Update the Readme and remove some DEBUG printfs

This commit is contained in:
Maschell 2020-04-26 13:45:12 +02:00
parent aaf363baa4
commit da8dfaafed
2 changed files with 1 additions and 6 deletions


@ -1,5 +1,5 @@
# Standalone payload.elf loader # Standalone payload.elf loader
This is a payload that should be run with [MochaLite](https://github.com/wiiu-env/MochaLite) before the System Menu. This is .rpx is meant to run in a envrionment with sd and codegen (jit) access.
It's exploits the Cafe OS and maps 8 MiB of usable memory from 0x30000000...0x30800000 (physical address) to 0x00800000... 0x01000000 (virtual address) where a payload will be loaded. You may need to hook into the kernel and patch out some thing to gain persistent access to this area. It's exploits the Cafe OS and maps 8 MiB of usable memory from 0x30000000...0x30800000 (physical address) to 0x00800000... 0x01000000 (virtual address) where a payload will be loaded. You may need to hook into the kernel and patch out some thing to gain persistent access to this area.
The loaded `hook_payload.elf` needs to be mapped to this memory area. The loaded `hook_payload.elf` needs to be mapped to this memory area.


@ -242,7 +242,6 @@ int DoKernelExploit(void) {
OSThread *thread = (OSThread*)memalign(8, 0x1000); OSThread *thread = (OSThread*)memalign(8, 0x1000);
uint8_t *stack = (uint8_t*)memalign(0x40, 0x2000); uint8_t *stack = (uint8_t*)memalign(0x40, 0x2000);
OSSwitchSecCodeGenMode(0); OSSwitchSecCodeGenMode(0);
memcpy((void*)0x1800000, (void*)&SCKernelCopyData, 0x100); memcpy((void*)0x1800000, (void*)&SCKernelCopyData, 0x100);
@ -262,7 +261,6 @@ int DoKernelExploit(void) {
OSSwitchSecCodeGenMode(1); OSSwitchSecCodeGenMode(1);
if (OSCreateThread(thread, (OSThreadEntryPointFn)exploitThread, 0, NULL, stack + 0x2000, 0x2000, 0, 0x1) == 0) { if (OSCreateThread(thread, (OSThreadEntryPointFn)exploitThread, 0, NULL, stack + 0x2000, 0x2000, 0, 0x1) == 0) {
OSFatal("Failed to create thread"); OSFatal("Failed to create thread");
} }
@ -278,7 +276,6 @@ int DoKernelExploit(void) {
uint32_t targetAddress = 0x017FF000; uint32_t targetAddress = 0x017FF000;
KernelWrite((uint32_t) backupBuffer, (void*) 0x017FF000, 0x40); KernelWrite((uint32_t) backupBuffer, (void*) 0x017FF000, 0x40);
targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528 targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528
targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03 targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03
targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3 targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3
@ -304,8 +301,6 @@ int DoKernelExploit(void) {
/* run our kernel code :) */ /* run our kernel code :) */
SC_0x36_SETBATS(); SC_0x36_SETBATS();
WHBLogPrintf("repair data");
/* repair data */ /* repair data */
KernelWrite(targetAddress, backupBuffer, sizeof(backupBuffer)); KernelWrite(targetAddress, backupBuffer, sizeof(backupBuffer));
DCFlushRange((void*)targetAddress, sizeof(backupBuffer)); DCFlushRange((void*)targetAddress, sizeof(backupBuffer));
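Review bot: The backup and restore of the patched kernel page use different size and address expressions: the backup in the third hunk is `KernelWrite((uint32_t) backupBuffer, (void*) 0x017FF000, 0x40);` immediately after `targetAddress` is set to that same literal, while the restore in the fourth hunk is `KernelWrite(targetAddress, backupBuffer, sizeof(backupBuffer));`. If backupBuffer is ever resized the two silently diverge, and the restore either leaves part of the patched region unrepaired or writes bytes that were never saved back into kernel memory; `KernelWrite((uint32_t) backupBuffer, (void*) targetAddress, sizeof(backupBuffer));` keeps both sides tied to one definition (this assumes backupBuffer is a real array, which the later sizeof implies but the hunk does not show). The memalign results for `thread` and `stack` in the first hunk are also used without a NULL check, so a failed allocation would reach OSCreateThread with a null stack rather than the existing OSFatal path. DoKernelExploit starts and ends outside these hunks.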