Hacking Wii U Hacking & Homebrew Discussion

[Goku Junior]

What the hell?
DarkFlare69, who I work on my website with, sent me this:

Spoiler

#define START_SECTION __attribute__ ((section (".text.start"), naked))
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif

int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;

int uvl_entry();

int START_SECTION
uvl_start ()
{
__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");
}

int
uvl_entry ()
{
unsigned int addr;
void *this = 0x08F10000;
int *written = 0x08F01000;
int *buf = 0x18410000;

unsigned int offset = 0;
unsigned int i;
unsigned int f;

svcSleepThread(0x400000LL);

//copy block of memory to buffer
addr = 0x1413B000;//This is the address we'll take memory from in the game
GSPGPU_FlushDataCache(addr, 0x10000);
GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(buf, 0x10000);

for (i = 0; i < 0x10000; i++)//Scan RAM for a constant value between regions
{
if ((buf == 0x00610064) && (buf[i + 1] == 0x00610074) && (buf[i + 2] == 0x002F003A) && (buf[i + 3] == 0x0073002F))
{
offset = i - 2291;

//Write screen buff so we know it worked
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
}
}

f = offset;

buf[f] = 0xFF0088B8;//Values for the hack

//flush back to memory and also write to file for debugging
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(buf, 0x10000);
GX_SetTextureCopy(buf, addr, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(addr, 0x10000);
//Write to RAM so the Wii U can read it;
svcSleepThread(0x400000LL);

return 0;
}

He said it was some sort of RAM hack for the wiiu. He's a bit of a..... don't want to say troll, but he's "off", so I doubt this is real, but could someone tell me what the hell this is?

Maybe is a dump of the RAM from GX2 (Wii U Main GPU)

 

[the_randomizer]

I don't need anything more than the ability to run homebrew for my porting stuff. I'm just fed up with those whining about "no possibility to run backups?" or "I want piracy". Don't they have some other problems...?

Lol, no one really cares, let people do what they will As long as the Wii U is hacked, what does it matter? Are you a hacker?

 

[Marionumber1]

What the hell?
DarkFlare69, who I work on my website with, sent me this:

Spoiler

#define START_SECTION __attribute__ ((section (".text.start"), naked))
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif

int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;

int uvl_entry();

int START_SECTION
uvl_start ()
{
__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");
}

int
uvl_entry ()
{
unsigned int addr;
void *this = 0x08F10000;
int *written = 0x08F01000;
int *buf = 0x18410000;

unsigned int offset = 0;
unsigned int i;
unsigned int f;

svcSleepThread(0x400000LL);

//copy block of memory to buffer
addr = 0x1413B000;//This is the address we'll take memory from in the game
GSPGPU_FlushDataCache(addr, 0x10000);
GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(buf, 0x10000);

for (i = 0; i < 0x10000; i++)//Scan RAM for a constant value between regions
{
if ((buf == 0x00610064) && (buf[i + 1] == 0x00610074) && (buf[i + 2] == 0x002F003A) && (buf[i + 3] == 0x0073002F))
{
offset = i - 2291;

//Write screen buff so we know it worked
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
}
}

f = offset;

buf[f] = 0xFF0088B8;//Values for the hack

//flush back to memory and also write to file for debugging
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(buf, 0x10000);
GX_SetTextureCopy(buf, addr, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(addr, 0x10000);
//Write to RAM so the Wii U can read it;
svcSleepThread(0x400000LL);

return 0;
}

He said it was some sort of RAM hack for the wiiu. He's a bit of a..... don't want to say troll, but he's "off", so I doubt this is real, but could someone tell me what the hell this is?

This is 3DS code...

 

[Goku Junior]

I knew it was fake when I readed he can run backups :v ...

 

[Relys]

What the hell?
DarkFlare69, who I work on my website with, sent me this:

Spoiler

#define START_SECTION __attribute__ ((section (".text.start"), naked))
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif

int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;

int uvl_entry();

int START_SECTION
uvl_start ()
{
__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");
}

int
uvl_entry ()
{
unsigned int addr;
void *this = 0x08F10000;
int *written = 0x08F01000;
int *buf = 0x18410000;

unsigned int offset = 0;
unsigned int i;
unsigned int f;

svcSleepThread(0x400000LL);

//copy block of memory to buffer
addr = 0x1413B000;//This is the address we'll take memory from in the game
GSPGPU_FlushDataCache(addr, 0x10000);
GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(buf, 0x10000);

for (i = 0; i < 0x10000; i++)//Scan RAM for a constant value between regions
{
if ((buf == 0x00610064) && (buf[i + 1] == 0x00610074) && (buf[i + 2] == 0x002F003A) && (buf[i + 3] == 0x0073002F))
{
offset = i - 2291;

//Write screen buff so we know it worked
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
}
}

f = offset;

buf[f] = 0xFF0088B8;//Values for the hack

//flush back to memory and also write to file for debugging
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(buf, 0x10000);
GX_SetTextureCopy(buf, addr, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(addr, 0x10000);
//Write to RAM so the Wii U can read it;
svcSleepThread(0x400000LL);

return 0;
}

He said it was some sort of RAM hack for the wiiu. He's a bit of a..... don't want to say troll, but he's "off", so I doubt this is real, but could someone tell me what the hell this is?

This is exploiting a gsp vuln for 3DS on ARM11.
http://pastebin.com/Exb98yWR

 

[nitr8]

IT'S HAPPENING

That's only a simple freeze, nothing more. You don't get any code dumps or exceptions, no error log at all. And the second point is that I have never said your purpose for hacking the Wii U is piracy.

 

[Relys]

isn't that one of the flaws used in ninjhax?

That is correct. It's the Stage 2 GPU DMA attack: http://smealum.net/

 

[the_randomizer]

I assume this means that updating to 5.3.2 is a big no-no.

 

[VinsCool]

Why is this not privately given to devs instead of offering it to nintendo via a public forum?

 

[the_randomizer]

too late, I already did it, and MN1 says they are investigating the crash I found, not yes or no

Dang, because being connected to the internet on 5.2.0 is pretty damn risky in and of itself, if I was on 5.3.2 without any issues, I'd have done it.

Why is this not privately given to devs instead of offering it to nintendo via a public forum?

Good question, but, even if Nintendo found about it, they can't retroactively patch in older firmware.

 

[FPSRussi4]

Well for Kernel exploit, don't update. Dunno if anything's available after that.

Also yeah, stop announcing things dude.

 

[the_randomizer]

Kelton2 I'd remove that video link on here as well.

 

[Goku Junior]

Why is this not privately given to devs instead of offering it to nintendo via a public forum?

Don't worry, Nintendo don't know what bug are we talking now, there are a lot of them .

 

[NWPlayer123]

It's okay, it's been dealt with, enough whining about how it should have happened, back on topic.
Kernel exploit takes priority because of how much more difficult it is to pull off, so I still say hold off on 5.3.1/5.3.2

 

[Goku Junior]

It's okay, it's been dealt with, enough whining about how it should have happened, back on topic.
Kernel exploit takes priority because of how much more difficult it is to pull off, so I still say hold off on 5.3.1/5.3.2

But after Kernel exploit comes the new WebKit exploit (I think), and next you will develop a IOSU exploit?

 

[NWPlayer123]

But after Kernel exploit comes the new WebKit exploit (I think), and next you will develop a IOSU exploit?

As has been said before, no promises on anything after the kernel exploit is finished, not even a "homebrew launcher". We'll still release it and you can make it yourselves assuming we don't, but....

 

[Goku Junior]

As has been said before, no promises on anything after the kernel exploit is finished, not even a "homebrew launcher". We'll still release it and you can make it yourselves assuming we don't, but....

OK! no problem with that!, you two had done a lot of work (even for free, we aren't paying), so we are very thankful all of you and MN1 did .

 

[IbbyPlays]

As has been said before, no promises on anything after the kernel exploit is finished, not even a "homebrew launcher". We'll still release it and you can make it yourselves assuming we don't, but....

OK! no problem with that!, you two had done a lot of work (even for free, we aren't paying), so we are very thankful all of you and MN1 did .

I would donate if there was a kickstarter or something in the name of Wii U hacking.

 

[VinsCool]

I would donate if there was a kickstarter or something in the name of Wii U hacking.

oh god please not a kickstarter....

 

[yahoo]

That's only a simple freeze, nothing more. You don't get any code dumps or exceptions, no error log at all.

Umm, this is exactly what the current webkit exploit browser crash does when you don't spray the heap and inject custom code. Try it.