Toggle sidebar

Hacking Wii U Hacking & Homebrew Discussion

  • Thread starter Thread starter filfat
  • Start date Start date
  • Views Views 5,063,078
  • Replies Replies 21,104
  • Likes Likes 29
That looks kind of like a DS/3DS NWPlayer123. What are they up to? Hmm
 
celcodioc said:
How about posting a mutated Rayman Legends 3D World screenshot to Miiverse?!


Just kidding. Unfortunately, this proves that my random theory was right and there is no framebuffer in that area of the memory. Sorry Chadderz :(

NWPlayer123, these screenshots are also used in the browser, so yes.
Click to expand...

Could you describe the process of how you got those pictures ripped/rendered because I'm dumping from the same region of memory (I'm on 5.1.0), and getting nowhere near the same results, both with the actual data (and IDK how to render it properly)
 
NWPlayer123 said:
Could you describe the process of how you got those pictures ripped/rendered because I'm dumping from the same region of memory (I'm on 5.1.0), and getting nowhere near the same results, both with the actual data (and IDK how to render it properly)
Click to expand...

Okay, first download these 2 tools and extract them in the same folder as your ramdump: https://dl.dropboxusercontent.com/u/72562253/CWRT_v1.zip

You may have to fix your ramdump first using the FileFixer application you downloaded first (drag and drop into it), which exports a file with the same name but with the .fixed extension. In my case I had to, whenever I used the file write function in Python it wrote the input (a buffer of 500 bytes) 4 times. It could have been that I was doing something wrong though.

Next, drag either the original or the .fixed file into FileToBitmap (if one gives strange results, try the other). It will ask you for input addresses and length. You can either use the values from my earlier post (without the 0x, also don't forget to subtract 0xE0000000 from them assuming your memory dump starts there), or just push enter without typing anything to read the entire dump (the images will be shifted though). Use 1280 for the output width to render the TV images properly.

When it's done, the output file will be saved as a .bmp and open automatically!

(Edit: just updated the tools to fix a bug)
 
Are you all just dumping with rpc.py? Cause when I try to do a dump of that memory region (and about 3MB in size), it just takes ages and never returns for me. I do see network activity, though.
 
WulfyStylez said:
Are you all just dumping with rpc.py? Cause when I try to do a dump of that memory region (and about 3MB in size), it just takes ages and never returns for me. I do see network activity, though.
Click to expand...

Dump in chuncks and cat them.
 
WulfyStylez said:
Are you all just dumping with rpc.py? Cause when I try to do a dump of that memory region (and about 3MB in size), it just takes ages and never returns for me. I do see network activity, though.
Click to expand...

This is my code for dumping memory. I haven't tested it after I last modified it, but it should still work. Copy everything into Notepad, change the values you need to, and paste the changed script into the interactive Python shell.

However, there is one problem with it (or maybe it's just my computer), which is that thefile.write writes the buffer 4 times to the file. I had to write a Windows program (FileFixer from this archive) that creates a fixed dump from one that has that problem (drag and drop the dump into FileFixer).

Code: 
adr = 0xE3500000 #change this (starting address)
btr = 0x00384000 #this (number of bytes to read)
curb = 0
 
thefile = open("outputram.bin", "wb") #and this (output file)
 
while btr - curb > 0:
    if btr - curb >= 500:
        numbytes = 500
    else:
        numbytes = btr - curb
 
    buf = rpc.read32(adr + curb, numbytes)
    for item in buf:
        uselessval = thefile.write(struct.pack(">I", item))
 
    thefile.flush()
    curb += numbytes
 
    if curb % 100000 == 0 or btr == curb:
        print(str(curb) + " / " + str(btr) + " (" + str(round(curb / btr * 10000) / 100) + "%)")
 
thefile.close()
 
Hmm, that's the way I'm doing it (mostly), but it just gives me garbage data(not exactly garbage but grey striped nonsense). Are you using a disc or something on your Wii U? Because all I've been doing is
1) Turn on and click my profile
2) Click on the icon of the app on the menu to get it to load
3) Wait till I can switch apps then press the home button and click Web Browser(IE not going back to the menu)
4) Run the RPC script and dump data from that section
5) ???
6) FAILURE


Code: 
img1 = rpc.read32(0xE3500000, 921600)
 
import struct
file = open("img1.bin", "wb")
for x in xrange(len(img1)):
    file.write(struct.pack(">I", img1[x]))
 
file.close()
This is the kinda stuff I'm getting.
 
celcodioc said:
This is my code for dumping memory. I haven't tested it after I last modified it, but it should still work. Copy everything into Notepad, change the values you need to, and paste the changed script into the interactive Python shell.

However, there is one problem with it (or maybe it's just my computer), which is that thefile.write writes the buffer 4 times to the file. I had to write a Windows program (FileFixer from this archive) that creates a fixed dump from one that has that problem (drag and drop the dump into FileFixer).

Code: 
import datetime
 
adr = 0xE3500000 #change this (starting address)
btr = 0x00384000 #this (number of bytes to read)
curb = 0
 
thefile = open("outputram.bin", "wb") #and this (output file)
 
while btr - curb > 0:
    if btr - curb >= 500:
        numbytes = 500
    else:
        numbytes = btr - curb
 
    buf = rpc.read32(adr + curb, numbytes)
    for item in buf:
        uselessval = thefile.write(struct.pack(">I", item))
 
    thefile.flush()
    curb += numbytes
 
    if curb % 100000 == 0 or btw == curb:
        print(str(curb) + " / " + str(btr) + " (" + str(round(curb / btr * 10000) / 100) + "%)")
 
thefile.close()
Click to expand...
2014-08-05_15-55-32.png
I keep getting this upon running either code snippet. I assume the forum is mangling the formatting? Python's awful with indentation, I've learned.
 
NWPlayer123 said:
Hmm, that's the way I'm doing it (mostly), but it just gives me garbage data(not exactly garbage but grey striped nonsense). Are you using a disc or something on your Wii U? Because all I've been doing is

1) Turn on and click my profile
2) Click on the icon of the app on the menu to get it to load
3) Wait till I can switch apps then press the home button and click Web Browser(IE not going back to the menu)
4) Run the RPC script and dump data from that section
5) ???
6) FAILURE


Code: 
img1 = rpc.read32(0xE3500000, 921600)
 
import struct
file = open("img1.bin", "wb")
for x in xrange(len(img1)):
    file.write(struct.pack(">I", img1[x]))
 
file.close()
This is the kinda stuff I'm getting.
Click to expand...

Have you tried my script? By the way, I'm on 5.1.0 if that matters.

WulfyStylez said:
2014-08-05_15-55-32.png
I keep getting this upon running either code snippet. I assume the forum is mangling the formatting? Python's awful with indentation, I've learned.
Click to expand...

Hmm, I did have a typo in the code which I just corrected, but I have no idea why you get that. Try pasting it into Notepad, then from there into the shell?
 
Line-by-line was a bit boring so I actually just integrated celcodioc's method into rpc.py itself and...
outputram.bin.fixed1.png
My TV only takes 1080i, thus why the image appears a bit garbled. Still neat though.
 
  • Like
Reactions: celcodioc
WulfyStylez said:
Line-by-line was a bit boring so I actually just integrated celcodioc's method into rpc.py itself and...
outputram.bin.fixed1.png
My TV only takes 1080i, thus why the image appears a bit garbled. Still neat though.
Click to expand...

I think you'll have to render it with a width of 1280 for it to look normal. ;)
 
It worked....somewhat. So I just added it as a command to the RPC script, and it worked like a charm....except for fhe fact that it didn't dump even close to what I was thinking it would. i loaded up MK8, and like half of Mario's kart from the title screen and that was it, which was really weird. i can post my version in an hour and a half or so. But....it's progress!
 
So I assume what we're dumping is the images the menu and browser use for backgrounds and screenshots respectively? There's no way this is the framebuffer.
 
It appears that the GX2 library provides functions to change the TV and Gamepad framebuffers, GX2SetTVBuffer() and GX2SetDRCBuffer() respectively. A while ago, I managed to find an example usage of GX2SetDRCBuffer() in a presentation given by a fail0verflow member. Go down to the slide titled "WiiU DRC", it shows how to allocate and then set the framebuffer for the Gamepad. We could probably use this same method.
 
Okay, figured out all the data.
Code: 
    def dump_img(self, addr, size, output="img.bin"):
        curb = 0
 
        thefile = open(output, "wb")
 
        while size - curb > 0:
            if size - curb >= 500:
                numbytes = 500
            else:
                numbytes = size - curb
 
            buf = rpc.read32(addr + curb, numbytes)
            for item in buf:
                uselessval = thefile.write(struct.pack(">I", item))
 
            thefile.flush()
            curb += numbytes
 
            if curb % 100000 == 0 or size == curb:
                print(str(curb) + " / " + str(size) + " (" + str(round(curb / size * 10000) / 100) + "%)")
 
        thefile.close()
Add that to rpc.py as a new definition for class WiiURpc().
rpc.dump_img(0xE3500000, 3686400, "MarioKart8-1.bin")
rpc.dump_img(0xE38C0000, 1720320, "MarioKart8-2.bin")
This eventually got me to a correct dump. Ran it through FileFixer as the default (500), then ran it through FileToBitmap with 1280 and 896. Yes, 896, the image is in the right place but for whatever reason it has 42 pixels of padding on one side. It's still 854x480 without the border. Note that both images will also have an extra layer of junk at the bottom (a 721st/481st row), but just clip it off in Photoshop (had to run it through Paint because it didn't want to recognize it), and it's perfect!
https://dl.dropboxusercontent.com/u/56043942/RandomPics/MarioKart8-1.png
https://dl.dropboxusercontent.com/u/56043942/RandomPics/MarioKart8-2.png
TADA!
 
  • Like
Reactions: VinsCool and Ryanrocks462

Site & Scene News

Go to forum More news

Popular threads in this forum

Strange Blue Blinking Wii U

Hacking Homebrew Project  Modernized YouTube for Wii U

Struggling to get WiiFlow/USBLoaderGX to recognize USB sticks

Feedback  Community Overclock Stats: A5X vs B1X Motherboards

Sonic 3 AIR Wii U teaser screenshot

Wii Games Performance on Wii U (vWii C2W Overclock) – Community Testing & Results Sharing

My dad's Wii U cannot install Aroma. HELP!!

Gaming Homebrew Misc Project  Roséverse - a 1:1 Miiverse revival by Project Rosé!