Replace men.rpx with .rpx from sd card when reloading the iosu/ppc. Fixes returning from the settings.

Maschell 2020-06-21 00:04:10 +02:00
parent da9f12f6ef
commit 36ac8626f0
6 changed files with 72 additions and 8 deletions


@ -3,7 +3,7 @@ This a lite version of the [original mocha](https://github.com/dimok789/mocha) t
## Usage
Place the `00_mocha.rpx` in the `sd:/wiiu/modules/setup` folder and run the [SetupPayload](https://github.com/wiiu-env/SetupPayload).
Requires [PayloadFromRPX](https://github.com/wiiu-env/PayloadFromRPX) as `sd:/wiiu/root.rpx` to support returning from the system settings.
## Patches
- You can also place a RPX as `men.rpx` in the `sd:/wiiu` folder which will replace the Wii U Menu.


@ -71,6 +71,9 @@ void instant_patches_setup(void) {
*(volatile u32 *) (0x050254D6 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x050254D6, MCP_LoadFile_patch);
*(volatile u32 *) (0x05025242 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05025242, MCP_ioctl100_patch);
*(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
*(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
// change system.xml to syshax.xml
/*
*(volatile u32*)mcp_rodata_phys(0x050600F0) = 0x79736861; // ysha
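Review bot: The two stores that install `MCP_ReadCOSXml_patch` (0x0501dd78 and 0x051105ce, apparently the added lines since the symbol is introduced by this commit) have no comment saying which MCP call sites they overwrite, and the same pair is repeated in `mcp_run_patches`, so the two lists can drift apart unnoticed. I would add a comment above them in both files, e.g. `// hook the two call sites of the COS XML reader (TODO confirm); addresses are firmware-specific`, and ideally take the addresses from one shared pair of named constants. These lines also copy the `(volatile u32 *)` cast on the right-hand side, which turns the branch encoding into a pointer before it is stored through a `u32` lvalue; assuming `THUMB_BL` yields an integer, `= THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);` without the cast says what is meant. 0x051105ce is the only hooked address here outside the 0x0501xxxx–0x0502xxxx range, so it is worth confirming that the `- 0x05000000 + 0x081C0000` translation still applies to it. `instant_patches_setup` starts and ends outside the hunk.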


@ -51,6 +51,9 @@ void mcp_run_patches(u32 ios_elf_start) {
section_write_word(ios_elf_start, 0x050254D6, THUMB_BL(0x050254D6, MCP_LoadFile_patch));
section_write_word(ios_elf_start, 0x05025242, THUMB_BL(0x05025242, MCP_ioctl100_patch));
section_write_word(ios_elf_start, 0x0501dd78, THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch));
section_write_word(ios_elf_start, 0x051105ce, THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch));
// change system.xml to syshax.xml
section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha
section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm


@ -21,6 +21,7 @@
#include "../../common/ipc_defs.h"
#include "fsa.h"
#include "svc.h"
#include "utils.h"
#include <string.h>
int (*const real_MCP_LoadFile)(ipcmessage *msg) = (void *) 0x0501CAA8 + 1; //+1 for thumb
@ -62,10 +63,8 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
int replace_fileoffset = rep_fileoffset;
char *replace_path = rpxpath;
skipPPCSetup = true;
if (strncmp(request->name, "men.rpx", strlen("men.rpx")) == 0) {
//replace_path = "wiiu/root.rpx";
replace_path = "wiiu/root.rpx";
if (skipPPCSetup) {
replace_path = "wiiu/men.rpx";
}
@ -89,7 +88,7 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
didrpxfirstchunk = false;
}
// if we don't explicitly replace files, we do want replace the Healt and Safety app with the HBL
// if we don't explicitly replace files, we do want replace the Health and Safety app with the HBL
if (!doWantReplaceRPX) {
replace_path = "wiiu/apps/homebrew_launcher/homebrew_launcher.rpx";
replace_target = LOAD_FILE_TARGET_SD_CARD;
@ -125,8 +124,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
if (path == NULL) {
return 0;
}
char filepath[256];
memset(filepath, 0, sizeof(filepath));
strncpy(filepath, path, sizeof(filepath) - 1);
@ -153,7 +150,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
int result = MCP_DoLoadFile(filepath, NULL, buffer_out, buffer_len, pos + fileoffset, &bytesRead, 0);
//log("MCP_DoLoadFile returned %d, bytesRead = %d pos %d \n", result, bytesRead, pos + fileoffset);
if (result >= 0) {
if (!bytesRead) {
return 0;
@ -168,6 +164,43 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
return result;
}
int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) {
int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
if (!skipPPCSetup) {
if (xmlData->titleId == 0x0005001010040000 ||
xmlData->titleId == 0x0005001010040100 ||
xmlData->titleId == 0x0005001010040200) {
xmlData->codegen_size = 0x02000000;
xmlData->codegen_core = 0x80000001;
xmlData->max_codesize = 0x02800000;
/*
xmlData->max_size = 0x40000000;
xmlData->max_codesize = 0x00800000;
xmlData->avail_size = 0;
xmlData->overlay_arena = 0;
for (uint32_t i = 0; i < 19; i++) {
xmlData->permissions[i].mask = 0xFFFFFFFFFFFFFFFF;
}
xmlData->default_stack0_size = 0;
xmlData->default_stack1_size = 0;
xmlData->default_stack2_size = 0;
xmlData->default_redzone0_size = 0;
xmlData->default_redzone1_size = 0;
xmlData->default_redzone2_size = 0;
xmlData->exception_stack0_size = 0x00001000;
xmlData->exception_stack1_size = 0x00001000;
xmlData->exception_stack2_size = 0x00001000;
*/
}
}
return res;
}
/* RPX replacement! Call this ioctl to replace the next loaded RPX with an arbitrary path.
DO NOT RETURN 0, this affects the codepaths back in the IOSU code */
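Review bot: `_MCP_ReadCOSXml_patch` rewrites `xmlData` without looking at `res`, so when the original routine at 0x050024ec fails, the three fields are still written into whatever the struct holds. If a negative value means failure here, as the `result >= 0` test in `MCP_LoadCustomFile` suggests, guard the override with `if (res < 0 || skipPPCSetup) { return res; }`. The three title ids and the sizes are bare literals; a comment such as `// presumably the JPN/USA/EUR Wii U Menu titles: give the replacement RPX a codegen area (confirm)` plus named constants would make the intent reviewable. The commented-out block that would set every `permissions[i].mask` to all ones is better deleted than left where it can be re-enabled by accident. The local `real_MCP_ReadCOSXml_patch` names the unpatched function and would read better as `real_MCP_ReadCOSXml`, at file scope next to `real_MCP_LoadFile`.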


@ -18,3 +18,14 @@ MCP_ioctl100_patch:
.arm
ldr r12, =_MCP_ioctl100_patch
bx r12
.extern _MCP_ReadCOSXml_patch
.global MCP_ReadCOSXml_patch
MCP_ReadCOSXml_patch:
.thumb
bx pc
nop
.arm
ldr r12, =_MCP_ReadCOSXml_patch
bx r12
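Review bot: The new `MCP_ReadCOSXml_patch` veneer relies on `bx pc` executing at a word-aligned address, and nothing in the hunk enforces that. In Thumb state `bx pc` branches to the instruction address plus 4, so if the label ever lands on a halfword boundary the switch to ARM targets a misaligned address. Unless an alignment directive already exists outside the hunk, put `.balign 4` before the label, and add a one-line comment such as `@ Thumb entry (target of the BL patch) -> ARM trampoline into the C handler`.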


@ -4,6 +4,8 @@
#include <coreinit/cache.h>
#include <coreinit/ios.h>
#include "whb/log.h"
#include "whb/log_udp.h"
@ -15,10 +17,22 @@ int main(int argc, char **argv) {
WHBLogUdpInit();
WHBLogPrintf("Hello from mocha");
unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
DCStoreRange((void *) 0xF417FFF0, 0x8);
ExecuteIOSExploit();
// When the kernel exploit is set up successfully, we signal the ios to move on.
int mcpFd = IOS_Open("/dev/mcp", (IOSOpenMode) 0);
if (mcpFd >= 0) {
int in = 0xFD;//IPC_CUSTOM_MEN_RPX_HOOK_COMPLETED;
int out = 0;
IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out));
IOS_Close(mcpFd);
}
WHBLogPrintf("Bye from mocha");
return 0;
}
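Review bot: The completion signal to `/dev/mcp` is fire-and-forget: a failed `IOS_Open` is skipped silently and the return value of `IOS_Ioctl` is dropped, so a run in which IOSU never receives the signal looks identical in the log to a good one. Log both cases, e.g. `int rc = IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out));` followed by `if (rc < 0) WHBLogPrintf("mcp ioctl 100 failed: %d", rc);`, with an `else` branch on the open. The raw `0xFD`, the ioctl number `100` and the address `0xF417FFF0` should be named constants shared with the IOSU side rather than a commented-out name, and `sizeof(sysmenuIdUll)` in place of the literal `8` keeps the copy and the `DCStoreRange` length tied to the variable. A short comment on who reads the title id at `0xF417FFF0` would help, since that consumer is not visible on this commit page.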