diff --git a/source/emunand.c b/source/emunand.c index f1eaa96..7aa8ad1 100644 --- a/source/emunand.c +++ b/source/emunand.c @@ -48,13 +48,13 @@ u32 getSDMMC(u8 *pos, u32 size) return *(u32 *)(off + 9) + *(u32 *)(off + 0xD); } -void getEmuRW(u8 *pos, u32 size, u32 *readOff, u32 *writeOff) +void getEmuRW(u8 *pos, u32 size, u32 *readOffset, u32 *writeOffset) { //Look for read/write code const u8 pattern[] = {0x1E, 0x00, 0xC8, 0x05}; - *readOff = (u32)memsearch(pos, pattern, size, 4) - 6; - *writeOff = (u32)memsearch((u8 *)(*readOff + 0xA), pattern, 0x100, 4) - 6; + *readOffset = (u32)memsearch(pos, pattern, size, 4) - 6; + *writeOffset = (u32)memsearch((u8 *)(*readOffset + 0xA), pattern, 0x100, 4) - 6; } u32 *getMPU(u8 *pos, u32 size) diff --git a/source/firm.c b/source/firm.c index efcebc4..3d52a86 100755 --- a/source/firm.c +++ b/source/firm.c @@ -369,31 +369,19 @@ static inline void reimplementSvcBackdoor(void) { u8 *arm11Section1 = (u8 *)firm + section[1].offset; - u32 *exceptionsPage = getExceptionVectorsPage(arm11Section1, section[1].size); + u32 exceptionsPage; - u32 offset = (-((exceptionsPage[2] & 0xFFFFFF) << 2) & 0xFFFFF) + 8; //Branch offset + 8 for prefetch - u32 *svcTable = (u32 *)(arm11Section1 + *(u32 *)(arm11Section1 + 0xFFFF0008 - offset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address - while(*svcTable != 0) svcTable++; //SVC0 = NULL + u32 *svcTable = getSvcAndExceptions(arm11Section1, section[1].size, &exceptionsPage); if(!svcTable[0x7B]) { u32 *freeSpace; - for(freeSpace = exceptionsPage; *freeSpace != 0xFFFFFFFF; freeSpace++); + for(freeSpace = (u32 *)exceptionsPage; *freeSpace != 0xFFFFFFFF; freeSpace++); - //Official implementation of svcBackdoor - freeSpace[0] = 0xE3CD10FF; //bic r1, sp, #0xff - freeSpace[1] = 0xE3811C0F; //orr r1, r1, #0xf00 - freeSpace[2] = 0xE2811028; //add r1, r1, #0x28 - freeSpace[3] = 0xE5912000; //ldr r2, [r1] - freeSpace[4] = 0xE9226000; //stmdb r2!, {sp, lr} - freeSpace[5] = 0xE1A0D002; //mov sp, r2 - freeSpace[6] = 0xE12FFF30; //blx r0 - freeSpace[7] = 0xE8BD0003; //pop {r0, r1} - freeSpace[8] = 0xE1A0D000; //mov sp, r0 - freeSpace[9] = 0xE12FFF11; //bx r1 + memcpy(freeSpace, svcBackdoor, 40); - svcTable[0x7B] = 0xFFFF0000 + ((u8 *)freeSpace - (u8 *)exceptionsPage); + svcTable[0x7B] = 0xFFFF0000 + (u32)((u8 *)freeSpace - exceptionsPage); } } @@ -487,11 +475,11 @@ static inline void patchLegacyFirm(u32 firmType) } } -static inline void launchFirm(u32 firstSectionToCopy, u32 bootType) +static inline void launchFirm(u32 sectionNum, u32 bootType) { //Copy FIRM sections to respective memory locations - for(u32 i = firstSectionToCopy; i < 4 && section[i].size; i++) - memcpy(section[i].address, (u8 *)firm + section[i].offset, section[i].size); + for(; sectionNum < 4 && section[sectionNum].size; sectionNum++) + memcpy(section[sectionNum].address, (u8 *)firm + section[sectionNum].offset, section[sectionNum].size); //Determine the ARM11 entry to use vu32 *arm11; diff --git a/source/firm.h b/source/firm.h index 8cba9c1..a4e567f 100644 --- a/source/firm.h +++ b/source/firm.h @@ -46,4 +46,4 @@ static inline void copySection0AndInjectLoader(void); static inline void patchSafeFirm(void); static void patchFirmWrites(u8 *offset, u32 size, u32 mode); static inline void patchLegacyFirm(u32 firmType); -static inline void launchFirm(u32 firstSectionToCopy, u32 bootType); \ No newline at end of file +static inline void launchFirm(u32 sectionNum, u32 bootType); \ No newline at end of file diff --git a/source/patches.c b/source/patches.c index 0892e83..01d8cee 100644 --- a/source/patches.c +++ b/source/patches.c @@ -16,6 +16,18 @@ const u16 nandRedir[2] = {0x4C00, 0x47A0}, writeBlock[2] = {0x2000, 0x46C0}, writeBlockSafe[2] = {0x2400, 0xE01D}; +//Official implementation of svcBackdoor +const u8 svcBackdoor[40] = {0xFF, 0x10, 0xCD, 0xE3, //bic r1, sp, #0xff + 0x0F, 0x1C, 0x81, 0xE3, //orr r1, r1, #0xf00 + 0x28, 0x10, 0x81, 0xE2, //add r1, r1, #0x28 + 0x00, 0x20, 0x91, 0xE5, //ldr r2, [r1] + 0x00, 0x60, 0x22, 0xE9, //stmdb r2!, {sp, lr} + 0x02, 0xD0, 0xA0, 0xE1, //mov sp, r2 + 0x30, 0xFF, 0x2F, 0xE1, //blx r0 + 0x03, 0x00, 0xBD, 0xE8, //pop {r0, r1} + 0x00, 0xD0, 0xA0, 0xE1, //mov sp, r0 + 0x11, 0xFF, 0x2F, 0xE1}; //bx r1 + /************************************************** * Functions **************************************************/ @@ -24,7 +36,7 @@ u8 *getProcess9(u8 *pos, u32 size, u32 *process9Size, u32 *process9MemAddr) { u8 *off = memsearch(pos, "ess9", size, 4); - *process9Size = *(u32 *)(off - 0x100) * 0x200; + *process9Size = *(u32 *)(off - 0x60) * 0x200; *process9MemAddr = *(u32 *)(off + 0xC); //Process9 code offset (start of NCCH + ExeFS offset + ExeFS header size) @@ -88,9 +100,15 @@ u32 getLoader(u8 *pos, u32 *loaderSize) return (u32)(off - pos); } -u32 *getExceptionVectorsPage(u8 *pos, u32 size) +u32 *getSvcAndExceptions(u8 *pos, u32 size, u32 *exceptionsPage) { const u8 pattern[] = {0x00, 0xB0, 0x9C, 0xE5}; - return (u32 *)(memsearch(pos, pattern, size, 4) - 0x2C); + *exceptionsPage = (u32)memsearch(pos, pattern, size, 4) - 0x2C; + + u32 svcOffset = (-((*(u32 *)(*exceptionsPage + 8) & 0xFFFFFF) << 2) & 0xFFFFF) - 8; //Branch offset + 8 for prefetch + u32 *svcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address + while(*svcTable) svcTable++; //Look for SVC0 (NULL) + + return svcTable; } \ No newline at end of file diff --git a/source/patches.h b/source/patches.h index d4fb6ad..0a6f710 100644 --- a/source/patches.h +++ b/source/patches.h @@ -14,6 +14,7 @@ const u16 nandRedir[2], sigPatch[2], writeBlock[2], writeBlockSafe[2]; +const u8 svcBackdoor[40]; /************************************************** * Functions @@ -24,4 +25,4 @@ void *getReboot(u8 *pos, u32 size, u32 process9MemAddr, u32 *fOpenOffset); u16 *getFirmWrite(u8 *pos, u32 size); u16 *getFirmWriteSafe(u8 *pos, u32 size); u32 getLoader(u8 *pos, u32 *loaderSize); -u32 *getExceptionVectorsPage(u8 *pos, u32 size); +u32 *getSvcAndExceptions(u8 *pos, u32 size, u32 *exceptionsPage); \ No newline at end of file diff --git a/source/utils.c b/source/utils.c index 1335344..5d565c6 100644 --- a/source/utils.c +++ b/source/utils.c @@ -6,8 +6,6 @@ #include "i2c.h" #include "buttons.h" -u32 chronoStarted = 0; - u32 waitInput(void) { u32 pressedKey = 0, @@ -42,7 +40,7 @@ void mcuReboot(void) } //TODO: add support for TIMER IRQ -void startChrono(u64 initialTicks) +static void startChrono(u64 initialTicks) { //Based on a NATIVE_FIRM disassembly @@ -57,7 +55,13 @@ void startChrono(u64 initialTicks) u64 chrono(void) { - if(!chronoStarted) startChrono(0); + static u32 chronoStarted = 0; + + if(!chronoStarted) + { + startChrono(0); + chronoStarted++; + } u64 res = 0; @@ -68,5 +72,5 @@ u64 chrono(void) void stopChrono(void) { - if(chronoStarted) for(u32 i = 1; i < 4; i++) *(vu16 *)(0x10003002 + 4 * i) &= ~0x80; + for(u32 i = 1; i < 4; i++) *(vu16 *)(0x10003002 + 4 * i) &= ~0x80; } \ No newline at end of file diff --git a/source/utils.h b/source/utils.h index e2ef8ff..b6c78ee 100644 --- a/source/utils.h +++ b/source/utils.h @@ -11,6 +11,5 @@ void mcuReboot(void); #define TICKS_PER_SEC 67027964ULL -void startChrono(u64 initialTicks); u64 chrono(void); void stopChrono(void); \ No newline at end of file