Hacking Wii U Hacking & Homebrew Discussion

  • Thread starter: filfat
  • Views: 5,103,359
  • Replies: 21,104
  • Likes: 29
I mentioned before that it should be possible for the browser to use the SAVE API to request/create new files to store, would anyone be interested in testing that out so that code can just read ELF files locally once it gets a payload going instead of over the network? Obviously we can't be too greedy cause you only have 8/32GB of space minus how much the system keeps and how much you're using, but it should be able to store something like the entire loadiine ELF file and/or homebrew launcher ELF file to get into Mii Maker to use SD. Of course we can't automatically execute that without making an exploit of the main save it uses but it'd save some network capacity
That's interesting.
 
@NWPlayer123 although this may sound very dull of me, can we process zlib through the browser? I'm having a little trouble getting the U browser to do what I want. Server side is perfect, it's been in place for a few years and maintained regularly (no issues with any sites or projects I host and PHP reports it working fine). Not sure why U is having trouble with compression.
I dunno, they give you zlib125.rpl but I've never tried to use it :\ It should work fine as long as you're using the right calls, https://github.com/madler/zlib/tree/9712272c78b9d9c93746d9c8e156a3728c65ca72
 
Wow, cheers for the quick reply.
I think I will double check size limits first then maybe tweak zlib source and recompile. I'm sure calls are fine.
Do you ever sleep? lol
 
Working on nsysccr some more, got one subsection done, still got CCRCFG, CCRCDC, and CCRHID functions which should be loads of fun with more Ioctl calls
http://wiiubrew.org/wiki/Nsysccr.rpl
Wow, cheers for the quick reply.
I think I will double check size limits first then maybe tweak zlib source and recompile. I'm sure calls are fine.
Do you ever sleep? lol
Occasionally, I actually slept till 2PM today oops
 
I mentioned before that it should be possible for the browser to use the SAVE API to request/create new files to store, would anyone be interested in testing that out so that code can just read ELF files locally once it gets a payload going instead of over the network? Obviously we can't be too greedy cause you only have 8/32GB of space minus how much the system keeps and how much you're using, but it should be able to store something like the entire loadiine ELF file and/or homebrew launcher ELF file to get into Mii Maker to use SD. Of course we can't automatically execute that without making an exploit of the main save it uses but it'd save some network capacity
Interesting, one question: is it possible, with the browser in userland, to access other apps'/games' saves? For backing them up and using them in loadiine on another console, like saviine but in userland.
 
Theoretically, it also has functions to open Dirs and Files from other apps, I never got anything conclusive out of it, would have to go reverse engineer that code too
 
I mentioned before that it should be possible for the browser to use the SAVE API to request/create new files to store, would anyone be interested in testing that out so that code can just read ELF files locally once it gets a payload going instead of over the network? Obviously we can't be too greedy cause you only have 8/32GB of space minus how much the system keeps and how much you're using, but it should be able to store something like the entire loadiine ELF file and/or homebrew launcher ELF file to get into Mii Maker to use SD. Of course we can't automatically execute that without making an exploit of the main save it uses but it'd save some network capacity
I'm up for it, where do I sign? :)
 
Does anyone know a Thread on GBATemp that discusses/collects information on file formats/file headers of various games? (Hyrule Warriors' .gz archives in this case)

This time it's the right Thread! ^^
um not on GBAtemp but you can probably find it with relatively little digging, there's probably a QuickBMS script for it or I can send you a tool later, I remember poking at it, standard gzip/zlib but they have multiple compressed sections with each 0x10000 bytes of a file in each chunk until it runs out of data to compress, starts at like 0x80 with a word for the compressed section size, pass that into zlib and move file position past it, align to 16 bytes, read next word, repeat, the header probs has a value for number of sections too
 
Thanks! :)
Yes, I found out a few things using a hex editor, but I'm still not sure how to decompress the compressed areas.

In case someone can make use of it:
0x0: (always?) 0x00010000 // unsure about purpose
0x4: n // number of sections
0x8: unknown value // checksum or part of en-/decryption?
0xC: 30 32bit values // n of which contain the size of the areas+4; else is 0
0x80: First section // Each section seems to be aligned to 0x80 (after a section ends the file's filled with zeros until the next section)
    0x0: u32 sizeof(compressedData)
    0x4-end: compressedData
 
Well, that was incredibly easy, here, should work with both Python 2 and 3, edit it to use import sys; f = open(sys.argv[1], "rb"); out = open(sys.argv[1][:-3], "wb") if you wanna pass in via command line or batch
Code:
from zlib import decompress
from struct import unpack

def u32(data):
    #Big-endian unsigned 32-bit word (renamed from int() so the builtin is not shadowed)
    return unpack(">I", data)[0]

def align(size, pad):
    #Round up to the next multiple of pad; an already aligned offset stays where it is
    return (size + pad - 1) // pad * pad

with open("C_GHIRAHIM_SWORD.bin.gz", "rb") as f, open("C_GHIRAHIM_SWORD.bin", "wb") as out:
    assert u32(f.read(4)) == 0x10000 #Uncompressed chunk size
    count = u32(f.read(4)) #Number of sections
    size = u32(f.read(4)) #Size of uncompressed file
    chunksizes = []
    for i in range(count):
        #Each word after is size of compressed chunk with size word
        chunksizes.append(u32(f.read(4)))

    #Jump to first chunk
    f.seek(align(f.tell(), 0x80)) #Align to 0x80, not always at just 0x80
    for i in range(count): #Read all chunks
        assert u32(f.read(4)) == chunksizes[i] - 4
        out.write(decompress(f.read(chunksizes[i] - 4)))
        f.seek(align(f.tell(), 0x80)) #Align to 0x80 for next chunk
 
Last edited by NWPlayer123,
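A bounds-checked variant of the unpacker above for files that may not be well-formed, added here as an example and not part of the original post (Python 3). It assumes, following the posted script's comments, that the third header word is the total uncompressed size and that the section count equals that size divided by 0x10000, rounded up; `FormatError`, `pack_sections` and `unpack_sections` are names invented for this example.

```python
import struct
import zlib

CHUNK = 0x10000  # uncompressed bytes per section, as stated in the thread

class FormatError(ValueError):
    pass

def align(n, pad=0x80):
    return (n + pad - 1) // pad * pad  # an already aligned offset is unchanged

def pack_sections(data):
    """Build a constructed sample container (test input, not a game file)."""
    chunks = [zlib.compress(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]
    head = struct.pack(">III", CHUNK, len(chunks), len(data))
    head += b"".join(struct.pack(">I", len(c) + 4) for c in chunks)
    blob = head.ljust(align(len(head)), b"\0")
    for c in chunks:
        blob += struct.pack(">I", len(c)) + c
        blob = blob.ljust(align(len(blob)), b"\0")
    return blob

def unpack_sections(blob):
    """Decompress a container held in memory, rejecting inconsistent input."""
    if len(blob) < 12:
        raise FormatError("truncated header")
    chunk, count, total = struct.unpack_from(">III", blob, 0)
    if chunk != CHUNK or count != (total + CHUNK - 1) // CHUNK:
        raise FormatError("header fields disagree")
    if 12 + 4 * count > len(blob):
        raise FormatError("size table runs past end of file")
    sizes = struct.unpack_from(">%dI" % count, blob, 12)
    pos, out = align(12 + 4 * count), bytearray()
    for entry in sizes:
        if entry < 4 or pos + entry > len(blob):
            raise FormatError("section runs past end of file")
        if struct.unpack_from(">I", blob, pos)[0] != entry - 4:
            raise FormatError("section size word disagrees with table")
        d, want = zlib.decompressobj(), min(CHUNK, total - len(out))
        try:
            # One byte over the limit: output stays bounded, overlong sections are visible
            piece = d.decompress(blob[pos + 4:pos + entry], want + 1)
        except zlib.error as exc:
            raise FormatError("corrupt section: %s" % exc)
        if len(piece) != want or not d.eof:
            raise FormatError("section does not inflate to the expected size")
        out += piece
        pos = align(pos + entry)
    return bytes(out)
```

Each section is inflated with an output cap of one byte more than it is allowed to produce, so a section that would expand far beyond 0x10000 bytes is rejected without allocating the expanded data.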
@NWPlayer123
LGTM! ^^
Another thing; about your RPL/RPX symbol extractor:
Is it just me, or doesn't it work on RPXs? Or is there a newer version than on your Github? :P
lmao that is incredibly badly made, the symbols section isn't always at that address so you might have to run rpl2elf, use something like 7zip to extract the elf, then look for the symbols section file in the folder it makes, then you can do some fancy hex editing to make it a text file, Ctrl+R or Ctrl+H to replace, replace 0000 to 00 a few times to remove duplicate null bytes between strings, then replace 00 to 0d0a (\r\n for carriage return and then newline) and save as a .txt
 
Last edited by NWPlayer123,
I'll see what I can do, thank you very much for all of the advice! :)
TIL that ELFs can be extracted by 7zip! :ha:
 
Oh yeah, I remember there was an exploit conceptualized a while back. It involved using vWii homebrew to exploit the Wii U boot. It could only be patched through hardware. Has this ever seen the light of day? Is this the IOSU? Because I still have no idea what that entry point will be.
 