Hacking [BETA] Loadiine (v3) for WiiU 4.1.0 & 5.0.0 ONLY

[Maschell]

afaik is dimok going to make the porting much easier, so I wouldn't put tooooo much effort in porting before the next release

 

[ptitleray]

Thanks a lot for the tutorial, ptitleray
I will try to get it working on 5.0.0
If anyone else is interested in trying to make it work for 5.0.0, here are the addresses to get started:

OSScreenInit is at: 0x1039AD8
socket_lib_init is at: 0x10BF2F4
GX2WaitForVsync is at: 0x1150868
VPADRead is at: 0x11283D0
SYSLaunchMiiStudio is at: 0xDEAAE68

Note that this is for 5.0.0 only.

If i have a little time, i will try to port to this 5.0.0 firmware also

 

[ptitleray]

If i have a little time, i will try to port to this 5.0.0 firmware also

Time to test for 5.0.0 firmware, look at the first post

Can Modo change the Title to "[BETA] Loadiine (v3) for WiiU 4.1.0 or 5.0.0 ONLY" ?

 

[reprep]

Looking forward to try it on my 4.0.2 wii-u, waiting for this since the first kexploit. http://wololo.net/2015/06/17/wii-u-native-hack-released/

 

[ptitleray]

Looking forward to try it on my 4.0.2 wii-u, waiting for this since the first kexploit. http://wololo.net/2015/06/17/wii-u-native-hack-released/

Can you test the "homebrew" address here ?
I think that you need to run manually "payload400.html" for your firmware

 

[reprep]

Can you test the "homebrew" address here ?
I think that you need to run manually "payload400.html" for your firmware

thanks a lot for this. I don't think i can port it to my fw though, never used IDA before.

 

[ptitleray]

thanks a lot for this. I don't think i can port it to my fw though, never used IDA before.

Can you download "address.zip" at the bottom of the post i pointed you ?
Launch it on your WiiU and give me the result

 

[ganjamann]

hey guys, forgot my old nick here, but long time member...
i just checked my wiiu. thought it would be on 4.1.0e but it´s on 4.0.0e. is someone of you capable in porting it to that fw? or does someone know (from any chat) if naehrwert is going to pull his iosu down to 4.0.0e users that didn´t update to 5.3.2?

 

[reprep]

Can you download "address.zip" at the bottom of the post i pointed you ?
Launch it on your WiiU and give me the result

Oh thanks, will do it tonight.

 

[fixx1983]

Thanks ptitleray. I'm an usual lurker, but i want to post here for 2 reasons.

First: thanks for this great work.
Second: i've ordered today a 4.1.0 WiiU, and it's on the road.
For using 4.1.0 Loadiine i've to load first the Kernel Exploit, then the Loadiine, i'm right?

 

[obs123194]

Just curious what's so special about this version of loadiiine?

 

[fixx1983]

It's for fw lower than 5.3.2.

It looks like those firmware are better for the future IOSU hack

 

[obs123194]

It's for fw lower than 5.3.2.

It looks like those firmware are better for the future IOSU hack

what does IOSU hack provide? Also will Loadiiine games ever work with wifi and DLC? I'm really hoping they do in the future.

 

[pLaYeR^^]

I need for firmware 4.0.0 lol

 

[ptitleray]

Thanks ptitleray. I'm an usual lurker, but i want to post here for 2 reasons.

First: thanks for this great work.
Second: i've ordered today a 4.1.0 WiiU, and it's on the road.
For using 4.1.0 Loadiine i've to load first the Kernel Exploit, then the Loadiine, i'm right?

For now, you must load loadiine in this order :
1- loadiine kernel
2- TCPgecko <-- need because of a bug in curl function (see the first post)
3- loadiine3

 

[obs123194]

what does IOSU hack provide? Also will Loadiiine games ever work with wifi and DLC? I'm really hoping they do in the future.

someone answer this please..

 

[smid]

Time to test for 5.0.0 firmware, look at the first post

Wow that was fast! Thanks a lot!
I tried launching the kernel exploit and then tcpgecko, but tcpgecko just freezes on a white screen after the "success. Press any button to return to wiiu menu".
If I try to run just loadiine without tcpgecko, it just returns to the wiiu menu and nothing happens.
Anyway, I will try different stuff and see if I can get it working.

 

[henn64]

I'm like half happy, and half guilty for updating my Wii U from 1.0.3 to 5.3.2! Once stuff starts being developed for older firmware, we're all going to get a tease!

>older
>5.4.0 & 5.5.0
Ur brekkin me hart

 

[Myth]

How would I go about installing this on a 4.1 wii u?

Thanks for the port!

 

[piratesephiroth]

For the story

I will try to explain my "method" for, why not, porting it to other firmware
I take some base the loadiine v3 (bf42d94) --> you can download it here

I'm not so smart and i don't know all of this work so i use the "method" of comparison (with IDA PRO), and some mathematics
Read all this post before download anything and if you feel capable of doing it ... try

1 - Download the "OS" for the firmware you want to port loadiine and 5.3.2 firmware (to compare)
- for this step, i used NUSgrabber from crediar --> download NUSgrabber here
- you can use Uwizard or NUSGrabberGUI if you prefer
- use NUSgrabber like this :

Spoiler: NUSgrabber

NUSgrabber 000500101000400A [OSv11 version]

[OSv11 version] must be replace by the version of firmware

Look at the line "OSv11" in the Wiiubrew Title Database
For example, on 5.3.2 firmware, it's v11464 so the line will be :
NUSgrabber 000500101000400A 11464

- now (if you use NUSgrabber), you must have a directory named "000500101000400A" in the same directory of NUSgrabber
and in this directory, 2 others : 1 named "11464" (this one is the 5.3.2 "OS") and the other must fit the version of your "OS" firmware (ex. 5883 for 4.1.0 "OS")

2 - Extract the 2 "OS" version to compare
- in the 2 directory (11464 and the other for your firmware), use CDecrypt from crediar like this :

Spoiler: CDecrypt

CDecrypt.exe title.tmd title.tik wiiucommonkey.bin

- if all is good, you must have a new directory named "code" on 11464 and the other (the one fit your firmware version)

3 - Use IDA PRO (disassembler) to find address
- download IDA PRO --> don't ask me where to find it
- use aerosoul94 WiiU loader --> look here
- open "coreinit.rpl" in IDA, wait a little for the program to disassemble
- go to the "Exports" tab on IDA and you will see addresses in front of function's name
- for the 0x1xxxxxxx address, they're GOOD but for the 0x02xxxxxx, we must make some mathematics

4 - Some mathematics ...
- for the 0x02xxxxxx, we must find a base address for our calculations
- for this, you must use the payload ("address.zip") attached below (use it "directly", no need kernel exploit)
- it will display (if your WiiU is exploitable) some address :

Spoiler: Address

OSScreenInit is at : 0xXXXXXXX --> will be the "base" for "coreinit.rpl"
socket_lib_init for "nsysnet.rpl"
GX2WaitForVsync for "gx2.rpl"
VPADRead for "vpad.rpl"
SYSLaunchMiiStudio for "sysapp.rpl"

- on my 4.1.0 WiiU, i have :

Spoiler: Address for 4.1.0

OSScreenInit is at : 0x10352F8
socket_lib_init is at : 0x10B44D4
GX2WaitForVsync is at : 0x11454BC
VPADRead is at : 0x111D5DC
SYSLaunchMiiStudio is at : 0xDEAB888

- now back to "coreinit.rpl" in IDA, in "Exports" tab, search "OSScreenInit" function

Spoiler: coreinit.rpl MAGIC number

For my 5883 "OS" version, i have 0x020196F8 in front of "OSScreenInit" function in IDA
So :
0x020196F8 - 0x10352F8 = 0xFE4400 ==> "MAGIC" number for "coreinit.rpl" for 4.1.0 firmware
With this "MAGIC" number, we may know all address of the functions present in "coreinit.rpl"
For example, address of FSAInit (which is in "coreinit.rpl") can be calculate by :
0x0203DF1C (IDA address) - 0xFE4400 ("MAGIC" coreinit number) = 0x1059B1C (REAL address of FSAInit for 410 firmware)

Spoiler: nsysnet.rpl MAGIC number

For my 5883 "OS" version (4.1.0), i have 0x02000514 in front of "socket_lib_init" function in IDA
So :
0x02000514 - 0x10B44D4 = 0xF4C040 ==> "MAGIC" number for "nsysnet.rpl" for 4.1.0 firmware
With this "MAGIC" number, we may know all address of the functions present in "nsysnet.rpl"
For example, address of connect (which is in "nsysnet.rpl") can be calculate by :
0x02000A3C (IDA address) - 0xF4C040 ("MAGIC" coreinit number) = 0x10B49FC (REAL address of connect for 410 firmware)

- we can do the same for the others, to find all functions to replaces in loadiine source

(SOON) 5 - Make some address adjustment on some functions
On file launcher.c :
- change address in InstallMenu() function (done by compare with IDA in coreinit.rpl)
- change address in InstallLoader() function (done by compare with IDA in loader.elf)
...

Ah, I wish there was a payload for fw v5.2.0 in that address zip file