afaik is dimok going to make the porting much easier, so I wouldn't put tooooo much effort in porting before the next release
If i have a little time, i will try to port to this 5.0.0 firmware alsoThanks a lot for the tutorial, ptitleray
I will try to get it working on 5.0.0
If anyone else is interested in trying to make it work for 5.0.0, here are the addresses to get started:
OSScreenInit is at: 0x1039AD8
socket_lib_init is at: 0x10BF2F4
GX2WaitForVsync is at: 0x1150868
VPADRead is at: 0x11283D0
SYSLaunchMiiStudio is at: 0xDEAAE68
Note that this is for 5.0.0 only.
Time to test for 5.0.0 firmware, look at the first postIf i have a little time, i will try to port to this 5.0.0 firmware also
Can you test the "homebrew" address here ?Looking forward to try it on my 4.0.2 wii-u, waiting for this since the first kexploit. http://wololo.net/2015/06/17/wii-u-native-hack-released/
Can you test the "homebrew" address here ?
I think that you need to run manually "payload400.html" for your firmware
Can you download "address.zip" at the bottom of the post i pointed you ?thanks a lot for this. I don't think i can port it to my fw though, never used IDA before.
Can you download "address.zip" at the bottom of the post i pointed you ?
Launch it on your WiiU and give me the result
what does IOSU hack provide? Also will Loadiiine games ever work with wifi and DLC? I'm really hoping they do in the future.It's for fw lower than 5.3.2.
It looks like those firmware are better for the future IOSU hack
For now, you must load loadiine in this order :Thanks ptitleray. I'm an usual lurker, but i want to post here for 2 reasons.
First: thanks for this great work.
Second: i've ordered today a 4.1.0 WiiU, and it's on the road.
For using 4.1.0 Loadiine i've to load first the Kernel Exploit, then the Loadiine, i'm right?
someone answer this please..what does IOSU hack provide? Also will Loadiiine games ever work with wifi and DLC? I'm really hoping they do in the future.
Wow that was fast! Thanks a lot!Time to test for 5.0.0 firmware, look at the first post
>olderI'm like half happy, and half guilty for updating my Wii U from 1.0.3 to 5.3.2! Once stuff starts being developed for older firmware, we're all going to get a tease!
Ah, I wish there was a payload for fw v5.2.0 in that address zip fileFor the story
I will try to explain my "method" for, why not, porting it to other firmware
I take some base the loadiine v3 (bf42d94) --> you can download it here
I'm not so smart and i don't know all of this work so i use the "method" of comparison (with IDA PRO), and some mathematics
Read all this post before download anything and if you feel capable of doing it ... try
1 - Download the "OS" for the firmware you want to port loadiine and 5.3.2 firmware (to compare)
- for this step, i used NUSgrabber from crediar --> download NUSgrabber here
- you can use Uwizard or NUSGrabberGUI if you prefer
- use NUSgrabber like this :
- now (if you use NUSgrabber), you must have a directory named "000500101000400A" in the same directory of NUSgrabberNUSgrabber 000500101000400A [OSv11 version]
[OSv11 version] must be replace by the version of firmware
Look at the line "OSv11" in the Wiiubrew Title Database
For example, on 5.3.2 firmware, it's v11464 so the line will be :
NUSgrabber 000500101000400A 11464
and in this directory, 2 others : 1 named "11464" (this one is the 5.3.2 "OS") and the other must fit the version of your "OS" firmware (ex. 5883 for 4.1.0 "OS")
2 - Extract the 2 "OS" version to compare
- in the 2 directory (11464 and the other for your firmware), use CDecrypt from crediar like this :
- if all is good, you must have a new directory named "code" on 11464 and the other (the one fit your firmware version)CDecrypt.exe title.tmd title.tik wiiucommonkey.bin
3 - Use IDA PRO (disassembler) to find address
- download IDA PRO --> don't ask me where to find it
- use aerosoul94 WiiU loader --> look here
- open "coreinit.rpl" in IDA, wait a little for the program to disassemble
- go to the "Exports" tab on IDA and you will see addresses in front of function's name
- for the 0x1xxxxxxx address, they're GOOD but for the 0x02xxxxxx, we must make some mathematics
4 - Some mathematics ...
- for the 0x02xxxxxx, we must find a base address for our calculations
- for this, you must use the payload ("address.zip") attached below (use it "directly", no need kernel exploit)
- it will display (if your WiiU is exploitable) some address :
- on my 4.1.0 WiiU, i have :OSScreenInit is at : 0xXXXXXXX --> will be the "base" for "coreinit.rpl"
socket_lib_init for "nsysnet.rpl"
GX2WaitForVsync for "gx2.rpl"
VPADRead for "vpad.rpl"
SYSLaunchMiiStudio for "sysapp.rpl"
- now back to "coreinit.rpl" in IDA, in "Exports" tab, search "OSScreenInit" functionOSScreenInit is at : 0x10352F8
socket_lib_init is at : 0x10B44D4
GX2WaitForVsync is at : 0x11454BC
VPADRead is at : 0x111D5DC
SYSLaunchMiiStudio is at : 0xDEAB888
For my 5883 "OS" version, i have 0x020196F8 in front of "OSScreenInit" function in IDA
So :
0x020196F8 - 0x10352F8 = 0xFE4400 ==> "MAGIC" number for "coreinit.rpl" for 4.1.0 firmware
With this "MAGIC" number, we may know all address of the functions present in "coreinit.rpl"
For example, address of FSAInit (which is in "coreinit.rpl") can be calculate by :
0x0203DF1C (IDA address) - 0xFE4400 ("MAGIC" coreinit number) = 0x1059B1C (REAL address of FSAInit for 410 firmware)- we can do the same for the others, to find all functions to replaces in loadiine sourceFor my 5883 "OS" version (4.1.0), i have 0x02000514 in front of "socket_lib_init" function in IDA
So :
0x02000514 - 0x10B44D4 = 0xF4C040 ==> "MAGIC" number for "nsysnet.rpl" for 4.1.0 firmware
With this "MAGIC" number, we may know all address of the functions present in "nsysnet.rpl"
For example, address of connect (which is in "nsysnet.rpl") can be calculate by :
0x02000A3C (IDA address) - 0xF4C040 ("MAGIC" coreinit number) = 0x10B49FC (REAL address of connect for 410 firmware)
(SOON) 5 - Make some address adjustment on some functions
On file launcher.c :
- change address in InstallMenu() function (done by compare with IDA in coreinit.rpl)
- change address in InstallLoader() function (done by compare with IDA in loader.elf)
...