Wii Hacking 101
An Intro to Wii Hacking With
WiiRd and the USB Gecko
By dexter0
Last Updated: 7/10/08
Why I Wrote This
This is the first complete guide on Wii Hacking with the USB Gecko by Nuke and WiiRd by Kenobi and Link. I intend this guide to be a place
where people can point beginners to.
Quick Note
DO NOT PM me with questions regarding the material in this text or Wii hacking in general. If you want to know why this is bad
read this. I recommend that those seeking help visit one of the
various forums dedicated to Nintendo systems hacking (I am a member of a few of
them).
>>>>Returning
Readers<<<<
Welcome back! If you have already read my fist Wii
Hacking guide detailing how to hack with the old Gecko Client (1 beta 5), I
highly recommend you re-read the sections of this new guide talking about code
types and walk yourself through example one again in order to get a feel for
how to use the software.
What Happened To The Examples?
In order to clean things up a little and make things quicker to find, I now
plan to give each example its own page. If I kept going like this, adding on
example after example, this page would become huge!
Changelog
5/10/08 - Initial release
6/6/08 - Modified guide to cover WiiRd.
7/10/08 - Added code types used in Example 2.
Table Of Contents
The USB Gecko, originally invented by Nuke
for the Gamecube, has seen some amazing developments
in the past few months that put it on the cutting edge of the Wii homebrew scene and has started the Wii
hacking scene. At the time of this writing no commercial company has announced
any sort of Wii cheat device aside from Datel's Powersaves. The USB Gecko
runs circles around Powersaves by providing a real
Cheat Engine with full support for all the code types found in any good cheat
device. At the same time WiiRd, the Gecko's first 3rd
part client software has just been released boasting a load of new features
promising to meet every expectation a hacker would have for a high quality
debugger client.
Box shot of Nuke's USB Gecko
This Tutorial
Congratulations on your 50$ plunge into
the world of game hacking. This tutorial is designed to take you from n00b to
hacker with a focus on using Nuke's USB Gecko hardware and Kenobi & Link's
3rd party Gecko Client: WiiRd. I assume you have no
previous knowledge of hacking, but you should have Basic to Semi-Advanced
computer skills to follow along. You also should have set up your Gecko by now
and installed the included drivers. But you can set it aside for now, we need to go over some basics. I am going to borrow
from my DS Hacking tutorial for a few things that don't change from system to
system. Here we go.
Counting
with 16
----------------
An
Introduction to Hexadecimal
What Is Hexadecimal
If you passed grade school, you can
probably count to 10; perhaps higher? You start at 0 and count 1.. 2.. 3.. 4..
5.. 6.. 7.. 8.. 9.. To get
the next number, you start back at 0 and insert a 1 in as the second digit to
get 10. Simple, right? What you are counting in is
know as a base-10 number system, also called decimal, because there are 10
different numbers per digit. Before we talk about hexadecimal, we should
mention a little bit about the number 0.
If I asked you to count to 4 you would
probably count: 1.. 2.. 3.. 4.. However, if I asked a computer to count to 4 it would
say: 0.. 1.. 2.. 3.. 4.. See
the difference. When you work with computers, 0 is just as important as the
other numbers. All computer counting counting
starts at 0 unless it has been told otherwise. This becomes important
when you deal with loops.
Now that you hopefully understand decimal
and what it is, lets move to hexadecimal. Hexadecimal,
also know as hex, is a base-16 numbering system. That's right, 16 different
numbers per digit. So, counting in hex works like this: 0..
1.. 2.. 3.. 4.. 5.. 6.. 7.. 8.. 9..
A.. B.. C.. D.. E.. F.. There you have it, 16 different numbers per digit. That
means that we can represent and number from 0 to 15 with a 1 digit number
instead of just 0 to 9 like in decimal. So what if we want to write 16 in hex?
Well, it's just like writing 10 in decimal. You reset the first digit back to
zero and tack on a 1 in front. So 16 in decimal is
actually 10 in hex. So how do I convert between hex and decimal? Simple! On
your computer go to Start > Run > calc.exe. Switch it into scientific
mode. Now click the radio button that says hex, type a number in, then click the radio button that says decimal. Done. You may also perform the reverse to convert from
decimal to hex. So how do I add, subtract, etc? Don't worry,
the calculator does all that for you too! It also will perform bitwise
operations, although bitwise operations are beyond the scope of this tutorial.
So when do I use hex? All the time in game
hacking! Everything is in hex from the values in memory to the codes you will
soon create! You may be wondering why the "ancient creators of the
computer" decided not to keep things simple and just use decimal. While
all that is history and beyond the scope of this tutorial. I will say that is
has to do with machine conversion of binary (The 1s and 0s used by machine
hardware) to a more "human readable" form. After all which looks more
confusing: 0100 1010 or 0x4A ;). BTW, The 0x is just
notation to let people know that the number is in hex. 0x4A is the same as just
4A. It is good habit to prefix hex with a 0x
Bits and Bytes
Many people often use the two words
interchangeably however they do not mean the same thing. A bit is a 1 or a 0
(base 2 numbering system ;) ). When 8 bits are put
together they form a byte as you can see in the example at the end of the last
paragraph. Every set of 4 bits makes up 1/2 of a byte or a nibble which is 1
digit of the byte. So from the above, 0100 represents 4 and
1010 represents A. How the conversion is done is beyond the scope of
this tutorial but I will show you why there are only 16 different numbers per
digit in hex. To understand this you should know some basic statistics. Each
bit can be only 1 of 2 different numbers and there are 4 bits per nibble. So 2x2x2x2 or 2^4 = 16. Don't worry
if this does not make sense, the only thing you need to know about bits to hack
is how big of a hex number they make which we will discuss next.
8 Bit hex numbers are the smallest hex
numbers you will be working with during this tutorial. An 8 bit hex number is
two digits and looks this 0x4A or just 4A. If you were paying attention above
you should know why it is an 8 bit hex number. Because it is
made up of 8 bits. Simple! Now let's see if you were really paying
attention. How big of a number (in decimal) can an 8 bit hex number hold? Think
about how many numbers are in a single hex digit and how many digits are in an
8 bit hex number. The answer to part 1 is 16 and the answer to part 2 is 2. So
if you take 16^2, you get 256. So an 8 bit hex number can store anything from 0
- 255. But what if you need to store a larger number? Read on to find out.
16 Bit hex numbers are the next size up.
They are 4 digits and can store anything from 0 - 65535. Not much else needs to
be said about them.
32 Bit is the largest sized number you
will deal with in your hacking. You can hold anything from 0 - 4,294,967,295!
That's huge! You can get bigger then 32 bits but I doubt you will ever need to.
24 bit hex numbers are not used for game hacking in case your wondering where
they are.
Endianess
This is the last important concept with
hexadecimal. Endianess is also know
as the "byte order". Just like the name says, "byte order"
determines the order of bytes in memory. Take this 32 Bit number for example. 0xF5
43 AE 01 (I have spaced the individual bytes apart for your convenience). In a
"Big-Endian" system, the number would be
written as 0xF5 43 AE 01. In a "Little Endian"
system, the number would be written like 0x01 AE 43 F5. See the difference?
"Little-Endian" flips the byte order so the
least significant byte comes first. It is very important to note however that Endianness does NOT affect individual bytes or 8 Bit hex
numbers. The Wii is a "Big-Endian"
system (no flipping required W00T).
WiiRd Code Types
----------------
Speaking
The WiiRd Language
A Note About
Wii Memory
Since this guide is geared at absolute
beginners, you may be asking yourself what is memory? For our purposes dealing
with the Wii, memory is used to store the
decompressed executable along with game data and game variables. We will not
concern ourselves with the executable or game data, aside from pointers which
will be discussed later. The game's variables are our primary focus. Variables
are storage containers for game information that reside in memory. Variables on
the Wii can be 8, 16, or 32 bits in size. They store
information such as how much health you have, how many bullets are in your gun,
your kart's speed, and your position on the map. Almost all codes revolve
around manipulating the game's variables to achieve effects such as infinite
health, ammo, or super speed. How we do this will be
discussed later. The Wii actually has 2 banks
of memory called MEM1 and MEM2. Each of these banks is further divided into 2
more banks of memory where the upper sub-bank mirrors the lower one (It might
be a 2 mirror way as well, I'm not sure). We are not going to concern ourselves
with MEM2 since it is used for graphics data. MEM1 contains the important stuff
and it ranges from 0x80000000 to 0x817FFFFF for the first sub bank and from
0xC0000000 to 0xC17FFFFF for the second sub bank. There is actually more memory
beyond these ranges but it is used to read buttons, operate the sound chip,
send network data, etc.
All About
Codes
You have probably seen a WiiRd code at some point. They look something like this:
140FCA24 00000001. REMEMBER! EVERYTHING IN A WIIRD CODE IS IN HEX! Most WiiRd codes contain 3 parts. The first two to four digits of the code is the code type (in this case the 04).
The code type tells the WiiRd Cheat Engine what to do
and how to use the rest of the numbers in the code. In most code types, the
second part of the code (in this case 0FCA24) is the address or the location in
memory the code will be working with. If you have been paying close attention
you may be wondering why the address part of the code is only 6 digits while
memory ranges listed in the last paragraph are 8. In the next section we will
talk about just that.
The P.O. and the B.A.
So what are these you ask? Well they are acronyms actually. P.O. stands for
Pointer Offset and B.A. stands for Base Address. Here's the deal; codes can
only be 16-digits long and need to contain a code type, an address, and a value
in that order. That means that the digits to represent the code type steal
digits from the address. So that if the code type is two digits then the
address only gets six digits instead of eight. But that's no good since now
only 0x80000000 through 0x80FFFFFF can be addressed. So what if you have an
address in the 0x81XXXXXX range? That's where the P.O. comes in. And what about the B.A? Well, we are just going to leave it
alone. If we need to make a code so complex that we need to use it I will
discuss it then. In case you are curious they both behave the same way but
formally there are certain things each should be used for. The idea with the
P.O. is you can set it to whatever you want and then when you write to the RAM
(or read from it) the address you are reading or writing to gets added to
whatever is in the P.O. And you can even do some cooler tricks with the P.O.
but I will bring that up when the time is right.
I plan to keep this codes section updated
with all the code types I am using in all of my examples. Check back here
before you start a new example to become familiar with the code types you will
be using.
Notation
In order to keep this a bit clean I am going to need to use some notation from
the WiiRd code type documentation. If you see
[XXXXXXXX] that means that we are not referring to the address or value XXXXXXXX
but we are referring to the value stored in memory at address 0xXXXXXXXX. Got
it? Next, we have one from coding notation: +=. All you
programmers no what this is. If I have X += 2 it is the same as me
writing X = X + 2. Those are the only two for now. Make sure you remember those
because you will get confused if you don't. Even
I had a hard time keeping them straight.
RAM Write Codes
There are three different RAM Write Codes. Which one you use depends on what
size of a value you need to write. That's right, we
have codes for 8, 16, and 32 bit values. RAM Write codes are the most basic and
form the foundation for many complex codes. As their name implies, when run,
they will constantly write a value to the RAM. This can be useful for keeping
your health full and your gun always loaded. Remember that the address listed
in these RAM Write codes gets added to the P.O.
10XXXXXX ZZZZ00YY (Introduced in Ex. 1)
This is the 8-bit value write. 10 is the code type, XXXXXX is the address you
want to write to + the address in the P.O., and YY is
the value you want to write. The ZZZZs are the number
of data to write - 1. Go ahead and just leave these as zeros for now. We might
use them later.
12XXXXXX ZZZZYYYY (Introduced in Ex. 1)
This is the 16-bit value write. The ZZZZs are the
number of data to write - 1 Go ahead and just leave these as zeros for now. We
might use them later.
14XXXXXX YYYYYYYY (Introduced in Ex. 1)
This is the 32-bit value write. 32-bit values are 8 digits long so they take up
the whole value portion.
Pointer Offset Codes
These codes modify the P.O. The code type on these types of codes are 4 digits long. It is also
worth noting that there is no address portion of these codes since the value
the P.O. contains is an address so we just insert 0s for the last 4 digits of
what would be the address section.
4A000000 XXXXXXXX (Introduced in Ex. 1)
This code will set whatever you plug into the value portion of the code, the XXXXXXXXs as the P.O.
48000000 XXXXXXXX (Introduced in Ex. 2)
This code will load the value at address XXXXXXXX into the P.O.
These codes are utility codes to aid you in keeping your reads and writes
within the safe memory range. Each code below is capable of checking either the
B.A. or the P.O. All execution stops if the P.O. and/or B.A are not in the safe
zone.
CE000000 XXXXYYYY (Introduced in Ex. 2)
This code will check if the B.A. is in the range given by YYYY > value >
XXXX. Execution will stop if this check fails.
DE000000 XXXXYYYY (Introduced in Ex. 2)
This code will check if the P.O. is in the range given by YYYY > value >
XXXX. Execution will stop if this check fails.
Terminators
This code will clear all temporary data that might
have been changed during the execution of your code. Use this code if you
modify the P.O. or B.A.
E0000000 XXXXYYYY (Introduced in Ex. 2)
If XXXX is not 0000 then the B.A will be set to the value in XXXX. If YYYY is
not 0000 then the P.O. will be set to the value in YYYY. This code also acts as
an end-if for any open conditionals.
What's
Next?
----------------
Onto
The Examples..
Congratulations for reading through all of
that. I know it’s not fun to read about boring stuff like Hex and Code Types
but trust me, you'll use every bit of it. So now it's time to move onto the fun
stuff: EXAMPLES!!!. Head back out to the GSHI Library
and start with Example 1. Please follow along with the examples in order as
each will build upon the last.