Add DLP patches to allow .cia reading from sd card
Maschell committed Jul 14, 2024
1 parent 1a9acbd commit 0fc7bf1
Showing 13 changed files with 450 additions and 5 deletions.
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -8,3 +8,5 @@ cmake-build-debug/
.idea/
CMakeLists.txt
cmake-build-debug-mocha-builder/
source/ios_net/ios_net.bin
source/ios_net/ios_net.bin.h
11 changes: 8 additions & 3 deletions Makefile
Expand Up @@ -96,16 +96,20 @@ $(BUILD): $(CURDIR)/source/ios_kernel/ios_kernel.bin.h
@[ -d $@ ] || mkdir -p $@
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_fs -f $(CURDIR)/source/ios_fs/Makefile
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_mcp -f $(CURDIR)/source/ios_mcp/Makefile
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_usb -f $(CURDIR)/source/ios_usb/Makefile
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_net -f $(CURDIR)/source/ios_mcp/Makefile
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_usb -f $(CURDIR)/source/ios_usb/Makefile
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_kernel -f $(CURDIR)/source/ios_kernel/Makefile
@$(MAKE) -j1 --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile

$(CURDIR)/source/ios_kernel/ios_kernel.bin.h: $(CURDIR)/source/ios_usb/ios_usb.bin.h $(CURDIR)/source/ios_mcp/ios_mcp.bin.h $(CURDIR)/source/ios_fs/ios_fs.bin.h
$(CURDIR)/source/ios_kernel/ios_kernel.bin.h: $(CURDIR)/source/ios_usb/ios_usb.bin.h $(CURDIR)/source/ios_net/ios_net.bin.h $(CURDIR)/source/ios_mcp/ios_mcp.bin.h $(CURDIR)/source/ios_fs/ios_fs.bin.h
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_kernel -f $(CURDIR)/source/ios_kernel/Makefile

$(CURDIR)/source/ios_usb/ios_usb.bin.h:
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_usb -f $(CURDIR)/source/ios_usb/Makefile


$(CURDIR)/source/ios_net/ios_net.bin.h:
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_net -f $(CURDIR)/source/ios_net/Makefile

$(CURDIR)/source/ios_mcp/ios_mcp.bin.h:
@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_mcp -f $(CURDIR)/source/ios_mcp/Makefile

Expand All @@ -117,6 +121,7 @@ clean:
@rm -fr $(BUILD) $(TARGET).rpx $(TARGET).elf
@$(MAKE) --no-print-directory -C $(CURDIR)/source/ios_kernel -f $(CURDIR)/source/ios_kernel/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/source/ios_usb -f $(CURDIR)/source/ios_usb/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/source/ios_net -f $(CURDIR)/source/ios_net/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/source/ios_mcp -f $(CURDIR)/source/ios_mcp/Makefile clean
@$(MAKE) --no-print-directory -C $(CURDIR)/source/ios_fs -f $(CURDIR)/source/ios_fs/Makefile clean

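Review bot: The ios_net sub-build inside the `$(BUILD)` recipe points `-f` at the wrong makefile — `-C $(CURDIR)/source/ios_net -f $(CURDIR)/source/ios_mcp/Makefile` — while the new `ios_net.bin.h` rule further down and the `clean` target both use `source/ios_net/Makefile`. If ios_mcp's makefile is the same template as source/ios_net/Makefile (which derives TARGET from `$(notdir $(CURDIR))`) it may happen to build the right thing today, but any ios_mcp-specific flag or rule would then be applied to ios_net silently; change the line to `@$(MAKE) -j1 --no-print-directory -C $(CURDIR)/source/ios_net -f $(CURDIR)/source/ios_net/Makefile`. The `$(BUILD)` rule begins before the hunk.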
7 changes: 6 additions & 1 deletion source/ios_exploit.c
Expand Up @@ -36,6 +36,7 @@ typedef struct __attribute__((packed)) {
#include "ios_fs/ios_fs.bin.h"
#include "ios_kernel/ios_kernel.bin.h"
#include "ios_mcp/ios_mcp.bin.h"
#include "ios_net/ios_net.bin.h"
#include "ios_usb/ios_usb.bin.h"

/* ROP CHAIN STARTS HERE (0x1015BD78) */
Expand Down Expand Up @@ -316,11 +317,15 @@ static void uhs_exploit_init(int dev_uhs_0_handle) {
static_assert(sizeof(final_chain) < 0xF4148000 - 0xF4140000, "ios_kernel is too big");
memcpy((char *) (0xF4140000), ios_kernel, sizeof(ios_kernel));

static_assert(sizeof(ios_usb) < 0xF4160000 - 0xF4148000, "IOS_USB is too big");
static_assert(sizeof(ios_usb) < 0xF4149000 - 0xF4148000, "IOS_USB is too big");
payload_info_t *payloads = (payload_info_t *) 0xF4148000;
payloads->size = sizeof(ios_usb);
memcpy(payloads->data, ios_usb, payloads->size);

static_assert(sizeof(ios_net) < 0xF4160000 - 0xF4149000, "IOS_NET is too big");
payloads = (payload_info_t *) 0xF4149000;
payloads->size = sizeof(ios_net);
memcpy(payloads->data, ios_net, payloads->size);

static_assert(sizeof(ios_mcp) < 0xF4170000 - 0xF4160000, "IOS_MCP is too big");
payloads = (payload_info_t *) 0xF4160000;
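Review bot: The tightened bound `static_assert(sizeof(ios_usb) < 0xF4149000 - 0xF4148000, ...)` does not account for the `payload_info_t` header that precedes `payloads->data` (the `size` field written on the following lines), so an ios_usb image just under 4 KiB would still have its last bytes copied across 0xF4149000, where the ios_net header is placed a few lines later; the same off-by-header applies to the new IOS_NET assert and the pre-existing IOS_MCP one. `static_assert(offsetof(payload_info_t, data) + sizeof(ios_usb) <= 0xF4149000 - 0xF4148000, "IOS_USB is too big");` (with `<stddef.h>`) makes the check cover the whole footprint. Shrinking the ios_usb window from 96 KiB to 4 KiB is presumably fine for the current image, but a comment stating the staging layout would help, since main.c in ios_kernel mirrors it at 0x00148000/0x00149000/0x00160000 without any check of its own. uhs_exploit_init continues outside the hunk on both sides.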
50 changes: 49 additions & 1 deletion source/ios_kernel/source/instant_patches.c
Expand Up @@ -23,9 +23,9 @@
***************************************************************************/
#include "../../ios_fs/ios_fs_syms.h"
#include "../../ios_mcp/ios_mcp_syms.h"
#include "../../ios_net/ios_net_syms.h"
#include "elf_patcher.h"
#include "ios_fs_patches.h"
#include "ios_mcp_patches.h"
#include "kernel_patches.h"
#include "types.h"
#include "utils.h"
Expand All @@ -47,6 +47,7 @@ typedef struct {
#define mcp_text_phys(addr) ((u32) (addr) -0x05000000 + 0x081C0000)
#define mcp_rodata_phys(addr) ((u32) (addr) -0x05060000 + 0x08220000)
#define mcp_data_phys(addr) ((u32) (addr) -0x05074000 + 0x08234000)
#define net_phys(addr) ((u32) (addr))
#define fsa_phys(addr) ((u32) (addr))
#define kernel_phys(addr) ((u32) (addr))
#define acp_text_phys(addr) ((u32) (addr) -0xE0000000 + 0x12900000)
Expand Down Expand Up @@ -165,6 +166,53 @@ void instant_patches_setup(void) {
*(volatile u32 *) mcp_data_phys(0x050B817C) = *(volatile u32 *) 0x0017FFF0;
*(volatile u32 *) mcp_data_phys(0x050B8180) = *(volatile u32 *) 0x0017FFF4;

// Patch DLP region check by replacing result code with success
*(volatile u32 *) net_phys(0x1239DA7C) = 0;

// Patch DLP to ignore error for missing title archive
*(volatile u32 *) net_phys(0x1239E108) = 0xEA000000; // mov r0, r0
*(volatile u32 *) net_phys(0x1239E10C) = 0xEA000000; // mov r0, r0
*(volatile u32 *) net_phys(0x1239E110) = 0xEA000000; // mov r0, r0

// Patch DLP path from /vol/content/dlp/app to sd:/dlp/app
*(volatile u32 *) net_phys(0x12455368) = 0x2F766F6C; // /vol
*(volatile u32 *) net_phys(0x12455368 + 4) = 0x2F646C70; // /dlp
*(volatile u32 *) net_phys(0x12455368 + 8) = 0x5F5F7364; // __sd
*(volatile u32 *) net_phys(0x12455368 + 12) = 0x2F646C70; // /dlp
*(volatile u32 *) net_phys(0x12455368 + 16) = 0x2F617070; // /app
*(volatile u32 *) net_phys(0x12455368 + 20) = 0x00000000; //

// Patch DLP path from /vol/content/dlp/app to sd:/dlp/app
*(volatile u32 *) net_phys(0x12455490) = 0x2F766F6C; // /vol
*(volatile u32 *) net_phys(0x12455490 + 4) = 0x2F646C70; // /dlp
*(volatile u32 *) net_phys(0x12455490 + 8) = 0x5F5F7364; // __sd
*(volatile u32 *) net_phys(0x12455490 + 12) = 0x2F646C70; // /dlp
*(volatile u32 *) net_phys(0x12455490 + 16) = 0x2F617070; // /app
*(volatile u32 *) net_phys(0x12455490 + 20) = 0x00000000; //

// DLP: (un)mount sd card for .cia reading.
*(volatile u32 *) net_phys(0x1237f33c) = ARM_BL(0x1237f33c, DLP_FSAInit_patch);
*(volatile u32 *) net_phys(0x123a4448) = ARM_BL(0x123a4448, DLP_FSAInit_patch);
*(volatile u32 *) net_phys(0x1239de98) = ARM_BL(0x1239de98, DLP_FSAInit_patch);

*(volatile u32 *) net_phys(0x1237f310) = ARM_BL(0x1237f310, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x1239dfa0) = ARM_BL(0x1239dfa0, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x1239dfc0) = ARM_BL(0x1239dfc0, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x1239dfd8) = ARM_BL(0x1239dfd8, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x1239dfec) = ARM_BL(0x1239dfec, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x1239e020) = ARM_BL(0x1239e020, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x1239e094) = ARM_BL(0x1239e094, DLP_FSADeinit_patch);
*(volatile u32 *) net_phys(0x123a457c) = ARM_BL(0x123a457c, DLP_FSADeinit_patch);

// DLP debug:
/*
*(volatile u32 *) net_phys(0x123a449c) = ARM_BL(0x123a449c, DLP_FSA_OpenFile);
*(volatile u32 *) net_phys(0x1239ce08) = ARM_BL(0x1239ce08, DLP_FSA_OpenFile);
*(volatile u32 *) net_phys(0x1239cf68) = ARM_BL(0x1239cf68, DLP_FSA_OpenFile);
*(volatile u32 *) net_phys(0x1239defc) = ARM_BL(0x1239defc, DLP_FSA_OpenFile);
*(volatile u32 *) net_phys(0x1239debc) = ARM_BL(0x1239debc, DLP_GetChildTitleId);
*/

// Place the environment path at the end of our .text section.
for (int i = 0; i < ENVIRONMENT_PATH_LENGTH; i += 4) {
*(volatile u32 *) mcp_custom_text_phys(MCP_CUSTOM_TEXT_START + MCP_CUSTOM_TEXT_LENGTH - ENVIRONMENT_PATH_LENGTH + i) = *(volatile u32 *) (0x0017FEF0 + i);
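Review bot: The three words written as 0xEA000000 at 0x1239E108/0x1239E10C/0x1239E110 are commented `mov r0, r0`, but 0xEA000000 is the ARM encoding of `b` with a zero offset, i.e. a branch to PC+8, the word two ahead of the branch itself (`mov r0, r0` encodes as 0xE1A00000). Chained, the stores make 0x1239E108 jump to 0x1239E110 and that one to 0x1239E118, so the original instruction at 0x1239E114 is never executed; if a NOP sled is intended the value should be 0xE1A00000, and if skipping is intended the comment should say so, e.g. `// b .+8 (skips the following word)`. The same words and comment appear in net_run_patches in source/ios_kernel/source/ios_net_patches.c. instant_patches_setup starts and ends outside this hunk.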
61 changes: 61 additions & 0 deletions source/ios_kernel/source/ios_net_patches.c
@@ -0,0 +1,61 @@
#include "ios_net_patches.h"
#include "../../ios_net/ios_net_syms.h"
#include "elf_patcher.h"
#include "types.h"

#define NET_CODE_BASE_PHYS_ADDR (0)

u32 net_get_phys_code_base(void) {
return _text_start + NET_CODE_BASE_PHYS_ADDR;
}

void net_run_patches(u32 ios_elf_start) {
section_write(ios_elf_start, _text_start, (void *) net_get_phys_code_base(), _text_end - _text_start);

// Patch DLP region check by replacing result code with success
section_write_word(ios_elf_start, 0x1239DA7C, 0);

// Patch DLP to ignore error for missing title archive
section_write_word(ios_elf_start, 0x1239E108, 0xEA000000); // mov r0, r0
section_write_word(ios_elf_start, 0x1239E10C, 0xEA000000); // mov r0, r0
section_write_word(ios_elf_start, 0x1239E110, 0xEA000000); // mov r0, r0

// Patch DLP path from /vol/content/dlp/app to sd:/dlp/app
section_write_word(ios_elf_start, 0x12455368, 0x2F766F6C); // /vol
section_write_word(ios_elf_start, 0x12455368 + 4, 0x2F646C70); // /dlp
section_write_word(ios_elf_start, 0x12455368 + 8, 0x5F5F7364); // __sd
section_write_word(ios_elf_start, 0x12455368 + 12, 0x2F646C70); // /dlp
section_write_word(ios_elf_start, 0x12455368 + 16, 0x2F617070); // /app
section_write_word(ios_elf_start, 0x12455368 + 20, 0x00000000); //

// Patch DLP path from /vol/content/dlp/app to sd:/dlp/app
section_write_word(ios_elf_start, 0x12455490, 0x2F766F6C); // /vol
section_write_word(ios_elf_start, 0x12455490 + 4, 0x2F646C70); // /dlp
section_write_word(ios_elf_start, 0x12455490 + 8, 0x5F5F7364); // __sd
section_write_word(ios_elf_start, 0x12455490 + 12, 0x2F646C70); // /dlp
section_write_word(ios_elf_start, 0x12455490 + 16, 0x2F617070); // /app
section_write_word(ios_elf_start, 0x12455490 + 20, 0x00000000); //

// DLP: (un)mount sd card for .cia reading.
section_write_word(ios_elf_start, 0x1237f33c, ARM_BL(0x1237f33c, DLP_FSAInit_patch));
section_write_word(ios_elf_start, 0x123a4448, ARM_BL(0x123a4448, DLP_FSAInit_patch));
section_write_word(ios_elf_start, 0x1239de98, ARM_BL(0x1239de98, DLP_FSAInit_patch));

section_write_word(ios_elf_start, 0x1237f310, ARM_BL(0x1237f310, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x1239dfa0, ARM_BL(0x1239dfa0, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x1239dfc0, ARM_BL(0x1239dfc0, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x1239dfd8, ARM_BL(0x1239dfd8, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x1239dfec, ARM_BL(0x1239dfec, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x1239e020, ARM_BL(0x1239e020, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x1239e094, ARM_BL(0x1239e094, DLP_FSADeinit_patch));
section_write_word(ios_elf_start, 0x123a457c, ARM_BL(0x123a457c, DLP_FSADeinit_patch));

// DLP debug:
/*
section_write_word(ios_elf_start, 0x123a449c, ARM_BL(0x123a449c, DLP_FSA_OpenFile));
section_write_word(ios_elf_start, 0x1239ce08, ARM_BL(0x1239ce08, DLP_FSA_OpenFile));
section_write_word(ios_elf_start, 0x1239cf68, ARM_BL(0x1239cf68, DLP_FSA_OpenFile));
section_write_word(ios_elf_start, 0x1239defc, ARM_BL(0x1239defc, DLP_FSA_OpenFile));
section_write_word(ios_elf_start, 0x1239debc, ARM_BL(0x1239debc, DLP_GetChildTitleId));
*/
}
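Review bot: The DLP patch list in net_run_patches is a line-for-line copy of the writes added to instant_patches_setup in source/ios_kernel/source/instant_patches.c, with only the write primitive differing (section_write_word here, a volatile store through net_phys there), so every future address change has to be made twice and the two lists can silently drift. A single table of address/value pairs, exported from ios_net_patches.h and iterated by both callers, keeps one source of truth; the ARM_BL hook writes can join the table if ARM_BL is a macro over the constants from ios_net_syms.h, otherwise they stay as they are. The commented-out "DLP debug" block should be guarded by an `#ifdef` or dropped rather than left as dead code.
```c
/* One row per patched word (constructed names); the same table should drive instant_patches.c */
typedef struct {
    u32 addr;
    u32 value;
} net_word_patch_t;

static const net_word_patch_t dlp_word_patches[] = {
    {0x1239DA7C, 0x00000000}, // DLP region check: result code -> success
    // … remaining address/value pairs from the list above, unchanged …
};

void net_run_patches(u32 ios_elf_start) {
    section_write(ios_elf_start, _text_start, (void *) net_get_phys_code_base(), _text_end - _text_start);

    for (u32 i = 0; i < sizeof(dlp_word_patches) / sizeof(dlp_word_patches[0]); i++) {
        section_write_word(ios_elf_start, dlp_word_patches[i].addr, dlp_word_patches[i].value);
    }

    // … unchanged: ARM_BL writes for DLP_FSAInit_patch / DLP_FSADeinit_patch …
}
```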
10 changes: 10 additions & 0 deletions source/ios_kernel/source/ios_net_patches.h
@@ -0,0 +1,10 @@
#ifndef _NET_PATCHES_H_
#define _NET_PATCHES_H_

#include "types.h"

u32 net_get_phys_code_base(void);

void net_run_patches(u32 ios_elf_start);

#endif
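Review bot: The include guard `_NET_PATCHES_H_` begins with an underscore followed by an uppercase letter, a form C reserves for the implementation; `IOS_NET_PATCHES_H` is unreserved and matches the file name (the generated `_syms.h` headers already use the `$(TARGETNAME)_SYMS_H` form). The two prototypes would benefit from a one-line comment each, e.g. `// Physical address the ios_net payload is copied to before patching` above net_get_phys_code_base and `// Apply the DLP patches to the IOS_NET image of the ELF at ios_elf_start` above net_run_patches.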
4 changes: 4 additions & 0 deletions source/ios_kernel/source/main.c
Expand Up @@ -23,6 +23,7 @@
***************************************************************************/
#include "instant_patches.h"
#include "ios_mcp_patches.h"
#include "ios_net_patches.h"
#include "types.h"
#include "utils.h"

Expand Down Expand Up @@ -90,6 +91,9 @@ int _main() {
payload_info_t *payloads = (payload_info_t *) 0x00148000;
kernel_memcpy((void *) USB_PHYS_CODE_BASE, payloads->data, payloads->size);

payloads = (payload_info_t *) 0x00149000;
kernel_memcpy((void *) net_get_phys_code_base(), payloads->data, payloads->size);

payloads = (payload_info_t *) 0x00160000;
kernel_memcpy((void *) mcp_get_phys_code_base(), payloads->data, payloads->size);

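Review bot: The new copy trusts `payloads->size` at 0x00149000 without a bound, and the preceding USB copy now has only 4 KiB of staging space before the ios_net header begins; that invariant is enforced solely by the `static_assert`s in source/ios_exploit.c and nothing in this file records it. A comment above the first `payloads` line such as `// Staging layout, must match ios_exploit.c: USB @ 0x00148000 (4 KiB), NET @ 0x00149000, MCP @ 0x00160000` would document the coupling for whoever next changes either file. _main begins and ends outside the hunk.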
146 changes: 146 additions & 0 deletions source/ios_net/Makefile
@@ -0,0 +1,146 @@
#-------------------------------------------------------------------------------
.SUFFIXES:
#-------------------------------------------------------------------------------

ifeq ($(strip $(DEVKITPRO)),)
$(error "Please set DEVKITPRO in your environment. export DEVKITPRO=<path to>/devkitpro")
endif

TOPDIR ?= $(CURDIR)

#---------------------------------------------------------------------------------
# iosu_rules
#---------------------------------------------------------------------------------
ifeq ($(strip $(DEVKITARM)),)
$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>/devkitARM")
endif

include $(DEVKITARM)/base_rules
export OBJDUMP := $(PREFIX)objdump

MACHDEP = -DSTARBUCK -mbig-endian -mcpu=arm926ej-s -msoft-float -mfloat-abi=soft

%.elf:
@echo linking ... $(notdir $@)
$(SILENTCMD)$(LD) $(LDFLAGS) $(OFILES) $(LIBPATHS) $(LIBS) -o $@
#---------------------------------------------------------------------------------

#---------------------------------------------------------------------------------
# TARGET is the name of the output
# SOURCES is a list of directories containing source code
# DATA is a list of directories containing data files
# INCLUDES is a list of directories containing header files
#---------------------------------------------------------------------------------
TARGET := $(notdir $(CURDIR))
BUILD := build
SOURCES := source
DATA := data
INCLUDES := source

#---------------------------------------------------------------------------------
# options for code generation
#---------------------------------------------------------------------------------
CFLAGS := -Wall -std=gnu11 -Os $(MACHDEP) $(INCLUDE) -Wno-array-bounds -fno-builtin

ASFLAGS := $(MACHDEP)

LDFLAGS := -nostartfiles -nodefaultlibs -mbig-endian \
-Wl,-L $(TOPDIR) -Wl,-Map,$(notdir $*.map),-T $(TOPDIR)/link.ld

LIBS := -lgcc

#-------------------------------------------------------------------------------
# list of directories containing libraries, this must be the top level
# containing include and lib
#-------------------------------------------------------------------------------
LIBDIRS :=

#---------------------------------------------------------------------------------
# no real need to edit anything past this point unless you need to add additional
# rules for different file extensions
#---------------------------------------------------------------------------------
ifneq ($(BUILD),$(notdir $(CURDIR)))
#---------------------------------------------------------------------------------

export TARGETNAME := $(TARGET)

export OUTPUT := $(CURDIR)/$(TARGET)
export TOPDIR := $(CURDIR)

export VPATH := $(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \
$(foreach dir,$(DATA),$(CURDIR)/$(dir))

export DEPSDIR := $(CURDIR)/$(BUILD)

CFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
SFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
BINFILES := $(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))

export LD := $(CC)

export OFILES_BIN := $(addsuffix .o,$(BINFILES))
export OFILES_SRC := $(SFILES:.s=.o) $(CFILES:.c=.o)
export OFILES := $(OFILES_BIN) $(OFILES_SRC)
export HFILES_BIN := $(addsuffix .h,$(subst .,_,$(BINFILES)))

export INCLUDE := $(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
-I$(CURDIR)/$(BUILD)

export LIBPATHS := $(foreach dir,$(LIBDIRS),-L$(dir)/lib)

.PHONY: $(BUILD) clean all
#---------------------------------------------------------------------------------
all: $(BUILD)

$(BUILD):
@[ -d $@ ] || mkdir -p $@
@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile

#---------------------------------------------------------------------------------
clean:
@echo clean ...
@rm -fr $(BUILD) $(TARGET).elf $(TARGET).bin $(TARGET).bin.h $(TARGET)_syms.h

#---------------------------------------------------------------------------------
else

DEPENDS := $(OFILES:.o=.d)

#---------------------------------------------------------------------------------
# main targets
#---------------------------------------------------------------------------------
all : $(OUTPUT).bin.h $(OUTPUT)_syms.h

$(OUTPUT).elf : $(OFILES)

$(OUTPUT).bin: $(OUTPUT).elf
@echo "built ... $(notdir $@)"
@$(OBJCOPY) -j .text -j .rodata -j .data -O binary $(OUTPUT).elf $@

$(OUTPUT).bin.h: $(OUTPUT).bin
@raw2c $<
@cp $(TARGETNAME).c $@

$(OUTPUT)_syms.h: $(OUTPUT).elf
@echo "#ifndef $(TARGETNAME)_SYMS_H" > $@
@echo "#define $(TARGETNAME)_SYMS_H" >> $@
@$(OBJDUMP) -EB -t -marm $(OUTPUT).elf | grep 'g F .text' | grep -v '.hidden' | awk '{print "#define " $$6 " 0x" $$1}' >> $@
@$(OBJDUMP) -EB -t -marm $(OUTPUT).elf | grep -e 'g .text' -e '_bss_' | awk '{print "#define " $$5 " 0x" $$1}' >> $@
@echo "#endif" >> $@

$(OFILES_SRC) : $(HFILES_BIN)

#-------------------------------------------------------------------------------
# you need a rule like this for each extension you use as binary data
#-------------------------------------------------------------------------------
%.bin.o %_bin.h : %.bin
#-------------------------------------------------------------------------------
@echo $(notdir $<)
@$(bin2o)

-include $(DEPENDS)

#---------------------------------------------------------------------------------------
endif
#---------------------------------------------------------------------------------------
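Review bot: `$*` on the LDFLAGS line (`-Wl,-Map,$(notdir $*.map)`) is expanded at parse time by the `:=` assignment, where no pattern stem exists, so the linker map is always written as `.map` rather than `ios_net.map`; `-Wl,-Map,$(TARGET).map` (TARGET is defined above it) names the file, and `clean` should then remove it too. The `$(OUTPUT)_syms.h` recipe builds its target with `>` followed by several `>>` appends, so an objdump or awk failure part-way leaves a truncated header with a fresh mtime that later runs treat as up to date; a `.DELETE_ON_ERROR:` line next to `.SUFFIXES:` at the top fixes that. This file appears to be a verbatim copy of the sibling ios_* module makefiles, so both quirks presumably exist there as well and a shared include would avoid fixing them per module.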
