Fix sd access patch

This commit is contained in:
Maschell 2021-02-14 15:28:56 +01:00
parent 3df156eb97
commit 46921d3771
4 changed files with 5 additions and 24 deletions

View File

@ -50,7 +50,7 @@ void instant_patches_setup(void) {
*(volatile u32 *) 0x1070FAEC = 0xEAFFFFF9;
int (*_iosMapSharedUserExecution)(void *descr) = (void *) 0x08124F88;
// patch kernel dev node registration
*(volatile u32 *) 0x081430B4 = 1;
@ -74,7 +74,6 @@ void instant_patches_setup(void) {
*(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
*(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
// patch default title id to system menu
*(volatile u32 *) mcp_data_phys(0x050B817C) = *(volatile u32 *) 0x0017FFF0;
*(volatile u32 *) mcp_data_phys(0x050B8180) = *(volatile u32 *) 0x0017FFF4;
@ -84,11 +83,6 @@ void instant_patches_setup(void) {
// set zero to start thread directly on first title change
*(volatile u32 *) (0x050BC580 - 0x05000000 + 0x081C0000) = 0;
// down display launch image at this state
*(volatile u32 *) (_text_start - 4 - 0x05100000 + 0x13D80000) = 0;
// patch the read position for the cos xml's p4.mask(ios_fs) to read 0xFFFFFFFFFFFFFFFF
*(volatile u32 *) (0x05002BBE - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05002BBE, patch_SD_access_check);
ios_map_shared_info_t map_info;
map_info.paddr = 0x050BD000 - 0x05000000 + 0x081C0000;

View File

@ -43,8 +43,6 @@ void mcp_run_patches(u32 ios_elf_start) {
section_write_word(ios_elf_start, 0x05056718, ARM_BL(0x05056718, _text_start));
section_write_word(ios_elf_start, 0x05002BBE, THUMB_BL(0x05002BBE, patch_SD_access_check));
u32 patch_count = (u32) (((u8 *) mcp_patches_table_end) - ((u8 *) mcp_patches_table)) / sizeof(patch_table_t);
patch_table_entries(ios_elf_start, mcp_patches_table, patch_count);

View File

@ -17,18 +17,4 @@ int _startMainThread(void) {
ipc_init();
}
return 0;
}
void patch_SD_access_check(void) {
__asm__ volatile(
".thumb\n"
//clobbered instructions
"add r0, r7, r2\n"
//app.permissions.r2.mask seems to be 0xFFFFFFFFFFFFFFFF for every application
"ldr r1, =0x32\n"
"sub r3, r3, #7\n"
"strb r1, [r3]\n"
//this instruction was also clobbered but we use r1 so we do it after our patch stuff
"movs r1, #0\n"
"bx lr");
}
}

View File

@ -166,6 +166,9 @@ int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlDat
int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
// Give us sd access!
xmlData->permissions[4].mask = 0xFFFFFFFFFFFFFFFF;
// if we replace the RPX we want to increase the max_codesize and give us full permission!
if (replace_valid) {