Hacking Wii U Hacking & Homebrew Discussion

[Onion_Knight]

Anyone know what the high and low order memory ranges are inside the userspace of the browser?

 

[NWPlayer123]

https://dl.dropboxusercontent.com/u/56043942/RandomPics/ProductionWiiUMemoryRange.png
From the Cafe SDK itself.

 

[Relys]

https://dl.dropboxusercontent.com/u/56043942/RandomPics/ProductionWiiUMemoryRange.png
From the Cafe SDK itself.

The browser ends at something like 0x27800000

0x0200000-0x1000000 is browser code range.

0x10000000-0x27800000 is browser data range

There is an area of the RAM (0xE0000000-0xE4000000) that is shared between all programs and appears to be used for communication with hardware devices such as the graphics card. I noticed that while the game is running, an RGBA32 copy of the screen buffer existed in this area (plus a separate copy for the gamepad). I also noticed that 16bit PCM audio data existed in this area, which when I decoded was the opening sound effects of MK8 (at 0xE2C00000). This is not the file format used on the disk, this is clearly the decoded data that is being sent to the audio interface and out to the speakers. I have no idea if this is always true, or if all the games sound is stored there, but I suspect so. If all you want to do is rip the audio, then this may be a good line of investigation.

0xE0000000-0xE4000000 is shared memory space. Look for framebuffer here if you want to write stuff to the screen.

EDIT: Looking at the picture above it might be 0xE0000000-0xF4000000.

 

[TheLoneWolfe]

So I've been exploring the VPAD library a bit today, and I had a question: the hex values for all the individual buttons are in the SDK, in "vpadbase.h" but can anyone tell me how to go about detecting multiple buttons being held at the same time, save for going and writing in the unique hex values for every possible button combination? Doing that would obviously be incredibly tedious and I'd like to avoid it if at all possible, haha.

 

[Marionumber1]

So I've been exploring the VPAD library a bit today, and I had a question: the hex values for all the individual buttons are in the SDK, in "vpadbase.h" but can anyone tell me how to go about detecting multiple buttons being held at the same time, save for going and writing in the unique hex values for every possible button combination? Doing that would obviously be incredibly tedious and I'd like to avoid it if at all possible, haha.

Each button value is a power of 2, and the value given to you by VPADRead() is a bitwise-or of each present value, so you can use two bitmasks, one for each button.

 

[filfat]

So, the http://wiiu-hb.com/ needs to be updated, right?

i will update the site in the next coming days, im currently out of town XD

 

[TeamScriptKiddies]

i will update the site in the next coming days, im currently out of town XD

You're Alive!!!!!!!!!

 

[Goku Junior]

i will update the site in the next coming days, im currently out of town XD

OK, thanks for that! currently NWplayer123 has compiled and it works fine with 5.0.0!

 

[WulfyStylez]

You guys have a crapton of undocumented stuff in rpc.py, plan on adding that to the documentation eventually?

 

[Onion_Knight]

You guys have a crapton of undocumented stuff in rpc.py, plan on adding that to the documentation eventually?

All the .rpls are in the SDK along with their associated functions and parameters. The documentation there is very good.

 

[WulfyStylez]

All the .rpls are in the SDK along with their associated functions and parameters. The documentation there is very good.

Not what I meant. I was referring to stuff like dma_copy_mem_and_read and get_logs that aren't documented but work in rpc.py.

 

[cherryduck]

Just out of interest, the try.c source file in the web exploit, what is that? Because "Relys_Wii_U_4.1_Kernel_Exploit_Version_0.2.c" would appear to suggest a kernel exploit but we'd have heard about that by now if it were!

 

[WulfyStylez]

Marionumber1 Relys You guys should put some sorta brief synopsis of the kernel exploit somewhere, even if it's just the pseudocode you guys are basing it off of with a few comments.
Kinda hard to follow for the completely uninformed.

 

[Marionumber1]

Marionumber1 Relys You guys should put some sorta brief synopsis of the kernel exploit somewhere, even if it's just the pseudocode you guys are basing it off of with a few comments.
Kinda hard to follow for the completely uninformed.

Well, it was an attempt that sadly didn't go anywhere.

 

[WulfyStylez]

Well, it was an attempt that sadly didn't go anywhere.

As in your exploit doesn't work, or your implementation doesn't?

 

[the_randomizer]

Well, it was an attempt that sadly didn't go anywhere.

Oh man..I'm so sorry That has to be frustrating...

 

[Marionumber1]

As in your exploit doesn't work, or your implementation doesn't?

The exploit.

 

[the_randomizer]

The exploit.

Ugh...that..sucks....damn... What happens now?


Edit: Addendum, I have since been corrected regarding the matter.

 

[Kargaroc]

I assume the exploit never worked at all?
If yes, time to find another exploit.

How would've it worked?

 

[Marionumber1]

Ugh...that..sucks....damn... What happens now?

Uh, it's not like we have no way to do a kernel exploit now. It was one idea that Relys and I were trying.