Wii U
53 files
-
64Inject
64Inject is a program that allows you to inject games into the Nintendo 64 virtual console of the Wii U. It is focused on streamlining the testing of different combinations of ROM, ".ini" configuration file and base game.
Features
- Two modes of use, graphic and by commands.
- Contextual help and two languages, English and Spanish.
- Virtual console configuration, easily disable the dark filter, aspect ratio and display scale of the game.
- Simplifies the incorporation of the ".ini" configuration file for the game.
- Support for ROM formats *.z64, *.n64, *.v64 and *.u64.
- Support for images *.png, *.jpg and *.bmp.
- The Title ID reflects if you have used the same combination of ROM, ".ini" configuration file and base game.
- Multiple options through the command window, you can define each thing or simply an input folder and an output folder, or combine.
by phacoxcll.
-
Aroma
Aroma is a collection of tools for using homebrew on the Wii U.
Features
Aroma's tools, modules and plugins are modular, which means features can easily be added or removed.
A default Aroma instance comes with the following features:
- Compatibility with the latest firmware (5.5.5/5.5.6).
- Free and persistent entry point (including an installer + coldboot option).
- Compatible with existing entry points (browser exploit).
- Easy setup and updates: just copy the files to the SD card.
- Built-in support for modules.
- Built-in integration of the Wii U plugin system.
- All modules and plugins use a separate memory heap to improve stability.
- Plugins and homebrew applications can be used at the same time.
Usage
- Extract the files to the root of your SD card.
- Launch the environment via the EnvironmentLoader. You may have to hold X while launching the EnvironmentLoader to force the menu to open.
Aroma is an application created by Maschell.
-
Bloopair
Bloopair allows connecting controllers from other consoles like native Wii U Pro Controllers on the Wii U, by temporarily applying patches to the IOS-PAD module responsible for Bluetooth controller connections.
Features
- Connect up to 4 controllers wirelessly via Bluetooth
- Rumble support
- Battery levels
Supported controllers
- Nintendo Switch Pro Controller
- Nintendo Switch Joy-Con
- Microsoft Xbox One S / X Controller
- Sony Dualsense Controller
Installation
Download the application and extract it to the root directory of the SD card.
Usage
- Run Bloopair from the Wii U Homebrew Launcher
- Once launched, the Wii U Menu should open
- Once back in the Wii U Menu, press the SYNC button on your console and controller
- Wait until the controller is connected
If a controller had been paired in the past, simply turn it on again and it should reconnect.
After restarting the console or exiting System Settings, relaunch Bloopair.
Application created by GaryOderNichts.
-
BluuBomb
BluuBomb is an exploit for the Wii U that takes advantage of the Bluetooth stack to gain IOSU kernel access via Bluetooth.
Not to be confused with BlueBomb, which is for the Wii and Wii Mini.
Requirements
- A Wii U capable of pairing with a Wii Remote
- A PC with Bluetooth
- A PC or a virtual machine running a version of Linux capable of running a custom build of BlueZ.
How to use
1. Run sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev to install the required dependencies.
2. Download Wiimote Emulator.
3. Run source ./build-custom.sh to build BlueZ. Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps.
4. Stop the already running bluetooth service: sudo systemctl disable --now bluetooth
5. Run the custom built bluetoothd: sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n
6. Download the bluubomb from here (kernel binaries included).
7. Make the bluubomb file executable by running sudo chmod +x bluubomb.
8. Power on the Wii U and press the sync button.
9. Run sudo ./bluubomb arm_kernel.bin and wait for the pairing process to complete. This might take a minute. If you get a warning about Simple Pairing mode read the Simple Pairing mode section below.
10. Write down the Wii U's bd address that should be displayed after the pairing is complete.
You can now run sudo ./bluubomb arm_kernel.bin <bdaddr here> to connect directly to the Wii U and skip the pairing process.
Kernel binaries
- arm_kernel_loadfile: Launches a launch.rpx from the root of your SD card on the next application launch.
- arm_kernel_fw_launcher: Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings).
- arm_kernel_region_free: Applies IOSU patches to temporarily remove region restrictions. This should be helpful if you've locked yourself out of your applications due to permanent region modifications.
Simple Pairing mode
On some devices the simple pairing mode can't be disabled by bluubomb. You can check the current Simple Pairing mode by running hciconfig hci0 sspmode. Make sure it says Simple Pairing mode: Disabled. If not, run sudo hciconfig hci0 sspmode disabled and sudo hciconfig hci0 reset. Then check the mode again.
BluuBomb was created by GaryOderNichts.
-
CBHC
Installing just Haxchi is perfectly safe and will give you simple channel access to other homebrew programs without the need of the browser exploit anymore.
Installing CBHC though is FAR, FAR more dangerous but will allow coldboot into patched menu/homebrew.
WARNING
Please ONLY INSTALL THIS if you already have the normal Haxchi installed and know that it works perfectly, just install it over your existing Haxchi installation, again, DO NOT INSTALL IT from a freshly downloaded, never started/tested game or you may brick. Also ONLY INSTALL THIS IF THE DS VC IS BOUGHT FROM THE ESHOP ON THAT CONSOLE AND ON NAND AND YOU HAVE NO USB CONNECTED WHEN USING THE INSTALLER.
If a new CBHC version comes out you can just run the installer again and let it overwrite the existing CBHC installation, same rules as on the first installation still apply.
Infos
Installing this will execute the DS VC of your choice directly on system boot - giving you a direct coldboot exploit, the features you have after installing it are explained down below.
- After installing it you better go ahead and set up some DNS server protection to block potential future system updates, while CBHC will fake the system version to 99.99.99 it still adds another safety factor just in case
- Disable standby for extra safety, again just in case
- NEVER try to delete/install over the DS VC you used to install since it is now basically your system menu so if you break it your console bricks too, there are several protections against overwriting, moving to usb and deleting, but you should still not try your luck and trigger that protection over and over again, just generally be smart about it, I am not responsible for your dead wiiu because of user error.
- Do NOT do a system format while CBHC is installed and autoboots your system or you will brick because you delete CBHC in the process
- Do NOT delete the user profile you used to buy the DS VC since that will make it not properly licensed anymore on your console.
- Also there still is a myth going around it will brick if you move its icon in the menu or put the icon into a folder; that is false and is perfectly safe as it is only a visual change in the system menu.
Features
Anyways, enough of that - what can this actually do when installed?
It offers a basic menu from which you can boot into:
- The system menu which will get full signature and region patching and support this ftpiiu-everywhere version; CBHC comes with its own sysnand CFW included.
- You can boot into the .elf version of homebrew launcher.
- You can boot a fw.img or Mocha CFW on your sd card which could be useful for rednand and if you really need to connect to wupserver from a pc, but that's really only interesting as a developer. For pretty much anyone the system menu setting (which uses the included CBHC CFW) is enough, on top of that using Mocha or fw.img for sysnand can lead to bootup problems and takes far longer to boot so please just don't do it, I don't know how often I can repeat that point anymore.
- You can boot into the vWii system menu or the vWii homebrew channel, also if you hold down B on boot you will automatically boot into the vWii system menu as the menu originally did
If after installing CBHC no menu pops up when you turn on your console then you may have run into the very rare case in which CBHC did not properly install and your Haxchi installation still runs, in this case just go back into the homebrew launcher and try installing it again.
Autoboot
If you want to automatically go to any of these options just enable the autoboot option for it.
The menu controls are very simplistic, up/down to move the cursor and A to either select the option or change the autoboot option, you can control it using the gamepad or any wiimote, classic controller or wiiu pro controller OR if you are really desperate the "sync" button on the console itself will work too - click once to move the cursor down and double click to simulate what A does normally.
Once autoboot is set up you can easily cancel it by pressing the home/sync button while the "Autobooting..." message is shown to get back into the little menu and change your settings or launch something different from there.
by FIX94.
-
CDecrypt
Windows application that lets us decrypt the contents of NUS files.
-
CustomRPXLoader
CustomRPXLoader is a custom loader for .rpx files that can be used with any payload.elf loader (for example PayloadFromRPX or JsTypeHax).
Usage
Place the payload.elf in the sd:/wiiu folder of your SD card and run an exploit that loads payload.elf; this will load sd:/wiiu/payload.rpx into memory and execute it. The maximum size of payload.rpx depends on the size of this loader, but should be > 7Mib.
CustomRPXLoader was created by wiiu-env.
-
DiscU
A Windows Tool that can Extract and Decrypt Wii U Game Images in WUD Format
New in this Release:
- Fixes wrong IV in sys part
- Adds content extraction for WUP install
- Few other minor changes & fixes.
-
Dumpling
Dumpling is a simple and complete file dumper for the Wii U. Developed with the intention of making dumping games and other files (for emulators like Cemu) faster and easier.
Main features
- Dumps everything related to your games! The game, updates, DLC and saves are dumped through a simple graphical user interface.
- Dumps both disc and digital games in an extracted format, making modding and use with Cemu easier.
- Creates 1:1 copies of the data with the proper metadata.
- Allows dumping to an SD card or USB drive (must be formatted as fat32).
- Also allows dumping system applications.
- Feature to quickly dump everything needed to play online with Cemu, including the otp.bin and seeprom.bin!
- Also dumps extra compatibility files for Cemu when dumping online files.
- Has features to dump the base game, update, DLC and save files separately.
- Now also allows easily dumping vWii games (requires nfs2iso2nfs to convert vWii games to .iso).
How to install
Download the file from right here, unzip it and copy the contents to the root folder of the SD card.
How to use
You don't need to run/have Mocha CFW or Haxchi, just launch Dumpling from the Homebrew Launcher.
Dumpling is an application created by Crementif.
-
EnvironmentLoader
EnvironmentLoader is a payload that must be run with CustomRPXLoader.
Usage
Put the payload.rpx in the sd:/wiiu/ folder of your SD card and use CustomRPXLoader to run this setup payload; hold X on the Gamepad while it loads to force the menu to open.
This payload looks for environments in the following directory: sd:/wiiu/environments/.
Example file structure for having a tiramisu environment and an installer environment on the SD card:
sd:\wiiu\environments\tiramisu\modules\setup\00_mocha.rpx
sd:\wiiu\environments\tiramisu\modules\setup\01_other_cool_payload.rpx
sd:\wiiu\environments\installer\modules\setup\00_mocha.rpx
sd:\wiiu\environments\installer\modules\setup\01_installer_launcher.rpx
When you launch the EnvironmentLoader, a selection menu will appear. Use Y on the Gamepad to set a default environment. To open the selection menu when a default environment is set, hold X on the Gamepad while launching EnvironmentLoader.
When launching a given environment, all .rpx files in [ENVIRONMENT]/modules/setup will be executed.
- Make sure not to call exit in the setup payloads.
- The files are executed in the order of their sorted names.
EnvironmentLoader was created by wiiu-env.
-
FF Viewer Legacy
Allows you to edit .ff Files or Mod Menus!
This works for all .FF Files including for Wii COD Games.
by ShadowTheAmazing.
-
fuse-wiiu
fuse-wiiu is an easy way to extract data from Wii U titles in various formats. It is compatible with:
- Title in the installable format (.tmd, .app, .h3 etc.)
- Multiple versions of a title in the installable format (.tmd, .app, .h3 etc.)
- Wii U disc images (WUD, WUX and split WUD), including kiosk discs
fuse-wiiu requires Java 8 and a fuse implementation that's compatible with your OS and CPU architecture.
-
Haxchi
This is the continuation of the POC Haxchi exploit by smea.
It features compatibility with a lot of DS VC and can be easily installed and further configured.
Installation
Just extract the contents of it onto your sd card. The "haxchi" folder right now just consists of a simple replacement icon, logo and replacing the game title with "Haxchi", its example config.txt will boot homebrew launcher by default and a fw.img on your sd card when holding A. For a full list of all compatible buttons that you can use for the config.txt go here.
The content of this haxchi folder can be changed to your liking - if you want to you can also add in an alternative bootSound.btsnd to replace the original startup sound which I did not do in this example haxchi folder.
After setting up the content to your liking all you have to do is run the Haxchi Installer in homebrew launcher, select the game you want to install it on and that is it! If you ever want to make changes to the content folder it installed to then just re-run the Haxchi Installer and install it again, you don't have to reinstall the game beforehand, it'll just overwrite the previous haxchi installation with your new data.
Please note, this will ONLY WORK WITH DS VC GAMES ON NAND, if you have a ds vc game on USB you want to use then please move it to your NAND first and ideally detach your usb device before using this installer .elf, if you don't remove your usb devices it may freeze up on exiting or not install properly.
This also ONLY LOADS THE .ELF VERSION OF THE HOMEBREW LAUNCHER which as of right now is v1.4 so make sure to keep that on your sd card or you will just get error -5 when starting your haxchi channel. Once you are in the homebrew launcher it is also perfectly compatible with loading .rpx files, you just can't use haxchi itself to load .rpx files.
Credits
smea, plutoo, yellows8, naehrwert, derrek, FIX94 and dimok
by FIX94.
-
Homebrew App Store
Description
Homebrew App Store allows you to download homebrew apps for HBL directly in the app. Installed apps can also be reinstalled, updated, or deleted. It is an attempt at a poor man's Cydia for Wii U!
Apps featured within HBAS are made by other homebrew developers. If anyone takes an issue with their work being distributed in this manner, contact the respective repository owner.
Although "store" is in the name, the apps within are all free-- If a specific homebrew developer wants to charge for their app, they would have to do so outside of HBAS. The name just refers to the concept of an App Store.
Requirements
- Internet connection
- SD card
- A way to run HBL (see stickies)
How to Use
Unzip the "appstore" folder from the zip at the above download link. This is the bundled HBAS app. Place this folder inside the /apps/wiiu/ folder on your SD card. After this, run HBL and select it from the menu.
Once the app launches, press A or touch the screen to dismiss the splash screen. You can scroll with either stick, the D-pad or the touch screen. To download an app, touch its icon and choose "GET".
Guide:
- LOCAL - An app that is only on your SD card
- INSTALLED - An app on your SD card and the server
- UPDATE - An app on your SD card and the server, with a different version number
- GET - An app only on the server
Changelog
It's been a while, but here's the second release of the HBAS!
In particular, the 1.5 release seeks to address major crashing/freezing issues as well as a way to help sift through the growing number of apps on the store.
There are a lot of much needed changes in this build:
- Icons are cached and no longer load asynchronously (#20 and #6)
- Categories added based on web frontend (#13)
- App loading restructured, more Stability™ (#14)
- "Random" button added to help discover new apps
- App re-themed to mimic the new wiiubru.com
- Elf is 35% smaller
- Minor text fixes
-
Inkay
Inkay is an Aroma/WUPS plugin that patches various Nintendo Network URLs on a Wii U so that they use Pretendo Network instead. It also (for the time being) bypasses SSL verification in most cases.
Inkay does not currently include the game-specific patches present in Nimble. They will be implemented soon.
Dependencies
Inkay is only supported on the release version of Aroma configured for autoboot or coldboot. For Tiramisu, see Nimble.
Security
Inkay's patches are all temporary and are only applied in memory without modifying the console. The SSL patch, while also temporary, could reduce the overall security of the console while it is active, since it no longer checks whether a server is verified. However, this does not apply to the Internet Browser, where SSL still works as expected.
Inkay was created by PretendoNetwork.
-
isfshax
isfshax is a coldboot boot1 exploit for the Wii U.
Make sure you properly understand all the risks involved before attempting to install it!
Make sure you have an SLC backup at hand and a safe way to restore it before continuing.
Thanks to shinyquagsire123's de_Fuse vulnerability, it should now be possible to restore SLC without needing an SLC hardmod, which should make repairs at least a little less troublesome.
This repository contains the main isfshax exploit and stage2loader. It will use minute_minute as stage2. It will produce an ISFS superblock image (unencrypted), intended to be installed via isfshax_installer. The minute_minute stage 2 payload will try to load (in order):
- slc:/sys/hax/fw.img
- sd:/fw.img (5 times)
- slc:/sys/title/00050010/1000400a/code/fw.img + patches
The first two locations are supposed to hold a full minute. The third location is OSv10 IOSU as a fallback. A minimal set of patches will be applied to IOSU so that it boots with ISFShax, to mitigate the side effects of ISFShax, and to block system updates.
In case a broken fw.img is installed on the SLC, loading from the SLC can be skipped entirely by spamming the power button. In that case only the SD will be tried, and it will be retried indefinitely.
When minute is used with stroopwafel, wafel_isfshax_patch or , is required; otherwise IOSU would fail because of ISFShax.
-
Isfshax Installer
This installer allows installing and removing the isfshax superblock to/from the Wii U SLC.
The installer looks for superblock.img and superblock.img.sha on the SD. The installation will fail if both files are not present.
Launching the installer
It can be launched through the fw_img loader or from minute. The fw_img loader requires the fw.img file to be encrypted. To run it from minute, it must be built without encryption (no_crypto = False in castify.py).
When launched on a defused console, it needs an otp.bin that contains at least the SLC key and the SLC hmackey.
-
JsTypeHax
It loads WiiU Homebrew Launcher, I successfully haxchied a 5.5.2 ;)
Currently in beta test, you can follow this guide to use it:
Prepare the needed files
- Prepare your FAT32 SD card with Homebrew launcher, and preferably Haxchi installer to get a persistent and more stable entry point for homebrew.
- Extract the homebrew launcher 1.4 on your SD card.
sd:/wiiu/apps/homebrew_launcher/homebrew_launcher.elf
- If you plan to install Haxchi, be sure you already have a compatible NDS game installed on NAND.
- Prepare any other homebrew you want to use, for example Homebrew App Store.
Find a web host or create your own
- Visit a website hosting it, like http://dlae.life/, http://wiiu.insanenutter.com, http://www.wiiubru.com/x or http://u.drg.li/ or host the sources on your computer.
- If it's on your computer, you need python installed, and launch "startServer.bat" on windows, or use any other webserver you want.
Run the browser hack on WiiU
- Clear your browser's data, launch the browser again.
- Open the server's URL in your browser, or your computer's IP if you are hosting it yourself.
- Select Exploit.
- If it freezes, shutdown and try this step again. It can be quick if you are lucky, or taking hours of retries...
- If it works, use that opportunity to install haxchi, it will be more stable.
Note: As it is still in beta test phase, http://u.drg.li/ is hosting different versions of that exploit. You should prefer it over other currently available web hosts, and select exploits from delta 0 to 4 until one works (2 seems to be the one that is working the most).
If your screen goes grey-white but your console freezes, that's the correct delta, so keep trying that exploit number.
by JmpCallPoo.
-
JWUDTool
Here is just a simple program that uses the Jnuslib. The usage should be pretty self-explanatory.
STILL EXPERIMENTAL. Bugs may occur, please report them!
Features
- Compressing .wud and split wud files into .wux
- Decompressing a .wux back to .wud
- Extracting from the GI or GM partition
- Extracting .app/.h3/.tmd/.cert/.tik files from a .wud/.wux or split .wud
- Extracting just the contents/hashes/ticket.
- Decrypting the full game partition from a .wud/.wux or split .wud
- Decrypting specific files of the game partition from a .wud/.wux or split .wud
- Verify an image / Compare two images (for example a .wud with .wux to make sure it's legit)
Usage
Optional:
- Copy the common.key into the folder next to the .jar or provide the key via the command line
- Copy the game.key into the folder next to the wud image or provide the key via the command line
usage:
 -commonkey <WiiU common key>              Optional. HexString. Will be used if no "common.key" in the folder of this .jar is found
 -dev                                      Required when using discs without a titlekey.
 -compress                                 Compresses the input to a .wux file.
 -decompress                               Decompresses the input to a .wud file.
 -decrypt                                  Decrypts full the game partition of the given wud.
 -decryptFile <regular expression>         Decrypts files of the game partition that match the regular expression of the given wud.
 -extract <all|content|ticket|hashes>      Extracts files from the game partition of the given wud (Arguments optional)
 -help                                     shows this text
 -in <input file>                          Input file. Can be a .wux, .wud or a game_part1.wud
 -noVerify                                 Disables verification after (de)compressing
 -out <output path>                        The path where the result will be saved
 -overwrite                                Optional. Overwrites existing files
 -titlekey <WUD title key>                 Optional. HexString. Will be used if no "game.key" in the folder of the wud image is found
 -verify <wudimage1|wudimage2>             Compares two WUD images to find differences
Examples
Getting .app files from a Wii U image:
Extract .app etc. from a WUD:
Get .app files from "game.wud" to the folder "extracted" with game.key in the same folder
java -jar JWUDTool.jar -in "game.wud" -out "extracted" -extract all
Extract .app etc. from a WUX (compressed WUD):
Get .app files from "game.wux" to the folder "extracted" with game.key in the same folder
java -jar JWUDTool.jar -in "game.wux" -out "extracted" -extract all
Extract .app etc. from a split WUD (dump with wudump):
Get .app files from "game_part1.wud" to the folder "extracted" with game.key in the same folder
java -jar JWUDTool.jar -in "game_part1.wud" -out "extracted" -extract all
Compressing into .wux examples:
Compress a .wud to .wux:
Compress a "game.wud" to "game.wux"
java -jar JWUDTool.jar -in "game.wud" -compress
Compress a split game_part1.wud to .wux:
Compress a "game_part1.wud" from a wudump dump to "game.wux"
java -jar JWUDTool.jar -in "game_part1.wud" -compress
Decrypting game files examples:
Decrypt a WUD image to game files
Input can be a .wud, game_part1.wud or a .wux. This decrypts the full game partition. Given a game.key and common.key in the same folder.
java -jar JWUDTool.jar -in "game.wud" -decrypt //WUD
java -jar JWUDTool.jar -in "game.wux" -decrypt //WUX
java -jar JWUDTool.jar -in "game_part1.wud" -decrypt //game_part1
Decrypt a single file from a WUD
Input can be a .wud, game_part1.wud or a .wux. This decrypts the full game partition. Given a game.key and common.key in the same folder.
Extracting the code/app.xml file.
java -jar JWUDTool.jar -in "game.wud" -decryptFile /code/app.xml
java -jar JWUDTool.jar -in "game.wux" -decryptFile /code/app.xml
java -jar JWUDTool.jar -in "game_part1.wud" -decryptFile /code/app.xml
Extracting all .bfstm files.
java -jar JWUDTool.jar -in "game.wud" -decryptFile /.*.bfstm
java -jar JWUDTool.jar -in "game.wux" -decryptFile /.*.bfstm
java -jar JWUDTool.jar -in "game_part1.wud" -decryptFile /.*.bfstm
Extracting the folder /content/Sound
java -jar JWUDTool.jar -in "game.wud" -decryptFile /content/Sound/.*
java -jar JWUDTool.jar -in "game.wux" -decryptFile /content/Sound/.*
java -jar JWUDTool.jar -in "game_part1.wud" -decryptFile /content/Sound/.*
Compiling
clean assembly:single package
Credits
Maschell
Thanks to:
Crediar for CDecrypt
All people who have contributed to vgmtoolbox
Exzap for the .wux file format
FIX94 for wudump
The creators of lombok.
-
Loadiine
RPX/RPL and File Replacement Tool.
- 1......Requirements
- 2......How to Use
- 3......Preparing the SD Card
/******************************************************************************/
/* Requirements */
/******************************************************************************/
- Wii U FW 5.3.2
- SD(HC) Card
- Super Smash Bros for Wii U (Disc or EShop version) - optional but may be needed for some games
/******************************************************************************/
/* How to Use */
/******************************************************************************/
- 1. Setup your SD Card (see below)
- 2. In the Internet Browser, launch the included kernel exploit (www/kexploit)
(You need a modified kernel exploit that sets 0xA0000000 virtual memory range to 0x10000000 physical memory address)
- 3. Relaunch the Internet Browser
- 4. Insert your SD Card into the Wii U, if it's not already done.
- 5. Launch loadiine (www/loadiine)
- Press A to install loadiine
or
- Press X to install loadiine with server enabled (use it for debug purpose, the server must be running before pressing X).
- 6. The loadiine menu should open. Now, Select your App/Game using the D-Pad.
- Press A to use Smash Bros mode and launch directly the disk
- Note : auto-launch does not work for everyone, launch manually Smash Bros instead
- Note : if you are using Smash Bros EShop version, press Y instead, it returns to Home Menu, then launch Smash Bros.
or
- Press X to use Mii Maker mode (Smash Bros disk is not needed)
- The game should start
- 7. Enjoy
- Note: When exiting the Game/Application, you must relaunch the Mii Maker and select the game again.
If you don't, launching Super Smash Bros will result in a crash.
/******************************************************************************/
/* Preparing the SD Card / How to add a Game or Application */
/******************************************************************************/
Note: You may add multiple Games/Applications, but ALL STEPS are REQUIRED
-------------------------------------------------------------------------------
Setting Up RPX/RPL and Data Files
1. Create a folder named "wiiu" in the root of the SD Card.
- ex : SDCARD/wiiu
2. In "wiiu", create another folder named "games"
- ex : SDCARD/wiiu/games
3. In "games", create a new folder with the name of your app
- ex : SDCARD/wiiu/games/MyApplication/
4. Copy the "code" folder of your app/game inside your application folder (with rpx, rpl and xml files)
- ex : SDCARD/wiiu/games/MyApplication/code/my_application.rpx
- ex : SDCARD/wiiu/games/MyApplication/code/my_application_library.rpl
- ex : SDCARD/wiiu/games/MyApplication/code/app.xml
- ex : SDCARD/wiiu/games/MyApplication/code/cos.xml
- note : if you don't have the xml files, loadiine will try to use default values instead
5. Copy the "content" folder of your app/game inside your application folder
- ex : SDCARD/wiiu/games/MyApplication/content/...
- ex : H:/MyApplication/vol/content/data.bin -> SDCARD/wiiu/games/MyApplication/content/data.bin
- ex : H:/MyApplication/vol/content/datab/datab.bin -> SDCARD/wiiu/games/MyApplication/content/datab/datab.bin
Note : Do not rename RPX and RPL files
-------------------------------------------------------------------------------
Summary
Your file structure should look like this if the above information was used :
- SDCARD/wiiu/games/MyApplication/code/my_application.rpx
- SDCARD/wiiu/games/MyApplication/code/*.rpl [only if application contains .rpl files]
- SDCARD/wiiu/games/MyApplication/code/app.xml
- SDCARD/wiiu/games/MyApplication/code/cos.xml
- SDCARD/wiiu/games/MyApplication/content/[content files/folders]
/******************************************************************************/
/* Limitations : */
/******************************************************************************/
- The total size of each RPX and RPL files must be less than 65.7 MB (tested up to 47.3 MB)
- Don't go in the wiiu settings, it breaks everything
/******************************************************************************/
/* Notes : */
/******************************************************************************/
- If you have problems with saves, try deleting your Smash Bros saves.
/******************************************************************************/
/* Special thanks : */
/******************************************************************************/
- To everyone involved in libwiiu and webkit/kernel exploit !
- To the testers !
Feel free to modify and improve this software.
Golden45.
Dimok.
-
Loadiine GX2
Loadiine is a WiiU homebrew. It launches WiiU game backups from SD card. Its Graphical User Interface is based on the WiiU GX2 graphics engine.
Credits
- Dimok
- Cyan
- Maschell
- n1ghty
- dibas
- The anonymous graphics dude (he knows who is meant)
- and several more contributors
-
Mario Kart 8 Exploit
An implementation of the Mario Kart 8 exploit which allows arbitrary userland code execution and read/write with kernel permissions.
Preparation
Before using the ROP-chain, some files need to be generated, you can do it with make.
The makefile expects some binaries/files.
- Download RPX Gadget Finder (requires Java)
- tmp/550/coreinit.rpl from 00050010-1000400A OSv10 v15702
- tmp/550/gx2.rpl from 00050010-1000400A OSv10 v15702
- tmp/Turbo.rpx, the binary of the Mario Kart 8 version you want to exploit (only tested with EUR v64)
When you have all needed files, you can use make.
On success, you can now find the following files:
- ropgadget_addr.py
The default ropgadget_addr.py can be used with the EUR V64 of Mario Kart on EUR 5.5.x consoles.
Usage
- Download Nintendo Clients. Check out commit d044b3f9717e096862517b060c2370627a4bcf56 or rewrite exploit.py to be compatible with the latest commit.
- Fill in the required information, like your device id and serial number, in the config.py.
- Make sure you have a valid ropgadget_addr.py with the needed gadget addresses.
- Create a friend room in Mario Kart 8 and run do_memory_mapping.py. If everything went right, the game should restart.
- Create another friend room in Mario Kart 8 and run run_codebin_loader_ropchain.py. If everything went right, the given payload should be executed.
Technical details
The exploit itself allows arbitrary 4-byte writes, which is enough to get a (size-limited) ROP chain execution by carefully overriding a vtable. This allows us to remotely execute a ROP chain of < ~1000 bytes. 1000 bytes are enough to create a new thread on the main core and implement a small TCP client which receives a bigger payload that will be copied into memory. With the help of a stack pivot this new (and bigger) ROP chain can be executed. From now on it's possible to execute a bigger ROP chain (as long as it fits in one TCP packet) which can be used to:
- Perform a kernel exploit to get read/write with kernel privileges.
- Which is enough to restart the game with a different memory mapping, which allows modifications of executable memory, effectively bypassing the NX-Bit.
- After the restart the exploit will be executed again with a different payload which copies a code.bin into memory and executes it.
=> This leads to: userland code execution with a usable kernel memcpy syscall (0x25) (for copying data with kernel privileges).
Credits
- Maschell: Ideas, testing, ROP chain implementation, adding several ROP gadgets, implementing all other ROP chains
- NexoCube: Ideas, testing, ROP chain implementation and creating the ROP chain to load a bigger one via TCP
- Kinnay: Discovery and initial implementation of the exploit
-
Mario Kart 8 Exploit Payload
This is an example payload for the Mario Kart 8 Exploit. It simply copies a given statically linked payload (main_hook/main_hook.elf) into memory and executes it.
Usage
This payload is meant to be used with Mario Kart 8 Exploit, an exploit for the Wii U (tested with the latest European version of the game, v64 on EU Wii U with 5.5.4). Copy the created code.bin into the Mario Kart 8 Exploit folder and run the exploit according to the README. Read the README of the repository for more information.
The game will switch to Mii Maker and run your main_hook.elf. From now on your payload will be loaded every time you switch to another application.
Overwrite the address 0x0101c56c (our main entry hook) with 0x4E800421 (= bctrl) to override this behaviour. Note: This address is not writeable from user/kernel; you need to either set up a DBAT or disable memory translation temporarily. When disabling the memory translation, make sure to use physical addresses; OSEffectiveToPhysical might help there.
Building
Place a project with a Makefile into a subfolder /main_hook that creates a main_hook.elf. Using a .elf directly requires changes to the Makefile. This repository provides a generic .elf as a submodule; see its README for detailed information and usage.
Clone via git clone --recursive URL.
In order to be able to compile this, you need to have devkitPPC installed with the following pacman packages:
    pacman -Syu devkitPPC
Make sure the following environment variables are set:
    DEVKITPRO=/opt/devkitpro
    DEVKITPPC=/opt/devkitpro/devkitPPC
The command make should produce a code.bin, meant to be used with Mario Kart 8 Exploit.
Technical details
This payload expects:
- To be run inside the Mii Maker
- The Syscall 0x25 to be a memcpy with kernel privileges
This payload does:
- A small function to modify IBAT0 is copied to kernel space and registered as syscall 0x09. The declaration of this function is extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);.
- Copies the embedded main_hook.elf to the address where it's statically linked to. Currently these sections are supported: .text, .rodata, .data and .bss. In theory this could be placed anywhere, but keep in mind that the memory area may be cleared (like the codegen area, or the whole heap), and needs to be executable in user mode (even after switching the application). Due to size limits it needs to be somewhere between 0x011DD000...0x011DE200 or in a completely different region (0x011DE200...0x011E0000 is used by this payload).
- Afterwards the main entry hook is set up to jump to this position on every application switch. You also may have to modify this if the jump turns out to be too big.
- The entrypoint of the main_hook.elf will be called directly as we are already in Mii Maker.
What this payload offers to the loaded .elf
The loaded main_hook.elf can expect:
- To be called every time the application switches. (Mii Maker has SD access!)
- Syscall 0x09 to be available. Declaration: extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower); call via asm. This function can be used to set IBAT0 to allow the kernel to execute newly created syscalls (the kernel has for example no access to 0x011DD000...0x011E0000).
- Syscall 0x34 (kern_read) and 0x35 (kern_write) to be available. Use the following functions to use them:

    #include <stdint.h>

    /* Read a 32-bit word with kernel permissions */
    uint32_t __attribute__ ((noinline)) kern_read(const void *addr) {
        uint32_t result;
        asm volatile (
            "li 3,1\n"
            "li 4,0\n"
            "li 5,0\n"
            "li 6,0\n"
            "li 7,0\n"
            "lis 8,1\n"
            "mr 9,%1\n"
            "li 0,0x3400\n"
            "mr %0,1\n"
            "sc\n"
            "nop\n"
            "mr 1,%0\n"
            "mr %0,3\n"
            : "=r"(result)
            : "b"(addr)
            : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"
        );
        return result;
    }

    /* Write a 32-bit word with kernel permissions */
    void __attribute__ ((noinline)) kern_write(void *addr, uint32_t value) {
        asm volatile (
            "li 3,1\n"
            "li 4,0\n"
            "mr 5,%1\n"
            "li 6,0\n"
            "li 7,0\n"
            "lis 8,1\n"
            "mr 9,%0\n"
            "mr %1,1\n"
            "li 0,0x3500\n"
            "sc\n"
            "nop\n"
            "mr 1,%1\n"
            :
            : "r"(addr), "r"(value)
            : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"
        );
    }
Credits
- orboditilt: Putting everything together.
- dimok789: This is based on the Wii U Homebrew Launcher.
by wiiu-env.
-
Mario Kart 8 primary userland exploit for the WiiU
Actual implementation (base ROP chain to ACE) of the exploit Kinnay found in the WiiU version of Mario Kart 8. Running this will boot the homebrew launcher.
Requirements
- A WiiU
- Two NNIDs logged into your WiiU
- A computer logged on the same network as the console
README, for real
- The exploit may not work on the first try (~85% success rate)
- Do not run any homebrew using memory before launching MK8 (like TCPGecko, Cafiine or Diibugger)
How to use
- Edit exploit.py and fill in your Nintendo Network IDs + console information
- Edit main_exploit.py and edit the local computer IP
- Run make to build the payload0 binary (you need devkitPro + devkitPPC)
- Go on your WiiU, log on the victim NNID
- Open MK8, go online and host a private match, stay in the "earth menu", make sure you're alone in the room
- Start stage0.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER
- Wait for the game to reboot and rehost a private match, stay in the "earth menu", make sure you're alone in the room
- Start stage1.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER
- It should open the HOME Menu, return to the WiiU Menu, and tadaa, magic, you're on the HBL
Credits
- Kinnay for the Nintendo Clients library that allows us to communicate with NEX game servers and its protocols.
- Maschell for working with me on this exploit (and being as addicted as I was doing this), there was a lot of co-operation
- Rambo6Glaz / NexoCube / TheBrick for working on this, and all the chains here.
- wiiu-env for the payload_loader that's inside payload0/main_hook.h
by NexoDevelopment.
-
Nimble
Nimble is an Aroma setup module that patches the Nintendo Network BOSS policy list URLs on a Wii U to use Pretendo Network instead. This policy list is used to control various system functions, notably Wara Wara Plaza. It will not apply any patches besides the BOSS policy list. To connect to the rest of Pretendo Network, see Inkay.
Nintendo Network
Nimble's patches are temporary and are only applied in memory, without modifying the console. If you have trouble connecting to Nintendo Network while using Nimble, hold the ZL button on the controller while powering on the console to skip the patches.
Nimble was created by PretendoNetwork.