Wii U Hacking & Homebrew Discussion
Thread starter: filfat
Oh yeah, I remember there was an exploit conceptualized a while back. It involved using vWii homebrew to exploit the Wii U boot. It could only be patched through hardware. Has this ever seen the light of day? Is this the IOSU? Because I still have no idea what that entry point will be.
That was the SRESET/HRESET hack Fail0verflow spoke about in their 30C3 talk. That was like the first thing MN1 and I worked on, lmao; it gave us the Espresso Ancast key, so we could theoretically decrypt the kernel if we could get a binary from just userspace. This was like two years ago, before we even made the 4.0.0-5.1.0 WebKit exploit and started libwiiu.
 
I don't know why, but I'm extracting Smash U with DDD. It seems to work; the value increased from (screenshot) to (screenshot), but now the KB value has stopped. The only value that continues to change is the KB/s.

Is it a freeze, or do I just have to wait?
 
Compiled binaries for loadiine_gx2, homebrew_launcher, saviine, and tcpgecko/pyGecko, straight from git clone; make, for the latest commits from dimok (HBL and GX2) and Maschell (saviine) as of this posting.
I'll probably have to rewrite most of cafiine's source, since I made a gigantic mess of it while porting to 5.5.0. If anyone on lower firmwares wants to help with addresses, feel free to, like... PM me or something.
It'll probably be a bit before I get back, because I'll want to reverse engineer all the FS functions from coreinit so I can compare changes between versions. Not that it matters too much beyond personal interest, since it's been done thrice over.
I should also figure out how to generate accurate memmaps just from the OS so I can get them myself.
https://mega.nz/#!WdYSiYwL!GNjtOc32l47kH2ihH-2IayRVeDF6R4QLGG6W82jVwDs
 
Leak the 5.5 exploit y_y
 
Hi, can someone tell me if I'm going the wrong way, please?

My goal here is to get all the addresses of the GX2 functions.
First, I don't know yet how to print them in hex to see with IDA if they match or not.

I ran 3 tests to see if they are the same, and they are.

test 1:
address of GX2Init is 448122200 and is at 18180984
address of GX2Shutdown is 448122196 and is at 18182972

test 2:
address of GX2Init is 448122200 and is at 18180984
address of GX2Shutdown is 448122196 and is at 18182972

test 3:
address of GX2Init is 448122200 and is at 18180984
address of GX2Shutdown is 448122196 and is at 18182972


code:

__os_snprintf(adresse, 255, "address of GX2Init is %d and it's at %d", &GX2Init, GX2Init);
__os_snprintf(adresse2, 255, "address of GX2Shutdown is %d and it's at %d", &GX2Shutdown, GX2Shutdown);
 
If you replace the %d in your snprintf statements with %x or %X, it should print in proper hex (lowercase x for lowercase hex, uppercase X for my favorite, uppercase hex).

Also, you probably won't need to print &GX2Init/&GX2Shutdown, since that will print the address of the variable that holds the address of the function.
It's hard to explain, but imagine you have a piece of paper with the location of the GX2Init function written on it. You don't want the location of the paper (&GX2Init), you want what is actually written on the paper (GX2Init).

As for IDA, I'm unsure why you'd want to cross-reference them like this, but I suppose it could be done fairly easily. Just get the address of the function (for example, let's say it's 0x1500), then get the address of the library itself (I think this is the same as the value returned by OSDynLoad_Acquire; let's say it's 0x1000). Subtracting the two should give you how far into the library your function is (0x500 in my example). This address should match up with IDA.

I should mention that this is all my speculation on what should work. I see no reason why it wouldn't work, but hey, I've been wrong before ;3

Just out of curiosity, why are you checking?
 
Last edited by QuarkTheAwesome,
I know the difference between &something and something. I just want to see if the Wii U puts things in the same place every time.

I want to cross-reference with IDA to see if IDA uses the correct address (I think it does not).

Why do I do this? Two reasons:
First, to get more familiar with coding.
Second, to get the addresses so we can directly point to them and define the addresses later, to use the functions more easily (I guess).

But honestly, I just... do it.

PS: when I want to init GX2, it asks for an argument (void GX2Init(void *args)).

What is the argument it asks for?
 
Last edited by ryuutseku85,

GX2Init's arguments seem to change depending on who you ask. All of Dimok's GX2 stuff I've seen uses an array of various things to get started (link), but it seems that the libwiiu example gets away with passing nothing at all (link). You'll have to figure out which approach to use depending on what you need.
Wouldn't it also be easier to stick to OSDynLoad_FindExport rather than hard-coding addresses? It'd be compatible with more firmware versions that way (addresses change with each update). Although if hard-coding is what you want to do, that's fine by me. ;D
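Putting Quark's two replies together (printing addresses in hex and turning them into library-relative offsets for IDA in the earlier one, resolving exports at runtime instead of hard-coding them in this one), here is an added C example. It is not code from this thread or from any Wii U homebrew project. It models a loaded gx2.rpl as a base address plus an export table, with constructed, made-up offsets for two hypothetical firmware builds; the real OSDynLoad_Acquire / OSDynLoad_FindExport are not called, and whether Acquire's handle equals the load base is left as Quark's speculation. It compiles with any host gcc or clang.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from this thread or any Wii U homebrew project.
 * Every address and offset below is CONSTRUCTED for illustration. */

typedef struct {
    const char *name;
    uint32_t    rva;        /* export's offset from the library's load base */
} export_t;

typedef struct {
    uint32_t        base;   /* load address of the library's code */
    uint32_t        size;   /* size of the mapped code region */
    const export_t *exports;
    size_t          count;
} module_t;

/* Hypothetical gx2.rpl export tables for two firmware builds: same names,
 * different offsets, which is what happens when the library is rebuilt. */
static const export_t FW_A_EXPORTS[] = {
    { "GX2Init",     0x00012340 },
    { "GX2Shutdown", 0x00012704 },
    { "GX2Flush",    0x00013A10 },
};
static const export_t FW_B_EXPORTS[] = {
    { "GX2Init",     0x00012A80 },
    { "GX2Shutdown", 0x00012340 },  /* sits exactly where GX2Init was on A */
    { "GX2Flush",    0x00013C50 },
};
static const module_t GX2_FW_A = { 0x01000000, 0x00020000, FW_A_EXPORTS, 3 };
static const module_t GX2_FW_B = { 0x01000000, 0x00020000, FW_B_EXPORTS, 3 };

/* Lookup by name at runtime, the role OSDynLoad_FindExport plays on the
 * console. Returns the absolute address, or 0 if there is no such export. */
uint32_t find_export(const module_t *m, const char *name)
{
    for (size_t i = 0; i < m->count; i++)
        if (strcmp(m->exports[i].name, name) == 0)
            return m->base + m->exports[i].rva;
    return 0;
}

/* Reverse lookup: which export, if any, begins at this absolute address.
 * This is what a hard-coded address actually reaches on a given build. */
const char *export_at(const module_t *m, uint32_t addr)
{
    for (size_t i = 0; i < m->count; i++)
        if (m->base + m->exports[i].rva == addr)
            return m->exports[i].name;
    return NULL;
}

/* Resolve GX2Init on build A, then reuse that number on build B the way a
 * hard-coded address would. Returns the name of whatever lives there on B
 * ("GX2Shutdown" with the tables above), or "" if nothing does. */
const char *hardcoded_on_other_firmware(void)
{
    const char *hit = export_at(&GX2_FW_B, find_export(&GX2_FW_A, "GX2Init"));
    return hit ? hit : "";
}

/* Absolute address -> library-relative offset, the number to compare with a
 * disassembly of the RPL. UINT32_MAX means the address is not inside the
 * library at all (e.g. the address of the pointer variable, not the code). */
uint32_t to_rva(const module_t *m, uint32_t addr)
{
    if (addr < m->base || addr - m->base >= m->size)
        return UINT32_MAX;
    return addr - m->base;
}

/* Hex formatting of a 32-bit address. Never hand a pointer to %d or %x
 * directly; convert it to a fixed-width unsigned value first. */
const char *format_addr(uint32_t addr)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "0x%08" PRIX32, addr);
    return buf;
}

/* The &GX2Init vs GX2Init point: the function-pointer variable holds the
 * code address, while &variable is merely where that variable lives. */
typedef void (*gx2_fn_t)(void *args);
static void fake_gx2init(void *args) { (void)args; }

int pointer_holds_code_address(void)
{
    gx2_fn_t GX2Init = fake_gx2init;   /* the "piece of paper" */
    gx2_fn_t *paper  = &GX2Init;       /* where the paper is kept */
    return *paper == fake_gx2init;     /* 1: what is written on it is the code */
}

int main(void)
{
    printf("GX2Init on A: %s\n", format_addr(find_export(&GX2_FW_A, "GX2Init")));
    printf("GX2Init on B: %s\n", format_addr(find_export(&GX2_FW_B, "GX2Init")));
    printf("A's GX2Init number used on B reaches: %s\n", hardcoded_on_other_firmware());
    printf("448122200 in hex: %s\n", format_addr(448122200u));
    return 0;
}
```

The failure mode to notice is in hardcoded_on_other_firmware: the number resolved for GX2Init on build A is still a valid code address on build B, it just belongs to GX2Shutdown, so a hard-coded call silently runs the wrong function rather than crashing. to_rva is the value to compare with IDA when the RPL is loaded at the base the disassembly assumes; if the loader puts it elsewhere, compare offsets, never absolute addresses.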
 
Honestly, I don't know; I was hard-coding them :D.
I just want to know what is where; I didn't think of FindExport.
That could lead me nowhere, but I think it's a good exercise.
 
You can use RPC to get the addresses easily too.
 
They'll probably do it in a year or so, or when there are barely any <= 5.4.0 Wii Us out there.
5.3.2/5.4.0 Wii Us are getting pretty rare now. I went to a few stores on Friday. I was using the Wii U serial database to try to find a Wii U on 5.3.2 or 5.4.0. Unfortunately, I couldn't find any. I even asked the employees if they could check the back. They claimed they couldn't find any with those specific serial numbers.

I ended up buying a Wii U on 5.5.0.
 
eBay
 
