Hacking Wii U Hacking & Homebrew Discussion

[ryuutseku85]

We don't need a lot of user , we need some user who want to learn how to make homebrew , exploit , and want to learn how the system work .
Actually I got some time to look into the fw.img and my head gonna explode ( I am learning ) , those things need time and a lot lot lot of patience , but I think if more users try to understand what they can , we can make it , we don't especially need a exploit bis or the iosu right now , we have userland access and it's stable , wait the time that it's necessary won't kill anybody . So stop crying and go coding please .

 

[catgroove62913]

It's been forever since I looked back at this thread. What achievements have you all done so far, because there's no way in hell that I'm going back over 500 pages.

 

[iAqua]

It's been forever since I looked back at this thread. What achievements have you all done so far, because there's no way in hell that I'm going back over 500 pages.

Uhh.... Hykem is gonna release his exploit with emuNand etc.

 

[Datalogger]

We don't need a lot of user , we need some user who want to learn how to make homebrew , exploit , and want to learn how the system work .
Actually I got some time to look into the fw.img and my head gonna explode ( I am learning ) , those things need time and a lot lot lot of patience , but I think if more users try to understand what they can , we can make it , we don't especially need a exploit bis or the iosu right now , we have userland access and it's stable , wait the time that it's necessary won't kill anybody . So stop crying and go coding please .

If you are seriously interested in learning how BOOT1/BOOT0, the FW.IMG's KERNEL and other modules work there needs to be a place to openly discuss it and share progress without interruptions.

It looks confusing as you learn, but having a serious "Kid Free" place so someone can teach you what we are looking for would help.
Unfortunately, as I have already discovered, this is not it.


I have a fully decoded and cross-linked IDA Pro 6.8 database of 15702 (FW 5.5.1) and would be more than willing to share progress with others that are taking to task labeling the more than 35,000 functions. (well, labeling the ones that are important to CFW anyways)


Example: Here's the function in IOS_MCP(D_R) to process the boots.
Ref: D_R = debug and recovery mode

Spoiler

               CMP             R0, #0
IOS_MCP(D_R):0510E58E                 BEQ             Process_Boots
IOS_MCP(D_R):0510E590                 B               loc_510E6A8
IOS_MCP(D_R):0510E592 ; ---------------------------------------------------------------------------
IOS_MCP(D_R):0510E592
IOS_MCP(D_R):0510E592 Process_Boots                                                                   ; CODE XREF: sub_510E56C+22j
IOS_MCP(D_R):0510E592                 MOVS            R1, R7
IOS_MCP(D_R):0510E594                 ADDS            R1, #0x44
IOS_MCP(D_R):0510E596                 MOVS            R0, #4
IOS_MCP(D_R):0510E598                 BL              sub_504197C
IOS_MCP(D_R):0510E59C                 MOVS            R1, R7
IOS_MCP(D_R):0510E59E                 ADDS            R1, #0x40
IOS_MCP(D_R):0510E5A0                 MOVS            R0, #5
IOS_MCP(D_R):0510E5A2                 BL              sub_504197C
IOS_MCP(D_R):0510E5A6                 MOVS            R1, R7
IOS_MCP(D_R):0510E5A8                 ADDS            R1, #0x38
IOS_MCP(D_R):0510E5AA                 MOVS            R0, #6
IOS_MCP(D_R):0510E5AC                 BL              sub_504197C
IOS_MCP(D_R):0510E5B0                 MOVS            R1, R7
IOS_MCP(D_R):0510E5B2                 ADDS            R1, #0x3C
IOS_MCP(D_R):0510E5B4                 MOVS            R0, #7
IOS_MCP(D_R):0510E5B6                 BL              sub_504197C
IOS_MCP(D_R):0510E5BA                 LDR             R0, =(aIosShutdownDur+0x1C)                     ; "\n"
IOS_MCP(D_R):0510E5BC                 BL              sub_5059140
IOS_MCP(D_R):0510E5C0                 LDR             R0, [R7,#0x48+var_4]
IOS_MCP(D_R):0510E5C2                 BL              sub_50596E0
IOS_MCP(D_R):0510E5C6                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E5CA                 BL              sub_5056C88
IOS_MCP(D_R):0510E5CE                 LDR             R4, =aBoot0MainDMs                              ; "boot0 main       %d(ms)\n"
IOS_MCP(D_R):0510E5D0                 MOVS            R1, R0
IOS_MCP(D_R):0510E5D2                 MOVS            R0, R4
IOS_MCP(D_R):0510E5D4                 BL              sub_5059140
IOS_MCP(D_R):0510E5D8                 LDR             R0, [R7,#0x48+var_8]
IOS_MCP(D_R):0510E5DA                 BL              sub_50596E0
IOS_MCP(D_R):0510E5DE                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E5E2                 BL              sub_5056C88
IOS_MCP(D_R):0510E5E6                 LDR             R4, =aBoot0ReadDMs                              ; "boot0 read       %d(ms)\n"
IOS_MCP(D_R):0510E5E8                 MOVS            R1, R0
IOS_MCP(D_R):0510E5EA                 MOVS            R0, R4
IOS_MCP(D_R):0510E5EC                 BL              sub_5059140
IOS_MCP(D_R):0510E5F0                 LDR             R0, [R7,#0x48+var_10]
IOS_MCP(D_R):0510E5F2                 BL              sub_50596E0
IOS_MCP(D_R):0510E5F6                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E5FA                 BL              sub_5056C88
IOS_MCP(D_R):0510E5FE                 LDR             R4, =aBoot0VerifyDMs                            ; "boot0 verify     %d(ms)\n"
IOS_MCP(D_R):0510E600                 MOVS            R1, R0
IOS_MCP(D_R):0510E602                 MOVS            R0, R4
IOS_MCP(D_R):0510E604                 BL              sub_5059140
IOS_MCP(D_R):0510E608                 LDR             R0, [R7,#0x48+var_C]
IOS_MCP(D_R):0510E60A                 BL              sub_50596E0
IOS_MCP(D_R):0510E60E                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E612                 BL              sub_5056C88
IOS_MCP(D_R):0510E616                 LDR             R4, =aBoot0DecryptDM                            ; "boot0 decrypt    %d(ms)\n"
IOS_MCP(D_R):0510E618                 MOVS            R1, R0
IOS_MCP(D_R):0510E61A                 MOVS            R0, R4
IOS_MCP(D_R):0510E61C                 BL              sub_5059140
IOS_MCP(D_R):0510E620                 MOVS            R1, R7
IOS_MCP(D_R):0510E622                 ADDS            R1, #0x44
IOS_MCP(D_R):0510E624                 MOVS            R0, #0
IOS_MCP(D_R):0510E626                 BL              sub_504197C
IOS_MCP(D_R):0510E62A                 MOVS            R1, R7
IOS_MCP(D_R):0510E62C                 ADDS            R1, #0x40
IOS_MCP(D_R):0510E62E                 MOVS            R0, #1
IOS_MCP(D_R):0510E630                 BL              sub_504197C
IOS_MCP(D_R):0510E634                 MOVS            R1, R7
IOS_MCP(D_R):0510E636                 ADDS            R1, #0x38
IOS_MCP(D_R):0510E638                 MOVS            R0, #2
IOS_MCP(D_R):0510E63A                 BL              sub_504197C
IOS_MCP(D_R):0510E63E                 MOVS            R1, R7
IOS_MCP(D_R):0510E640                 ADDS            R1, #0x3C
IOS_MCP(D_R):0510E642                 MOVS            R0, #3
IOS_MCP(D_R):0510E644                 BL              sub_504197C
IOS_MCP(D_R):0510E648                 LDR             R0, [R7,#0x48+var_4]
IOS_MCP(D_R):0510E64A                 BL              sub_50596E0
IOS_MCP(D_R):0510E64E                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E652                 BL              sub_5056C88
IOS_MCP(D_R):0510E656                 LDR             R4, =aBoot1MainDMs                              ; "boot1 main       %d(ms)\n"
IOS_MCP(D_R):0510E658                 MOVS            R1, R0
IOS_MCP(D_R):0510E65A                 MOVS            R0, R4
IOS_MCP(D_R):0510E65C                 BL              sub_5059140
IOS_MCP(D_R):0510E660                 LDR             R0, [R7,#0x48+var_8]
IOS_MCP(D_R):0510E662                 BL              sub_50596E0
IOS_MCP(D_R):0510E666                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E66A                 BL              sub_5056C88
IOS_MCP(D_R):0510E66E                 LDR             R4, =aBoot1ReadDMs                              ; "boot1 read       %d(ms)\n"
IOS_MCP(D_R):0510E670                 MOVS            R1, R0
IOS_MCP(D_R):0510E672                 MOVS            R0, R4
IOS_MCP(D_R):0510E674                 BL              sub_5059140
IOS_MCP(D_R):0510E678                 LDR             R0, [R7,#0x48+var_10]
IOS_MCP(D_R):0510E67A                 BL              sub_50596E0
IOS_MCP(D_R):0510E67E                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E682                 BL              sub_5056C88
IOS_MCP(D_R):0510E686                 LDR             R4, =aBoot1VerifyDMs                            ; "boot1 verify     %d(ms)\n"
IOS_MCP(D_R):0510E688                 MOVS            R1, R0
IOS_MCP(D_R):0510E68A                 MOVS            R0, R4
IOS_MCP(D_R):0510E68C                 BL              sub_5059140
IOS_MCP(D_R):0510E690                 LDR             R0, [R7,#0x48+var_C]
IOS_MCP(D_R):0510E692                 BL              sub_50596E0
IOS_MCP(D_R):0510E696                 MOVS            R1, #0x3E8
IOS_MCP(D_R):0510E69A                 BL              sub_5056C88
IOS_MCP(D_R):0510E69E                 LDR             R4, =aBoot1DecryptDM                            ; "boot1 decrypt    %d(ms)\n"
IOS_MCP(D_R):0510E6A0                 MOVS            R1, R0
IOS_MCP(D_R):0510E6A2                 MOVS            R0, R4
IOS_MCP(D_R):0510E6A4                 BL              sub_5059140
IOS_MCP(D_R):0510E6A8
IOS_MCP(D_R):0510E6A8 loc_510E6A8                                                                     ; CODE XREF: sub_510E56C+24j
IOS_MCP(D_R):0510E6A8                 LDR             R5, =dword_50711A8
IOS_MCP(D_R):0510E6AA                 LDR             R2, =aServiceStartup                            ; "\nService startup began at %u ms\n"
IOS_MCP(D_R):0510E6AC                 STR             R2, [R7,#0x48+var_28]
IOS_MCP(D_R):0510E6AE                 LDR             R0, [R5,#(dword_50711D0 - 0x50711A8)]
IOS_MCP(D_R):0510E6B0                 LDR             R1, [R5,#(dword_50711D4 - 0x50711A8)]
IOS_MCP(D_R):0510E6B2                 LDR             R2, =0
IOS_MCP(D_R):0510E6B4                 LDR             R3, =0x3E8
IOS_MCP(D_R):0510E6B6                 BL              sub_505711C
IOS_MCP(D_R):0510E6BA                 LDR             R0, [R7,#0x48+var_28]
IOS_MCP(D_R):0510E6BC                 BL              sub_5059140
IOS_MCP(D_R):0510E6C0                 LDR             R4, =dword_5072F38
IOS_MCP(D_R):0510E6C2                 LDR             R3, =aIosStartupDura                            ; "IOS startup duration %u ms\n"
IOS_MCP(D_R):0510E6C4                 STR             R3, [R7,#0x48+var_2C]
IOS_MCP(D_R):0510E6C6

It doesn't start out being named "Process_Boots", but reading the string variables gives you the idea what this section of code does.




.
.

 

[ryuutseku85]

If you agree to teach me i will help

 

[davetheshrew]

big update tonight/tomorrow, get on tubehax, dont say I didnt warn..

 

[Deleted User]

big update tonight/tomorrow, get on tubehax, dont say I didnt warn..

proof plz.

 

[TotalInsanity4]

big update tonight/tomorrow, get on tubehax, dont say I didnt warn..

proof plz.

Yeah, what makes you say that??

 

[ShadowOne333]

I'd switch to Tubehax if the thing didn't actually BLOCK YouTube.
I use the Wii U as my main Internet Browser, I don't even use a PC anymore.

I am okay by entering my router's settings and block the Domains manually instead.

 

[Maximilious]

I'd switch to Tubehax if the thing didn't actually BLOCK YouTube.
I use the Wii U as my main Internet Browser, I don't even use a PC anymore.

I am okay by entering my router's settings and block the Domains manually instead.

Same here. And no quickboot enabled and good to go.

 

[DeslotlCL]

proof plz.

well it is a possibility, but im not saying its true... remember that this week is scheduled with a lot of maintenance, not sure if the wiiu one (plus log in with a nnid) already took place or not.

 

[punderino]

Hello,
Qlutoo on Twitter :
Introducing a new unit -- one gbatemp: 1 kernel exploit found per 100 000 users

What does it mean ?

Someone found a new 3DS kernel exploit a few days ago. That's what he was referencing too.

 

[brienj]

big update tonight/tomorrow, get on tubehax, dont say I didnt warn..

I would never put the fate of my Wii U in the hands of someone else that runs a DNS server, and that could turn it off or change it if they wanted to.

My advice to everybody, block the updates yourself, never rely on anyone else.

 

[ldeveraux]

I use the Wii U as my main Internet Browser, I don't even use a PC anymore.

That's sad, pathetic, and just plain ridiculous

 

[ShadowOne333]

That's sad, pathetic, and just plain ridiculous

No it's not.
I use the Wii U to watch videos in my HD TV, which is why TubeHax is such a pain for me.
I don't see anything sad or pathetic about that, much less ridiculous.

 

[Sephirosu]

No it's not.
I use the Wii U to watch videos in my HD TV, which is why TubeHax is such a pain for me.
I don't see anything sad or pathetic about that, much less ridiculous.

Probably the part where you said you don't use a PC anymore rubbed him the wrong way because come on let's be honest. The Wii u's browser isn't the greatest but I do agree that using it for YouTube on a nonesmart TV causes less hazels than hooking up a PC.

 

[TotalInsanity4]

Probably the part where you said you don't use a PC anymore rubbed him the wrong way because come on let's be honest. The Wii u's browser isn't the greatest but I do agree that using it for YouTube on a nonesmart TV causes less hazels than hooking up a PC.

It's also a nice Netflix machine

It's basically the best price/performance HTPC on the market... or at least would be if it was opened

 

[Sephirosu]

or at least would be if it was opened

Asking for an open OS from the company that is so closed minded (just look at its long history of censures as an example) will get you nowhere sadly. Hope homebrew fixes that... I really want a way to decensure and undub some games without the need of TcGecko.

 

[ShadowOne333]

Probably the part where you said you don't use a PC anymore rubbed him the wrong way because come on let's be honest. The Wii u's browser isn't the greatest but I do agree that using it for YouTube on a nonesmart TV causes less hazels than hooking up a PC.

Well yeah if you go to a PC for video entertainment, the Wii U pretty much covers it.
If you use the PC for other stuff like documentation, work, etc, then of course you'll need one.

My point is that, as far as browsing the web randomly and watching vids, the Wii U satisfies such needs for me.
Not only YouTube videos, but streams and movies too.

 

[TotalInsanity4]

Asking for an open OS from the company that is so closed minded (just look at its long history of censures as an example) will get you nowhere sadly. Hope homebrew fixes that... I really want a way to decensure and undub some games without the need of TcGecko.

Honestly a decent homebrew base for the Wii U is all that I could really ask for. It has/(d) the potential to be three times the homebrew machine the Wii ever was, if it weren't for a niche user base and even more niche hacking community