Jump to content


45 archivos

  1. SDCafiine Plugin

    La principal característica de SDCafiine Plugin es la sustitución de archivos sobre la marcha, que puede utilizarse para cargar contenidos modificados desde medios externos (SD).
    Se conecta a las funciones del sistema de archivos de la Wii U. Cada vez que se accede a un archivo, SDCafiine comprueba si existe una versión (modificada) en la tarjeta SD, y redirige las operaciones de archivo si es necesario.
    Uso de SDCafiine
    La ruta de SDCafiine ha cambiado a sd:/wiiu/sdcafiine
    A través del menú de configuración del plugin (pulsa L, DPAD Down y Minus en el gamepad) puedes configurar el plugin. Las opciones disponibles son las siguientes:
    Configuración: Habilitar SDCafiine: Con esta opción puedes activar/desactivar globalmente SDCafiine. Si estás ejecutando un juego, debes reiniciarlo para que esta opción tenga efecto. Configuración avanzada: Aplicar automáticamente el modpack si sólo existe un modpack: Omite la pantalla de selección de mods si el título actual sólo tiene un modpack para elegir. Para arrancar el juego sin mods, tienes que pulsar X mientras se muestra "Preparando modpack" en la pantalla. Omitir la pantalla "Preparando modpack... Omite la pantalla "Preparando modpack..." que aparece cuando se activa el arranque automático en un único modpack para un título. Para ejecutar el juego sin mods es necesario desactivar esta opción. Instalación de los mods
    Antes de poder cargar los mods, es necesario copiarlos en una tarjeta SD. A continuación, "root:/" corresponde a la raíz de tu tarjeta SD. La estructura básica de la ruta de archivos es la siguiente
    root:/wiiu/sdcafiine/[TITLEID]/[MODPACK]/content/ <-- para los archivos del juego. Se asigna a /vol/content/ root:/wiiu/sdcafiine/[TITLEID]/[MODPACK]/aoc/ <-- para los archivos DLC. Mapas a /vol/aoc/ Reemplaza lo siguiente:
    "[TITLEID]" necesita ser reemplazado el TitleID de los juegos que deben ser modded. Una lista de ids de títulos se puede encontrar aquí (sin el "-"). Ejemplo para SSBU "0005000010145000". Asegúrese de utilizar el ID del juego completo y no el ID del título de actualización. "[MODPACK]" nombre del modpack. Ejemplo de ruta para la versión EUR de SuperSmashBros para Wii U:
    root:/wiiu/sdcafiine/0005000010145000/SpecialChars/content/ <-- para los archivos del juego. Se asigna a /vol/content/ root:/wiiu/sdcafiine/0005000010145000/SpecialChars/aoc/ <-- para archivos de DLC. Mapas a /vol/aoc/ Para reemplazar el archivo /vol/content/movie/intro.mp4, pon un archivo modificado en:
    root:/wiiu/sdcafiine/0005000010145000/SpecialChars/content/movie/intro.mp4 Manejo de múltiples paquetes de mods
    SDCafiine admite varios mods diferentes para un mismo juego en la misma tarjeta SD. Cada modpack tiene su propio subdirectorio. Ejemplo:
    sd:/wiiu/sdcafiine/0005000010145000/ModPack1/content/ sd:/wiiu/sdcafiine/0005000010145000/ModPack2/content/ "Borrar" archivos a través de SDCafiine
    Si un juego ya no debe ver o acceder a un archivo, es posible "borrarlo"/"ocultarlo" del juego sin eliminarlo realmente. El proceso es similar al de redirigir un archivo. Pero en lugar de crear un archivo de reemplazo con el mismo nombre, se crea un archivo vacío con el prefijo .deleted_.
    Si quieres evitar que un juego acceda a /vol/content/assets/tree.bin tienes que crear este archivo en tu modpack.
    root:/wiiu/sdcafiine/[TITLEID]/[MODPACK]/contenido/activos/.deleted_tree.bin  
  2. Aroma

    Aroma es una colección de herramientas para usar homebrew en la Wii U.
    Características
    Las herramientas, módulos y plugins de Aroma son modulares, lo que significa que se pueden añadir o eliminar características fácilmente.
    Una instancia de Aroma por defecto viene con las siguientes características:
    Compatibilidad con el último firmware (5.5.5/5.5.6). Punto de entrada libre y persistente (incluyendo un instalador + opción de coldboot) Compatible con los puntos de entrada existentes (browser exploit) Fácil configuración y actualización: sólo hay que copiar los archivos en la tarjeta SD. Compatibilidad incorporada con los módulos Integración incorporada del sistema de plugins de Wii U Todos los módulos y plugins utilizan un montón de memoria independiente para mejorar la estabilidad Los plugins y las aplicaciones homebrew pueden utilizarse al mismo tiempo. Uso
    Extrae los archivos a la raíz de tu tarjeta sd Inicia el entorno a través del EnvironmentLoader. Es posible que tengas que mantener la tecla X mientras lanzas el EnvironmentLoader para forzar la apertura del menú. Aroma es una aplicación creada por Maschell.
  3. UDPIH Nintendo Switch Payload

    Esto es un payload para cargar UDPIH desde una Nintendo Switch sin parchear.
    Instrucciones
    Descargue el último udpih_nxpayload.bin e inyéctelo utilizando un inyector de carga útil. Inicie el gadget seleccionando Ejecutar el gadget UDPIH con el botón POWER. Créditos
    Esto es básicamente una versión muy reducida de hekate con soporte para el gadget udpih, por lo que todos los créditos para la carga útil NX van a @CTCaer y todos los demás colaboradores de hekate.
    Aplicación creada por GaryOderNichts.
  4. USB Descriptor Parsing Is Hard (UDPIH)

    Aprovecha el análisis del descriptor de la pila del host USB de la Wii U. Se pronuncia como "mud pie" sin la M.
    Requisitos
    Una Wii U Uno de los dispositivos enumerados a continuación Nota: Cualquier otro dispositivo linux capaz de emular dispositivos USB también debería funcionar. Las versiones e instrucciones preconstruidas sólo están disponibles para la Pico y la Zero. Más adelante añadiré más dispositivos cuyo funcionamiento está confirmado. Dispositivos compatibles:
    Una Raspberry Pi Pico o Zero Una Nintendo Switch sin parches capaz de ejecutar udpih_nxpayload Instrucciones
    Pico
    Descarga la última versión de UDPIH. Mantén pulsado el botón BOOTSEL de la placa y conecta el Pico a tu PC. Su PC detectará la Pi como un dispositivo de almacenamiento. Copie el archivo .uf2 en el Pico. Se desconectará después de unos segundos. El Pico está ahora flasheado y puede ser usado para udpih. Continúa con "Arrancando el recovery_menu" a continuación. Raspberry Pi Zero (Linux)
    Instale las dependencias necesarias: sudo apt install build-essential raspberrypi-kernel-headers Clona el repo: git clone https://github.com/GaryOderNichts/udpih.git cd udpih  
    Descarga el último arm_kernel.bin.h de la página de versiones y cópialo en el directorio arm_kernel. Ahora construye el módulo del kernel:
    cd linux make  
    Ahora puedes ejecutar sudo insmod udpih.ko para insertar el módulo del kernel en el kernel. El Cero está ahora listo para ser usado por udpih. Tenga en cuenta que tendrá que insertar el módulo de nuevo después de reiniciar la Zero. Necesitarás dos cables USB, uno para alimentar la Zero y otro para conectarla a la Wii U. Continúa con "Arrancar el recovery_menu" a continuación. Arrancar el menú de recuperación
    ⚠️ Notas importantes para que esto funcione: Asegúrate de que no hay otros dispositivos USB conectados a la consola. Utilice únicamente los puertos USB de la parte frontal de la consola, los puertos traseros no funcionarán. Si tu consola tiene activado el modo de espera, desconecta el enchufe y enciéndela desde un estado de arranque en frío completo. Copia la última versión del recovery_menu a la raíz de tu tarjeta SD formateada en FAT32. Inserta la tarjeta SD en la consola y enciéndela. En cuanto veas el logotipo de "Wii U" en el televisor o en el Gamepad, conecta tu Zero/Pico. Este momento es importante. Si ya estás en el menú, la hazaña no funcionará. Después de unos segundos deberías estar en el menú de recuperación. Aplicación creada por GaryOderNichts.
  5. YouTube Video SWF Wii WAD Injector

    YouTube Video SWF Wii WAD Injector es una aplicación que nos permite inyectar vídeos de Youtube (convertidos a Shockwave Flash (SWF) en WADS (el formato de los canales de Nintendo Wii)
    Recuerda: Asegúrate de que el vídeo que intentas inyectar no supere los 5 minutos de duración. Los más largos o mayores de 15MBs no funcionarán.
    Cuidado! Algunos antivirus pueden detectar este programa como un virus. Si lo hace, es un falso-positivo. No hay virus ni malware en este programa.
    YouTube Video SWF Wii WAD Injector es una aplicación creada por mrt84.
  6. Bloopair

    Bloopair permite conectar controladores de otras consolas como los controladores nativos de Wii U Pro en la Wii U, aplicando temporalmente parches al módulo IOS-PAD responsable de las conexiones del controlador Bluetooth.
    Características
    Conecte hasta 4 controladores de forma inalámbrica a través de Bluetooth Soporte para vibración Niveles de batería Controladores compatibles
    Mando Pro de Nintendo Switch Nintendo Switch Joy-Con Controlador Microsoft Xbox One S / X Controlador Sony Dualsense
    Instalación
    Descargar la aplicación y extraerla en el directorio raíz de la tarjeta SD. Uso
    Ejecute Bloopair desde WiiU Homebrew Launcher Una vez lanzado, debería abrirse el menú de Wii U Una vez de vuelta en el menú de Wii U, presione el botón SYNC en su consola y controlador Espere hasta que el controlador esté conectado Si un controlador se había emparejado en el pasado, simplemente enciéndalo nuevamente y debería volver a conectarse.
    Después de reiniciar la consola o salir de la Configuración del sistema, reinicie Bloopair.
    Aplicación creada por  GaryOderNichts.
  7. WUP Installer GX2

    Esta aplicación puede instalar juegos, actualizaciones de juegos o contenidos descargables a la memoria del sistema de nuestra Wii U (NAND) o a un dispositivo USB.
    WUP Installer GX2 está basada en la aplicación "WUP Installer y Mod" creada por Yardape, mientras que la interfaz gráfica está tomada del código fuente de "Loadiine GX2".
    Existen 3 versiones de WUP Instlaler GX2:
    La primera funciona con HBL y HBL Channel. La segunda funciona solo con HBL Channel. La tercera es el canal instalable de WUP Installer GX2.
    Agradecimientos:
     Al equipo de Loadiine GX2 por el código fuente de la interfaz gráfica. A Yardape por el código fuente del instalador. A brienj por el soporte rpx. Aplicación creada por  djskual.
  8. Wiimote Emulator

    Emulates a Bluetooth Wii controller in software.
    Features
    Emulate the Wiimote's many features and extensions Allows use of different input devices (keyboard etc.)
    Build/Install
    The following dependencies/packages are required (if not already installed):
    libdbus-1-dev libglib2.0-dev libsdl1.2-dev Run the build script (in the project directory):
    source ./build-custom.sh
    Using the Emulator
    Stop any running Bluetooth service, e.g.:
    sudo service bluetooth stop
    Start the custom Bluetooth stack (e.g. from the project directory):
    sudo ./bluez-4.101/dist/sbin/bluetoothd
    Run the emulator (in the project directory):
    ./wmemulator With no arguments, the emulator will listen for incoming connections (similar to syncing a real Wiimote). Pressing the sync button on a Wii should cause it to connect.
    You can also supply the address of a Wii to directly connect to it as long as you have connected to it before (or you change your device's address to the address of a trusted Wiimote).
    ./wmemulator XX:XX:XX:XX:XX:XX
    You will need to run the custom Bluetooth stack (as described above) whenever using the emulator (it won't persist after e.g. a device restart). Also, the custom stack generally won't be useful for anything besides Wiimote emulation.
    To stop the custom stack and restore the original Bluetooth service, e.g.:
    sudo killall bluetoothd sudo service bluetooth start by mconrad.
  9. BluuBomb

    BluuBomb es un exploit para Wii U que aprovecha el stack bluetooth para obtener acceso al kernel de IOSU a través de bluetooth.
    No confundir con , que es paraBlueBomb Wii y Wii Mini.
    Requisitos
    Una Wii U capaz de emparejarse con un Wii Remote Un PC con Bluetooth Un PC o una máquina virtual ejecutando una versión de Linux capaz de ejecutar una build personalizada de BlueZ. Como usar
    Run sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev to install the required dependencies. Download Wiimote Emulator. Run source ./build-custom.sh to build BlueZ. Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps. Stop the already running bluetooth service sudo systemctl disable --now bluetooth Run the custom built bluetoothd sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n Download the bluubomb from here (kernel binaries included). Make the bluubomb file executable by running sudo chmod +x bluubomb. Power on the Wii U and press the sync button. Run sudo ./bluubomb arm_kernel.bin and wait for the pairing process to complete. This might take a minute. If you get a warning about Simple Pairing mode read the Simple Pairing mode section below. Write down the Wii U's bd address that should be displayed after the pairing is complete.
    You can now run sudo ./bluubomb arm_kernel.bin <bdaddr here> to connect directly to the Wii U and skip the pairing process.
    Kernel binaries
    arm_kernel_loadfile Launches a launch.rpx from the root of your SD card on the next application launch. arm_kernel_fw_launcher Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings). arm_kernel_region_free Applies IOSU patches to temporarily remove region restrictions. This should be helpful if you've locked yourself out of your applications due to permanent region modifications. Simple Pairing mode
    On some devices the simple pairing mode can't be disabled by bluubomb. You can check the current Simple Pairing mode by running hciconfig hci0 sspmode. Make sure it says Simple Pairing mode: Disabled. If not run sudo hciconfig hci0 sspmode disabled and sudo hciconfig hci0 reset. Then check the mode again. BluuBomb ha sido creada por GaryOderNichts.
  10. Wii DVD Channel

    This channel has the OFFICIAL DVD icon the Wii uses, it spins around like on the Disc Channel and stuff.
    I don't have pictures yet, I just got back on GBAtemp from a 2 month hiatus and realized I hadn't even released a beta yet..
    I think the channel forwards to USBLoaderGX.
    Feel free to extract the brlyt & brlans and modify & give credit 🙂
    Thanks to @JGSHEW & Dariuz Wolf for helping me troubleshoot, and crediting Draconic NEO for having a similar idea.
    by NewGBAXXL.
  11. FF Viewer Legacy

    Allows you to edit .ff Files or Mod Menu's!!!!

    This works for all .FF Files including for Wii COD Games.
    by ShadowTheAmazing.
  12. WUPDownloader

    WUPDownloader es uina aplicación que permite descargar contenido instalable desde NUS, directamente a una tarjeta SD conectada a WiiU.
    Esta aplicación no ofrece soporte para piratería. Solo descarga juegos que ya has comprado antes!
    Características de WUPDownloader:
    Download titles from Nintendo's servers (NUS) on the SD Card (SD:/install/) Create fake tickets at the start of a download if not found on the NUS Shows the download speed for any title Also, generate fake tickets for other downloaded titles on SD:/install/ folder (To fix missing ticket downloads) WiiU Software Keyboard library support (SWKBD) Can download System/vWii titles Complete HOME Menu support for channel version Downloaded titles can be installed with WUP Installer Download app hashes support (.h3) Custom folder names for downloaded titles Usage
    To download a title, search on a Title Database for a title ID (Ex: WiiUBrew's database)
    To create a fake ticket, you will need the title ID and the encryption key (Avaible on 'That title key site')
    To install the app, download and unzip the contents of the latest release and depending on how you will run the app, follow the next steps:
    Homebrew Launcher
    Move the folder to (SD:/wiiu/apps/) Run the app from HBL through Haxchi, Browserhax or any exploit you want Home Menu
    Move the folder to (SD:/install/) and install it with WUPInstaller Run it from the HOME Menu (With a CFW) by Pokes303.
  13. NUSspli

    NUSspli es una aplicación que nos permite instalar contenido directamente desde los servidores de actualización de Nintendo a nuestra WiiU.
    Características:
    Descargar juegos desde los servidores de Nintendo (NUS). Instalar juiegos descargados tanto en el almacenamiento interno de la consola como en una memoria externa. Buscar tickets en NUS y "esa web de juegos". Crear tickets fake a voluntad o si no los encuentra. Mostrar la velocidad de descarga. Teclado en pantalla. Es capaz de descargar cualquier cosa disponible en NUS. Soporte completo para el menú HOME. Nombres de carpeta personalizados para los juegos descargados.
    Cómo usar NUSspli
    Para descargar un juego, realiza la búsqueda en "Title Database" por el ID de un juego (por ejemplo: base de datos WiiUBrew) Para crear un ticket fake necesitarás el Title ID y la clave de encriptación (disponible en "ese sitio de claves de juegos"). Para instalar la aplicación, descárgala desde esta misma página, descomprime el archivo y, dependiendo de donde vayas a ejecutar la aplicación, sigue los siguientes pasos:
    Homebrew Launcher
    Mueve la carpeta a SD:/wiiu/apps/ Ejecuta la aplicación desde el HBL a través de Haxchi, Browserhax o cualquier otro exploit compatible. Home Menu
    Instala un Custom Firmware. Mueve la carpeta a SD:/install e instalalá con WUPInstaller. Ejecútala desde el menú HOME. Info
    NUSspli está basada en WUPDownloader de Poke303.
    La aplicación ha sido creada por V10lator.
  14. vWii Nand Restorer

    Restore your vWii NAND backups from your Wii U.
    How to use
    Copy your nand backup to sd:/vwiinandrestorer/slccmpt.bin and place your keys.bin/otp.bin in the same folder Copy the .elf to sd:/wiiu/apps Run cfw (mocha or haxchi) I recommend doing a slccmpt + otp backup with Wii U Nand dumper before using this tool.
    Please make sure that the keys.bin/otp.bin are from the console where the NAND Backup is from or else decryption will fail!
    Restore NAND
    This will clear your SLCCMPT, extract the nand backup to your slccmpt and fix permissions
    Additional Options:
    Extract NAND
    Extracts your NAND to sd:/vwiinandrestorer/extracted Clear SLCCMPT
    This clears your SLCCMPT Copy extracted NAND to SLCCMPT
    Copies everything from sd:/vwiinandrestorer/extracted to your SLCCMPT This can be useful if you have an already extracted NAND Backup that you want to restore Fix modes
    This fixes the modes of your SLCCMPT Needed after copying file to the SLCCMPT by GaryOderNichts.
  15. Payload Loader

    This is a generic payload loader for the Wii U to load arbitrary from the SD Card.
    Currently it's hardcoded to loads a .elf file from sd:/wiiu/payload.elf.
    Preconditions
    This loader expects:
    to be able to run at 0x011DD000 (and copied to this place and then executed). to be running inside Mii Maker (for the SD card access), the common kern_write (0x35) and kern_read (0x34) syscalls installed (hooks on 0x0xFFF02234 (write) / 0x0xFFF02214 (read) on FW 5.5.0+) the 0x09 syscall installed which is expected to be a function manipulate IBAT0 (extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);) Running in any other application with sd access may also work, the IBAT0 setup may be to be adjusted though (set back to orignal values at the end)
    Usage
    A common usage for this would be to exploit an application, do a kernel exploit to be able to have kernel read/write, somehow copy the sections of the payload loader .elf file to the expected destination in memory fulfill the mentioned preconditions.
    After that, simply put the .elf to be loaded in sd:/wiiu/payload.elf
    The loaded .elf needs to be statically linked somewhere between 0x00800000 and 0x0‭1000000‬. This whole area is has rwx for both, user and supervisor (kernel) mode and can be used.
    This mapping only lasts for this exeuction! As soon as you leave the running application (in this case the Mii Maker), the mapping will be reset and you will loose access to the 0x00800000 region.
    Compiling
    In order to be able to compile this, you need to have installed devkitPPC with the following pacman packages installed.
    pacman -Syu devkitPPC
    Make sure the following environment variables are set:
    DEVKITPRO=/opt/devkitpro DEVKITPPC=/opt/devkitpro/devkitPPC Technical details
    This payload loader is supposed to loaded somewhere between 01000000..01800000 (virtual address), 0x011DD000...0x011E0000 should be free to use. The 0x09 syscall is used to set IBAT0 to map 01000000..01800000 (virtual address) to 32000000..32800000 (physical address) with r/w for user and kernel. This includes the region where payload loader is, and allows us to register and execute kernel syscall. This setting is meant to match the orignal IBAT0 values (at least in Mii Maker), but with r/w for the kernel. Resetting is not needed when using the Mii Maker, but may be needed to be adjusted. Afterwards it's possible to register an own syscall (we use 0x36 as it's unused) to setup IBAT4 and DBAT5 to make 00800000..01000000 (virtual address) to 30800000..31000000 (physical address) with r/w for user and supervisor. This allows full user/kernel access to this region, for data and code. The mapping is done for all 3 cores. Credits
    orboditilt dimok789: Most parts (especially sd loading, elf copying) are based on the homebrew launcher sd loader. by wiiu-env.
  16. Mario Kart 8 primary userland exploit for the WiiU

    Actual implementation (base ROP chain to ACE) of the exploit Kinnay found in the WiiU version of Mario Kart 8. Running this will boot the homebrew launcher.
    Requirements
    A WiiU Two NNIDs logged into your WiiU A computer logged on the same network than the console README, for real
    The exploit may not work on the first try (~85% success rate) Do not run any homebrew using memory before launching MK8 (like TCPGecko, Cafiine or Diibugger) How to use
    Edit exploit.py and fill in your Nintendo Network IDs + console informations Edit main_exploit.py and edit the local computer IP Run make to build the payload0 binary (you need devkitPro + devkitPPC) Go on your WiiU, log on the victim NNID Open MK8, go online and host a private match, stay in the "earth menu", make sure you're alone in the room Start stage0.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER Wait for the game to reboot and rehost a private match, stay in the "earth menu", make sure you're alone in the room Start stage1.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER It should open the HOME Menu, return to the WiiU Menu, and tadaa, magic, you're on the HBL Credits
    Kinnay for the Nintendo Clients library that allows use to communicate with NEX game servers and its protocols. Maschell for working with me on this exploit (and being as addicted as i was doing this), there was a lot of co-operation Rambo6Glaz / NexoCube / TheBrick for working on this, and all the chains here. wiiu-env for the payload_loader that's inside payload0/main_hook.h by NexoDevelopment.
  17. Mario Kart 8 Exploit Payload

    This is an example payload for the Mario Kart 8 Exploit. It simply copies a given statically linked payload (main_hook/main_hook.elf) into memory and executes it.
    Usage
    This payload meant to be used with Mario Kart 8 Exploit, a exploit for the Wii U (tested with latest european version of the game, v64 on EU Wii U with 5.5.4). Copy the created code.bin into the Mario Kart 8 Exploit folder and run the exploit according to the readm. Read the README of the repository for more information.
    The game will switch to Mii Maker and run your main_hook.elf. From now your payload will be loaded every time you switch to another application.
    Overwrite the address 0x0101c56c (our main entry hook) with 0x4E800421 (= bctrl) to override this behaviour. Note This address is not writeable from user/kernel, you need to either set up a DBAT or disable memory translation temporarily. Then disabling the memory translation, make sure to use physical addresses, OSEffectiveToPhysical might help there.
    Building
    Place the a project with Makefile into a subfolder /main_hook that creates a main_hook.elf. Using a .elf directly requires changes on the Makefile. This repository provides a generic .elf as submodule, see it's README for detailed information and usage.
    Clone via git init --recursive URL.
    In order to be able to compile this, you need to have installed devkitPPC with the following pacman packages installed.
    pacman -Syu devkitPPC Make sure the following environment variables are set:
    DEVKITPRO=/opt/devkitpro DEVKITPPC=/opt/devkitpro/devkitPPC
    The command make should produce a code.bin, meant to be used with Mario Kart 8 Exploit.
    Technical details
    This payload expects:
    To be run inside the Mii Maker The Syscall 0x25 to be a memcpy with kernel privileges This payload does:
    A small function to modify IBAT0 is copied to kernel space and registers as syscall 0x09 The declaration of this function is extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);. Copies the embedded main_hook.elf to the address where it's statically linked to. Currently these sections are supported. .text, .rodata, .data and .bss. In theory this could be placed anywhere, but keep in mind that the memory area may be cleared (like the codegen area, or the whole heap), and needs to be executable in user mode (even after switching the application). Due to size limits it need to be somewhere between 0x011DD000...0x011DE200 or in a completly different region (0x011DE200...0x011E0000 is used by this payload) Afterwards the main entry hook is set up to jump to this position on every application switch. You also may have to modify this if the jump turns out to be too big. The entrypoint of themain_hook.elf will be called directly as we are already in Mii Maker. What this payload offers to the loaded .elf
     
    The loaded main_hook.elf can expect:
    To be called everytime the application switches. (Mii Maker has sd access!) Syscall 0x09 to be available. Declaration: extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower); , call via asm. This function can be used to set IBAT0 to allow the kernel to execute new created syscall (the kernel has for example no access to 0x011DD000...0x011E0000). Syscall 0x34 (kern_read) and 0x35 (kern_write) to be available. Use the following functions to use them: /* Read a 32-bit word with kernel permissions */ uint32_t __attribute__ ((noinline)) kern_read(const void *addr) {     uint32_t result;     asm volatile (         "li 3,1\n"         "li 4,0\n"         "li 5,0\n"         "li 6,0\n"         "li 7,0\n"         "lis 8,1\n"         "mr 9,%1\n"         "li 0,0x3400\n"         "mr %0,1\n"         "sc\n"         "nop\n"         "mr 1,%0\n"         "mr %0,3\n"         :    "=r"(result)         :    "b"(addr)         :    "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",         "11", "12"     );     return result; } /* Write a 32-bit word with kernel permissions */ void __attribute__ ((noinline)) kern_write(void *addr, uint32_t value) {     asm volatile (         "li 3,1\n"         "li 4,0\n"         "mr 5,%1\n"         "li 6,0\n"         "li 7,0\n"         "lis 8,1\n"         "mr 9,%0\n"         "mr %1,1\n"         "li 0,0x3500\n"         "sc\n"         "nop\n"         "mr 1,%1\n"         :         :    "r"(addr), "r"(value)         :    "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",         "11", "12"     ); }
    Credits
    orboditilt: Putting everything together. dimok789: This is based on the Wii U Homebrew Launcher. by wiiu-env.
  18. RPX Gadget Finder

    Needed for use Mario Kart 8 Exploit.
    by wiiu-env.
  19. Mario Kart 8 Exploit

    A implementation of the Mario Kart 8 exploit which allows abritrary Userland code execution and read/write with kernel permissions.
    Preparation
    Before using the ROP-chain, some files need to be generated, you can do it with make.
    The makefile expects some binaries/files.
    Download RPX Gadget Finder (requires Java) tmp/550/coreinit.rpl from 00050010-1000400A OSv10 v15702 tmp/550/gx2.rpl from 00050010-1000400A OSv10 v15702 tmp/Turbo.rpx the binary of the Mario Kart 8 version you want to exploit (only tested with EUR v64) When you have all needed files, you can use make.
    On success, you can now find the following files:
    ropgadget_addr.py The default ropgadget_addr.py can be used with the EUR V64 of Mario Kart on EUR 5.5.x consoles.
    Usage
    Download Nintendo Clients. Checkout commit d044b3f9717e096862517b060c2370627a4bcf56 or rewrite exploit.py to be compatible with the latest commit. Fill in the required information, like your device id and serial number in the config.py. Make sure have a valid ropgadget_addr.py with the needed gadgets addresses. Create a friend room in Mario Kart 8 and run do_memory_mapping.py. If everything went right, the game should restart. Create an other friend room in Mario Kart 8 and run run_codebin_loader_ropchain.py. If everything went right, the given payload should be executed. Technical details
    The exploit itself allows to abritrary 4 byte writes which is enough to get a (size limited) rop chain execution by carefully overriding a vtable. This allows us to remotely execute rop chain < ~1000 bytes. 1000 bytes are enough to create a new thread on the main core and implement a small TCP client which receives a bigger payload that will be copied into memory. With the help of a stack pivot this new (and bigger) rop chain can be executed. From now on it's possible execute a bigger rop chain (as long as it fits in one TCP packet) which can be used to:
    Perform a kernel exploit to get read/write with kernel priviliges Which is enough to restart the game with a different memory mapping, which allows modifcations of executable memory, effectively bypasing the NX-Bit. After the restart the exploit will be executed again with a different payload which copies a code.bin into memory and executes it. => This leads to: userland code execution with a usable kernel memcpy syscall (0x25) (for copying data with kernel priviliges). Credits
    Maschell: Ideas, testing, rop chain implementation, adding serveral rop gadgets, implementing all other rop chains NexoCube: Ideas, testing, rop chain implementation and creating the rop chain to load bigger one via TCP Kinnay: Discovery and initial implementation of the exploit
  20. CBHC

    Installing just Haxchi is perfectly safe and will give you simple channel access to other homebrew programs without the need of the browser exploit anymore.
    Installing CBHC though is FAR, FAR more dangerous but will allow coldboot into patched menu/homebrew.
    WARNING
    Please ONLY INSTALL THIS if you already have the normal Haxchi installed and know that it works perfectly, just install it over your existing Haxchi installation, again, DO NOT INSTALL IT from a freshly downloaded, never started/tested game or you may brick. Also ONLY INSTALL THIS IF THE DS VC IS BOUGHT FROM THE ESHOP ON THAT CONSOLE AND ON NAND AND YOU HAVE NO USB CONNECTED WHEN USING THE INSTALLER.
    If a new CBHC version comes out you can just run the installer again and let it overwrite the existing CBHC installation, same rules as on the first installation still apply.
    Infos
    Installing this will execute the DS VC of your choice directly on system boot - giving you a direct coldboot exploit, the features you have after installing it are explained down below.
    After installing it you better go ahead and set up some DNS server protection to block potential future system updates, while CBHC will fake the system version to 99.99.99 it still adds another safety factor just in case Disable standby for extra safety, again just in case NEVER try to delete/install over the DS VC you used to install since it is now basically your system menu so if you break it your console bricks too, there are several protections against overwriting, moving to usb and deleting, but you should still not try your luck and trigger that protection over and over again, just generally be smart about it, I am not responsible for your dead wiiu because of user error. Do NOT do a system format while CBHC is installed and autoboots your system or you will brick because you delete CBHC in the process Do NOT delete the user profile you used to buy the DS VC since that will make it not properly licensed anymore on your console. Also there still is a myth going around it will brick if you move its icon in the menu or put the icon into a folder; that is false and is perfectly safe as it is only a visual change in the system menu. Features
    Anyways, enough of that - what can this actually do when installed?
    It offers a basic menu from which you can boot into:
    The system menu which will get full signature and region patching and support this ftpiiu-everywhere version; CBHC comes with its own sysnand CFW included. You can boot into the .elf version of homebrew launcher. You can boot a fw.img or Mocha CFW on your sd card which could be useful for rednand and if you really need to connect to wupserver from a pc, but thats really only interesting as a developer. For pretty much anyone the system menu setting (which uses the included CBHC CFW) is enough, on top of that using Mocha or fw.img for sysnand can lead to bootup problems and takes far longer to boot so please just dont do it, I dont know how often I can repeat that point anymore. You can boot into the vWii system menu or the vWii homebrew channel, also if you hold down B on boot you will automatically boot into the vWii system menu as the menu originally did If after installing CBHC no menu pops up when you turn on your console then you may have run into the very rare case in which CBHC did not properly install and your Haxchi installation still runs, in this case just go back into the homebrew launcher and try installing it again.
    Autoboot
    If you want to automatically go to any of these options just enable the autoboot option for it.
    The menu controls are very simplistic, up/down to move the cursor and A to either select the option or change the autoboot option, you can control it using the gamepad or any wiimote, classic controller or wiiu pro controller OR if you are really desperate the the "sync" button on the console itself will work too - click once to move the cursor down and double click to simulate what A does normally.
    Once autoboot is set up you can easily cancel it by pressing the home/sync button while the "Autobooting..." message is shown to get back into the little menu and change your settings or launch something different from there.
    by FIX94.
  21. wudump

    Dump raw images from a wiiu game disc.
    Usage
    Download and run the .elf from homebrew launcher with a fat32 sd card/usb device or NTFS usb device inserted that has at least 23.3gb free.
    On fat32 devices the files will be dumped in 2gb parts, you will have to merge them yourself afterwards if you need the full game.wud. On NTFS devices it will be dumped into a single file.
    A full dump can take a little over one and a half hours.
    After it has been dumped the wud, common.key and game.key will be in a "wudump" folder on your sd card/usb device.
    Merging the wud parts on FAT32 devices
    This step is not needed, when the file was dumped to a ntfs device.
    To get the full game.wud with FAT32 devices you will have to merge them.
    If you are on windows you can use something like this for example to merge them into a game.wud on a "wudump" folder on your C drive from a cmd in the sd/usb folder:
    copy /b game_part1.wud + game_part2.wud + game_part3.wud + game_part4.wud + game_part5.wud + game_part6.wud + game_
    If you would just like to install your game using wupinstaller then grab wud2app.
    If you dont want to merge all .wud files you can put wud2app into a folder on your pc and run it from a cmd with the wudump folder path as argument, for example if the sd/usb folder happens to be in "P:\wudump\WUP-P-TEST" on windows you can just run wud2app like:
    wud2app "P:\wudump\WUP-P-TEST"
    If you do have all .wud files merged then put wud2app into the folder of the merged .wud and run it like run it like:
    wud2app common.key game.key game.wud Make sure to copy the common.key and game.key into that folder as well if you use that method.
    The folder it creates can just be installed by wupinstaller.
    by FIX94.
  22. 64Inject

    64Inject is a program that allows you to inject games into the Nintendo 64 virtual console of the Wii U. Focused on streamlining the testing of different combination of ROM, ".ini" configuration file and base game.
    Features
    Two modes of use, graphic and by commands. Contextual help and two languages, English and Spanish. Virtual console configuration, easily disable the dark filter, aspect ratio and display scale of the game. Simplify the incorporation of the ".ini" configuration file for the game. Support for ROM formats *.z64, *.n64, *.v64 and *.u64 Support images *.png, *.jpg and *.bmp The Title ID reflects if you have used the same combination of ROM, ".ini" configuration file and base game. Multiple options through the command window, you can define each thing or simply an input folder and an output folder, or combine.

    by phacoxcll.

  23. NKit

    NKit is a Nintendo ToolKit that can Recover and Preserve Wii and GameCube disc images
    Recovery is the ability to rebuild source images to match the known good images verified by Redump
    Preserve is the ability to shrink any image and convert it back to the source iso
    NKit can convert to ISO and NKit format. The NKit format is designed to shrink an image to it's smallest while ensuring it can be restored back to the original source data. NKit images are also playable by Dolphin
    by nanook.
  24. Ultimate Wii U Hack Script

    This is a set of batch scripts that automate many things.
    Features
    Wiivc Injector Script
    Injection of Wii games, Gamecube, Wii homebrews and Wiivc Chan Booter thanks to a modified version of Wiivc Injector Script 2.2.6. Backup, restore and reset various parameters. Create a blacklist to prevent an injection from having the same Title ID. Injectiine
    Injection of games NES, SNES, GBA, N64 and NDS thanks to a modified version of Injectiine. Backup, restore and reset various parameters. Create a blacklist to prevent an injection from having the same Title ID. Other features
    Installation of required elements while using scripts (Java 8). Set up the necessary files for the basic Wii U hack, the v-wii hack, the Haxchi installation or the CBHC installation. For more information, see this page of the documentation. Creation of a web server to host the browser exploit locally for system versions 5.5.0, 5.5.1 and 5.5.2 of the Wii U. Unbrick the V-wii part, see this page of the documentation for more information. Block or allow the console firmware update by deleting / restoring the correct folder via Wup_server, see this page for more information on the changed folder. Known bugs:
    The injection of a game via Wiivc Injector Script will crash or give a game that does not work if it is run from a medium formatted in FAT, FAT16 or FAT32. This problem can not be corrected because a temporary file is obligatorily more than 4 GB during the injection and therefore poses a problem on media formatted in FAT, FAT16 or FAT32. Using quotation marks or exclamation points in user input causes the script to crash. When a console output made by an "echo" is performed, this produces an error in the log file. The UTF-8 encoding seems to be the cause of this problem but I have not found how to solve it for now. In Wiivc Injector Script, if the Wii game is splited (except for "wbfs" files) and its path or name contains an accent or any other symbols refused by Wit, the script will not work, even with the attempted fix. errors. For now, the script for extracting the MLC dump from Wii U nand does not allow extraction to a folder in a path with spaces and is forced to manipulate files that should not not be necessary but Wfs-extract does not seem to want paths with spaces, I'm looking for a solution. Credits:
     
    There is really too much to thank for all the projects included in this script but I thank each contributor of these projects because without them this script could not even exist (some are credit in the documentation). I also thank all those who help me to test the scripts and those who suggest me new features.
    by shadow2560.
  25. JsTypeHax

    It loads WiiU Homebrew Launcher, I successfully haxchied a 5.5.2 ;)
    Currently in beta test, you can follow this guide to use it:
    Prepare the needed files
    Prepare your FAT32 SD card with Homebrew launcher, and preferably Haxchi installer to get a persistent and more stable entry point for homebrew.Extract the homebrew launcher 1.4 on your SD card. 
    sd:/wiiu/apps/homebrew_launcher/homebrew_launcher.elf
    If you plan to install Haxchi, be sure you already have a compatible NDS game installed on NAND. Prepare any other homebrew you want to use, for example Homebrew App Store. Find a web host or create your own
    Visit a website hosting it, like http://dlae.life/, http://wiiu.insanenutter.com, http://www.wiiubru.com/x or http://u.drg.li/ or host the sources on your computer. If it's on your computer, you need python installed, and launch "startServer.bat" on windows, or use any other webserver you want. Run the browser hack on WiiU
    Clear your browser's data, launch the browser again. Open the server's URL in your browser, or your computer's IP if you are hosting it yourself. select Exploit If it freezes, shutdown and try this step again. It can be quick if you are lucky, or taking hours of retries... If it works, use that opportunity to install haxchi, it will be more stable. Note: As it is still in beta test phase, http://u.drg.li/ is hosting different versions of that exploit. You should prefer it over other currently available web hosts, and select exploits from delta 0 to 4 until one works (2 seems to be the one is working the most).
    If your screen goes grey-white but your console freezes, that's the correct delta, so keep trying that exploit number.
    by JmpCallPoo.

×
×
  • Crear nuevo...