Replace men.rpx with .rpx from sd card when reloading the iosu/ppc. Fixes returning from the settings.

2025-02-18 00:56:20 +01:00 · 2020-06-21 00:04:10 +02:00 · 2020-06-21 00:04:10 +02:00 · 36ac8626f0
commit 36ac8626f0
parent da9f12f6ef
6 changed files with 72 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -3,7 +3,7 @@ This a lite version of the [original mocha](https://github.com/dimok789/mocha) t
 ## Usage
 Place the `00_mocha.rpx` in the `sd:/wiiu/modules/setup` folder and run the [SetupPayload](https://github.com/wiiu-env/SetupPayload).
-
+Requires [PayloadFromRPX](https://github.com/wiiu-env/PayloadFromRPX) as `sd:/wiiu/root.rpx` to support returning from the system settings.
 ## Patches
 - You can also place a RPX as `men.rpx` in the `sd:/wiiu` folder which will replace the Wii U Menu.
--- a/source/ios_kernel/source/instant_patches.c
+++ b/source/ios_kernel/source/instant_patches.c
@ -71,6 +71,9 @@ void instant_patches_setup(void) {
    *(volatile u32 *) (0x050254D6 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x050254D6, MCP_LoadFile_patch);
    *(volatile u32 *) (0x05025242 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05025242, MCP_ioctl100_patch);
    *(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
    *(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
    // change system.xml to syshax.xml
    /*
    *(volatile u32*)mcp_rodata_phys(0x050600F0) = 0x79736861; // ysha
--- a/source/ios_kernel/source/ios_mcp_patches.c
+++ b/source/ios_kernel/source/ios_mcp_patches.c
@ -51,6 +51,9 @@ void mcp_run_patches(u32 ios_elf_start) {
    section_write_word(ios_elf_start, 0x050254D6, THUMB_BL(0x050254D6, MCP_LoadFile_patch));
    section_write_word(ios_elf_start, 0x05025242, THUMB_BL(0x05025242, MCP_ioctl100_patch));
    section_write_word(ios_elf_start, 0x0501dd78, THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch));
    section_write_word(ios_elf_start, 0x051105ce, THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch));
    // change system.xml to syshax.xml
    section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha
    section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm
--- a/source/ios_mcp/source/mcp_loadfile.c
+++ b/source/ios_mcp/source/mcp_loadfile.c
@ -21,6 +21,7 @@
 #include "../../common/ipc_defs.h"
 #include "fsa.h"
 #include "svc.h"
 #include "utils.h"
 #include <string.h>
 int (*const real_MCP_LoadFile)(ipcmessage *msg) = (void *) 0x0501CAA8 + 1; //+1 for thumb
@ -62,10 +63,8 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
    int replace_fileoffset = rep_fileoffset;
    char *replace_path = rpxpath;
    skipPPCSetup = true;
    if (strncmp(request->name, "men.rpx", strlen("men.rpx")) == 0) {
-        //replace_path = "wiiu/root.rpx";
+        replace_path = "wiiu/root.rpx";
        if (skipPPCSetup) {
            replace_path = "wiiu/men.rpx";
        }
@ -89,7 +88,7 @@ int _MCP_LoadFile_patch(ipcmessage *msg) {
            didrpxfirstchunk = false;
        }
-        // if we don't explicitly replace files, we do want replace the Healt and Safety app with the HBL
+        // if we don't explicitly replace files, we do want replace the Health and Safety app with the HBL
        if (!doWantReplaceRPX) {
            replace_path = "wiiu/apps/homebrew_launcher/homebrew_launcher.rpx";
            replace_target = LOAD_FILE_TARGET_SD_CARD;
@ -125,8 +124,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
    if (path == NULL) {
        return 0;
    }
    char filepath[256];
    memset(filepath, 0, sizeof(filepath));
    strncpy(filepath, path, sizeof(filepath) - 1);
@ -153,7 +150,6 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
    int result = MCP_DoLoadFile(filepath, NULL, buffer_out, buffer_len, pos + fileoffset, &bytesRead, 0);
    //log("MCP_DoLoadFile returned %d, bytesRead = %d pos %d \n", result, bytesRead, pos + fileoffset);
    if (result >= 0) {
        if (!bytesRead) {
            return 0;
@ -168,6 +164,43 @@ static int MCP_LoadCustomFile(int target, char *path, int filesize, int fileoffs
    return result;
 }
 int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) {
    int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
    int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
    if (!skipPPCSetup) {
        if (xmlData->titleId == 0x0005001010040000 ||
            xmlData->titleId == 0x0005001010040100 ||
            xmlData->titleId == 0x0005001010040200) {
            xmlData->codegen_size = 0x02000000;
            xmlData->codegen_core = 0x80000001;
            xmlData->max_codesize = 0x02800000;
            /*
            xmlData->max_size = 0x40000000;
            xmlData->max_codesize = 0x00800000;
            xmlData->avail_size = 0;
            xmlData->overlay_arena = 0;
            for (uint32_t i = 0; i < 19; i++) {
                xmlData->permissions[i].mask = 0xFFFFFFFFFFFFFFFF;
            }
            xmlData->default_stack0_size = 0;
            xmlData->default_stack1_size = 0;
            xmlData->default_stack2_size = 0;
            xmlData->default_redzone0_size = 0;
            xmlData->default_redzone1_size = 0;
            xmlData->default_redzone2_size = 0;
            xmlData->exception_stack0_size = 0x00001000;
            xmlData->exception_stack1_size = 0x00001000;
            xmlData->exception_stack2_size = 0x00001000;
            */
        }
    }
    return res;
 }
 /*  RPX replacement! Call this ioctl to replace the next loaded RPX with an arbitrary path.
    DO NOT RETURN 0, this affects the codepaths back in the IOSU code */
--- a/source/ios_mcp/source/mcp_loadfile_asm.s
+++ b/source/ios_mcp/source/mcp_loadfile_asm.s
@ -18,3 +18,14 @@ MCP_ioctl100_patch:
    .arm
    ldr r12, =_MCP_ioctl100_patch
    bx r12
 .extern _MCP_ReadCOSXml_patch
 .global MCP_ReadCOSXml_patch
 MCP_ReadCOSXml_patch:
    .thumb
    bx pc
    nop
    .arm
    ldr r12, =_MCP_ReadCOSXml_patch
    bx r12
--- a/source/main.cpp
+++ b/source/main.cpp
@ -4,6 +4,8 @@
 #include <coreinit/cache.h>
 #include <coreinit/ios.h>
 #include "whb/log.h"
 #include "whb/log_udp.h"
@ -15,10 +17,22 @@ int main(int argc, char **argv) {
    WHBLogUdpInit();
    WHBLogPrintf("Hello from mocha");
    unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
    memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
    DCStoreRange((void *) 0xF417FFF0, 0x8);
    ExecuteIOSExploit();
    // When the kernel exploit is set up successfully, we signal the ios to move on.
    int mcpFd = IOS_Open("/dev/mcp", (IOSOpenMode) 0);
    if (mcpFd >= 0) {
        int in = 0xFD;//IPC_CUSTOM_MEN_RPX_HOOK_COMPLETED;
        int out = 0;
        IOS_Ioctl(mcpFd, 100, &in, sizeof(in), &out, sizeof(out));
        IOS_Close(mcpFd);
    }
    WHBLogPrintf("Bye from mocha");
    return 0;
 }