I get it now

those are userspace hax, and cause games have no JIT to copy code into and then execute, it has to run entirely with return oriented chains, it's the same on both 3DS and Wii U
All the Wii U userspace hax (first HTML sploit for 4.0.0-5.1.0, second HTML sploit for 5.1.1-5.3.2, MP4 stagefright sploit for 5.4.0-5.5.1) have been through the web browser cause it's eons easier to work with, nice static address (0x01800000) and no having to fit pieces together from existing code (well, you do to copy it into JIT but that's immensely simplified)
any kind of kernel hax deals strictly after we get code running from this first part, and the basic idea is still to get something with the right permission to write somewhere where it's not supposed to, copy data into the syscall table or into the heap or overwrite a kernel structure to change what it's doing or something, the hard part is seeing what has the right permissions, not many actually deal with r/w, we've gotten lucky these first few times
thanks for the answer