diff --git a/Makefile b/Makefile
index d9920c0..65f82d3 100644
--- a/Makefile
+++ b/Makefile
@@ -53,6 +53,7 @@ all: FORCE .version
 $(Q)$(MAKE) -C twilight
 $(Q)$(MAKE) -C lego
 $(Q)$(MAKE) -C batman
+ $(Q)$(MAKE) -C lsw
 FORCE:
@@ -62,3 +63,4 @@ clean:
 $(MAKE) -C twilight clean
 $(MAKE) -C lego clean
 $(MAKE) -C batman clean
+ $(MAKE) -C lsw clean
diff --git a/lsw/.gitignore b/lsw/.gitignore
new file mode 100644
index 0000000..7b626cd
--- /dev/null
+++ b/lsw/.gitignore
@@ -0,0 +1,5 @@
+rlg?.bin
+FILE_V28
+exploit.bin
+exploit.elf
+title.bin
diff --git a/lsw/Makefile b/lsw/Makefile
new file mode 100644
index 0000000..60e345f
--- /dev/null
+++ b/lsw/Makefile
@@ -0,0 +1,127 @@
+# Copyright 2008-2009 Segher Boessenkool
+# Copyright 2011 roto
+# Copyright 2011 Bernhard Urban
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+ CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+ LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+ Q :=
+else
+ Q := @
+ MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rlge.bin rlgp.bin rlgj.bin
+
+ppms := $(targets:%.bin=%-icon.ppm) generic-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+define twintig
+ D=$(call titleid,$(1)); \
+ $(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+ @echo " TWINTIG $@"
+ $(Q)$(call twintig,$*)
+
+FILE_V28: head.bin exploit.bin $(loader)
+ @echo " LEGOSTACK $@"
+ $(Q)./pack.sh $@ $^
+ $(Q)$(TOOLS)/lego-cksum $@ 32380 #32328 #32688
+
+head.bin: head.elf
+ @echo " OBJCOPY $@"
+ $(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.bin: exploit.elf
+ @echo " OBJCOPY $@"
+ $(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.elf: lego.lds exploit.o
+ @echo " LINK $@"
+ $(Q)$(LD) -T $^ -o $@
+
+head.elf: head.o
+ @echo " LINK $@"
+ $(Q)$(LD) -e 0 $< -o $@
+
+exploit.o: exploit.s
+ @echo " ASSEMBLE $@"
+ $(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+head.o: head.s head.b exploit2.s exploit.bin
+ @echo " ASSEMBLE $@"
+ $(Q)$(CC) $(CFLAGS) \
+ -Wa,--defsym,exploitlen=$(shell wc -c exploit.bin | awk '{ print $$1 }') \
+ -c $< -o $@
+
+title.bin: ../.version
+ @echo " TITLEBIN $@"
+ $(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+ $(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+ @echo " PPM $@"
+ $(Q)convert $< $@
+
+zero16k:
+ $(Q)dd if=/dev/zero bs=18256 count=1 2>/dev/null > $@
+#17332
+#16384
+FAILURE:
+ $(Q)echo FAILURE > $@
+
+$(loader): FORCE
+ $(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+ -rm -f $(targets) FILE_V28
+ -rm -f exploit.bin exploit.elf exploit.o
+ -rm -f head.bin head.elf head.o
+ -rm -f title.bin
diff --git a/lsw/README b/lsw/README
new file mode 100644
index 0000000..060c267
--- /dev/null
+++ b/lsw/README
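Review bot: The FILE_V28 rule writes its target twice in place (`$(Q)./pack.sh $@ $^` and then `$(Q)$(TOOLS)/lego-cksum $@ 32380`), so if lego-cksum fails the packed-but-unchecksummed FILE_V28 keeps its fresh timestamp and the next `make` treats it as up to date; adding `.DELETE_ON_ERROR:` near the top of the file closes that for every rule here. `all` and `clean` are not declared phony, so a stray file named `clean` would silently disable the rule; `.PHONY: all clean` fixes it. The `zero16k` and `FAILURE` targets and the commented-out values `#17332`, `#16384` and `#32328 #32688` are referenced by nothing else in the file and read as leftovers; a comment explaining what the lego-cksum argument `32380` is, or removal of the dead alternatives, would help the next maintainer. `CFLAGS :=` also carries the flags the build cannot do without (`-ffreestanding -mno-eabi -mcpu=750`), so a user's `make CFLAGS=-g` drops them; keeping those in a separate variable that the recipes combine with `$(CFLAGS)` would be safer.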
@@ -0,0 +1,41 @@
+Copyright 2011 roto
+Copyright 2011 Bernhard Urban
+Copyright 2008-2009 Segher Boessenkool
+Copyright 2008 Haxx Enterprises
+Copyright 2008 Hector Martin "marcan"
+Copyright 2003-2004 Felix Domke
+
+This code is licensed to you under the terms of the GNU GPL, version 2;
+see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+Console font created by Freddy Leitner [www.dreamer.de], based on
+the Droid Sans Mono font [www.droidfonts.com].
+
+--
+
+This is the Lego Star Wars exploit known as "Return of the Jodi". This exploit
+works on all versions of the game (including 1.01) in all regions that are
+currently known to have a release.
+
+Instructions:
+
+1. Copy the save to your SD card.
+2. Put a "boot.elf" (such as the HackMii installer or Homebrew Channel) into the
+ ROOT of your SD card (not into any folder).
+3. Copy the save to your Wii system, make sure you have a save for this game
+ already on your system, otherwise you won't be able to copy the exploit
+ save over.
+4. Start up the game, load the first save slot (on the left, at 0.0%)
+5. As soon as the level loads, run to the right and you'll see two characters
+ floating. Run to the area in front of them and you'll see "Return of Jodi"
+ show up, press the "A" button on your Wiimote and your boot.elf will run!
+
+
+Credits:
+Team Twiizers - Original LIJ release, source, savezelda (and many other things).
+roto - Developing and testing this exploit.
+lewurm - Cleaning up, fixing bugs, testing.
+drmr - Awesome banner/icons!
+
+Thanks:
+Everyone!
diff --git a/lsw/exploit.s b/lsw/exploit.s
new file mode 100644
index 0000000..f5b6bbd
--- /dev/null
+++ b/lsw/exploit.s
@@ -0,0 +1,38 @@
+# Copyright 2008-2009 Segher Boessenkool
+# Copyright 2011 roto
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+ .section .start,"ax"
+
+start:
+ # Set up a stack frame.
+ lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+ # Stop audio and video.
+ lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+ lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+
+ # Move code into place; a generous 32kB, starting at 64kB in
+ # the save file.
+
+ # Load address where we're going to move our exploit code to
+ # (0x90000020) into R03
+ lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+
+ # Load the address for the beginning of our save data
+ # (0x91168ea0) into R04
+ lis 4,save@h ; ori 4,4,save@l ; addi 4,4,-4
+
+ addis 4,4,1 ; addi 4,4,end-start
+ li 0,0x2000 ; mtctr 0
+0: lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+
+ # Sync caches on it.
+ li 0,0x0400 ; mtctr 0 ; mr 5,3
+0: dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+ sync ; isync
+
+ # Jump to 0x90000020 and go for it!
+ mtctr 3 ; bctr
+end:
diff --git a/lsw/exploit2.s b/lsw/exploit2.s
new file mode 100644
index 0000000..a845958
--- /dev/null
+++ b/lsw/exploit2.s
@@ -0,0 +1,57 @@
+# Copyright 2008-2009 Segher Boessenkool
+# Copyright 2011 roto
+# Copyright 2011 Bernhard Urban
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+ bptr = 0x91178ea0
+ save = 0x91177f40
+ main = 0x90000020
+
+ audio_stop_usa = 0x8038ce9c
+ video_stop_usa = 0x8039971c
+
+ audio_stop_eur = 0x8038cfec
+ video_stop_eur = 0x80399708
+
+ audio_stop_data = 0x9421fff0 # stwu 1,-16(1)
+ video_stop_data = 0x9421ffe0 # stwu 1,-32(1)
+
+ # Set up a stack frame.
+ lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+ # Stop audio.
+ lis 10,audio_stop_data@h ; ori 10,10,audio_stop_data@l
+ lis 3,audio_stop_usa@h ; ori 3,3,audio_stop_usa@l; lwz 5,0(3)
+ cmpw 5,10 ; beq execa
+ lis 3,audio_stop_eur@h ; ori 3,3,audio_stop_eur@l
+execa:
+ mtctr 3 ; bctrl
+
+ # Stop video.
+ lis 10,video_stop_data@h ; ori 10,10,video_stop_data@l
+ lis 3,video_stop_usa@h ; ori 3,3,video_stop_usa@l; lwz 5,0(3)
+ cmpw 5,10 ; beq execv
+ lis 3,video_stop_eur@h ; ori 3,3,video_stop_eur@l
+execv:
+ mtctr 3 ; bctrl
+
+ # Move code into place; a generous 32kB, starting at 64kB in
+ # the save file.
+ lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+ lis 4,save@h ; ori 4,4,save@l ; addi 4,4,-4
+
+ addis 4,4,1 ; addi 4,4,exploitlen # offset for exploit.bin
+
+ li 0,0x2000 ; mtctr 0
+loop1:
+ lwzu 0,4(4) ; stwu 0,4(5) ; bdnz loop1
+
+ # Sync caches on it.
+ li 0,0x0400 ; mtctr 0 ; mr 5,3
+loop2:
+ dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz loop2
+ sync ; isync
+
+ # Go for it!
+ mtctr 3 ; bctr
diff --git a/lsw/generic-banner.png b/lsw/generic-banner.png
new file mode 100644
index 0000000..870b6bb
Binary files /dev/null and b/lsw/generic-banner.png differ
diff --git a/lsw/generic-banner.ppm b/lsw/generic-banner.ppm
new file mode 100644
index 0000000..bfe9257
Binary files /dev/null and b/lsw/generic-banner.ppm differ
diff --git a/lsw/head.b b/lsw/head.b
new file mode 100755
index 0000000..cae261d
Binary files /dev/null and b/lsw/head.b differ
diff --git a/lsw/head.s b/lsw/head.s
new file mode 100644
index 0000000..6670b80
--- /dev/null
+++ b/lsw/head.s
@@ -0,0 +1,43 @@
+# Copyright 2011 roto
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+ bptr = 0x91178ea0
+
+0:
+ # Part of the savefile
+ .long 0x00000001, 0x00000000, 0x00000000, 0x00000000
+ .long 0x00000000, 0x00000013, 0x0000000d, 0x00000000
+ .long 0x00000002, 0x00000000, 0x000007db, 0x00000000
+ .long 0x00000001, 0x0000029e, 0x0000019d, 0x00050000
+ .long 0x01010008, 0x060a0100, 0x00000001, 0x00000000
+ .long 0x00000000, 0x00000000, 0x00000000, 0x00000000
+
+ # Filler
+ .fill 0xF60 - (. - 0b)
+
+exploitv2:
+ # This is necessary for the 2nd exploit (first release) of LSW
+ .include "exploit2.s"
+
+ # More filler
+ .fill 0x7860 - (. - 0b)
+
+ # Insert rest of the save
+ .incbin "head.b"
+
+ # Smack the stack.
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+ .long 0x11111111
+
+ # Depending on the version we jump now to exploit.s or to "exploit2v:"
+ .long 0x11111111, bptr, 0x11111111, 0x11111111
+
+ .fill 0x10000 - (. - 0b)
diff --git a/lsw/lego.lds b/lsw/lego.lds
new file mode 100644
index 0000000..1718044
--- /dev/null
+++ b/lsw/lego.lds
@@ -0,0 +1,26 @@
+/* Copyright 2008-2009 Segher Boessenkool
+ This code is licensed to you under the terms of the GNU GPL, version 2;
+ see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+ audio_stop = 0x8038ce90;
+ video_stop = 0x80399708;
+
+ save = 0x91168ea0;
+ bptr = 0x91178ea0;
+
+ main = 0x90000020;
+
+ .twilight save :
+ {
+ rli*.o(.start)
+ *(.text)
+ *(.rodata .rodata.*)
+ *(.data)
+ *(.bss)
+ /* . = 0x0a94; */
+ }
+}
diff --git a/lsw/make-title-bin.pl b/lsw/make-title-bin.pl
new file mode 100755
index 0000000..4bcc5d7
--- /dev/null
+++ b/lsw/make-title-bin.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+ my $x = shift;
+ chomp $x;
+ $x .= "\0" x 32;
+ $x = substr $x, 0, 32;
+ $x =~ s/(.)/\0$1/g;
+
+ print $x;
+}
+
+$name = "Return of the Jodi";
+$version = `cat ../.version`;
+
+printline $name;
+printline $version;
diff --git a/lsw/pack.sh b/lsw/pack.sh
new file mode 100755
index 0000000..57a388b
--- /dev/null
+++ b/lsw/pack.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET
diff --git a/lsw/rlge-icon.png b/lsw/rlge-icon.png
new file mode 100644
index 0000000..222c293
Binary files /dev/null and b/lsw/rlge-icon.png differ
diff --git a/lsw/rlge-icon.ppm b/lsw/rlge-icon.ppm
new file mode 100644
index 0000000..0b55e59
Binary files /dev/null and b/lsw/rlge-icon.ppm differ
diff --git a/lsw/rlgj-icon.png b/lsw/rlgj-icon.png
new file mode 100644
index 0000000..cc0edc0
Binary files /dev/null and b/lsw/rlgj-icon.png differ
diff --git a/lsw/rlgj-icon.ppm b/lsw/rlgj-icon.ppm
new file mode 100644
index 0000000..6388419
Binary files /dev/null and b/lsw/rlgj-icon.ppm differ
diff --git a/lsw/rlgp-icon.png b/lsw/rlgp-icon.png
new file mode 100644
index 0000000..706e616
Binary files /dev/null and b/lsw/rlgp-icon.png differ
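Review bot: The backtick `cat ../.version` call in make-title-bin.pl shells out for a one-line read and ignores failure: when ../.version is missing, cat's error goes to stderr but the script still prints a title block with an empty version and exits 0, so the Makefile's title.bin rule succeeds with a wrong file. Reading the file from Perl makes that fatal: `open my $fh, '<', '../.version' or die "cannot read ../.version: $!"; my $version = <$fh>;`. The script also lacks `use strict; use warnings;`, so `$name` and `$version` are silent package globals. A short header comment stating what printline emits (the argument padded or truncated to 32 bytes, then each byte preceded by a NUL, giving a 64-byte field) would save the next reader from reverse-engineering the substr/regex pair.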
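Review bot: In pack.sh both `$*` and `$TARGET` are unquoted and the argument count is never checked, so an input path containing whitespace or glob characters is re-split, and a missing first argument is only caught by bash's "ambiguous redirect" on `> $TARGET`. Suggest `set -euo pipefail` after the shebang, `[ $# -ge 2 ] || { echo "usage: $0 TARGET FILE..." >&2; exit 1; }`, and `cat "$@" /dev/zero | dd bs=1024 count=128 2>/dev/null > "$TARGET"`. With pipefail a nonexistent input makes the pipeline fail instead of cat's error being masked by the `/dev/zero` tail, which otherwise yields a 128 KiB image of zeros that the Makefile's FILE_V28 rule accepts as a successful build.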
diff --git a/lsw/rlgp-icon.ppm b/lsw/rlgp-icon.ppm
new file mode 100644
index 0000000..4fb2024
Binary files /dev/null and b/lsw/rlgp-icon.ppm differ
diff --git a/lsw/titleid.pl b/lsw/titleid.pl
new file mode 100755
index 0000000..f735f1d
--- /dev/null
+++ b/lsw/titleid.pl
@@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];
diff --git a/lsw/toc-rlge b/lsw/toc-rlge
new file mode 100644
index 0000000..3d42533
--- /dev/null
+++ b/lsw/toc-rlge
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlge-icon.ppm
+FILE_V28 FILE_V28
diff --git a/lsw/toc-rlgj b/lsw/toc-rlgj
new file mode 100644
index 0000000..7f52ef8
--- /dev/null
+++ b/lsw/toc-rlgj
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlgj-icon.ppm
+FILE_V28 FILE_V28
diff --git a/lsw/toc-rlgp b/lsw/toc-rlgp
new file mode 100644
index 0000000..bf2a58e
--- /dev/null
+++ b/lsw/toc-rlgp
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlgp-icon.ppm
+FILE_V28 FILE_V28
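Review bot: titleid.pl assumes `$ARGV[0]` is present; with no argument it prints just `00010000` and exits 0, and the Makefile's `twintig` macro would pass that truncated id straight to `$(TOOLS)/twintig` without noticing. A guard at the top, `die "usage: $0 STEM\n" unless defined $ARGV[0] && length $ARGV[0];`, makes the failure visible at build time. A one-line comment stating the output format (the fixed prefix `00010000` followed by the upper-cased bytes of the stem as two-digit hex) would also spare the next reader a trip through the Makefile to see how the result is used.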