From 29928e206f8d28fce95f5a78847718b97317b7f9 Mon Sep 17 00:00:00 2001
From: Maschell
Date: Sat, 11 Nov 2017 15:47:46 +0100
Subject: [PATCH] Removed the kernel code. All stuff is already done by the kernel exploit
---
 source/kernel/kernel_defs.h | 11 --
 source/kernel/kernel_functions.c | 8 -
 source/kernel/kernel_functions.h | 16 --
 source/kernel/syscalls.c | 238 ------------------------------
 source/kernel/syscalls.h | 7 -
 source/kernel/syscalls_asm.s | 12 --
 source/utils/function_patcher.cpp | 2 -
 7 files changed, 294 deletions(-)
 delete mode 100644 source/kernel/kernel_functions.c
 delete mode 100644 source/kernel/kernel_functions.h
 delete mode 100644 source/kernel/syscalls.c
diff --git a/source/kernel/kernel_defs.h b/source/kernel/kernel_defs.h
index 17c6473..61fe2c4 100644
--- a/source/kernel/kernel_defs.h
+++ b/source/kernel/kernel_defs.h
@@ -98,17 +98,6 @@ typedef struct
 char rpx_name[FS_MAX_ENTNAME_SIZE]; // rpx name from cos.xml, length 256 as it can't get bigger from FS anyway
 } __attribute__((packed)) ReducedCosAppXmlInfo;
-typedef struct _bat_t
-{
- u32 h;
- u32 l;
-} bat_t;
-
-typedef struct _bat_table_t
-{
- bat_t bat[8];
-} bat_table_t;
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/source/kernel/kernel_functions.c b/source/kernel/kernel_functions.c
deleted file mode 100644
index 084d1b0..0000000
--- a/source/kernel/kernel_functions.c
+++ /dev/null
@@ -1,8 +0,0 @@
-#include
-#include "kernel_defs.h"
-#include "kernel_functions.h"
-#include "syscalls.h"
-
-void SetupKernelCallback(void){
- KernelSetupSyscalls();
-}
diff --git a/source/kernel/kernel_functions.h b/source/kernel/kernel_functions.h
deleted file mode 100644
index a37f3b0..0000000
--- a/source/kernel/kernel_functions.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef __KERNEL_FUNCTIONS_H_
-#define __KERNEL_FUNCTIONS_H_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "kernel_defs.h"
-
-void SetupKernelCallback(void);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // __KERNEL_FUNCTIONS_H_
diff --git a/source/kernel/syscalls.c b/source/kernel/syscalls.c
deleted file mode 100644
index 57bc2b8..0000000
--- a/source/kernel/syscalls.c
+++ /dev/null
@@ -1,238 +0,0 @@
-#include "kernel_defs.h"
-#include
-#include
-#include "utils/utils.h"
-#include "syscalls.h"
-
-extern void my_PrepareTitle_hook(void);
-
-static void KernelCopyData(u32 addr, u32 src, u32 len)
-{
- /*
- * Setup a DBAT access with cache inhibited to write through and read directly from memory
- */
- u32 dbatu0, dbatl0, dbatu1, dbatl1;
- // save the original DBAT value
- asm volatile("mfdbatu %0, 0" : "=r" (dbatu0));
- asm volatile("mfdbatl %0, 0" : "=r" (dbatl0));
- asm volatile("mfdbatu %0, 1" : "=r" (dbatu1));
- asm volatile("mfdbatl %0, 1" : "=r" (dbatl1));
-
- u32 target_dbatu0 = 0;
- u32 target_dbatl0 = 0;
- u32 target_dbatu1 = 0;
- u32 target_dbatl1 = 0;
-
- unsigned char *dst_p = (unsigned char*)addr;
- unsigned char *src_p = (unsigned char*)src;
-
- // we only need DBAT modification for addresses out of our own DBAT range
- // as our own DBAT is available everywhere for user and supervisor
- // since our own DBAT is on DBAT5 position we don't collide here
- if(addr < 0x00800000 || addr >= 0x01000000)
- {
- target_dbatu0 = (addr & 0x00F00000) | 0xC0000000 | 0x1F;
- target_dbatl0 = (addr & 0xFFF00000) | 0x32;
- asm volatile("mtdbatu 0, %0" : : "r" (target_dbatu0));
- asm volatile("mtdbatl 0, %0" : : "r" (target_dbatl0));
- dst_p = (unsigned char*)((addr & 0xFFFFFF) | 0xC0000000);
- }
- if(src < 0x00800000 || src >= 0x01000000)
- {
- target_dbatu1 = (src & 0x00F00000) | 0xB0000000 | 0x1F;
- target_dbatl1 = (src & 0xFFF00000) | 0x32;
-
- asm volatile("mtdbatu 1, %0" : : "r" (target_dbatu1));
- asm volatile("mtdbatl 1, %0" : : "r" (target_dbatl1));
- src_p = (unsigned char*)((src & 0xFFFFFF) | 0xB0000000);
- }
-
- asm volatile("eieio; isync");
-
- u32 i;
- for(i = 0; i < len; i++)
- {
- // if we are on the edge to next chunk
- if((target_dbatu0 != 0) && (((u32)dst_p & 0x00F00000) != (target_dbatu0 & 0x00F00000)))
- {
- target_dbatu0 = ((addr + i) & 0x00F00000) | 0xC0000000 | 0x1F;
- target_dbatl0 = ((addr + i) & 0xFFF00000) | 0x32;
- dst_p =
(unsigned char*)(((addr + i) & 0xFFFFFF) | 0xC0000000);
- asm volatile("eieio; isync");
- asm volatile("mtdbatu 0, %0" : : "r" (target_dbatu0));
- asm volatile("mtdbatl 0, %0" : : "r" (target_dbatl0));
- asm volatile("eieio; isync");
- }
- if((target_dbatu1 != 0) && (((u32)src_p & 0x00F00000) != (target_dbatu1 & 0x00F00000)))
- {
- target_dbatu1 = ((src + i) & 0x00F00000) | 0xB0000000 | 0x1F;
- target_dbatl1 = ((src + i) & 0xFFF00000) | 0x32;
- src_p = (unsigned char*)(((src + i) & 0xFFFFFF) | 0xB0000000);
-
- asm volatile("eieio; isync");
- asm volatile("mtdbatu 1, %0" : : "r" (target_dbatu1));
- asm volatile("mtdbatl 1, %0" : : "r" (target_dbatl1));
- asm volatile("eieio; isync");
- }
-
- *dst_p = *src_p;
-
- ++dst_p;
- ++src_p;
- }
-
- /*
- * Restore original DBAT value
- */
- asm volatile("eieio; isync");
- asm volatile("mtdbatu 0, %0" : : "r" (dbatu0));
- asm volatile("mtdbatl 0, %0" : : "r" (dbatl0));
- asm volatile("mtdbatu 1, %0" : : "r" (dbatu1));
- asm volatile("mtdbatl 1, %0" : : "r" (dbatl1));
- asm volatile("eieio; isync");
-}
-
-static void KernelReadDBATs(bat_table_t * table)
-{
- u32 i = 0;
-
- asm volatile("eieio; isync");
-
- asm volatile("mfspr %0, 536" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 537" : "=r" (table->bat[i].l));
- i++;
- asm volatile("mfspr %0, 538" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 539" : "=r" (table->bat[i].l));
- i++;
- asm volatile("mfspr %0, 540" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 541" : "=r" (table->bat[i].l));
- i++;
- asm volatile("mfspr %0, 542" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 543" : "=r" (table->bat[i].l));
- i++;
-
- asm volatile("mfspr %0, 568" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 569" : "=r" (table->bat[i].l));
- i++;
- asm volatile("mfspr %0, 570" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 571" : "=r" (table->bat[i].l));
- i++;
- asm volatile("mfspr %0, 572" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 573" : "=r"
(table->bat[i].l));
- i++;
- asm volatile("mfspr %0, 574" : "=r" (table->bat[i].h));
- asm volatile("mfspr %0, 575" : "=r" (table->bat[i].l));
-}
-
-static void KernelWriteDBATs(bat_table_t * table)
-{
- u32 i = 0;
-
- asm volatile("eieio; isync");
-
- asm volatile("mtspr 536, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 537, %0" : : "r" (table->bat[i].l));
- i++;
- asm volatile("mtspr 538, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 539, %0" : : "r" (table->bat[i].l));
- i++;
- asm volatile("mtspr 540, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 541, %0" : : "r" (table->bat[i].l));
- i++;
- asm volatile("mtspr 542, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 543, %0" : : "r" (table->bat[i].l));
- i++;
-
- asm volatile("mtspr 568, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 569, %0" : : "r" (table->bat[i].l));
- i++;
- asm volatile("mtspr 570, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 571, %0" : : "r" (table->bat[i].l));
- i++;
- asm volatile("mtspr 572, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 573, %0" : : "r" (table->bat[i].l));
- i++;
- asm volatile("mtspr 574, %0" : : "r" (table->bat[i].h));
- asm volatile("mtspr 575, %0" : : "r" (table->bat[i].l));
-
- asm volatile("eieio; isync");
-}
-
-/* Read a 32-bit word with kernel permissions */
-uint32_t __attribute__ ((noinline)) kern_read(const void *addr)
-{
- uint32_t result;
- asm volatile (
- "li 3,1\n"
- "li 4,0\n"
- "li 5,0\n"
- "li 6,0\n"
- "li 7,0\n"
- "lis 8,1\n"
- "mr 9,%1\n"
- "li 0,0x3400\n"
- "mr %0,1\n"
- "sc\n"
- "nop\n"
- "mr 1,%0\n"
- "mr %0,3\n"
- : "=r"(result)
- : "b"(addr)
- : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
- "11", "12"
- );
-
- return result;
-}
-
-/* Write a 32-bit word with kernel permissions */
-void __attribute__ ((noinline)) kern_write(void *addr, uint32_t value)
-{
- asm volatile (
- "li 3,1\n"
- "li 4,0\n"
- "mr 5,%1\n"
- "li 6,0\n"
- "li 7,0\n"
- "lis 8,1\n"
- "mr 9,%0\n"
- "mr
%1,1\n"
- "li 0,0x3500\n"
- "sc\n"
- "nop\n"
- "mr 1,%1\n"
- :
- : "r"(addr), "r"(value)
- : "memory", "ctr", "lr", "0", "3", "4", "5", "6", "7", "8", "9", "10",
- "11", "12"
- );
-}
-
-void KernelSetupSyscalls(void)
-{
- //! assign 1 so that this variable gets into the retained .data section
- static uint8_t ucSyscallsSetupRequired = 1;
- if(!ucSyscallsSetupRequired)
- return;
-
- ucSyscallsSetupRequired = 0;
-
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl1 + (0x36 * 4)), (u32)KernelReadDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl2 + (0x36 * 4)), (u32)KernelReadDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl3 + (0x36 * 4)), (u32)KernelReadDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl4 + (0x36 * 4)), (u32)KernelReadDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl5 + (0x36 * 4)), (u32)KernelReadDBATs);
-
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl1 + (0x37 * 4)), (u32)KernelWriteDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl2 + (0x37 * 4)), (u32)KernelWriteDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl3 + (0x37 * 4)), (u32)KernelWriteDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl4 + (0x37 * 4)), (u32)KernelWriteDBATs);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl5 + (0x37 * 4)), (u32)KernelWriteDBATs);
-
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl1 + (0x25 * 4)), (u32)KernelCopyData);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl2 + (0x25 * 4)), (u32)KernelCopyData);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl3 + (0x25 * 4)), (u32)KernelCopyData);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl4 + (0x25 * 4)), (u32)KernelCopyData);
- kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl5 + (0x25 * 4)), (u32)KernelCopyData);
-}
diff --git a/source/kernel/syscalls.h b/source/kernel/syscalls.h
index 9a51d72..2af3d56 100644
--- a/source/kernel/syscalls.h
+++ b/source/kernel/syscalls.h
@@ -7,14 +7,7 @@ extern "C" {
 #include "kernel_defs.h"
-void KernelSetupSyscalls(void);
-
 void SC0x25_KernelCopyData(u32 addr, u32 src, u32 len);
-void SC0x36_KernelReadDBATs(bat_table_t * table);
-void SC0x37_KernelWriteDBATs(bat_table_t * table);
-
-uint32_t __attribute__ ((noinline)) kern_read(const void *addr);
-void __attribute__ ((noinline)) kern_write(void *addr, uint32_t value);
 #ifdef __cplusplus
 }
diff --git a/source/kernel/syscalls_asm.s b/source/kernel/syscalls_asm.s
index 60bf1fa..29afb19 100644
--- a/source/kernel/syscalls_asm.s
+++ b/source/kernel/syscalls_asm.s
@@ -1,18 +1,6 @@
 # Created by dimok
 # Syscalls for kernel that we use
- .globl SC0x36_KernelReadDBATs
-SC0x36_KernelReadDBATs:
- li r0, 0x3600
- sc
- blr
-
- .globl SC0x37_KernelWriteDBATs
-SC0x37_KernelWriteDBATs:
- li r0, 0x3700
- sc
- blr
-
 .globl SC0x25_KernelCopyData
 SC0x25_KernelCopyData:
 li r0, 0x2500
diff --git a/source/utils/function_patcher.cpp b/source/utils/function_patcher.cpp
index de2ae36..187e303 100644
--- a/source/utils/function_patcher.cpp
+++ b/source/utils/function_patcher.cpp
@@ -25,7 +25,6 @@
 #include "function_patcher.h"
 #include "logger.h"
 #include "kernel/kernel_defs.h"
-#include "kernel/kernel_functions.h"
 #include "kernel/syscalls.h"
 #define LIB_CODE_RW_BASE_OFFSET 0xC1000000
@@ -57,7 +56,6 @@ u32 vpadbase_handle_internal = 0;
 * "normal" functions should be patch with the normal patcher. Current Code by Maschell with the help of dimok. Orignal code by Chadderz.
 */
 void PatchInvidualMethodHooks(hooks_magic_t method_hooks[],s32 hook_information_size, volatile u32 dynamic_method_calls[]){
- SetupKernelCallback(); //Patch Kernel. Just to be sure.
 InitAcquireOS();
 resetLibs();