Replace men.rpx with .rpx from sd card when reloading the iosu/ppc. Fixes returning from the settings.

2024-07-01 05:36:05 +02:00 · 2020-06-21 00:04:10 +02:00 · 2020-06-21 00:04:10 +02:00 · 36ac8626f0
commit 36ac8626f0
parent da9f12f6ef
6 changed files with 72 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -3,7 +3,7 @@ This a lite version of the [original mocha](https://github.com/dimok789/mocha) t

 ## Usage
 Place the `00_mocha.rpx` in the `sd:/wiiu/modules/setup` folder and run the [SetupPayload](https://github.com/wiiu-env/SetupPayload).
-
+Requires [PayloadFromRPX](https://github.com/wiiu-env/PayloadFromRPX) as `sd:/wiiu/root.rpx` to support returning from the system settings.

 ## Patches
 - You can also place a RPX as `men.rpx` in the `sd:/wiiu` folder which will replace the Wii U Menu.
--- a/source/ios_kernel/source/instant_patches.c
+++ b/source/ios_kernel/source/instant_patches.c
@ -71,6 +71,9 @@ void instant_patches_setup(void) {
    *(volatile u32 *) (0x050254D6 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x050254D6, MCP_LoadFile_patch);
    *(volatile u32 *) (0x05025242 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05025242, MCP_ioctl100_patch);

+    *(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
+    *(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
+
    // change system.xml to syshax.xml
    /*
    *(volatile u32*)mcp_rodata_phys(0x050600F0) = 0x79736861; // ysha
--- a/source/ios_kernel/source/ios_mcp_patches.c
+++ b/source/ios_kernel/source/ios_mcp_patches.c
@ -51,6 +51,9 @@ void mcp_run_patches(u32 ios_elf_start) {
    section_write_word(ios_elf_start, 0x050254D6, THUMB_BL(0x050254D6, MCP_LoadFile_patch));
    section_write_word(ios_elf_start, 0x05025242, THUMB_BL(0x05025242, MCP_ioctl100_patch));

+    section_write_word(ios_elf_start, 0x0501dd78, THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch));
+    section_write_word(ios_elf_start, 0x051105ce, THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch));
+
    // change system.xml to syshax.xml
    section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha
    section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm
--- a/source/ios_mcp/source/mcp_loadfile.c
+++ b/source/ios_mcp/source/mcp_loadfile.c
@ -21,6 +21,7 @@
 #include "../../common/ipc_defs.h"
 #include "fsa.h"
 #include "svc.h"
+#include "utils.h"
 #include <string.h>

 int (*const real_MCP_LoadFile)(ipcmessage *msg) = (void *) 0x0501CAA8 + 1; //+1 for thumb
@ -62,10 +63,8 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
    int replace_fileoffset = rep_fileoffset;
    char *replace_path = rpxpath;

-    skipPPCSetup = true;
-
    if (strncmp(request->name, "men.rpx", strlen("men.rpx")) == 0) {
-        //replace_path = "wiiu/root.rpx";
+        replace_path = "wiiu/root.rpx";
        if (skipPPCSetup) {
            replace_path = "wiiu/men.rpx";
        }
@ -89,7 +88,7 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
            didrpxfirstchunk = false;
        }

-        // if we don't explicitly replace files, we do want replace the Healt and Safety app with the HBL
+        // if we don't explicitly replace files, we do want replace the Health and Safety app with the HBL
        if (!doWantReplaceRPX) {
            replace_path = "wiiu/apps/homebrew_launcher/homebrew_launcher.rpx";
            replace_target = LOAD_FILE_TARGET_SD_CARD;
@ -125,8 +124,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
    if (path == NULL) {
        return 0;
    }
-
-
    char filepath[256];
    memset(filepath, 0, sizeof(filepath));
    strncpy(filepath, path, sizeof(filepath) - 1);
@ -153,7 +150,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
    int result = MCP_DoLoadFile(filepath, NULL, buffer_out, buffer_len, pos + fileoffset, &bytesRead, 0);
    //log("MCP_DoLoadFile returned %d, bytesRead = %d pos %d \n", result, bytesRead, pos + fileoffset);

-
    if (result >= 0) {
        if (!bytesRead) {
            return 0;
@ -168,6 +164,43 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
    return result;
 }

+int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) {
+    int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
+
+    int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
+
+
+    if (!skipPPCSetup) {
+        if (xmlData->titleId == 0x0005001010040000 ||
+            xmlData->titleId == 0x0005001010040100 ||
+            xmlData->titleId == 0x0005001010040200) {
+
+            xmlData->codegen_size = 0x02000000;
+            xmlData->codegen_core = 0x80000001;
+            xmlData->max_codesize = 0x02800000;
+            /*
+            xmlData->max_size = 0x40000000;
+            xmlData->max_codesize = 0x00800000;
+            xmlData->avail_size = 0;
+            xmlData->overlay_arena = 0;
+            for (uint32_t i = 0; i < 19; i++) {
+                xmlData->permissions[i].mask = 0xFFFFFFFFFFFFFFFF;
+            }
+            xmlData->default_stack0_size = 0;
+            xmlData->default_stack1_size = 0;
+            xmlData->default_stack2_size = 0;
+            xmlData->default_redzone0_size = 0;
+            xmlData->default_redzone1_size = 0;
+            xmlData->default_redzone2_size = 0;
+            xmlData->exception_stack0_size = 0x00001000;
+            xmlData->exception_stack1_size = 0x00001000;
+            xmlData->exception_stack2_size = 0x00001000;
+            */
+        }
+    }
+
+    return res;
+}

 /*  RPX replacement! Call this ioctl to replace the next loaded RPX with an arbitrary path.
    DO NOT RETURN 0, this affects the codepaths back in the IOSU code */
--- a/source/ios_mcp/source/mcp_loadfile_asm.s
+++ b/source/ios_mcp/source/mcp_loadfile_asm.s
@ -18,3 +18,14 @@ MCP_ioctl100_patch:
    .arm
    ldr r12, =_MCP_ioctl100_patch
    bx r12
+
+.extern _MCP_ReadCOSXml_patch
+.global MCP_ReadCOSXml_patch
+MCP_ReadCOSXml_patch:
+    .thumb
+    bx pc
+    nop
+    .arm
+    ldr r12, =_MCP_ReadCOSXml_patch
+    bx r12
+
--- a/source/main.cpp
+++ b/source/main.cpp
@ -4,6 +4,8 @@

 #include <coreinit/cache.h>

+#include <coreinit/ios.h>
+

 #include "whb/log.h"
 #include "whb/log_udp.h"
@ -15,10 +17,22 @@ int main(int argc, char **argv) {
    WHBLogUdpInit();
    WHBLogPrintf("Hello from mocha");
    unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
+
    memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
    DCStoreRange((void *) 0xF417FFF0, 0x8);

    ExecuteIOSExploit();
+
+    // When the kernel exploit is set up successfully, we signal the ios to move on.
+    int mcpFd = IOS_Open("/dev/mcp", (IOSOpenMode) 0);
+    if (mcpFd >= 0) {
+        int in = 0xFD;//IPC_CUSTOM_MEN_RPX_HOOK_COMPLETED;
+        int out = 0;
+
+        IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out));
+        IOS_Close(mcpFd);
+    }
+
    WHBLogPrintf("Bye from mocha");
    return 0;
 }