Wii Hacking 101
An Intro to Wii Hacking With WiiRd and the USB Gecko
Last Updated: 7/10/08
Why I Wrote This
This is the first complete guide on Wii Hacking with the USB Gecko by Nuke and WiiRd by Kenobi and Link. I intend this guide to be a place where people can point beginners to.
DO NOT PM me with questions regarding the material in this text or Wii hacking in general. If you want to know why this is bad read this. I recommend that those seeking help visit one of the various forums dedicated to Nintendo systems hacking (I am a member of a few of them).
Welcome back! If you have already read my fist Wii Hacking guide detailing how to hack with the old Gecko Client (1 beta 5), I highly recommend you re-read the sections of this new guide talking about code types and walk yourself through example one again in order to get a feel for how to use the software.
What Happened To The Examples?
In order to clean things up a little and make things quicker to find, I now plan to give each example its own page. If I kept going like this, adding on example after example, this page would become huge!
5/10/08 - Initial release
6/6/08 - Modified guide to cover WiiRd.
7/10/08 - Added code types used in Example 2.
Table Of Contents
The USB Gecko, originally invented by Nuke for the Gamecube, has seen some amazing developments in the past few months that put it on the cutting edge of the Wii homebrew scene and has started the Wii hacking scene. At the time of this writing no commercial company has announced any sort of Wii cheat device aside from Datel's Powersaves. The USB Gecko runs circles around Powersaves by providing a real Cheat Engine with full support for all the code types found in any good cheat device. At the same time WiiRd, the Gecko's first 3rd part client software has just been released boasting a load of new features promising to meet every expectation a hacker would have for a high quality debugger client.
Box shot of Nuke's USB Gecko
Congratulations on your 50$ plunge into the world of game hacking. This tutorial is designed to take you from n00b to hacker with a focus on using Nuke's USB Gecko hardware and Kenobi & Link's 3rd party Gecko Client: WiiRd. I assume you have no previous knowledge of hacking, but you should have Basic to Semi-Advanced computer skills to follow along. You also should have set up your Gecko by now and installed the included drivers. But you can set it aside for now, we need to go over some basics. I am going to borrow from my DS Hacking tutorial for a few things that don't change from system to system. Here we go.
What Is Hexadecimal
If you passed grade school, you can probably count to 10; perhaps higher? You start at 0 and count 1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9.. To get the next number, you start back at 0 and insert a 1 in as the second digit to get 10. Simple, right? What you are counting in is know as a base-10 number system, also called decimal, because there are 10 different numbers per digit. Before we talk about hexadecimal, we should mention a little bit about the number 0.
If I asked you to count to 4 you would probably count: 1.. 2.. 3.. 4.. However, if I asked a computer to count to 4 it would say: 0.. 1.. 2.. 3.. 4.. See the difference. When you work with computers, 0 is just as important as the other numbers. All computer counting counting starts at 0 unless it has been told otherwise. This becomes important when you deal with loops.
Now that you hopefully understand decimal and what it is, lets move to hexadecimal. Hexadecimal, also know as hex, is a base-16 numbering system. That's right, 16 different numbers per digit. So, counting in hex works like this: 0.. 1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9.. A.. B.. C.. D.. E.. F.. There you have it, 16 different numbers per digit. That means that we can represent and number from 0 to 15 with a 1 digit number instead of just 0 to 9 like in decimal. So what if we want to write 16 in hex? Well, it's just like writing 10 in decimal. You reset the first digit back to zero and tack on a 1 in front. So 16 in decimal is actually 10 in hex. So how do I convert between hex and decimal? Simple! On your computer go to Start > Run > calc.exe. Switch it into scientific mode. Now click the radio button that says hex, type a number in, then click the radio button that says decimal. Done. You may also perform the reverse to convert from decimal to hex. So how do I add, subtract, etc? Don't worry, the calculator does all that for you too! It also will perform bitwise operations, although bitwise operations are beyond the scope of this tutorial.
So when do I use hex? All the time in game hacking! Everything is in hex from the values in memory to the codes you will soon create! You may be wondering why the "ancient creators of the computer" decided not to keep things simple and just use decimal. While all that is history and beyond the scope of this tutorial. I will say that is has to do with machine conversion of binary (The 1s and 0s used by machine hardware) to a more "human readable" form. After all which looks more confusing: 0100 1010 or 0x4A ;). BTW, The 0x is just notation to let people know that the number is in hex. 0x4A is the same as just 4A. It is good habit to prefix hex with a 0x
Bits and Bytes
Many people often use the two words interchangeably however they do not mean the same thing. A bit is a 1 or a 0 (base 2 numbering system ;) ). When 8 bits are put together they form a byte as you can see in the example at the end of the last paragraph. Every set of 4 bits makes up 1/2 of a byte or a nibble which is 1 digit of the byte. So from the above, 0100 represents 4 and 1010 represents A. How the conversion is done is beyond the scope of this tutorial but I will show you why there are only 16 different numbers per digit in hex. To understand this you should know some basic statistics. Each bit can be only 1 of 2 different numbers and there are 4 bits per nibble. So 2x2x2x2 or 2^4 = 16. Don't worry if this does not make sense, the only thing you need to know about bits to hack is how big of a hex number they make which we will discuss next.
8 Bit hex numbers are the smallest hex numbers you will be working with during this tutorial. An 8 bit hex number is two digits and looks this 0x4A or just 4A. If you were paying attention above you should know why it is an 8 bit hex number. Because it is made up of 8 bits. Simple! Now let's see if you were really paying attention. How big of a number (in decimal) can an 8 bit hex number hold? Think about how many numbers are in a single hex digit and how many digits are in an 8 bit hex number. The answer to part 1 is 16 and the answer to part 2 is 2. So if you take 16^2, you get 256. So an 8 bit hex number can store anything from 0 - 255. But what if you need to store a larger number? Read on to find out.
16 Bit hex numbers are the next size up. They are 4 digits and can store anything from 0 - 65535. Not much else needs to be said about them.
32 Bit is the largest sized number you will deal with in your hacking. You can hold anything from 0 - 4,294,967,295! That's huge! You can get bigger then 32 bits but I doubt you will ever need to. 24 bit hex numbers are not used for game hacking in case your wondering where they are.
This is the last important concept with hexadecimal. Endianess is also know as the "byte order". Just like the name says, "byte order" determines the order of bytes in memory. Take this 32 Bit number for example. 0xF5 43 AE 01 (I have spaced the individual bytes apart for your convenience). In a "Big-Endian" system, the number would be written as 0xF5 43 AE 01. In a "Little Endian" system, the number would be written like 0x01 AE 43 F5. See the difference? "Little-Endian" flips the byte order so the least significant byte comes first. It is very important to note however that Endianness does NOT affect individual bytes or 8 Bit hex numbers. The Wii is a "Big-Endian" system (no flipping required W00T).
A Note About Wii Memory
Since this guide is geared at absolute beginners, you may be asking yourself what is memory? For our purposes dealing with the Wii, memory is used to store the decompressed executable along with game data and game variables. We will not concern ourselves with the executable or game data, aside from pointers which will be discussed later. The game's variables are our primary focus. Variables are storage containers for game information that reside in memory. Variables on the Wii can be 8, 16, or 32 bits in size. They store information such as how much health you have, how many bullets are in your gun, your kart's speed, and your position on the map. Almost all codes revolve around manipulating the game's variables to achieve effects such as infinite health, ammo, or super speed. How we do this will be discussed later. The Wii actually has 2 banks of memory called MEM1 and MEM2. Each of these banks is further divided into 2 more banks of memory where the upper sub-bank mirrors the lower one (It might be a 2 mirror way as well, I'm not sure). We are not going to concern ourselves with MEM2 since it is used for graphics data. MEM1 contains the important stuff and it ranges from 0x80000000 to 0x817FFFFF for the first sub bank and from 0xC0000000 to 0xC17FFFFF for the second sub bank. There is actually more memory beyond these ranges but it is used to read buttons, operate the sound chip, send network data, etc.
All About Codes
You have probably seen a WiiRd code at some point. They look something like this: 140FCA24 00000001. REMEMBER! EVERYTHING IN A WIIRD CODE IS IN HEX! Most WiiRd codes contain 3 parts. The first two to four digits of the code is the code type (in this case the 04). The code type tells the WiiRd Cheat Engine what to do and how to use the rest of the numbers in the code. In most code types, the second part of the code (in this case 0FCA24) is the address or the location in memory the code will be working with. If you have been paying close attention you may be wondering why the address part of the code is only 6 digits while memory ranges listed in the last paragraph are 8. In the next section we will talk about just that.
The P.O. and the B.A.
So what are these you ask? Well they are acronyms actually. P.O. stands for Pointer Offset and B.A. stands for Base Address. Here's the deal; codes can only be 16-digits long and need to contain a code type, an address, and a value in that order. That means that the digits to represent the code type steal digits from the address. So that if the code type is two digits then the address only gets six digits instead of eight. But that's no good since now only 0x80000000 through 0x80FFFFFF can be addressed. So what if you have an address in the 0x81XXXXXX range? That's where the P.O. comes in. And what about the B.A? Well, we are just going to leave it alone. If we need to make a code so complex that we need to use it I will discuss it then. In case you are curious they both behave the same way but formally there are certain things each should be used for. The idea with the P.O. is you can set it to whatever you want and then when you write to the RAM (or read from it) the address you are reading or writing to gets added to whatever is in the P.O. And you can even do some cooler tricks with the P.O. but I will bring that up when the time is right.
I plan to keep this codes section updated with all the code types I am using in all of my examples. Check back here before you start a new example to become familiar with the code types you will be using.
In order to keep this a bit clean I am going to need to use some notation from the WiiRd code type documentation. If you see [XXXXXXXX] that means that we are not referring to the address or value XXXXXXXX but we are referring to the value stored in memory at address 0xXXXXXXXX. Got it? Next, we have one from coding notation: +=. All you programmers no what this is. If I have X += 2 it is the same as me writing X = X + 2. Those are the only two for now. Make sure you remember those because you will get confused if you don't. Even I had a hard time keeping them straight.
RAM Write Codes
There are three different RAM Write Codes. Which one you use depends on what size of a value you need to write. That's right, we have codes for 8, 16, and 32 bit values. RAM Write codes are the most basic and form the foundation for many complex codes. As their name implies, when run, they will constantly write a value to the RAM. This can be useful for keeping your health full and your gun always loaded. Remember that the address listed in these RAM Write codes gets added to the P.O.
10XXXXXX ZZZZ00YY (Introduced in Ex. 1)
This is the 8-bit value write. 10 is the code type, XXXXXX is the address you want to write to + the address in the P.O., and YY is the value you want to write. The ZZZZs are the number of data to write - 1. Go ahead and just leave these as zeros for now. We might use them later.
12XXXXXX ZZZZYYYY (Introduced in Ex. 1)
This is the 16-bit value write. The ZZZZs are the number of data to write - 1 Go ahead and just leave these as zeros for now. We might use them later.
14XXXXXX YYYYYYYY (Introduced in Ex. 1)
This is the 32-bit value write. 32-bit values are 8 digits long so they take up the whole value portion.
Pointer Offset Codes
These codes modify the P.O. The code type on these types of codes are 4 digits long. It is also worth noting that there is no address portion of these codes since the value the P.O. contains is an address so we just insert 0s for the last 4 digits of what would be the address section.
4A000000 XXXXXXXX (Introduced in Ex. 1)
This code will set whatever you plug into the value portion of the code, the XXXXXXXXs as the P.O.
48000000 XXXXXXXX (Introduced in Ex. 2)
This code will load the value at address XXXXXXXX into the P.O.
These codes are utility codes to aid you in keeping your reads and writes within the safe memory range. Each code below is capable of checking either the B.A. or the P.O. All execution stops if the P.O. and/or B.A are not in the safe zone.
CE000000 XXXXYYYY (Introduced in Ex. 2)
This code will check if the B.A. is in the range given by YYYY > value > XXXX. Execution will stop if this check fails.
DE000000 XXXXYYYY (Introduced in Ex. 2)
This code will check if the P.O. is in the range given by YYYY > value > XXXX. Execution will stop if this check fails.
This code will clear all temporary data that might have been changed during the execution of your code. Use this code if you modify the P.O. or B.A.
E0000000 XXXXYYYY (Introduced in Ex. 2)
If XXXX is not 0000 then the B.A will be set to the value in XXXX. If YYYY is not 0000 then the P.O. will be set to the value in YYYY. This code also acts as an end-if for any open conditionals.
Congratulations for reading through all of that. I know it’s not fun to read about boring stuff like Hex and Code Types but trust me, you'll use every bit of it. So now it's time to move onto the fun stuff: EXAMPLES!!!. Head back out to the GSHI Library and start with Example 1. Please follow along with the examples in order as each will build upon the last.