46 files

  1. 64Inject

    64Inject is a program that allows you to inject games into the Nintendo 64 virtual console of the Wii U. It is focused on streamlining the testing of different combinations of ROM, ".ini" configuration file and base game.
    Features
    - Two modes of use, graphic and by commands.
    - Contextual help and two languages, English and Spanish.
    - Virtual console configuration, easily disable the dark filter, aspect ratio and display scale of the game.
    - Simplify the incorporation of the ".ini" configuration file for the game.
    - Support for ROM formats *.z64, *.n64, *.v64 and *.u64
    - Support images *.png, *.jpg and *.bmp
    - The Title ID reflects if you have used the same combination of ROM, ".ini" configuration file and base game.
    - Multiple options through the command window, you can define each thing or simply an input folder and an output folder, or combine.

    by phacoxcll.

  2. Aroma

    Aroma is a collection of tools for using homebrew on the Wii U.
    Features
    Aroma's tools, modules and plugins are modular, which means features can easily be added or removed.
    A default Aroma instance comes with the following features:
    - Compatibility with the latest firmware (5.5.5/5.5.6).
    - Free and persistent entry point (including an installer + coldboot option)
    - Compatible with existing entry points (browser exploit)
    - Easy setup and updates: just copy the files to the SD card.
    - Built-in support for modules
    - Built-in integration of the Wii U plugin system
    - All modules and plugins use a separate memory heap to improve stability
    - Plugins and homebrew applications can be used at the same time.
    Usage
    - Extract the files to the root of your SD card
    - Start the environment via the EnvironmentLoader. You may need to hold X while launching the EnvironmentLoader to force the menu to open.
    Aroma is an application created by Maschell.
  3. Bloopair

    Bloopair allows connecting controllers from other consoles like native Wii U Pro Controllers on the Wii U, by temporarily applying patches to the IOS-PAD module responsible for Bluetooth controller connections.
    Features
    - Connect up to 4 controllers wirelessly via Bluetooth
    - Rumble support
    - Battery levels
    Supported controllers
    - Nintendo Switch Pro Controller
    - Nintendo Switch Joy-Con
    - Microsoft Xbox One S / X Controller
    - Sony DualSense Controller
    Installation
    Download the application and extract it to the root directory of the SD card.
    Usage
    - Run Bloopair from the Wii U Homebrew Launcher
    - Once launched, the Wii U Menu should open
    - Once back in the Wii U Menu, press the SYNC button on your console and controller
    - Wait until the controller is connected
    - If a controller had been paired in the past, just turn it on again and it should reconnect.
    After rebooting the console or exiting System Settings, relaunch Bloopair.
    Application created by GaryOderNichts.
  4. BluuBomb

    BluuBomb is an exploit for the Wii U that takes advantage of the Bluetooth stack to gain IOSU kernel access via Bluetooth.
    Not to be confused with BlueBomb, which is for the Wii and Wii Mini.
    Requirements
    - A Wii U capable of pairing with a Wii Remote
    - A PC with Bluetooth
    - A PC or a virtual machine running a version of Linux capable of running a custom build of BlueZ.
    How to use
    1. Run sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev to install the required dependencies.
    2. Download Wiimote Emulator.
    3. Run source ./build-custom.sh to build BlueZ. Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps.
    4. Stop the already running bluetooth service: sudo systemctl disable --now bluetooth
    5. Run the custom built bluetoothd: sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n
    6. Download the bluubomb from here (kernel binaries included).
    7. Make the bluubomb file executable by running sudo chmod +x bluubomb.
    8. Power on the Wii U and press the sync button.
    9. Run sudo ./bluubomb arm_kernel.bin and wait for the pairing process to complete. This might take a minute. If you get a warning about Simple Pairing mode, read the Simple Pairing mode section below.
    10. Write down the Wii U's bd address that should be displayed after the pairing is complete.
    You can now run sudo ./bluubomb arm_kernel.bin <bdaddr here> to connect directly to the Wii U and skip the pairing process.
    Kernel binaries
    - arm_kernel_loadfile: Launches a launch.rpx from the root of your SD card on the next application launch.
    - arm_kernel_fw_launcher: Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings).
    - arm_kernel_region_free: Applies IOSU patches to temporarily remove region restrictions. This should be helpful if you've locked yourself out of your applications due to permanent region modifications.
    Simple Pairing mode
    On some devices the simple pairing mode can't be disabled by bluubomb. You can check the current Simple Pairing mode by running hciconfig hci0 sspmode. Make sure it says Simple Pairing mode: Disabled. If not, run sudo hciconfig hci0 sspmode disabled and sudo hciconfig hci0 reset. Then check the mode again.
    BluuBomb was created by GaryOderNichts.
  5. CBHC

    Installing just Haxchi is perfectly safe and will give you simple channel access to other homebrew programs without the need of the browser exploit anymore.
    Installing CBHC though is FAR, FAR more dangerous but will allow coldboot into patched menu/homebrew.
    WARNING
    Please ONLY INSTALL THIS if you already have the normal Haxchi installed and know that it works perfectly, just install it over your existing Haxchi installation, again, DO NOT INSTALL IT from a freshly downloaded, never started/tested game or you may brick. Also ONLY INSTALL THIS IF THE DS VC IS BOUGHT FROM THE ESHOP ON THAT CONSOLE AND ON NAND AND YOU HAVE NO USB CONNECTED WHEN USING THE INSTALLER.
    If a new CBHC version comes out you can just run the installer again and let it overwrite the existing CBHC installation, same rules as on the first installation still apply.
    Infos
    Installing this will execute the DS VC of your choice directly on system boot - giving you a direct coldboot exploit, the features you have after installing it are explained down below.
    - After installing it you better go ahead and set up some DNS server protection to block potential future system updates, while CBHC will fake the system version to 99.99.99 it still adds another safety factor just in case
    - Disable standby for extra safety, again just in case
    - NEVER try to delete/install over the DS VC you used to install since it is now basically your system menu so if you break it your console bricks too, there are several protections against overwriting, moving to usb and deleting, but you should still not try your luck and trigger that protection over and over again, just generally be smart about it, I am not responsible for your dead wiiu because of user error.
    - Do NOT do a system format while CBHC is installed and autoboots your system or you will brick because you delete CBHC in the process
    - Do NOT delete the user profile you used to buy the DS VC since that will make it not properly licensed anymore on your console.
    Also there still is a myth going around it will brick if you move its icon in the menu or put the icon into a folder; that is false and is perfectly safe as it is only a visual change in the system menu.
    Features
    Anyways, enough of that - what can this actually do when installed?
    It offers a basic menu from which you can boot into:
    - The system menu which will get full signature and region patching and support this ftpiiu-everywhere version; CBHC comes with its own sysnand CFW included.
    - You can boot into the .elf version of homebrew launcher.
    - You can boot a fw.img or Mocha CFW on your sd card which could be useful for rednand and if you really need to connect to wupserver from a pc, but that's really only interesting as a developer. For pretty much anyone the system menu setting (which uses the included CBHC CFW) is enough, on top of that using Mocha or fw.img for sysnand can lead to bootup problems and takes far longer to boot so please just don't do it, I don't know how often I can repeat that point anymore.
    - You can boot into the vWii system menu or the vWii homebrew channel, also if you hold down B on boot you will automatically boot into the vWii system menu as the menu originally did
    If after installing CBHC no menu pops up when you turn on your console then you may have run into the very rare case in which CBHC did not properly install and your Haxchi installation still runs, in this case just go back into the homebrew launcher and try installing it again.
    Autoboot
    If you want to automatically go to any of these options just enable the autoboot option for it.
    The menu controls are very simplistic, up/down to move the cursor and A to either select the option or change the autoboot option, you can control it using the gamepad or any wiimote, classic controller or wiiu pro controller OR if you are really desperate the "sync" button on the console itself will work too - click once to move the cursor down and double click to simulate what A does normally.
    Once autoboot is set up you can easily cancel it by pressing the home/sync button while the "Autobooting..." message is shown to get back into the little menu and change your settings or launch something different from there.
    by FIX94.
  6. CDecrypt

    Windows application that lets us decrypt the contents of NUS files.
  7. DiscU

    A Windows Tool that can Extract and Decrypt Wii U Game Images in WUD Format
    New in this Release:
    - Fixes wrong IV in sys part
    - Adds content extraction for WUP install
    - Few other minor changes & fixes.
  8. Dumpling

    Dumpling is a simple and complete file dumper for the Wii U. It was developed with the intent of making the dumping of games and other files (for emulators like Cemu) faster and easier.



    Main features
    - Dumps everything related to your games! The game, updates, DLC and saves are dumped through a simple graphical user interface.
    - Dumps both disc and digital games in an extracted format, making modding and use with Cemu easier.
    - Creates 1:1 copies of the data with the proper metadata.
    - Allows dumping to an SD card or USB drive (must be formatted as FAT32).
    - Also allows dumping system applications.
    - Feature to quickly dump everything needed to play online with Cemu, including the otp.bin and the seeprom.bin!
    - Also dumps extra compatibility files for Cemu when dumping online files.
    - Has features to dump the base game, the update, the DLC and the save files separately.
    - Now also allows easily dumping vWii games (requires nfs2iso2nfs to convert vWii games to .iso).
    How to install
    Download the file from right here, unzip it and copy the contents to the root folder of the SD card.
    How to use
    You don't need to run/have Mocha CFW or Haxchi, just launch Dumpling from the Homebrew Launcher.
    Dumpling is an application created by Crementif.
  9. FF Viewer Legacy

    Allows you to edit .ff Files or Mod Menus!!!!

    This works for all .FF Files including for Wii COD Games.
    by ShadowTheAmazing.
  10. fuse-wiiu

    fuse-wiiu is an easy way to extract data from Wii U titles in various formats. It's compatible with:
    - Title in the installable format (.tmd, .app, .h3 etc.)
    - Multiple versions of a title in the installable format (.tmd, .app, .h3 etc.)
    - Wii U disc images (WUD, WUX and split WUD), including kiosk discs
    fuse-wiiu requires Java 8 and a fuse implementation that's compatible with your OS and CPU architecture.
  11. Haxchi

    This is the continuation of the POC Haxchi exploit by smea.
    It features compatibility with a lot of DS VC and can be easily installed and further configured.
    Installation
    Just extract the contents of it onto your sd card. The "haxchi" folder right now just consists of a simple replacement icon, logo and replacing the game title with "Haxchi", its example config.txt will boot homebrew launcher by default and a fw.img on your sd card when holding A. For a full list of all compatible buttons that you can use for the config.txt go here.
    The content of this haxchi folder can be changed to your liking - if you want to you can also add in an alternative bootSound.btsnd to replace the original startup sound which I did not do in this example haxchi folder.
    After setting up the content to your liking all you have to do is run the Haxchi Installer in homebrew launcher, select the game you want to install it on and that is it! If you ever want to make changes to the content folder it installed to then just re-run the Haxchi Installer and install it again, you don't have to reinstall the game beforehand, it'll just overwrite the previous haxchi installation with your new data.
    Please note, this will ONLY WORK WITH DS VC GAMES ON NAND, if you have a ds vc game on USB you want to use then please move it to your NAND first and ideally detach your usb device before using this installer .elf, if you don't remove your usb devices it may freeze up on exiting or not install properly.
    This also ONLY LOADS THE .ELF VERSION OF THE HOMEBREW LAUNCHER which as of right now is v1.4 so make sure to keep that on your sd card or you will just get error -5 when starting your haxchi channel. Once you are in the homebrew launcher it is also perfectly compatible with loading .rpx files, you just can't use haxchi itself to load .rpx files.
    Credits
    smea, plutoo, yellows8, naehrwert, derrek, FIX94 and dimok
    by FIX94.
  12. Homebrew App Store

    Description
    Homebrew App Store allows you to download homebrew apps for HBL directly in the app. Installed apps can also be reinstalled, updated, or deleted. It is an attempt at a poor man's Cydia for Wii U!
    Apps featured within HBAS are made by other homebrew developers. If anyone takes an issue with their work being distributed in this manner, contact the respective repository owner.
    Although "store" is in the name, the apps within are all free. If a specific homebrew developer wants to charge for their app, they would have to do so outside of HBAS. The name just refers to the concept of an App Store.
    Requirements
    - Internet connection
    - SD card
    - A way to run HBL (see stickies)
    How to Use
    Unzip the "appstore" folder from the zip at the above download link. This is the bundled HBAS app. Place this folder inside the /apps/wiiu/ folder on your SD card. After this, run HBL and select it from the menu.
    Once the app launches, press A or touch the screen to dismiss the splash screen. You can scroll with either stick, the D-pad or the touch screen. To download an app, touch its icon and choose "GET".
    Guide:
    - LOCAL - An app that is only on your SD card
    - INSTALLED - An app on your SD card and the server
    - UPDATE - An app on your SD card and the server, with a different version number
    - GET - An app only on the server
    Changelog
    It's been a while, but here's the second release of the HBAS!
    In particular, the 1.5 release seeks to address major crashing/freezing issues as well as a way to help sift through the growing number of apps on the store.
    There are a lot of much needed changes in this build:
    - Icons are cached and no longer load asynchronously (#20 and #6)
    - Categories added based on web frontend (#13)
    - App loading restructured, more Stability™ (#14)
    - "Random" button added to help discover new apps
    - App re-themed to mimic the new wiiubru.com
    - Elf is 35% smaller
    - Minor text fixes
  13. JsTypeHax

    It loads WiiU Homebrew Launcher, I successfully haxchied a 5.5.2 ;)
    Currently in beta test, you can follow this guide to use it:
    Prepare the needed files
    - Prepare your FAT32 SD card with Homebrew launcher, and preferably Haxchi installer to get a persistent and more stable entry point for homebrew.
    - Extract the homebrew launcher 1.4 on your SD card:
      sd:/wiiu/apps/homebrew_launcher/homebrew_launcher.elf
    - If you plan to install Haxchi, be sure you already have a compatible NDS game installed on NAND.
    - Prepare any other homebrew you want to use, for example Homebrew App Store.
    Find a web host or create your own
    Visit a website hosting it, like http://dlae.life/, http://wiiu.insanenutter.com, http://www.wiiubru.com/x or http://u.drg.li/ or host the sources on your computer. If it's on your computer, you need python installed, and launch "startServer.bat" on windows, or use any other webserver you want.
    Run the browser hack on WiiU
    - Clear your browser's data, launch the browser again.
    - Open the server's URL in your browser, or your computer's IP if you are hosting it yourself.
    - Select Exploit.
    - If it freezes, shut down and try this step again. It can be quick if you are lucky, or take hours of retries...
    - If it works, use that opportunity to install haxchi, it will be more stable.
    Note: As it is still in beta test phase, http://u.drg.li/ is hosting different versions of that exploit. You should prefer it over other currently available web hosts, and select exploits from delta 0 to 4 until one works (2 seems to be the one that is working the most).
    If your screen goes grey-white but your console freezes, that's the correct delta, so keep trying that exploit number.
    by JmpCallPoo.
  14. JWUDTool

    Here is just a simple program that uses the Jnuslib. The usage should be pretty self-explanatory.
    STILL EXPERIMENTAL. Bugs may occur, please report them!
    Features
    - Compressing .wud and split wud files into .wux
    - Decompressing a .wux back to .wud
    - Extracting from the GI or GM partition
    - Extracting .app/-h3/.tmd/.cert/.tik files from a .wud/.wux or split .wud
    - Extracting just the contents/hashes/ticket.
    - Decrypting the full game partition from a .wud/.wux or split .wud
    - Decrypting specific files of the game partition from a .wud/.wux or split .wud
    - Verify an image / Compare two images (for example a .wud with .wux to make sure it's legit)
    Usage
    Optional:
    - Copy the common.key into the folder next to the .jar or provide the key via the command line
    - Copy the game.key into the folder next to the wud image or provide the key via the command line
        usage:
         -commonkey <WiiU common key>          Optional. HexString. Will be used if no "common.key" in the folder of this .jar is found
         -dev                                  Required when using discs without a titlekey.
         -compress                             Compresses the input to a .wux file.
         -decompress                           Decompresses the input to a .wud file.
         -decrypt                              Decrypts full the game partition of the given wud.
         -decryptFile <regular expression>     Decrypts files of the game partition that match the regular expression of the given wud.
         -extract <all|content|ticket|hashes>  Extracts files from the game partition of the given wud (Arguments optional)
         -help                                 shows this text
         -in <input file>                      Input file. Can be a .wux, .wud or a game_part1.wud
         -noVerify                             Disables verification after (de)compressing
         -out <output path>                    The path where the result will be saved
         -overwrite                            Optional. Overwrites existing files
         -titlekey <WUD title key>             Optional. HexString. Will be used if no "game.key" in the folder of the wud image is found
         -verify <wudimage1|wudimage2>         Compares two WUD images to find differences
    Examples
    Getting .app files from a Wii U image:
    Extract .app etc. from a WUD:
    Get .app files from "game.wud" to the folder "extracted" with game.key in the same folder
        java -jar JWUDTool.jar -in "game.wud" -out "extracted" -extract all
    Extract .app etc. from a WUX (compressed WUD):
    Get .app files from "game.wux" to the folder "extracted" with game.key in the same folder
        java -jar JWUDTool.jar -in "game.wux" -out "extracted" -extract all
    Extract .app etc. from a split WUD (dump with wudump):
    Get .app files from "game_part1.wud" to the folder "extracted" with game.key in the same folder
        java -jar JWUDTool.jar -in "game_part1.wud" -out "extracted" -extract all
    Compressing into .wux examples:
    Compress a .wud to .wux:
    Compress a "game.wud" to "game.wux"
        java -jar JWUDTool.jar -in "game.wud" -compress
    Compress a split game_part1.wud to .wux:
    Compress a "game_part1.wud" from a wudump dump to "game.wux"
        java -jar JWUDTool.jar -in "game_part1.wud" -compress
    Decryption game files examples:
    Decrypt a WUD image to game files
    Input can be a .wud, game_part1.wud or a .wux. This decrypts the full game partition. Given a game.key and common.key in the same folder.
        java -jar JWUDTool.jar -in "game.wud" -decrypt //WUD
        java -jar JWUDTool.jar -in "game.wux" -decrypt //WUX
        java -jar JWUDTool.jar -in "game_part1.wud" -decrypt //game_part1
    Decrypt a single file from a WUD
    Input can be a .wud, game_part1.wud or a .wux. This decrypts the full game partition. Given a game.key and common.key in the same folder.
    Extracting the code/app.xml file.
        java -jar JWUDTool.jar -in "game.wud" -decryptFile /code/app.xml
        java -jar JWUDTool.jar -in "game.wux" -decryptFile /code/app.xml
        java -jar JWUDTool.jar -in "game_part1.wud" -decryptFile /code/app.xml
    Extracting all .bfstm files.
        java -jar JWUDTool.jar -in "game.wud" -decryptFile /.*.bfstm
        java -jar JWUDTool.jar -in "game.wux" -decryptFile /.*.bfstm
        java -jar JWUDTool.jar -in "game_part1.wud" -decryptFile /.*.bfstm
    Extracting the folder /content/Sound
        java -jar JWUDTool.jar -in "game.wud" -decryptFile /content/Sound/.*
        java -jar JWUDTool.jar -in "game.wux" -decryptFile /content/Sound/.*
        java -jar JWUDTool.jar -in "game_part1.wud" -decryptFile /content/Sound/.*
    Compiling
    clean assembly:single package
    Credits
    Maschell
    Thanks to:
    Crediar for CDecrypt
    All people who have contributed to vgmtoolbox
    Exzap for the .wux file format
    FIX94 for wudump
    The creators of lombok.
  15. Loadiine

    RPX/RPL and File Replacement Tool.
    - 1......Requirements 
    - 2......How to Use 
    - 3......Preparing the SD Card 
    /******************************************************************************/
    /*                              Requirements                                  */
    /******************************************************************************/
    - Wii U FW 5.3.2
    - SD(HC) Card
    - Super Smash Bros for Wii U (Disc or EShop version) - optional but may be needed for some games
    /******************************************************************************/
    /*                               How to Use                                   */
    /******************************************************************************/
    - 1. Setup your SD Card (see below)
    - 2. In the Internet Browser, launch the included kernel exploit (www/kexploit)
    (You need a modified kernel exploit that sets 0xA0000000 virtual memory range to 0x10000000 physical memory address)
    - 3. Relaunch the Internet Browser
    - 4. Insert your SD Card into the Wii U, if it's not already done.
    - 5. Launch loadiine (www/loadiine)
        - Press A to install loadiine
       or
        - Press X to install loadiine with server enabled (use it for debug purpose, the server must be running before pressing X).
    - 6. The loadiine menu should open. Now, Select your App/Game using the D-Pad.
        - Press A to use Smash Bros mode and launch directly the disk
            - Note : auto-launch does not work for everyone, launch manually Smash Bros instead
            - Note : if you are using Smash Bros EShop version, press Y instead, it returns to Home Menu, then launch Smash Bros.
       or
        - Press X to use Mii Maker mode (Smash Bros disk is not needed)
            - The game should start
    - 7. Enjoy
    - Note: When exiting the Game/Application, you must relaunch the Mii Maker and select the game again.
            If you don't, launching Super Smash Bros will result in a crash.

    /******************************************************************************/
    /* Preparing the SD Card / How to add a Game or Application                   */
    /******************************************************************************/
    Note: You may add multiple Games/Applications, but ALL STEPS are REQUIRED
    -------------------------------------------------------------------------------
    Setting Up RPX/RPL and Data Files
    1. Create a folder named "wiiu" in the root of the SD Card.
        - ex : SDCARD/wiiu
    2. In "wiiu", create another folder named "games"
        - ex : SDCARD/wiiu/games
    3. In "games", create a new folder with the name of your app
        - ex : SDCARD/wiiu/games/MyApplication/
    4. Copy the "code" folder of your app/game inside your application folder (with rpx, rpl and xml files)
        - ex : SDCARD/wiiu/games/MyApplication/code/my_application.rpx
        - ex : SDCARD/wiiu/games/MyApplication/code/my_application_library.rpl
        - ex : SDCARD/wiiu/games/MyApplication/code/app.xml
        - ex : SDCARD/wiiu/games/MyApplication/code/cos.xml
        - note : if you don't have the xml files, loadiine will try to use default values instead
    5. Copy the "content" folder of your app/game inside your application folder
        - ex : SDCARD/wiiu/games/MyApplication/content/...
        - ex : H:/MyApplication/vol/content/data.bin -> SDCARD/wiiu/games/MyApplication/content/data.bin
        - ex : H:/MyApplication/vol/content/datab/datab.bin -> SDCARD/wiiu/games/MyApplication/content/datab/datab.bin
    Note : Do not rename RPX and RPL files
    -------------------------------------------------------------------------------
    Summary
    Your file structure should look like this if the above information was used :
    - SDCARD/wiiu/games/MyApplication/code/my_application.rpx
    - SDCARD/wiiu/games/MyApplication/code/*.rpl [only if application contains .rpl files]
    - SDCARD/wiiu/games/MyApplication/code/app.xml
    - SDCARD/wiiu/games/MyApplication/code/cos.xml
    - SDCARD/wiiu/games/MyApplication/content/[content files/folders]

    /******************************************************************************/
    /* Limitations :                                                              */
    /******************************************************************************/
    - The total size of each RPX and RPL files must be less than 65.7 MB (tested up to 47.3 MB)
    - Don't go in the wiiu settings it breaks everything

    /******************************************************************************/
    /* Notes :                                                                    */
    /******************************************************************************/
    - If you have problems with saves, try deleting your Smash Bros saves.

    /******************************************************************************/
    /* Special thanks :                                                           */
    /******************************************************************************/
    - To everyone involved in libwiiu and webkit/kernel exploit !
    - To the testers !

    Feel free to modify and improve this software.
    Golden45.
    Dimok.
     
  16. Loadiine GX2

    Loadiine is a WiiU homebrew. It launches WiiU game backups from SD card. Its Graphical User Interface is based on the WiiU GX2 graphics engine.
    Credits
    - Dimok
    - Cyan
    - Maschell
    - n1ghty
    - dibas
    - The anonymous graphics dude (he knows who is meant)
    - and several more contributors
  17. Mario Kart 8 Exploit

    An implementation of the Mario Kart 8 exploit which allows arbitrary userland code execution and read/write with kernel permissions.
    Preparation
    Before using the ROP-chain, some files need to be generated, you can do it with make.
    The makefile expects some binaries/files.
    - Download RPX Gadget Finder (requires Java)
    - tmp/550/coreinit.rpl from 00050010-1000400A OSv10 v15702
    - tmp/550/gx2.rpl from 00050010-1000400A OSv10 v15702
    - tmp/Turbo.rpx the binary of the Mario Kart 8 version you want to exploit (only tested with EUR v64)
    When you have all needed files, you can use make.
    On success, you can now find the following files:
    - ropgadget_addr.py
    The default ropgadget_addr.py can be used with the EUR V64 of Mario Kart on EUR 5.5.x consoles.
    Usage
    1. Download Nintendo Clients. Checkout commit d044b3f9717e096862517b060c2370627a4bcf56 or rewrite exploit.py to be compatible with the latest commit.
    2. Fill in the required information, like your device id and serial number in the config.py.
    3. Make sure you have a valid ropgadget_addr.py with the needed gadget addresses.
    4. Create a friend room in Mario Kart 8 and run do_memory_mapping.py. If everything went right, the game should restart.
    5. Create another friend room in Mario Kart 8 and run run_codebin_loader_ropchain.py. If everything went right, the given payload should be executed.
    Technical details
    The exploit itself allows arbitrary 4-byte writes, which is enough to get a (size limited) rop chain execution by carefully overriding a vtable. This allows us to remotely execute a rop chain < ~1000 bytes. 1000 bytes are enough to create a new thread on the main core and implement a small TCP client which receives a bigger payload that will be copied into memory. With the help of a stack pivot this new (and bigger) rop chain can be executed. From now on it's possible to execute a bigger rop chain (as long as it fits in one TCP packet) which can be used to:
    - Perform a kernel exploit to get read/write with kernel privileges
    - Which is enough to restart the game with a different memory mapping, which allows modifications of executable memory, effectively bypassing the NX-Bit.
    - After the restart the exploit will be executed again with a different payload which copies a code.bin into memory and executes it.
    => This leads to: userland code execution with a usable kernel memcpy syscall (0x25) (for copying data with kernel privileges).
    Credits
    - Maschell: Ideas, testing, rop chain implementation, adding several rop gadgets, implementing all other rop chains
    - NexoCube: Ideas, testing, rop chain implementation and creating the rop chain to load bigger one via TCP
    - Kinnay: Discovery and initial implementation of the exploit
  18. Mario Kart 8 Exploit Payload

    This is an example payload for the Mario Kart 8 Exploit. It simply copies a given statically linked payload (main_hook/main_hook.elf) into memory and executes it.
    Usage
    This payload is meant to be used with Mario Kart 8 Exploit, an exploit for the Wii U (tested with latest european version of the game, v64 on EU Wii U with 5.5.4). Copy the created code.bin into the Mario Kart 8 Exploit folder and run the exploit according to the README. Read the README of the repository for more information.
    The game will switch to Mii Maker and run your main_hook.elf. From now on your payload will be loaded every time you switch to another application.
    Overwrite the address 0x0101c56c (our main entry hook) with 0x4E800421 (= bctrl) to override this behaviour. Note: This address is not writeable from user/kernel, you need to either set up a DBAT or disable memory translation temporarily. When disabling the memory translation, make sure to use physical addresses, OSEffectiveToPhysical might help there.
    Building
    Place a project with a Makefile that creates a main_hook.elf into a subfolder /main_hook. Using a .elf directly requires changes to the Makefile. This repository provides a generic .elf as submodule, see its README for detailed information and usage.
    Clone via git clone --recursive URL.
    In order to be able to compile this, you need to have installed devkitPPC with the following pacman packages installed.
        pacman -Syu devkitPPC
    Make sure the following environment variables are set:
        DEVKITPRO=/opt/devkitpro
        DEVKITPPC=/opt/devkitpro/devkitPPC
    The command make should produce a code.bin, meant to be used with Mario Kart 8 Exploit.
    Technical details
    This payload expects:
    - To be run inside the Mii Maker
    - The syscall 0x25 to be a memcpy with kernel privileges
    This payload does:
    - A small function to modify IBAT0 is copied to kernel space and registered as syscall 0x09. The declaration of this function is extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);.
    - Copies the embedded main_hook.elf to the address where it is statically linked to. Currently these sections are supported: .text, .rodata, .data and .bss. In theory this could be placed anywhere, but keep in mind that the memory area may be cleared (like the codegen area, or the whole heap), and needs to be executable in user mode (even after switching the application). Due to size limits it needs to be somewhere between 0x011DD000...0x011DE200 or in a completely different region (0x011DE200...0x011E0000 is used by this payload).
    - Afterwards the main entry hook is set up to jump to this position on every application switch. You also may have to modify this if the jump turns out to be too big.
    - The entrypoint of the main_hook.elf will be called directly as we are already in Mii Maker.
    What this payload offers to the loaded .elf
     
    The loaded main_hook.elf can expect:
    - To be called every time the application switches. (Mii Maker has SD access!)
    - Syscall 0x09 to be available. Declaration: extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower); , call via asm. This function can be used to set IBAT0 to allow the kernel to execute newly created syscalls (the kernel has for example no access to 0x011DD000...0x011E0000).
    - Syscall 0x34 (kern_read) and 0x35 (kern_write) to be available. Use the following functions to use them:

        #include <stdint.h>

        /* Read a 32-bit word with kernel permissions */
        uint32_t __attribute__ ((noinline)) kern_read(const void *addr)
        {
            uint32_t result;
            asm volatile (
                "li 3,1\n"
                "li 4,0\n"
                "li 5,0\n"
                "li 6,0\n"
                "li 7,0\n"
                "lis 8,1\n"
                "mr 9,%1\n"
                "li 0,0x3400\n"
                "mr %0,1\n"
                "sc\n"
                "nop\n"
                "mr 1,%0\n"
                "mr %0,3\n"
                :    "=r"(result)
                :    "b"(addr)
                :    "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
                "11", "12"
            );
            return result;
        }

        /* Write a 32-bit word with kernel permissions */
        void __attribute__ ((noinline)) kern_write(void *addr, uint32_t value)
        {
            asm volatile (
                "li 3,1\n"
                "li 4,0\n"
                "mr 5,%1\n"
                "li 6,0\n"
                "li 7,0\n"
                "lis 8,1\n"
                "mr 9,%0\n"
                "mr %1,1\n"
                "li 0,0x3500\n"
                "sc\n"
                "nop\n"
                "mr 1,%1\n"
                :
                :    "r"(addr), "r"(value)
                :    "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
                "11", "12"
            );
        }
    Credits
    - orboditilt: Putting everything together.
    - dimok789: This is based on the Wii U Homebrew Launcher.
    by wiiu-env.
  19. Mario Kart 8 primary userland exploit for the WiiU

    Actual implementation (base ROP chain to ACE) of the exploit Kinnay found in the WiiU version of Mario Kart 8. Running this will boot the homebrew launcher.
    Requirements
    - A WiiU
    - Two NNIDs logged into your WiiU
    - A computer on the same network as the console
    README, for real
    - The exploit may not work on the first try (~85% success rate)
    - Do not run any homebrew using memory before launching MK8 (like TCPGecko, Cafiine or Diibugger)
    How to use
    - Edit exploit.py and fill in your Nintendo Network IDs + console information
    - Edit main_exploit.py and edit the local computer IP
    - Run make to build the payload0 binary (you need devkitPro + devkitPPC)
    - Go on your WiiU, log on the victim NNID
    - Open MK8, go online and host a private match, stay in the "earth menu", make sure you're alone in the room
    - Start stage0.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER
    - Wait for the game to reboot and rehost a private match, stay in the "earth menu", make sure you're alone in the room
    - Start stage1.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER
    - It should open the HOME Menu, return to the WiiU Menu, and tadaa, magic, you're on the HBL
    Credits
    - Kinnay for the Nintendo Clients library that allows us to communicate with NEX game servers and its protocols.
    - Maschell for working with me on this exploit (and being as addicted as I was doing this), there was a lot of co-operation
    - Rambo6Glaz / NexoCube / TheBrick for working on this, and all the chains here.
    - wiiu-env for the payload_loader that's inside payload0/main_hook.h
    by NexoDevelopment.
  20. Nintendont

    A Wii homebrew project to play GameCube games on Wii and vWii on Wii U
    Features:
    - Works on Wii and Wii U (in vWii mode)
    - Full-speed loading from a USB device or an SD card.
    - Loads 1:1 and shrunken .GCM/.ISO disc images.
    - Loads games as extracted files (FST format).
    - Loads CISO-format disc images. (uLoader CISO format)
    - Memory card emulation
    - Audio playback via disc audio streaming
    - Bluetooth controller support (Classic Controller (Pro), Wii U Pro Controller)
    - HID controller support via USB
    - Custom button layout when using HID controllers
    - Cheat code support
    - Changeable configuration of various settings
    - Reset/power off via button combo (R + Z + Start) (R + Z + B + D-Pad Down)
    - Advanced video mode patching, force progressive and force 16:9 widescreen
    - Auto boot from the loader
    - Disc switching
    - Uses the official Nintendo GameCube controller adapter
    - BBA emulation (see the BBA Emulation Readme)
    Features: (Wii only)
    - Disc playback
    - Play backups from writable DVDs (old Wii only)
    - Uses real memory cards
    - GBA-Link cable
    - WiiRd
    - Allows use of the Nintendo GameCube microphone
    What Nintendont will never support
    - Game Boy Player
    Quick installation:
    - Get the loader.dol file from right here, rename it to boot.dol and put it in /apps/Nintendont/ along with the meta.xml and icon.png files.
    - Copy your GameCube games to the /games/ directory. Subdirectories are optional for 1-disc games in ISO/GCM and CISO format. For 2-disc games, you must create a subdirectory /games/MYGAME/ (where MYGAME can be anything), then name disc 1 "game.iso" and disc 2 "disc2.iso". For extracted FSTs, the FST must be located in a subdirectory, for example /games/FSTgame/sys/boot.bin .
    - Connect your storage device to your Wii or Wii U and start The Homebrew Channel.
    - Select Nintendont.
    Notes
    - The SD card slot of the Wii and Wii U is known to be slow. If you are using an SD card and have performance problems, consider using a USB SD reader or a USB hard drive.
    - USB flash drives are known to cause problems.
    - Nintendont works best with storage devices formatted with 32 KB clusters. (Use FAT32 or exFAT.)
    Nintendont is an application created by FIX94.
  21. NKit

    NKit is a Nintendo ToolKit that can Recover and Preserve Wii and GameCube disc images
    Recovery is the ability to rebuild source images to match the known good images verified by Redump
    Preserve is the ability to shrink any image and convert it back to the source iso
    NKit can convert to ISO and NKit format. The NKit format is designed to shrink an image to its smallest while ensuring it can be restored back to the original source data. NKit images are also playable by Dolphin.
    by nanook.
  22. NUSspli

    NUSspli is an application that lets us install content directly from Nintendo's update servers to our WiiU.
    Features:
    - Download games from Nintendo's servers (NUS).
    - Install downloaded games to either the console's internal storage or external storage.
    - Search for tickets on NUS and "that games website".
    - Create fake tickets at will or if they are not found.
    - Show the download speed.
    - On-screen keyboard.
    - Able to download anything available on NUS.
    - Full support for the HOME menu.
    - Custom folder names for downloaded games.
    How to use NUSspli
    To download a game, search the "Title Database" by a game's ID (for example: the WiiUBrew database). To create a fake ticket you will need the Title ID and the encryption key (available on "that game keys site"). To install the application, download it from this very page, unpack the file and, depending on where you are going to run the application, follow these steps:
    Homebrew Launcher
    - Move the folder to SD:/wiiu/apps/
    - Run the application from the HBL through Haxchi, Browserhax or any other compatible exploit.
    Home Menu
    - Install a Custom Firmware.
    - Move the folder to SD:/install and install it with WUPInstaller.
    - Run it from the HOME menu.
    Info
    NUSspli is based on WUPDownloader by Poke303.
    The application was created by V10lator.
  23. Payload Loader

    This is a generic payload loader for the Wii U to load arbitrary payloads from the SD card.
    Currently it's hardcoded to load a .elf file from sd:/wiiu/payload.elf.
    Preconditions
    This loader expects:
    - to be able to run at 0x011DD000 (and copied to this place and then executed).
    - to be running inside Mii Maker (for the SD card access),
    - the common kern_write (0x35) and kern_read (0x34) syscalls installed (hooks on 0xFFF02234 (write) / 0xFFF02214 (read) on FW 5.5.0+)
    - the 0x09 syscall installed, which is expected to be a function to manipulate IBAT0 (extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);)
    Running in any other application with SD access may also work; the IBAT0 setup may need to be adjusted though (set back to original values at the end).
    Usage
    A common usage for this would be to exploit an application, do a kernel exploit to be able to have kernel read/write, somehow copy the sections of the payload loader .elf file to the expected destination in memory and fulfill the mentioned preconditions.
    After that, simply put the .elf to be loaded in sd:/wiiu/payload.elf
    The loaded .elf needs to be statically linked somewhere between 0x00800000 and 0x01000000. This whole area has rwx for both user and supervisor (kernel) mode and can be used.
    This mapping only lasts for this execution! As soon as you leave the running application (in this case the Mii Maker), the mapping will be reset and you will lose access to the 0x00800000 region.
    Compiling
    In order to compile this, you need devkitPPC with the following pacman packages installed.
    pacman -Syu devkitPPC
    Make sure the following environment variables are set:
    DEVKITPRO=/opt/devkitpro
    DEVKITPPC=/opt/devkitpro/devkitPPC
    Technical details
    - This payload loader is supposed to be loaded somewhere between 01000000..01800000 (virtual address); 0x011DD000...0x011E0000 should be free to use.
    - The 0x09 syscall is used to set IBAT0 to map 01000000..01800000 (virtual address) to 32000000..32800000 (physical address) with r/w for user and kernel. This includes the region where the payload loader is, and allows us to register and execute kernel syscalls. This setting is meant to match the original IBAT0 values (at least in Mii Maker), but with r/w for the kernel. Resetting is not needed when using the Mii Maker, but may need to be adjusted.
    - Afterwards it's possible to register our own syscall (we use 0x36 as it's unused) to set up IBAT4 and DBAT5 to map 00800000..01000000 (virtual address) to 30800000..31000000 (physical address) with r/w for user and supervisor. This allows full user/kernel access to this region, for data and code. The mapping is done for all 3 cores.
    Credits
    - orboditilt
    - dimok789: Most parts (especially SD loading, ELF copying) are based on the homebrew launcher sd loader.
    by wiiu-env.
  24. Pimp my Wii

    Here is "Pimp My Wii", a homebrew that will hack your Wii, install missing or outdated IOS / titles, and install the necessary cIOS and mIOS.
    The program will detect missing or outdated IOS and check that you have the latest version of the Wii System Menu. It also checks if you have the latest versions of BC, MIOS and these channels : Wii Shop, News, Weather, Mii, Photo and Photo 1.1
    If you don't have the latest versions of those titles, the program will download them, or read them from USB or SD to install them. When using this program, you will have all the advantages of 4.1 combined with those of 3.2, and this without drawbacks !
    It also installs cIOS d2x (based on Waninkoko) (249, 250) v10 and 10 alt and cIOS from Hermes 202/222/223/224 rev5.1. If you want, you can install the cIOS from Waninkoko rev20/21 or d2x v6, 7, 8 or 9beta (you'll have to install it manually from the menu "Install cIOS").
    Pimp installs the cMIOS from WiiGator.
    Pimp will warn you if some homebrews aren't updated. Pimp checks the version of the following homebrew (the dirnames must match, and are not case sensitive) :
    -> Neogamma, in version R9 beta 50 minimum. Dirname : neogamma
    -> Usb Loader gx, in version 2.2 minimum. Dirname : usbloader_gx
    -> Uloader, in version 5.1 minimum. Dirname : uloader
    -> Wiiflow, in version 2.2 (or r302) minimum. Dirname : wiiflow
    -> Configurable usb loader, in version 70 minimum. Dirname : usbloader or usbloader_cfg
    Pimp does not update those homebrews itself. No verification will be made on channels, only on the files installed on the SD card in the directory /apps/.
    The homebrew is displayed automatically in English, French, Italian, German or Spanish depending on your Wii's language. It is also compatible with NTSC-U, NTSC-J and PAL Wii consoles. (Korean Wii theoretically compatible).
    Warning: I do not take any responsibility for any damage to your Wii because of improper usage of this software.
    Menu:
    - Pass the test and fix problems
    Check if everything is alright on the Wii, and install what needs to be installed, after asking the user.
    - Pass the test
    Only check if everything is alright on the Wii, without installing anything.
    - Manual installation
    Will propose to install every possible IOS and title. By default, the installation will be on "no".
    - Hack the Wii/Minimal installation
    Pass the test and only install the minimal requirements to hack your Wii. It patches IOS 36.
    Also install the cIOSes 249, 250, 202, 222, 223, 224 from d2x and Hermes and the cMIOS.
    - Install cIOS
    Install a cIOS of your choice between cIOS from Hermes, Waninkoko and Waninkoko d2x. You can choose the IOS source of your choice, the destination slot and the revision.
    For Waninkoko's/d2x cIOS, you can choose this IOS source: IOS36 v3607 IOS37 v5662 IOS38 v4123 IOS53 v5662 IOS55 v5662 IOS56 v5661 IOS57 v5918 IOS58 v6175 IOS60 v6174 IOS61 v5661 IOS70 v6687 IOS80 v6943 (IOS 58 only for revision above 20).
    For Hermes cIOS, you have the choice between IOS60 v6174, IOS38 v3867, IOS37 v3869 and IOS57 v5661.
    Button "minus", "safe mode". In this mode, the IOS test is disabled; you will be asked instead to choose an IOS to use for the installation. You must know that in this mode, you will not know if your installed IOS have the different bugs, and so the program will not know if they need to be patched.
    Note: Pimp my Wii is compatible with the WiiU Wii emulator, but some options are disabled. Moreover, you absolutely need to place the wad files on your SD/USB device because the IOS for the WiiU can't be downloaded directly.
    ----------------------------------------------------
    --------Correction of encountered problems----------
    ----------------------------------------------------
    Here is a list of common problems that you could have on your Wii (even on the latest version) and the solutions that "Pimp My Wii" will apply.
    - Black screen at loading of dvd games :
    Missing IOS -> Install those IOS (patching them)
    - The Wii asks for an upgrade when inserting games :
    Old IOS -> Update those IOS (patching them).
    - A modified game (trucha signed) can't load on the disc channel with my modchip :
    The IOS used by game has the trucha bug corrected -> Install a new IOS and patch the bug inside.
    The IOS used by system menu has the trucha bug corrected -> Install a new IOS and patch the bug inside.
    - The preloader and other homebrew does not work :
    The IOS36 has the ES_Identify patched -> Install a new IOS 36 and patch the bug.
    - I got reading problems with my backup launcher :
    Old cIOS installed (older than rev20) -> Ask user to update this.
    - No SD menu, no latest functionality :
    Old version of Wii (system menu, for example 3.2) -> Upgrade to 4.1 (but patching everything) for more compatibility, functionality.
    - The Wii Shop asks me to update :
    Old version of Wii Shop (older than v20) -> Upgrade to this version (and install IOS 56 associated).
    - I don't have any IOS that has the trucha bug (if you have a virgin Wii) :
    The homebrew put the trucha bug back in IOS15.
    - I can't install the Hackmii Install, because I have some kind of cIOSCorp :
    You need an unmodified IOS 58 -> Install this IOS.
    !!!!!!!!!Leave the parameters by default if you don't know what you are doing ! A bad choice of "hacks" could leave your system unstable!!!!!!!!!!!!

    ----------------------------------------------------
    -----------------Questions / answers----------------
    ----------------------------------------------------
    - Does it work without internet ? / I got errors during download, what can I do ?
    It works without internet, you just need to put the necessary wad files in the root of the SD card, or of a USB device in FAT32.
    Follow this (French) tutorial to get those files : http://www.wii-info.fr/article-53-comment-recuperer-un-ios-mios-chaine.htm
    The necessary IOS are those, in their specific versions :
    9 v1034, 12 v526, 13 v1032, 14 v1032, 15 v1032, 17 v1032, 21 v1039, 22 v1294, 28 v1807, 30 v2576, 31 v3608, 33 v3608, 34 v3608, 35 v3608, 36 v3608, 37 v5663, 38 v4124, 50 v4889, 53 v5663, 55 v5663, 56 v5662, 57 v5919, 58 v6175, 60 v6174, 61 v5661, 70 v6687 and 80 v6944.
    And these "stub" IOSes, in their specific versions : IOS4v65280, IOS10v768, IOS11v10, IOS16v512, IOS20v12, IOS41v3607, IOS43v3607, IOS45v3607, IOS46v3607, IOS48v4124, IOS51v4633 and IOS254v260.
    IOS must be named this way : IOSX-64-vY.wad, where X and Y are respectively the version and revision number.
    To update the System Menu, you need the file RVL-WiiSystemmenu-vX.wad, where X is 448 for 4.1J, 449 for 4.1U, 450 for 4.1E and 454 for 4.1K.
    For Wii Shop, you need RVL-Shopping-v20.wad
    For bc, RVL-bc-v6.wad
    For MIOS, RVL-mios-v10.wad
    For other channels, XY-NUS-vZ.wad, where X is the "type", Y the number and Z the version. For example, for the Mii Channel it's 1000248414341-NUS-v6.wad (or RVL-NigaoeNR-v6.wad).
    For the cIOS installation:
    - cIOS 249 : IOS 56 rev 5661
    - cIOS 250 : IOS 57 rev 5918
    - cIOS 202 : IOS 60 rev 6174
    - cIOS 222 : IOS 38 rev 3867
    - cIOS 223 : IOS 37 rev 3869
    - cIOS 224 : IOS 57 rev 5661
    - I got the preloader, will it work ?
    If you are not on 4.1 and if you accept the installation of this system menu, you will need to reinstall the preloader and the hacks specific to this version. Follow this (French) tutorial to install and configure preloader : http://www.wii-info.fr/article-52-installer-et-configurer-le-preloader.htm
    - I have the preloader and I got "system files are corrupted", what can I do ?
    If you have the preloader, you must patch "ES_Identify" on the IOS used by it. For Wii 4.x, it's IOS60, else it's IOS 30. Leave the parameters by default if you don't know what you are doing.
    - I have a custom theme, will it stay ?
    If you change your Wii version, you will lose all themes and you will need to reinstall a compatible theme with the version of System Menu you have.
    - I have cIOSCorp or equivalent installed (to read backup games from disc channel), what will happen ?
    If you install IOSes, they will replace those installed by cIOSCorp and you will lose the ability to launch games via the disc channel without a modchip. But cIOSCorp isn't recommended, you just need a loader like Neogamma to read backups. If you reinstall cIOSCorp, you will get your old IOS back, then Pimp My Wii will tell you that they are outdated.
    - Should I upgrade my console to 4.1 ? I thought I must stay on 3.2 ?
    If you use this program to put your console to 4.1, you will have exactly the same advantages as a 3.2 Wii, but you will have the improvements of 4.1. You won't have any disadvantages to put your Wii to 4.1.
    - Should I install all IOS asked ?
    It is recommended to install the IOS indicated as "not present" and IOS 30, 34, 36 and 60. You should also leave parameters by default. If you install at least those, you will avoid most problems.
    - The other IOS, are they useless ?
    For other IOS, patching them helps launching Trucha Signed games on a Wii with a modchip.
    - I got a message saying that my Custom IOS is outdated, what can I do ?
    Follow this (French) tutorial to upgrade your cIOS : http://www.wii-info.fr/article-40-installer-ou-desinstaller-un-custom-ios.htm
  25. RetroArch for WiiU

    RetroArch is a frontend for emulators, game engines and media players.
    It enables you to run classic games on a wide range of computers and consoles through its slick graphical interface. Settings are also unified so configuration is done once and for all.
    RetroArch has advanced features like shaders, netplay, rewinding, next-frame response times, and more!
