diff --git a/dsrom/CBHC/Makefile b/dsrom/CBHC/Makefile
index d460d79..1d460f3 100644
--- a/dsrom/CBHC/Makefile
+++ b/dsrom/CBHC/Makefile
@@ -16,11 +16,16 @@ FIRMWARE = 550
 all: clean setup main
-$(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/arm_user_bin.h
+$(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/wupserver_bin.h $(CURDIR)/payload/arm_user_bin.h
 @$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile
 @-mkdir -p $(CURDIR)/payload
 @cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@
-
+
+$(CURDIR)/payload/wupserver_bin.h:
+ @$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile
+ @-mkdir -p $(CURDIR)/payload
+ @cp -p $(CURDIR)/../../wupserver/wupserver_bin.h $@
+
 $(CURDIR)/payload/arm_user_bin.h:
 @$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile
 @-mkdir -p $(CURDIR)/payload
@@ -41,4 +46,5 @@ clean:
 rm -rf $(build) payload
 rm -rf CBHC.elf CBHC.map
 $(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean
+ @$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile clean
 $(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile clean
diff --git a/dsrom/CBHC/arm_kernel/source/main.c b/dsrom/CBHC/arm_kernel/source/main.c
index 74b37b9..783d1a2 100644
--- a/dsrom/CBHC/arm_kernel/source/main.c
+++ b/dsrom/CBHC/arm_kernel/source/main.c
@@ -1,6 +1,7 @@
 #include "types.h"
 #include "utils.h"
 #include "../../payload/arm_user_bin.h"
+#include "../../payload/wupserver_bin.h"
 static const char repairData_set_fault_behavior[] = {
 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
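Review bot: The new `$(CURDIR)/payload/wupserver_bin.h` rule and the added `clean` line spell out `$(CURDIR)/../../wupserver` four times; a single `WUPSERVER_DIR := $(CURDIR)/../../wupserver` used in both places would keep them in step, and this same commit already had to correct the equivalent paths by hand in installer/Makefile. The rule also lists no prerequisite on the wupserver sources, so an existing header is never rebuilt on its own — that matches the neighbouring arm_user/arm_kernel rules and `all: clean setup main` masks it, but a build that skips `clean` would presumably ship a stale blob. The new `clean` line is the only one in that recipe prefixed with `@`; the arm_user and arm_kernel lines beside it are not.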
@@ -88,16 +89,29 @@ int _main()
 void * pUserBinDest = (void*)0x101312D0;
 kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
+ // overwrite mcp_d_r code with wupserver
+ *(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
+ void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
+ kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
+ invalidate_dcache((u32)test, sizeof(wupserver_bin));
+ invalidate_icache();
+
+ // replace ioctl 0x62 code with jump to wupserver
+ *(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
+ *(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
+ *(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
+ *(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
+
 // fix 10 minute timeout that crashes MCP after 10 minutes of booting
- *(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
+ *(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
 // patch cached cert check
- *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
- *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
+ *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
+ *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 // patch cert verification
- *(volatile u32*)(0x05052A90 - 0x05000000 + 0x081C0000) = 0xe3a00000; // mov r0, #0
- *(volatile u32*)(0x05052A94 - 0x05000000 + 0x081C0000) = 0xe12fff1e; // bx lr
+ *(volatile u32*)(0x05052A90 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
+ *(volatile u32*)(0x05052A94 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 // patch MCP authentication check
 *(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr
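Review bot: `0x0510E570` (with its companion `0x0510E56C`) is now hard-coded here, twice more in installer/arm_kernel/source/main.c (hunks at -89 and -98), and as the `RAMX` `ORIGIN` in wupserver/ccd00.ld, with nothing tying the copies together; the value stored by `= 0x0510E570; // wupserver code` must equal the address the blob was linked for, so one shared header constant that both kernel payloads use (and that the linker script names in a comment) would make the next relocation a one-place change. The new stores use `*(unsigned int*)` while every neighbouring patch in this hunk uses `*(volatile u32*)`; matching them is a small consistency fix. A `_Static_assert(sizeof(wupserver_bin) <= 0x15BC, "wupserver_bin exceeds RAMX");` beside the `kernel_memcpy` would mirror the `LENGTH = 0x00015BC` bound from the linker script on the consumer side, if the toolchain's C standard permits it. `_main` starts and ends outside the hunk.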
diff --git a/dsrom/CBHC/main.c b/dsrom/CBHC/main.c
index 3e9b34c..ad6a5d6 100644
--- a/dsrom/CBHC/main.c
+++ b/dsrom/CBHC/main.c
@@ -36,19 +36,22 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp
 #define FORCE_SYSMENU (VPAD_BUTTON_ZL | VPAD_BUTTON_ZR | VPAD_BUTTON_L | VPAD_BUTTON_R)
 #define FORCE_HBL (VPAD_BUTTON_A | VPAD_BUTTON_B | VPAD_BUTTON_X | VPAD_BUTTON_Y)
 #define SD_HBL_PATH "/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf"
+#define SD_MOCHA_PATH "/vol/external01/wiiu/apps/mocha/mocha.elf"
-static const char *verChar = "CBHC v1.1 by FIX94";
+static const char *verChar = "CBHC v1.2 by FIX94";
 #define DEFAULT_DISABLED 0
 #define DEFAULT_SYSMENU 1
 #define DEFAULT_HBL 2
-#define DEFAULT_CFW_IMG 3
-#define DEFAULT_MAX 4
+#define DEFAULT_MOCHA 3
+#define DEFAULT_CFW_IMG 4
+#define DEFAULT_MAX 5
 static const char *defOpts[DEFAULT_MAX] = {
 "DEFAULT_DISABLED",
 "DEFAULT_SYSMENU",
 "DEFAULT_HBL",
+ "DEFAULT_MOCHA",
 "DEFAULT_CFW_IMG",
 };
@@ -56,12 +59,14 @@ static const char *bootOpts[DEFAULT_MAX] = {
 "Disabled",
 "System Menu",
 "Homebrew Launcher",
+ "Mocha CFW",
 "fw.img on SD Card",
 };
 #define LAUNCH_SYSMENU 0
 #define LAUNCH_HBL 1
-#define LAUNCH_CFW_IMG 2
+#define LAUNCH_MOCHA 2
+#define LAUNCH_CFW_IMG 3
 #define OSScreenEnable(enable) OSScreenEnableEx(0, enable); OSScreenEnableEx(1, enable);
 #define OSScreenClearBuffer(tmp) OSScreenClearBufferEx(0, tmp); OSScreenClearBufferEx(1, tmp);
@@ -86,9 +91,6 @@ uint32_t __main(void)
 OSDynLoad_FindExport(sysapp_handle,0,"_SYSGetSystemApplicationTitleId",&_SYSGetSystemApplicationTitleId);
 unsigned long long sysmenu = _SYSGetSystemApplicationTitleId(0);
- //set up default hbl path
- strcpy((void*)0xF5E70000,SD_HBL_PATH);
-
 unsigned int vpad_handle;
 OSDynLoad_Acquire("vpad.rpl", &vpad_handle);
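Review bot: Removing the unconditional `strcpy((void*)0xF5E70000,SD_HBL_PATH)` in the hunk at -86 means the loader path buffer is now only written on the `return 0x01800000` paths that the later hunks touch (the FORCE_HBL branch at -112 and the LAUNCH_HBL/LAUNCH_MOCHA branches at -428); if any other path still returns `0x01800000` outside the visible hunks, it now hands the loader whatever the buffer happened to contain. A one-line comment at the `SD_HBL_PATH`/`SD_MOCHA_PATH` definitions, e.g. `// every path that returns 0x01800000 must first copy the elf path to 0xF5E70000`, would make the new contract explicit. `__main` starts and ends outside the hunk.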
@@ -112,6 +114,7 @@ uint32_t __main(void)
 else if(((vpad.btns_d|vpad.btns_h) & FORCE_HBL) == FORCE_HBL)
 {
 // original hbl loader payload
+ strcpy((void*)0xF5E70000,SD_HBL_PATH);
 return 0x01800000;
 }
 }
@@ -298,7 +301,7 @@ uint32_t __main(void)
 cbhc_menu: ;
 int redraw = 1;
 int PosX = 0;
- int ListMax = 4;
+ int ListMax = 5;
 int clickT = 0;
 while(1)
 {
@@ -342,7 +345,7 @@ cbhc_menu: ;
 if( btnDown & VPAD_BUTTON_A )
 {
- if(PosX == 3)
+ if(PosX == 4)
 {
 cur_autoboot++;
 if(cur_autoboot == DEFAULT_MAX)
@@ -366,10 +369,12 @@ cbhc_menu: ;
 OSScreenPutFont(0, 1, printStr);
 __os_snprintf(printStr,64,"%c Boot Homebrew Launcher", 1 == PosX ? '>' : ' ');
 OSScreenPutFont(0, 2, printStr);
- __os_snprintf(printStr,64,"%c Boot fw.img on SD Card", 2 == PosX ? '>' : ' ');
+ __os_snprintf(printStr,64,"%c Boot Mocha CFW", 2 == PosX ? '>' : ' ');
 OSScreenPutFont(0, 3, printStr);
- __os_snprintf(printStr,64,"%c Autoboot: %s", 3 == PosX ? '>' : ' ', bootOpts[cur_autoboot]);
+ __os_snprintf(printStr,64,"%c Boot fw.img on SD Card", 3 == PosX ? '>' : ' ');
 OSScreenPutFont(0, 4, printStr);
+ __os_snprintf(printStr,64,"%c Autoboot: %s", 4 == PosX ? '>' : ' ', bootOpts[cur_autoboot]);
+ OSScreenPutFont(0, 5, printStr);
 OSScreenFlipBuffers();
 redraw = 0;
@@ -428,7 +433,15 @@ doIOSUexploit:
 IOS_Close(dev_uhs_0_handle);
 if(launchmode == LAUNCH_HBL)
+ {
+ strcpy((void*)0xF5E70000,SD_HBL_PATH);
 return 0x01800000;
+ }
+ else if(launchmode == LAUNCH_MOCHA)
+ {
+ strcpy((void*)0xF5E70000,SD_MOCHA_PATH);
+ return 0x01800000;
+ }
 //sysmenu or cfw
 if(launchmode == LAUNCH_CFW_IMG)
 OSForceFullRelaunch();
diff --git a/installer/Makefile b/installer/Makefile
index 4148af7..cd51857 100644
--- a/installer/Makefile
+++ b/installer/Makefile
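Review bot: `int ListMax = 5;` (hunk at -298) and `if(PosX == 4)` (hunk at -342) hard-code the menu row count and the index of the Autoboot row, which the string hunk at -366 encodes a third time through its `N == PosX` comparisons and `OSScreenPutFont(0, N, ...)` rows; this commit had to touch all three to add one option, and the next option will too. Defining the rows once, e.g. `enum { MENU_AUTOBOOT_ROW = 4, MENU_ROWS = MENU_AUTOBOOT_ROW + 1 };`, and using those names in all three places keeps them from drifting apart. `__main` starts and ends outside these hunks.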
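Review bot: In the hunk at -428, `strcpy((void*)0xF5E70000, ...)` is now repeated three times in this file (twice here, once in the FORCE_HBL branch at -112), each with a raw address literal; a named destination such as `#define LOADER_PATH_BUF ((char*)0xF5E70000)` next to `SD_HBL_PATH` would record what that address is and make the copies grep-able. Nothing visible records how large the destination buffer is; since the two paths are compile-time literals, a `_Static_assert(sizeof(SD_MOCHA_PATH) <= <buffer size>, "path too long")` (buffer size to be taken from wherever the region is defined) would catch an oversized path when the next one is added. The two branches differ only in the path, so `strcpy(LOADER_PATH_BUF, launchmode == LAUNCH_HBL ? SD_HBL_PATH : SD_MOCHA_PATH); return 0x01800000;` under a single `if(launchmode == LAUNCH_HBL || launchmode == LAUNCH_MOCHA)` reads more compactly. `__main` starts and ends outside the hunk.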
@@ -136,9 +136,9 @@ $(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/wupserver_bin.h $(CURDIR)
 @cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@
 $(CURDIR)/payload/wupserver_bin.h:
- @$(MAKE) --no-print-directory -C $(CURDIR)/wupserver -f $(CURDIR)/wupserver/Makefile
+ @$(MAKE) --no-print-directory -C $(CURDIR)/../wupserver -f $(CURDIR)/../wupserver/Makefile
 @-mkdir -p $(CURDIR)/payload
- @cp -p $(CURDIR)/wupserver/wupserver_bin.h $@
+ @cp -p $(CURDIR)/../wupserver/wupserver_bin.h $@
 $(CURDIR)/payload/arm_user_bin.h:
 @$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile
@@ -150,7 +150,7 @@ clean:
 @echo clean ...
 @rm -fr $(BUILD) $(CURDIR)/*.elf $(CURDIR)/payload
 @$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean
- @$(MAKE) --no-print-directory -C $(CURDIR)/wupserver -f $(CURDIR)/wupserver/Makefile clean
+ @$(MAKE) --no-print-directory -C $(CURDIR)/../wupserver -f $(CURDIR)/../wupserver/Makefile clean
 @$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile clean
diff --git a/installer/arm_kernel/source/main.c b/installer/arm_kernel/source/main.c
index 3e5cc5c..5d5305a 100644
--- a/installer/arm_kernel/source/main.c
+++ b/installer/arm_kernel/source/main.c
@@ -89,7 +89,9 @@ int _main()
 void * pUserBinDest = (void*)0x101312D0;
 kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
- void * test = (void*)(0x05100000 - 0x05100000 + 0x13D80000);
+ // overwrite mcp_d_r code with wupserver
+ *(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
+ void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
 kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
 invalidate_dcache((u32)test, sizeof(wupserver_bin));
 invalidate_icache();
@@ -98,7 +100,7 @@ int _main()
 *(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
 *(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
 *(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
- *(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x05100000; // wupserver code
+ *(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
 *(unsigned int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
diff --git a/installer/src/main.c b/installer/src/main.c
index 9a884dc..cb71b53 100644
--- a/installer/src/main.c
+++ b/installer/src/main.c
@@ -125,9 +125,9 @@ int availSort(const void *c1, const void *c2)
 void printhdr_noflip()
 {
 #ifdef CB
- println_noflip(0,"CBHC v1.1 by FIX94");
+ println_noflip(0,"CBHC v1.2 by FIX94");
 #else
- println_noflip(0,"Haxchi v2.3 by FIX94");
+ println_noflip(0,"Haxchi v2.3u1 by FIX94");
 #endif
 println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
 }
@@ -369,19 +369,24 @@ int Menu_Main(void)
 int line = 6;
 #endif
- //will inject our custom mcp code
- println(line++,"Doing IOSU Exploit...");
- IOSUExploit();
-
 int fsaFd = -1;
 int sdMounted = 0;
 int sdFd = -1, mlcFd = -1, slcFd = -1;
- //done with iosu exploit, take over mcp
- if(MCPHookOpen() < 0)
+ //open up iosuhax
+ int res = IOSUHAX_Open(NULL);
+ if(res < 0)
+ res = MCPHookOpen();
+ if(res < 0)
 {
- println(line++,"MCP hook could not be opened!");
- goto prgEnd;
+ println(line++,"Doing IOSU Exploit...");
+ IOSUExploit();
+ //done with iosu exploit, take over mcp
+ if(MCPHookOpen() < 0)
+ {
+ println(line++,"MCP hook could not be opened!");
+ goto prgEnd;
+ }
 }
 //mount with full permissions
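Review bot: In the Menu_Main hunk at -369, on the failure path — `IOSUHAX_Open(NULL)` fails, both `MCPHookOpen()` calls fail and control jumps to `prgEnd` — the cleanup added in the hunk at -838 runs `IOSUHAX_Close()` because `mcp_hook_fd` is presumably still negative, even though no iosuhax handle was ever opened; unless `IOSUHAX_Close()` is documented as safe on an unopened handle (not visible here), the close should be keyed on the open result rather than on a global owned by the MCP-hook module. Keeping a local flag, e.g. `int iosuhaxOpen = IOSUHAX_Open(NULL) >= 0;`, and closing with `if(iosuhaxOpen) IOSUHAX_Close(); else if(mcp_hook_fd >= 0) MCPHookClose();` at `prgEnd` would make ownership explicit on every path. The `//open up iosuhax` comment could also say why the order is iosuhax first, MCP hook second, exploit last — presumably the first two detect an already-resident CFW so the exploit only runs when nothing is loaded. `Menu_Main` starts and ends outside the hunk.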
@@ -838,8 +843,11 @@ prgEnd:
 println(line++, "Flushed NAND Cache!");
 IOSUHAX_FSA_Close(fsaFd);
 }
- //close out old mcp instance
- MCPHookClose();
+ //close out iosuhax
+ if(mcp_hook_fd >= 0)
+ MCPHookClose();
+ else
+ IOSUHAX_Close();
 sleep(5);
 //will do IOSU reboot
 OSForceFullRelaunch();
diff --git a/release/wiiu/apps/cbhc/meta.xml b/release/wiiu/apps/cbhc/meta.xml
index 941e256..08ae718 100644
--- a/release/wiiu/apps/cbhc/meta.xml
+++ b/release/wiiu/apps/cbhc/meta.xml
@@ -2,9 +2,9 @@
 CBHC
 FIX94
- 1.1
+ 1.2
 https://github.com/FIX94/haxchi
- 20161210200000
+ 20161213200000
 Coldboot Haxchi Installer
 WARNING! This will install Coldboot Haxchi on your system. ONLY USE THIS IF YOU ARE WILLING TO TAKE A RISK OF BRICKING YOUR CONSOLE.
diff --git a/release/wiiu/apps/haxchi/meta.xml b/release/wiiu/apps/haxchi/meta.xml
index 92b7c31..6c44504 100644
--- a/release/wiiu/apps/haxchi/meta.xml
+++ b/release/wiiu/apps/haxchi/meta.xml
@@ -2,9 +2,9 @@
 Haxchi
 FIX94
- 2.3
+ 2.3u1
 https://github.com/FIX94/haxchi
- 20161210200000
+ 20161213200000
 Haxchi Installer
 This will install Haxchi on your system.
diff --git a/installer/wupserver/Makefile b/wupserver/Makefile
similarity index 92%
rename from installer/wupserver/Makefile
rename to wupserver/Makefile
index 3542b40..1bb45f7 100644
--- a/installer/wupserver/Makefile
+++ b/wupserver/Makefile
@@ -11,7 +11,7 @@ CC = arm-none-eabi-gcc
 LINK = arm-none-eabi-ld
 AS = arm-none-eabi-as
 OBJCOPY = arm-none-eabi-objcopy
-CFLAGS += -Wall -mbig-endian -std=c99 -march=armv5 -Os -I$(DEVKITPRO)/libnds/include
+CFLAGS += -Wall -mbig-endian -std=c99 -mcpu=arm926ej-s -Os -s -mthumb -I$(DEVKITPRO)/libnds/include
 LDFLAGS += --script=ccd00.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib"
 CFILES = $(wildcard source/*.c)
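Review bot: In the wupserver/Makefile hunk at -11, `-s` in `CFLAGS` is a link-stage option, but this Makefile links with `$(LINK) = arm-none-eabi-ld` directly (hunk at -43), so the flag only reaches compile-only `gcc` invocations where it has no effect (and may be reported as unused); the stripping actually comes from the new `$(OBJCOPY) ... -S` in that hunk, so `-s` can be dropped here, or moved to `LDFLAGS` as `--strip-all` if ld-level stripping is wanted. Replacing `-march=armv5` with `-mcpu=arm926ej-s -mthumb` changes the instruction set the blob is built for; a one-line comment recording why Thumb was chosen (presumably code size, given the `LENGTH = 0x00015BC` region in ccd00.ld) would save the next reader a trip through the linker script and kernel patch.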
@@ -43,13 +43,13 @@ dirs:
 $(PROJECTNAME).bin: $(PROJECTNAME).elf # $(OBJCOPY) -O binary $< $@
- $(OBJCOPY) -j .text -j .rodata -O binary $< $@
+ $(OBJCOPY) -j .text -j .rodata -S -O binary $< $@
 $(PROJECTNAME)_bin.h: $(PROJECTNAME).bin
 xxd -i $< | sed "s/unsigned/static const unsigned/g;s/$(PROJECTNAME)$*/$(PROJECTNAME)/g" > $@
 $(PROJECTNAME).elf: $(OFILES)
- $(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(sort $(filter-out build/crt0.o, $(OFILES)))
+ $(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(sort $(filter-out build/crt0.o, $(OFILES))) libgcc.a
 clean:
 @rm -f build/*.o build/*.d
diff --git a/installer/wupserver/ccd00.ld b/wupserver/ccd00.ld
similarity index 72%
rename from installer/wupserver/ccd00.ld
rename to wupserver/ccd00.ld
index 1e5b2fd..a0187bc 100644
--- a/installer/wupserver/ccd00.ld
+++ b/wupserver/ccd00.ld
@@ -2,13 +2,13 @@ OUTPUT_ARCH(arm)
 MEMORY
 {
- RAMX (rx) : ORIGIN = 0x05100000, LENGTH = 0x0004000
+ RAMX (rx) : ORIGIN = 0x0510E570, LENGTH = 0x00015BC
 RAMRW (rw!i) : ORIGIN = 0x05089780, LENGTH = 0x00001F00
 }
 SECTIONS
 {
- .text : ALIGN(0x100) {
+ .text : {
 build/crt0.o(.init)
 *(.text)
 *(.rodata)
@@ -20,4 +20,3 @@ SECTIONS
 }
 _bss_end = .;
 }
-
diff --git a/installer/wupserver/ccd00.specs b/wupserver/ccd00.specs
similarity index 100%
rename from installer/wupserver/ccd00.specs
rename to wupserver/ccd00.specs
diff --git a/wupserver/libgcc.a b/wupserver/libgcc.a
new file mode 100644
index 0000000..b8beee7
Binary files /dev/null and b/wupserver/libgcc.a differ
diff --git a/installer/wupserver/source/crt0.s b/wupserver/source/crt0.s
similarity index 100%
rename from installer/wupserver/source/crt0.s
rename to wupserver/source/crt0.s
diff --git a/installer/wupserver/source/fsa.c b/wupserver/source/fsa.c
similarity index 100%
rename from installer/wupserver/source/fsa.c
rename to wupserver/source/fsa.c
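Review bot: The link line now pulls in `libgcc.a` as a bare file name, i.e. the archive this commit checks into `wupserver/libgcc.a` as an opaque binary, rather than the one belonging to the `arm-none-eabi-gcc` that compiles with `$(CFLAGS)`; its toolchain version and origin are recorded nowhere, so the build is no longer reproducible from the toolchain alone, and a mismatch (a libgcc built for a different ABI or endianness than `-mbig-endian`) would only surface at run time. Using the compiler's own copy, `$(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(sort $(filter-out build/crt0.o, $(OFILES))) $(shell $(CC) $(CFLAGS) -print-libgcc-file-name)`, removes both the vendored binary and the dependence on the working directory for the relative path. If the checked-in archive has to stay, a README line naming the GCC version and configure options it came from, plus a recorded digest of the file, is the minimum provenance a reviewer would want.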
diff --git a/installer/wupserver/source/fsa.h b/wupserver/source/fsa.h
similarity index 100%
rename from installer/wupserver/source/fsa.h
rename to wupserver/source/fsa.h
diff --git a/installer/wupserver/source/imports.c b/wupserver/source/imports.c
similarity index 98%
rename from installer/wupserver/source/imports.c
rename to wupserver/source/imports.c
index a3f94b3..ef04ead 100644
--- a/installer/wupserver/source/imports.c
+++ b/wupserver/source/imports.c
@@ -21,7 +21,7 @@ void* memcpy(void* dst, const void* src, size_t size)
 {
 return _memcpy(dst, (void*)src, size);
 }
-
+/*
 int strlen(const char* str)
 {
 unsigned int i = 0;
@@ -30,7 +30,7 @@ int strlen(const char* str)
 }
 return i;
 }
-
+*/
 char* strncpy(char* dst, const char* src, size_t size)
 {
 int i;
@@ -42,8 +42,9 @@ char* strncpy(char* dst, const char* src, size_t size)
 return dst;
 }
-
+/*
 int vsnprintf(char * s, size_t n, const char * format, va_list arg)
 {
 return ((int (*const)(char*, size_t, const char *, va_list))0x05055C40)(s, n, format, arg);
 }
+*/
\ No newline at end of file
diff --git a/installer/wupserver/source/imports.h b/wupserver/source/imports.h
similarity index 100%
rename from installer/wupserver/source/imports.h
rename to wupserver/source/imports.h
diff --git a/installer/wupserver/source/ipc.c b/wupserver/source/ipc.c
similarity index 98%
rename from installer/wupserver/source/ipc.c
rename to wupserver/source/ipc.c
index bcdab38..cc70a3f 100644
--- a/installer/wupserver/source/ipc.c
+++ b/wupserver/source/ipc.c
@@ -31,6 +31,7 @@
 //#include "logger.h"
 #include "fsa.h"
+#define IOSUHAX_MAGIC_WORD 0x4E696365
 #define IOS_ERROR_UNKNOWN_VALUE 0xFFFFFFD6
 #define IOS_ERROR_INVALID_ARG 0xFFFFFFE3
 #define IOS_ERROR_INVALID_SIZE 0xFFFFFFE9
@@ -71,6 +72,7 @@
 #define IOCTL_FSA_RAW_CLOSE 0x57
 #define IOCTL_FSA_CHANGEMODE 0x58
 #define IOCTL_FSA_FLUSHVOLUME 0x59
+#define IOCTL_CHECK_IF_IOSUHAX 0x5B
 //static u8 threadStack[0x1000] __attribute__((aligned(0x20)));
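Review bot: In imports.c, wrapping `strlen` and `vsnprintf` in `/* ... */` (hunks at -21, -30 and -42) leaves dead code that still has to be read and that git history already preserves; deleting the two functions and adding one line such as `// strlen/vsnprintf now come from <the unit that supplies them>` states the intent better than the block comments, and avoids the nested-comment breakage that follows if either body ever gains a `/* */` of its own. The same applies to the `IOCTL_REPEATED_WRITE` arm in wupserver/source/ipc.c (hunks at -136 and -191), where the `/*case ...` / `}*/` pair leaves a `switch` arm whose contents are easy to mistake for live code. The file also loses its trailing newline in this change (`\ No newline at end of file`).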
@@ -136,7 +138,7 @@ static int ipc_ioctl(ipcmessage *message)
 }
 break;
 }
- case IOCTL_REPEATED_WRITE:
+ /*case IOCTL_REPEATED_WRITE:
 {
 if(message->ioctl.length_in < 12)
 {
@@ -191,7 +193,7 @@ static int ipc_ioctl(ipcmessage *message)
 //! TODO: add syscall as on kern_read32
 res = IOS_ERROR_NOEXISTS;
 break;
- }
+ }*/
 //!--------------------------------------------------------------------------------------------------------------
 //! FSA handles for better performance
 //!--------------------------------------------------------------------------------------------------------------
@@ -414,10 +416,15 @@ static int ipc_ioctl(ipcmessage *message)
 message->ioctl.buffer_io[0] = FSA_ChangeMode(fd, path, mode);
 break;
 }
+ case IOCTL_CHECK_IF_IOSUHAX:
+ {
+ message->ioctl.buffer_io[0] = IOSUHAX_MAGIC_WORD;
+ break;
+ }
 default:
 res = IOS_ERROR_INVALID_ARG;
 break;
- }
+ }
 return res;
 }
diff --git a/installer/wupserver/source/ipc.h b/wupserver/source/ipc.h
similarity index 100%
rename from installer/wupserver/source/ipc.h
rename to wupserver/source/ipc.h
diff --git a/installer/wupserver/source/ipc_types.h b/wupserver/source/ipc_types.h
similarity index 100%
rename from installer/wupserver/source/ipc_types.h
rename to wupserver/source/ipc_types.h
diff --git a/installer/wupserver/source/svc.h b/wupserver/source/svc.h
similarity index 100%
rename from installer/wupserver/source/svc.h
rename to wupserver/source/svc.h
diff --git a/installer/wupserver/source/svc.s b/wupserver/source/svc.s
similarity index 100%
rename from installer/wupserver/source/svc.s
rename to wupserver/source/svc.s
diff --git a/installer/wupserver/source/types.h b/wupserver/source/types.h
similarity index 100%
rename from installer/wupserver/source/types.h
rename to wupserver/source/types.h
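Review bot: In the hunk at -414, the new `IOCTL_CHECK_IF_IOSUHAX` arm writes four bytes to `message->ioctl.buffer_io[0]` without first checking that the caller supplied an output buffer of at least that size, while the other handlers in this dispatcher validate their request sizes (e.g. `if(message->ioctl.length_in < 12)` in the `IOCTL_REPEATED_WRITE` arm above); a guard such as `if(<ioctl output-length field> < 4) { res = IOS_ERROR_INVALID_SIZE; break; }` before the store would keep the handler consistent with its neighbours — the exact field name is in ipc_types.h, which this diff only renames. A one-line comment on `IOSUHAX_MAGIC_WORD` (the bytes spell `Nice`) saying that clients read it back to detect a resident iosuhax would also document the new ioctl's purpose. `ipc_ioctl` starts outside the hunk.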