Hacking [Development] Many, many memory questions

NWPlayer123

Where'd you get the assembly? That's pretty darn useful to have.
It definitely wouldn't be that hard to do something like that. One quick question though: How do you figure out the function signatures and the like for stuff that isn't in wiiubrew or anything like that?
Just download from NUS; there's a plugin for RPX/RPL files on here somewhere for IDA. The RPL libraries include symbols; they have to for OSDynLoad_FindExport to work. snd_core and snd_user are Sound-1; sndcore2 and snduser2 are Sound-2.
http://wiiubrew.org/wiki/Cafe_OS#Libraries
http://wiiubrew.org/wiki/Title_database OSv10 000500101000400A v15702
 

NWPlayer123

It's worth noting that I've managed to call AXQuit for Sound-1 successfully (AXIsInit starts responding with false), but AXInitWithParams is causing me no end of trouble.
How are you calling it? http://wiiubrew.org/wiki/Sndcore2.rpl
You should allocate 12 bytes, write 00 00 00 01 (AX_48K_RENDERER), 00 00 00 00 (AX_3MS_FRAME), 00 00 00 00 (AX_SINGLE_PIPELINE), and then pass in the pointer to the array you got back from OSAlloc.
 

QuarkTheAwesome

Just dawned on me that I was trying to call it on Sound-1. Oops.
Will fix and report back tomorrow.
 

QuarkTheAwesome

Gah. So far, I haven't been able to get a handle to sndcore2 despite Sound-1 reporting it's not initialised. I've also tried deallocating (OSDynLoad_Release) Sound-1, which works but doesn't change the Sound-2 situation. I suppose this means I could successfully use Sound-1 however.
It seems that the only way forward is, as suggested, doing a loop around OSDynLoad_IsModuleLoaded. The issue will be finding the browser's handles and releasing them too so we can actually have the reference count hit zero; is there an OSDynLoad function for this? I would check, but IDA's too bloody expensive (I swear I'm missing something here...)
 

brienj

Well, at least I don't feel so dumb now; it's looking like it wasn't because I was doing something wrong, since you're getting similar results to what I was. I just got tired of walking up and down the stairs every time I tested. I really need to get a second Wii U, or move the thing from downstairs to the front room with my computer.

I've got all the fun stuff in the basement though, hooked up to the projector and 110" screen. :D

I just realized that I could steal my wife's or daughter's laptop, put development stuff on it and just take that downstairs with me, but yeah, good luck with me being able to do that. Which now has me wondering: why the heck do my wife and daughter have laptops, and I don't? Life just isn't fair, it's not fair, dammit. :rofl2:
 

rw-r-r_0644

So to get a handle to sndcore1, this code should work?
Code:
OSDynload_Release("sndcore1.rpl");
unsigned int sndcore1_handle;
OSDynload_Acquire("sndcore1.rpl", sndcore1_handle);
 

QuarkTheAwesome

My code didn't actually end up using OSDynLoad_Release while I was working with Sound-1. Instead, I messed around with stuff like AXQuit. I'll throw up a working example soon(tm).
In addition, I thought that OSDynLoad_Release took a handle (not the name of the lib)?
I'm also fairly sure that it's "snd-core.rpl".
 

rw-r-r_0644

OK, thank you. You are right about OSDynload_Release; I just didn't find documentation on it. Also, sorry for sndcore (it's snd-core, as you told me); I was writing a quick example, so I didn't look at wiiubrew.
Thank you for your work on a working example :)

EDIT: I found an OSDynload_Release example (elfloader), and it seems like it needs the handle used to export the RPL, so now, if I'm not wrong, I have to find the address of the handle in RAM.
 

QuarkTheAwesome


AFAIK if you want to use Sound-1 you don't need to release it at all. It's Sound-2 that needs Sound-1 released. You do seem to need to call AXQuit on Sound-1 before you can use it (AXIsAudioOutReady returns false when the app is first started).
 

QuarkTheAwesome

I have fw.img decompressed to .bin, but IDA Pro says the ROM is too big. What's the ROM size? IDA Pro 6.6. Thanks.

I've never been much of a firmware hacker, but AFAIK the files you get from the NUS are encrypted with AES-128. You'll need the Starbuck Ancast key to decode them (it can easily be found elsewhere; posting it is against GBAtemp rules). You'll also need to clip off a header before it's really usable.

The information on the specifics of doing this is out there, I just don't really know where ;3
 

brienj

These are the openssl command lines to use; just fill in the keys:
Code:
openssl enc -d -aes-128-cbc -K <Espresso Wii U Ancast Key> -iv 0 -nopad -in kernel.img -out kernel.bin
openssl enc -d -aes-128-cbc -K <Starbuck Wii U Ancast Key> -iv 0 -nopad -in fw.img -out fw.bin
 

NWPlayer123

Run those to decrypt. fw.img has an ELF inside; you want to chop off everything before it in a hex editor (there's about 0x100 bytes before the ELF magic; you want the magic at byte zero). I was playing around with disassembly params in IDA and found one that makes it not do stupid stuff for once; I'll edit this later with it all or make a new post.
kernel.img is just a binary file; chop off the first 0x100 bytes and, when you load it in IDA as a binary, put it at 0xFFE00100. I am literally in the process of making a .cfg of all the special purpose registers, so I'd wait for that; the current PPC one is way off and is missing half of them :\
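The header-chopping step above is easy to get wrong by hand, and a decryption with the wrong key or IV produces output that still "loads" in IDA but is garbage. The following is an added example, not code from this thread or from any of its posters: it scans a decrypted image for the ELF magic instead of assuming a fixed 0x100 offset, checks that what follows is a 32-bit big-endian PowerPC ELF before returning the stripped payload, and refuses garbage. The sample image it builds (a 0x100-byte filler header plus a minimal ELF32 header with a made-up entry point) is constructed for the demonstration; nothing in it is real firmware.

```python
"""Locate the ELF inside a decrypted Wii U fw.img and sanity-check its ident.

Added example, not code from the thread. The post above says the decrypted
fw.img carries roughly 0x100 bytes before the ELF magic and that the magic
must become byte zero for IDA. This finds the magic rather than assuming the
offset, and validates the ELF ident so a wrong key is detected, not loaded.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EM_PPC = 20          # e_machine for 32-bit PowerPC
ELFCLASS32 = 1
ELFDATA2MSB = 2      # big-endian, as the Espresso is


def find_elf_offset(image: bytes) -> int:
    """Return the offset of the first ELF magic in image, or -1 if absent."""
    return image.find(ELF_MAGIC)


def check_ppc32_header(elf: bytes) -> dict:
    """Parse the ELF ident and e_machine; raise ValueError unless this is a
    32-bit big-endian PowerPC ELF (a wrongly decrypted image fails here)."""
    if len(elf) < 52:
        raise ValueError("too short for an ELF32 header")
    if elf[:4] != ELF_MAGIC:
        raise ValueError("no ELF magic at offset 0")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class != ELFCLASS32 or ei_data != ELFDATA2MSB:
        raise ValueError("not a 32-bit big-endian ELF")
    e_type, e_machine, _, e_entry = struct.unpack_from(">HHII", elf, 16)
    if e_machine != EM_PPC:
        raise ValueError(f"unexpected e_machine {e_machine}")
    return {"type": e_type, "machine": e_machine, "entry": e_entry}


def strip_to_elf(image: bytes) -> bytes:
    """Drop everything before the ELF magic so the magic becomes byte zero,
    after checking the header looks like a PPC32 ELF."""
    off = find_elf_offset(image)
    if off < 0:
        raise ValueError("no ELF found; key or IV is probably wrong")
    elf = image[off:]
    check_ppc32_header(elf)
    return elf


def looks_decrypted(image: bytes) -> bool:
    """True when a plausible PPC32 ELF is found anywhere in the image."""
    try:
        strip_to_elf(image)
        return True
    except ValueError:
        return False


def constructed_fw_image() -> bytes:
    """Constructed stand-in for a decrypted fw.img: 0x100 bytes of filler
    (assumed header size) followed by a minimal ELF32 header, no sections."""
    header = bytes(range(256))
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + bytes(9)
    # e_type=EXEC(2), e_machine=PPC, e_version=1, e_entry is a made-up value,
    # e_phoff/e_shoff/e_flags=0, e_ehsize=52, remaining fields 0
    rest = struct.pack(">HHIIIIIHHHHHH", 2, EM_PPC, 1, 0x00100000,
                       0, 0, 0, 52, 0, 0, 0, 0, 0)
    return header + ident + rest


if __name__ == "__main__":
    img = constructed_fw_image()
    print("ELF magic at offset", hex(find_elf_offset(img)))
    print("header:", check_ppc32_header(strip_to_elf(img)))
```

On a real decrypted image, replace `constructed_fw_image()` with the file's bytes; if `looks_decrypted` returns False, revisit the key and IV before spending time in IDA.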
 

QuarkTheAwesome


Welp, here's that example that seems to work on my WiiU.

This is the BARE MINIMUM to get AXIsInit on Sound-1 to start returning false (when run from an already-good program [IM_Close etc]):
Code:
    unsigned int soundOneHandle; //Get sound-1 handle
    OSDynLoad_Acquire("snd_core.rpl", &soundOneHandle);

    void (*AXQuit)(); //Get AXQuit();
    OSDynLoad_FindExport(soundOneHandle, 0, "AXQuit", &AXQuit);

    AXQuit(); //Run it

And here's a slightly tweaked version with a few more checks and balances:
Code:
    //printstr() is one of my functions. It just puts text on the screen.

    unsigned int soundOneHandle;
    OSDynLoad_Acquire("snd_core.rpl", &soundOneHandle);

    bool (*AXIsAudioOutReady)(); //Is Sound-1 ready to output audio?
    bool (*AXIsInit)(); //Has Sound-1 been started?
    OSDynLoad_FindExport(soundOneHandle, 0, "AXIsAudioOutReady", &AXIsAudioOutReady);
    OSDynLoad_FindExport(soundOneHandle, 0, "AXIsInit", &AXIsInit);

    if (AXIsInit()) {
        //Audio is still initialised from the browser, let's quit.
    
        if (AXIsAudioOutReady()) {
            //I'm not really sure if this matters for our purposes, but it's worth checking, I guess.
            //The way the browser leaves Sound-1 for us means that this check always returns false anyway.
            //Make sure to print out a warning if this code is run, just in case the browser's being weird.
            printstr(3, "Be worried!");
        }
    
        //Okay, all good. Let's quit.

        void (*AXQuit)();
        OSDynLoad_FindExport(soundOneHandle, 0, "AXQuit", &AXQuit);

        AXQuit();
    
        //We should be all good now, but I like to double-check stuff.
    
        if (AXIsInit()) {
            //Audio didn't quit. This is something to be worried about.
            printstr(2, "FATAL: Couldn't quit Sound-1!");
            while(1) {} //cheap and dirty way to stop a program ;3
        } else {
            //We're good! Everything has been quit.
            //You can throw your code that needs a fresh Sound-1 here.
            //I recommend starting a new thread so you can have a nice, big stack.
            printstr(2, "This all worked!");
        }
    } else {
        //Sound-1 wasn't running in the first place! This is not what we expect, to say the least.
        printstr(3, "ERROR: Sound-1 was never started???");
    }
    //If you want, you can also put your sound code here. I still recommend putting it inside the if statement however.

Well, there we go. Both of those snippets seem to work okay on my WiiU. Make sure to swap out the printstr() functions for something else if you want to try them (or write your own printstr ;3).

It's worth noting that in my tests, this does NOT fix the Sound-2 crash issue. I'm also unsure whether or not this allows us to use Sound-1 (no clue how it works), but I suspect it would.

Now gonna start working on that funky loop...
 

NWPlayer123

Finally done: full list of PPC Special Purpose Registers for the Espresso. Some of them I couldn't find any documentation for, even with the user manual for the 750CL that F0F has on their site, so :\
The tables and lists for the disassembly functions in coreinit all match perfectly, so I don't doubt this; it's just the full names. Starts at 10013328 in 5.5.1: just a 4-byte number for the register (e.g. 0x110), then a 4-byte pointer to the register name (e.g. sprg0).
Go edit /cfg/ppc.cfg in IDA, scroll to the bottom and copy-paste this in, then scroll to the top and change the default to .wiiu if you want.
When you go to Processor options and hit Choose a device, wiiu should be listed; click it, OK, then OK again. I/O Ports and Interrupts should be on, but Memory layout really needs to be off for the kernel or stuff will break. If everything goes well, all the PPCmf and PPCmt functions in coreinit should have the correct SPRs for the function name, and the kernel should be clean too.
Code:
.wiiu
SIMD=PAIRED
PROFILE=EMBEDDED
;--------------------------------------
; All registers for Wii U Espresso Processor
spr   xer     1         Integer Exception Register
spr   lr      8         Link Register
spr   ctr     9         Count Register
spr   dsisr   18        Data Storage Interrupt Status Register
spr   dar     19        Data Address Register
spr   dec     22        Decrementer
spr   sdr1    25        Storage Description Register 1
spr   srr0    26        Machine Status Save/Restore Register 0
spr   srr1    27        Machine Status Save/Restore Register 1
spr   utbl    0x10C     User-Mode Time Base Register (lower)
spr   utbu    0x10D     User-Mode Time Base Register (upper)
spr   sprg0   0x110     General Special Purpose Register 0
spr   sprg1   0x111     General Special Purpose Register 1
spr   sprg2   0x112     General Special Purpose Register 2
spr   sprg3   0x113     General Special Purpose Register 3
spr   ear     0x11A     External Access Register
spr   tbl     0x11C     Time Base Register (lower)
spr   tbu     0x11D     Time Base Register (upper)
spr   pvr     0x11F     Processor Version Register
spr   ibat0u  0x210     Instruction BAT Register 0 (upper)
spr   ibat0l  0x211     Instruction BAT Register 0 (lower)
spr   ibat1u  0x212     Instruction BAT Register 1 (upper)
spr   ibat1l  0x213     Instruction BAT Register 1 (lower)
spr   ibat2u  0x214     Instruction BAT Register 2 (upper)
spr   ibat2l  0x215     Instruction BAT Register 2 (lower)
spr   ibat3u  0x216     Instruction BAT Register 3 (upper)
spr   ibat3l  0x217     Instruction BAT Register 3 (lower)
spr   dbat0u  0x218     Data BAT Register 0 (upper)
spr   dbat0l  0x219     Data BAT Register 0 (lower)
spr   dbat1u  0x21A     Data BAT Register 1 (upper)
spr   dbat1l  0x21B     Data BAT Register 1 (lower)
spr   dbat2u  0x21C     Data BAT Register 2 (upper)
spr   dbat2l  0x21D     Data BAT Register 2 (lower)
spr   dbat3u  0x21E     Data BAT Register 3 (upper)
spr   dbat3l  0x21F     Data BAT Register 3 (lower)
spr   ibat4u  0x230     Instruction BAT Register 4 (upper)
spr   ibat4l  0x231     Instruction BAT Register 4 (lower)
spr   ibat5u  0x232     Instruction BAT Register 5 (upper)
spr   ibat5l  0x233     Instruction BAT Register 5 (lower)
spr   ibat6u  0x234     Instruction BAT Register 6 (upper)
spr   ibat6l  0x235     Instruction BAT Register 6 (lower)
spr   ibat7u  0x236     Instruction BAT Register 7 (upper)
spr   ibat7l  0x237     Instruction BAT Register 7 (lower)
spr   dbat4u  0x238     Data BAT Register 4 (upper)
spr   dbat4l  0x239     Data BAT Register 4 (lower)
spr   dbat5u  0x23A     Data BAT Register 5 (upper)
spr   dbat5l  0x23B     Data BAT Register 5 (lower)
spr   dbat6u  0x23C     Data BAT Register 6 (upper)
spr   dbat6l  0x23D     Data BAT Register 6 (lower)
spr   dbat7u  0x23E     Data BAT Register 7 (upper)
spr   dbat7l  0x23F     Data BAT Register 7 (lower)
spr   ugqr0   0x380     User-Mode Graphics Quantization Register 0
spr   ugqr1   0x381     User-Mode Graphics Quantization Register 1
spr   ugqr2   0x382     User-Mode Graphics Quantization Register 2
spr   ugqr3   0x383     User-Mode Graphics Quantization Register 3
spr   ugqr4   0x384     User-Mode Graphics Quantization Register 4
spr   ugqr5   0x385     User-Mode Graphics Quantization Register 5
spr   ugqr6   0x386     User-Mode Graphics Quantization Register 6
spr   ugqr7   0x387     User-Mode Graphics Quantization Register 7
spr   uhid2   0x388     User-Mode Hardware Implementation-Dependent Register 2
spr   uwpar   0x389     User-Mode Write Pipe Address Register
spr   udmau   0x38A     User-Mode Direct Memory Access Register (upper)
spr   udmal   0x38B     User-Mode Direct Memory Access Register (lower)
spr   gqr0    0x390     Graphics Quantization Register 0
spr   gqr1    0x391     Graphics Quantization Register 1
spr   gqr2    0x392     Graphics Quantization Register 2
spr   gqr3    0x393     Graphics Quantization Register 3
spr   gqr4    0x394     Graphics Quantization Register 4
spr   gqr5    0x395     Graphics Quantization Register 5
spr   gqr6    0x396     Graphics Quantization Register 6
spr   gqr7    0x397     Graphics Quantization Register 7
spr   hid2    0x398     Hardware Implementation-Dependent Register 2
spr   wpar    0x399     Write Pipe Address Register
spr   dma_u   0x39A     Direct Memory Access Register (upper)
spr   dma_l   0x39B     Direct Memory Access Register (lower)
spr   ummcr0  0x3A8     User-Mode Monitor Mode Control Register 0
spr   upmc1   0x3A9     User-Mode Performance-Monitor Counter Register 1
spr   upmc2   0x3AA     User-Mode Performance-Monitor Counter Register 2
spr   usia    0x3AB     User-Mode Sampled Instruction Address Register
spr   ummcr1  0x3AC     User-Mode Monitor Mode Control Register 1
spr   upmc3   0x3AD     User-Mode Performance-Monitor Counter Register 3
spr   upmc4   0x3AE     User-Mode Performance-Monitor Counter Register 4
spr   hid5    0x3B0     Hardware Implementation-Dependent Register 5
spr   pcsr    0x3B2
spr   scr     0x3B3
spr   car     0x3B4     Cache Address Register
spr   bcr     0x3B5
spr   wpsar   0x3B6
spr   mmcr0   0x3B8     Monitor Mode Control Register 0
spr   pmc1    0x3B9     Performance-Monitor Counter Register 1
spr   pmc2    0x3BA     Performance-Monitor Counter Register 2
spr   sia     0x3BB     Sampled Instruction Address Register
spr   mmcr1   0x3BC     Monitor Mode Control Register 1
spr   pmc3    0x3BD     Performance-Monitor Counter Register 3
spr   pmc4    0x3BE     Performance-Monitor Counter Register 4
spr   dcate   0x3D0
spr   dcatr   0x3D1
spr   dmatl0  0x3D8
spr   dmatu0  0x3D9
spr   dmatr0  0x3DA
spr   dmatl1  0x3DB
spr   dmatu1  0x3DC
spr   dmatr1  0x3DD
spr   pir     0x3EF     Processor ID Register
spr   hid0    0x3F0     Hardware Implementation-Dependent Register 0
spr   hid1    0x3F1     Hardware Implementation-Dependent Register 1
spr   iabr    0x3F2     Instruction Address Breakpoint Register
spr   hid4    0x3F3     Hardware Implementation-Dependent Register 4
spr   tdcl    0x3F4     Thermal Diode Calibration Register (Low?)
spr   dabr    0x3F5     Data Address Breakpoint Register
spr   l2cr    0x3F9     L2 Cache Control Register
spr   tdch    0x3FA     Thermal Diode Calibration Register (High?)
spr   ictc    0x3FB     Instruction Cache Throttling Control Register
spr   thrm1   0x3FC     Thermal Management Register 1
spr   thrm2   0x3FD     Thermal Management Register 2
spr   thrm3   0x3FE     Thermal Management Register 3
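The post describes the in-memory layout of the coreinit table the list was recovered from: repeated pairs of a 4-byte SPR number and a 4-byte pointer to the register name, starting at 0x10013328 in 5.5.1. The following is an added example, not the poster's tool or any project's code: it reads a table in that layout out of a raw memory dump and emits lines in the same `spr name number` format as the ppc.cfg block above, so the cfg can be regenerated or cross-checked against a different OS version. The dump, its base address, the entry count and the name pointers are all constructed here; only the table address and the pair layout come from the post, and the post does not say how the table is terminated, so an explicit count is assumed.

```python
"""Parse a coreinit SPR name table from a memory dump into ppc.cfg lines.

Added example, not the thread's own tool. Layout per the post above: at the
table address, repeated { u32 spr_number; u32 name_pointer } entries,
big-endian, each pointer naming a NUL-terminated string. The entry count
and the dump contents below are constructed.
"""
import struct

ENTRY = struct.Struct(">II")     # spr number, virtual address of the name


def read_cstring(dump: bytes, offset: int) -> str:
    """Read a NUL-terminated ASCII string starting at offset."""
    end = dump.index(b"\x00", offset)
    return dump[offset:end].decode("ascii")


def parse_spr_table(dump: bytes, dump_base: int, table_addr: int, count: int):
    """Return [(spr_number, name), ...] for `count` table entries.
    Pointers in the table are virtual addresses; dump_base maps them to
    dump offsets. A pointer outside the dump is rejected rather than
    read past the buffer."""
    entries = []
    off = table_addr - dump_base
    for _ in range(count):
        num, name_ptr = ENTRY.unpack_from(dump, off)
        if not (dump_base <= name_ptr < dump_base + len(dump)):
            raise ValueError(f"name pointer {name_ptr:#x} outside dump")
        entries.append((num, read_cstring(dump, name_ptr - dump_base)))
        off += ENTRY.size
    return entries


def to_ppc_cfg(entries) -> str:
    """Format entries like the ppc.cfg block in the post (`spr   name   num`).
    Numbers below 32 are written in decimal and the rest in hex, as there."""
    lines = []
    for num, name in entries:
        shown = str(num) if num < 32 else f"0x{num:X}"
        lines.append(f"spr   {name:<7} {shown}")
    return "\n".join(lines)


def constructed_dump():
    """Build a small constructed dump: a 3-entry table at 0x10013328 (the
    address the post gives) followed by the name strings.
    Returns (dump, dump_base, table_addr, count)."""
    base = 0x10013000                      # assumed dump base address
    table_addr = 0x10013328
    names = [(1, b"xer"), (0x110, b"sprg0"), (0x3EF, b"pir")]
    # lay the strings out right after the table and remember their addresses
    cur = table_addr + ENTRY.size * len(names)
    blob, ptrs = b"", []
    for _, n in names:
        ptrs.append(cur)
        blob += n + b"\x00"
        cur += len(n) + 1
    table = b"".join(ENTRY.pack(num, p) for (num, _), p in zip(names, ptrs))
    dump = bytes(table_addr - base) + table + blob
    return dump, base, table_addr, len(names)


if __name__ == "__main__":
    dump, base, addr, n = constructed_dump()
    print(to_ppc_cfg(parse_spr_table(dump, base, addr, n)))
```

For a real dump, pass the file's bytes, the address it was dumped from, and the address the post gives (or the equivalent for another version), then diff the output against the cfg block to spot renamed or added registers.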
 

QuarkTheAwesome


Awesome stuff ;3
Finally got myself a copy of IDA, are there any essentials (other than this and the RPL loader) you'd recommend? I feel like it doesn't quite know what it's looking at yet.
 

NWPlayer123

I have a bunch of stuff added. I'd recommend PPC2C, but it doesn't cover all simplified instructions (for example, I spent the last while figuring out how tf clrlslwi works); you're better off getting IDAPython working. I plan to make a script some time to make it loads easier.
I also use IDASkins to make the GUI black and then use ida-consonance to change the text colour for an all-black layout, and I have findcrypt from http://www.hexblog.com/?p=28, which isn't particularly useful if there aren't any crypto algorithms, and I've also been using BinDiff, which Google released for free, to compare databases between OS versions: http://www.zynamics.com/bindiff.html
Other than that, it works fine; just make sure you're using an IDA version of something like 6.3+, since they added official opcode support for paired singles, which the GameCube, Wii, and Wii U use (and I see several chunks in the kernel that contain them); you can find it in Processor Options -> PS

~~~~~~~ General stuff ~~~~~~~
IDA likes doing stupid stuff to databases. If you're editing ppc.cfg with these registers, you need to put it at the very top, right before the .ppc section starts; putting it as the default still doesn't make it use it for databases, so if you close and reopen, it'll start using the first entry again until you go to Options -> General -> Analysis -> Processor specific options and change the device back to wiiu.

clrlslwi is clear left and shift left word immediate. If you have r12, r12, a, b (e.g. 30, 18), it clears bits 0 up to a, so it isolates the last 2 bits, then shifts left 18 bits.
They get the value from the pir special register for which core called the function (need 2 bits for core 2), then shift left 18 bits and add to 0xFFE04000 to get the kernel memory region for each core: 0xFFE04000, 0xFFE44000, or 0xFFE84000. Putting this here in case someone retraces my steps. clrlwi is just clear left, so clear bits 0 to a-1.

For a Python equivalent, r12 &= ((1 << (32 - 30)) - 1); r12 <<= 18, which shifts 1 left one more bit than we need, then subtracts 1 to get 1 bits on all the ones we want to keep, then ANDs to clear the other bits, then shifts left 18 and stores.
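The one-liner above is specific to the operands 30 and 18. As an added example, not code from the thread, the block below models the rlwinm (rotate left word immediate then AND with mask) instruction that clrlslwi and clrlwi are simplified forms of, so any operand pair a disassembler shows can be checked, and it applies that to the per-core kernel region computation the post describes. The mnemonic-to-rlwinm mappings (clrlslwi ra,rs,b,n = rlwinm ra,rs,n,b-n,31-n; clrlwi ra,rs,n = rlwinm ra,rs,0,n,31) follow the PowerPC simplified-mnemonic definitions; the `pir` values used below are constructed inputs, and 0xFFE04000 comes from the post.

```python
"""Model PowerPC rlwinm and its clrlslwi / clrlwi simplified mnemonics.

Added example, not from the thread. Generalises the post's one-line Python
equivalent for clrlslwi r12, r12, 30, 18 to the underlying rlwinm, then
reproduces the per-core kernel region computation the post describes.
"""

MASK32 = 0xFFFFFFFF


def rotl32(value: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    n &= 31
    value &= MASK32
    if n == 0:
        return value
    return ((value << n) | (value >> (32 - n))) & MASK32


def ppc_mask(mb: int, me: int) -> int:
    """Ones from bit mb through bit me in IBM numbering (bit 0 is the MSB).
    When mb > me the mask wraps around, as the PowerPC spec defines."""
    if mb <= me:
        return ((1 << (32 - mb)) - (1 << (31 - me))) & MASK32
    return (ppc_mask(mb, 31) | ppc_mask(0, me)) & MASK32


def rlwinm(rs: int, sh: int, mb: int, me: int) -> int:
    """rlwinm ra, rs, sh, mb, me: rotate rs left sh bits, AND with mask(mb, me)."""
    return rotl32(rs, sh) & ppc_mask(mb, me)


def clrlslwi(rs: int, b: int, n: int) -> int:
    """clrlslwi ra, rs, b, n == rlwinm ra, rs, n, b-n, 31-n (n <= b <= 31):
    clear the b leftmost bits, then shift left by n."""
    if not 0 <= n <= b <= 31:
        raise ValueError("require 0 <= n <= b <= 31")
    return rlwinm(rs, n, b - n, 31 - n)


def clrlwi(rs: int, n: int) -> int:
    """clrlwi ra, rs, n == rlwinm ra, rs, 0, n, 31: clear the n leftmost bits."""
    return rlwinm(rs, 0, n, 31)


def kernel_region_for_core(pir: int) -> int:
    """The sequence the post describes: clrlslwi r12, r12, 30, 18 on the
    core number read from pir, then add to 0xFFE04000."""
    return (0xFFE04000 + clrlslwi(pir, 30, 18)) & MASK32


def post_one_liner(r12: int) -> int:
    """The post's own Python equivalent, kept here for cross-checking."""
    r12 &= ((1 << (32 - 30)) - 1)
    r12 <<= 18
    return r12


if __name__ == "__main__":
    for core in range(3):   # constructed pir values for cores 0..2
        print(f"core {core}: {kernel_region_for_core(core):#010x}")
```

Because clrlslwi only keeps the low two bits before shifting, any pir value with the same low bits maps to the same region; the cross-check against the post's one-liner in the tests confirms the rlwinm model agrees with it.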
 

QuarkTheAwesome

Back on the topic of memory, I've managed to adapt FIX94's "heapcreate" project from libwiiu to work on 5.5, and it allocates me a nice 168MB. Not quite 411MB, I know, but it's a huge improvement on what we had before. It seems that the browser opts to allocate a ton of small heaps rather than one big one. Kinda annoying...

I'm now working on getting that code into a workable state (it's kind of a mess) and looking into cleaning up the bucket memory (0xE - 0xE4, currently 3KB allocatable; I know we can do better than that).

I'm also struggling with GX2SetTVBuffer, which doesn't seem to like either userspace or MEM2. I bloody hope it's a MEM2 issue ;3
 
