From 4b56cb4cd08f9e8701c2f283a55057eb2102f76e Mon Sep 17 00:00:00 2001 From: orboditilt <45944072+orboditilt@users.noreply.github.com> Date: Wed, 23 Jan 2019 21:10:08 +0100 Subject: [PATCH] - Improve makefile to compile/build/download only when needed. - Add support for getting gadgets from gx2.rpl - Add some new rop address to be searched --- Makefile | 37 ++++++++++++++----- wiiuhaxx_locaterop.sh | 28 ++++++++++---- ...rop_script => wiiuhaxx_locaterop_script_ci | 2 + wiiuhaxx_locaterop_script_gx2 | 1 + 4 files changed, 50 insertions(+), 18 deletions(-) rename wiiuhaxx_locaterop_script => wiiuhaxx_locaterop_script_ci (82%) create mode 100644 wiiuhaxx_locaterop_script_gx2 diff --git a/Makefile b/Makefile index 3a5ad6a..5466139 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,9 @@ DEFINES := COREINIT_PATH := tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl COREINIT_PATH_ELF := $(COREINIT_PATH).elf +GX2_PATH := tmp/$(FIRMWARE)/000500101000400A/code/gx2.rpl +GX2_PATH_ELF := $(GX2_PATH).elf + ifeq ($(OS),Windows_NT) exe_ext := .exe else @@ -33,26 +36,40 @@ endif all: loader locateall -loader: +loader: wiiuhaxx_loader.bin wiiuhaxx_searcher.bin + +wiiuhaxx_loader.bin: wiiuhaxx_loader.s $(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s $(OBJCOPY) -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin - + +wiiuhaxx_searcher.bin: wiiuhaxx_searcher.s $(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_searcher.elf wiiuhaxx_searcher.s $(OBJCOPY) -O binary wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin locateall: locate532 locate550 locate532: - java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 11464 -out tmp/532 - make locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400 - + make locatespecific FIRMWARE=532 OS_VERSION=11464 TEXTADDRESS_COREINIT=0x0101c400 TEXTADDRESS_GX2=0x0101c400 + locate550: - java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 15702 -out tmp/550 - make locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400 - -locatespecific: + make locatespecific FIRMWARE=550 OS_VERSION=15702 TEXTADDRESS_COREINIT=0x0101c400 TEXTADDRESS_GX2=0x0114EC40 + +convertrpl: $(COREINIT_PATH_ELF) $(GX2_PATH_ELF) + +$(COREINIT_PATH_ELF): $(COREINIT_PATH) ./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null - sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(TEXTADDRESS) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php + +$(GX2_PATH_ELF): $(GX2_PATH) + ./bin/rpl2elf$(exe_ext) $(GX2_PATH) $(GX2_PATH_ELF) > /dev/null + +$(COREINIT_PATH): + java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version $(OS_VERSION) -out tmp/$(FIRMWARE) + +$(GX2_PATH): + java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*gx2.rpl' -version $(OS_VERSION) -out tmp/$(FIRMWARE) + +locatespecific: convertrpl + sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(GX2_PATH) $(TEXTADDRESS_COREINIT) $(TEXTADDRESS_GX2) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php clean: rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_* tmp diff --git a/wiiuhaxx_locaterop.sh b/wiiuhaxx_locaterop.sh index a9e52e8..0c5a815 100755 --- a/wiiuhaxx_locaterop.sh +++ b/wiiuhaxx_locaterop.sh @@ -1,18 +1,28 @@ -ospath=$1 -coreinit_textaddr=$2 -extension=$3 +coreinitpath=$1 +gx2path=$2 +coreinit_textaddr=$3 +gx2_textaddr=$4 +extension=$5 -reloc=$((0x02000000-$coreinit_textaddr)) +reloc_coreinit=$((0x02000000-$coreinit_textaddr)) +reloc_gx2=$((0x02000000-$gx2_textaddr)) getcoreinit_symboladdr() { - val=`powerpc-eabi-readelf -a "$PWD/$ospath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2` - printf "$2 = 0x%X;\n" $((0x$val-$reloc)) + val=`powerpc-eabi-readelf -a "$PWD/$coreinitpath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2` + printf "$2 = 0x%X;\n" $((0x$val-$reloc_coreinit)) +} + +getgx2_symboladdr() +{ + val=`powerpc-eabi-readelf -a "$PWD/$gx2path.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2` + printf "$2 = 0x%X;\n" $((0x$val-$reloc_gx2)) } echo "" +getgx2_symboladdr "GX2Flush" "\$ROP_GX2Flush" +getgx2_symboladdr "GX2DirectCallDisplayList" "\$ROP_GX2DirectCallDisplayList" +echo "?>" \ No newline at end of file diff --git a/wiiuhaxx_locaterop_script b/wiiuhaxx_locaterop_script_ci similarity index 82% rename from wiiuhaxx_locaterop_script rename to wiiuhaxx_locaterop_script_ci index 7c94d7e..ffdb15b 100644 --- a/wiiuhaxx_locaterop_script +++ b/wiiuhaxx_locaterop_script_ci @@ -7,3 +7,5 @@ --patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = " --patterntype=sha256 --patterndata=e602f66cf8aadc4d5e7db074ad9b8fbfa4190f862a8215cf26f707a49ca95070 --patternsha256size=0x28 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = " --patterntype=sha256 --patterndata=5e1fb4810ff6fb86bb533f2050306de6e03e09450887df6cb22c6d8511c3e267 --patternsha256size=0x18 --addval=0xFFFFFCFC "--plainout=$ROP_SETR3TOR31_POP_R31 = " +--patterntype=sha256 --patterndata=5CED182718E8204C299EA1F8E295841A0325EE493893B86053DE762CC0EEFB48 --patternsha256size=0x0C --addval=0xFFFFFCFC "--plainout=$ROP_Register = " +--patterntype=sha256 --patterndata=C457C33CF42B00C2E00B96E2C6B097848643BC172E8BDC9F0E7D974E833860B6 --patternsha256size=0x0C --addval=0xFFFFFCFC "--plainout=$ROP_CopyToSaveArea = " \ No newline at end of file diff --git a/wiiuhaxx_locaterop_script_gx2 b/wiiuhaxx_locaterop_script_gx2 new file mode 100644 index 0000000..65267de --- /dev/null +++ b/wiiuhaxx_locaterop_script_gx2 @@ -0,0 +1 @@ +#--patterntype=sha256 --patterndata=0D47AE19D0344CB3545E4D5289ED1BBBCE55BF181C929C18C6C05939B73CAEC3 --patternsha256size=0x0C --addval=0xFFFFFCAC‬ "--plainout=$GX2Flush = " \ No newline at end of file