and is working on all DRC, DRH, and language data dating back to the very first external beta builds for near-final gamepad hardware (v16, though v15 likely ran on this hardware as well). earlier hardware uses a different update format (the hw has all likely been destroyed by now.)

    to flash binaries with ios-level hax, try bumping up the first big-endian u32 in blob_header.bin by 1, as well as bumping up the version in app.xml. updating VER_.bin isn't necessary as the gamepad and drh don't care what version they're on, only IOS.
    other update methods include potentially using libdrc to push an update directly to the gamepad (strip the first 0x10 as this is a big-endian header used by IOS) or by writing the payload directly to the serial eeprom (strip the first 0x10+0x1000+0x4000), which is useful for unbricking.

    good luck, and try not to brick!

    changelog:
    2.0 - 12/14/2016:
    - initial public release
    1.0 - 08/10/2016:
    - it lives!


    downloads (v2.0):
    MEDIAFIRE
    MEGA
    Last edited by WulfyStylez, Dec 14, 2016 - Reason: minor clarification
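    As an added example (not drxtool's own code), a small Python helper for the three header steps the post describes: reading and bumping the first big-endian u32 of blob_header.bin, and stripping 0x10 or 0x10+0x1000+0x4000 bytes to get the libdrc and serial-EEPROM payloads. It assumes blob_header.bin is exactly the 0x10-byte IOS header; the sample bytes are constructed, not real firmware.

```python
"""Helpers for the update-header steps described in the post above.

Added example, not drxtool's own code. Assumption: blob_header.bin holds the
0x10-byte big-endian header that IOS reads in front of the packed update.
"""
import struct

IOS_HEADER_LEN = 0x10                   # big-endian header used by IOS (from the post)
EEPROM_SKIP = 0x10 + 0x1000 + 0x4000    # bytes to strip before a raw EEPROM write (from the post)


def read_ios_version(blob_header: bytes) -> int:
    """Return the first big-endian u32 of blob_header.bin, the value IOS checks."""
    if len(blob_header) < 4:
        raise ValueError("blob_header.bin is shorter than 4 bytes")
    return struct.unpack(">I", blob_header[:4])[0]


def bump_ios_version(blob_header: bytes, step: int = 1) -> bytes:
    """Return a copy with the first big-endian u32 raised by `step`, rest untouched.

    Refuses to wrap the 32-bit field: a wrapped value would read as a lower
    version, so IOS would not see the blob as newer than what is installed.
    """
    version = read_ios_version(blob_header)
    if version + step > 0xFFFFFFFF:
        raise OverflowError("version field would wrap")
    return struct.pack(">I", version + step) + blob_header[4:]


def libdrc_payload(update: bytes) -> bytes:
    """Strip the 0x10-byte IOS header: the part libdrc would push to the gamepad."""
    if len(update) <= IOS_HEADER_LEN:
        raise ValueError("update is no larger than the IOS header")
    return update[IOS_HEADER_LEN:]


def eeprom_payload(update: bytes) -> bytes:
    """Strip 0x10 + 0x1000 + 0x4000 bytes: the image written straight to the serial EEPROM."""
    if len(update) <= EEPROM_SKIP:
        raise ValueError("update is too small to hold an EEPROM image")
    return update[EEPROM_SKIP:]


if __name__ == "__main__":
    # Constructed sample (not a real firmware): version-16 header plus 0x6000 bytes of filler.
    sample = struct.pack(">I", 16) + b"\0" * 0xC + bytes(range(256)) * 0x60
    bumped = bump_ios_version(sample[:IOS_HEADER_LEN])
    print(read_ios_version(bumped), len(libdrc_payload(sample)), len(eeprom_payload(sample)))
```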


  2. Psi-hate
    Thank you based wulfy
  3. Naendow
    Looks like it could be useful anytime. Thx for this :)
  4. Daggot
    Thanks dude.
  5. asper
    The files your tool (good tool!) supports are update binaries.

    In the full DRC firmware (32 MB; you can obtain it by hardware-dumping), 1st release, with no updates (so I suppose v5128):
    ERR starts at: 0x1D2D8E
    IMG starts at: 0x245830
    INDX starts at: 0x100000
    LVC starts at: 0x100070
    UMI starts at: 0x23EEEE
    VER starts at: 0x100070
    WIFI starts at: 0x195AD8

    The section in which they are located in the full firmware is 0x0100000 (8.388.608 bytes).
    Last edited by asper, Dec 14, 2016
  6. pietempgba
    This might eventually make the gamepad region free
  7. huma_dawii
    What is this for?
  8. pietempgba
    This is for extracting the gamepad firmware (drc_fw.bin, drh_fw.bin) and all the other stuff in the gamepad firmware.
  9. TotalInsanity4
    Is it not already?
  10. xtheman
    It isn't. It still needs to be the same region as the base console to connect, so a JPN drc won't link to a USA Wii U.
  11. WulfyStylez
    Yep, modifications to allow stuff like region unlocking/changing and enabling the DK Menu (not that you need it on retail, but...) are possible now. I'd check out libdrc's RE docs for a crash course on firmware format and gamepad internals, since there's quite a lot going on.
    As an example, you can tear into the main ARM processor's firmware by loading LVC_.bin as ARM little-endian at address 0x0 in your tool of choice.

    EDIT: I do have plans to release something allowing people to change boot screens too, as was demonstrated in the past. At the moment that tool's still in proof-of-concept state (haven't touched it since I made that video) and needs a rework, so expect to see it eventually.
    Last edited by WulfyStylez, Dec 14, 2016
  12. TotalInsanity4
    I hate to ask, since this is a question that ALWAYS gets asked, but is it possible (in the future) to develop this to a point where you could stream the gamepad screen to a PC window?
  13. xtheman
    It has already been done. Linux only.
  14. TotalInsanity4
    I'm fully aware of the existence of that, which is exactly why I'm asking if it's possible with this XD
  15. xtheman
    You can do it without this.
  16. TotalInsanity4
    I know. I've tried it; I couldn't even get it to compile, and I have yet to meet someone on this website who's successfully gotten it working.
  17. Antonio Ricardo
    I think the most difficult part is the gamepad touch screen; I don't know if a gamepad stream on a PC would be good.
    @WulfyStylez can we control a game with a Pro Controller and use a touch screen gamepad on another device?
    Because the Gamepad will not last forever; one day it will break. @Maschell is doing great work with HID, but we have to look for a way to substitute the touch screen; I don't know if this is possible.
    Last edited by Antonio Ricardo, Dec 14, 2016
  18. TotalInsanity4
    Don't wanna play, just want to record :P
  19. driverdis
    I thought the problem was that it could link up and work normally until an update tries to apply, which will fail as the gamepad region does not match the console region.
  20. emmanu888
    Does this mean that in the near future we could have region-free Wii Us and region-free Gamepads?