Hacking Wii U Hacking & Homebrew Discussion

  • Thread starter: filfat
  • Views: 5,063,033
  • Replies: 21,104
  • Likes: 29
About the website
Hi, I've been working on the website for a little while, setting up the Bitbucket page, and I was wondering if any of you guys who know PHP want to help create a system for the Application list where users can submit a new application and already accepted applications will render in a list.html file. When that is done I only need to finalize the website and markdown files and press the publish button to make everybody able to contribute with their apps, hello world I guess :P
 
It seems like most of the people with the capacity to develop homebrew are focused on further reverse engineering... Is there anyone out there playing around and trying to just make apps in userspace?
 
Ok, so I have everything set up and working, including the RPC client. I'm looking at the RAM Dumping code, and I'm wondering two things:

1. What's the lowest offset I can start at, and
2. What's the maximum amount of RAM I can dump before encountering errors?

I'm currently running a game in the background, and apparently from what Chadderz said, there's a small portion of memory that's shared that I will probably make use of.
Chadderz said:
There is an area of the RAM (0xE0000000-0xE4000000) that is shared between all programs and appears to be used for communication with hardware devices such as the graphics card. I noticed that while the game is running, an RGBA32 copy of the screen buffer existed in this area (plus a separate copy for the gamepad). I also noticed that 16-bit PCM audio data existed in this area, which when I decoded was the opening sound effects of MK8 (at 0xE2C00000). This is not the file format used on the disk, this is clearly the decoded data that is being sent to the audio interface and out to the speakers. I have no idea if this is always true, or if all the game's sound is stored there, but I suspect so. If all you want to do is rip the audio, then this may be a good line of investigation.
I assume I just edit that stuff in and run the dumper then, correct? (Start offset would be 0xE0000000 and length would be 4000000)
 
Yep, look at top of page: http://gbatemp.net.prx2.unblocksit.es/threads/wii-u-hacking-discussion.367489/page-29
 

I used the adaptation of your code in this post, however, it only dumped 0x7AA worth of data, the rest is nothing but 00s. Based on what Chadderz said, there should be much more in there. Looks like I'll have to investigate more.

Edit: After starting a digital copy of MK8, there's only 0x7AA bytes of data for some reason, even when I have "rpc.dump_img(0xE0000000, 4000000, "TestDump-MarioKart8-01.bin")" as my command.
 
This is my code for dumping memory. I haven't tested it after I last modified it, but it should still work. Copy everything into Notepad, change the values you need to, and paste the changed script into the interactive Python shell.

However, there is one problem with it (or maybe it's just my computer), which is that thefile.write writes the buffer 4 times to the file. I had to write a Windows program (FileFixer from this archive) that creates a fixed dump from one that has that problem (drag and drop the dump into FileFixer).


Code:
import struct  # rpc is the RPC client object already set up in the interactive shell

adr = 0xE3500000 #change this (starting address)
btr = 0x00384000 #this (number of bytes to read)
curb = 0

thefile = open("outputram.bin", "wb") #and this (output file)

while btr - curb > 0:
    if btr - curb >= 500:
        numbytes = 500
    else:
        numbytes = btr - curb

    # rpc.read32 counts 32-bit words, not bytes, so each pass writes
    # 4 * numbytes bytes while curb only advances by numbytes
    # (this is the 4x output described above)
    buf = rpc.read32(adr + curb, numbytes)
    for item in buf:
        uselessval = thefile.write(struct.pack(">I", item))

    thefile.flush()
    curb += numbytes

    if curb % 100000 == 0 or btr == curb:
        print(str(curb) + " / " + str(btr) + " (" + str(round(curb / btr * 10000) / 100) + "%)")

thefile.close()

So if I understand correctly, your numbytes is actually num_u32.
 
I actually want the console to die and be hacked to bits, even though I spent over $400 total on it + games.
I agree with you on this point. Let the talented devs here be our savior! (P.S. you guys are doing some hard and impressive work, continue this way! I am on your side! Even if I am not really someone who has coding experience, everyone has been a noob once).
 
So if I understand correctly, your numbytes is actually num_u32.

Crap, I just realized that... it's called read32 :hateit:

Code:
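import struct  # rpc is the RPC client object already set up in the interactive shell

adr = 0xE3500000 #change this (starting address)
btr = 0x00384000 #this (number of bytes to read)

thefile = open("outputram.bin", "wb") #and this (output file)

while btr - thefile.tell() > 0:
    # read32 takes a count of 32-bit words: 125 words = 500 bytes per call.
    # The remaining byte count is converted to words (rounded up) for the last chunk.
    remaining = btr - thefile.tell()
    if remaining >= 500:
        numwords = 125
    else:
        numwords = (remaining + 3) // 4

    buf = rpc.read32(adr + thefile.tell(), numwords)
    for item in buf:
        uselessval = thefile.write(struct.pack(">I", item))

    thefile.flush()

    # >= because a length that is not a multiple of 4 ends up to 3 bytes past btr
    if thefile.tell() % 100000 == 0 or thefile.tell() >= btr:
        print(str(thefile.tell()) + " / " + str(btr) + " (" + str(round(thefile.tell() / btr * 10000) / 100) + "%)")

thefile.close()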

This should work. FileFixer is no longer needed ^^

Edit: Here's my ramio.py file, with RAM dumping and uploading functions. It might be messy/buggy since I just started with Python, plus I'm not very experienced in programming overall.
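
The byte-count versus word-count mix-up discussed in the posts above, reproduced offline as an added example (not code from the thread or from ramio.py). `FakeRPC` is a hypothetical stand-in that assumes `read32(addr, count)` returns `count` big-endian 32-bit words, and the memory contents are constructed.

```python
import struct

BASE = 0xE3500000
# Constructed backing memory standing in for console RAM (sample data only).
MEM = bytes((i * 7 + i // 256) & 0xFF for i in range(8192))

class FakeRPC:
    """Hypothetical stand-in for the RPC client: read32 counts words, not bytes."""
    def read32(self, addr, count):
        off = addr - BASE
        return list(struct.unpack(">%dI" % count, MEM[off:off + 4 * count]))

def dump_count_as_bytes(rpc, adr, btr, chunk=500):
    """First version in the thread: a byte count is passed where words are expected."""
    out, curb = bytearray(), 0
    while btr - curb > 0:
        n = min(chunk, btr - curb)
        for word in rpc.read32(adr + curb, n):   # actually returns 4 * n bytes
            out += struct.pack(">I", word)
        curb += n                                # but the offset moves only n bytes
    return bytes(out)

def dump_count_as_words(rpc, adr, btr, chunk_words=125):
    """Word-accurate version: offset and length are both tracked in bytes written."""
    out = bytearray()
    while len(out) < btr:
        n = min(chunk_words, (btr - len(out) + 3) // 4)  # round last chunk up
        for word in rpc.read32(adr + len(out), n):
            out += struct.pack(">I", word)
    return bytes(out[:btr])                      # trim padding from the round-up

if __name__ == "__main__":
    rpc = FakeRPC()
    bad = dump_count_as_bytes(rpc, BASE, 1400)
    good = dump_count_as_words(rpc, BASE, 1400)
    print(len(bad), len(good), good == MEM[:1400])
```

The first function's output is four times the requested size and made of overlapping windows, which is why a separate repair step was needed before the fix.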
 
Windows tools updated with a new SARC (new .arc, .sarc, .pack) unpacker. You can either drag & drop the packages into it, or use it in the command prompt:

Code:
SARCUnpack myfile.arc

Recursive:

Code:
SARCUnpack myfile.arc r

None of the .arc tools I tried managed to open these, so I assume it's a new format.

Edit: Just found a bug, so no link...

Edit 2: Here it is
 
