From 93efb2a4a656ecdbad848c38ede1c20a40c84463 Mon Sep 17 00:00:00 2001
From: GaryOderNichts <12049776+GaryOderNichts@users.noreply.github.com>
Date: Mon, 3 Jan 2022 00:30:14 +0100
Subject: [PATCH] Run the kernel syscall with full kernel permissions

---
 source/ios_kernel/source/kernel_patches.c | 25 ++++++++++++-----
 source/ios_kernel/source/thread.h | 33 +++++++++++++++++++++++
 2 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 source/ios_kernel/source/thread.h

diff --git a/source/ios_kernel/source/kernel_patches.c b/source/ios_kernel/source/kernel_patches.c
index 66168e7..43590b6 100644
--- a/source/ios_kernel/source/kernel_patches.c
+++ b/source/ios_kernel/source/kernel_patches.c
@@ -28,6 +28,7 @@
 #include "kernel_patches.h"
 #include "fsa.h"
 #include "utils.h"
+#include "thread.h"
 
 extern void __KERNEL_CODE_START(void);
 
@@ -51,22 +52,28 @@ static const u32 KERNEL_MCP_IOMAPPINGS_STRUCT[] =
 0x00000001 // pid (MCP)
 };
 
+ThreadContext_t** currentThreadContext = (ThreadContext_t**) 0x08173ba0;
+uint32_t* domainAccessPermissions = (uint32_t*) 0x081a4000;
+
 int kernel_syscall_0x81(u32 command, u32 arg1, u32 arg2, u32 arg3) {
+ int result = 0;
+ int level = disable_interrupts();
+ set_domain_register(domainAccessPermissions[0]); // 0 = KERNEL
+
 switch (command) {
 case KERNEL_READ32: {
- return *(volatile u32 *) arg1;
+ result = *(volatile u32 *) arg1;
+ break;
 }
 case KERNEL_WRITE32: {
 *(volatile u32 *) arg1 = arg2;
 break;
 }
 case KERNEL_MEMCPY: {
- //set_domain_register(0xFFFFFFFF);
 kernel_memcpy((void *) arg1, (void *) arg2, arg3);
 break;
 }
 case KERNEL_GET_CFW_CONFIG: {
- //set_domain_register(0xFFFFFFFF);
 //kernel_memcpy((void*)arg1, &cfw_config, sizeof(cfw_config));
 break;
 }
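Review bot: The two raw addresses on the new global lines, `0x08173ba0` and `0x081a4000`, are firmware-layout dependent and nothing on the page says which IOS image they were taken from, so a reader patching another build has no signal that they must be re-derived. I'd put a comment above them, e.g. `// IOS kernel globals; these addresses are firmware-specific and must match the running image`, and since `domainAccessPermissions` is not exported by the new thread.h it can be `static` unless something outside this diff references it. The elevation `set_domain_register(domainAccessPermissions[0])` runs before `command` is validated, so an unrecognised command also executes with kernel domain rights until the epilogue restores them; harmless as written because the default case only sets `result`, but checking `command` before raising the domain would make that explicit. kernel_syscall_0x81 continues past the end of this hunk.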
@@ -75,10 +82,16 @@ int kernel_syscall_0x81(u32 command, u32 arg1, u32 arg2, u32 arg3) {
 read_otp_internal(0, (void*)(arg1), 0x400);
 break;
 }
- default:
- return -1;
+ default: {
+ result = -1;
+ break;
+ }
 }
- return 0;
+
+ set_domain_register(domainAccessPermissions[(*currentThreadContext)->pid]);
+ enable_interrupts(level);
+
+ return result;
 }
 
 void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) {
diff --git a/source/ios_kernel/source/thread.h b/source/ios_kernel/source/thread.h
new file mode 100644
index 0000000..65d41ab
--- /dev/null
+++ b/source/ios_kernel/source/thread.h
@@ -0,0 +1,33 @@
+#pragma once
+
+#include
+#include
+
+typedef struct ThreadContext {
+ uint32_t cspr;
+ uint32_t gpr[14];
+ uint32_t lr;
+ uint32_t pc;
+ struct ThreadContext* threadQueueNext;
+ uint32_t maxPriority;
+ uint32_t priority;
+ uint32_t state;
+ uint32_t pid;
+ uint32_t id;
+ uint32_t flags;
+ uint32_t exitValue;
+ struct ThreadContext** joinQueue;
+ struct ThreadContext** threadQueue;
+ uint8_t unk1[56];
+ void* stackPointer;
+ uint8_t unk2[8];
+ void* sysStackAddr;
+ void* userStackAddr;
+ uint32_t userStackSize;
+ void* threadLocalStorage;
+ uint32_t profileCount;
+ uint32_t profileTime;
+} ThreadContext_t;
+static_assert(sizeof(ThreadContext_t) == 0xC8, "ThreadContext_t: different size than expected");
+
+extern ThreadContext_t** currentThreadContext;
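Review bot: The restore on `set_domain_register(domainAccessPermissions[(*currentThreadContext)->pid])` uses the thread's pid as an index with no check on the context pointer or the pid range, so a null or stale context pointer, or a pid beyond the table, loads an arbitrary word into the domain register and the caller silently continues with whatever permissions that word encodes. The size of the permission table is not visible on the page; I'd read the pid into a local, compare it against that bound (`PID_TABLE_ENTRIES` as a placeholder for the real constant) and restore a non-kernel entry or fail loudly when it is out of range, rather than index blindly. At minimum a comment such as `// pid is trusted as an index into the per-process domain table; keep in sync with the IOS process count` belongs on that line. The prologue that raises the domain, and the start of kernel_syscall_0x81, are in the previous hunk.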
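Review bot: `static_assert` on the line after the struct is the C11 macro from `<assert.h>`; the two `+#include` lines have lost their targets in this rendering, so if they are not `<assert.h>` and `<stdint.h>` the header will not compile on its own, whereas `_Static_assert` would work without the include. The first member `cspr` looks like a transposition of `cpsr`; worth fixing before other code depends on the name. The layout is pinned to 0xC8 bytes but nothing says which IOS build the offsets and the `unk1`/`unk2` gaps were taken from; a header comment such as `// Mirror of the IOS kernel thread context; offsets verified against one firmware build, see the static_assert below` would keep the next reader from reusing it blindly. The pointer declarators (`struct ThreadContext* threadQueueNext`, `void* stackPointer`) bind `*` to the type rather than the name, against the usual C convention; cosmetic only.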