Nintendo Pinky's Wii-U Tutorials

I know u can downgrade everything if u have no entry point by way of a hard mod. there's a tutorial on it on temp. I think the important thing is to have the otp. it's what can decrypt a NAND dump if u don't already have one. it's very important to keep that safe, but u probably already knew that. ;) anyway, I think downgrading the browser involves using wup installer or maybe even ftpii everywhere/wupclient, so u don't have to break down the system and install a teensy to do it.. u might look around on there to see how it's done or even if it can be since I only skimmed a thread in which someone shows a video of doing it. he's a credible member though, Ricardo I think is his name, so u might look that up. I may have spelled his name wrong, but it's something like that.
 
btw, @Joonie , u need to make sure updates r blocked even if downgrading only the browser. I asked on temp, and someone told me that the system will try to forcibly update the browser if u don't do that even if everything else is updated. there's a way to update everything but the browser using wup installer, so u may need to download the downgraded browser elsewhere. I'm not sure if nus only downloads the updated versions of the system software or not. with that, u can decrypt or possibly install the browser. I think Ricardo is using ftpii everywhere, so the software is most likely decrypted.
 
I'll save some hassles until things get easier, I don't need an extra entry point anyways


 
I'm trying to see if there's a way to spoof it. that's a sort of advanced question. I think someone on temp might know. if I understand it correctly, the version number is in the tmd file. it might be elsewhere, but I think that's the main file. I did some reading on the files used in installation, and that's what I remember anyway.
 
The system titles can be repacked after changing version number or sth, but it may be risky without CBHC, since it will be fakesigned or debug signed

Ah, or it can just be patched after installing the legit one.

I know system titles are also compressed like the 1st party wiiu games (botw and mk8)

 
yeah, they're compressed and encrypted. the system version number is in a file called version.bin I believe with two xml files associated with it. I'm not sure what's inside the installable files exactly, but the ticket file is what decrypts it. I think the tmd is associated with the .h3 files in some way. and the .app files r the game/app content. u may only need a legit ticket to resign the files. that's all u need with game files as far as I know. I wrote a tutorial on getting rid of a fake ticket using a hex editor. it's pretty easy to do, and I learned it from a member of temp when I had to delete a fake ticket. if u try to install a game or an app with a fake ticket, it will fail on ofw. it won't on cfw which is how I think some haxchi installs of legit titles ended up bricking a system when installing cbhc. the fake ticket sometimes remains even after deleting the game which was the case for me. if the fake ticket is first in the .tik bucket, the game or app will fail install on ofw. it can still reside deeper in .tik bucket and not be used as long as the legit ticket is first. I'd still recommend deleting the fake ticket though just in case especially if it's going to be a cbhc title. dlc and downloadable games all require fake tickets, but legit tickets can be used with retail games like breath of the wild. however, that's only if ur pirating the content. u should have a legit ticket for the content otherwise. that seems to be tied to the console and to the profile that purchased the content, so it can't be reused on another console.
 
I'm wondering if the .tmd file is also responsible for telling the ticket where to go in the ticket bucket. when I discovered the location of the crunchy roll ticket (mentioned a few posts back), I also looked up other tickets in the same .tik file. twilight princess' ticket was in the same bucket as crunchy roll's iirc. there seems to be no logical pattern to where tickets end up, but the same tickets seem to end up in the same .tik bucket though, so I'm wondering if one of the install files is responsible for this. there's also a metadata indexer that I was told was on the root of either the slc or mlc partition. how does it get that information I wonder?

btw, I read on temp that the ticket is instantaneously downloaded to the system the moment u purchase something, so u could download a game using usb helper and replace the fake ticket with the legit one. install. then, remove the fake ticket. or u could use the legit ticket in place of the fake one, and install it that way. the system won't know the difference. this was an issue for people trying to install haxchi but getting studded by the 5.5.2 update being in the queue not allowing them to download the game without downloading the update first. that was the recommendation anyway which is what led me to believe that's all u need - a legit ticket.
 
looks like the member's name is Ryccardo. @Joonie. he's the one I saw a video of downgrading the browser. I'm not sure if u have to have cbhc for it. apparently, Nintendo messed up to where the system can't determine the integrity of installed apps. I read about something like that on wiiubrew. there's actually an article talking about the exploits for each boot level including boot0, the equivalent of lv0 on the ps3.
 
new from Eyekey on temp: the ability to install haxchi on 5.5.2 if u have none. u need ur seeprom and ur otp (can be given to u by someone else). poor Nintendo. lmao!
 
Seeprom is per console right? Still not quite useful stage yet


 
yes. it seems to be related to the usb drive in some way as the value changes whenever u reformat the drive. it changes by a value of 1 is what I've read.
 
I'd suggest anyone on 5.5.2 to dump their otp and seeprom just in case something happens to the haxchi install. otherwise, there's no way to hack the wii u side of the system. u can do this with eyekey's tools on temp. u might want to dump the NAND as well. the NAND is only necessary, though, if u don't have the otp which can be retrieved from someone else. it allows u to decrypt the NAND in case of a brick.
 
does anyone have the documentation for system config tool? it was on a website, but it seems to have disappeared. the website is still active and describes the various wii u hacks, just that documentation no longer exists for some reason.
 
I just posted this on temp. I "think" this works, but if u have a pending system update, and it constantly tries to install before a game download (haxchi), u can install the game with usb helper. the legit ticket is downloaded the moment u select purchase, and it overrides any pending downloads including that of the game. now, install the game with usb helper, then delete the fake ticket as per my tutorial. test first since I believe this works, but I don't know for sure.

an easier method that may work is to go to the madridi site. he's a member of temp who hosts a hacking site for the wii u. it will let u delete incomplete updates. I forgot the url as I've only seen it once (last night), so it's on temp. it may or may not work depending on if the update has downloaded at all. delete the update folder once this is done. deleting the update folder with a pending update download doesn't seem to work or so I've heard.

edit: nm. here it is. I skimmed through his post history:

Code:
https://madridi7.github.io/WiiU/index540-551.html
 
does anyone want a haxchi tutorial? I'm not sure what to put into it though since haxchi is largely automated aside from dropping the haxchi app on to the sd card. :-p cbhc would be the same process mostly except with a bunch of warnings.

also, I think I may have found a couple bugs when using custom themes on the virtual wii. I play the wii u daily, and I've run some tests on it. I think the custom theme may be responsible for slowly corrupting ios 80 which I think is what the theme is applied to. it's the home menu basically. from what I understand, about how the virtual wii/wii works, is that each ios is stand alone with redirects given to other ios like ios 80. now, the bug I'm talking about involves bluetooth and screen tilting. what happens is that randomly my pro controller will lose its sync if entering the virtual wii. I don't mean it not working in the virtual wii, but it loses its sync in wii u mode after opening the virtual wii. I'm not sure if this is attributed to the wiimote or just opening the virtual wii though. I really should test that.

another bug I uncovered involves the screen tilting at an angle whenever u open the virtual wii. also, about this custom theme, this is the new method of applying themes, not the ones for the original wii. those themes will brick ur virtual wii if used. this is just a word of warning when using custom themes. it's not such a big deal. the pro controller can be resynced since I did test it only on the wii u and no dropped sync occurred. as for the screen tilt, this can be corrected by leaving the virtual wii and reopening it.

edit: I have a backup of the .app file responsible for the theme, so I can reapply it via ftpii everywhere.
 
@Joonie ,

Code:
https://gbatemp.net/threads/webhack-on-5-5-2.480938/page-2#post-7515194

a new webkit exploit. it's pretty unstable from what I've read, but it works just in case u need it.
 
for anyone interested, I've read that the exploit seems to be more stable if self-hosting which I wrote a tutorial for. it's really very simple to do. there's also a python method to self-hosting with its tutorial being on temp. I've heard of people spending hours if not a full day trying to get the exploit to work if going by a website, but it seems to work much better by self-hosting. that's the way I've always done it even on the 5.3.2 days when u'd get a lot of "race attack failed" errors requiring a reset. however, I usually didn't always do that. I just kept trying 'til it succeeded. it didn't take hours or anything, but sometimes it would frustrate u. lol. on 5.5.1, self-hosting (perhaps websites too) the success rate is about 100%, so hopefully this gets that way as well. it took a while for it to become that reliable (perhaps a year or more).
 
apparently, websites (not self-hosting) r at 50% reliability (now). try here:

Code:
http://stupiid.ovh/
 
that's "now" unlike 24 hours ago. btw, the web exploit works on 5.5.1, so if anyone is willing to test.. I haven't gotten around to it myself.

edit: also, it looks like I was wrong. mongoose works with 5.5.2, so my guide is still relevant. I thought it was a lack of php support that caused it no longer to work or maybe that's just with 5.5.1?
 