Hacking Wii U Hacking & Homebrew Discussion

JaceCearK1

Not to spoil your fun but you can just download the title that has all the .rpls from NUS, including coreinit.rpl ( 00050010-1000400A ).
And with that IDA plugin for RPX/IPLs you can load it with symbols and everything.
But the system has to call these functions as well so I assume the system RPLs are installed in the Wii U!?
(accessible at the offset @NWPlayer123 wrote a little above?)
 

SWS90

I was hoping to try out the browser exploit, but as soon as my WiiU booted up, I was forced to update to 5.4.0. :/
Is there an ETA for the 5.4.0 browser exploit?
 

daxtsu

Out of curiosity, is the GX2 example supposed to print NULL (i.e. 0x00000000)? I know the code says it's supposed to print the address of the framebuffer, but it sounds like it doesn't quite work on my Wii U, sadly.
 

Marionumber1

Either I reverse-engineered gx2.rpl wrong or they don't set up a framebuffer.
 

Adr990

Good to see some messing around, thanks to the exploit, already.

To get everyone who's down about stability issues back up and happy, I've added bubbles to wiiulib.arndroid.nl, whoop. :P
Of course, these bubbles are based upon the HBC on the Wii. I tried to include the same variety of bubbles as we have on the Wii HBC, but without images, and being light-weight enough for the WiiU's browser.

Also, I made the WiiU page accessible via PC now. So it's easier to figure out what's wrong via the PC. (CTRL+U/Inspect element stuff for structure issues, by others, if there are any?)
And so there is no more need for crappy pictures, haha.

From the other thread it seems the exploits are generally more unstable from a remote host. But doing: "Delete cookies, Close and re-open the browser, have only one opened tab." seems to improve your chances.
 

DarkKaine

Alright, I got some code to boot that I had my head scratching over for the past hours.
What I did:

1) Open the Internet Browser.
2) Edit a bookmark to your exploit URL.
3) Visit a couple websites in 3 different tabs. (I used IGN, YouTube and N4G, not like it matters)
4) Open a 4th tab, but don't visit any website.
5) Power off your Wii U normally.
6) Boot your Wii U back up and open the Internet Browser.
7) Hit the bookmark and pray.

Edit: To make sure it wasn't just a fluke I attempted to run the same code multiple times and it seems very consistent now.
 

AlexeySinitsyn

This helps. Actually I think "5) Power off your Wii U normally." does the thing. After that, both crediar's and NWPlayer123's examples work every time.
 

daxtsu

Anything related to graphics or anything that uses recv()

I actually got some graphics-esque stuff to work (e.g. clearing the framebuffer to white), using commit 85176959030cccf3c8cfadd20901952832d57fb9.

Using the osscreen template as a beginning template, I removed the thread count/waiting stuff since that seems to freeze the console. It hangs after entering the entryPoint though, no clue where.

Code:
#include "loader.h"

void _start()
{
    /****************************>            Fix Stack            <****************************/
    //Load a good stack
    asm(
        "lis %r1, 0x1ab5 ;"
        "ori %r1, %r1, 0xd138 ;"
        );
    /****************************>           Get Handles           <****************************/
    //Get a handle to coreinit.rpl
    unsigned int coreinit_handle;
    OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
    /****************************>       External Prototypes       <****************************/
    //OSScreen functions
    void(*OSScreenInit)();
    unsigned int(*OSScreenGetBufferSizeEx)(unsigned int bufferNum);
    unsigned int(*OSScreenSetBufferEx)(unsigned int bufferNum, void * addr);
    //OS Thread functions
    long(*OSCheckActiveThreads)();
    //Misc OS functions
    void(*OSRestartGame)();
    //OS Memory functions
    void(*DCFlushRange)(void *buffer, uint32_t length);
    /****************************>             Exports             <****************************/
    //OSScreen functions
    OSDynLoad_FindExport(coreinit_handle, 0, "OSScreenInit", &OSScreenInit);
    OSDynLoad_FindExport(coreinit_handle, 0, "OSScreenGetBufferSizeEx", &OSScreenGetBufferSizeEx);
    OSDynLoad_FindExport(coreinit_handle, 0, "OSScreenSetBufferEx", &OSScreenSetBufferEx);
    //OSThread functions
    OSDynLoad_FindExport(coreinit_handle, 0, "OSCheckActiveThreads", &OSCheckActiveThreads);
    //Misc OS functions
    OSDynLoad_FindExport(coreinit_handle, 0, "OSRestartGame", &OSRestartGame);
    //OS Memory functions
    OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
    /****************************>          Initial Setup          <****************************/
    //Restart the web browser. This stops active threads for browser. Browser GUI thread runs on CPU0.
    OSRestartGame();

    //Call the Screen initialization function.
    OSScreenInit();
    //Grab the buffer size for each screen (TV and gamepad)
    int buf0_size = OSScreenGetBufferSizeEx(0);
    int buf1_size = OSScreenGetBufferSizeEx(1);
    //Set the buffer area.
    OSScreenSetBufferEx(0, (void *)0xF4000000);
    OSScreenSetBufferEx(1, (void *)(0xF4000000 + buf0_size));
    //Clear both framebuffers.
    int ii;
    for (ii = 0; ii < 2; ii++)
    {
        fillScreen(255,255,255,255);
        flipBuffers();
    }
    //Jump to entry point.
    _entryPoint();
}

Edit: It's not very consistent though... a race condition maybe, since I'm not cleaning up the browser? The helloworld works for me every time, for example.
 