The makefile now grabs the coreinit.rpl and converts it to an elf.

2019-01-06 18:10:45 +01:00 · 2019-01-06 18:10:45 +01:00 · 8619b2c680
parent 7c346375f9
commit 8619b2c680
7 changed files with 87 additions and 72 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,7 @@
+common.key
+bin/
+*.zip
+wiiuhaxx_loader.elf
+wiiuhaxx_loader.bin
+tmp/
+wiiuhaxx_rop_sysver_*
--- a/56
+++ b/56
@ -1,10 +1,56 @@
+#---------------------------------------------------------------------------------
+# Clear the implicit built in rules
+#---------------------------------------------------------------------------------
+.SUFFIXES:
+#---------------------------------------------------------------------------------
+ifeq ($(strip $(DEVKITPPC)),)
+$(error "Please set DEVKITPPC in your environment. export DEVKITPPC=<path to>devkitPPC")
+endif
+ifeq ($(strip $(DEVKITPRO)),)
+$(error "Please set DEVKITPRO in your environment. export DEVKITPRO=<path to>devkitPRO")
+endif
+
+export PATH			:=	$(DEVKITPPC)/bin:$(PORTLIBS)/bin:$(PATH)
+
+PREFIX	:=	powerpc-eabi-
+
+export AS	:=	$(PREFIX)as
+export CC	:=	$(PREFIX)gcc
+export CXX	:=	$(PREFIX)g++
+export AR	:=	$(PREFIX)ar
+export READELF	:=	$(PREFIX)readelf
+export OBJCOPY	:=	$(PREFIX)objcopy
 DEFINES	:=	

-all:
-	powerpc-eabi-gcc -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
-	powerpc-eabi-objcopy -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
-	cp wiiuhaxx_loader.bin $(OUTPATH)
+COREINIT_PATH	:= tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl
+COREINIT_PATH_ELF	:= $(COREINIT_PATH).elf
+
+ifeq ($(OS),Windows_NT) 
+    exe_ext := .exe
+else
+    exe_ext := 
+endif
+
+all: loader locateall
+	
+loader:
+	$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
+	$(OBJCOPY) -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
+	
+locateall: locate532 locate550
+	
+locate532:
+	java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 11464 -out tmp/532
+	make locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400
+	
+locate550:
+	java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 15702 -out tmp/550
+	make locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400
+	
+locatespecific:	
+	./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null
+	sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(TEXTADDRESS) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php

 clean:
-	rm -f wiiuhaxx_loader.elf wiiuhaxx_loader.bin
+	rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_rop_sysver_* tmp

--- a/README.md
+++ b/README.md
@ -1,3 +1,24 @@
+# README
+
+This fork is supposed a common base for Wii U ROP-chains.
+
+# Building
+Before using the ROP-chain, some files need to be compiled/generated, you can do it with `make`.
+
+The makefile expects some binaries/files.
+- `bin/ropgadget_patternfinder(.exe)` [Download](https://github.com/wiiu-env/ropgadget_patternfinder/releases)
+- `bin/rpl2elf(.exe)` [Download](https://github.com/wiiu-env/rpl2elf/releases)
+- `bin/FileDownloader.jar` [Download] (https://github.com/wiiu-env/NUSFileDownloader/releases).
+- `common.key` containing the reatil wii u common key (in binary form, 16 bytes).
+
+When you have all needed files, you can use `make`.
+
+On success, you can now find the following files:
+ - `wiiuhaxx_rop_sysver_*.php` one for each supported firmware.
+ - `wiiuhaxx_loader.bin`
+
+# Original README
+
 This is a common codebase for generating ROP-chains/etc for *seperate* Wii U PowerPC-userland exploits. This uses addresses auto-located from coreinit, with .php for each sysver that was pre-generated. This is basically a Wii U version of this: https://github.com/yellows8/3ds_browserhax_common

 Currently only binary ROP-chains are supported, hence no support for using this easily with WebKit exploits. The core1-switch ROP here doesn't work correctly currently, hence this codebase isn't usable as-is unless the current core is already core1(which isn't the case for WebKit exploits it seems). In other words, this codebase is currently only usable with non-WebKit exploits. Hence the use of php, this is intended for running under browser-based titles, but could be used with others as well if the ROP-chain(s) are usable with them.
--- a/wiiuhaxx_buildropversions.sh
+++ b/wiiuhaxx_buildropversions.sh
@ -1,3 +0,0 @@
-./wiiuhaxx_locaterop.sh $1/v11464 0x0101c400 > wiiuhaxx_rop_sysver_532.php
-./wiiuhaxx_locaterop.sh $1/v15702 0x0101c400 > wiiuhaxx_rop_sysver_550.php
-
--- a/wiiuhaxx_locaterop.sh
+++ b/wiiuhaxx_locaterop.sh
@ -1,16 +1,18 @@
 ospath=$1
 coreinit_textaddr=$2
+extension=$3

-powerpc-eabi-objcopy --change-section-address .text=$coreinit_textaddr $ospath/coreinit.elf $ospath/coreinit_reloc.elf
+reloc=$((0x02000000-$coreinit_textaddr))

-function getcoreinit_symboladdr
+
+getcoreinit_symboladdr()
 {
-	val=`powerpc-eabi-readelf -a $ospath/coreinit_reloc.elf | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
-	echo "$2 = 0x$val;"
+	val=`powerpc-eabi-readelf -a "$PWD/$ospath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
+	printf "$2 = 0x%X;\n" $((0x$val-$reloc))
 }

-echo "<?php"
-ropgadget_patternfinder $1/coreinit.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script
+echo "<?php" 
+./bin/ropgadget_patternfinder$extension $ospath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script #?1EFE3500?
 echo ""
 getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
 getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
--- a/wiiuhaxx_rop_sysver_532.php
+++ b/wiiuhaxx_rop_sysver_532.php
@ -1,29 +0,0 @@
-<?php
-$ROP_POPJUMPLR_STACK12 = 0x0101cd14;
-$ROP_POPJUMPLR_STACK20 = 0x01024d28;
-$ROP_CALLFUNC = 0x0107f82c;
-$ROP_CALLR28_POP_R28_TO_R31 = 0x0107d328;
-$ROP_POP_R28R29R30R31 = 0x0101d8c4;
-$ROP_POP_R27 = 0x0101caf0;
-$ROP_POP_R24_TO_R31 = 0x0102042c;
-$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x01025360;
-$ROP_SETR3TOR31_POP_R31 = 0x0101cc00;
-
-$ROP_memcpy = 0x01035a68;
-$ROP_DCFlushRange = 0x01023ee8;
-$ROP_ICInvalidateRange = 0x01024010;
-$ROP_OSSwitchSecCodeGenMode = 0x010370c0;
-$ROP_OSCodegenCopy = 0x010370d8;
-$ROP_OSGetCodegenVirtAddrRange = 0x01036fc0;
-$ROP_OSGetCoreId = 0x01024e2c;
-$ROP_OSGetCurrentThread = 0x010429cc;
-$ROP_OSSetThreadAffinity = 0x01042284;
-$ROP_OSYieldThread = 0x01041250;
-$ROP_OSFatal = 0x01031368;
-$ROP_Exit = 0x0101cd70;
-$ROP_OSScreenFlipBuffersEx = 0x0103a9d0;
-$ROP_OSScreenClearBufferEx = 0x0103aa90;
-$ROP_OSDynLoad_Acquire = 0x0102a31c;
-$ROP_OSDynLoad_FindExport = 0x0102b790;
-$ROP_os_snprintf = 0x0102f09c;
-?>
--- a/wiiuhaxx_rop_sysver_550.php
+++ b/wiiuhaxx_rop_sysver_550.php
@ -1,29 +0,0 @@
-<?php
-$ROP_POPJUMPLR_STACK12 = 0x0101cd24;
-$ROP_POPJUMPLR_STACK20 = 0x01024d88;
-$ROP_CALLFUNC = 0x01080274;
-$ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
-$ROP_POP_R28R29R30R31 = 0x0101d8d4;
-$ROP_POP_R27 = 0x0101cb00;
-$ROP_POP_R24_TO_R31 = 0x010204c8;
-$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
-$ROP_SETR3TOR31_POP_R31 = 0x0101cc10;
-
-$ROP_memcpy = 0x01035fc8;
-$ROP_DCFlushRange = 0x01023f88;
-$ROP_ICInvalidateRange = 0x010240b0;
-$ROP_OSSwitchSecCodeGenMode = 0x010376c0;
-$ROP_OSCodegenCopy = 0x010376d8;
-$ROP_OSGetCodegenVirtAddrRange = 0x010375c0;
-$ROP_OSGetCoreId = 0x01024e8c;
-$ROP_OSGetCurrentThread = 0x01043150;
-$ROP_OSSetThreadAffinity = 0x010429dc;
-$ROP_OSYieldThread = 0x010418e4;
-$ROP_OSFatal = 0x01031618;
-$ROP_Exit = 0x0101cd80;
-$ROP_OSScreenFlipBuffersEx = 0x0103afd0;
-$ROP_OSScreenClearBufferEx = 0x0103b090;
-$ROP_OSDynLoad_Acquire = 0x0102a3b4;
-$ROP_OSDynLoad_FindExport = 0x0102b828;
-$ROP_os_snprintf = 0x0102f160;
-?>