Preserve environment path, fix returns values of custom IOCTL,

source/common/ipc_defs.h

@@ -227,5 +227,6 @@ typedef struct {
 #define IPC_CUSTOM_LOAD_CUSTOM_RPX          0xFC
 #define IPC_CUSTOM_META_XML_READ            0xFB
 #define IPC_CUSTOM_START_USB_LOGGING        0xFA
+#define IPC_CUSTOM_COPY_ENVIRONMENT_PATH    0xF9
 
 #define LOAD_FILE_TARGET_SD_CARD            0

source/ios_exploit.c

@@ -320,7 +320,6 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
     payloads->size = sizeof(ios_mcp);
     memcpy(payloads->data, ios_mcp, payloads->size);
 
-
     pretend_root_hub[33] = 0x500000;
     pretend_root_hub[78] = 0;
 

source/ios_kernel/source/instant_patches.c

@@ -64,7 +64,7 @@ void instant_patches_setup(void) {
     // fix 10 minute timeout that crashes MCP after 10 minutes of booting
     *(volatile u32 *) (0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF;    // NEW_TIMEOUT
 
-    kernel_memset((void *) (0x050BD000 - 0x05000000 + 0x081C0000), 0, 0x3000);
+    kernel_memset((void *) (0x050BD000 - 0x05000000 + 0x081C0000), 0, 0x2F00);
 
     // allow custom bootLogoTex and bootMovie.h264
     *(volatile u32 *) (0xE0030D68 - 0xE0000000 + 0x12900000) = 0xE3A00000;    // mov r0, #0
@@ -83,7 +83,7 @@ void instant_patches_setup(void) {
 
     *(volatile u32 *) (0x0501dd78 - 0x05000000 + 0x081C0000) = THUMB_BL(0x0501dd78, MCP_ReadCOSXml_patch);
     *(volatile u32 *) (0x051105ce - 0x05000000 + 0x081C0000) = THUMB_BL(0x051105ce, MCP_ReadCOSXml_patch);
-    
+
     // give us bsp::ee:read permission for PPC
     *(volatile u32 *) (0xe6044db0 - 0xe6042000 + 0x13d02000) = 0x000001F0;
 
@@ -96,6 +96,11 @@ void instant_patches_setup(void) {
     *(volatile u32 *) mcp_data_phys(0x050B817C) = *(volatile u32 *) 0x0017FFF0;
     *(volatile u32 *) mcp_data_phys(0x050B8180) = *(volatile u32 *) 0x0017FFF4;
 
+    // Place the environment path at the end of our .text section.
+    for (int i = 0; i < 0x100; i += 4) {
+        *(volatile u32 *) (0x05119F00 - 0x05100000 + 0x13D80000 + i) = *(volatile u32 *) (0x0017FEF0 + i);
+    }
+
     // force check USB storage on load
     *(volatile u32 *) acp_phys(0xE012202C) = 0x00000001; // find USB flag
 

source/ios_kernel/source/ios_mcp_patches.c

@@ -39,7 +39,9 @@ u32 mcp_get_phys_code_base(void) {
 void mcp_run_patches(u32 ios_elf_start) {
     // write ios_mcp code and bss
     section_write_bss(ios_elf_start, _bss_start, _bss_end - _bss_start);
-    section_write(ios_elf_start, _text_start, (void *) mcp_get_phys_code_base(), _text_end - _text_start);
+    // We can't use "_text_end" here because we need to copy the full 0x4000 to preserve the envrionmen path which
+    // is at the end of the .text section.
+    section_write(ios_elf_start, _text_start, (void *) mcp_get_phys_code_base(), 0x4000);
 
     u32 patch_count = (u32) (((u8 *) mcp_patches_table_end) - ((u8 *) mcp_patches_table)) / sizeof(patch_table_t);
     patch_table_entries(ios_elf_start, mcp_patches_table, patch_count);

source/ios_mcp/link.ld

@@ -20,3 +20,6 @@ SECTIONS
 	}
 }
 
+ASSERT((SIZEOF(.text)) < 0x3F00, "text section is too big");
+ASSERT((SIZEOF(.bss)) < 0x3000, "bss section is too big");
+

source/ios_mcp/source/mcp_loadfile.c

@@ -274,26 +274,33 @@ int _MCP_ioctl100_patch(ipcmessage *msg) {
                 _startMainThread();
                 break;
             }
-
+            case IPC_CUSTOM_COPY_ENVIRONMENT_PATH: {
+                if (msg->ioctl.buffer_io && msg->ioctl.length_io >= 0x100) {
+                    strncpy((char *) msg->ioctl.buffer_io, (void *) 0x05119F00, 0xFF);
+                    return 0;
+                } else {
+                    return 29;
+                }
+            }
             case IPC_CUSTOM_START_USB_LOGGING: {
-                if(*((uint32_t*)0x050290dc) == 0x42424242){
+                if (*((uint32_t *) 0x050290dc) == 0x42424242) {
                     // Skip syslog after a reload
                     break;
                 }
                 int handle = svcOpen("/dev/testproc1", 0);
-                if(handle > 0){
+                if (handle > 0) {
                     svcResume(handle);
                     svcClose(handle);
                 }
-                
+
                 handle = svcOpen("/dev/usb_syslog", 0);
-                if(handle > 0){
+                if (handle > 0) {
                     svcResume(handle);
                     svcClose(handle);
                 }
-                
+
                 // Kill existing syslogs to avoid long catch up
-                uint32_t * bufferPtr = (uint32_t*)(*(uint32_t*)0x05095ecc);
+                uint32_t *bufferPtr = (uint32_t *) (*(uint32_t *) 0x05095ecc);
                 bufferPtr[0] = 0;
                 bufferPtr[1] = 0;
 
@@ -303,12 +310,7 @@ int _MCP_ioctl100_patch(ipcmessage *msg) {
             }
         }
     } else {
-        return -29;
+        return 29;
     }
-
+    return 0;
-    /*  Signal that all went well */
-    if (msg->ioctl.buffer_io && msg->ioctl.length_io >= sizeof(u32)) {
-        msg->ioctl.buffer_io[0] = 2;
-    }
-    return 1;
 }

source/main.cpp

@@ -1,5 +1,5 @@
 #include <cstring>
-
+#include <cstdio>
 #include <coreinit/cache.h>
 #include <coreinit/ios.h>
 #include <sysapp/title.h>
@@ -14,6 +14,13 @@ int main(int argc, char **argv) {
     WHBLogUdpInit();
     WHBLogPrintf("Hello from mocha");
 
+    if (argc >= 1) {
+        if (strncmp(argv[0], "fs:/", 4) == 0) {
+            strncpy((char *) 0xF417FEF0, argv[0], 0xFF);
+            DCStoreRange((void *) 0xF417EFF0, 0x100);
+        }
+    }
+
     uint64_t sysmenuIdUll = _SYSGetSystemApplicationTitleId(SYSTEM_APP_ID_HOME_MENU);
     memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
     DCStoreRange((void *) 0xF417FFF0, 0x8);