Hacking Post your WiiU cheat codes here!

[skoolzout1]

I have a problem with Super Mario Maker. When I want to activate JGecko U, I get an error message on the TV screen.
It says: "Illegal command byte found: 0xe0 Server Version 04/16/2017".

I don't know if I have the latest codehandler and TCPGecko because I don't know where I can find them.
Furthermore, which Kernel Exploit should I run?

Thank you for your help!

yeah you need to update tcpgecko..

go to external tools in jgecko and click the TCP Gecko installer button and itll download the updated files for you, then just replace the files on your sd card with the new ones.

 

[Maq47]

if you decide you'd like the full 1.1.1 dump to see for yourself just let me know

I would like a dump of the 0x38000000 to 0x44000000 region of BotW US 1.2.0, please. Just make it 0x30000000-0x44000000 and trim the first 0x8000000 bytes off. Thanks.

 

[skoolzout1]

I would like a dump of the 0x38000000 to 0x44000000 region of BotW US 1.2.0, please. Just make it 0x30000000-0x44000000 and trim the first 0x8000000 bytes off. Thanks.

So would you prefer a bin file or a text file?

 

[Maq47]

So would you prefer a bin file or a text file?

bin would be smaller.

 

[skoolzout1]

bin would be smaller.

https://www.mediafire.com/?8gnuedz16ox4c18

from 38000000 - 44000000

 

[Maq47]

https://www.mediafire.com/?8gnuedz16ox4c18

from 38000000 - 44000000

Thanks! That should help me make some codes in CheatEngine.

 

[Megabyte918]

Okay I attempted making the "stasis unlimited objects" code, but it did not work. I think I have a pretty decent understanding of how it works now, I just can't seem to get it right.

I made an example out of javascript to help me better understand how I should make the code, here it is:

var storedValue = "43856CE8"; // 11020001
"43856CE8" = "FFFFFFFF"; // re-enable stasis by replacing object's OG value with FFFFFFFF

if (DpadDown) {
    // Different object or value is FFFFFFFF
    if (storedValue != "43856CE8") {
        storedValue++; // increment by 1 (11020002)
        storedValue = "43856CE8"; // create & store value within 11020002
    }
    // Same object was chosen
    if (storedValue == "43856CE8") {
        "43856CE8" = storedValue; // restore it's tangibility
    }
}

Breakdown of how I think something like this would work:
First object was stasis'd. The value of the address (43856CE8) is then set to FFFFFFFF to allow other objects to be stasis'd. A second object is then stasis'd, whatever variable the first object is using to store it's tangibility (storedValue) should not be affected, instead, add a new variable to hold the second object's value ("add" new variable by incrementing storedValue (11020001) by 1), then add the value of the second object to the new variable (a.k.a 11020002). If the first frozen object is selected to be un-frozn, check if the variable used to store it's value (storedValue) contains the same value as the first frozen object. And if it is, replace the object's value with the one within storedValue to make it un-freezable again.

I then tried porting it over to cafe code based off of different cafe code types:

11020001 43856CE8
00020000 43856CE8
FFFFFFFF 00000000
03010000 102F48AA
00000100 00000000
04020000 11020001
43856CE8 00000000
14040X00 00000001
00020000 11020001
43856CE8 00000000
03020000 11020001
43856CE8 00000000
00020000 43856CE8
11020001 00000000
D0000000 DEADCAFE

Here's a breakdown of how I did it:

// var storedValue = "43856CE8";
11020001 43856CE8

// "43856CE8" = "FFFFFFFF"
00020000 43856CE8
FFFFFFFF 00000000

// if (DpadDown)
03010000 102F48AA
00000100 00000000

// if (storedValue != "43856CE8")
04020000 11020001
43856CE8 00000000

// storedValue++;
14040R00 00000001 <-- Don't know what I was doing there

// storedValue = "43856CE8";
00020000 11020001
43856CE8 00000000

// if (storedValue == "43856CE8")
03020000 11020001
43856CE8 00000000

// "43856CE8" = storedValue;
00020000 43856CE8
11020001 00000000

But there are many things wrong with it, and I have so many questions :/

- How do I store two if-statements within one if statement (DpadDown) using cafe code?
- How do I increment an address by 1? For example, incrementing storedValue (11020001) by 1 or 00000001 to get 11020002. The regular integer operations confuse the hell outta me :/
- Where should I insert breakpoints? I know that you are supposed to use D0000000 DEADCAFE after an if statement, but where exactly should I place it in this scenario? Since there are two if statements nested within one (DpadDown).
- Are there any more errors or possible bugs/etc with my code or what im trying to do in general I should know about?

 

[skoolzout1]

Okay I attempted making the "stasis unlimited objects" code, but it did not work. I think I have a pretty decent understanding of how it works now, I just can't seem to get it right.

I made an example out of javascript to help me better understand how I should make the code, here it is:

var storedValue = "43856CE8"; // 11020001
"43856CE8" = "FFFFFFFF"; // re-enable stasis by replacing object's OG value with FFFFFFFF

if (DpadDown) {
    // Different object or value is FFFFFFFF
    if (storedValue != "43856CE8") {
        storedValue++; // increment by 1 (11020002)
        storedValue = "43856CE8"; // create & store value within 11020002
    }
    // Same object was chosen
    if (storedValue == "43856CE8") {
        "43856CE8" = storedValue; // restore it's tangibility
    }
}

Breakdown of how I think something like this would work:
First object was stasis'd. The value of the address (43856CE8) is then set to FFFFFFFF to allow other objects to be stasis'd. A second object is then stasis'd, whatever variable the first object is using to store it's tangibility (storedValue) should not be affected, instead, add a new variable to hold the second object's value ("add" new variable by incrementing storedValue (11020001) by 1), then add the value of the second object to the new variable (a.k.a 11020002). If the first frozen object is selected to be un-frozn, check if the variable used to store it's value (storedValue) contains the same value as the first frozen object. And if it is, replace the object's value with the one within storedValue to make it un-freezable again.

I then tried porting it over to cafe code based off of different cafe code types:

11020001 43856CE8
00020000 43856CE8
FFFFFFFF 00000000
03010000 102F48AA
00000100 00000000
04020000 11020001
43856CE8 00000000
14040X00 00000001
00020000 11020001
43856CE8 00000000
03020000 11020001
43856CE8 00000000
00020000 43856CE8
11020001 00000000
D0000000 DEADCAFE

Here's a breakdown of how I did it:

// var storedValue = "43856CE8";
11020001 43856CE8

// "43856CE8" = "FFFFFFFF"
00020000 43856CE8
FFFFFFFF 00000000

// if (DpadDown)
03010000 102F48AA
00000100 00000000

// if (storedValue != "43856CE8")
04020000 11020001
43856CE8 00000000

// storedValue++;
14040R00 00000001 <-- Don't know what I was doing there

// storedValue = "43856CE8";
00020000 11020001
43856CE8 00000000

// if (storedValue == "43856CE8")
03020000 11020001
43856CE8 00000000

// "43856CE8" = storedValue;
00020000 43856CE8
11020001 00000000

But there are many things wrong with it, and I have so many questions :/

- How do I store two if-statements within one if statement (DpadDown) using cafe code?
- How do I increment an address by 1? For example, incrementing storedValue (11020001) by 1 or 00000001 to get 11020002. The regular integer operations confuse the hell outta me :/
- Where should I insert breakpoints? I know that you are supposed to use D0000000 DEADCAFE after an if statement, but where exactly should I place it in this scenario? Since there are two if statements nested within one (DpadDown).
- Are there any more errors or possible bugs/etc with my code or what im trying to do in general I should know about?

Tbh, i do not understand your thought process lol.

I could be very wrong, but @CosmoCortney can correct me if i am.

i would recommend doing this in assembly since custom branches/"else if's" are not possible with any code type. The D0000000 DEADCAFE is effectively the "End If" statement, or like the closing curly brace "}" in C/C++. When the tested condition is false, the handler branches to the D0000000 DEADCAFE line.

To increment an address by One, you'd use a Load Register operation, then followed by a Math operation on the same register.

ie:

10000000 43856CE8 //Load R0 with value inside of that address.
14040000 00000001 //Direct Value operation of Adding 1 to R0
11000000 43856CE8 //Store contents of R0, into that address.


as for your First bullet point, and your third bullet point, as i was saying, you cant create "truly" nested if statements, but you can test multiple conditions in a row.

in pseudo code, this is the difference..:

In C/C++ (or really any other language)

if (condition1)
{
if (condition2)
{

}
if (condition3)
{

}
}

We know that this means, test the first condition.. if False, skip everything.
if condition1 = True, test condition2 and test condtion3.


in Cafe Code type it would look like:
03020000 COND1

03020000 COND2
D0000000 DEADCAFE


03020000 COND3
D0000000 DEADCAFE


D0000000 DEADCAFE


HOWEVER, this would not functionally work the same way.. The way the handler operates (again CosmoCortney can correct me) is that when the first condition is false, it branches to the first D00000000 DEADCAFE, and therefore would end up at the end of condtion2

which isnt what we want.

You'd have to do assembly to branch to specific locations:

for example

cmpwi Rx, Condition1
bne- END // Jump to Label "End" if false

cmpwi Rx, Condition2
bne- EndOfCond2 // jump to label "EndOfCond2" if false
//if true, do this

EndOfCond2: cmpwi Rx, Condition3
bne- EndOfCond3
//if true, do this
EndOfCond3: nop



END: nop







Also... i feel like there is an easier way to do it. Since the ID of the object can be found in its structure (i forget the offset), and since i found the address that points to your stasis object (and also your magnesis target) you could just test for a Button press while targetting a frozen object, and then go grab the objects ID and place it back into 43856CE8

plus i also found the "This Object is Currently Stasis'd" boolean within its class, and ive already made a code that stasis's as many enemies/objects you want.


so the way i would make the code using your way, would be something like:

Is the player targetting an object?
if so, is it stasis'd?
is the player pressing the button to release this object?
if Yes, go to objects Structure, Grab ID, place it inside 43856CE8
if No, Write FFFFFFFF to 43856CE8 to allow stasis to be used again.


EDIT: nvm. i think it would be better to just always write FFFFFFFF to 43856CE8, unless the player is targeting an enemy, then if a button is pressed, put the ID back into 43856CE8 to allow it to be unfrozen.

apologies for my bad explanations... id just make the code if i wasnt busy with finals


EDIT2: I also dont know how you got placing the ID back into 43856CE8 to allow you to use stasis again.. if you stasis another object while leaving the other object frozen, putting its ID back doesnt do anything for me. Were you doing something different?

 

[Linkovitcho81]

Hi i cant find cheats of pikmin 3 i do evry thing but i can t enabled the code. Help me plz

 

[Linkovitcho81]

There is a trainer pikmin 3 like zelda ww hd
Coz zelda trainer work 100% for me

 

[BullyWiiPlaza]

I'm actually working on a new code handler written in C/C++ so it will be a lot easier to maintain the logic and understand how the code handler stuff really works.
Here you can check it out: https://github.com/BullyWiiPlaza/code_handler
Of course it will support all existing codes so no changes should be necessary whenever it gets released for the TCP Gecko Installer.
Contributions are welcome. The code runs on PC Linux right now for easier debugging till I'm confident that it is nearly flawless to try it on the Wii U, lol.

It's about 50% done right now.

 

[skoolzout1]

I'm actually working on a new code handler written in C/C++ so it will be a lot easier to maintain the logic and understand how the code handler stuff really works.
Here you can check it out: https://github.com/BullyWiiPlaza/code_handler
Of course it will support all existing codes so no changes should be necessary whenever it gets released for the TCP Gecko Installer.
Contributions are welcome. The code runs on PC Linux right now for easier debugging till I'm confident that it is nearly flawless to try it on the Wii U, lol.

It's about 50% done right now.

Awesome :3

i made a "Follow Pointer" program in C++ designed for following pointers in the same format given by your Pointer Searcher, but from within Hex dumps.

Im probably the only person that ever wanted a program like this but nonetheless if anyone wants it you can get it here:

https://github.com/skoolzout1/HexDumpPointerFollower

(this is the first time ive used github soo i apologize if i left something out or something lol.)

im open to suggestions for improvements or optimizations if anyone wants to take the time to look it over.

There are probably many ways to break it, but i think ive covered every user based error to the best of my ability.

EDIT: I already had to fix something major even just after posting this XD

 

[Ned7000]

I found these codes in Smash Bros for Wii U (USA/eShop) version 1.1.6 (latest version as of 5/2017)
They can be used in Trophy Rush.
First start trophy rush and add money to set the timer to 30 seconds. Then use the following code to turn 30 seconds into 300 seconds. It won't show the change until you start the mini-game though.

Timer 300 sec (Trophy Rush)
11FA690C 00000258

Once in Trophy Rush, collect a piece of equipment (wrench icon). Then activate the following code to turn it into 8,000 pieces of equipment.

Collect Equipment (Trophy Rush)
135171D4 00000FFF

Once you've used both codes, you can exit Trophy Rush, or have fun and run out the clock. Afterward you'll collect an assortment of 8,000 items and custom moves.
It took me three times through to collect every custom move for every character. Setting it for more equipment seems to crash (0000FFFF was too much), although you might play with both values to see what works for you.

Using JGeckoU on a Mac, these codes seem to work most reliably when you edit the memory values directly instead of using the code handler. But I'm not very experienced (I'm a longtime reader on this thread, but never contribute). It might have to do with my setup. Still the code handler works just fine in all other cases.

 

[PandaOnSmack]

I found these codes in Smash Bros for Wii U (USA/eShop) version 1.1.6 (latest version as of 5/2017)
They can be used in Trophy Rush.
First start trophy rush and add money to set the timer to 30 seconds. Then use the following code to turn 30 seconds into 300 seconds. It won't show the change until you start the mini-game though.

Timer 300 sec (Trophy Rush)
11FA690C 00000258

Once in Trophy Rush, collect a piece of equipment (wrench icon). Then activate the following code to turn it into 8,000 pieces of equipment.

Collect Equipment (Trophy Rush)
135171D4 00000FFF

Once you've used both codes, you can exit Trophy Rush, or have fun and run out the clock. Afterward you'll collect an assortment of 8,000 items and custom moves.
It took me three times through to collect every custom move for every character. Setting it for more equipment seems to crash (0000FFFF was too much), although you might play with both values to see what works for you.

Using JGeckoU on a Mac, these codes seem to work most reliably when you edit the memory values directly instead of using the code handler. But I'm not very experienced (I'm a longtime reader on this thread, but never contribute). It might have to do with my setup. Still the code handler works just fine in all other cases.

Good opportunity to wrap them in a button activator so that you can set the values quickly without having to go back to jgecko u

 

[BullyWiiPlaza]

i made a "Follow Pointer" program in C++ designed for following pointers in the same format given by your Pointer Searcher, but from within Hex dumps.

Good idea but for me personally it's rather useless because I only make memory dumps for the pointer searcher and it does the following so I don't have to check manually.

 

[tastymeatball]

Here a code for The Legend of Zelda: Breath of the Wild

Always see monster HP (V 1.1.2)
00000000 43CA2F1C
00000001 00000000

This code lets you see the monster HP even if you don't have equipped the Champion's Tunic
@skoolzout1: Maybe you want to add this code your code list

 

[skoolzout1]

Here a code for The Legend of Zelda: Breath of the Wild

Always see monster HP (V 1.1.2)
00000000 43CA2F1C
00000001 00000000

This code lets you see the monster HP even if you don't have equipped the Champion's Tunic
@skoolzout1: Maybe you want to add this code your code list

I never ever thought to make a code like that. nice job. I don't think I'll add it to my paste bin just because it feels wrong to have a pastebin labelled "All of my BoTW codes, made by me" and then have other people's codes thrown in.

--------------------- MERGED ---------------------------

Good idea but for me personally it's rather useless because I only make memory dumps for the pointer searcher and it does the following so I don't have to check manually.

I've been using it solely to find addresses pointed to by pointers to use in your pointer searcher. I've been trying to find "Version Free" pointers for BoTW so that I don't have to update 100 codes every time the game updates lol. So I've been going through a bunch of dumps to test if pointers worked on older dumps, hence why I made this program

Hopefully you find the time to implement the 3 stage pointer search into your pointer searcher soon :3

 

[Maq47]

@skoolzout1 What's the highest in hex that BotW's RAM goes in 1.1.2? Is it 0x54720000 or something else?

Edit: never mind: https://www.reddit.com/r/cemu/comments/64qx6e/bypass_amiibo_day_limit/dg69r5p/

It is indeed 0x54720000.

 

[skoolzout1]

@skoolzout1 What's the highest in hex that BotW's RAM goes in 1.1.2? Is it 0x54720000 or something else?

Edit: never mind: https://www.reddit.com/r/cemu/comments/64qx6e/bypass_amiibo_day_limit/dg69r5p/

It is indeed 0x54720000.

Pretty sure it's only to 4C8A0000.

https://www.google.ca/amp/vgleaks.com/wii-u-memory-map/amp/

Application data is only 1GB which is 1024^3 bytes, which in hex is 40000000 so since application data starts at 10000000 that means the highest range a game can occupy is between 10000000-50000000

 

[Maq47]

Does anyone feel like porting @DarkFlare69's BotW 'Speed Modifier 2.0' code from 1.0.0 EUR to 1.1.2 USA (his offset doesn't work for me)? I think he used an unupdated EUR copy of BotW to make his codes.

Here is the original code:

Speed Modifier v2.0 [DarkFlare]
00020000 439BF514
XXXXXXXX 00000000

*XXXXXXXX = Speed (In Float)
*00000000 = 0x Speed (Frozen)
*3F800000 = 1x Speed (Default)
*40000000 = 2x Speed
*40800000 = 4x Speed
*41000000 = 8x Speed
*42000000 = 32x Speed