Cooleli912 / SoftBrew

A hacking tool for the Nintendo Switch.

How to do a switch hack #2

Open Kzksjjsjsj opened 1 year ago

Kzksjjsjsj commented 1 year ago

What you need:
- The Mocha config.
- The latest release of the Homebrew Launcher Installer. You will need to download the payload.zip file.
- The 1.4 release of the Homebrew Launcher. You will need to download the homebrew_launcher.v1.4.zip file.
- The latest release of WUP Installer GX2.
- The latest release of Wii U NAND Dumper.
- The latest release of the Homebrew App Store. You will need to download the wiiu-extracttosd.zip file.
- The latest release of Mocha.
- The latest release of SaveMii Mod.

Instructions

1. Insert your Wii U's SD card into your PC.
2. Copy the contents of the wup_installer_gx2.zip file to the root of your SD card.
3. Copy the contents of the nanddumper.zip file to the root of your SD card.
4. Copy the contents of the wiiu-extracttosd.zip file to the root of your SD card.
5. Copy the contents of the homebrew_launcher.v1.4.zip file to the root of your SD card.
6. Copy the contents of the mocha.zip file to the root of your SD card.
7. Copy the contents of the savemii_mod.zip file to the root of your SD card.
8. Copy the config.ini file to the /wiiu/apps/mocha folder on your SD card.
9. Copy the payload.elf from the payload.zip to the wiiu folder on your SD card.

Final SD card layout:

💾 sd:
┗ 📂 wiiu
  ┣ 📂 apps
  ┃ ┣ 📂 homebrew_launcher
  ┃ ┃ ┣ 📜 homebrew_launcher.elf
  ┃ ┃ ┣ 📜 icon.png
  ┃ ┃ ┗ 📜 meta.xml
  ┃ ┗ (All other apps like disc2app, nanddumper, etc. should be here too)
  ┗ 📜 payload.elf

Cooleli912 commented 1 year ago

Nice, I've done a more barebones approach before though: all you actually need is the JsTypeHax payload file, the Homebrew Launcher, and the Homebrew App Store, which is on the Switch... I also find it weird that Breath of the Wild was released on the Wii U, then was on the Switch in basically no time.

Which means homebrew for the Switch is almost the same as on the Wii U... I think I'm getting somewhere, but I need to look into some more code to find out how the Wii U exploit works.

Kzksjjsjsj commented 1 year ago

Ok, thank you. I will be happy when you get started on the exploit. I had heard that the Wii U is really similar to the Switch, but that thing about Breath of the Wild is kinda strange; don't you think that just doesn't make sense?

Kzksjjsjsj commented 1 year ago

This is how to get the JsTypeHax payload file and how it kinda works.

orboditilt / JsTypeHax payload (README, author: orboditilt)

This is an example payload for JsTypeHax. It simply copies a given statically linked payload (main_hook/main_hook.elf) into memory and installs a "main hook" to jump to it every time an application starts.

Usage

This payload is meant to be used with JsTypeHax, a browser exploit for the Wii U (FW 5.5.2 to 5.5.3). Copy the created code550.bin into the JsTypeHax folder and run the exploit. Read the README of the JsTypeHax repository for more information.

The browser will switch to Mii Maker and from now on load your payload every time you switch to another application.

Overwrite the address 0x0101c56c (our main entry hook) with 0x4E800421 (= bctrl) to override this behaviour. Note: this address is not writeable from user/kernel; you need to either set up a DBAT or disable memory translation temporarily. When disabling memory translation, make sure to use physical addresses; OSEffectiveToPhysical might help there.

Building

Place a project with a Makefile into a subfolder /main_hook that creates a main_hook.elf. Using a .elf directly requires changes to the Makefile. This repository provides a generic .elf as a submodule; see its README for detailed information and usage.

Clone via git clone --recursive URL.

In order to be able to compile this, you need to have devkitPPC installed, with the following pacman packages installed:

pacman -Syu devkitPPC

Make sure the following environment variables are set:

DEVKITPRO=/opt/devkitpro
DEVKITPPC=/opt/devkitpro/devkitPPC

The command make should produce a code550.bin, meant to be used with JsTypeHax.

Technical details

This payload:
- Creates a new stable thread, as the current one is really unstable.
- Kills the browser and waits a bit.
- Performs a kernel exploit and registers the syscalls 0x34/0x35 for kern_read/kern_write. These can be used to register further, completely custom syscalls.
- Registers syscall 0x25 to copy data with memory protection disabled (this is not available in the main_hook.elf payload to be loaded).
- Copies the embedded main_hook.elf to the address it is statically linked to. Currently these sections are supported: .text, .rodata, .data and .bss. In theory this could be placed anywhere, but keep in mind that the memory area may be cleared (like the codegen area, or the whole heap), and it needs to be executable in user mode (even after switching the application). It's recommended to use 0x011DD000...0x011E0000.
- Afterwards the main entry hook is set up to jump to this position on every application switch. You may also have to modify this if the jump turns out to be too big.
- A small function to modify IBAT0 is copied to kernel space and registered as syscall 0x09. This can be used in the loaded .elf. The declaration of this function is extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);.
- The payload switches to Mii Maker.
- The main_hook.elf will be called (and every other time the application is switched, until the hook is reverted).

What this payload offers to the loaded .elf

The loaded main_hook.elf can expect:

- To be called every time the application switches. (Mii Maker has SD access!)
- Syscall 0x09 to be available. Declaration: extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);, call via asm. This function can be used to set IBAT0 to allow the kernel to execute newly created syscalls (the kernel has, for example, no access to 0x011DD000...0x011E0000).
- Syscall 0x34 (kern_read) and 0x35 (kern_write) to be available. Use the following functions to use them:

```c
#include <stdint.h>

/* Read a 32-bit word with kernel permissions (syscall 0x34).
 * r3..r9 carry the arguments, r0 selects the syscall (0x34 << 8),
 * r1 (stack pointer) is saved in the result register across "sc"
 * and restored afterwards; the kernel's return value comes back in r3. */
uint32_t __attribute__((noinline)) kern_read(const void *addr)
{
    uint32_t result;
    asm volatile (
        "li 3,1\n"
        "li 4,0\n"
        "li 5,0\n"
        "li 6,0\n"
        "li 7,0\n"
        "lis 8,1\n"
        "mr 9,%1\n"
        "li 0,0x3400\n"
        "mr %0,1\n"
        "sc\n"
        "nop\n"
        "mr 1,%0\n"
        "mr %0,3\n"
        : "=r"(result)
        : "b"(addr)
        : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"
    );
    return result;
}

/* Write a 32-bit word with kernel permissions (syscall 0x35).
 * Same calling convention as kern_read; the value travels in r5 and
 * the target address in r9. */
void __attribute__((noinline)) kern_write(void *addr, uint32_t value)
{
    asm volatile (
        "li 3,1\n"
        "li 4,0\n"
        "mr 5,%1\n"
        "li 6,0\n"
        "li 7,0\n"
        "lis 8,1\n"
        "mr 9,%0\n"
        "mr %1,1\n"
        "li 0,0x3500\n"
        "sc\n"
        "nop\n"
        "mr 1,%1\n"
        :
        : "r"(addr), "r"(value)
        : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12"
    );
}
```

Credits
- orboditilt: Putting everything together.
- Marionumber1: gx2sploit, the used kernel exploit.
- dimok789: This is based on the Homebrew Launcher Installer.
- Kinnay: for the KernelCopyData function.
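The README pasted above relies on four 32-bit encodings it never spells out: the branch the main entry hook needs to reach the payload (and why that jump can turn out "too big"), the bctrl word 0x4E800421 used to revert the hook, the r0 value the kern_read/kern_write stubs load before `sc`, and the upper/lower pair handed to SC_0x09_SETIBAT0. The block below is an added example written for this thread; it is not code from orboditilt's JsTypeHax payload or from SoftBrew, and it runs on any host because it only builds the words, it never executes them. It assumes the hook is a plain direct `b` instruction (the README does not say which instruction it patches in), and the physical base 0x32000000 and 8 MiB block size in main() are constructed sample values, not Wii U memory map facts.

```c
#include <stdint.h>
#include <stdio.h>

/* Encode a PowerPC I-form "b" (link=0) or "bl" (link=1) from `from` to `to`.
 * The 24-bit LI field holds a word-aligned displacement, so the reach is
 * -32 MiB .. +32 MiB-4; outside that the README's "jump too big" case hits
 * and we return -1 instead of emitting a truncated, wrong instruction. */
int ppc_encode_branch(uint32_t from, uint32_t to, int link, uint32_t *out)
{
    int64_t disp = (int64_t)to - (int64_t)from;
    if (disp & 3)
        return -1;                                   /* not word aligned */
    if (disp < -(1LL << 25) || disp > (1LL << 25) - 4)
        return -1;                                   /* does not fit LI */
    *out = (18u << 26) | ((uint32_t)disp & 0x03FFFFFCu) | (link ? 1u : 0u);
    return 0;
}

/* Decode an XL-form branch and report whether it is bctrl: primary opcode
 * 19, BO=20 (branch always), BI=0, extended opcode 528 (bcctr), LK=1.
 * 0x4E800421 from the README is exactly this word; 0x4E800420 is bctr. */
int ppc_is_bctrl(uint32_t insn)
{
    uint32_t opcd = insn >> 26;
    uint32_t bo   = (insn >> 21) & 0x1Fu;
    uint32_t bi   = (insn >> 16) & 0x1Fu;
    uint32_t xo   = (insn >> 1) & 0x3FFu;
    uint32_t lk   = insn & 1u;
    return opcd == 19 && bo == 20 && bi == 0 && xo == 528 && lk == 1;
}

/* Value the README's stubs load into r0 before "sc": "li 0,0x3400" selects
 * syscall 0x34 and "li 0,0x3500" selects 0x35, i.e. the number sits in
 * bits 15..8 of r0. */
uint32_t ppc_syscall_r0(unsigned num)
{
    return (uint32_t)num << 8;
}

/* Build the (upper, lower) pair for a 32-bit PowerPC BAT register, the two
 * arguments SC_0x09_SETIBAT0 takes. Layout from the 32-bit PowerPC
 * architecture (assumption: the Wii U kernel writes them to IBAT0U/L as-is):
 *   upper = BEPI[31:17] | BL[12:2] | Vs[1] | Vp[0]
 *   lower = BRPN[31:17] | WIMG[6:3] | PP[1:0]
 * BL is the block-length mask, (size / 128 KiB) - 1, for power-of-two sizes
 * from 128 KiB to 256 MiB. Vs=1, Vp=0 makes the block valid in supervisor
 * mode only, which is all the kernel needs to execute a freshly installed
 * syscall body. PP=2 is read/write. Returns -1 for an unsupported size or a
 * base that is not aligned to the block size. */
int ppc_bat_encode(uint32_t ea, uint32_t pa, uint32_t size,
                   unsigned wimg, unsigned pp,
                   uint32_t *upper, uint32_t *lower)
{
    const uint32_t min = 128u * 1024u, max = 256u * 1024u * 1024u;
    if (size < min || size > max || (size & (size - 1)))
        return -1;
    if ((ea & (size - 1)) || (pa & (size - 1)))
        return -1;
    if (wimg > 0xFu || pp > 3u)
        return -1;
    uint32_t bl = (size / min) - 1;
    *upper = (ea & 0xFFFE0000u) | (bl << 2) | 0x2u;
    *lower = (pa & 0xFFFE0000u) | ((uint32_t)wimg << 3) | pp;
    return 0;
}

int main(void)
{
    uint32_t hook = 0, upper = 0, lower = 0;
    /* Hook at 0x0101c56c branching to the README's recommended payload area. */
    if (ppc_encode_branch(0x0101c56cu, 0x011DD000u, 0, &hook) == 0)
        printf("hook word: 0x%08X\n", hook);
    printf("0x4E800421 is bctrl: %d\n", ppc_is_bctrl(0x4E800421u));
    printf("r0 for syscall 0x34: 0x%04X\n", ppc_syscall_r0(0x34));
    /* Constructed sample: 8 MiB block, physical base made up for the demo. */
    if (ppc_bat_encode(0x01000000u, 0x32000000u, 8u << 20, 0, 2,
                       &upper, &lower) == 0)
        printf("IBAT0 upper=0x%08X lower=0x%08X\n", upper, lower);
    return 0;
}
```

The range check in ppc_encode_branch is the practical point: if the payload is linked somewhere more than 32 MiB from the hook, a direct branch cannot reach it and the hook has to be rewritten as a load into CTR followed by bctr, which is what the README's "modify this if the jump turns out to be too big" is about. ppc_bat_encode rejects unaligned bases because a BAT block must start on a multiple of its own size; the recommended 0x011DD000 area is not 8 MiB-aligned, so the block covering it must start lower.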

Cooleli912 commented 1 year ago

How it works

From what I understand currently, the Wii U legacy exploit works by using a bunch of vulnerable areas of the OS. After it has managed to almost complete its task, it switches to Mii Maker to get access to the SD card of the system. And that's why it doesn't work with USB storage devices, because Mii Maker doesn't support USB storage devices.

The Problem

The JsTypeHax payload runs through Mii Maker, so we need to find a new weakness. This is gonna have to go through a lot of testing, but I think what I wanna try first is to get a homebrew launcher running.

The Hope

Almost every console Nintendo has ever made has been homebrewed through software, a disc, or a flashcart. When has a console ever not had a weak spot in the software? Well, multiple, but that was when we didn't have internet right on our consoles or SD card slots.

If you find anything new then please tell me.

Kzksjjsjsj commented 1 year ago

I wonder if you could do something with the secret browser through the DNS to get to where you could download things, and if you could hack it from there.

Kzksjjsjsj commented 1 year ago

Because if you can download things from there, you could probably get the Homebrew Launcher on there by downloading it. I don't know if there is an exploit you can use. Can't we just try and use the Mii creator for the hack? There is a Mii creator on the Nintendo Switch, but not an app like Mii Maker. Just wondered; let me know if you need to know how to get to the Mii creator on the Nintendo Switch.

christhgreat1 commented 1 year ago

Hi, my name is Chris. The other one you were talking to was Brayden. Can you please tell me when it is ready to use? I want to try it out as soon as possible.

Cooleli912 commented 10 months ago

> Hi, my name is Chris. The other one you were talking to was Brayden. Can you please tell me when it is ready to use? I want to try it out as soon as possible.

Hello, I have been working for a while and still haven't come across anything that could help exactly. However, I did find that game engines can work on the Switch web browser, which gives me some hope that JavaScript exploitation is still possible. I am working on attempting to download a script to the target and run that script; I am thinking of returning to this project.