mirror of
https://github.com/wiiu-env/MochaPayload.git
synced 2024-11-13 03:35:07 +01:00
Replace men.rpx with .rpx from sd card when reloading the iosu/ppc. Fixes returning from the settings.
This commit is contained in:
parent
da9f12f6ef
commit
36ac8626f0
@ -3,7 +3,7 @@ This a lite version of the [original mocha](https://github.com/dimok789/mocha) t
|
||||
|
||||
## Usage
|
||||
Place the `00_mocha.rpx` in the `sd:/wiiu/modules/setup` folder and run the [SetupPayload](https://github.com/wiiu-env/SetupPayload).
|
||||
|
||||
Requires [PayloadFromRPX](https://github.com/wiiu-env/PayloadFromRPX) as `sd:/wiiu/root.rpx` to support returning from the system settings.
|
||||
|
||||
## Patches
|
||||
- You can also place a RPX as `men.rpx` in the `sd:/wiiu` folder which will replace the Wii U Menu.
|
||||
|
@ -71,6 +71,9 @@ void instant_patches_setup(void) {
|
||||
*(volatile u32 *) (0x050254D6 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x050254D6, MCP_LoadFile_patch);
|
||||
*(volatile u32 *) (0x05025242 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05025242, MCP_ioctl100_patch);
|
||||
|
||||
*(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
|
||||
*(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
|
||||
|
||||
// change system.xml to syshax.xml
|
||||
/*
|
||||
*(volatile u32*)mcp_rodata_phys(0x050600F0) = 0x79736861; // ysha
|
||||
|
@ -51,6 +51,9 @@ void mcp_run_patches(u32 ios_elf_start) {
|
||||
section_write_word(ios_elf_start, 0x050254D6, THUMB_BL(0x050254D6, MCP_LoadFile_patch));
|
||||
section_write_word(ios_elf_start, 0x05025242, THUMB_BL(0x05025242, MCP_ioctl100_patch));
|
||||
|
||||
section_write_word(ios_elf_start, 0x0501dd78, THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch));
|
||||
section_write_word(ios_elf_start, 0x051105ce, THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch));
|
||||
|
||||
// change system.xml to syshax.xml
|
||||
section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha
|
||||
section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm
|
||||
|
@ -21,6 +21,7 @@
|
||||
#include "../../common/ipc_defs.h"
|
||||
#include "fsa.h"
|
||||
#include "svc.h"
|
||||
#include "utils.h"
|
||||
#include <string.h>
|
||||
|
||||
int (*const real_MCP_LoadFile)(ipcmessage *msg) = (void *) 0x0501CAA8 + 1; //+1 for thumb
|
||||
@ -62,10 +63,8 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
|
||||
int replace_fileoffset = rep_fileoffset;
|
||||
char *replace_path = rpxpath;
|
||||
|
||||
skipPPCSetup = true;
|
||||
|
||||
if (strncmp(request->name, "men.rpx", strlen("men.rpx")) == 0) {
|
||||
//replace_path = "wiiu/root.rpx";
|
||||
replace_path = "wiiu/root.rpx";
|
||||
if (skipPPCSetup) {
|
||||
replace_path = "wiiu/men.rpx";
|
||||
}
|
||||
@ -89,7 +88,7 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
|
||||
didrpxfirstchunk = false;
|
||||
}
|
||||
|
||||
// if we don't explicitly replace files, we do want replace the Healt and Safety app with the HBL
|
||||
// if we don't explicitly replace files, we do want replace the Health and Safety app with the HBL
|
||||
if (!doWantReplaceRPX) {
|
||||
replace_path = "wiiu/apps/homebrew_launcher/homebrew_launcher.rpx";
|
||||
replace_target = LOAD_FILE_TARGET_SD_CARD;
|
||||
@ -125,8 +124,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
|
||||
if (path == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
char filepath[256];
|
||||
memset(filepath, 0, sizeof(filepath));
|
||||
strncpy(filepath, path, sizeof(filepath) - 1);
|
||||
@ -153,7 +150,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
|
||||
int result = MCP_DoLoadFile(filepath, NULL, buffer_out, buffer_len, pos + fileoffset, &bytesRead, 0);
|
||||
//log("MCP_DoLoadFile returned %d, bytesRead = %d pos %d \n", result, bytesRead, pos + fileoffset);
|
||||
|
||||
|
||||
if (result >= 0) {
|
||||
if (!bytesRead) {
|
||||
return 0;
|
||||
@ -168,6 +164,43 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
|
||||
return result;
|
||||
}
|
||||
|
||||
int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) {
|
||||
int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
|
||||
|
||||
int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
|
||||
|
||||
|
||||
if (!skipPPCSetup) {
|
||||
if (xmlData->titleId == 0x0005001010040000 ||
|
||||
xmlData->titleId == 0x0005001010040100 ||
|
||||
xmlData->titleId == 0x0005001010040200) {
|
||||
|
||||
xmlData->codegen_size = 0x02000000;
|
||||
xmlData->codegen_core = 0x80000001;
|
||||
xmlData->max_codesize = 0x02800000;
|
||||
/*
|
||||
xmlData->max_size = 0x40000000;
|
||||
xmlData->max_codesize = 0x00800000;
|
||||
xmlData->avail_size = 0;
|
||||
xmlData->overlay_arena = 0;
|
||||
for (uint32_t i = 0; i < 19; i++) {
|
||||
xmlData->permissions[i].mask = 0xFFFFFFFFFFFFFFFF;
|
||||
}
|
||||
xmlData->default_stack0_size = 0;
|
||||
xmlData->default_stack1_size = 0;
|
||||
xmlData->default_stack2_size = 0;
|
||||
xmlData->default_redzone0_size = 0;
|
||||
xmlData->default_redzone1_size = 0;
|
||||
xmlData->default_redzone2_size = 0;
|
||||
xmlData->exception_stack0_size = 0x00001000;
|
||||
xmlData->exception_stack1_size = 0x00001000;
|
||||
xmlData->exception_stack2_size = 0x00001000;
|
||||
*/
|
||||
}
|
||||
}
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
/* RPX replacement! Call this ioctl to replace the next loaded RPX with an arbitrary path.
|
||||
DO NOT RETURN 0, this affects the codepaths back in the IOSU code */
|
||||
|
@ -18,3 +18,14 @@ MCP_ioctl100_patch:
|
||||
.arm
|
||||
ldr r12, =_MCP_ioctl100_patch
|
||||
bx r12
|
||||
|
||||
.extern _MCP_ReadCOSXml_patch
|
||||
.global MCP_ReadCOSXml_patch
|
||||
MCP_ReadCOSXml_patch:
|
||||
.thumb
|
||||
bx pc
|
||||
nop
|
||||
.arm
|
||||
ldr r12, =_MCP_ReadCOSXml_patch
|
||||
bx r12
|
||||
|
||||
|
@ -4,6 +4,8 @@
|
||||
|
||||
#include <coreinit/cache.h>
|
||||
|
||||
#include <coreinit/ios.h>
|
||||
|
||||
|
||||
#include "whb/log.h"
|
||||
#include "whb/log_udp.h"
|
||||
@ -15,10 +17,22 @@ int main(int argc, char **argv) {
|
||||
WHBLogUdpInit();
|
||||
WHBLogPrintf("Hello from mocha");
|
||||
unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
|
||||
|
||||
memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
|
||||
DCStoreRange((void *) 0xF417FFF0, 0x8);
|
||||
|
||||
ExecuteIOSExploit();
|
||||
|
||||
// When the kernel exploit is set up successfully, we signal the ios to move on.
|
||||
int mcpFd = IOS_Open("/dev/mcp", (IOSOpenMode) 0);
|
||||
if (mcpFd >= 0) {
|
||||
int in = 0xFD;//IPC_CUSTOM_MEN_RPX_HOOK_COMPLETED;
|
||||
int out = 0;
|
||||
|
||||
IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out));
|
||||
IOS_Close(mcpFd);
|
||||
}
|
||||
|
||||
WHBLogPrintf("Bye from mocha");
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user