[WIP] 'Cafe Code Types' for Wii U cheats + PPC code handler

Discussion in 'Wii U - Hacking & Backup Loaders' started by CosmoCortney, Feb 13, 2016.

  1. CosmoCortney
    OP

    CosmoCortney The Hacker Furry

    Member
    1,512
    1,443
    Apr 18, 2013
    Germany
    on the cool side of the pillow
    Use the Cheat Code Thread for further information. Now as the code handler is working quite well this thread becomes redundant.

    Introduction:
    Allow me to introduce the Cafe Code Types. It's the equivalent of the Wii's Gecko-, or GCN's Action Replay code types, just for the Wii U! As you will see below the scheme is very different. This is because there's no free space next to the initial address of the cheat. So each code type has its own 4Bytes which actually brings a lot of advantages compared to the Gecko- and Action Replay Code Types: No need for an extra code type to include pointers and code types can offer more options now which reduces the total amount of code types to keep a keen view about them. 8bit conditional codes will return!
    Besides this there will be totally new code types (and maybe another alternative for pointers).​

    To be fixed:
    The hook is a bit unreliable. Sometimes cheats become disabled (WWHD) or pretty much never work (MK8). Going to try to fix this soon.​

    Further information:
    Well, I have had this idea for quite a few months but didn't work on it because I was waiting for Mr. Mysterio's code type design before coding a PPC based code handler. But he has been away for a long time now :(
    so I started writing down some code a few days ago.
    HOWEVER: It is still in an early state of development. @BullyWiiPlaza has started developing a clone of TCP Gecko dNET, called JGecko U (written in Java) which can install my code handler :)
    He had the idea to save the code handler in .bin files which his program can use. I'm sure that this format could be used in future projects once IOSU exploit is out and we have a sort of cheat code loader like Gecko OS.
    If you're interested in how the code type works you can take a look at the PPC code here on my Git (It's PPC only because it's the only language I know).​

    Code Type Documentation:
    currently supported:
    1. RAM writes (pointer and pointer-in-pointer)
    2. patch/string writes (also pointered. No pointer-in-pointer)
    3. Slider/skip writes (also pointered. No pointer-in-pointer)
    4. If Equal, unequal, greater than, lower than, greater or equal, less than or equal (also pointered. No pointer-in-pointer)
    5. no operation
    6. termination
    Cafe Code Type Documentation

    How to use:
    (The following steps will change during development). Doesn't work with Splatoon. It freezes on boot screen.
    - Launch the modified version of the kernel exploit that mirrors range 00 to A0: http://cosmocortney.ddns.net/wiiustuff
    - Then run the "old_pygecko". (these exploits are not made by me. Credits go to the kexploit devs)
    - Open TCP Gecko dNET.
    - TCP Gecko dNET has no cheat code manager so you need to poke the cheat codes by hand.
    - Change to the Memory viewer and go to address 10015000. Now poke all your cheat codes line by line starting at 10015000. (It is important not to skip 00000000 of a code). The next cheat comes without any space between the previous one. (To help you to orientate; a following cheat code will always start at XXXXXXX0 or XXXXXXX8)
    - Once all cheats are stored close TCP Gecko dNET.
    - Download the code handler here
    - Now you will need Bully's JGecko U to install the code handler.
    - Open it with Winrar and go into the folder called "codehandler"
    - Delete the content and drag and drop the latest code handler into there.
    - Run JGecko U and hit "connect"
    Once it tells you the code handler has been installed, the cheats should be active.​

    Demonstrations:
    A demo video of a jokered Moon Jump code:
    https://twitter.com/CosmoCortney/status/699987611872530432

    and here you can see an 8bit, a 16bit and a 32bit code being managed:
    cafe codes.png
     
    Last edited by CosmoCortney, Mar 12, 2016


  2. GOT4N

    GOT4N GBAtemp Regular

    Member
    289
    147
    Sep 13, 2009
    Antigua and Barbuda
    Interesting Cosmo. :)
    But, yeah, it doesn't work on 5.5.1 right? :P
     
  3. CosmoCortney
    OP

    I don't think so because you need to patch the kernel to install TCP Gecko Installer
     
    eco95 and GOT4N like this.
  4. GOT4N

    Yeah shouldn't then :P
    Thanks for answering!
    (maybe you should add that, else some people will ask :P)
     
  5. Deathwing Zero

    Deathwing Zero GBAtemp Regular

    Member
    162
    73
    May 22, 2010
    Canada
    Can-uh-duh
    Have you talked with Skiller about it at all? He may have some ideas, though I don't know how good he is with programming outside of ASM.
     
  6. BullyWiiPlaza

    BullyWiiPlaza Nintendo Hacking <3

    Member
    1,603
    1,319
    Aug 2, 2014
    Gambia, The
    I can make an application that stores the code handler code to the memory automatically. I already have a project I'm slowly working on which is this one. Let me know the addresses and values to write and I can make it happen. Just create a binary file with all the assembly in it. We don't need to modify the pyGecko installer for this and it will cause no delay :P

    A question I have is this. Aren't we supposed to program in C and use the compiled assembly instead of writing the assembly manually? It should be more convenient or maybe not. It's C after all :P
     
    Last edited by BullyWiiPlaza, Feb 13, 2016
    SuperAce20, eco95 and CosmoCortney like this.
  7. CosmoCortney
    OP

    That'd be awesome :D
    Well, I don't know any C.. But I am very familiar with PPC. I need to search the best entry point for this and write some more asm to be able to use as many registers as possible. give me some time^^

    should the asm be in asm (blr) or hex (4E800020)?
     
    Last edited by CosmoCortney, Feb 13, 2016
    eco95 likes this.
  8. BullyWiiPlaza

    If you have an assembler to translate the code to hex then the source is enough :P
    PyiiASMH? ;)

    It would be best if you make a very simple code handler and instructions on how to install it so that I can build it into the tool.
     
    Last edited by BullyWiiPlaza, Feb 14, 2016
    eco95 and CosmoCortney like this.
  9. CosmoCortney
    OP

    Ok, I can give it to you as hex. BUT it uses different areas in the memory and it is important the last one in the file is written last.
    Also while enabling a cheat code the value at A114F820 must be 83A10354 and after all cheats are sent it must be 4805E9E0 again. otherwise the system will try to write at a forbidden memory range.

    here's the code:
    code

    Forgot to tell that all cheats must be stored at 0x10015000. It is important it starts there and there are no gaps between the cheats. Otherwise it will be skipped. Mind that an 8bit RAM write without pointers starts with 00000000 and some codes end with 00000000. (RAM writes are always 16/0x10 Bytes long)
     
    Last edited by CosmoCortney, Feb 14, 2016
    eco95 and BullyWiiPlaza like this.
  10. CosmoCortney
    OP

    Good news: Pointers do work now!
    I have included a range check to make sure pointers don't freeze the game during loading sequences.
    A pointer RAM write looks like this:
    001S0000 LLLLLLLL
    R_START_ R_END___
    QQQQQQQQ VVVVVVVV


    S: Size. 0 = 8bit, 1 = 16bit, 2 = 32bit
    LLLLLLLL: Address where the pointer is stored in memory
    R_START_: Minimum range (10000000 will most likely be fine to prevent the system writing into a forbidden area, but I recommend setting it about 0x10000 below one of the aim address)
    R_END___: Maximum range (4C000000 will most likely be fine but I recommend setting it about 0x10000 above the aim address)
    QQQQQQQQ: Offset. If the offset is negative it must be written as unsigned hex (-0x10 = 0xFFFFFFFE, need to do more testing on this)
    VVVVVVVV: Value

    One example: Stretching Link ([1097648C] + 6a30 ~ 43000000)
    00120000 1097648C
    48600000 48800000
    00006A30 43000000

    next up: pointer-in-pointer
     
    Thomas83Lin and BullyWiiPlaza like this.
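The pointer RAM write layout described in the post above, as an added example that is not part of the thread or of the PPC code handler: a small Python decoder that applies the posted "Stretching Link" code to a simulated memory. `FakeRam`, `demo` and the pointer value passed to it are constructed; that the range check is applied to the loaded pointer value, and that narrower writes take the low bytes of VVVVVVVV, are assumptions.

```python
SIZES = {0: 1, 1: 2, 2: 4}  # S nibble -> write width in bytes (8/16/32 bit)

# The "Stretching Link" code exactly as posted above.
EXAMPLE = """00120000 1097648C
48600000 48800000
00006A30 43000000"""

def parse_pointer_write(text):
    """Decode '001S0000 LLLLLLLL / R_START_ R_END___ / QQQQQQQQ VVVVVVVV'."""
    words = [int(w, 16) for w in text.split()]
    if len(words) != 6:
        raise ValueError("a pointer RAM write is three lines of two words")
    head, loc, r_start, r_end, offset, value = words
    if head & 0xFFF0FFFF != 0x00100000:
        raise ValueError("first word is not 001S0000")
    size = (head >> 16) & 0xF
    if size not in SIZES:
        raise ValueError("unknown size nibble %X" % size)
    return {"width": SIZES[size], "loc": loc, "r_start": r_start,
            "r_end": r_end, "offset": offset, "value": value}

def apply_pointer_write(code, read32, write):
    """Return the address written, or None when the range check skips the code."""
    ptr = read32(code["loc"])
    # Assumption: the check is applied to the pointer value loaded from LLLLLLLL.
    if not code["r_start"] <= ptr <= code["r_end"]:
        return None
    target = (ptr + code["offset"]) & 0xFFFFFFFF  # 32-bit wrap-around add
    # Assumption: narrower writes take the low bytes of VVVVVVVV, big-endian.
    mask = (1 << (8 * code["width"])) - 1
    write(target, (code["value"] & mask).to_bytes(code["width"], "big"))
    return target

class FakeRam:
    """Constructed stand-in for console memory (sparse, big-endian)."""
    def __init__(self):
        self.cells = {}
    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b
    def read32(self, addr):
        return int.from_bytes(bytes(self.cells.get(addr + i, 0) for i in range(4)), "big")

def demo(pointer_value):
    """Run EXAMPLE against a FakeRam whose pointer slot holds pointer_value."""
    ram = FakeRam()
    ram.write(0x1097648C, pointer_value.to_bytes(4, "big"))
    target = apply_pointer_write(parse_pointer_write(EXAMPLE), ram.read32, ram.write)
    return target, (None if target is None else ram.read32(target))
```

`demo(0x48700000)` writes through the pointer, while `demo(0)` models a pointer slot that is still empty (for example during a loading sequence) and is skipped by the range check.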
  11. BullyWiiPlaza

    @CosmoCortney
    I made my application inject your handler so try it out. It works for me and I can put basic cheat codes in the memory. This could turn into something big really fast when I also implement some cheat code tab :)
     
    Last edited by BullyWiiPlaza, Feb 14, 2016
    Thomas83Lin and CosmoCortney like this.
  12. CosmoCortney
    OP

    This is awesome :D
    Pointer-in-pointers work too now. My github is updated. need to get the hex though
     
    BullyWiiPlaza likes this.
  13. BullyWiiPlaza

    You can edit the files in the JAR so you can keep changing the code handler without me changing the application. But you can only change the file contents so far (not the file names). Adding new files has no effect too ;)

     
    Last edited by BullyWiiPlaza, Feb 15, 2016
    CosmoCortney likes this.
  14. CosmoCortney
    OP

    This is even better :D
    Very easy to extract the hex!
    In the attachment is the updated code handler ^^
    EDIT:
    I have updated the code handler again. In v4 Fill/Patch writes are now possible (this was tricky to write in asm... took me over 3 hours to get it working). v3 is also fixed. I have accidentally copied a wrong file into there. My bad if it caused freezes for you
    @BullyWiiPlaza v4 uses a fifth file now. You'd need to update JGeckoU :P
     


    Last edited by CosmoCortney, Feb 15, 2016
    Mega-Mew and BullyWiiPlaza like this.
  15. BullyWiiPlaza

    Updated. Now you can add and delete binary files freely. They will all be recognized :P
     
    CosmoCortney likes this.
  16. CosmoCortney
    OP

    awesome, thanks :3
     
  17. CosmoCortney
    OP

    @BullyWiiPlaza for some reason the latest JGeckoU freezes the system when it loads the newest code handler which has 5 files. Did you maybe miss something in your code or forget that A114F820.bin must be loaded last?
    I will also have a look verifying nothing's wrong with the code handler
     
  18. BullyWiiPlaza

    Ah, it doesn't verify that. I will make it do that
     
    Last edited by BullyWiiPlaza, Feb 16, 2016
    CosmoCortney likes this.
  19. CosmoCortney
    OP

    Oh ok, take your time :P

    @Cyan could you possibly change the title to: [WIP] 'Cafe Code Types' for Wii U cheats + PPC code handler ? As a normal member I can't edit it
     
  20. BullyWiiPlaza

    Already done. Now the addresses are written from highest to smallest :)
    Code:
    codehandler\A11B1000.bin
    codehandler\A11B0E00.bin
    codehandler\A11B0C00.bin
    codehandler\A11AE200.bin
    codehandler\A114F820.bin
     
    Last edited by BullyWiiPlaza, Feb 16, 2016
    CosmoCortney likes this.