The-Homebrew-Cloud/MochaPayload
2
0
Fork 0
mirror of https://github.com/wiiu-env/MochaPayload.git synced 2024-11-22 16:09:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Run the kernel syscall with full kernel permissions

Browse Source
This commit is contained in:
GaryOderNichts 2022-01-03 00:30:14 +01:00 committed by Maschell
parent 4108e78800
commit 93efb2a4a6
2 changed files with 52 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
source/ios_kernel/source/kernel_patches.c
View File

@ -28,6 +28,7 @@
#include "kernel_patches.h" #include "kernel_patches.h"
#include "fsa.h" #include "fsa.h"
#include "utils.h" #include "utils.h"
#include "thread.h"
extern void __KERNEL_CODE_START(void); extern void __KERNEL_CODE_START(void);
@ -51,22 +52,28 @@ static const u32 KERNEL_MCP_IOMAPPINGS_STRUCT[] =
0x00000001 // pid (MCP) 0x00000001 // pid (MCP)
}; };
ThreadContext_t** currentThreadContext = (ThreadContext_t**) 0x08173ba0;
uint32_t* domainAccessPermissions = (uint32_t*) 0x081a4000;
int kernel_syscall_0x81(u32 command, u32 arg1, u32 arg2, u32 arg3) { int kernel_syscall_0x81(u32 command, u32 arg1, u32 arg2, u32 arg3) {
int result = 0;
int level = disable_interrupts();
set_domain_register(domainAccessPermissions[0]); // 0 = KERNEL
switch (command) { switch (command) {
case KERNEL_READ32: { case KERNEL_READ32: {
return *(volatile u32 *) arg1; result = *(volatile u32 *) arg1;
break;
} }
case KERNEL_WRITE32: { case KERNEL_WRITE32: {
*(volatile u32 *) arg1 = arg2; *(volatile u32 *) arg1 = arg2;
break; break;
} }
case KERNEL_MEMCPY: { case KERNEL_MEMCPY: {
//set_domain_register(0xFFFFFFFF);
kernel_memcpy((void *) arg1, (void *) arg2, arg3); kernel_memcpy((void *) arg1, (void *) arg2, arg3);
break; break;
} }
case KERNEL_GET_CFW_CONFIG: { case KERNEL_GET_CFW_CONFIG: {
//set_domain_register(0xFFFFFFFF);
//kernel_memcpy((void*)arg1, &cfw_config, sizeof(cfw_config)); //kernel_memcpy((void*)arg1, &cfw_config, sizeof(cfw_config));
break; break;
} }
@ -75,10 +82,16 @@ int kernel_syscall_0x81(u32 command, u32 arg1, u32 arg2, u32 arg3) {
read_otp_internal(0, (void*)(arg1), 0x400); read_otp_internal(0, (void*)(arg1), 0x400);
break; break;
} }
default: default: {
return -1; result = -1;
break;
} }
return 0; }
set_domain_register(domainAccessPermissions[(*currentThreadContext)->pid]);
enable_interrupts(level);
return result;
} }
void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) { void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) {

33
source/ios_kernel/source/thread.h Normal file
View File

@ -0,0 +1,33 @@
#pragma once
#include <stdint.h>
#include <assert.h>
typedef struct ThreadContext {
uint32_t cspr;
uint32_t gpr[14];
uint32_t lr;
uint32_t pc;
struct ThreadContext* threadQueueNext;
uint32_t maxPriority;
uint32_t priority;
uint32_t state;
uint32_t pid;
uint32_t id;
uint32_t flags;
uint32_t exitValue;
struct ThreadContext** joinQueue;
struct ThreadContext** threadQueue;
uint8_t unk1[56];
void* stackPointer;
uint8_t unk2[8];
void* sysStackAddr;
void* userStackAddr;
uint32_t userStackSize;
void* threadLocalStorage;
uint32_t profileCount;
uint32_t profileTime;
} ThreadContext_t;
static_assert(sizeof(ThreadContext_t) == 0xC8, "ThreadContext_t: different size than expected");
extern ThreadContext_t** currentThreadContext;