Episode: 3036
Title: HPR3036: WiiU is dead long live WiiU!
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3036/hpr3036.mp3
Transcribed: 2025-10-24 15:31:33

---
This is Hacker Public Radio Episode 3036 for Monday 23 March 2020. Today's show is entitled "WiiU is dead long live WiiU!" It is hosted by Operator and is about 24 minutes long and carries an explicit flag. The summary is "How to Approach Dishmod Communities."

This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. That's HPR15. Better web hosting that's Honest and Fair at AnHonestHost.com.

Hello and welcome to another Hacker Public Radio with your host, Operator. This was going to be kind of a revisit of the Wii U hacking stuff, mainly JGecko, or TCP Gecko formerly. This came back because of my 5-year-old starting to play games, and we have a Lego game that he is getting better at, but, you know, I don't want him to have to struggle and farm for 30,000 bricks or whatever it takes to get. Now I have a saved game that I downloaded. Generally with some of these systems you can mod your system and then download saves, and there'll be repositories of different kinds of saves; for any kind of local based games you can usually find a save file. But I didn't necessarily want to do that in this case, so I did keep that save file, and I'll put links, and, you know, remind myself to put links for the save file. I have a clicky keyboard; you want to excuse me for that.

So the scene has obviously kind of crashed with all the Wii U stuff, and even about the Wii and the Wii U are about at the same level of involvement, but I will say there is a community for Nintendo Homebrew, excuse me, on Discord, and they have a Wii U Assistance channel, 3DS and Switch Assistance channel. Didn't really help me at all. I ended up finding videos, which I'll put in links to videos.

So mainly what happens with the struggles that people have today, when you're trying to do something or figure something out, is this is basic Google-fu. You want to search within a year, and if you get no hits, then good luck. You can specify custom years with advanced, excuse me, advanced searches in Google, but generally I'll do filter by last year and I'll type in whatever I'm typing. With these modding guides and all these modding videos and 999 and cheats and all that stuff you get a lot of clickbait. So my suggestion to anybody trying to mod or soft mod or anything mod is go directly to the horse's mouth, so go to WiiBrew, go to whatever the software, you know, the open source or whatever source software is available, and then kind of go from there and try to figure out what they're doing today, who's using what tools today.

So when I did this years ago, I soft modded my Wii using the Twilight thing, because we had purchased the Twilight CD, and then played around for a little while and realized that you could do cheats, and the way they do cheats is kind of interesting, and I might have mentioned this in the other podcast I did: they have a TCP based cheat app, basically. So it will pull the memory down remotely, or you can poke the memory remotely, and download like cheat files and memory files and stuff like that. So one would think it would actually be easier to do like Ocarina, which the Wii U had. I think they just kind of circumvented all that and said, you know what, since everybody's connected, we have a connected environment, we can have a client that's connected, and they can update cheats and have cheats pulled down from the internet, and everything is kind of gonna be a little bit easier where you have a database of cheats and all that stuff. So I think that was the intention behind some of this as we grow more connected, but I was a little surprised to see that there was a TCP based like memory injection tool, like memory tool, which is kind of fascinating to me. I've never done any of that type of stuff, at least with consoles; in the Windows environment, sure, but it was very interesting to see how some of these worked.

Some had Python scripts that I had to run for a particular game to get like all the items in the game, or to get a certain amount of coins or whatever, or unlock a specific item, and it was a lot of work, and these guys do a lot of work, because it's not just a memory address; sometimes you got to trace down multiple memory addresses to figure out how that item is actually equipped or set up. And the memory address space for any of these guys, especially not on PCs but for, you know, the Wii U especially for me, you can't just dump out the whole address space, because you get like one K per second or something transfer rate, at least over the Wi-Fi for the Wii U. But I'm sure there's some local dumping utilities. I didn't look into it because I managed to finagle what I was trying to do. So my five-year-old's running around and he has to build this bridge, and of course it costs 30,000 blocks, which, with him running around in circles and me not helping him, it would take him like at least 40 hours or more just to earn that many blocks.

So in this game, and I guess newer games, they have blocks and then they have studs; the blocks help you like build certain things and the studs help you kind of buy certain things, I feel like. So he had like, you know, 7,000 blocks and he had to get like 30,000, which would have been very hard to do for the next part of the game. So I started looking back into the TCP Gecko stuff, which is again the kind of remote memory injection utility that they use. And first I, you know, got the jar files, a Java-based deal, and I got it running, and what I remembered back when I first was doing all this stuff, the program that I used to kind of do some of the backups I think was called Mocha. And Mocha was basically injected after or before kind of when the system menu comes up. And then traditionally what you do is you run the TCP Gecko client, which kind of starts a little server in the background, kind of in the kernel or in the memory, and then it allows you to like connect remotely and inject memory directly into the game while you're playing it. But to do that you have to, of course, run it, launch it first, and I don't know if you are old like me, the Game Genie was kind of the thing that kind of gives me that same kind of feeling, where you put in the code before the game starts and then the Game Genie injects itself into the main game. So in this instance I feel like it was giving me errors and crashing and doing whatever and wouldn't load TCP Gecko. So what I found out is that basically I was kind of injecting stuff into the memory for Mocha, and then I was injecting stuff in the memory for TCP Gecko, and they were kind of flapping all over each other. So I pulled Mocha out, which I think is only used for if you're doing backups and maybe, you know, modding or installing WADs or whatever.

And for guides on all this, you know, they're pretty standard: you put in a USB stick and then you run a Bannerbomb and you get remote code execution and you can install the homebrew stuff. And to get there it's a lot quicker, the steps are a lot easier, once the Wii U is kind of deprecated and all the exploits aren't going to be fixed. But to get there there's a lot of guides online; just Google it, but I would say stay away from YouTube videos; use those only for training purposes on what to click and what to get, but don't download a binary link from YouTube and start executing it. Figure out what that program is called and find the git repo for it, and even then, you know, you want to look on the forums and find the official, you know, someone that's got some mod experience or that's got some cloud tips to post those binaries for you, because we're starting to lose staff community, and these links are starting to get old, so you'll have like an old Google Drive link that doesn't work anymore, or, you know, something like that. So be wary of, you know, all these YouTube videos with clickbait in them, and just use the YouTube videos to help you understand how to use the tools, but don't start downloading people's YouTube video links with their binaries and running them, because you never know what kind of garbage is in there. So I know they had
changed it to this JGecko, which is I guess Java based Gecko, and I don't remember it being that name before; I think it was the .NET one when I was playing with it. But anyways, I used it for the Zelda, and there were basic cheat files for all those, so it's a memory address and then a push value and then it's like a title. So I managed to find some cheats for that space for the Lego game; it's called Lego City, and of course I plug them in, they don't work, and then I realized, and I knew from the beginning, that it was for the PAL version, which is a different region. So I'm using the US region and this was cheats for the PAL version. So I then set up again to start trying to do the searching myself, which is extremely slow if you do the whole range of memory. So I tried to do that a couple times and I guess Java got too full, and I tried manipulating the amount of memory in Java for the jar file, which you can do, set it like a maximum amount; my wife's laptop only has like four gigs in it, so I had to do like three gigs and then it seemed to kind of freeze up. So I took a different approach, where I looked at the memory addresses inside of the existing cheats and figured, hey, they're either going to be around there or in that general vicinity, within, you know, a few megs even. So what I did was, without any understanding of math or how to do ranges of hex, I added and subtracted some numbers, or hex, from the lowest value that I saw in the cheat file and then the highest value that I saw. So for example, if the range was one to a thousand and the cheats were like five to twenty, I said, okay, well let me do four to twenty-one, or even like zero to twenty-five, and I picked those ranges and I got lucky and I was able to pull back the information for the bricks and the studs. Now traditionally if you've ever
used any of these local cheat based programs, Cheat Engine's a big one, been around forever, you basically search the memory for the value of whatever it is you're trying to mess with, and then you increment or decrement that value and then search again, and you increment or decrement and then search again, and the theory is that you'll get one or two addresses that have to do with that range, and if you're lucky you can just change that range and modify the game localings and get, you know, 999. And this runs true for, they have Android based ones; the one for Android is called, oh man, defender or defend or... it's got like a gray, it's got like a purple fan; of course it's made in China and I wouldn't run it on any workflow or anything like that, but anyways it works the same way. I think in key K hunter, I think it's called hunter something hunter, and it's all in Japanese or whatever, Chinese, but for Android you obviously have to have root to the device to modify the memory on the fly for like local games, and sometimes internet based games, which is an entirely different topic altogether. So I managed to find these values, poke them, and you can create a cheat file that's easy for people to ingest, and of course took screenshots and everything and then put that up on the forums for, I think it's GBAtemp, or gbatemp.net, which is kind of the long standing Wii modding community. So I put those up there. I did spend a lot of time just doing other things, so I would tell it to search the memory and then run off, and it would be like 33% done and it would just crap out and fail, and a lot of things. And I did a couple of tests just to make sure that what I was doing was actually like working, for lack of a better term. So I put some smaller memory addresses in there and then tried to observe and see that they were moving, and making sure I was getting updated and I had connectivity, which I didn't necessarily need to do, but I was having issues with connectivity, and I think it was just them, or the RAM running out of space, and it would, you know, halt at like 30% or whatever, or some kind of buffer for something, where, you know, it only pulls in so much memory before it kind of craps out. But anyways, kind of a trial and error thing, and I've had some background in doing that, but nothing like crazy, like write my own cheat files or whatever. I'll also post a link
to my Cheat Engine files, .ct files, links. I found two big dumps of Cheat Engine files, which I don't know anything about. And a lot of times you've got like SSL pinning and stuff like that in these games, and they all have their security stack built into them, so you got to do like more memory stuff, and you can't really do a whole lot of inline SSL stuff to decrypt and then like edit your own values. I know I'm kind of going all over the place and I need to get back on topic, but the idea there is there's several ways to kind of modify a game, right? You can go to the server, which is gonna get you in jail; you can go to the server or create your own server, get the code from the server that's been leaked, or if you're lucky they have like an open source server you can run, and then you can modify the source, or at least inject stuff based on other people's work, to do things like have zero gravity or whatever, and then you modify your Xbox to connect to that server instead of another one. And there was a big community around like granted.o and cheating and all that for a while, which they kind of locked down or whatever, but you can hack the server and create your own server based on, you know, either leaked source or open source or reverse engineering of the server binary at some point in time, and you'll see that back in the old days, you'll see old Battle.net servers that, you know, either reverse engineered the whole protocol and made their own Battle.net server, or maybe they got a whole little binary and are using that, and then as the game updates they got geniuses to do all that stuff. And then there's kind of on the wire, which is not as common anymore, because a lot of people encrypt that traffic going over the wire, and when you try to decrypt it, it won't let you decrypt it and the game will just bail. A lot of your phones, things like that, will do the same kind of thing, where if they have this thing called SSL pinning on them, and applications kind of do the same thing, you can't really inject the traffic. But if you're lucky you can install like a root certificate on your device, and if it doesn't have SSL pinning you can do things like modify stuff as it goes across the wire, and even in some cases they'll be using some kind of framework where all the values are hashed, so you see the plain text but the plain text is a hash value, so it'll be like a JSON with like a blob hash, and then you'll see another JSON with another blob hash, and to modify that you can't, there's nothing you can really do except replay other hashes, and if it doesn't match on the other end, the server either traps out or you get a 404 or whatever.

The idea there is there's kind of replay attacks with those types of things, where you can, even if you don't know what the traffic is, and you can get a general idea of what's going on, if you're smart enough, which I'm not, you can do things like replace packets with other packets, or replay packets that you know you want. So for example, you pick up a chest or pick up an item; you can potentially replay that packet and get the same item over and over again, right? Which doesn't really happen that much anymore. More often you'll see instances where you can swap out a hash for another thing. So for example, if you have, as characters, you know, you have five characters in your game, they're sitting across, you're playing this game on your phone, you're sending across these hash values for each character, right, that are bound to something on the server back end. So for example, your strongest character is really expensive and you put the money and/or time into them, because you know we all pay money for premium games, not... you can, there's been instances where you can take that hash value and assign it to the other characters on your team, for example. So it'll be like, you know, my profile or my player, you know, my player group equals whatever, and it's like a JSON with a bunch of hashes. Well, kind of with replay attacks you can put the same hash in there five times and have your uber crazy character basically cloned five times, as far as, you know, either the way they look or the way they operate. But the idea there is that you can kind of replay even if it's encrypted; you can understand how the application works and kind of replay values or replay packets or replay instances. Like for example, if you get a wheel and you spend a wheel or whatever, you can potentially replay that packet back and get whatever you wanted, whatever you were going to get for that wheel, if they didn't do any proper checking on the back end. So I know this is supposed to be more about Wii modding stuff, but I'll
say, you know, use your main tutorials, use YouTube to help you out for understanding how to use the tools. I, you know, I'll be the first person to tell you I'd rather watch a video than read a forum post on how to use a tool, because, you know, the problem with forum posts is that they don't necessarily cater to the common use case, right? They have to get all the caveats out in the way to make sure that if you got some clowns running point 0.02 for a bee of custom firmware for, you know, the little step pad thing that comes with the Wii U, and they have to do something different, then they have to start off with that. And a lot of those caveats are built into these tutorials, and your common use case, run of the mill person, just needs to do the basic thing first, the basic tutorial first, right? And then once they get the tool working, then you can start reverse engineering and understanding, okay, well, this piece of the tool is not really working, I need to figure this out, oh, I missed a step over here because I didn't read the documentation. So, you know, I try to use any kind of video tutorials, any kind of old, you know, videos for stuff; all this stuff kind of had a peak 2017, 2016, '15 for the Wii U stuff. Make sure I'm actually still recording. So I'll say that: use your, like, whatever .nets for your Wii U modding and tutorials. Don't give anybody any money, obviously, unless you want them to help you learn reverse engineering and stuff. Be careful about, you know, downloading any binaries from weird links that aren't like official GBAtemp links, or, you know, off of a GitHub repo, whatever, and then even then, if it's a fork repo, you kind of got to be careful about what you pull down from there too. There's stuff in there about Cheat Engine, so you can, I guess, potentially take in, consume or use Cheat Engine dumps in the TCP Gecko or the JGecko thing, but just kind of interesting, and I didn't have a chance to play around with that, because Cheat Engine is used by a lot of folks to do this type of stuff. I went on the Discord, which I'll put a link into the thing, but I mainly just answered all my own questions. I did research and do some Google-fu about how to, you know, where do I start, what memory addresses do I start at. I tried the big broad ones and, you know, like I said, I got to 33% or so. I then grabbed up, so then I said, okay, well, if the PAL is anywhere close to the regular version, I can add a few bits on either end and hopefully, if I get lucky, I'll find it, and I did get lucky, and that's why I made that little cheat file for the Gecko cheat engine thing. So, follow the guides. Doing a NAND backup, or what they call
is basically a complete backup of your system. So the idea is once you get that code execution you can kind of put in a bootloader or a bootme or a pre-boot system, so where if something happens you can like hit the reset button on your Wii U as it's booting up and it'll boot you into like a place where you can restore a NAND backup if you manage to mangle your different IOSes. And they have the term IOS on Wii, and I think Wii U, where you have different versions of IOS, and if you're trying to play a game sometimes you have to load that version up for that game. And depending on your play style and how you're playing your backups, you know, you don't know if it's kind of gonna work, or maybe something freezes, or you have to add support for something. There's always limitations once you start messing around with the Wii U, that if you start, you know, kind of inundating it with lots of bells and whistles, you start to find out that there's limitations with, you know, how many songs you can import to like Rock Band, right? You can only have like 3,000 or 6,000 at a time, and I pulled down like all 10,000 or something of them and expected to be able to like search through that list; it's not possible, because it only supports like only so much memory for the Wii at runtime that you can put in, you know, the database of all those files. Let's say I looked at the 3DS stuff; that seems pretty complicated right now, it's like a 20 minute video on how to do 3DS modding, but the Wii U stuff is still pretty standard stuff. So it can breathe some life back into your Wii U or your Wii to mod it, play around some games. There's actually, you know, entire like modded add-ons you can have for big games, like Mario Kart has a bunch of add-ons where you can drive around as a giant Yoshi or something, and do silly things in the game that it wasn't particularly designed to do, or drive around as something else, or a lot of custom stuff that you can do that wasn't really there back in the day. That's pretty much it. You know, obviously this will break your license agreement or whatever; of course none of that stuff is supported anyways, I don't think. But, you know, feel free to reach out to me if you have a Wii or Wii U and you need help, you know, soft modding or modding your Wii, and you have a, you know, you have an old Wii lying around and you want to send it to me with some money to buy a drive, and I can send it back to you with everything you need to go to do backups, your own backups and all that stuff. So, anyways, happy hacking, and, you know, let me know if you need anything.
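The two techniques the host describes, narrowing the scan window to a padded range around the addresses in an existing cheat file and then repeating the value search after each in-game change so only the addresses that track the counter survive, as an added Python example that is not part of the episode and is not TCP Gecko or JGecko code. The memory image, the cheat entries, the counter address and the decoy addresses are all constructed for the example; the scan runs over an in-process buffer, not a console.

```python
import struct

# Constructed entries in the shape the host describes for a cheat file
# (memory address, value to poke). These addresses are made up for this
# example and are not taken from any real cheat file or game.
KNOWN_CHEATS = [
    (0x10A02000, 0x0000270F),
    (0x10A02400, 0x00000063),
    (0x10A10000, 0x00000001),
]


def padded_window(entries, pad=0x10000):
    """Search window = [lowest cheat address - pad, highest cheat address + pad).

    This is the 'add a bit on either end' heuristic done in hex: a build for
    another region tends to keep the same variables near the addresses that
    region's cheat file lists, so a padded window is far smaller than all of RAM.
    """
    lo = min(addr for addr, _ in entries)
    hi = max(addr for addr, _ in entries)
    return lo - pad, hi + pad


class MemoryImage:
    """Constructed stand-in for a console RAM region: a byte buffer plus a base address.

    Words are read as 32-bit big-endian, matching the Wii U's PowerPC CPU.
    """

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write32(self, addr, value):
        struct.pack_into(">I", self.buf, addr - self.base, value & 0xFFFFFFFF)

    def read32(self, addr):
        return struct.unpack_from(">I", self.buf, addr - self.base)[0]

    def scan(self, lo, hi, value, step=4):
        """First pass: every aligned word in [lo, hi) that currently equals value."""
        lo = max(lo, self.base)
        hi = min(hi, self.base + len(self.buf))
        return [addr for addr in range(lo, hi, step) if self.read32(addr) == value]


def refine(mem, candidates, new_value):
    """Later passes: keep only candidates that now hold the changed value.

    Each in-game change followed by a re-scan intersects the candidate set, so
    unrelated words that merely shared the starting value fall away.
    """
    return [addr for addr in candidates if mem.read32(addr) == new_value]


def run_example():
    """Constructed scenario: locate a brick counter that starts at 7000."""
    mem = MemoryImage(base=0x10000000, size=0x01000000)  # 16 MiB constructed region
    bricks_addr = 0x10A02200  # hypothetical location of the counter

    mem.write32(bricks_addr, 7000)
    # Decoys: other words that also hold 7000 at the time of the first scan.
    for decoy in (0x10000100, 0x10A03000, 0x10100000):
        mem.write32(decoy, 7000)

    lo, hi = padded_window(KNOWN_CHEATS)
    candidates = mem.scan(lo, hi, 7000)         # decoys outside the window are never read

    mem.write32(bricks_addr, 7050)              # player collects 50 bricks
    mem.write32(0x10A03000, 7050)               # one decoy happens to move the same way
    candidates = refine(mem, candidates, 7050)

    mem.write32(bricks_addr, 6900)              # player spends 150 bricks
    candidates = refine(mem, candidates, 6900)  # the coincidental decoy drops out here
    return (lo, hi), candidates


if __name__ == "__main__":
    window, found = run_example()
    print("window 0x%08X-0x%08X, counter at %s" % (window[0], window[1], [hex(a) for a in found]))
```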

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.