mirror of
https://github.com/wiiu-env/homebrew_launcher.git
synced 2025-02-17 13:06:20 +01:00
code i forgot to commit in may (haha)
This commit is contained in:
parent
0baf7cfa05
commit
e33c9894f1
@ -69,6 +69,7 @@ main: sd_loader.h
|
||||
clean:
|
||||
rm -rf $(build)
|
||||
rm -rf sd_loader.h
|
||||
make clean -C ../sd_loader
|
||||
|
||||
print_stats:
|
||||
@echo
|
||||
|
@ -128,28 +128,15 @@ SC_0x25_KernelCopyData:
|
||||
|
||||
.globl Syscall_0x36
|
||||
Syscall_0x36:
|
||||
mflr r0
|
||||
stwu r1, -0x10(r1)
|
||||
stw r30, 0x4(r1)
|
||||
stw r31, 0x8(r1)
|
||||
mr r5, r0
|
||||
mr r6, r1
|
||||
li r0, 0x3600
|
||||
sc
|
||||
nop
|
||||
mr r0, r5
|
||||
mr r1, r6
|
||||
lwz r30, 0x04(r1)
|
||||
lwz r31, 0x08(r1)
|
||||
addi r1, r1, 0x10
|
||||
mtlr r0
|
||||
blr
|
||||
|
||||
.globl KernelPatches
|
||||
KernelPatches:
|
||||
# store the old DBAT0
|
||||
mfdbatu r30, 0
|
||||
mfdbatl r31, 0
|
||||
mfdbatu r5, 0
|
||||
mfdbatl r6, 0
|
||||
|
||||
# memory barrier
|
||||
eieio
|
||||
@ -284,12 +271,12 @@ KernelPatches:
|
||||
isync
|
||||
|
||||
# restore DBAT 0 and return from interrupt
|
||||
mtdbatu 0, r30
|
||||
mtdbatl 0, r31
|
||||
mtdbatu 0, r5
|
||||
mtdbatl 0, r6
|
||||
|
||||
# memory barrier
|
||||
eieio
|
||||
isync
|
||||
|
||||
rfi
|
||||
blr
|
||||
|
||||
|
@ -21,7 +21,7 @@ void run_kexploit(private_data_t *private_data)
|
||||
|
||||
/* Exit functions */
|
||||
void (*__PPCExit)();
|
||||
void (*_Exit)();
|
||||
void (*_Exit)(int);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "__PPCExit", &__PPCExit);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit);
|
||||
|
||||
@ -40,14 +40,17 @@ void run_kexploit(private_data_t *private_data)
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "OSFreeToSystem", &OSFreeToSystem);
|
||||
|
||||
/* OS thread functions */
|
||||
bool (*OSCreateThread)(void *thread, void *entry, int argc, void *args, uint32_t *stack, uint32_t stack_size, int priority, uint16_t attr);
|
||||
bool (*OSCreateThread)(void *thread, void *entry, int argc, void *args, uint32_t stack, uint32_t stack_size, int priority, uint16_t attr);
|
||||
int (*OSResumeThread)(void *thread);
|
||||
void (*OSExitThread)();
|
||||
int (*OSIsThreadTerminated)(void *thread);
|
||||
void (*OSYieldThread)(void);
|
||||
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "OSYieldThread", &OSYieldThread);
|
||||
|
||||
/* OSDriver functions */
|
||||
uint32_t reg[] = {0x38003200, 0x44000002, 0x4E800020};
|
||||
@ -89,9 +92,9 @@ void run_kexploit(private_data_t *private_data)
|
||||
uint32_t kpaddr = KERN_HEAP_PHYS + STARTID_OFFSET;
|
||||
|
||||
/* Make a thread to modify the semaphore */
|
||||
OSContext *thread = (OSContext*)private_data->MEMAllocFromDefaultHeapEx(0x1000,8);
|
||||
uint32_t *stack = (uint32_t*)private_data->MEMAllocFromDefaultHeapEx(0xa0,0x20);
|
||||
if (!OSCreateThread(thread, (void*)0x11a1dd8, 0, NULL, stack + 0x28, 0xa0, 0, 0x1 | 0x8)) OSFatal("Failed to create thread");
|
||||
OSContext *thread = (OSContext*)private_data->MEMAllocFromDefaultHeapEx(0x1000, 8);
|
||||
uint32_t *stack = (uint32_t*)private_data->MEMAllocFromDefaultHeapEx(0xA0, 0x20);
|
||||
if (!OSCreateThread(thread, (void*)0x11a1dd8, 0, NULL, ((uint32_t)stack) + 0xA0, 0xA0, 0, 0x1 | 0x8)) OSFatal("Failed to create thread");
|
||||
|
||||
/* Set up the ROP chain */
|
||||
thread->gpr[1] = (uint32_t)stack;
|
||||
@ -117,22 +120,16 @@ void run_kexploit(private_data_t *private_data)
|
||||
|
||||
stack[0x94/4] = (uint32_t)OSExitThread;
|
||||
|
||||
DCFlushRange(thread, 0x1000);
|
||||
DCFlushRange(stack, 0x1000);
|
||||
|
||||
/* Start the thread */
|
||||
OSResumeThread(thread);
|
||||
|
||||
/* Wait for a while */
|
||||
while(OSIsThreadTerminated(thread) == 0)
|
||||
{
|
||||
asm volatile (
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
" nop\n"
|
||||
);
|
||||
OSYieldThread();
|
||||
}
|
||||
|
||||
/* Free stuff */
|
||||
|
@ -111,14 +111,14 @@ void __main(void)
|
||||
|
||||
/* Get our memory functions */
|
||||
unsigned int* functionPointer;
|
||||
void* (*memset)(void * dest, unsigned int value, unsigned int bytes);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "memset", &memset);
|
||||
void* (*p_memset)(void * dest, unsigned int value, unsigned int bytes);
|
||||
OSDynLoad_FindExport(coreinit_handle, 0, "memset", &p_memset);
|
||||
|
||||
private_data_t private_data;
|
||||
memset(&private_data, 0, sizeof(private_data_t));
|
||||
p_memset(&private_data, 0, sizeof(private_data_t));
|
||||
|
||||
private_data.coreinit_handle = coreinit_handle;
|
||||
private_data.memset = memset;
|
||||
private_data.memset = p_memset;
|
||||
private_data.data_elf = (unsigned char *) ___sd_loader_sd_loader_elf; // use this address as temporary to load the elf
|
||||
|
||||
OSDynLoad_FindExport(coreinit_handle, 1, "MEMAllocFromDefaultHeapEx", &functionPointer);
|
||||
@ -234,7 +234,7 @@ void __main(void)
|
||||
private_data.MEMFreeToDefaultHeap(stack);
|
||||
|
||||
//! we are done -> exit browser now
|
||||
private_data._Exit();
|
||||
private_data._Exit(0);
|
||||
}
|
||||
|
||||
void ExitFailure(private_data_t *private_data, const char *failure)
|
||||
@ -287,7 +287,7 @@ void ExitFailure(private_data_t *private_data, const char *failure)
|
||||
unsigned int t1 = 0x3FFFFFFF;
|
||||
while(t1--) asm volatile("nop");
|
||||
|
||||
private_data->_Exit();
|
||||
private_data->_Exit(0);
|
||||
}
|
||||
|
||||
/* *****************************************************************************
|
||||
|
@ -19,7 +19,7 @@ typedef struct {
|
||||
void (*MEMFreeToDefaultHeap)(void *ptr);
|
||||
void (*DCFlushRange)(const void *addr, unsigned int length);
|
||||
void (*ICInvalidateRange)(const void *addr, unsigned int length);
|
||||
void (*_Exit)(void);
|
||||
void (*_Exit)(int);
|
||||
|
||||
void* (*curl_easy_init)(void);
|
||||
void (*curl_easy_setopt)(void *handle, unsigned int param, const void *op);
|
||||
|
@ -136,8 +136,31 @@ for($i=0; $i<0x2000; $i+=4)//Old stuff, probably should be removed(testing is re
|
||||
$con.= pack("N*", 0x8495a6b4);
|
||||
}
|
||||
|
||||
header('HTTP/1.0 200 OK');
|
||||
header("Content-Type: video/mp4");
|
||||
header('Accept-Ranges: bytes');
|
||||
header('Content-Length: '.strlen($con));
|
||||
header("Content-Transfer-Encoding: binary\n");
|
||||
header('Connection: close');
|
||||
|
||||
// thanks to http://loadiine.ovh for finding this out
|
||||
// At this exact moment, WiiU is loading its video player according to "Content-Type: video/mp4"
|
||||
// When loaded too quickly, the video player can still freeze. So let's leave him 1 second to pop-up
|
||||
sleep(1);
|
||||
|
||||
//echo $con;
|
||||
|
||||
|
||||
do
|
||||
{
|
||||
$sub = substr($con, 0, 1024*16);
|
||||
$con = substr($con, 1024*16);
|
||||
|
||||
echo $sub;
|
||||
usleep(1000);
|
||||
$len = strlen($con);
|
||||
}
|
||||
while($len > 0);
|
||||
|
||||
echo $con;
|
||||
|
||||
?>
|
||||
|
Loading…
x
Reference in New Issue
Block a user