updated installer iosu exploit to be a bit more stable and added tiny debug patch

FIX94 2016-12-23 19:36:15 +01:00
parent 0ad99123db
commit 5d530f4240
8 changed files with 59 additions and 89 deletions


@ -127,6 +127,9 @@ int _main()
*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0 *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
*(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
// redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
*(volatile u32*)(0x05055454 - 0x05000000 + 0x081C0000) = 0xEBFFA225; // bl 0x0503DCF0
if(from_cbhc) // coldboot specific patches if(from_cbhc) // coldboot specific patches
{ {
// change system.xml to syshax.xml // change system.xml to syshax.xml
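Review bot: The new `bl` immediate written at `0x05055454` (`0xEBFFA225`) is a hand-computed PC-relative offset that nothing in the build checks, and the identical word is written a second time in `kernel_launch_ios` (`section_write_word(ios_elf_start, 0x05055454, 0xEBFFA225)`) with no shared definition. The encoding does check out — `(0x0503DCF0 - (0x05055454 + 8)) / 4 = -0x5DDB`, whose 24-bit two's complement is `0xFFA225` — but that derivation belongs next to the constant so whoever moves either address can redo it; I would extend the comment to `// bl 0x0503DCF0: off = (0x0503DCF0 - (0x05055454 + 8)) / 4 = -0x5DDB -> 0xFFA225`. Defining the target address and the encoded word once in a header used by both the installer and the kernel launcher would remove the duplicate. `_main` starts and ends outside this hunk.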


@ -10,12 +10,12 @@ extern const int from_cbhc;
void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
{ {
void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050; void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000) if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
{ {
int level = disable_interrupts(); int level = disable_interrupts();
unsigned int control_register = disable_mmu(); unsigned int control_register = disable_mmu();
u32 ios_elf_start = launch_address + 0x804 - 0x300; u32 ios_elf_start = launch_address + 0x804 - 0x300;
@ -55,6 +55,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0 section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0
section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr
// redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
section_write_word(ios_elf_start, 0x05055454, 0xEBFFA225); // bl 0x0503DCF0
if(from_cbhc) // coldboot specific patches if(from_cbhc) // coldboot specific patches
{ {
// change system.xml to syshax.xml // change system.xml to syshax.xml
@ -88,9 +91,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
section_write_word(ios_elf_start, 0xE0030D68, 0xE3A00000); // mov r0, #0 section_write_word(ios_elf_start, 0xE0030D68, 0xE3A00000); // mov r0, #0
section_write_word(ios_elf_start, 0xE0030D34, 0xE3A00000); // mov r0, #0 section_write_word(ios_elf_start, 0xE0030D34, 0xE3A00000); // mov r0, #0
restore_mmu(control_register); restore_mmu(control_register);
enable_interrupts(level); enable_interrupts(level);
} }
kernel_launch_bootrom(launch_address, L, C, H); kernel_launch_bootrom(launch_address, L, C, H);
} }


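--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -5,8 +5,5 @@
 .extern _main
 .type _main, %function
-.extern memset
-.type memset, %function
 _start:
 b _main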


@ -1,7 +1,5 @@
#include "types.h" #include "types.h"
#include "utils.h"
#include "../../payload/arm_user_bin.h" #include "../../payload/arm_user_bin.h"
#include "../../payload/wupserver_bin.h"
static const char repairData_set_fault_behavior[] = { static const char repairData_set_fault_behavior[] = {
0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00, 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
@ -40,20 +38,8 @@ static const char os_launch_hook[] = {
0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e, 0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
}; };
//static const char sd_path[] = "/vol/sdcard"; unsigned int disable_mmu(void);
void restore_mmu(unsigned int control_register);
static unsigned int __attribute__((noinline)) disable_mmu(void)
{
unsigned int control_register = 0;
asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
return control_register;
}
static void __attribute__((noinline)) restore_mmu(unsigned int control_register)
{
asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
}
int _main() int _main()
{ {
@ -89,34 +75,22 @@ int _main()
void * pUserBinDest = (void*)0x101312D0; void * pUserBinDest = (void*)0x101312D0;
kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin)); kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
// take wupserver from mem1
u32 wupserver_bin_len = *(volatile u32*)0x01E70000;
void *wupserver_bin = (void*)0x01E70020;
// overwrite mcp_d_r code with wupserver // overwrite mcp_d_r code with wupserver
*(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr *(volatile u32*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; // bx lr
void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000); void *wupserver_dst = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin)); kernel_memcpy(wupserver_dst, wupserver_bin, wupserver_bin_len);
invalidate_dcache((u32)test, sizeof(wupserver_bin)); invalidate_dcache((u32)wupserver_dst, wupserver_bin_len);
invalidate_icache(); invalidate_icache();
// replace ioctl 0x62 code with jump to wupserver // replace ioctl 0x62 code with jump to wupserver
*(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc *(volatile u32*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
*(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc] *(volatile u32*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
*(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1 *(volatile u32*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
*(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code *(volatile u32*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
*(unsigned int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
*(unsigned int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
*(unsigned int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
*(unsigned int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
*(unsigned int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
*(unsigned int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
*(unsigned int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
*(unsigned int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
int i;
for (i = 0; i < sizeof(os_launch_hook); i++)
((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
*(int*)(0x1555500) = 0; *(int*)(0x1555500) = 0;
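Review bot: `wupserver_bin_len` is read from `0x01E70000` and used unchecked as the size of the copy into the mcp_d_r code region at `0x0510E570` and of the following `invalidate_dcache`; the code it replaces was bounded by `sizeof(wupserver_bin)`, so this hunk trades a compile-time size for a word that is only valid if the PPC side stored it (and nothing else touched it) before `_main` runs. A stale or zero word either copies nothing or writes far past the function being replaced, with no diagnostic on either outcome. I would reject implausible values before the copy, e.g. `if(wupserver_bin_len == 0 || wupserver_bin_len > WUPSERVER_MAX_LEN /* placeholder: size of the region replaced at 0x0510E570 */)` and bail out, and have the PPC side store a magic word beside the length so a missing handoff is detected rather than executed. The two reads also deserve a comment, `// handoff from the PPC side: u32 length at +0x00, image at +0x20`. `_main` continues past the end of this hunk.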


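--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,18 @@
+.section ".text"
+.arm
+.align 4
+.globl disable_mmu
+.type disable_mmu, %function
+disable_mmu:
+mrc p15, 0, r0, c1, c0, 0
+ldr r1, =#0xFFFFEFFA
+and r1, r0, r1
+mcr p15, 0, r1, c1, c0, 0
+bx lr
+.globl restore_mmu
+.type restore_mmu, %function
+restore_mmu:
+mcr p15, 0, r0, c1, c0, 0
+bx lr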
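Review bot: `disable_mmu` ands the CP15 c1 control register with `0xFFFFEFFA`, which clears bits 0, 2 and 12, but nothing in the file says what those bits are — the C version this replaces carried the same bare mask. If this is the usual ARM c1 layout they are M (MMU enable), C (data cache) and I (instruction cache), so a comment on the `ldr` line such as `@ ~0x1005: clear M (bit 0), C (bit 2), I (bit 12) - MMU and both caches off` would make the intent reviewable. `restore_mmu` writes r0 back unconditionally, which is only correct if every caller passes the value `disable_mmu` returned; worth one line above the label saying so. The whole file is in this hunk.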


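--- a/[path not shown on page]
+++ /dev/null
@@ -1,25 +0,0 @@
-void* m_memcpy(void *dst, const void *src, unsigned int len)
-{
-const unsigned char *src_ptr = (const unsigned char *)src;
-unsigned char *dst_ptr = (unsigned char *)dst;
-while(len)
-{
-*dst_ptr++ = *src_ptr++;
---len;
-}
-return dst;
-}
-void* m_memset(void *dst, int val, unsigned int bytes)
-{
-unsigned char *dst_ptr = (unsigned char *)dst;
-unsigned int i = 0;
-while(i < bytes)
-{
-dst_ptr[i] = val;
-++i;
-}
-return dst;
-}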


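--- a/[path not shown on page]
+++ /dev/null
@@ -1,7 +0,0 @@
-#ifndef _UTILS_H_
-#define _UTILS_H_
-void* m_memcpy(void *dst, const void *src, unsigned int len);
-void* m_memset(void *dst, int val, unsigned int len);
-#endif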


@ -11,6 +11,7 @@
#include <libxml/parser.h> #include <libxml/parser.h>
#include <libxml/tree.h> #include <libxml/tree.h>
#include <libxml/xpath.h> #include <libxml/xpath.h>
#include <iosuhax.h>
#include "dynamic_libs/os_functions.h" #include "dynamic_libs/os_functions.h"
#include "dynamic_libs/gx2_functions.h" #include "dynamic_libs/gx2_functions.h"
#include "dynamic_libs/sys_functions.h" #include "dynamic_libs/sys_functions.h"
@ -19,8 +20,8 @@
#include "common/common.h" #include "common/common.h"
#include "main.h" #include "main.h"
#include "exploit.h" #include "exploit.h"
#include "iosuhax.h"
#include "gameList.h" #include "gameList.h"
#include "../payload/wupserver_bin.h"
static const char *sdCardVolPath = "/vol/storage_sdcard"; static const char *sdCardVolPath = "/vol/storage_sdcard";
#ifdef CB #ifdef CB
@ -125,9 +126,9 @@ int availSort(const void *c1, const void *c2)
void printhdr_noflip() void printhdr_noflip()
{ {
#ifdef CB #ifdef CB
println_noflip(0,"CBHC v1.4u1 by FIX94"); println_noflip(0,"CBHC v1.4u2 by FIX94");
#else #else
println_noflip(0,"Haxchi v2.4 by FIX94"); println_noflip(0,"Haxchi v2.4u1 by FIX94");
#endif #endif
println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok"); println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
} }
@ -380,6 +381,9 @@ int Menu_Main(void)
if(res < 0) if(res < 0)
{ {
println(line++,"Doing IOSU Exploit..."); println(line++,"Doing IOSU Exploit...");
*(volatile unsigned int*)0xF5E70000 = wupserver_bin_len;
memcpy((void*)0xF5E70020, &wupserver_bin, wupserver_bin_len);
DCStoreRange((void*)0xF5E70000, wupserver_bin_len + 0x40);
IOSUExploit(); IOSUExploit();
//done with iosu exploit, take over mcp //done with iosu exploit, take over mcp
if(MCPHookOpen() < 0) if(MCPHookOpen() < 0)
@ -839,8 +843,11 @@ prgEnd:
IOSUHAX_FSA_CloseFile(fsaFd, sdFd); IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
if(sdMounted) if(sdMounted)
IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2); IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2);
if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0) if(mcp_hook_fd >= 0)
println(line++, "Flushed NAND Cache!"); {
if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
println(line++, "Flushed NAND Cache!");
}
IOSUHAX_FSA_Close(fsaFd); IOSUHAX_FSA_Close(fsaFd);
} }
//close out iosuhax //close out iosuhax
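Review bot: The three lines added in `Menu_Main` (`*(volatile unsigned int*)0xF5E70000 = wupserver_bin_len;` through `DCStoreRange`) define a handoff layout — length word at `+0x00`, image at `+0x20` — that the IOSU-side `_main` in this same commit evidently reads back at `0x01E70000`/`0x01E70020`, yet neither side names the offsets or the other side's address, so a change to one silently corrupts the copy into MCP code on the other. I would add `// hand wupserver to the IOSU payload: u32 length at +0x00, image at +0x20; the payload reads this block at 0x01E70000` here, and ideally define the base and both offsets once in a header included by both sides. The `+ 0x40` in the `DCStoreRange` size presumably covers the 0x20 header plus some slack; that deserves a word too. `Menu_Main` begins and ends outside this hunk.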