Hacking Wii U Hacking & Homebrew Discussion

  • Thread starter Thread starter filfat
  • Start date Start date
  • Views Views 5,119,540
  • Replies Replies 21,104
  • Likes Likes 29
What the hell?
DarkFlare69, who I work on my website with, sent me this:
#define START_SECTION __attribute__ ((section (".text.start"), naked))
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif

int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;

int uvl_entry();

int START_SECTION
uvl_start ()
{
__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");
}

int
uvl_entry ()
{
unsigned int addr;
void *this = 0x08F10000;
int *written = 0x08F01000;
int *buf = 0x18410000;

unsigned int offset = 0;
unsigned int i;
unsigned int f;

svcSleepThread(0x400000LL);

//copy block of memory to buffer
addr = 0x1413B000;//This is the address we'll take memory from in the game
GSPGPU_FlushDataCache(addr, 0x10000);
GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(buf, 0x10000);

for (i = 0; i < 0x10000; i++)//Scan RAM for a constant value between regions
{
if ((buf == 0x00610064) && (buf[i + 1] == 0x00610074) && (buf[i + 2] == 0x002F003A) && (buf[i + 3] == 0x0073002F))
{
offset = i - 2291;

//Write screen buff so we know it worked
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
}
}

f = offset;

buf[f] = 0xFF0088B8;//Values for the hack

//flush back to memory and also write to file for debugging
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(buf, 0x10000);
GX_SetTextureCopy(buf, addr, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(addr, 0x10000);
//Write to RAM so the Wii U can read it;
svcSleepThread(0x400000LL);

return 0;
}

He said it was some sort of RAM hack for the wiiu. He's a bit of a..... don't want to say troll, but he's "off", so I doubt this is real, but could someone tell me what the hell this is?

Maybe is a dump of the RAM from GX2 (Wii U Main GPU) :unsure:
 
I don't need anything more than the ability to run homebrew for my porting stuff. I'm just fed up with those whining about "no possibility to run backups?" or "I want piracy". Don't they have some other problems...?


Lol, no one really cares, let people do what they will :P As long as the Wii U is hacked, what does it matter?:creep: Are you a hacker?:lol:
 
  • Like
Reactions: Kelton2
What the hell?
DarkFlare69, who I work on my website with, sent me this:
#define START_SECTION __attribute__ ((section (".text.start"), naked))
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif

int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;

int uvl_entry();

int START_SECTION
uvl_start ()
{
__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");
}

int
uvl_entry ()
{
unsigned int addr;
void *this = 0x08F10000;
int *written = 0x08F01000;
int *buf = 0x18410000;

unsigned int offset = 0;
unsigned int i;
unsigned int f;

svcSleepThread(0x400000LL);

//copy block of memory to buffer
addr = 0x1413B000;//This is the address we'll take memory from in the game
GSPGPU_FlushDataCache(addr, 0x10000);
GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(buf, 0x10000);

for (i = 0; i < 0x10000; i++)//Scan RAM for a constant value between regions
{
if ((buf == 0x00610064) && (buf[i + 1] == 0x00610074) && (buf[i + 2] == 0x002F003A) && (buf[i + 3] == 0x0073002F))
{
offset = i - 2291;

//Write screen buff so we know it worked
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
}
}

f = offset;

buf[f] = 0xFF0088B8;//Values for the hack

//flush back to memory and also write to file for debugging
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(buf, 0x10000);
GX_SetTextureCopy(buf, addr, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(addr, 0x10000);
//Write to RAM so the Wii U can read it;
svcSleepThread(0x400000LL);

return 0;
}

He said it was some sort of RAM hack for the wiiu. He's a bit of a..... don't want to say troll, but he's "off", so I doubt this is real, but could someone tell me what the hell this is?


This is 3DS code...
 
What the hell?
DarkFlare69, who I work on my website with, sent me this:
#define START_SECTION __attribute__ ((section (".text.start"), naked))
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif

int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;

int uvl_entry();

int START_SECTION
uvl_start ()
{
__asm__ volatile (".word 0xE1A00000");
uvl_entry();
__asm__ volatile ("bx lr");
}

int
uvl_entry ()
{
unsigned int addr;
void *this = 0x08F10000;
int *written = 0x08F01000;
int *buf = 0x18410000;

unsigned int offset = 0;
unsigned int i;
unsigned int f;

svcSleepThread(0x400000LL);

//copy block of memory to buffer
addr = 0x1413B000;//This is the address we'll take memory from in the game
GSPGPU_FlushDataCache(addr, 0x10000);
GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(buf, 0x10000);

for (i = 0; i < 0x10000; i++)//Scan RAM for a constant value between regions
{
if ((buf == 0x00610064) && (buf[i + 1] == 0x00610074) && (buf[i + 2] == 0x002F003A) && (buf[i + 3] == 0x0073002F))
{
offset = i - 2291;

//Write screen buff so we know it worked
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(0x18000000, 0x00038400);
GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svcSleepThread(0x400000LL);
}
}

f = offset;

buf[f] = 0xFF0088B8;//Values for the hack

//flush back to memory and also write to file for debugging
svcSleepThread(0x400000LL);
GSPGPU_FlushDataCache(buf, 0x10000);
GX_SetTextureCopy(buf, addr, 0x10000, 0, 0, 0, 0, 8);
GSPGPU_FlushDataCache(addr, 0x10000);
//Write to RAM so the Wii U can read it;
svcSleepThread(0x400000LL);

return 0;
}

He said it was some sort of RAM hack for the wiiu. He's a bit of a..... don't want to say troll, but he's "off", so I doubt this is real, but could someone tell me what the hell this is?

This is exploiting a gsp vuln for 3DS on ARM11.
http://pastebin.com/Exb98yWR
 
  • Like
Reactions: VinsCool
too late, I already did it, and MN1 says they are investigating the crash I found, not yes or no :)


Dang, because being connected to the internet on 5.2.0 is pretty damn risky in and of itself, if I was on 5.3.2 without any issues, I'd have done it.


Why is this not privately given to devs instead of offering it to nintendo via a public forum?

Good question, but, even if Nintendo found about it, they can't retroactively patch in older firmware.
 
It's okay, it's been dealt with, enough whining about how it should have happened, back on topic.
Kernel exploit takes priority because of how much more difficult it is to pull off, so I still say hold off on 5.3.1/5.3.2

But after Kernel exploit comes the new WebKit exploit (I think), and next you will develop a IOSU exploit?
 
But after Kernel exploit comes the new WebKit exploit (I think), and next you will develop a IOSU exploit?
As has been said before, no promises on anything after the kernel exploit is finished, not even a "homebrew launcher". We'll still release it and you can make it yourselves assuming we don't, but....
 
As has been said before, no promises on anything after the kernel exploit is finished, not even a "homebrew launcher". We'll still release it and you can make it yourselves assuming we don't, but....

OK! no problem with that!, you two had done a lot of work (even for free, we aren't paying), so we are very thankful all of you and MN1 did :) .
 
As has been said before, no promises on anything after the kernel exploit is finished, not even a "homebrew launcher". We'll still release it and you can make it yourselves assuming we don't, but....
OK! no problem with that!, you two had done a lot of work (even for free, we aren't paying), so we are very thankful all of you and MN1 did :) .

I would donate if there was a kickstarter or something in the name of Wii U hacking.
 
That's only a simple freeze, nothing more. You don't get any code dumps or exceptions, no error log at all.


Umm, this is exactly what the current webkit exploit browser crash does when you don't spray the heap and inject custom code. Try it.
 

Site & Scene News

Popular threads in this forum