Actual implementation (base ROP chain to ACE) of the exploit Kinnay found in the WiiU version of Mario Kart 8. Running this will boot the homebrew launcher.
Requirements
- A WiiU
- Two NNIDs logged into your WiiU
- A computer on the same local network as the console
README, for real
- The exploit may not work on the first try (~85% success rate)
- Do not run any homebrew using memory before launching MK8 (like TCPGecko, Cafiine or Diibugger)
How to use
- Edit exploit.py and fill in your Nintendo Network IDs and console information
- Edit main_exploit.py and fill in the local IP address of your computer
- Run make to build the payload0 binary (you need devkitPro + devkitPPC)
- On your WiiU, log in with the victim NNID
- Open MK8, go online and host a private match, stay in the "earth menu", make sure you're alone in the room
- Start stage0.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER
- Wait for the game to reboot and rehost a private match, stay in the "earth menu", make sure you're alone in the room
- Start stage1.py and press ENTER (leave it in the background), then start main_exploit.py and press ENTER
- It should open the HOME Menu, return to the WiiU Menu, and tadaa, magic, you're on the HBL
Credits
- Kinnay for the Nintendo Clients library that allows us to communicate with NEX game servers and their protocols.
- Maschell for working with me on this exploit (and being as addicted as I was while doing this); there was a lot of co-operation
- Rambo6Glaz / NexoCube / TheBrick for working on this, and for all the chains here.
- wiiu-env for the payload_loader that's inside payload0/main_hook.h
by NexoDevelopment.