If i have a little time, i will try to port to this 5.0.0 firmware alsoThanks a lot for the tutorial, ptitleray
I will try to get it working on 5.0.0
If anyone else is interested in trying to make it work for 5.0.0, here are the addresses to get started:
OSScreenInit is at: 0x1039AD8
socket_lib_init is at: 0x10BF2F4
GX2WaitForVsync is at: 0x1150868
VPADRead is at: 0x11283D0
SYSLaunchMiiStudio is at: 0xDEAAE68
Note that this is for 5.0.0 only.
Last edited by ptitleray,
Time to test for 5.0.0 firmware, look at the first postIf i have a little time, i will try to port to this 5.0.0 firmware also
Can Modo change the Title to "[BETA] Loadiine (v3) for WiiU 4.1.0 or 5.0.0 ONLY" ?
Last edited by ptitleray,
Looking forward to try it on my 4.0.2 wii-u, waiting for this since the first kexploit. http://wololo.net/2015/06/17/wii-u-native-hack-released/
thanks a lot for this. I don't think i can port it to my fw though, never used IDA before.
hey guys, forgot my old nick here, but long time member...
i just checked my wiiu. thought it would be on 4.1.0e but it´s on 4.0.0e. is someone of you capable in porting it to that fw? or does someone know (from any chat) if naehrwert is going to pull his iosu down to 4.0.0e users that didn´t update to 5.3.2?
i just checked my wiiu. thought it would be on 4.1.0e but it´s on 4.0.0e. is someone of you capable in porting it to that fw? or does someone know (from any chat) if naehrwert is going to pull his iosu down to 4.0.0e users that didn´t update to 5.3.2?
Can you download "address.zip" at the bottom of the post i pointed you ?
Launch it on your WiiU and give me the result
Oh thanks, will do it tonight.
Thanks ptitleray. I'm an usual lurker, but i want to post here for 2 reasons.
First: thanks for this great work.
Second: i've ordered today a 4.1.0 WiiU, and it's on the road.
For using 4.1.0 Loadiine i've to load first the Kernel Exploit, then the Loadiine, i'm right?
First: thanks for this great work.
Second: i've ordered today a 4.1.0 WiiU, and it's on the road.
For using 4.1.0 Loadiine i've to load first the Kernel Exploit, then the Loadiine, i'm right?
Wow that was fast! Thanks a lot!Time to test for 5.0.0 firmware, look at the first post
I tried launching the kernel exploit and then tcpgecko, but tcpgecko just freezes on a white screen after the "success. Press any button to return to wiiu menu".
If I try to run just loadiine without tcpgecko, it just returns to the wiiu menu and nothing happens.
Anyway, I will try different stuff and see if I can get it working.
Ah, I wish there was a payload for fw v5.2.0 in that address zip fileFor the story
I will try to explain my "method" for, why not, porting it to other firmware
I take some base the loadiine v3 (bf42d94) --> you can download it here
I'm not so smart and i don't know all of this work so i use the "method" of comparison (with IDA PRO), and some mathematics
Read all this post before download anything and if you feel capable of doing it ... try
1 - Download the "OS" for the firmware you want to port loadiine and 5.3.2 firmware (to compare)
- for this step, i used NUSgrabber from crediar --> download NUSgrabber here
- you can use Uwizard or NUSGrabberGUI if you prefer
- use NUSgrabber like this :
- now (if you use NUSgrabber), you must have a directory named "000500101000400A" in the same directory of NUSgrabberNUSgrabber 000500101000400A [OSv11 version]
[OSv11 version] must be replace by the version of firmware
Look at the line "OSv11" in the Wiiubrew Title Database
For example, on 5.3.2 firmware, it's v11464 so the line will be :
NUSgrabber 000500101000400A 11464
and in this directory, 2 others : 1 named "11464" (this one is the 5.3.2 "OS") and the other must fit the version of your "OS" firmware (ex. 5883 for 4.1.0 "OS")
2 - Extract the 2 "OS" version to compare
- in the 2 directory (11464 and the other for your firmware), use CDecrypt from crediar like this :
- if all is good, you must have a new directory named "code" on 11464 and the other (the one fit your firmware version)CDecrypt.exe title.tmd title.tik wiiucommonkey.bin
3 - Use IDA PRO (disassembler) to find address
- download IDA PRO --> don't ask me where to find it
- use aerosoul94 WiiU loader --> look here
- open "coreinit.rpl" in IDA, wait a little for the program to disassemble
- go to the "Exports" tab on IDA and you will see addresses in front of function's name
- for the 0x1xxxxxxx address, they're GOOD but for the 0x02xxxxxx, we must make some mathematics
4 - Some mathematics ...
- for the 0x02xxxxxx, we must find a base address for our calculations
- for this, you must use the payload ("address.zip") attached below (use it "directly", no need kernel exploit)
- it will display (if your WiiU is exploitable) some address :
- on my 4.1.0 WiiU, i have :OSScreenInit is at : 0xXXXXXXX --> will be the "base" for "coreinit.rpl"
socket_lib_init for "nsysnet.rpl"
GX2WaitForVsync for "gx2.rpl"
VPADRead for "vpad.rpl"
SYSLaunchMiiStudio for "sysapp.rpl"
- now back to "coreinit.rpl" in IDA, in "Exports" tab, search "OSScreenInit" functionOSScreenInit is at : 0x10352F8
socket_lib_init is at : 0x10B44D4
GX2WaitForVsync is at : 0x11454BC
VPADRead is at : 0x111D5DC
SYSLaunchMiiStudio is at : 0xDEAB888
For my 5883 "OS" version, i have 0x020196F8 in front of "OSScreenInit" function in IDA
So :
0x020196F8 - 0x10352F8 = 0xFE4400 ==> "MAGIC" number for "coreinit.rpl" for 4.1.0 firmware
With this "MAGIC" number, we may know all address of the functions present in "coreinit.rpl"
For example, address of FSAInit (which is in "coreinit.rpl") can be calculate by :
0x0203DF1C (IDA address) - 0xFE4400 ("MAGIC" coreinit number) = 0x1059B1C (REAL address of FSAInit for 410 firmware)- we can do the same for the others, to find all functions to replaces in loadiine sourceFor my 5883 "OS" version (4.1.0), i have 0x02000514 in front of "socket_lib_init" function in IDA
So :
0x02000514 - 0x10B44D4 = 0xF4C040 ==> "MAGIC" number for "nsysnet.rpl" for 4.1.0 firmware
With this "MAGIC" number, we may know all address of the functions present in "nsysnet.rpl"
For example, address of connect (which is in "nsysnet.rpl") can be calculate by :
0x02000A3C (IDA address) - 0xF4C040 ("MAGIC" coreinit number) = 0x10B49FC (REAL address of connect for 410 firmware)
(SOON) 5 - Make some address adjustment on some functions
On file launcher.c :
- change address in InstallMenu() function (done by compare with IDA in coreinit.rpl)
- change address in InstallLoader() function (done by compare with IDA in loader.elf)
...
- No one is chatting at the moment.
-
@
Psionic Roshambo:
It's not the movies or games downloads that I would worry about, like breaking into networks, downloading encrypted things, spying on network traffic. I have seen so many "Top Secret" seals on files when I was a kid -
@
Psionic Roshambo:
I was obsessed with finding UFOs, a surprising amount of US files where stashed on computers in other countries, China back in the early 90s omg sooo much
-
@
BigOnYa:
Yea that crazy, I've never tried hack into anything, I just pirate, and my ISP have send me 3-4 letters, so had to VPN it -
@
Psionic Roshambo:
Ship to ship communication software for the Navy although without access to the encrypting chips it was mostly useless
-
@
Psionic Roshambo:
I bet now a 4090 could probably crack it? Hmmm maybe not even back then I'm pretty sure they where using like 1024 bit encryption
-
-
-
-
-
-
-
-
-
-
@
Psionic Roshambo:
I remember one time I downloaded like a 500MB ISO file on 56K and that literally took like 2 days
-
-
-
-
-
-
-
-
-
-
