Hacking What is stopping us from hacking into the ISOU using the Kernel exploit?

Goopyjoe

Member
OP
Newcomer
Joined
Jun 17, 2016
Messages
14
Trophies
0
Age
27
XP
79
Country
United States
Just a quick explanation of the whole PPC=/=IOSU thing for the uninformed among us. This is heavily oversimplified.

In essence, the Wii U has two processors (well, technically three but the third one is boring and has to do with emulating a specific, obscure bit of the vWii). Anyway! Two processors - The PowerPC (what we can run code on using browserhax/take full control of with kernel) and the ARM (IOSU). These are completely separate entities, but they can communicate. This isn't like the Wii, however - the IOSU watches the PowerPC like a hawk and halts the system if the code falls out of line. This is done through a permissions system - The IOSU "knows" what app is running (Mii Maker, Internet Browser, retail disc etc.) and changes the conditions appropriately. For example, the Internet Browser has limited memory, so if we try to use memory that the Internet Browser can't use under browserhax the IOSU rather firmly stops that. Loadiine works by loading Mii Maker and quietly replacing it with a game. The IOSU still thinks Mii Maker is running (and applies limits as such - No USB, limited internet etc) while the PowerPC is actually running something completely different.
The point of all this is that while we can fool the IOSU, there's no simple way to modify it. Mii Maker will never need to fiddle with system settings or poke around the system's boot code, so the IOSU doesn't allow it. Since most homebrew runs under Mii Maker now, these restrictions apply to us as well. (And no, there isn't another app we can inject into to get around this. Someone public would have figured it out by now.)
There's another thing worth noting: Yes, the PowerPC can directly communicate with the IOSU (IPCK_ functions for all you aspiring developers). In fact, we even got a nice example of such communication straight from MN1 himself (Link). However, this does not immediately give us full access - Communication is not control. I can communicate with one of Google's servers, but I can't take control of it. The server decides which of my instructions it obeys or denies based on my access rights. The same principle applies to the IOSU - It decides whether it follows my commands based on which app I am (Mii Maker most of the time).

So to answer the OP, the IOSU is stopping us from hacking the IOSU. Even though we have full control of the PowerPC via the kernel, the IOSU still expects it to stay within certain boundaries and any attempts to get out of them (modifying the IOSU for instance) are quickly stopped.

What do we need then? Simply put, we need an exploit which appears normal enough to the IOSU right up until we take control of it. Whether that means covertly doing stuff it doesn't notice or abusing existing, perfectly normal functions, I don't know. It may even involve something unimaginable right now (Say what you will about the more infamous devs, but there's no denying that abusing the graphics card (!) to write to protected memory to replace a syscall with one that allows unrestricted PowerPC code is absolute genius).

If you're up for it, grab yourself a copy of fw.img from the NUS and the files that will literally tell you everything about it (Link). If you show interest, you'll soon find out about the place where the progress is being made (not GBATemp!) and hopefully we can all move towards getting a public exploit out there. There are a few awesome people working on this and they'd be damn happy to have another person on the team (You know who you are, we really appreciate all your work and the time you've sacrificed towards this!).

Wow, this turned out waaay longer than I was hoping... Hope you guys don't mind! I'm open to questions - I don't bite ;3

Thank you for writing this :P
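The permission model the quoted explanation describes (the IOSU knows which title it launched, grants that title a fixed set of capabilities and memory, and evaluates every IPC request against that identity rather than against whatever the PowerPC is really running) can be pictured as a small broker. The following is an added toy model written for this page; it is not code from the thread, from the IOSU, or from any Wii U homebrew project. Title names, capability names, address ranges and the "halt on bad memory access" behaviour are constructed placeholders that follow the post's description, not real firmware data.

```python
from dataclasses import dataclass, field

# Constructed policy table: what the IOSU side believes each PowerPC title
# may do.  Capability names and address ranges are placeholders.
POLICY = {
    "internet_browser": {"caps": {"net"},
                         "mem": [(0x10000000, 0x18000000)]},
    "mii_maker":        {"caps": {"net_limited"},
                         "mem": [(0x10000000, 0x20000000)]},
    "system_settings":  {"caps": {"net", "usb", "sysconfig"},
                         "mem": [(0x10000000, 0x20000000)]},
}

ALLOWED, DENIED, HALTED = "allowed", "denied", "halted"


@dataclass
class IOSUModel:
    """Broker side of the IPC channel.  The subject of every check is the
    title IOSU itself launched; nothing the PowerPC sends can change that."""
    current_title: str
    halted: bool = False
    audit: list = field(default_factory=list)

    def _log(self, verdict, kind, arg, claimed):
        # Audit record: (who IOSU thinks is running, who the PPC claims to be,
        # request kind, argument, verdict).
        self.audit.append((self.current_title, claimed, kind, arg, verdict))
        return verdict

    def ipc(self, kind, arg, claimed_title=None):
        """Handle one request from the PowerPC.  `claimed_title` models a
        Loadiine-style swap: the PPC is really running something else, but
        the policy is still looked up under `current_title`."""
        if self.halted:
            return self._log(HALTED, kind, arg, claimed_title)
        rules = POLICY.get(self.current_title, {"caps": set(), "mem": []})
        if kind == "mem":
            # Out-of-bounds memory use is the case the post says IOSU stops
            # "rather firmly": the model halts rather than merely refusing.
            if any(lo <= arg < hi for lo, hi in rules["mem"]):
                return self._log(ALLOWED, kind, arg, claimed_title)
            self.halted = True
            return self._log(HALTED, kind, arg, claimed_title)
        if kind == "cap":
            # Unlisted capability: the call is refused, the system keeps running.
            verdict = ALLOWED if arg in rules["caps"] else DENIED
            return self._log(verdict, kind, arg, claimed_title)
        # Unknown request kinds are denied by default.
        return self._log(DENIED, kind, arg, claimed_title)


def browser_scenario():
    """browserhax: PPC code runs under the Internet Browser's limits."""
    iosu = IOSUModel("internet_browser")
    in_range = iosu.ipc("mem", 0x17FF0000)        # inside the browser's window
    out_of_range = iosu.ipc("mem", 0x1C000000)    # beyond it: IOSU halts
    after_halt = iosu.ipc("cap", "net")           # nothing works once halted
    return in_range, out_of_range, after_halt


def loadiine_scenario():
    """Loadiine: IOSU launched Mii Maker; the PPC is really running a game.
    Whatever the PPC claims to be, Mii Maker's limits still apply."""
    iosu = IOSUModel("mii_maker")
    usb = iosu.ipc("cap", "usb", claimed_title="some_game")
    sysconfig = iosu.ipc("cap", "sysconfig", claimed_title="system_settings")
    mem = iosu.ipc("mem", 0x1C000000, claimed_title="some_game")
    return usb, sysconfig, mem, iosu.halted


if __name__ == "__main__":
    print("browser :", browser_scenario())
    print("loadiine:", loadiine_scenario())
```

The two scenarios make the post's two points concrete: a request outside the launched title's memory window halts the model outright, and a request for a capability that title was never granted is simply refused, no matter which title the PowerPC side claims to be. The `claimed_title` argument is never consulted for the decision; it is only recorded in the audit trail, which is exactly why "communication is not control".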
 

Psi-hate

GBATemp's Official Psi-Hater
Member
Joined
Dec 14, 2014
Messages
1,750
Trophies
1
XP
3,439
Country
United States
Jesus, it's not like it's unprecedented. I mean the 3DS Userland exploit allowed you to downgrade your entire firmware!
... No you can't? The only way to downgrade/install legit cia files is to call the am:u service to get the ability to do so. There is literally no way to do that without arm11 kernel. If you're talking about snshax then that's an entirely different concept.
 

Swiftloke

Hwaaaa!
Member
Joined
Jan 26, 2015
Messages
1,772
Trophies
1
Location
Nowhere
XP
1,508
Country
United States
Jesus this is the cringe, can someone lock the thread?
Just a quick explanation of the whole PPC=/=IOSU thing for the uninformed among us. This is heavily oversimplified. (...)
Except for that, I mean WOW.
That post really helped my understanding of the Wii U. I knew the basics, but you gave me a much more detailed description, and I really appreciate that, as I'm primarily on the 3DS scene (and have the matching knowledge). So thanks!
 
Reactions: QuarkTheAwesome

EstPC13

Well-Known Member
Member
Joined
Jan 3, 2016
Messages
415
Trophies
0
Location
In your mind
XP
322
Country
Dominican Republic
Just a quick explanation of the whole PPC=/=IOSU thing for the uninformed among us. This is heavily oversimplified. (...)
@fiveighteen, @NWPlayer123, do you mind putting this in your respective stickies? It would really help.
 
Reactions: fiveighteen

Deleted User

Guest
"What is stopping blah blah blah ISOU exploit"

No, we can't get into the ISOU (us normies at least) until they release an exploit for it.
 
