Hacking [WIP] 'Cafe Code Types' for Wii U cheats + PPC code handler

CosmoCortney

i snack raw pasta and chew lollipops
OP
Member
Joined
Apr 18, 2013
Messages
1,768
Trophies
2
Location
on the cool side of the pillow
Website
follow-the-white-rabbit.wtf
XP
3,007
Country
Germany
Use the Cheat Code Thread for further information. Now as the code handler is working quite well this thread becomes redundant.

Introduction:
Allow me to introduce the Cafe Code Types. It's the equivalent of the Wii's Gecko-, or GCN's Action Replay code types, just for the Wii U! As you will see below the scheme is very different. This is because there's no free space next to the initial address of the cheat. So each code type has its own 4Bytes which actually brings a lot of advantages compared to the Gecko- and Action Replay Code Types: No need for an extra code type to include pointers and code types can offer more options now which reduces the total amount of code types to keep a keen view about them. 8bit conditional codes will return!
Besides this there will be totally new code types (and maybe another alternative for pointers).

To be fixed:
The hook is a bit unreliable. Sometimes cheats become disabled (WWHD) or pretty much never work (MK8). Going to try to fix this soon.

Further information:
Well, I have had this idea for quite a few months but didn't work on it because I was waiting for Mr. Mysterio's code type design before coding a PPC-based code handler. But he has been away for a long time now :(
so I started writing down some code a few days ago.
HOWEVER: It is still in an early state of development. @BullyWiiPlaza has started developing a clone of TCP Gecko dNET, called JGecko U (written in Java) which can install my code handler :)
He had the idea to save the code handler in .bin files which his program can use. I'm sure that this format could be used in future projects once IOSU exploit is out and we have a sort of cheat code loader like Gecko OS.
If you're interested in how the code type works you can take a look at the PPC code here on my Git (It's PPC only because it's the only language I know).

Code Type Documentation:
currently supported:
  1. RAM writes (pointer and pointer-in-pointer)
  2. patch/string writes (also pointered. No pointer-in-pointer)
  3. Slider/skip writes (also pointered. No pointer-in-pointer)
  4. If Equal, unequal, greater than, lower than, greater or equal, less than or equal (also pointered. No pointer-in-pointer)
  5. no operation
  6. termination
CC: Code Type. 00 = RAM write, 01 = Patch/String Write, 02 = Slide/Skip Write,
P: Pointer. 0 = No pointer, 1 = Pointer, 2 = Pointer-In-Pointer
LLLLLLLL = Address/Location (If more addresses are involved the next one will be indicated by the next alphabetical letter (MMMMMMMM, ...))
VVVVVVVV = Value. 8bit/1Byte values must be written on the right. The 3 Bytes before must be 00 (000000VV). 16bit/2Byte: 0000VVVV, 32bit/4Bytes: VVVVVVVV.
The other zeros must be kept. They are used to fill unused space to ensure the codehandler works properly and/or will possibly be replaced by future functions.
QQQQQQQQ: Offset between where the pointer points at and the value you want to modify. If the offset is negative you must change it to a signless integer (-0x2130 -> 0xFFFFDED0). You can do this with any hex calculator by subtracting your offset from 0.
Pointered codes will require a defined memory range. This is used to avoid inevitable freezes while loading another level/menu/cutscene.
The beginning of the range will most likely be 10000000 and the end 4C000000. But you can pick one possible value-location of a pointer code and add and subtract 0x00100000 to it to reduce the size of the range. This can enhance the avoidance of possible freezes even more.
(example: Possible final location: 3738E0CC. 3738E0CC - 00100000 = 3728E0CC; 3738E0CC + 00100000 = 3748E0CC. Range of 3738E0CC ~ 3748E0CC.)

Pointer-In-Pointer are only supported in RAM writes.


RAM writes (00)
General scheme:
00PS0000 LLLLLLLL
VVVVVVVV 00000000


8bit:
00000000 LLLLLLLL
000000VV 00000000


16bit:
00010000 LLLLLLLL
0000VVVV 00000000


32bit:
00020000 LLLLLLLL
VVVVVVVV 00000000


Example:
infinite health in Wind Waker HD
00000000 15073BC3
00000050 00000000



Pointered RAM Writes:
8bit:
00100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV


16bit:
00110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV


32bit:
00120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV


Example:
Wind Waker HD - Stretch Link ([1097648C] + 6a30 0x43000000)
00120000 1097648C
48600000 48800000
00006A30 43000000



Pointer-In-Pointer:
8bit:
00200000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 00000000
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV


16bit:
00210000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 00000000
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV


32bit:
00220000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 00000000
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV


Example:
00210000 20367528
38000000 39000000
00001250 00000000
3E000000 3F000000
0035842C 00001234




Patch/String writes (01)
01P0NNNN LLLLLLLL
VVVVVVVV VVVVVVVV
VVVV0000 000000FF


NNNN = The amount of bytes to write starting at address LLLLLLLL.
Every line must have 2 blocks consisting of 8 hex digits each. If the value (VV) does not fill a line you will have to fill the empty space with zeros and the last two with FF (VVVV0000 000000FF). If only the last byte of a line is unused simply fill it with FF (VVVVVVVV VVVVVVFF). If your value fills all 16 hex digits then put 00000000 000000FF beneath it
(VVVVVVVV VVVVVVVV
00000000 000000FF)


Example:
01000012 40232004
11221122 11221122
11221122 11221122
11220000 000000FF


This writes a hex string of
11221122 11221122 11221122 11221122 1122 starting at 0x40232004 (without spaces, duh).

Pointered:
0110NNNN LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 00000000
VVVVVVVV VVVVVVVV
VVVVVVVV VVVV00FF


Example:
01100014 13501688
20100000 20200000
00232020 00000000
11331133 11331133
11331133 11331133
11331133 000000FF


No pointer-in-pointer support




Slide/Skip (02)
02PSNNNN LLLLLLLL
VVVVVVVV XXXXXXXX
IIIIIIII 00000000


NNNN: Amount of slides/skips (first is assumed)
XXXXXXXX: Offset between each write/offset to skip/slide
IIIIIIII: Value increment for each slide. Leave it as 00000000 if not wanted.

8bit:
0200NNNN LLLLLLLL
000000VV XXXXXXXX
000000II 00000000


16bit:
0201NNNN LLLLLLLL
0000VVVV XXXXXXXX
0000IIII 00000000


32bit:
0202NNNN LLLLLLLL
VVVVVVVV XXXXXXXX
IIIIIIII 00000000


Example:
02020064 423E0DC4
00100000 00001000
00000100 00000000



Pointered:
021PNNNN LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV
XXXXXXXX IIIIIIII


8bit:
0210NNNN LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV
XXXXXXXX 000000II


16bit:
0211NNNN LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV
XXXXXXXX 0000IIII


32bit:
0210NNNN LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV
XXXXXXXX IIIIIIII


Example:
0210012C 1987EDC8
45200000 45500000
000202EC 00000010
00002000 00000001



Terminator (DE)
This code MUST be placed behind conditional codes. So the code handler knows which codes NOT to enable when a condition is false.

DE000000 DEADCAFE

Conditionals

If Equal (03)
03PS0000 LLLLLLLL
VVVVVVVV 00000000


8bit:
03000000 LLLLLLLL
000000VV 00000000


16bit:
03010000 LLLLLLLL
0000VVVV 00000000


32bit:
03020000 LLLLLLLL
VVVVVVVV 00000000


Example:
03010000 12364872
00001200 00000000
.
.
.
DE000000 DEADCAFE


Pointered
8bit:
03100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV


16bit:
03110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV


32bit:
03120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV


Example:
03120000 31549860
RANGE_ST RANGE_EN
00035480 01000000
.
.
.
DE000000 DEADCAFE


____________________

If Not Equal (04)
04PS0000 LLLLLLLL
VVVVVVVV 00000000

8bit:
04000000 LLLLLLLL
000000VV 00000000

16bit:
04010000 LLLLLLLL
0000VVVV 00000000

32bit:
04020000 LLLLLLLL
VVVVVVVV 00000000

Example:
04010000 12364872
00001200 00000000
.
.
.
DE000000 DEADCAFE

Pointered
8bit:
04100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV

16bit:
04110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV

32bit:
04120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV

Example:
04120000 31549860
RANGE_ST RANGE_EN
00035480 01000000
.
.
.
DE000000 DEADCAFE

_________________



If Greater Than (05)
05PS0000 LLLLLLLL
VVVVVVVV 00000000

8bit:
05000000 LLLLLLLL
000000VV 00000000

16bit:
05010000 LLLLLLLL
0000VVVV 00000000

32bit:
05020000 LLLLLLLL
VVVVVVVV 00000000

Example:
05010000 12364872
00001200 00000000
.
.
.
DE000000 DEADCAFE

Pointered
8bit:
05100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV

16bit:
05110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV

32bit:
05120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV

Example:
05120000 31549860
RANGE_ST RANGE_EN
00035480 01000000
.
.
.
DE000000 DEADCAFE

_________________




If Less Than (06)
06PS0000 LLLLLLLL
VVVVVVVV 00000000

8bit:
06000000 LLLLLLLL
000000VV 00000000

16bit:
06010000 LLLLLLLL
0000VVVV 00000000

32bit:
06020000 LLLLLLLL
VVVVVVVV 00000000

Example:
06010000 12364872
00001200 00000000
.
.
.
DE000000 DEADCAFE

Pointered
8bit:
06100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV

16bit:
06110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV

32bit:
06120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV

Example:
06120000 31549860
RANGE_ST RANGE_EN
00035480 01000000
.
.
.
DE000000 DEADCAFE

_________________

If Greater Than or Equal (07)
07PS0000 LLLLLLLL
VVVVVVVV 00000000

8bit:
07000000 LLLLLLLL
000000VV 00000000

16bit:
07010000 LLLLLLLL
0000VVVV 00000000

32bit:
07020000 LLLLLLLL
VVVVVVVV 00000000

Example:
07010000 12364872
00001200 00000000
.
.
.
DE000000 DEADCAFE

Pointered
8bit:
07100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV

16bit:
07110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV

32bit:
07120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV

Example:
07120000 31549860
RANGE_ST RANGE_EN
00035480 01000000
.
.
.
DE000000 DEADCAFE

_________________


If Greater Than or Equal (08)
08PS0000 LLLLLLLL
VVVVVVVV 00000000

8bit:
08000000 LLLLLLLL
000000VV 00000000

16bit:
08010000 LLLLLLLL
0000VVVV 00000000

32bit:
08020000 LLLLLLLL
VVVVVVVV 00000000

Example:
08010000 12364872
00001200 00000000
.
.
.
DE000000 DEADCAFE

Pointered
8bit:
08100000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 000000VV

16bit:
08110000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ 0000VVVV

32bit:
08120000 LLLLLLLL
RANGE_ST RANGE_EN
QQQQQQQQ VVVVVVVV

Example:
08120000 31549860
RANGE_ST RANGE_EN
00035480 01000000
.
.
.
DE000000 DEADCAFE

_________________


No Operation (DF)
DFZZZZZZ DEADC0DE
Simply does nothing. Most likely used by the code handler to overwrite cheat codes that will only be performed once. You probably won't ever need it in a cheat code, but you could use it as a visual separator between a lot of codes. So I decided to document it here, too! You can write down any hexadecimal number for ZZZZZZ.
This is NOT to be confused with the Terminator

Example:
DF000001 DEADC0DE
00020000 13655ECC
3FC00000 00000000
DF000002 DEADC0DE
00020000 13655ED0
3FC00000 00000000
DF000003 DEADC0DE
00020000 13655ED4
3FC00000 00000000

________________________________


TODO:
Conditionals (&&, ||, value between), Floating point operations, Integer operations, load and store value, insert ASM, Search value and store address somewhere, Corruptor (replace values), Corruptor (add value).

How to use:
(The following steps will change during development). Doesn't work with Splatoon. It freezes on boot screen.
- Launch the modified version of the kernel exploit that mirrors range 00 to A0: http://cosmocortney.ddns.net/wiiustuff
- Then run the "old_pygecko". (these exploits are not made by me. Credits go to the kexploit devs)
- Open TCP Gecko dNET.
- TCP Gecko dNET has no cheat code manager so you need to poke the cheat codes by hand.
- Change to the Memory viewer and go to address 10015000. Now poke all your cheat codes line by line starting at 10015000. (It is important not to skip 00000000 of a code). The next cheat comes without any space between the previous one. (To help you to orientate; a following cheat code will always start at XXXXXXX0 or XXXXXXX8)
- Once all cheats are stored close TCP Gecko dNET.
- Download the code handler here
- Now you will need Bully's JGecko U to install the code handler.
- Open it with Winrar and go into the folder called "codehandler"
- Delete the content and drag and drop the latest code handler into there.
- Run JGecko U and hit "connect"
Once it tells you the code handler has been installed, the cheats should be active.

Demonstrations:
A demo video of a jokered Moon Jump code:
https://twitter.com/CosmoCortney/status/699987611872530432

and here you can see an 8bit, a 16bit and a 32bit code being managed:
cafe codes.png
 
Last edited by CosmoCortney,
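The padding rule for Patch/String writes (01) documented in the post above, as an added example that is not part of the original post or of the project's code handler: an encoder that builds the zero fill and closing FF, and a strict decoder that checks NNNN against the lines actually present. The function names are hypothetical, only the non-pointered form is covered, and rejecting a mismatch is this example's choice; the thread does not say how the handler itself reacts to bad framing.

```python
def _words(text):
    """Split a code into 32-bit words, enforcing two 8-digit blocks per line."""
    tokens = text.split()
    if len(tokens) % 2 or any(len(t) != 8 for t in tokens):
        raise ValueError("every line must be two blocks of 8 hex digits")
    return [int(t, 16) for t in tokens]


def padded_length(count):
    """Bytes taken by the value lines: payload, zero fill, closing FF.

    The FF always sits in the last byte of a line, so a payload that ends
    exactly on a line boundary gets a whole extra 00000000 000000FF line.
    """
    return count + (7 - count) % 8 + 1


def encode_patch(address, payload):
    """Build a non-pointered 01 code (01P0NNNN with P = 0) for payload bytes."""
    count = len(payload)
    if not 0 < count <= 0xFFFF:
        raise ValueError("NNNN is 16 bits wide: payload must be 1..65535 bytes")
    body = bytes(payload) + bytes(padded_length(count) - count - 1) + b"\xFF"
    words = [0x01000000 | count, address]
    words += [int.from_bytes(body[i:i + 4], "big") for i in range(0, len(body), 4)]
    return "\n".join(f"{a:08X} {b:08X}" for a, b in zip(words[::2], words[1::2]))


def decode_patch(text):
    """Return (address, payload) or raise ValueError on inconsistent framing."""
    words = _words(text)
    if len(words) < 4:
        raise ValueError("a patch code needs a header line and a value line")
    head, address = words[0], words[1]
    if head >> 24 != 0x01 or (head >> 20) & 0xF != 0:
        raise ValueError("not a non-pointered 01 code")
    count = head & 0xFFFF
    body = b"".join(w.to_bytes(4, "big") for w in words[2:])
    if count == 0 or len(body) != padded_length(count):
        raise ValueError("NNNN does not match the number of value lines")
    if body[-1] != 0xFF or any(body[count:-1]):
        raise ValueError("fill must be zeros closed by a single FF")
    return address, body[:count]


# The 0x12-byte example from the post, rebuilt from its payload.
PAGE_EXAMPLE = encode_patch(0x40232004, bytes.fromhex("1122" * 9))
```

A length field that disagrees with the framing is caught before any address is touched, which is the property worth having in any tool that turns these lines into memory writes.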

BullyWiiPlaza

Nintendo Hacking <3
Member
Joined
Aug 2, 2014
Messages
1,932
Trophies
0
XP
2,467
Country
Germany
I can make an application that stores the code handler code to the memory automatically. I already have a project I'm slowly working on which is this one. Let me know the addresses and values to write and I can make it happen. Just create a binary file with all the assembly in it. We don't need to modify the pyGecko installer for this and it will cause no delay :P

A question I have is this. Aren't we supposed to program in C and use the compiled assembly instead of writing the assembly manually? It should be more convenient or maybe not. It's C after all :P
 
Last edited by BullyWiiPlaza,

CosmoCortney

I can make an application that stores the code handler code to the memory automatically. I already have a project I'm slowly working on which is this one. Let me know the addresses and values to write and I can make it happen. Just create a binary file with all the assembly in it. We don't need to modify the pyGecko installer for this and it will cause no delay :P

A question I have is this. Aren't we supposed to program in C and use the compiled assembly instead of writing the assembly manually? It should be more convenient or maybe not. It's C after all :P
That'd be awesome :D
Well, I don't know any C.. But I am very familiar with PPC. I need to search the best entry point for this and write some more asm to be able to use as many registers as possible. give me some time^^

should the asm be in asm (blr) or hex (4E800020)?
 

BullyWiiPlaza

should the asm be in asm (blr) or hex (4E800020)?
If you have an assembler to translate the code to hex then the source is enough :P
PyiiASMH? ;)

It would be best if you make a very simple code handler and instructions on how to install it so that I can build it into the tool.
 

CosmoCortney

If you have an assembler to translate the code to hex then the source is enough :P
PyiiASMH? ;)

It would be best if you make a very simple code handler and instructions on how to install it so that I can build it into the tool.
Ok, I can give it to you as hex. BUT it uses different areas in the memory and it is important the last one in the file is written last.
Also while enabling a cheat code the value at A114F820 must be 83A10354 and after all cheats are sent it must be 4805E9E0 again. otherwise the system will try to write at a forbidden memory range.

here's the code:
Code:
A11AE200:
83A10354
3CA0A11A
60A5E100
90050000
90250004
90450008
9065000C
90850010
90A50014
90C50018
90E5001C
D0050020
D0250024
D0450028
D065002C
3CC01001
60C65000
3CE01001
60E77000
7C063800
40800014
88260000
88460004
7C011000
40820008
48002B9C
2C010000
41822D94
48002B90


A11B0E00:
80050000
80250004
80450008
8065000C
80850010
80A50014
80C50018
80E5001C
C0050020
C0250024
C0450028
C065002C
4BF9E9F4                         

A11B1000:
88460001
60000000
60000000
60000000
60000000
2C020000
41820010
2C020001
4182001C
4800002C
80660004
8886000B
98830000
38C60010
4BFFD20C
80660004
A086000A
B0830000
38C60010
4BFFD1F8
80660004
80860008
90830000
38C60010
4BFFD1E4                         



A114F820:
4805E9E0

Forgot to tell that all cheats must be stored at 0x10015000. It is important it starts there and there are no gaps between the cheats. Otherwise it will be skipped. Mind that an 8bit RAM write without pointers starts with 00000000 and some codes end with 00000000. (ram writes are always 16/0x10 Bytes long)
 

CosmoCortney

Good news: Pointers do work now!
I have included a range check to make sure pointers don't freeze the game during loading sequences.
A pointer RAM write looks like this:
001S0000 LLLLLLLL
R_START_ R_END___
QQQQQQQQ VVVVVVVV


S: Size. 0 = 8bit, 1 = 16bit, 2 = 32bit
LLLLLLLL: Address where the pointer is stored in memory
R_START_: Minimum range (10000000 will most likely be fine to prevent the system writing into a forbidden area, but I recommend setting it about 0x10000 below one of the aim addresses)
R_END___: Maximum range (4C000000 will most likely be fine but I recommend setting it about 0x10000 above the aim address)
QQQQQQQQ: Offset. If the offset is negative it must be written as unsigned hex (-0x10 = 0xFFFFFFFE, need to do more testing on this)
VVVVVVVV: Value

One example: Stretching Link ([1097648C] + 6a30 ~ 43000000)
00120000 1097648C
48600000 48800000
00006A30 43000000

next up: pointer-in-pointer
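
The range-checked pointer write from this post, together with the plain and pointer-in-pointer RAM writes (00) documented in the first post, as an added example that is not part of the thread or of the project's PPC code handler. It runs the codes against a constructed, simulated memory; `Memory`, `follow` and `run_ram_writes` are hypothetical names, and it assumes the range is tested, bounds included, against the pointer value loaded from memory before the offset is added, which the thread does not spell out.

```python
SIZE_BYTES = {0: 1, 1: 2, 2: 4}   # S nibble -> width of the write in bytes
CODE_WORDS = {0: 4, 1: 6, 2: 10}  # P nibble -> 32-bit words the code occupies
MASK32 = 0xFFFFFFFF


class Memory:
    """Constructed sparse big-endian memory standing in for console RAM."""

    def __init__(self, words=None):
        self.cells = {}
        for addr, value in (words or {}).items():
            self.write(addr, value, 4)

    def read(self, addr, size=4):
        raw = bytes(self.cells.get(addr + i, 0) for i in range(size))
        return int.from_bytes(raw, "big")

    def write(self, addr, value, size):
        for i, byte in enumerate(value.to_bytes(size, "big")):
            self.cells[addr + i] = byte


def follow(mem, location, start, end, offset):
    """Load the pointer at location; return pointer+offset, or None if the
    pointer lies outside [start, end] (assumed semantics of the range check)."""
    pointer = mem.read(location)
    if not start <= pointer <= end:
        return None                       # e.g. a zero/stale pointer while loading
    return (pointer + offset) & MASK32    # 0xFFFFDED0 wraps around to -0x2130


def run_ram_writes(mem, text):
    """Apply every 00 code in text; one (target, value) or None per code."""
    words = [int(tok, 16) for tok in text.split()]
    results, i = [], 0
    while i < len(words):
        head = words[i]
        kind, p, s = head >> 24, (head >> 20) & 0xF, (head >> 16) & 0xF
        if kind != 0x00 or p not in CODE_WORDS or s not in SIZE_BYTES:
            raise ValueError(f"unsupported code header {head:08X}")
        code = words[i:i + CODE_WORDS[p]]
        if len(code) < CODE_WORDS[p]:
            raise ValueError("truncated code")
        i += CODE_WORDS[p]
        size = SIZE_BYTES[s]
        if p == 0:                        # 000S0000 L / V 00000000
            target, value = code[1], code[2]
        else:                             # 001S/002S: L, range, offset[, range, offset], V
            target = follow(mem, code[1], code[2], code[3], code[4])
            if p == 2 and target is not None:
                target = follow(mem, target, code[6], code[7], code[8])
            value = code[-1]
        if target is None:
            results.append(None)          # range check failed: nothing is written
            continue
        value &= (1 << (8 * size)) - 1    # keep only the low 8/16/32 bits
        mem.write(target, value, size)
        results.append((target, value))
    return results
```

With a pointer slot that still holds 0 the code is skipped and the memory stays untouched, which is the behaviour the range check exists to guarantee.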
 

CosmoCortney

@CosmoCortney
I made my application inject your handler so try it out. It works for me and I can put basic cheat codes in the memory. This could turn into something big really fast when I also implement some cheat code tab :)
This is awesome :D
Pointer-in-pointers work too now. My github is updated. need to get the hex though
 

BullyWiiPlaza

This is awesome :D
Pointer-in-pointers work too now. My github is updated. need to get the hex though
You can edit the files in the JAR so you can keep changing the code handler without me changing the application. But you can only change the file contents so far (not the file names). Adding new files has no effect too ;)

2uoinjb5.png
 

CosmoCortney

You can edit the files in the JAR so you can keep changing the code handler without me changing the application. But you can only change the file contents so far (not the file names). Adding new files has no effect too ;)

2uoinjb5.png
This is even better :D
Very easy to extract the hex!
In the attachment is the updated code handler ^^
EDIT:
I have updated the code handler again. In v4 are now Fill/Patch writes possible (this was tricky to write in asm... took me over 3 hours to get it working). v3 is also fixed. I have accidentally copied a wrong file into there. my bad if it caused freezes to you
@BullyWiiPlaza v4 uses a fifth file now. You'd need to update JGeckoU :P
 

Attachments

  • code-handler versions.zip
    3 KB · Views: 380

CosmoCortney

@BullyWiiPlaza for some reason the latest JGeckoU freezes the system when it loads the newest code handler which has 5 files. Did you maybe miss something in your code or forgot that A114F820.bin must be loaded last?
I will also have a look verifying nothing's wrong with the code handler
 

BullyWiiPlaza

@BullyWiiPlaza for some reason the latest JGeckoU freezes the system when it loads the newest code handler which has 5 files. Did you maybe miss something in your code or forgot that A114F820.bin must be loaded last?
Ah, it doesn't verify that. I will make it do that
 
