Hacking IDA Pro Wii U Loader

[CosmoCortney]

Already have The OSDriver exploit remaps coreinit and the loader to R/W

Which one is it? Totally missed that
The first of the more reliable exploits still freezes when I try to write to the range of the .rpx (that starts with nop, nop, blr)

 

[NWPlayer123]

Which one is it? Totally missed that
The first of the more reliable exploits still freezes when I try to write to the range of the .rpx (that starts with nop, nop, blr)

https://github.com/wiiudev/libwiiu/blob/master/kernel/osdriver/src/loader.c#L315-L320
These specific lines, maps it to a physical address that happens to mirror to the 0xA0000000 range.

 

[gamesquest1]

would be good to have a de/recompressor though for manual editing.....figure that would be the best way to go about snes/nes rom injections, i found the rom in the prx and already know how to replace in ram, but i guess injecting it in the prx would make the emulator load up the correct settings properly from the nes header assuming they aren't hard coded for each rom

 

[VinsCool]

would be good to have a de/recompressor though for manual editing.....figure that would be the best way to go about snes/nes rom injections, i found the rom in the prx and already know how to replace in ram, but i guess injecting it in the prx would make the emulator load up the correct settings properly from the nes header assuming they aren't hard coded for each rom

I tried to find the rom in the rpx, but didn't. Have you used IDA for that?
I went to direct hex viewer xD

 

[gamesquest1]

yeah in ida, the rom is compressed in the prx

 

[VinsCool]

yeah in ida, the rom is compressed in the prx

Ok thanks

Even though, NES and SFC strings are findable in the rpx of each nes snes VC I got

 

[CosmoCortney]

https://github.com/wiiudev/libwiiu/blob/master/kernel/osdriver/src/loader.c#L315-L320
These specific lines, maps it to a physical address that happens to mirror to the 0xA0000000 range.

The game freezes when I try to read range 0xA0000000
May it be PyGecko's fault?

 

[NWPlayer123]

The game freezes when I try to read range 0xA0000000
May it be PyGecko's fault?

Nah, I've poked at it a bunch, you just need to know what you're doing, what are you trying to do? You basically need to edit the sections it mirrors to.

 

[CosmoCortney]

Nah, I've poked at it a bunch, you just need to know what you're doing, what are you trying to do? You basically need to edit the sections it mirrors to.

I've entered A0000000 into the disassembler's address box to view the mirrored ASM. I wanted to find a permanently executed instruction to replace it by a branch-instruction to execute my own code (successfully did this to GCN and Wii games). But the attempt to view the ASM at 0xA0000000 froze the game

 

[NWPlayer123]

I've entered A0000000 into the disassembler's address box to view the mirrored ASM. I wanted to find a permanently executed instruction to replace it by a branch-instruction to execute my own code (successfully did this to GCN and Wii games). But the attempt to view the ASM at 0xA0000000 froze the game

Depends on what, TCPGecko patching 0xA101C55C is basically coreinit at 0x0101C400 + 0x15C, mirrored to the 0xA0 range, just open up 0x01 and find what you're looking for. If you need more in-depth for stuff after that, I think I still have all my notes lying around.

 

[CosmoCortney]

Depends on what, TCPGecko patching 0xA101C55C is basically coreinit at 0x0101C400 + 0x15C, mirrored to the 0xA0 range, just open up 0x01 and find what you're looking for. If you need more in-depth for stuff after that, I think I still have all my notes lying around.

I see
Viewing 0xA101C55C gave me a freeze again.

just open up 0x01 and find what you're looking for

Do you mean 0x0101C55C by that? I can tell a specific instruction I'm looking for because I need to find on my own which on is permanently executed. If the game immediately freezes I know it might be useful. It will most likely be an stw or lwz instruction.

If you need more in-depth for stuff after that, I think I still have all my notes lying around.

This would probably be really useful

 

[wj44]

I've entered A0000000 into the disassembler's address box to view the mirrored ASM. I wanted to find a permanently executed instruction to replace it by a branch-instruction to execute my own code (successfully did this to GCN and Wii games). But the attempt to view the ASM at 0xA0000000 froze the game

You have to disable the Splatoon patches.

 

[CosmoCortney]

You have to disable the Splatoon patches.

Do you mean the PyGecko that works with Splatoon?

 

[wj44]

Do you mean the PyGecko that works with Splatoon?

Yes, You have to use an older version.

 

[CosmoCortney]

Yes, You have to use an older version.

Oh, where can I find it? I don't have it anymore

 

[wj44]

Oh, where can I find it? I don't have it anymore

http://gbatemp.net/threads/wii-u-hacking-homebrew-discussion.367489/page-455#post-5627482

 

[NWPlayer123]

I see
Viewing 0xA101C55C gave me a freeze again.
Do you mean 0x0101C55C by that? I can tell a specific instruction I'm looking for because I need to find on my own which on is permanently executed. If the game immediately freezes I know it might be useful. It will most likely be an stw or lwz instruction.
This would probably be really useful

Yes, load the 0x01 range, the dNet client should let you dump the whole thing, there's a whole tab dedicated to it. I'll see what I can dig up later, need sleep badly lmao

 

[CosmoCortney]

Yes, load the 0x01 range, the dNet client should let you dump the whole thing, there's a whole tab dedicated to it. I'll see what I can dig up later, need sleep badly lmao

It's working now
thank you

 

[NexoCube]

That's crazy, i added it into the loaders directory and when i want to load coreinit.rpl it give me some error, is there a writed or a video tutorial ?

 

[NexoCube]

Fixed, only works with 32bit version xD