Compare commits
3 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
8d5b8ab0b6 | ||
|
0a24047530 | ||
|
b6909c596b |
51
Makefile
51
Makefile
|
@ -22,17 +22,12 @@ export READELF := $(PREFIX)readelf
|
|||
export OBJCOPY := $(PREFIX)objcopy
|
||||
DEFINES :=
|
||||
|
||||
COREINIT_PATH := tmp/$(FIRMWARE)/000500101000400A/code/coreinit.rpl
|
||||
COREINIT_PATH_ELF := $(COREINIT_PATH).elf
|
||||
|
||||
GX2_PATH := tmp/$(FIRMWARE)/000500101000400A/code/gx2.rpl
|
||||
GX2_PATH_ELF := $(GX2_PATH).elf
|
||||
|
||||
ifeq ($(OS),Windows_NT)
|
||||
exe_ext := .exe
|
||||
else
|
||||
exe_ext :=
|
||||
endif
|
||||
COREINIT_CONFIG_PATH := coreinit.yml
|
||||
GX2_CONFIG_PATH := gx2.yml
|
||||
COREINIT_PATH := tmp/$(FIRMWARE)/coreinit.rpl
|
||||
GX2_PATH := tmp/$(FIRMWARE)/gx2.rpl
|
||||
TARGET_FILENAME := wiiuhaxx_rop_sysver_$(FIRMWARE).php
|
||||
GADGET_FINDER_PATH := bin/rpxgadgetfinder.jar
|
||||
|
||||
all: loader locateall
|
||||
|
||||
|
@ -47,30 +42,34 @@ wiiuhaxx_searcher.bin: wiiuhaxx_searcher.s
|
|||
$(OBJCOPY) -O binary wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin
|
||||
|
||||
locateall: locate532 locate550
|
||||
|
||||
|
||||
locate532:
|
||||
make locatespecific FIRMWARE=532 OS_VERSION=11464 TEXTADDRESS_COREINIT=0x0101c400 TEXTADDRESS_GX2=0x0101c400
|
||||
make locatespecific FIRMWARE=532 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
|
||||
|
||||
locate550:
|
||||
make locatespecific FIRMWARE=550 OS_VERSION=15702 TEXTADDRESS_COREINIT=0x0101c400 TEXTADDRESS_GX2=0x0114EC40
|
||||
|
||||
convertrpl: $(COREINIT_PATH_ELF) $(GX2_PATH_ELF)
|
||||
|
||||
$(COREINIT_PATH_ELF): $(COREINIT_PATH)
|
||||
./bin/rpl2elf$(exe_ext) $(COREINIT_PATH) $(COREINIT_PATH_ELF) > /dev/null
|
||||
make locatespecific FIRMWARE=550 ADDRESS_OFFSET_COREINIT=$$((0x02000000-0x0101c400)) ADDRESS_OFFSET_GX2=$$((0x02000000-0x0114EC40))
|
||||
|
||||
$(GX2_PATH_ELF): $(GX2_PATH)
|
||||
./bin/rpl2elf$(exe_ext) $(GX2_PATH) $(GX2_PATH_ELF) > /dev/null
|
||||
checkrpl: $(COREINIT_PATH) $(GX2_PATH)
|
||||
|
||||
$(COREINIT_PATH):
|
||||
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*coreinit.rpl' -version $(OS_VERSION) -out tmp/$(FIRMWARE)
|
||||
if [ -a $(COREINIT_PATH) ]; then $(error missing $(COREINIT_PATH) for FW $(FIRMWARE)); fi;
|
||||
|
||||
$(GX2_PATH):
|
||||
java -jar bin/FileDownloader.jar -titleID 000500101000400A -file '.*gx2.rpl' -version $(OS_VERSION) -out tmp/$(FIRMWARE)
|
||||
if [ -a $(GX2_PATH) ]; then $(error missing $(GX2_PATH) for FW $(FIRMWARE)); fi;
|
||||
|
||||
$(CONFIG_FILENAME):
|
||||
if [ -a $(CONFIG_FILENAME) ]; then $(error missing $(CONFIG_FILENAME)); fi;
|
||||
|
||||
$(GADGET_FINDER_PATH):
|
||||
if [ -a $(GADGET_FINDER_PATH) ]; then $(error missing $(GADGET_FINDER_PATH)); fi;
|
||||
|
||||
locatespecific: convertrpl
|
||||
sh ./wiiuhaxx_locaterop.sh $(COREINIT_PATH) $(GX2_PATH) $(TEXTADDRESS_COREINIT) $(TEXTADDRESS_GX2) $(exe_ext) > wiiuhaxx_rop_sysver_$(FIRMWARE).php
|
||||
locatespecific: checkrpl $(GADGET_FINDER_PATH) $(CONFIG_FILENAME)
|
||||
@echo "Finding symbols for FW $(FIRMWARE)"
|
||||
@echo "<?php" > $(TARGET_FILENAME)
|
||||
@java -jar $(GADGET_FINDER_PATH) -cin $(COREINIT_CONFIG_PATH) -bin $(COREINIT_PATH) -aoff -$(ADDRESS_OFFSET_COREINIT) >> $(TARGET_FILENAME)
|
||||
@java -jar $(GADGET_FINDER_PATH) -cin $(GX2_CONFIG_PATH) -bin $(GX2_PATH) -aoff -$(ADDRESS_OFFSET_GX2) >> $(TARGET_FILENAME)
|
||||
@echo "?>" >> $(TARGET_FILENAME)
|
||||
|
||||
clean:
|
||||
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_* tmp
|
||||
rm -rf wiiuhaxx_loader.elf wiiuhaxx_loader.bin wiiuhaxx_searcher.elf wiiuhaxx_searcher.bin wiiuhaxx_rop_sysver_*
|
||||
|
||||
|
|
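Review bot: The existence checks written as `if [ -a $(GADGET_FINDER_PATH) ]; then $(error missing $(GADGET_FINDER_PATH)); fi;` cannot work: `$(error …)` is a Make function that is expanded when the recipe is prepared, so it fires unconditionally whenever the rule runs, and `[ -a … ]` tests that the file *exists*, which inverts the intended sense even as a shell test. Each of these targets is a file with no prerequisites, so its recipe only runs when the file is absent; a pure check rule can therefore be just `$(error missing $(GADGET_FINDER_PATH))`, while a rule that first downloads the file needs a shell-level check such as `test -f $@ || { echo "missing $@ for FW $(FIRMWARE)" >&2; exit 1; }`. `$(CONFIG_FILENAME)` is not assigned anywhere in this hunk; if it is not set above, `$(CONFIG_FILENAME):` expands to a rule with no target, which GNU make silently ignores together with its recipe, and `locatespecific` then never depends on `coreinit.yml`/`gx2.yml` — `$(COREINIT_CONFIG_PATH) $(GX2_CONFIG_PATH)` was presumably meant. The recursive invocations in `locate532`/`locate550` should use `$(MAKE)` rather than a literal `make` so that `-j`, `-n` and the jobserver propagate. No `.PHONY` declaration for `all`, `locateall`, `locate532`, `locate550`, `locatespecific`, `checkrpl` and `clean` is visible in the hunk; if there is none above it, add one so a stray file with one of those names cannot make the target appear up to date.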
11
README.md
11
README.md
|
@ -1,15 +1,16 @@
|
|||
# README
|
||||
|
||||
This fork is supposed a common base for Wii U ROP-chains.
|
||||
This fork is supposed to be a common base for Wii U ROP-chains.
|
||||
|
||||
## Building
|
||||
Before using the ROP-chain, some files need to be compiled/generated, you can do it with `make`.
|
||||
|
||||
The makefile expects some binaries/files.
|
||||
- `bin/ropgadget_patternfinder(.exe)` [Download](https://github.com/wiiu-env/ropgadget_patternfinder/releases)
|
||||
- `bin/rpl2elf(.exe)` [Download](https://github.com/wiiu-env/rpl2elf/releases)
|
||||
- `bin/FileDownloader.jar` [Download](https://github.com/wiiu-env/NUSFileDownloader/releases)
|
||||
- `common.key` containing the retail Wii U common key (in binary form, 16 bytes).
|
||||
- `bin/rpxgadgetfinder.jar` [Download](https://github.com/wiiu-env/RPXGadgetFinder/releases) (requires Java 11(!))
|
||||
- `tmp/532/coreinit.rpl` from 00050010-1000400A OSv10 v11464
|
||||
- `tmp/532/gx2.rpl` from 00050010-1000400A OSv10 v11464
|
||||
- `tmp/550/coreinit.rpl` from 00050010-1000400A OSv10 v15702
|
||||
- `tmp/550/gx2.rpl` from 00050010-1000400A OSv10 v15702
|
||||
|
||||
When you have all needed files, you can use `make`.
|
||||
|
||||
|
|
74
coreinit.yml
Normal file
74
coreinit.yml
Normal file
|
@ -0,0 +1,74 @@
|
|||
!!de.orb.wiiu.rpxgadgetfinder.SymbolList
|
||||
symbols:
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: memcpy, out: $ROP_memcpy}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: DCFlushRange, out: $ROP_DCFlushRange}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: ICInvalidateRange, out: $ROP_ICInvalidateRange}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSSwitchSecCodeGenMode, out: $ROP_OSSwitchSecCodeGenMode}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSCodegenCopy, out: $ROP_OSCodegenCopy}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCodegenVirtAddrRange, out: $ROP_OSGetCodegenVirtAddrRange}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCoreId, out: $ROP_OSGetCoreId}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSGetCurrentThread, out: $ROP_OSGetCurrentThread}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSSetThreadAffinity, out: $ROP_OSSetThreadAffinity}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSYieldThread, out: $ROP_OSYieldThread}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSFatal, out: $ROP_OSFatal}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: _Exit, out: $ROP_Exit}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSScreenFlipBuffersEx, out: $ROP_OSScreenFlipBuffersEx}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSScreenClearBufferEx, out: $ROP_OSScreenClearBufferEx}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSDynLoad_Acquire, out: $ROP_OSDynLoad_Acquire}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: OSDynLoad_FindExport, out: $ROP_OSDynLoad_FindExport}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: __os_snprintf, out: $ROP_os_snprintf}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
yHAg7FCY0T7dPuDQ0BMToKXwp5N/NsD19OlQMWWuM/s=
|
||||
out: $ROP_POPJUMPLR_STACK12
|
||||
size: 16
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
3s/zyode/BqcPQrHYY8++j0zylm9P9YCp0fTRpvVwAA=
|
||||
out: $ROP_POPJUMPLR_STACK20
|
||||
size: 16
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
UwYkiCHAcqnPXHHJRpFx4XzSlm9m/H1hLOec/41dEko=
|
||||
out: $ROP_CALLFUNC
|
||||
size: 52
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
9OdgU6ZcVx8rO4xsbd6XPJX4ibzPCiLrlknLx4EMjpg=
|
||||
out: $ROP_CALLR28_POP_R28_TO_R31
|
||||
size: 44
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
R0G4Y63PdC+JKMSFo588yGKUadHdzPnmjJ3RwlNB8JE=
|
||||
out: $ROP_POP_R28R29R30R31
|
||||
size: 32
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
lylzvoB06SsPEPxfu6rvbCjikF+ZAHZUzXNaX9aZM/w=
|
||||
out: $ROP_POP_R27
|
||||
size: 20
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
b18R/cRB3e+PIYnLyQBlF8SRf89ul1y4y+sjc7+OjKI=
|
||||
out: $ROP_POP_R24_TO_R31
|
||||
size: 20
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
5gL2bPiq3E1efbB0rZuPv6QZD4YqghXPJvcHpJypUHA=
|
||||
out: $ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM
|
||||
size: 40
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
Xh+0gQ/2+4a7Uz8gUDBt5uA+CUUIh99ssixthRHD4mc=
|
||||
out: $ROP_SETR3TOR31_POP_R31
|
||||
size: 24
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
XO0YJxjoIEwpnqH44pWEGgMl7kk4k7hgU952LMDu+0g=
|
||||
out: $ROP_Register
|
||||
size: 12
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.GadgetSymbol
|
||||
hash: !!binary |-
|
||||
xFfDPPQrAMLgC5bixrCXhIZDvBcui9yfDn2XToM4YLY=
|
||||
out: $ROP_CopyToSaveArea
|
||||
size: 12
|
5
gx2.yml
Normal file
5
gx2.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
!!de.orb.wiiu.rpxgadgetfinder.SymbolList
|
||||
symbols:
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2Init, out: $ROP_GX2Init}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2Flush, out: $ROP_GX2Flush}
|
||||
- !!de.orb.wiiu.rpxgadgetfinder.ExportSymbol {name: GX2DirectCallDisplayList, out: $ROP_GX2DirectCallDisplayList}
|
|
@ -1,46 +0,0 @@
|
|||
coreinitpath=$1
|
||||
gx2path=$2
|
||||
coreinit_textaddr=$3
|
||||
gx2_textaddr=$4
|
||||
extension=$5
|
||||
|
||||
reloc_coreinit=$((0x02000000-$coreinit_textaddr))
|
||||
reloc_gx2=$((0x02000000-$gx2_textaddr))
|
||||
|
||||
|
||||
getcoreinit_symboladdr()
|
||||
{
|
||||
val=`powerpc-eabi-readelf -a "$PWD/$coreinitpath.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
|
||||
printf "$2 = 0x%X;\n" $((0x$val-$reloc_coreinit))
|
||||
}
|
||||
|
||||
getgx2_symboladdr()
|
||||
{
|
||||
val=`powerpc-eabi-readelf -a "$PWD/$gx2path.elf" | grep "$1" | head -n 1 | cut -d: -f2 | cut "-d " -f2`
|
||||
printf "$2 = 0x%X;\n" $((0x$val-$reloc_gx2))
|
||||
}
|
||||
|
||||
echo "<?php"
|
||||
./bin/ropgadget_patternfinder$extension $coreinitpath.elf --baseaddr=$coreinit_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script_ci #?1EFE3500?
|
||||
./bin/ropgadget_patternfinder$extension $gx2path.elf --baseaddr=$gx2_textaddr "--plainsuffix=;" --script=wiiuhaxx_locaterop_script_gx2 #?1EFE3500?
|
||||
echo ""
|
||||
getcoreinit_symboladdr "memcpy" "\$ROP_memcpy"
|
||||
getcoreinit_symboladdr "DCFlushRange" "\$ROP_DCFlushRange"
|
||||
getcoreinit_symboladdr "ICInvalidateRange" "\$ROP_ICInvalidateRange"
|
||||
getcoreinit_symboladdr "OSSwitchSecCodeGenMode" "\$ROP_OSSwitchSecCodeGenMode"
|
||||
getcoreinit_symboladdr "OSCodegenCopy" "\$ROP_OSCodegenCopy"
|
||||
getcoreinit_symboladdr "OSGetCodegenVirtAddrRange" "\$ROP_OSGetCodegenVirtAddrRange"
|
||||
getcoreinit_symboladdr "OSGetCoreId" "\$ROP_OSGetCoreId"
|
||||
getcoreinit_symboladdr "OSGetCurrentThread" "\$ROP_OSGetCurrentThread"
|
||||
getcoreinit_symboladdr "OSSetThreadAffinity" "\$ROP_OSSetThreadAffinity"
|
||||
getcoreinit_symboladdr "OSYieldThread" "\$ROP_OSYieldThread"
|
||||
getcoreinit_symboladdr "OSFatal" "\$ROP_OSFatal"
|
||||
getcoreinit_symboladdr "_Exit" "\$ROP_Exit"
|
||||
getcoreinit_symboladdr "OSScreenFlipBuffersEx" "\$ROP_OSScreenFlipBuffersEx"
|
||||
getcoreinit_symboladdr "OSScreenClearBufferEx" "\$ROP_OSScreenClearBufferEx"
|
||||
getcoreinit_symboladdr "OSDynLoad_Acquire" "\$ROP_OSDynLoad_Acquire"
|
||||
getcoreinit_symboladdr "OSDynLoad_FindExport" "\$ROP_OSDynLoad_FindExport"
|
||||
getcoreinit_symboladdr "__os_snprintf" "\$ROP_os_snprintf"
|
||||
getgx2_symboladdr "GX2Flush" "\$ROP_GX2Flush"
|
||||
getgx2_symboladdr "GX2DirectCallDisplayList" "\$ROP_GX2DirectCallDisplayList"
|
||||
echo "?>"
|
|
@ -1,11 +0,0 @@
|
|||
--patterntype=sha256 --patterndata=c87020ec5098d13edd3ee0d0d01313a0a5f0a7937f36c0f5f4e9503165ae33fb --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK12 = "
|
||||
--patterntype=sha256 --patterndata=decff3ca875efc1a9c3d0ac7618f3efa3d33ca59bd3fd602a747d3469bd5c000 --patternsha256size=0x10 --addval=0xFFFFFCFC "--plainout=$ROP_POPJUMPLR_STACK20 = "
|
||||
--patterntype=sha256 --patterndata=5306248821c072a9cf5c71c9469171e17cd2966f66fc7d612ce79cff8d5d124a --patternsha256size=0x34 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNC = "
|
||||
--patterntype=sha256 --patterndata=f4e76053a65c571f2b3b8c6c6dde973c95f889bccf0a22eb9649cbc7810c8e98 --patternsha256size=0x2c --addval=0xFFFFFCFC "--plainout=$ROP_CALLR28_POP_R28_TO_R31 = "
|
||||
--patterntype=sha256 --patterndata=4741b863adcf742f8928c485a39f3cc8629469d1ddccf9e68c9dd1c25341f091 --patternsha256size=0x20 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R28R29R30R31 = "
|
||||
--patterntype=sha256 --patterndata=972973be8074e92b0f10fc5fbbaaef6c28e2905f99007654cd735a5fd69933fc --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R27 = "
|
||||
--patterntype=sha256 --patterndata=6f5f11fdc441ddef8f2189cbc9006517c4917fcf6e975cb8cbeb2373bf8e8ca2 --patternsha256size=0x14 --addval=0xFFFFFCFC "--plainout=$ROP_POP_R24_TO_R31 = "
|
||||
--patterntype=sha256 --patterndata=e602f66cf8aadc4d5e7db074ad9b8fbfa4190f862a8215cf26f707a49ca95070 --patternsha256size=0x28 --addval=0xFFFFFCFC "--plainout=$ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = "
|
||||
--patterntype=sha256 --patterndata=5e1fb4810ff6fb86bb533f2050306de6e03e09450887df6cb22c6d8511c3e267 --patternsha256size=0x18 --addval=0xFFFFFCFC "--plainout=$ROP_SETR3TOR31_POP_R31 = "
|
||||
--patterntype=sha256 --patterndata=5CED182718E8204C299EA1F8E295841A0325EE493893B86053DE762CC0EEFB48 --patternsha256size=0x0C --addval=0xFFFFFCFC "--plainout=$ROP_Register = "
|
||||
--patterntype=sha256 --patterndata=C457C33CF42B00C2E00B96E2C6B097848643BC172E8BDC9F0E7D974E833860B6 --patternsha256size=0x0C --addval=0xFFFFFCFC "--plainout=$ROP_CopyToSaveArea = "
|
|
@ -1 +0,0 @@
|
|||
#--patterntype=sha256 --patterndata=0D47AE19D0344CB3545E4D5289ED1BBBCE55BF181C929C18C6C05939B73CAEC3 --patternsha256size=0x0C --addval=0xFFFFFCAC "--plainout=$GX2Flush = "
|