Hacking Wii U audio dumping research thread

[WulfyStylez]

Alright, so I attempted another dump, however, there's a problem. Using NWPlayer123's code (See this post), it can dump, from time to time. However, the Wii U crashes are caused for some unknown reason. As soon as the "dumping" finished (It made a 0-byte sized BIN file), the Python console spit out this:

Traceback (most recent call last):
  File "<pyshell#0>", line 1, in <module>
    rpc.dump_img(0xE2C00000, 0x1400000, "TestDump-WWHD-02-Move.bin")
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host
>>> rpc.exit()
Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    rpc.exit()
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

The first one with the img_dump, that occurred just after finishing the dump and hitting 100%. All in all, nothing was actually dumped for some odd reason. rpc.exit() just fails because the Wii U has crashed by this point and has become completely unresponsive.

Did you try actually opening your files? Windows might show your file as 0KB, even though it's got data in it.

 

[loco365]

Did you try actually opening your files? Windows might show your file as 0KB, even though it's got data in it.

Yeah, I see. After closing the Python shell, it saved the file as it should.

 

[celcodioc]

Alright, so I attempted another dump, however, there's a problem. Using NWPlayer123's code (See this post), it can dump, from time to time. However, the Wii U crashes are caused for some unknown reason. As soon as the "dumping" finished (It made a 0-byte sized BIN file), the Python console spit out this:

Traceback (most recent call last):
  File "<pyshell#0>", line 1, in <module>
    rpc.dump_img(0xE2C00000, 0x1400000, "TestDump-WWHD-02-Move.bin")
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host
>>> rpc.exit()
Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    rpc.exit()
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

The first one with the img_dump, that occurred just after finishing the dump and hitting 100%. All in all, nothing was actually dumped for some odd reason. rpc.exit() just fails because the Wii U has crashed by this point and has become completely unresponsive.

NWPlayer123's code is based on my code which didn't work at the time. I've updated it and made a seperate .py for it, which you can place in the same directory as rpc.py, and then run these commands in the RPC shell:

import ramio
ram = ramio.RAMIO(rpc)
ram.dump_file("TestDump-WWHD-02-Move.bin", 0xE2C00000, 0x1400000)

I doubt you'll be able to find WWHD streams in there though. Just the music from while the game starts up.

 

[Bug_Checker_]

Alright, so I attempted another dump, however, there's a problem. Using NWPlayer123's code (See this post), it can dump, from time to time. However, the Wii U crashes are caused for some unknown reason. As soon as the "dumping" finished (It made a 0-byte sized BIN file), the Python console spit out this:

Traceback (most recent call last):
  File "<pyshell#0>", line 1, in <module>
    rpc.dump_img(0xE2C00000, 0x1400000, "TestDump-WWHD-02-Move.bin")
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host
>>> rpc.exit()
Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    rpc.exit()
ConnectionResetError: [WinError 10054] An existing connection was forcibly closed by the remote host

The first one with the img_dump, that occurred just after finishing the dump and hitting 100%. All in all, nothing was actually dumped for some odd reason. rpc.exit() just fails because the Wii U has crashed by this point and has become completely unresponsive.

Did you see my post?
http://gbatemp.net/threads/wii-u-hacking-discussion.367489/page-37#post-5066675
hint is in red in quote.
celcodioc and Marionumber1 got it.

Always better if you can figure/see it for yourself

Answer is here if you can't see a potential problem(try not to cheat only hurts in the long run)

Spoiler

http://gbatemp.net/threads/wii-u-hacking-discussion.367489/page-37#post-5066950

Oh nevermind celcodioc already posted/updated

 

[loco365]

NWPlayer123's code is based on my code which didn't work at the time. I've updated it and made a seperate .py for it, which you can place in the same directory as rpc.py, and then run these commands in the RPC shell:

import ramio
ram = ramio.RAMIO(rpc)
ram.dump_file("TestDump-WWHD-02-Move.bin", 0xE2C00000, 0x1400000)

I doubt you'll be able to find WWHD streams in there though. Just the music from while the game starts up.

So, I tried that with MK8, and got the following error:

>>> import ramio
>>> ram = ramio.RAMIO(rpc)
>>> ram.dump_file("Dump-MK8-02.bin", 0xE2C00000, 0x1400000)
Traceback (most recent call last):
  File "<pyshell#2>", line 1, in <module>
    ram.dump_file("Dump-MK8-02.bin", 0xE2C00000, 0x1400000)
  File "C:\Users\Jordan\Documents\uploads\exploit_dev\ramio.py", line 11, in dump_file
    while length - outputfile.tell() > 0:
ValueError: I/O operation on closed file

It dumped a file 500 bytes in size, though.

 

[celcodioc]

So, I tried that with MK8, and got the following error:

>>> import ramio
>>> ram = ramio.RAMIO(rpc)
>>> ram.dump_file("Dump-MK8-02.bin", 0xE2C00000, 0x1400000)
Traceback (most recent call last):
  File "<pyshell#2>", line 1, in <module>
    ram.dump_file("Dump-MK8-02.bin", 0xE2C00000, 0x1400000)
  File "C:\Users\Jordan\Documents\uploads\exploit_dev\ramio.py", line 11, in dump_file
    while length - outputfile.tell() > 0:
ValueError: I/O operation on closed file

It dumped a file 500 bytes in size, though.

Python indentation sucks. Re-download the file, I just corrected it.

 

[WulfyStylez]

Success!: https://dl.dropboxusercontent.com/u/17742474/mh3u.wav
So to dump game intro sounds, as has been said before, you dump some data from 0xE2C00000. I don't think we have to dump 0x1400000 bytes though, as the audio files are never that long and the Wii U will crash if you hit the end of that range.
Anyways, I was able to play this back by importing it into Audacity as a 16-bit signed big-endian PCM file with 48000hz sample rate. Then I cut some stuff off at the end since the dump was too long.

 

[Relys]

Success!: https://dl.dropboxusercontent.com/u/17742474/mh3u.wav
So to dump game intro sounds, as has been said before, you dump some data from 0xE2C00000. I don't think we have to dump 0x1400000 bytes though, as the audio files are never that long and the Wii U will crash if you hit the end of that range.
Anyways, I was able to play this back by importing it into Audacity as a 16-bit signed big-endian PCM file with 48000hz sample rate. Then I cut some stuff off at the end since the dump was too long.

Wohhh nice job! Also, great releases celcodioc.

 

[celcodioc]

Success!: https://dl.dropboxusercontent.com/u/17742474/mh3u.wav
So to dump game intro sounds, as has been said before, you dump some data from 0xE2C00000. I don't think we have to dump 0x1400000 bytes though, as the audio files are never that long and the Wii U will crash if you hit the end of that range.
Anyways, I was able to play this back by importing it into Audacity as a 16-bit signed big-endian PCM file with 48000hz sample rate. Then I cut some stuff off at the end since the dump was too long.

My dumps were up to 0x3A963C long. And yeah, going past 0xF6000000 would probably crash the system since you're going into the (unmapped?) system memory.

 

[WulfyStylez]

My dumps were up to 0x3A963C long. And yeah, going past 0xF6000000 would probably crash the system since you're going into the (unmapped?) system memory.

Derp yeah, didn't even notice that. And mine seems to end at about 0x34c000 length.

 

[NWPlayer123]

Huh, I was able to dump the entire part from 0xE2C00000 up to the last 20 bytes. On another note, here's New Super Luigi U and Wind Waker HD's intros.

 

[loco365]

Well, I'm going to work on getting a new ram dump, that is, once I can get the RPC client to stop crashing the entire console...

Edit: Back up and running, just needed to do some recompiling. Anyways, I got the same files that NWPlayer123 got, but no streams. I'm going to try MK8, although I doubt I'll get far. I'll use the same memory area, since I know that MK8's audio is all streamed in FWAV format. I'm sure that the entire stream is loaded to memory, seeing as the console has more than enough memory to support it, but if it doesn't, well, I'll be damned.

 

[Chadderz]

Ah, excellent I'm glad you've had some progress with this! I don't know if you ever get more than just the intro sounds as that's what my dumps have too, I only ever did dumps on the main menu. Still, a step in the right direction.

 

[loco365]

Ah, excellent I'm glad you've had some progress with this! I don't know if you ever get more than just the intro sounds as that's what my dumps have too, I only ever did dumps on the main menu. Still, a step in the right direction.

Yeah, it's nicely coming along, but I am not sure if the game streams the audio from the disc or not yet. If it does, then the only other option I'd have for dumping audio is to dump the filesystem off the disc via local wifi, which, I don't think can be done yet, and if it can, there's a very, very, very slim chance that'll ever go public.

 

[starerik]

As I understand it, MrBean and Chadderz got a hold of all the audio files in MK8 since they could replace them with custom music. How did they do that?

 

[Ryanrocks462]

As I understand it, MrBean and Chadderz got a hold of all the audio files in MK8 since they could replace them with custom music. How did they do that?

they have found PPC kernel access but aren't releasing it to the public because they don't want hacks/cheats online by them (its gonna happen eventually tho unfortunately

 

[loco365]

they have found PPC kernel access but aren't releasing it to the public because they don't want hacks/cheats online by them (its gonna happen eventually tho unfortunately

Well, with the state that things are now, they'll first have to find a way to get past the 5.1.1 barrier to be able to even get back online. Releasing the PPC hack right now would be harmless, that is, until someone finds a way to bypass the firmware requirement checks.

 

[Ryanrocks462]

Well, with the state that things are now, they'll first have to find a way to get past the 5.1.1 barrier to be able to even get back online. Releasing the PPC hack right now would be harmless, that is, until someone finds a way to bypass the firmware requirement checks.

thats true ^^

 

[Kargaroc]

Of course, once they break 5.11 it won't be harmless anymore.
That's like saying, "Hey, can I put a virus on your PC? It's harmless until next week!"

Damn, it really is the dark age of console hacking.

 

[Ryanrocks462]

Of course, once they break 5.11 it won't be harmless anymore.
That's like saying, "Hey, can I put a virus on your PC? It's harmless until next week!"

Damn, it really is the dark age of console hacking.

thats y i use macs