- Improve makefile to compile/build/download only when needed.

- Add support for getting gadgets from gx2.rpl
- Add some new rop address to be searched
This commit is contained in:
orboditilt 2019-01-23 21:10:08 +01:00
parent 439b34bc7e
commit 4b56cb4cd0
4 changed files with 50 additions and 18 deletions

View File

@ -25,6 +25,9 @@ DEFINES :=
COREINIT_PATH := tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl
COREINIT_PATH_ELF := $(COREINIT_PATH).elf
GX2_PATH := tmp/$(FIRMWARE)/000500101000400A/code/gx2.rpl
GX2_PATH_ELF := $(GX2_PATH).elf
ifeq ($(OS),Windows_NT)
exe_ext := .exe
else
@ -33,26 +36,40 @@ endif
all: loader locateall
loader:
loader: wiiuhaxx_loader.bin wiiuhaxx_searcher.bin
wiiuhaxx_loader.bin: wiiuhaxx_loader.s
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
$(OBJCOPY) -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
wiiuhaxx_searcher.bin: wiiuhaxx_searcher.s
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_searcher.elf wiiuhaxx_searcher.s
$(OBJCOPY) -O binary wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin
locateall: locate532 locate550
locate532:
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 11464 -out tmp/532
make locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400
make locatespecific FIRMWARE=532 OS_VERSION=11464 TEXTADDRESS_COREINIT=0x0101c400 TEXTADDRESS_GX2=0x0101c400
locate550:
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 15702 -out tmp/550
make locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400
locatespecific:
make locatespecific FIRMWARE=550 OS_VERSION=15702 TEXTADDRESS_COREINIT=0x0101c400 TEXTADDRESS_GX2=0x0114EC40
convertrpl: $(COREINIT_PATH_ELF) $(GX2_PATH_ELF)
$(COREINIT_PATH_ELF): $(COREINIT_PATH)
./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null
sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(TEXTADDRESS) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php
$(GX2_PATH_ELF): $(GX2_PATH)
./bin/rpl2elf$(exe_ext) $(GX2_PATH) $(GX2_PATH_ELF) > /dev/null
$(COREINIT_PATH):
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version $(OS_VERSION) -out tmp/$(FIRMWARE)
$(GX2_PATH):
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*gx2.rpl' -version $(OS_VERSION) -out tmp/$(FIRMWARE)
locatespecific: convertrpl
sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(GX2_PATH) $(TEXTADDRESS_COREINIT) $(TEXTADDRESS_GX2) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php
clean:
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_* tmp

View File

@ -1,18 +1,28 @@
ospath=$1
coreinit_textaddr=$2
extension=$3
coreinitpath=$1
gx2path=$2
coreinit_textaddr=$3
gx2_textaddr=$4
extension=$5
reloc=$((0x02000000-$coreinit_textaddr))
reloc_coreinit=$((0x02000000-$coreinit_textaddr))
reloc_gx2=$((0x02000000-$gx2_textaddr))
getcoreinit_symboladdr()
{
val=`powerpc-eabi-readelf -a "$PWD/$ospath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
printf "$2 = 0x%X;\n" $((0x$val-$reloc))
val=`powerpc-eabi-readelf -a "$PWD/$coreinitpath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
printf "$2 = 0x%X;\n" $((0x$val-$reloc_coreinit))
}
getgx2_symboladdr()
{
val=`powerpc-eabi-readelf -a "$PWD/$gx2path.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
printf "$2 = 0x%X;\n" $((0x$val-$reloc_gx2))
}
echo "<?php"
./bin/ropgadget_patternfinder$extension $ospath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script #?1EFE3500?
./bin/ropgadget_patternfinder$extension $coreinitpath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script_ci #?1EFE3500?
./bin/ropgadget_patternfinder$extension $gx2path.elf --baseaddr=$gx2_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script_gx2 #?1EFE3500?
echo ""
getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
@ -31,4 +41,6 @@ getcoreinit_symboladdr "OSScreenClearBufferEx" "\$ROP_OSScreenClearBufferEx"
getcoreinit_symboladdr "OSDynLoad_Acquire" "\$ROP_OSDynLoad_Acquire"
getcoreinit_symboladdr "OSDynLoad_FindExport" "\$ROP_OSDynLoad_FindExport"
getcoreinit_symboladdr "__os_snprintf" "\$ROP_os_snprintf"
echo "?>"
getgx2_symboladdr "GX2Flush" "\$ROP_GX2Flush"
getgx2_symboladdr "GX2DirectCallDisplayList" "\$ROP_GX2DirectCallDisplayList"
echo "?>"

View File

@ -7,3 +7,5 @@
--patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = "
--patterntype=sha256 --patterndata=e602f66cf8aadc4d5e7db074ad9b8fbfa4190f862a8215cf26f707a49ca95070 --patternsha256size=0x28 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = "
--patterntype=sha256 --patterndata=5e1fb4810ff6fb86bb533f2050306de6e03e09450887df6cb22c6d8511c3e267 --patternsha256size=0x18 --addval=0xFFFFFCFC "--plainout=$ROP_SETR3TOR31_POP_R31 = "
--patterntype=sha256 --patterndata=5CED182718E8204C299EA1F8E295841A0325EE493893B86053DE762CC0EEFB48 --patternsha256size=0x0C --addval=0xFFFFFCFC "--plainout=$ROP_Register = "
--patterntype=sha256 --patterndata=C457C33CF42B00C2E00B96E2C6B097848643BC172E8BDC9F0E7D974E833860B6 --patternsha256size=0x0C --addval=0xFFFFFCFC "--plainout=$ROP_CopyToSaveArea = "

View File

@ -0,0 +1 @@
#--patterntype=sha256 --patterndata=0D47AE19D0344CB3545E4D5289ED1BBBCE55BF181C929C18C6C05939B73CAEC3 --patternsha256size=0x0C --addval=0xFFFFFCAC "--plainout=$GX2Flush = "