updated installer iosu exploit to be a bit more stable and added tiny debug patch

2024-11-16 13:19:16 +01:00 · 2016-12-23 19:36:15 +01:00 · 2016-12-23 19:36:15 +01:00 · 5d530f4240
commit 5d530f4240
parent 0ad99123db
8 changed files with 59 additions and 89 deletions
--- a/dsrom/iosu_patcher/arm_kernel/source/main.c
+++ b/dsrom/iosu_patcher/arm_kernel/source/main.c
@ -127,6 +127,9 @@ int _main()
 		*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
 		*(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 		// redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
 		*(volatile u32*)(0x05055454 - 0x05000000 + 0x081C0000) = 0xEBFFA225; // bl 0x0503DCF0
 		if(from_cbhc) // coldboot specific patches
 		{
 			// change system.xml to syshax.xml
--- a/dsrom/iosu_patcher/arm_kernel/source/reload.c
+++ b/dsrom/iosu_patcher/arm_kernel/source/reload.c
@ -10,12 +10,12 @@ extern const int from_cbhc;
 void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
 {
-    void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
+	void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
-    if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
+	if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
-    {
+	{
-        int level = disable_interrupts();
+		int level = disable_interrupts();
-        unsigned int control_register = disable_mmu();
+		unsigned int control_register = disable_mmu();
 		u32 ios_elf_start = launch_address + 0x804 - 0x300;
@ -55,6 +55,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
 		section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0
 		section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr
 		// redirect mcp_debug_print to mcp_syslog_print (0x0503DCF0)
 		section_write_word(ios_elf_start, 0x05055454, 0xEBFFA225); // bl 0x0503DCF0
 		if(from_cbhc) // coldboot specific patches
 		{
 			// change system.xml to syshax.xml
@ -88,9 +91,9 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
 		section_write_word(ios_elf_start, 0xE0030D68, 0xE3A00000); // mov r0, #0
 		section_write_word(ios_elf_start, 0xE0030D34, 0xE3A00000); // mov r0, #0
-        restore_mmu(control_register);
+		restore_mmu(control_register);
-        enable_interrupts(level);
+		enable_interrupts(level);
-    }
+	}
-    kernel_launch_bootrom(launch_address, L, C, H);
+	kernel_launch_bootrom(launch_address, L, C, H);
 }
--- a/installer/arm_kernel/source/crt0.s
+++ b/installer/arm_kernel/source/crt0.s
@ -5,8 +5,5 @@
 .extern _main
 .type _main, %function
 .extern memset
 .type memset, %function
 _start:
 	b _main
--- a/installer/arm_kernel/source/main.c
+++ b/installer/arm_kernel/source/main.c
@ -1,7 +1,5 @@
 #include "types.h"
 #include "utils.h"
 #include "../../payload/arm_user_bin.h"
 #include "../../payload/wupserver_bin.h"
 static const char repairData_set_fault_behavior[] = {
 	0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
@ -40,20 +38,8 @@ static const char os_launch_hook[] = {
 	0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
 };
-//static const char sd_path[] = "/vol/sdcard";
+unsigned int disable_mmu(void);
-
+void restore_mmu(unsigned int control_register);
 static unsigned int __attribute__((noinline)) disable_mmu(void)
 {
 	unsigned int control_register = 0;
 	asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
 	asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
 	return control_register;
 }
 static void __attribute__((noinline)) restore_mmu(unsigned int control_register)
 {
 	asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
 }
 int _main()
 {
@ -89,34 +75,22 @@ int _main()
 	void * pUserBinDest = (void*)0x101312D0;
 	kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
 	// take wupserver from mem1
 	u32 wupserver_bin_len = *(volatile u32*)0x01E70000;
 	void *wupserver_bin = (void*)0x01E70020;
 	// overwrite mcp_d_r code with wupserver
-	*(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
+	*(volatile u32*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; // bx lr
-	void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
+	void *wupserver_dst = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
-	kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
+	kernel_memcpy(wupserver_dst, wupserver_bin, wupserver_bin_len);
-	invalidate_dcache((u32)test, sizeof(wupserver_bin));
+	invalidate_dcache((u32)wupserver_dst, wupserver_bin_len);
 	invalidate_icache();
 	// replace ioctl 0x62 code with jump to wupserver
-	*(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
+	*(volatile u32*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
-	*(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
+	*(volatile u32*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
-	*(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
+	*(volatile u32*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
-	*(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
+	*(volatile u32*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
 	*(unsigned int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
 	*(unsigned int*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
 	*(unsigned int*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 	*(unsigned int*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0
 	*(unsigned int*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
 	*(unsigned int*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
 	*(unsigned int*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
 	*(unsigned int*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0
 	int i;
 	for (i = 0; i < sizeof(os_launch_hook); i++)
 		((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
 	*(int*)(0x1555500) = 0;
--- a/installer/arm_kernel/source/mmu.s
+++ b/installer/arm_kernel/source/mmu.s
@ -0,0 +1,18 @@
 .section ".text"
 .arm
 .align 4
 .globl disable_mmu
 .type disable_mmu, %function
 disable_mmu:
 	mrc p15, 0, r0, c1, c0, 0
 	ldr r1, =#0xFFFFEFFA
 	and r1, r0, r1
 	mcr p15, 0, r1, c1, c0, 0
 	bx lr
 .globl restore_mmu
 .type restore_mmu, %function
 restore_mmu:
 	mcr p15, 0, r0, c1, c0, 0
 	bx lr
--- a/installer/arm_kernel/source/utils.c
+++ b/installer/arm_kernel/source/utils.c
@ -1,25 +0,0 @@
 void* m_memcpy(void *dst, const void *src, unsigned int len)
 {
    const unsigned char *src_ptr = (const unsigned char *)src;
    unsigned char *dst_ptr = (unsigned char *)dst;
    while(len)
    {
        *dst_ptr++ = *src_ptr++;
        --len;
    }
    return dst;
 }
 void* m_memset(void *dst, int val, unsigned int bytes)
 {
    unsigned char *dst_ptr = (unsigned char *)dst;
    unsigned int i = 0;
    while(i < bytes)
    {
        dst_ptr[i] = val;
        ++i;
    }
    return dst;
 }
--- a/installer/arm_kernel/source/utils.h
+++ b/installer/arm_kernel/source/utils.h
@ -1,7 +0,0 @@
 #ifndef _UTILS_H_
 #define _UTILS_H_
 void* m_memcpy(void *dst, const void *src, unsigned int len);
 void* m_memset(void *dst, int val, unsigned int len);
 #endif
--- a/installer/src/main.c
+++ b/installer/src/main.c
@ -11,6 +11,7 @@
 #include <libxml/parser.h>
 #include <libxml/tree.h>
 #include <libxml/xpath.h>
 #include <iosuhax.h>
 #include "dynamic_libs/os_functions.h"
 #include "dynamic_libs/gx2_functions.h"
 #include "dynamic_libs/sys_functions.h"
@ -19,8 +20,8 @@
 #include "common/common.h"
 #include "main.h"
 #include "exploit.h"
 #include "iosuhax.h"
 #include "gameList.h"
 #include "../payload/wupserver_bin.h"
 static const char *sdCardVolPath = "/vol/storage_sdcard";
 #ifdef CB
@ -125,9 +126,9 @@ int availSort(const void *c1, const void *c2)
 void printhdr_noflip()
 {
 #ifdef CB
-	println_noflip(0,"CBHC v1.4u1 by FIX94");
+	println_noflip(0,"CBHC v1.4u2 by FIX94");
 #else
-	println_noflip(0,"Haxchi v2.4 by FIX94");
+	println_noflip(0,"Haxchi v2.4u1 by FIX94");
 #endif
 	println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
 }
@ -380,6 +381,9 @@ int Menu_Main(void)
 	if(res < 0)
 	{
 		println(line++,"Doing IOSU Exploit...");
 		*(volatile unsigned int*)0xF5E70000 = wupserver_bin_len;
 		memcpy((void*)0xF5E70020, &wupserver_bin, wupserver_bin_len);
 		DCStoreRange((void*)0xF5E70000, wupserver_bin_len + 0x40);
 		IOSUExploit();
 		//done with iosu exploit, take over mcp
 		if(MCPHookOpen() < 0)
@ -839,8 +843,11 @@ prgEnd:
 			IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
 		if(sdMounted)
 			IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2);
-		if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
+		if(mcp_hook_fd >= 0)
-			println(line++, "Flushed NAND Cache!");
+		{
 			if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
 				println(line++, "Flushed NAND Cache!");
 		}
 		IOSUHAX_FSA_Close(fsaFd);
 	}
 	//close out iosuhax