175 lines
3.7 KiB
ArmAsm
175 lines
3.7 KiB
ArmAsm
# This stuff may need a change in different kernel versions
|
|
# This is only needed when launched directly through browser and not SD card.
|
|
|
|
.section ".kernel_code"
|
|
.globl SaveAndResetDataBATs_And_SRs_hook
|
|
SaveAndResetDataBATs_And_SRs_hook:
|
|
# setup CTR to the position we need to return to
|
|
mflr r5
|
|
mtctr r5
|
|
# set link register to its original value
|
|
mtlr r7
|
|
# setup us a nice DBAT for our code data with same region as our code
|
|
mfspr r5, 560
|
|
mtspr 570, r5
|
|
mfspr r5, 561
|
|
mtspr 571, r5
|
|
# restore the original kernel instructions that we replaced
|
|
lwz r5, 0x34(r3)
|
|
lwz r6, 0x38(r3)
|
|
lwz r7, 0x3C(r3)
|
|
lwz r8, 0x40(r3)
|
|
lwz r9, 0x44(r3)
|
|
lwz r10, 0x48(r3)
|
|
lwz r11, 0x4C(r3)
|
|
lwz r3, 0x50(r3)
|
|
isync
|
|
mtsr 7, r5
|
|
# jump back to the position in kernel after our patch (from LR)
|
|
bctr
|
|
|
|
.extern my_PrepareTitle
|
|
.globl my_PrepareTitle_hook
|
|
my_PrepareTitle_hook:
|
|
# store all registers on stack to avoid issues with the call to C functions
|
|
stwu r1, -0x90(r1)
|
|
# registers for our own usage
|
|
# only need r31 and rest is from tests before, just leaving it for later tests
|
|
stw r28, 0x20(r1)
|
|
stw r29, 0x24(r1)
|
|
stw r30, 0x28(r1)
|
|
stw r31, 0x2C(r1)
|
|
|
|
stw r3, 0x30(r1)
|
|
stw r4, 0x34(r1)
|
|
stw r5, 0x38(r1)
|
|
stw r6, 0x3C(r1)
|
|
stw r7, 0x40(r1)
|
|
stw r8, 0x44(r1)
|
|
stw r9, 0x48(r1)
|
|
stw r10, 0x4C(r1)
|
|
stw r11, 0x50(r1)
|
|
stw r12, 0x54(r1)
|
|
stw r13, 0x58(r1)
|
|
stw r14, 0x5C(r1)
|
|
stw r15, 0x60(r1)
|
|
stw r16, 0x64(r1)
|
|
stw r17, 0x68(r1)
|
|
stw r18, 0x6C(r1)
|
|
stw r19, 0x70(r1)
|
|
stw r20, 0x74(r1)
|
|
stw r21, 0x78(r1)
|
|
stw r22, 0x7C(r1)
|
|
|
|
# save original DBAT registers
|
|
mfdbatu r28, 0
|
|
mfdbatl r29, 0
|
|
|
|
# setup access to our data memory range
|
|
lis r3, 0xC000
|
|
ori r3, r3, 0x1FFF
|
|
mtdbatu 0, r3
|
|
lis r3, 0x3000
|
|
ori r3, r3, 0x0012
|
|
mtdbatl 0, r3
|
|
|
|
# memory barrier
|
|
eieio
|
|
isync
|
|
|
|
# save the LR from where we came
|
|
mflr r31
|
|
|
|
# the cos.xml/app.xml structure is at the location 0x68 of r11
|
|
# there are actually many places that can be hooked for it
|
|
# e.g. 0xFFF16130 and r27 points to this structure
|
|
addi r3, r11, 0x68
|
|
|
|
bl my_PrepareTitle
|
|
|
|
# restore original DBAT registers
|
|
mtdbatu 0, r28
|
|
mtdbatl 0, r29
|
|
|
|
# memory barrier
|
|
eieio
|
|
isync
|
|
|
|
# setup LR to jump back to kernel code
|
|
mtlr r31
|
|
|
|
# restore all original values of registers from stack
|
|
lwz r28, 0x20(r1)
|
|
lwz r29, 0x24(r1)
|
|
lwz r30, 0x28(r1)
|
|
lwz r31, 0x2C(r1)
|
|
|
|
lwz r3, 0x30(r1)
|
|
lwz r4, 0x34(r1)
|
|
lwz r5, 0x38(r1)
|
|
lwz r6, 0x3C(r1)
|
|
lwz r7, 0x40(r1)
|
|
lwz r8, 0x44(r1)
|
|
lwz r9, 0x48(r1)
|
|
lwz r10, 0x4C(r1)
|
|
lwz r11, 0x50(r1)
|
|
lwz r12, 0x54(r1)
|
|
lwz r13, 0x58(r1)
|
|
lwz r14, 0x5C(r1)
|
|
lwz r15, 0x60(r1)
|
|
lwz r16, 0x64(r1)
|
|
lwz r17, 0x68(r1)
|
|
lwz r18, 0x6C(r1)
|
|
lwz r19, 0x70(r1)
|
|
lwz r20, 0x74(r1)
|
|
lwz r21, 0x78(r1)
|
|
lwz r22, 0x7C(r1)
|
|
|
|
# restore the stack
|
|
addi r1, r1, 0x90
|
|
|
|
# restore original instruction that we replaced in the kernel
|
|
clrlwi r7, r12, 0
|
|
|
|
# jump back
|
|
blr
|
|
|
|
.globl injectBAT
|
|
injectBAT:
|
|
#Set dbat6u
|
|
#lis r3, 0x000000FF@h
|
|
#ori r3, r3, 0x000000FF@l
|
|
#mtspr 1, r3
|
|
#set dbat6l
|
|
#lis r3, 0x30000012@h
|
|
#ori r3, r3, 0x30000012@l
|
|
#mtspr 2, r3
|
|
#Set ibat6u
|
|
#lis r3, 0x000000FF@h
|
|
#ori r3, r3, 0x000000FF@l
|
|
#mtspr 3, r3
|
|
#set ibat6l
|
|
lis r3, 0x2ff09C00@h
|
|
ori r3, r3, 0x2ff09C00@l
|
|
mtspr 4, r3
|
|
rfi
|
|
|
|
.globl RunSyscall36
|
|
RunSyscall36:
|
|
mflr r0
|
|
stwu r1, -0x10(r1)
|
|
stw r30, 0x4(r1)
|
|
stw r31, 0x8(r1)
|
|
mr r5, r0
|
|
mr r6, r1
|
|
li r0, 0x3600
|
|
sc
|
|
nop
|
|
mr r0, r5
|
|
mr r1, r6
|
|
lwz r30, 0x04(r1)
|
|
lwz r31, 0x08(r1)
|
|
addi r1, r1, 0x10
|
|
mtlr r0
|
|
blr
|