From 46921d37712100f5fdce6304c56f5187768e5d73 Mon Sep 17 00:00:00 2001
From: Maschell
Date: Sun, 14 Feb 2021 15:28:56 +0100
Subject: [PATCH] Fix sd access patch
---
 source/ios_kernel/source/instant_patches.c | 8 +-------
 source/ios_kernel/source/ios_mcp_patches.c | 2 --
 source/ios_mcp/source/main.c | 16 +---------------
 source/ios_mcp/source/mcp_loadfile.c | 3 +++
 4 files changed, 5 insertions(+), 24 deletions(-)
diff --git a/source/ios_kernel/source/instant_patches.c b/source/ios_kernel/source/instant_patches.c
index 96df178..5d59c10 100644
--- a/source/ios_kernel/source/instant_patches.c
+++ b/source/ios_kernel/source/instant_patches.c
@@ -50,7 +50,7 @@ void instant_patches_setup(void) { *(volatile u32 *) 0x1070FAEC = 0xEAFFFFF9; int (*_iosMapSharedUserExecution)(void *descr) = (void *) 0x08124F88; - + // patch kernel dev node registration *(volatile u32 *) 0x081430B4 = 1;
@@ -74,7 +74,6 @@ void instant_patches_setup(void) { *(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch); *(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch); - // patch default title id to system menu *(volatile u32 *) mcp_data_phys(0x050B817C) = *(volatile u32 *) 0x0017FFF0; *(volatile u32 *) mcp_data_phys(0x050B8180) = *(volatile u32 *) 0x0017FFF4;
@@ -84,11 +83,6 @@ void instant_patches_setup(void) {
 // set zero to start thread directly on first title change
 *(volatile u32 *) (0x050BC580 - 0x05000000 + 0x081C0000) = 0;
- // down display launch image at this state
- *(volatile u32 *) (_text_start - 4 - 0x05100000 + 0x13D80000) = 0;
-
- // patch the read position for the cos xml's p4.mask(ios_fs) to read 0xFFFFFFFFFFFFFFFF
- *(volatile u32 *) (0x05002BBE - 0x05000000 + 0x081C0000) = (volatile u32 *) THUMB_BL(0x05002BBE, patch_SD_access_check);
 ios_map_shared_info_t map_info;
 map_info.paddr = 0x050BD000 - 0x05000000 + 0x081C0000;
diff --git a/source/ios_kernel/source/ios_mcp_patches.c b/source/ios_kernel/source/ios_mcp_patches.c
index e69c1ca..a3430c0 100644
--- a/source/ios_kernel/source/ios_mcp_patches.c
+++ b/source/ios_kernel/source/ios_mcp_patches.c
@@ -43,8 +43,6 @@ void mcp_run_patches(u32 ios_elf_start) {
 section_write_word(ios_elf_start, 0x05056718, ARM_BL(0x05056718, _text_start));
- section_write_word(ios_elf_start, 0x05002BBE, THUMB_BL(0x05002BBE, patch_SD_access_check));
-
 u32 patch_count = (u32) (((u8 *) mcp_patches_table_end) - ((u8 *) mcp_patches_table)) / sizeof(patch_table_t);
 patch_table_entries(ios_elf_start, mcp_patches_table, patch_count);
diff --git a/source/ios_mcp/source/main.c b/source/ios_mcp/source/main.c
index 8e0e51e..a95cb01 100644
--- a/source/ios_mcp/source/main.c
+++ b/source/ios_mcp/source/main.c
@@ -17,18 +17,4 @@ int _startMainThread(void) {
 ipc_init();
 }
 return 0;
-}
-
-void patch_SD_access_check(void) {
- __asm__ volatile(
- ".thumb\n"
- //clobbered instructions
- "add r0, r7, r2\n"
- //app.permissions.r2.mask seems to be 0xFFFFFFFFFFFFFFFF for every application
- "ldr r1, =0x32\n"
- "sub r3, r3, #7\n"
- "strb r1, [r3]\n"
- //this instruction was also clobbered but we use r1 so we do it after our patch stuff
- "movs r1, #0\n"
- "bx lr");
-}
+}
\ No newline at end of file
diff --git a/source/ios_mcp/source/mcp_loadfile.c b/source/ios_mcp/source/mcp_loadfile.c
index 8f4b009..7127d78 100644
--- a/source/ios_mcp/source/mcp_loadfile.c
+++ b/source/ios_mcp/source/mcp_loadfile.c
@@ -166,6 +166,9 @@ int _MCP_ReadCOSXml_patch(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlDat
 int (*const real_MCP_ReadCOSXml_patch)(uint32_t u1, uint32_t u2, MCPPPrepareTitleInfo *xmlData) = (void *) 0x050024ec + 1; //+1 for thumb
 int res = real_MCP_ReadCOSXml_patch(u1, u2, xmlData);
+
+ // Give us sd access!
+ xmlData->permissions[4].mask = 0xFFFFFFFFFFFFFFFF;
 // if we replace the RPX we want to increase the max_codesize and give us full permission!
 if (replace_valid) {
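Review bot: The added `xmlData->permissions[4].mask = 0xFFFFFFFFFFFFFFFF;` in mcp_loadfile.c is unconditional: it runs for every title whose COS XML goes through this hook, and it sits directly after the call, before any visible check of `res`, so the all-ones mask is written even if the real reader reported a failure. The comment this commit removes from instant_patches.c identifies this group as the cos.xml `p4.mask(ios_fs)`, and that context is lost here; I would replace the new comment with `// permissions[4] = ios_fs group (cos.xml p4.mask); all bits set, which includes SD access` so the index and the breadth of the grant are documented. If only part of the group is needed for SD access, OR a named constant into the mask instead of assigning the literal, and guard the write on the success value of `res`; neither the bit layout nor the return convention is visible in this hunk. The function body starts and ends outside the hunk.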