mirror of
https://github.com/wiiu-env/fw_img_payload.git
synced 2025-07-12 21:05:48 +02:00
214 lines
8.5 KiB
C
214 lines
8.5 KiB
C
/***************************************************************************
|
|
* Copyright (C) 2016
|
|
* by Dimok
|
|
*
|
|
* This software is provided 'as-is', without any express or implied
|
|
* warranty. In no event will the authors be held liable for any
|
|
* damages arising from the use of this software.
|
|
*
|
|
* Permission is granted to anyone to use this software for any
|
|
* purpose, including commercial applications, and to alter it and
|
|
* redistribute it freely, subject to the following restrictions:
|
|
*
|
|
* 1. The origin of this software must not be misrepresented; you
|
|
* must not claim that you wrote the original software. If you use
|
|
* this software in a product, an acknowledgment in the product
|
|
* documentation would be appreciated but is not required.
|
|
*
|
|
* 2. Altered source versions must be plainly marked as such, and
|
|
* must not be misrepresented as being the original software.
|
|
*
|
|
* 3. This notice may not be removed or altered from any source
|
|
* distribution.
|
|
***************************************************************************/
|
|
#include "types.h"
|
|
#include "utils.h"
|
|
|
|
#define USB_PHYS_CODE_BASE 0x101312D0
|
|
|
|
typedef struct
|
|
{
|
|
u32 size;
|
|
u8 data[0];
|
|
} payload_info_t;
|
|
|
|
static const char repairData_set_fault_behavior[] = {
|
|
0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
|
|
0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02,
|
|
0xE1,0x53,0x00,0x00,0xE3,0xE0,0x00,0x00,0x18,0xBD,0x80,0x30,0xE3,0x54,0x00,0x0D,
|
|
};
|
|
static const char repairData_set_panic_behavior[] = {
|
|
0x08,0x16,0x6C,0x00,0x00,0x00,0x18,0x0C,0x08,0x14,0x40,0x00,0x00,0x00,0x9D,0x70,
|
|
0x08,0x16,0x84,0x0C,0x00,0x00,0xB4,0x0C,0x00,0x00,0x01,0x01,0x08,0x14,0x40,0x00,
|
|
0x08,0x15,0x00,0x00,0x08,0x17,0x21,0x80,0x08,0x17,0x38,0x00,0x08,0x14,0x30,0xD4,
|
|
0x08,0x14,0x12,0x50,0x08,0x14,0x12,0x94,0xE3,0xA0,0x35,0x36,0xE5,0x93,0x21,0x94,
|
|
0xE3,0xC2,0x2E,0x21,0xE5,0x83,0x21,0x94,0xE5,0x93,0x11,0x94,0xE1,0x2F,0xFF,0x1E,
|
|
0xE5,0x9F,0x30,0x1C,0xE5,0x9F,0xC0,0x1C,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x10,0x00,
|
|
0xE5,0x92,0x30,0x54,0xE5,0x9C,0x00,0x00,
|
|
};
|
|
static const char repairData_usb_root_thread[] = {
|
|
0xE5,0x8D,0xE0,0x04,0xE5,0x8D,0xC0,0x08,0xE5,0x8D,0x40,0x0C,0xE5,0x8D,0x60,0x10,
|
|
0xEB,0x00,0xB2,0xFD,0xEA,0xFF,0xFF,0xC9,0x10,0x14,0x03,0xF8,0x10,0x62,0x4D,0xD3,
|
|
0x10,0x14,0x50,0x00,0x10,0x14,0x50,0x20,0x10,0x14,0x00,0x00,0x10,0x14,0x00,0x90,
|
|
0x10,0x14,0x00,0x70,0x10,0x14,0x00,0x98,0x10,0x14,0x00,0x84,0x10,0x14,0x03,0xE8,
|
|
0x10,0x14,0x00,0x3C,0x00,0x00,0x01,0x73,0x00,0x00,0x01,0x76,0xE9,0x2D,0x4F,0xF0,
|
|
0xE2,0x4D,0xDE,0x17,0xEB,0x00,0xB9,0x92,0xE3,0xA0,0x10,0x00,0xE3,0xA0,0x20,0x03,
|
|
0xE5,0x9F,0x0E,0x68,0xEB,0x00,0xB3,0x20,
|
|
};
|
|
|
|
/* from smealum's iosuhax: must be placed at 0x05059938
|
|
0x0000000005059938: 47 78 bx pc
|
|
0x000000000505993a: 00 00
|
|
0x000000000505993c: E9 2D 40 0F push {r0, r1, r2, r3, lr}
|
|
0x0000000005059940: E2 4D D0 08 sub sp, sp, #8
|
|
0x0000000005059944: EB FF FD FD bl #0x5059140
|
|
0x0000000005059948: E3 A0 00 00 mov r0, #0
|
|
0x000000000505994c: EB FF FE 03 bl #0x5059160
|
|
0x0000000005059950: E5 9F 10 4C ldr r1, [pc, #0x4c] @ -> 050599a4 -> 05059970 -> "/dev/sdcard01"
|
|
0x0000000005059954: E5 9F 20 4C ldr r2, [pc, #0x4c] @ -> 050599a8 -> 0505997E -> "/vol/sdcard"
|
|
0x0000000005059958: E3 A0 30 00 mov r3, #0
|
|
0x000000000505995c: E5 8D 30 00 str r3, [sp]
|
|
0x0000000005059960: E5 8D 30 04 str r3, [sp, #4]
|
|
0x0000000005059964: EB FF FE F1 bl #0x5059530
|
|
0x0000000005059968: E2 8D D0 08 add sp, sp, #8
|
|
0x000000000505996c: E8 BD 80 0F pop {r0, r1, r2, r3, pc}
|
|
0x0000000005059970: "/dev/sdcard01",0
|
|
0x000000000505997e: "/vol/sdcard",0,0,0
|
|
0x000000000505998c: "/vol/sdcard",0
|
|
0x0000000005059998: 05 11 60 00
|
|
0x000000000505999c: 05 0B E0 00
|
|
0x00000000050599a0: 05 0B CF FC
|
|
0x00000000050599a4: 05 05 99 70
|
|
0x00000000050599a8: 05 05 99 7E
|
|
|
|
*/
|
|
static const char os_launch_hook[] = {
|
|
0x47, 0x78, 0x00, 0x00, 0xe9, 0x2d, 0x40, 0x0f, 0xe2, 0x4d, 0xd0, 0x08, 0xeb,
|
|
0xff, 0xfd, 0xfd, 0xe3, 0xa0, 0x00, 0x00, 0xeb, 0xff, 0xfe, 0x03, 0xe5, 0x9f,
|
|
0x10, 0x4c, 0xe5, 0x9f, 0x20, 0x4c, 0xe3, 0xa0, 0x30, 0x00, 0xe5, 0x8d, 0x30,
|
|
0x00, 0xe5, 0x8d, 0x30, 0x04, 0xeb, 0xff, 0xfe, 0xf1, 0xe2, 0x8d, 0xd0, 0x08,
|
|
0xe8, 0xbd, 0x80, 0x0f, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x64, 0x63, 0x61,
|
|
0x72, 0x64, 0x30, 0x31, 0x00, 0x2f, 0x76, 0x6f, 0x6c, 0x2f, 0x73, 0x64, 0x63,
|
|
0x61, 0x72, 0x64, 0x00, 0x00, 0x00, 0x2f, 0x76, 0x6f, 0x6c, 0x2f, 0x73, 0x64,
|
|
0x63, 0x61, 0x72, 0x64, 0x00, 0x05, 0x11, 0x60, 0x00, 0x05, 0x0b, 0xe0, 0x00,
|
|
0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
|
|
};
|
|
|
|
/* from stoopwafel, allows unencrypted fw.img
|
|
ancast_crypt_check:
|
|
.thumb
|
|
bx pc
|
|
nop
|
|
.arm
|
|
ldr r7, =0x010001A0 @ device type offset
|
|
ldrh r7, [r7] @ get device type
|
|
tst r7, #1 @ set bit 0 at the u16 at 0x1A0 for no-crypt mode
|
|
bne ancast_no_crypt
|
|
|
|
add r7, sp, #0x24
|
|
str r7, [sp, #0x18]
|
|
bx lr
|
|
|
|
ancast_no_crypt:
|
|
pop {r4-r7, lr}
|
|
add sp, #0x10
|
|
mov r0, #0
|
|
bx lr
|
|
|
|
*/
|
|
static const char ancast_decrypt_hook[] = {
|
|
0x47, 0x78, 0xbf, 0x00,
|
|
0xe5, 0x9f, 0x70, 0x24, 0xe1, 0xd7, 0x70, 0xb0,
|
|
0xe3, 0x17, 0x00, 0x01, 0x1a, 0x00, 0x00, 0x02,
|
|
0xe2, 0x8d, 0x70, 0x24, 0xe5, 0x8d, 0x70, 0x18,
|
|
0xe1, 0x2f, 0xff, 0x1e, 0xe8, 0xbd, 0x40, 0xf0,
|
|
0xe2, 0x8d, 0xd0, 0x10, 0xe3, 0xa0, 0x00, 0x00,
|
|
0xe1, 0x2f, 0xff, 0x1e, 0x01, 0x00, 0x01, 0xa0,
|
|
};
|
|
|
|
static const char sd_path[] = "/vol/sdcard";
|
|
|
|
static u32 generate_bl_t(u32 from, u32 to){
|
|
s32 bl_offs = (((s32)to - (s32)(from)) - 4) / 2;
|
|
u32 bl_insn = 0xF000F800 | ((u32)bl_offs & 0x7FF) | ((((u32)bl_offs >> 11) & 0x3FF) << 16);
|
|
return bl_insn;
|
|
}
|
|
|
|
int _main()
|
|
{
|
|
void(*invalidate_icache)() = (void(*)())0x0812DCF0;
|
|
void(*invalidate_dcache)(unsigned int, unsigned int) = (void(*)())0x08120164;
|
|
void(*flush_dcache)(unsigned int, unsigned int) = (void(*)())0x08120160;
|
|
|
|
flush_dcache(0x081200F0, 0x4001); // giving a size >= 0x4000 flushes all cache
|
|
|
|
int level = disable_interrupts();
|
|
|
|
unsigned int control_register = disable_mmu();
|
|
|
|
/* Save the request handle so we can reply later */
|
|
*(volatile u32*)0x0012F000 = *(volatile u32*)0x1016AD18;
|
|
|
|
/* Patch kernel_error_handler to BX LR immediately */
|
|
*(volatile u32*)0x08129A24 = 0xE12FFF1E;
|
|
|
|
void * pset_fault_behavior = (void*)0x081298BC;
|
|
kernel_memcpy(pset_fault_behavior, (void*)repairData_set_fault_behavior, sizeof(repairData_set_fault_behavior));
|
|
|
|
void * pset_panic_behavior = (void*)0x081296E4;
|
|
kernel_memcpy(pset_panic_behavior, (void*)repairData_set_panic_behavior, sizeof(repairData_set_panic_behavior));
|
|
|
|
void * pusb_root_thread = (void*)0x10100174;
|
|
kernel_memcpy(pusb_root_thread, (void*)repairData_usb_root_thread, sizeof(repairData_usb_root_thread));
|
|
|
|
payload_info_t *payloads = (payload_info_t*)0x00148000;
|
|
kernel_memcpy((void*)USB_PHYS_CODE_BASE, payloads->data, payloads->size);
|
|
|
|
int i;
|
|
for (i = 0; i < 32; i++)
|
|
if (i < sizeof(sd_path))
|
|
((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = sd_path[i];
|
|
else
|
|
((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = (char)0;
|
|
|
|
*(int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
|
|
|
|
*(int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
|
|
*(int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
|
|
|
|
*(int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
|
|
|
|
*(int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000;
|
|
*(int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000;
|
|
*(int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000;
|
|
*(int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000;
|
|
|
|
for (i = 0; i < sizeof(os_launch_hook); i++)
|
|
((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
|
|
|
|
u32 ancast_hook_start = (0x05059938 + sizeof(os_launch_hook) + 3) & ~3;
|
|
for (i = 0; i < sizeof(ancast_decrypt_hook); i++)
|
|
((char*)(ancast_hook_start - 0x05000000 + 0x081C0000))[i] = ancast_decrypt_hook[i];
|
|
|
|
*(u32*)(0x0500A678 - 0x05000000 + 0x081C0000) = generate_bl_t(0x0500A678, ancast_hook_start);
|
|
|
|
// remove various Ancast header size checks (somehow needed for unencrypted fw.img)
|
|
*(u32*)(0x0500A7C8 - 0x05000000 + 0x081C0000) = 0xbf00bf00; // nop nop
|
|
*(u16*)(0x0500A7C8 - 0x05000000 + 0x081C0000) = 0xe00f; // b #0x500a7ea
|
|
*(u32*)(0x0500a7f4 - 0x05000000 + 0x081C0000) = 0x2302e003; // movs r3, #2; b #0x500a800
|
|
|
|
*(int*)(0x1555500) = 0;
|
|
|
|
*(volatile u32*)(0x1555500) = 0;
|
|
|
|
/* REENABLE MMU */
|
|
restore_mmu(control_register);
|
|
|
|
invalidate_dcache(0x081298BC, 0x4001); // giving a size >= 0x4000 invalidates all cache
|
|
invalidate_icache();
|
|
|
|
enable_interrupts(level);
|
|
|
|
return 0;
|
|
}
|