From 36ac8626f0430fad00ceeb7dd3c1a5e66e959ada Mon Sep 17 00:00:00 2001 From: Maschell Date: Sun, 21 Jun 2020 00:04:10 +0200 Subject: [PATCH] Replace men.rpx with .rpx from sd card when reloading the iosu/ppc. Fixes returning from the settings. --- README.md | 2 +- source/ios_kernel/source/instant_patches.c | 3 ++ source/ios_kernel/source/ios_mcp_patches.c | 3 ++ source/ios_mcp/source/mcp_loadfile.c | 47 ++++++++++++++++++---- source/ios_mcp/source/mcp_loadfile_asm.s | 11 +++++ source/main.cpp | 14 +++++++ 6 files changed, 72 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 636adfd..2936128 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ This a lite version of the [original mocha](https://github.com/dimok789/mocha) t ## Usage Place the `00_mocha.rpx` in the `sd:/wiiu/modules/setup` folder and run the [SetupPayload](https://github.com/wiiu-env/SetupPayload). - +Requires [PayloadFromRPX](https://github.com/wiiu-env/PayloadFromRPX) as `sd:/wiiu/root.rpx` to support returning from the system settings. ## Patches - You can also place a RPX as `men.rpx` in the `sd:/wiiu` folder which will replace the Wii U Menu. diff --git a/source/ios_kernel/source/instant_patches.c b/source/ios_kernel/source/instant_patches.c index 35c3982..0d0fefa 100644 --- a/source/ios_kernel/source/instant_patches.c +++ b/source/ios_kernel/source/instant_patches.c 
@@ -71,6 +71,9 @@ void instant_patches_setup(void) {
     *(volatile u32 *) (0x050254D6 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x050254D6, MCP_LoadFile_patch);
     *(volatile u32 *) (0x05025242 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05025242, MCP_ioctl100_patch);
+    *(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
+    *(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
+
     // change system.xml to syshax.xml
     /*
     *(volatile u32*)mcp_rodata_phys(0x050600F0) = 0x79736861; // ysha
diff --git a/source/ios_kernel/source/ios_mcp_patches.c b/source/ios_kernel/source/ios_mcp_patches.c
index b48e33c..42ec24f 100644
--- a/source/ios_kernel/source/ios_mcp_patches.c
+++ b/source/ios_kernel/source/ios_mcp_patches.c
@@ -51,6 +51,9 @@ void mcp_run_patches(u32 ios_elf_start) {
     section_write_word(ios_elf_start, 0x050254D6, THUMB_BL(0x050254D6, MCP_LoadFile_patch));
     section_write_word(ios_elf_start, 0x05025242, THUMB_BL(0x05025242, MCP_ioctl100_patch));
+    section_write_word(ios_elf_start, 0x0501dd78, THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch));
+    section_write_word(ios_elf_start, 0x051105ce, THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch));
+
     // change system.xml to syshax.xml
     section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha
     section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm
diff --git a/source/ios_mcp/source/mcp_loadfile.c b/source/ios_mcp/source/mcp_loadfile.c
index 4986f6a..1bcd392 100644
--- a/source/ios_mcp/source/mcp_loadfile.c
+++ b/source/ios_mcp/source/mcp_loadfile.c
@@ -21,6 +21,7 @@
 #include "../../common/ipc_defs.h"
 #include "fsa.h"
 #include "svc.h"
+#include "utils.h"
 #include 
 int (*const real_MCP_LoadFile)(ipcmessage *msg) = (void *) 0x0501CAA8 + 1; //+1 for thumb 
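Review bot: The two new patch sites `0x0501dd78` and `0x051105ce` are bare addresses with no comment saying which call sites they are or which IOSU build they belong to, and the identical pair is repeated verbatim in the ios_mcp_patches.c hunk below, so the two lists can drift apart unnoticed. Since `_MCP_ReadCOSXml_patch` chains to the function at `0x050024ec`, these are presumably the two call sites of that function; a comment above the first added line such as `// hook both callers of MCP_ReadCOSXml (0x050024ec) so the cos.xml limits of the replaced menu RPX can be adjusted` would make the intent reviewable. Keeping the hook list in one shared table consumed by both instant_patches.c and ios_mcp_patches.c would remove the duplication. instant_patches_setup starts and ends outside the hunk.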
@@ -62,10 +63,8 @@ int _MCP_LoadFile_patch(ipcmessage *msg) { int replace_fileoffset = rep_fileoffset; char *replace_path = rpxpath; - skipPPCSetup = true; - if (strncmp(request->name, "men.rpx", strlen("men.rpx")) == 0) { - //replace_path = "wiiu/root.rpx"; + replace_path = "wiiu/root.rpx"; if (skipPPCSetup) { replace_path = "wiiu/men.rpx"; } @@ -89,7 +88,7 @@ int _MCP_LoadFile_patch(ipcmessage *msg) { didrpxfirstchunk = false; } - // if we don't explicitly replace files, we do want replace the Healt and Safety app with the HBL + // if we don't explicitly replace files, we do want replace the Health and Safety app with the HBL if (!doWantReplaceRPX) { replace_path = "wiiu/apps/homebrew_launcher/homebrew_launcher.rpx"; replace_target = LOAD_FILE_TARGET_SD_CARD; @@ -125,8 +124,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs if (path == NULL) { return 0; } - - char filepath[256]; memset(filepath, 0, sizeof(filepath)); strncpy(filepath, path, sizeof(filepath) - 1); @@ -153,7 +150,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs int result = MCP_DoLoadFile(filepath, NULL, buffer_out, buffer_len, pos + fileoffset, &bytesRead, 0); //log("MCP_DoLoadFile returned %d, bytesRead = %d pos %d \n", result, bytesRead, pos + fileoffset); - if (result >= 0) { if (!bytesRead) { return 0; 
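Review bot: In the `-62,10 +63,8` hunk the men.rpx branch now redirects to `wiiu/root.rpx` whenever skipPPCSetup is false, but nothing explains the two-stage hand-off behind that choice, and the behaviour when `sd:/wiiu/root.rpx` is absent is not visible (MCP_LoadCustomFile returns 0 for a NULL path in the `-125` hunk, but whether a missing file falls back to the real men.rpx is decided outside these hunks). A comment above the assignment, e.g. `// PPC side not set up yet: chainload sd:/wiiu/root.rpx; once it has signalled completion (skipPPCSetup), serve sd:/wiiu/men.rpx`, plus a log line when the SD file cannot be opened, would make a boot that falls through diagnosable. With `skipPPCSetup = true;` removed the flag is presumably only set by the ioctl-100 handler when main.cpp sends its completion message, which this diff does not show, so that contract belongs on the flag's definition. _MCP_LoadFile_patch starts and ends outside the hunk.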
@@ -168,6 +164,43 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
     return result;
 }
+int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) {
+    int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
+
+    int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
+
+
+    if (!skipPPCSetup) {
+        if (xmlData->titleId == 0x0005001010040000 ||
+            xmlData->titleId == 0x0005001010040100 ||
+            xmlData->titleId == 0x0005001010040200) {
+
+            xmlData->codegen_size = 0x02000000;
+            xmlData->codegen_core = 0x80000001;
+            xmlData->max_codesize = 0x02800000;
+            /*
+            xmlData->max_size = 0x40000000;
+            xmlData->max_codesize = 0x00800000;
+            xmlData->avail_size = 0;
+            xmlData->overlay_arena = 0;
+            for (uint32_t i = 0; i < 19; i++) {
+                xmlData->permissions[i].mask = 0xFFFFFFFFFFFFFFFF;
+            }
+            xmlData->default_stack0_size = 0;
+            xmlData->default_stack1_size = 0;
+            xmlData->default_stack2_size = 0;
+            xmlData->default_redzone0_size = 0;
+            xmlData->default_redzone1_size = 0;
+            xmlData->default_redzone2_size = 0;
+            xmlData->exception_stack0_size = 0x00001000;
+            xmlData->exception_stack1_size = 0x00001000;
+            xmlData->exception_stack2_size = 0x00001000;
+            */
+        }
+    }
+
+    return res;
+}
 /* RPX replacement! Call this ioctl to replace the next loaded RPX with an arbitrary path. DO NOT RETURN 0, this affects the codepaths back in the IOSU code */
diff --git a/source/ios_mcp/source/mcp_loadfile_asm.s b/source/ios_mcp/source/mcp_loadfile_asm.s
index 9593533..712e317 100644
--- a/source/ios_mcp/source/mcp_loadfile_asm.s
+++ b/source/ios_mcp/source/mcp_loadfile_asm.s
@@ -18,3 +18,14 @@ MCP_ioctl100_patch:
     .arm
     ldr r12, =_MCP_ioctl100_patch
     bx r12
+
+.extern _MCP_ReadCOSXml_patch
+.global MCP_ReadCOSXml_patch
+MCP_ReadCOSXml_patch:
+    .thumb
+    bx pc
+    nop
+    .arm
+    ldr r12, =_MCP_ReadCOSXml_patch
+    bx r12
+
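Review bot: `_MCP_ReadCOSXml_patch` dereferences `xmlData` after the real call without looking at `res`, so if the original function reported an error (its return convention is not visible here) the titleId compare and the three writes run against a struct the original may never have filled; guarding on the result, e.g. `if (res >= 0 && xmlData != NULL && !skipPPCSetup) {` if a negative result means failure, would close that. The three title ids look like the regional Wii U Menu ids and `codegen_size`/`codegen_core`/`max_codesize` are unexplained magic values, and a comment above the block stating what is granted matters here because it extends code-generation limits to whatever RPX the loader substitutes for the menu from the SD card, a permission widening a reader should be able to see at a glance. `real_MCP_ReadCOSXml_patch` names the original function, not the patch, so `real_MCP_ReadCOSXml` would match `real_MCP_LoadFile` earlier in the file, and the commented-out block of alternative limits should be dropped rather than committed.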
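Review bot: The new `MCP_ReadCOSXml_patch` stub in mcp_loadfile_asm.s is the third verbatim copy of the thumb-to-arm trampoline (`bx pc` / `nop` / `.arm` / `ldr r12, =…` / `bx r12`) already used for `MCP_LoadFile_patch` and `MCP_ioctl100_patch`; an assembler macro taking the target symbol would keep the three in step if the switch sequence ever needs to change. A one-line comment on the stub, `@ thumb entry for the BL patch sites; switches to ARM and tail-calls the C handler`, would also help since the file currently has none.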
diff --git a/source/main.cpp b/source/main.cpp index c4f27b6..f1e8954 100644 --- a/source/main.cpp +++ b/source/main.cpp @@ -4,6 +4,8 @@ #include +#include + #include "whb/log.h" #include "whb/log_udp.h" @@ -15,10 +17,22 @@ int main(int argc, char **argv) { WHBLogUdpInit(); WHBLogPrintf("Hello from mocha"); unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0); + memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8); DCStoreRange((void *) 0xF417FFF0, 0x8); ExecuteIOSExploit(); + + // When the kernel exploit is set up successfully, we signal the ios to move on. + int mcpFd = IOS_Open("/dev/mcp", (IOSOpenMode) 0); + if (mcpFd >= 0) { + int in = 0xFD;//IPC_CUSTOM_MEN_RPX_HOOK_COMPLETED; + int out = 0; + + IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out)); + IOS_Close(mcpFd); + } + WHBLogPrintf("Bye from mocha"); return 0; }
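Review bot: The completion signal to IOSU in the `-15,10 +17,22` hunk is fire-and-forget: the `IOS_Ioctl` result is discarded and a failed `IOS_Open` silently skips the ioctl, although the IOSU side's switch from root.rpx to men.rpx presumably depends on this message arriving; logging both outcomes, e.g. `int rc = IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out)); if (rc < 0) WHBLogPrintf("MCP ioctl 100 failed: %d", rc);` and an `else` branch printing the `IOS_Open` error, would make a boot that never returns from settings diagnosable. `int in = 0xFD;//IPC_CUSTOM_MEN_RPX_HOOK_COMPLETED;` hard-codes the command while naming the symbol only in a comment; if the shared ipc_defs.h that mcp_loadfile.c includes is reachable from the PPC build, use the constant so the two sides cannot drift. The `memcpy` to `0xF417FFF0` also deserves a comment saying what the IOSU side reads from that address. main starts before the hunk.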