The makefile now grabs the coreinit.rpl and converts it to an elf.
This commit is contained in:
parent
7c346375f9
commit
8619b2c680
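--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,7 @@
+common.key
+bin/
+*.zip
+wiiuhaxx_loader.elf
+wiiuhaxx_loader.bin
+tmp/
+wiiuhaxx_rop_sysver_*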
56
Makefile
56
Makefile
@ -1,10 +1,56 @@
|
||||
#---------------------------------------------------------------------------------
|
||||
# Clear the implicit built in rules
|
||||
#---------------------------------------------------------------------------------
|
||||
.SUFFIXES:
|
||||
#---------------------------------------------------------------------------------
|
||||
ifeq ($(strip $(DEVKITPPC)),)
|
||||
$(error "Please set DEVKITPPC in your environment. export DEVKITPPC=<path to>devkitPPC")
|
||||
endif
|
||||
ifeq ($(strip $(DEVKITPRO)),)
|
||||
$(error "Please set DEVKITPRO in your environment. export DEVKITPRO=<path to>devkitPRO")
|
||||
endif
|
||||
|
||||
export PATH := $(DEVKITPPC)/bin:$(PORTLIBS)/bin:$(PATH)
|
||||
|
||||
PREFIX := powerpc-eabi-
|
||||
|
||||
export AS := $(PREFIX)as
|
||||
export CC := $(PREFIX)gcc
|
||||
export CXX := $(PREFIX)g++
|
||||
export AR := $(PREFIX)ar
|
||||
export READELF := $(PREFIX)readelf
|
||||
export OBJCOPY := $(PREFIX)objcopy
|
||||
DEFINES :=
|
||||
|
||||
all:
|
||||
powerpc-eabi-gcc -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
|
||||
powerpc-eabi-objcopy -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
|
||||
cp wiiuhaxx_loader.bin $(OUTPATH)
|
||||
COREINIT_PATH := tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl
|
||||
COREINIT_PATH_ELF := $(COREINIT_PATH).elf
|
||||
|
||||
ifeq ($(OS),Windows_NT)
|
||||
exe_ext := .exe
|
||||
else
|
||||
exe_ext :=
|
||||
endif
|
||||
|
||||
all: loader locateall
|
||||
|
||||
loader:
|
||||
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
|
||||
$(OBJCOPY) -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
|
||||
|
||||
locateall: locate532 locate550
|
||||
|
||||
locate532:
|
||||
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 11464 -out tmp/532
|
||||
make locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400
|
||||
|
||||
locate550:
|
||||
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 15702 -out tmp/550
|
||||
make locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400
|
||||
|
||||
locatespecific:
|
||||
./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null
|
||||
sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(TEXTADDRESS) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php
|
||||
|
||||
clean:
|
||||
rm -f wiiuhaxx_loader.elf wiiuhaxx_loader.bin
|
||||
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_rop_sysver_* tmp
|
||||
|
||||
|
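Review bot: The recursive invocations in locate532 and locate550 call a bare `make` instead of `$(MAKE)`, so the sub-make running locatespecific does not inherit the jobserver, `-n`, or a non-default make binary; change the two lines to `$(MAKE) locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400` and `$(MAKE) locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400`. None of the new targets (all, loader, locateall, locate532, locate550, locatespecific, clean) names a file, yet no `.PHONY` is declared, so a stray file called `loader` or `clean` in the working tree silently skips that target; add `.PHONY: all loader locateall locate532 locate550 locatespecific clean`. locatespecific has no guard against being run on its own: with FIRMWARE unset, COREINIT_PATH expands to `tmp//000500101000400A/code/coreinit.rpl` and an empty TEXTADDRESS reaches the script, so a first recipe line `$(if $(and $(strip $(FIRMWARE)),$(strip $(TEXTADDRESS))),,$(error locatespecific needs FIRMWARE and TEXTADDRESS))` would fail loudly instead. The coreinit.rpl that FileDownloader fetches is handed straight to rpl2elf and readelf without any integrity check in the Makefile itself; if the downloader does not validate the title's signed metadata, a pinned checksum compared before the rpl2elf step would keep a tampered download out of the generated php.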
21
README.md
21
README.md
@ -1,3 +1,24 @@
|
||||
# README
|
||||
|
||||
This fork is supposed a common base for Wii U ROP-chains.
|
||||
|
||||
# Building
|
||||
Before using the ROP-chain, some files need to be compiled/generated, you can do it with `make`.
|
||||
|
||||
The makefile expects some binaries/files.
|
||||
- `bin/ropgadget_patternfinder(.exe)` [Download](https://github.com/wiiu-env/ropgadget_patternfinder/releases)
|
||||
- `bin/rpl2elf(.exe)` [Download](https://github.com/wiiu-env/rpl2elf/releases)
|
||||
- `bin/FileDownloader.jar` [Download] (https://github.com/wiiu-env/NUSFileDownloader/releases).
|
||||
- `common.key` containing the reatil wii u common key (in binary form, 16 bytes).
|
||||
|
||||
When you have all needed files, you can use `make`.
|
||||
|
||||
On success, you can now find the following files:
|
||||
- `wiiuhaxx_rop_sysver_*.php` one for each supported firmware.
|
||||
- `wiiuhaxx_loader.bin`
|
||||
|
||||
# Original README
|
||||
|
||||
This is a common codebase for generating ROP-chains/etc for *seperate* Wii U PowerPC-userland exploits. This uses addresses auto-located from coreinit, with .php for each sysver that was pre-generated. This is basically a Wii U version of this: https://github.com/yellows8/3ds_browserhax_common
|
||||
|
||||
Currently only binary ROP-chains are supported, hence no support for using this easily with WebKit exploits. The core1-switch ROP here doesn't work correctly currently, hence this codebase isn't usable as-is unless the current core is already core1(which isn't the case for WebKit exploits it seems). In other words, this codebase is currently only usable with non-WebKit exploits. Hence the use of php, this is intended for running under browser-based titles, but could be used with others as well if the ROP-chain(s) are usable with them.
|
||||
|
@ -1,3 +0,0 @@
|
||||
./wiiuhaxx_locaterop.sh $1/v11464 0x0101c400 > wiiuhaxx_rop_sysver_532.php
|
||||
./wiiuhaxx_locaterop.sh $1/v15702 0x0101c400 > wiiuhaxx_rop_sysver_550.php
|
||||
|
@ -1,16 +1,18 @@
|
||||
ospath=$1
|
||||
coreinit_textaddr=$2
|
||||
extension=$3
|
||||
|
||||
powerpc-eabi-objcopy --change-section-address .text=$coreinit_textaddr $ospath/coreinit.elf $ospath/coreinit_reloc.elf
|
||||
reloc=$((0x02000000-$coreinit_textaddr))
|
||||
|
||||
function getcoreinit_symboladdr
|
||||
|
||||
getcoreinit_symboladdr()
|
||||
{
|
||||
val=`powerpc-eabi-readelf -a $ospath/coreinit_reloc.elf | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
|
||||
echo "$2 = 0x$val;"
|
||||
val=`powerpc-eabi-readelf -a "$PWD/$ospath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
|
||||
printf "$2 = 0x%X;\n" $((0x$val-$reloc))
|
||||
}
|
||||
|
||||
echo "<?php"
|
||||
ropgadget_patternfinder $1/coreinit.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script
|
||||
./bin/ropgadget_patternfinder$extension $ospath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script #?1EFE3500?
|
||||
echo ""
|
||||
getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
|
||||
getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
|
||||
|
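Review bot: getcoreinit_symboladdr never checks that readelf actually found the symbol: when `val` comes back empty the new printf line evaluates `$((0x-$reloc))`, which is a shell arithmetic error rather than a clear failure, and `grep "$1"` is a substring match that may pick up a longer symbol name than the one requested. Add `[ -n "$val" ] || { echo "symbol $1 not found" >&2; exit 1; }` between the `val=` line and the printf, and consider `grep -w "$1"` so that `memcpy` cannot match a different name containing it. The script also has no `set -e`, so a failing `./bin/ropgadget_patternfinder` call still leaves the Makefile's redirected `wiiuhaxx_rop_sysver_*.php` looking complete; `set -e` at the top of the script (or an explicit exit-status check after that call) makes the build fail instead. The trailing `#?1EFE3500?` on the patternfinder line reads like a leftover note and should be explained in a comment or removed.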
@ -1,29 +0,0 @@
|
||||
<?php
|
||||
$ROP_POPJUMPLR_STACK12 = 0x0101cd14;
|
||||
$ROP_POPJUMPLR_STACK20 = 0x01024d28;
|
||||
$ROP_CALLFUNC = 0x0107f82c;
|
||||
$ROP_CALLR28_POP_R28_TO_R31 = 0x0107d328;
|
||||
$ROP_POP_R28R29R30R31 = 0x0101d8c4;
|
||||
$ROP_POP_R27 = 0x0101caf0;
|
||||
$ROP_POP_R24_TO_R31 = 0x0102042c;
|
||||
$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x01025360;
|
||||
$ROP_SETR3TOR31_POP_R31 = 0x0101cc00;
|
||||
|
||||
$ROP_memcpy = 0x01035a68;
|
||||
$ROP_DCFlushRange = 0x01023ee8;
|
||||
$ROP_ICInvalidateRange = 0x01024010;
|
||||
$ROP_OSSwitchSecCodeGenMode = 0x010370c0;
|
||||
$ROP_OSCodegenCopy = 0x010370d8;
|
||||
$ROP_OSGetCodegenVirtAddrRange = 0x01036fc0;
|
||||
$ROP_OSGetCoreId = 0x01024e2c;
|
||||
$ROP_OSGetCurrentThread = 0x010429cc;
|
||||
$ROP_OSSetThreadAffinity = 0x01042284;
|
||||
$ROP_OSYieldThread = 0x01041250;
|
||||
$ROP_OSFatal = 0x01031368;
|
||||
$ROP_Exit = 0x0101cd70;
|
||||
$ROP_OSScreenFlipBuffersEx = 0x0103a9d0;
|
||||
$ROP_OSScreenClearBufferEx = 0x0103aa90;
|
||||
$ROP_OSDynLoad_Acquire = 0x0102a31c;
|
||||
$ROP_OSDynLoad_FindExport = 0x0102b790;
|
||||
$ROP_os_snprintf = 0x0102f09c;
|
||||
?>
|
@ -1,29 +0,0 @@
|
||||
<?php
|
||||
$ROP_POPJUMPLR_STACK12 = 0x0101cd24;
|
||||
$ROP_POPJUMPLR_STACK20 = 0x01024d88;
|
||||
$ROP_CALLFUNC = 0x01080274;
|
||||
$ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
|
||||
$ROP_POP_R28R29R30R31 = 0x0101d8d4;
|
||||
$ROP_POP_R27 = 0x0101cb00;
|
||||
$ROP_POP_R24_TO_R31 = 0x010204c8;
|
||||
$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
|
||||
$ROP_SETR3TOR31_POP_R31 = 0x0101cc10;
|
||||
|
||||
$ROP_memcpy = 0x01035fc8;
|
||||
$ROP_DCFlushRange = 0x01023f88;
|
||||
$ROP_ICInvalidateRange = 0x010240b0;
|
||||
$ROP_OSSwitchSecCodeGenMode = 0x010376c0;
|
||||
$ROP_OSCodegenCopy = 0x010376d8;
|
||||
$ROP_OSGetCodegenVirtAddrRange = 0x010375c0;
|
||||
$ROP_OSGetCoreId = 0x01024e8c;
|
||||
$ROP_OSGetCurrentThread = 0x01043150;
|
||||
$ROP_OSSetThreadAffinity = 0x010429dc;
|
||||
$ROP_OSYieldThread = 0x010418e4;
|
||||
$ROP_OSFatal = 0x01031618;
|
||||
$ROP_Exit = 0x0101cd80;
|
||||
$ROP_OSScreenFlipBuffersEx = 0x0103afd0;
|
||||
$ROP_OSScreenClearBufferEx = 0x0103b090;
|
||||
$ROP_OSDynLoad_Acquire = 0x0102a3b4;
|
||||
$ROP_OSDynLoad_FindExport = 0x0102b828;
|
||||
$ROP_os_snprintf = 0x0102f160;
|
||||
?>
|