updated installer iosu exploit to be a bit more stable and added tiny debug patch
parent
0ad99123db
commit
5d530f4240
@ -127,6 +127,9 @@ int _main()
|
||||
*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
|
||||
*(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
|
||||
|
||||
// redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
|
||||
*(volatile u32*)(0x05055454 - 0x05000000 + 0x081C0000) = 0xEBFFA225; // bl 0x0503DCF0
|
||||
|
||||
if(from_cbhc) // coldboot specific patches
|
||||
{
|
||||
// change system.xml to syshax.xml
|
||||
|
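Review bot: The literal 0xEBFFA225 stored at 0x05054D6C+... (the 0x05055454 slot) is a PC-relative BL, so it only reaches 0x0503DCF0 when written at exactly that address and will silently branch elsewhere if either side is ever moved; the comment should record the relationship, e.g. `// bl 0x0503DCF0 (PC-relative: offset = (0x0503DCF0 - (0x05055454 + 8)) / 4, re-encode if either address changes)`. The encoding does check out for these two addresses. The same literal is written by `section_write_word(ios_elf_start, 0x05055454, 0xEBFFA225);` in the kernel_launch_ios hunk further down, where the same comment applies. `_main` starts and ends outside this hunk.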
@ -10,12 +10,12 @@ extern const int from_cbhc;
|
||||
|
||||
void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
|
||||
{
|
||||
void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
|
||||
void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
|
||||
|
||||
if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
|
||||
{
|
||||
int level = disable_interrupts();
|
||||
unsigned int control_register = disable_mmu();
|
||||
if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
|
||||
{
|
||||
int level = disable_interrupts();
|
||||
unsigned int control_register = disable_mmu();
|
||||
|
||||
u32 ios_elf_start = launch_address + 0x804 - 0x300;
|
||||
|
||||
@ -55,6 +55,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
|
||||
section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0
|
||||
section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr
|
||||
|
||||
// redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
|
||||
section_write_word(ios_elf_start, 0x05055454, 0xEBFFA225); // bl 0x0503DCF0
|
||||
|
||||
if(from_cbhc) // coldboot specific patches
|
||||
{
|
||||
// change system.xml to syshax.xml
|
||||
@ -88,9 +91,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
|
||||
section_write_word(ios_elf_start, 0xE0030D68, 0xE3A00000); // mov r0, #0
|
||||
section_write_word(ios_elf_start, 0xE0030D34, 0xE3A00000); // mov r0, #0
|
||||
|
||||
restore_mmu(control_register);
|
||||
enable_interrupts(level);
|
||||
}
|
||||
restore_mmu(control_register);
|
||||
enable_interrupts(level);
|
||||
}
|
||||
|
||||
kernel_launch_bootrom(launch_address, L, C, H);
|
||||
kernel_launch_bootrom(launch_address, L, C, H);
|
||||
}
|
||||
|
@ -5,8 +5,5 @@
|
||||
.extern _main
|
||||
.type _main, %function
|
||||
|
||||
.extern memset
|
||||
.type memset, %function
|
||||
|
||||
_start:
|
||||
b _main
|
||||
|
@ -1,7 +1,5 @@
|
||||
#include "types.h"
|
||||
#include "utils.h"
|
||||
#include "../../payload/arm_user_bin.h"
|
||||
#include "../../payload/wupserver_bin.h"
|
||||
|
||||
static const char repairData_set_fault_behavior[] = {
|
||||
0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
|
||||
@ -40,20 +38,8 @@ static const char os_launch_hook[] = {
|
||||
0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
|
||||
};
|
||||
|
||||
//static const char sd_path[] = "/vol/sdcard";
|
||||
|
||||
static unsigned int __attribute__((noinline)) disable_mmu(void)
|
||||
{
|
||||
unsigned int control_register = 0;
|
||||
asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
|
||||
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
|
||||
return control_register;
|
||||
}
|
||||
|
||||
static void __attribute__((noinline)) restore_mmu(unsigned int control_register)
|
||||
{
|
||||
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
|
||||
}
|
||||
unsigned int disable_mmu(void);
|
||||
void restore_mmu(unsigned int control_register);
|
||||
|
||||
int _main()
|
||||
{
|
||||
@ -89,34 +75,22 @@ int _main()
|
||||
void * pUserBinDest = (void*)0x101312D0;
|
||||
kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
|
||||
|
||||
// take wupserver from mem1
|
||||
u32 wupserver_bin_len = *(volatile u32*)0x01E70000;
|
||||
void *wupserver_bin = (void*)0x01E70020;
|
||||
|
||||
// overwrite mcp_d_r code with wupserver
|
||||
*(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
|
||||
void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
|
||||
kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
|
||||
invalidate_dcache((u32)test, sizeof(wupserver_bin));
|
||||
*(volatile u32*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; // bx lr
|
||||
void *wupserver_dst = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
|
||||
kernel_memcpy(wupserver_dst, wupserver_bin, wupserver_bin_len);
|
||||
invalidate_dcache((u32)wupserver_dst, wupserver_bin_len);
|
||||
invalidate_icache();
|
||||
|
||||
// replace ioctl 0x62 code with jump to wupserver
|
||||
*(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
|
||||
*(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
|
||||
*(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
|
||||
*(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
|
||||
|
||||
*(unsigned int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
|
||||
|
||||
*(unsigned int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
|
||||
*(unsigned int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
|
||||
|
||||
*(unsigned int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
|
||||
|
||||
*(unsigned int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
|
||||
*(unsigned int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
|
||||
*(unsigned int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
|
||||
*(unsigned int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
|
||||
|
||||
int i;
|
||||
for (i = 0; i < sizeof(os_launch_hook); i++)
|
||||
((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
|
||||
*(volatile u32*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
|
||||
*(volatile u32*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
|
||||
*(volatile u32*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
|
||||
*(volatile u32*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
|
||||
|
||||
*(int*)(0x1555500) = 0;
|
||||
|
||||
|
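Review bot: `wupserver_bin_len` is read from 0x01E70000 and handed straight to kernel_memcpy and invalidate_dcache with no bound, so a missing or stale value there (the PPC side only writes it in the installer's Menu_Main right before IOSUExploit) turns into an unbounded copy over whatever follows 0x0510E570 in the MCP image, and the ioctl 0x62 jump below then lands in it. A guard before the copy, `if(wupserver_bin_len == 0 || wupserver_bin_len > WUPSERVER_MAX_LEN) return -1; /* WUPSERVER_MAX_LEN: placeholder for the space reserved at 0x0510E570 */`, would fail closed instead (use whatever failure value _main's caller actually expects). The +0x00/+0x20 layout is an implicit contract with the PPC side and deserves a comment here, `// handoff from PPC via MEM1: u32 length at +0x00, payload at +0x20`. `_main` starts before this hunk and continues past it.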
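--- a/installer/arm_kernel/source/mmu.s
+++ b/installer/arm_kernel/source/mmu.s
@@ -0,0 +1,18 @@
+.section ".text"
+.arm
+.align 4
+
+.globl disable_mmu
+.type disable_mmu, %function
+disable_mmu:
+mrc p15, 0, r0, c1, c0, 0
+ldr r1, =#0xFFFFEFFA
+and r1, r0, r1
+mcr p15, 0, r1, c1, c0, 0
+bx lr
+
+.globl restore_mmu
+.type restore_mmu, %function
+restore_mmu:
+mcr p15, 0, r0, c1, c0, 0
+bx lr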
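Review bot: The mask 0xFFFFEFFA in disable_mmu clears three control-register bits without saying which, and a comment would save the next reader a trip to the CP15 reference: `@ clear c1 bits M (0, MMU), C (2, data cache) and I (12, instruction cache)`. A one-line contract above each label would also help, since these replace the inline-asm versions removed from arm_kernel/source/main.c in this commit: `@ unsigned int disable_mmu(void) - returns the previous c1 value for restore_mmu` and `@ void restore_mmu(unsigned int control_register)`. Presumably moving the pair into a standalone .s file is what keeps the compiler from emitting memory accesses between the mcr and the return while translation is off; if that is the motivation it is worth stating in a file header comment, because nothing in the code itself explains why the C versions were not good enough.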
@ -1,25 +0,0 @@
|
||||
|
||||
void* m_memcpy(void *dst, const void *src, unsigned int len)
|
||||
{
|
||||
const unsigned char *src_ptr = (const unsigned char *)src;
|
||||
unsigned char *dst_ptr = (unsigned char *)dst;
|
||||
|
||||
while(len)
|
||||
{
|
||||
*dst_ptr++ = *src_ptr++;
|
||||
--len;
|
||||
}
|
||||
return dst;
|
||||
}
|
||||
|
||||
void* m_memset(void *dst, int val, unsigned int bytes)
|
||||
{
|
||||
unsigned char *dst_ptr = (unsigned char *)dst;
|
||||
unsigned int i = 0;
|
||||
while(i < bytes)
|
||||
{
|
||||
dst_ptr[i] = val;
|
||||
++i;
|
||||
}
|
||||
return dst;
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
#ifndef _UTILS_H_
|
||||
#define _UTILS_H_
|
||||
|
||||
void* m_memcpy(void *dst, const void *src, unsigned int len);
|
||||
void* m_memset(void *dst, int val, unsigned int len);
|
||||
|
||||
#endif
|
@ -11,6 +11,7 @@
|
||||
#include <libxml/parser.h>
|
||||
#include <libxml/tree.h>
|
||||
#include <libxml/xpath.h>
|
||||
#include <iosuhax.h>
|
||||
#include "dynamic_libs/os_functions.h"
|
||||
#include "dynamic_libs/gx2_functions.h"
|
||||
#include "dynamic_libs/sys_functions.h"
|
||||
@ -19,8 +20,8 @@
|
||||
#include "common/common.h"
|
||||
#include "main.h"
|
||||
#include "exploit.h"
|
||||
#include "iosuhax.h"
|
||||
#include "gameList.h"
|
||||
#include "../payload/wupserver_bin.h"
|
||||
|
||||
static const char *sdCardVolPath = "/vol/storage_sdcard";
|
||||
#ifdef CB
|
||||
@ -125,9 +126,9 @@ int availSort(const void *c1, const void *c2)
|
||||
void printhdr_noflip()
|
||||
{
|
||||
#ifdef CB
|
||||
println_noflip(0,"CBHC v1.4u1 by FIX94");
|
||||
println_noflip(0,"CBHC v1.4u2 by FIX94");
|
||||
#else
|
||||
println_noflip(0,"Haxchi v2.4 by FIX94");
|
||||
println_noflip(0,"Haxchi v2.4u1 by FIX94");
|
||||
#endif
|
||||
println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
|
||||
}
|
||||
@ -380,6 +381,9 @@ int Menu_Main(void)
|
||||
if(res < 0)
|
||||
{
|
||||
println(line++,"Doing IOSU Exploit...");
|
||||
*(volatile unsigned int*)0xF5E70000 = wupserver_bin_len;
|
||||
memcpy((void*)0xF5E70020, &wupserver_bin, wupserver_bin_len);
|
||||
DCStoreRange((void*)0xF5E70000, wupserver_bin_len + 0x40);
|
||||
IOSUExploit();
|
||||
//done with iosu exploit, take over mcp
|
||||
if(MCPHookOpen() < 0)
|
||||
@ -839,8 +843,11 @@ prgEnd:
|
||||
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
|
||||
if(sdMounted)
|
||||
IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2);
|
||||
if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
|
||||
println(line++, "Flushed NAND Cache!");
|
||||
if(mcp_hook_fd >= 0)
|
||||
{
|
||||
if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
|
||||
println(line++, "Flushed NAND Cache!");
|
||||
}
|
||||
IOSUHAX_FSA_Close(fsaFd);
|
||||
}
|
||||
//close out iosuhax
|
||||
|
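Review bot: `memcpy((void*)0xF5E70020, &wupserver_bin, wupserver_bin_len);` takes the address of `wupserver_bin`; if that symbol is the array declared in wupserver_bin.h the pointer happens to be the same, but it reads like a pointer-to-array mistake and should simply be `wupserver_bin`. These three lines also fix an implicit layout that the IOSU-side payload depends on (length at +0x00, data at +0x20, read back from 0x01E70000 in arm_kernel/source/main.c in this same commit), and the `+ 0x40` in the DCStoreRange length is unexplained; a comment such as `// hand wupserver to the IOSU payload via MEM1: u32 length at +0x00, data at +0x20; flush covers header and payload` would pin both down. Menu_Main starts and ends outside this hunk.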