Using the Wii U RPC Client

Discussion in 'Wii U - Hacking & Backup Loaders' started by NWPlayer123, Aug 6, 2014.

  1. NWPlayer123
    OP

    NWPlayer123 GBAtemp Addict

    Member
    2,632
    6,233
    Feb 17, 2012
    United States
    The Everfree Forest
    Gonna make this now so it's out there.
    Q: How does this work?
    A: So basically, you're using your router as a gateway between your Wii U and computer. You specify what local address (IE 192.168.0.5) your Wii U should look for a connection for, and then your client accepts it and you're able to run stuff with it remotely.

    Requirements: Cygwin (default packages), XAMPP, devkitPPC, Python 3.x.

    Okay, so, here's how I did my setup.
    1) Open up a command prompt and type in "ipconfig -all" and hit enter. Since I'm tethered to my router with an ethernet cable, mine's under Ethernet Adapter Ethernet, or yours might say something about Wireless. You're looking for the IPv4 address (for this example mine's assigned 192.168.0.28).

    2) Go to this website and convert that address to hex

    3) If you haven't already, download the repo here. Then open up src/socket.h in any text editor and change the line for #define PC_IP with the address you just converted.

    4) Time to compile it. Open up Cygwin (since I'm using Windows) and navigate to the location (IE cd /cygdrive/d/ApplicationData/WiiUBuild) and then run ./build.sh rpc.c 510 (or whatever your version is) and it'll make a file called test500.html (or whatever your version is) in the same folder as the script. You want to copy that to (I just use XAMPP, so C:/xampp/htdocs) and also frame.html from that same folder.

    5) Then boot up the XAMPP control panel and let Apache start up. (For whatever reason port 80 is being used, so if you get an error, open up the command prompt as an admin and run "net stop was /y".)

    6) Open up rpc.py in IDLE (Python's built-in text editor) and go to run > run module. (I added a line to print "listening" so I know it's working; before you do this just scroll down to __init__.)
    Code:
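    def __init__(self):
        # TCP socket the console connects back to
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.data = []
        print("listening")  # added line: confirms the script got this far
        # '0.0.0.0' listens on every network interface of the PC, port 12345
        self.listen('0.0.0.0', 12345)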
    7) Boot up your Wii U and go into the Web Browser. Then go to the IP you had in the first step (IE 192.168.0.28). If you get an access denied error from xampp, then it's all working and connecting correctly. Then open up yourIP/test500.html (IE 192.168.0.28/test500.html) and if everything's working correctly it should print ("Connected by", someIPaddress). Then you can use that new window from IDLE to run all your commands. Example picture.
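Steps 2, 3 and 6 above, as an added example that is not part of the original post or of the repo's rpc.py: it derives the PC_IP value from the dotted address and shows a listener bound to a single interface that drops unexpected peers, instead of listening on 0.0.0.0. The 32-bit hex-literal form of PC_IP, the helper names and the allowed-peer check are assumptions; the demo at the bottom runs over loopback.

```python
import ipaddress
import socket

def pc_ip_macro(addr: str) -> str:
    """Build the socket.h line for a LAN IPv4 address.

    Assumption: PC_IP is a 32-bit hex literal in network byte order.
    """
    ip = ipaddress.IPv4Address(addr)  # ValueError on malformed input
    if not ip.is_private or ip.is_loopback:
        raise ValueError(f"{addr} is not a LAN address")
    return "#define PC_IP 0x%08X" % int(ip)

def make_listener(bind_ip: str, port: int) -> socket.socket:
    """Listen on one interface only, rather than on all of them ('0.0.0.0')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(1)
    return srv

def accept_from(srv: socket.socket, allowed_peers: set):
    """Accept one connection; close it unless the peer IP is expected.

    Returns (connection or None, peer_ip) so rejected peers can be logged.
    """
    conn, (peer_ip, _peer_port) = srv.accept()
    if peer_ip not in allowed_peers:
        conn.close()
        return None, peer_ip
    return conn, peer_ip

if __name__ == "__main__":
    # 192.168.0.28 is the PC address used in the post.
    print(pc_ip_macro("192.168.0.28"))

    # Constructed loopback demo: port 0 lets the OS pick a free port.
    # On the real setup, bind to the PC's LAN address and port 12345, and
    # allow only the console's address.
    srv = make_listener("127.0.0.1", 0)
    client = socket.create_connection(srv.getsockname())
    conn, peer = accept_from(srv, {"127.0.0.1"})
    print("Connected by", peer, "accepted" if conn else "rejected")
    for s in (client, conn, srv):
        if s:
            s.close()
```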
     
  2. FusionGamer

    FusionGamer GBAtemp Advanced Fan

    Member
    507
    367
    Jul 12, 2014
    United States
    Woah, when did this happen?

    We can presumably dump game files with this?

    Also, Chrome reports that the repo is a virus.
     
  3. NWPlayer123
    Presumably, if you have a kernel exploit to disable the memory protection for anything not allocated to the browser :P
     
    TeamScriptKiddies likes this.
  4. FusionGamer


    Damn. Still gonna mod my Wii U though and wait it out for that kernel exploit. Also, what's that "MarioKart8-1.bin" file?

    Edit: Crap. Just when I thought any homebrew stuff wasn't going to be released, my Wii U auto-updated itself to 5.1.1 today. Next time I tell myself to block updates, I should actually do it. I am thankful this ain't Chadderz exploit though :)
     
  5. NWPlayer123
    That's just a dump file for the data of the memory for that frame data chadderz found (I was doing some testing on it, see this post for more details)
     
  6. FusionGamer


    Thanks for the link.

    Looks like title screens are now bin files. That's quite an interesting change.
     
  7. NWPlayer123
    Nah, my theory is that it's a screenshot for use in the browser when pressing X (I found out that hint earlier today). First we thought it was a framebuffer but it doesn't have the right properties to be a buffer, so it's probably an aforementioned screenshot. And they're not necessarily bin files, that's just what I saved it as (bin for binary data).
     
  8. FusionGamer


    Neat information. That's probably it too.
     
  9. ibooN

    ibooN Newbie

    Newcomer
    9
    4
    Aug 2, 2014
    Access denied and I am running cygwin64 terminal as administrator.
    And it made the test500.html empty (0 KB) in the repository, when I did this.

    Also converted my IP to hex and put it in src/socket.h under the #define PC_IP, but I don't think it is really necessary to this problem.

    Please tell me if I am doing something completely wrong. :)
     
  10. NWPlayer123
    Looks like it doesn't like the first line in that Python file (generate_html.py). Two things: one, are you able to run RPC.py from IDLE? And two: how did you install Python/what version?
     
  11. Marionumber1

    Marionumber1 GBAtemp Maniac

    Member
    1,234
    3,933
    Nov 7, 2010
    United States
    You need to have your Python directory in the PATH environment variable for the build script to work.
     
    TeamScriptKiddies likes this.
  12. BullyWiiPlaza

    BullyWiiPlaza Nintendo Hacking <3

    Member
    1,794
    1,462
    Aug 2, 2014
    Germany
    Same issue and solutions:
    http://gbatemp.net/threads/how-to-setup-a-web-browser-exploit-site.369582/
     
    TeamScriptKiddies likes this.
  13. ibooN

    Now when I go to my address 192.168.0.12/browserexploit/index.html on the Wii U gamepad, it loads my webpage fine and after some time, it says "Error connecting to RPC server" and my Python 2.7.8 Shell is empty on the PC. I included some pictures below in the spoilers.

    test500.html is just renamed to index.html
     
  14. WulfyStylez

    WulfyStylez SALT/Bemani Princess

    Member
    1,149
    2,609
    Nov 3, 2013
    United States
    Sooo many compile errors! You should only have the one from devkitpro about the entry point.

    Actually it looks like you typed a w at the beginning of socket.h. Go backspace that and try compiling again?
     
    TeamScriptKiddies likes this.
  15. ibooN


    Thank you for pointing out that error. I feel very dumb now for not noticing that, but I finally got it working by installing the 64-bit version of Python 2.7.8.
     
  16. BullyWiiPlaza

    My python shell won't react once it's supposed to connect to the Wii U.

    Here are my steps including pictures for you to follow and possibly find out the cause.
    It shows the white box but nothing else happens. The python console prints nothing.
     
  17. WulfyStylez

    Didn't you say you were on 5.0.0? Because you built for 5.1.0.
     
    TeamScriptKiddies likes this.
  18. Marionumber1


    5.0.0 and 5.1.0's ROP chains are exactly the same.
     
    TeamScriptKiddies and filfat like this.
  19. BullyWiiPlaza

    Good point but building with the 500 argument doesn't change anything.
     
    TeamScriptKiddies likes this.
  20. ibooN

    Did you try to run XAMPP as administrator? It even says in XAMPP that it can have some problem with the network or something, and mine didn't work earlier as well, but then I just ran XAMPP as administrator and it worked. :)

    That's the only thing left I could see would work, if you are not already running it as administrator ofc.
     
    TeamScriptKiddies likes this.