From 5d530f424013b77600c24c4545ac2f9d11f4f7e7 Mon Sep 17 00:00:00 2001
From: FIX94
Date: Fri, 23 Dec 2016 19:36:15 +0100
Subject: [PATCH] updated installer iosu exploit to be a bit more stable and added tiny debug patch

---
 dsrom/iosu_patcher/arm_kernel/source/main.c | 3 ++
 dsrom/iosu_patcher/arm_kernel/source/reload.c | 21 ++++----
 installer/arm_kernel/source/crt0.s | 3 --
 installer/arm_kernel/source/main.c | 54 +++++--------------
 installer/arm_kernel/source/mmu.s | 18 +++++++
 installer/arm_kernel/source/utils.c | 25 ---------
 installer/arm_kernel/source/utils.h | 7 ---
 installer/src/main.c | 17 ++++--
 8 files changed, 59 insertions(+), 89 deletions(-)
 create mode 100644 installer/arm_kernel/source/mmu.s
 delete mode 100644 installer/arm_kernel/source/utils.c
 delete mode 100644 installer/arm_kernel/source/utils.h

diff --git a/dsrom/iosu_patcher/arm_kernel/source/main.c b/dsrom/iosu_patcher/arm_kernel/source/main.c
index d47534b..a172295 100644
--- a/dsrom/iosu_patcher/arm_kernel/source/main.c
+++ b/dsrom/iosu_patcher/arm_kernel/source/main.c
@@ -127,6 +127,9 @@ int _main()
 *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
 *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 
+ // redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
+ *(volatile u32*)(0x05055454 - 0x05000000 + 0x081C0000) = 0xEBFFA225; // bl 0x0503DCF0
+
 if(from_cbhc) // coldboot specific patches
 {
 // change system.xml to syshax.xml
diff --git a/dsrom/iosu_patcher/arm_kernel/source/reload.c b/dsrom/iosu_patcher/arm_kernel/source/reload.c
index 704e379..838077a 100644
--- a/dsrom/iosu_patcher/arm_kernel/source/reload.c
+++ b/dsrom/iosu_patcher/arm_kernel/source/reload.c
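Review bot: The hand-encoded branch `0xEBFFA225` written at 0x05055454 is duplicated verbatim in reload.c (hunk @@ -55,6 of this commit) with the same `// bl 0x0503DCF0` comment, so a future retarget or firmware-offset change has to be edited in two places with nothing checking that they still agree. The encoding does match the comment (0x0505545C minus 0x1776C is 0x0503DCF0), but a shared definition such as `#define MCP_DEBUG_PRINT_BL_SYSLOG 0xEBFFA225 /* bl 0x0503DCF0 from 0x05055454 */` used by both writes would keep them in step. It would also help to say in the comment that the redirect only makes sense for the exact IOSU image these absolute addresses belong to, since a relative BL encodes the distance rather than the target. _main continues outside the hunk.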
@@ -10,12 +10,12 @@ extern const int from_cbhc;
 
 void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
 {
- void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
+ void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
 
- if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
- {
- int level = disable_interrupts();
- unsigned int control_register = disable_mmu();
+ if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
+ {
+ int level = disable_interrupts();
+ unsigned int control_register = disable_mmu();
 
 u32 ios_elf_start = launch_address + 0x804 - 0x300;
 
@@ -55,6 +55,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
 section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0
 section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr
 
+ // redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
+ section_write_word(ios_elf_start, 0x05055454, 0xEBFFA225); // bl 0x0503DCF0
+
 if(from_cbhc) // coldboot specific patches
 {
 // change system.xml to syshax.xml
@@ -88,9 +91,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
 section_write_word(ios_elf_start, 0xE0030D68, 0xE3A00000); // mov r0, #0
 section_write_word(ios_elf_start, 0xE0030D34, 0xE3A00000); // mov r0, #0
 
- restore_mmu(control_register);
- enable_interrupts(level);
- }
+ restore_mmu(control_register);
+ enable_interrupts(level);
+ }
 
- kernel_launch_bootrom(launch_address, L, C, H);
+ kernel_launch_bootrom(launch_address, L, C, H);
 }
diff --git a/installer/arm_kernel/source/crt0.s b/installer/arm_kernel/source/crt0.s
index ae2a3b1..83d7bb6 100644
--- a/installer/arm_kernel/source/crt0.s
+++ b/installer/arm_kernel/source/crt0.s
@@ -5,8 +5,5 @@
 .extern _main
 .type _main, %function
 
-.extern memset
-.type memset, %function
-
 _start:
 b _main
diff --git a/installer/arm_kernel/source/main.c b/installer/arm_kernel/source/main.c
index 5d5305a..4bd4d3c 100644
--- a/installer/arm_kernel/source/main.c
+++ b/installer/arm_kernel/source/main.c
@@ -1,7 +1,5 @@
 #include "types.h"
-#include "utils.h"
 #include "../../payload/arm_user_bin.h"
-#include "../../payload/wupserver_bin.h"
 
 static const char repairData_set_fault_behavior[] = {
 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
@@ -40,20 +38,8 @@ static const char os_launch_hook[] = {
 0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
 };
 
-//static const char sd_path[] = "/vol/sdcard";
-
-static unsigned int __attribute__((noinline)) disable_mmu(void)
-{
- unsigned int control_register = 0;
- asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
- asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
- return control_register;
-}
-
-static void __attribute__((noinline)) restore_mmu(unsigned int control_register)
-{
- asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
-}
+unsigned int disable_mmu(void);
+void restore_mmu(unsigned int control_register);
 
 int _main()
 {
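Review bot: The new prototypes `unsigned int disable_mmu(void);` and `void restore_mmu(unsigned int control_register);` carry none of the contract the removed inline-asm bodies at least made visible: disable_mmu hands back the previous CP15 c1 control register value, that value must be passed to restore_mmu, and between the two calls the MMU and both caches are off (the 0xFFFFEFFA mask clears bits 12, 2 and 0). A comment above them, e.g. `/* mmu.s: disable_mmu returns the old c1 control register and turns MMU/caches off; pass the value back to restore_mmu. */`, or a small mmu.h now that utils.h is gone, would stop a caller from treating the return value as optional. _main begins in this hunk's trailing context and continues outside it; the @@ -1,7 hunk above only drops includes.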
@@ -89,34 +75,22 @@ int _main()
 void * pUserBinDest = (void*)0x101312D0;
 kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
 
+ // take wupserver from mem1
+ u32 wupserver_bin_len = *(volatile u32*)0x01E70000;
+ void *wupserver_bin = (void*)0x01E70020;
+
 // overwrite mcp_d_r code with wupserver
- *(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
- void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
- kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
- invalidate_dcache((u32)test, sizeof(wupserver_bin));
+ *(volatile u32*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; // bx lr
+ void *wupserver_dst = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
+ kernel_memcpy(wupserver_dst, wupserver_bin, wupserver_bin_len);
+ invalidate_dcache((u32)wupserver_dst, wupserver_bin_len);
 invalidate_icache();
 
 // replace ioctl 0x62 code with jump to wupserver
- *(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
- *(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
- *(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
- *(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
-
- *(unsigned int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
-
- *(unsigned int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
- *(unsigned int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
-
- *(unsigned int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
-
- *(unsigned int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
- *(unsigned int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
- *(unsigned int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
- *(unsigned int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
-
- int i;
- for (i = 0; i < sizeof(os_launch_hook); i++)
- ((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
+ *(volatile u32*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
+ *(volatile u32*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
+ *(volatile u32*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
+ *(volatile u32*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
 
 *(int*)(0x1555500) = 0;
 
diff --git a/installer/arm_kernel/source/mmu.s b/installer/arm_kernel/source/mmu.s
new file mode 100644
index 0000000..17fab93
--- /dev/null
+++ b/installer/arm_kernel/source/mmu.s
@@ -0,0 +1,18 @@
+.section ".text"
+.arm
+.align 4
+
+.globl disable_mmu
+.type disable_mmu, %function
+disable_mmu:
+ mrc p15, 0, r0, c1, c0, 0
+ ldr r1, =#0xFFFFEFFA
+ and r1, r0, r1
+ mcr p15, 0, r1, c1, c0, 0
+ bx lr
+
+.globl restore_mmu
+.type restore_mmu, %function
+restore_mmu:
+ mcr p15, 0, r0, c1, c0, 0
+ bx lr
diff --git a/installer/arm_kernel/source/utils.c b/installer/arm_kernel/source/utils.c
deleted file mode 100644
index f02ae47..0000000
--- a/installer/arm_kernel/source/utils.c
+++ /dev/null
@@ -1,25 +0,0 @@
-
-void* m_memcpy(void *dst, const void *src, unsigned int len)
-{
- const unsigned char *src_ptr = (const unsigned char *)src;
- unsigned char *dst_ptr = (unsigned char *)dst;
-
- while(len)
- {
- *dst_ptr++ = *src_ptr++;
- --len;
- }
- return dst;
-}
-
-void* m_memset(void *dst, int val, unsigned int bytes)
-{
- unsigned char *dst_ptr = (unsigned char *)dst;
- unsigned int i = 0;
- while(i < bytes)
- {
- dst_ptr[i] = val;
- ++i;
- }
- return dst;
-}
diff --git a/installer/arm_kernel/source/utils.h b/installer/arm_kernel/source/utils.h
deleted file mode 100644
index fd41db2..0000000
--- a/installer/arm_kernel/source/utils.h
+++ /dev/null
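Review bot: `wupserver_bin_len` is read from `*(volatile u32*)0x01E70000` and used unchecked as the length of the kernel_memcpy into the mcp_d_r code region at 0x0510E570, so a stale, zero or oversized word there turns the copy into an unbounded overwrite of IOS-MCP code; the replaced code was at least bounded by `sizeof(wupserver_bin)`. Nothing on this side verifies that the staging done just before IOSUExploit() in installer/src/main.c (hunk @@ -380,6) actually happened, and the 0x20-byte header carries only the raw length. Suggest a guard along the lines of `if(wupserver_bin_len == 0 || wupserver_bin_len > WUPSERVER_MAX_LEN /* placeholder: free bytes after 0x0510E570 */)` that skips the mcp_d_r overwrite and the ioctl 0x62 redirect together, plus a marker word in the header that both sides agree on. _main continues outside the hunk on both sides.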
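Review bot: mmu.s documents neither its register contract nor its side effect: disable_mmu leaves the previous c1 control register in r0 (the mrc reads into r0 and only the masked copy in r1 is written back), restore_mmu expects that value in r0, and the 0xFFFFEFFA mask clears the I-cache and D-cache enable bits as well as the MMU bit. A short header comment, e.g. `@ disable_mmu: returns old c1 in r0, clears MMU/I-cache/D-cache enables; restore_mmu: r0 = value to write back`, would make the pairing with the C prototypes in main.c self-explanatory. Note also that `.align 4` on ARM ELF gas is a 16-byte alignment (the operand is a power of two there), which is presumably intended but differs from the byte-count reading on other targets and deserves a word.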
@@ -1,7 +0,0 @@
-#ifndef _UTILS_H_
-#define _UTILS_H_
-
-void* m_memcpy(void *dst, const void *src, unsigned int len);
-void* m_memset(void *dst, int val, unsigned int len);
-
-#endif
diff --git a/installer/src/main.c b/installer/src/main.c
index b506d02..8ccca09 100644
--- a/installer/src/main.c
+++ b/installer/src/main.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include "dynamic_libs/os_functions.h"
 #include "dynamic_libs/gx2_functions.h"
 #include "dynamic_libs/sys_functions.h"
@@ -19,8 +20,8 @@
 #include "common/common.h"
 #include "main.h"
 #include "exploit.h"
-#include "iosuhax.h"
 #include "gameList.h"
+#include "../payload/wupserver_bin.h"
 static const char *sdCardVolPath = "/vol/storage_sdcard";
 #ifdef CB
@@ -125,9 +126,9 @@ int availSort(const void *c1, const void *c2)
 void printhdr_noflip()
 {
 #ifdef CB
- println_noflip(0,"CBHC v1.4u1 by FIX94");
+ println_noflip(0,"CBHC v1.4u2 by FIX94");
 #else
- println_noflip(0,"Haxchi v2.4 by FIX94");
+ println_noflip(0,"Haxchi v2.4u1 by FIX94");
 #endif
 println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
 }
@@ -380,6 +381,9 @@ int Menu_Main(void)
 if(res < 0)
 {
 println(line++,"Doing IOSU Exploit...");
+ *(volatile unsigned int*)0xF5E70000 = wupserver_bin_len;
+ memcpy((void*)0xF5E70020, &wupserver_bin, wupserver_bin_len);
+ DCStoreRange((void*)0xF5E70000, wupserver_bin_len + 0x40);
 IOSUExploit();
 //done with iosu exploit, take over mcp
 if(MCPHookOpen() < 0)
@@ -839,8 +843,11 @@ prgEnd:
 IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
 if(sdMounted)
 IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2);
- if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
- println(line++, "Flushed NAND Cache!");
+ if(mcp_hook_fd >= 0)
+ {
+ if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
+ println(line++, "Flushed NAND Cache!");
+ }
 IOSUHAX_FSA_Close(fsaFd);
 }
 //close out iosuhax
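Review bot: Dropping `#include "iosuhax.h"` here leaves IOSUHAX_FSA_CloseFile, IOSUHAX_FSA_Unmount, IOSUHAX_FSA_FlushVolume and IOSUHAX_FSA_Close (hunk @@ -839,8) and MCPHookOpen (hunk @@ -380,6) still in use in this file, and nothing in the diff shows another header now declaring them. If common/common.h or main.h pulls them in that is fine; if not, the calls compile only as implicit declarations, which hides any mismatch between the assumed int return and the real signature. Worth confirming the build is clean under -Wimplicit-function-declaration, or keeping the include.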
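Review bot: The staging contract between this hunk and the kernel side (installer/arm_kernel/source/main.c, hunk @@ -89,34) is only a raw length at 0xF5E70000 followed by the payload at 0xF5E70020, with the remaining header bytes undefined, so the receiver has no way to tell a genuine stage from leftover memory. Writing a marker as well, e.g. `*(volatile unsigned int*)0xF5E70004 = 0x57555053; /* constructed marker value, check it on the kernel side */`, and checking it before the kernel copies would make a missed or partial stage detectable. The `wupserver_bin_len + 0x40` passed to DCStoreRange does cover the 0x20-byte header plus the payload; a comment explaining why the region the kernel side reads at 0x01E70000 is free for scratch use at this point would also help. Menu_Main continues outside the hunk.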
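Review bot: Guarding only IOSUHAX_FSA_FlushVolume on `mcp_hook_fd >= 0` while IOSUHAX_FSA_CloseFile, IOSUHAX_FSA_Unmount and IOSUHAX_FSA_Close in the same cleanup block still run unconditionally reads as an inconsistent condition: either the FSA handle is usable without the MCP hook, in which case the reason the flush is special should be stated, or it is not and the whole block wants the guard. A one-line comment above the new `if`, e.g. `// flush mlc01 only through the mcp hook: <reason>`, would settle it; mcp_hook_fd is declared outside the hunk, so its meaning is inferred here. The prgEnd: cleanup continues on both sides of the hunk.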