Well, since it got leaked, I
released the source on Github. For those wondering how it works, it's similar to gspwn on the 3DS. The Wii U GPU (the GX2) has direct access to RAM for various operations, and we can send it commands that make it write to RAM. Nintendo attempted to block some addresses from GPU access, but they forgot the PPC kernel heap. So I used a GX2 memory write to redirect the heap into userspace. That way, when a new OSDriver gets created, it gets made in userspace, and I can then just set its save area to the kernel syscall table. From then, it proceeds
as the OSDriver exploit did.