LowLevel/Luma3DS-3GX
Archived
1
0
Fork 0
Code Issues Pull Requests Releases 2 Wiki Activity

New reboot patch (works on N3DS, no more GBA/DS or 80 MB games toggle), fixed N3DS 3D bug (thanks TiniVi and Cakes), code cleanup, new universal MPU code (thanks Cakes)

Browse Source 
Thanks to a very skilled reverser for the reboot patch!
This commit is contained in:
Aurora
2016-02-25 20:19:20 +01:00
parent e53c186144
commit 23fd26630f
14 changed files with 332 additions and 350 deletions
Download Patch File Download Diff File Expand all files Collapse all files

355
reboot/rebootCode.s
View File

@@ -1,148 +1,221 @@
.arm.little
.nds
.create "reboot.bin", 0
firm_size equ 0x000EA000
firm_addr equ 0x24000000
fopen equ 0x08059D10
fread equ 0x0804CC54
pxi_wait_recv equ 0x08054134
byteswritten equ 0x2000E000
externalFirm equ 0x2000A000
kernelCode equ 0x080F0000
buffer equ 0x24000000
fileOpen equ 0x4E45504F ;dummy
.create "reboot1.bin", 0x080849DC
.org 0x080849DC
.arm
patch005:
ldr r0, =0x2000E000
mov r1, #0x200
mov r2, #0
add r1, r1, r0
@@memset_loop:
str r2, [r0]
add r0, r0, #4
cmp r0, r1
blt @@memset_loop
ldr r0, =0x2000E000
ldr r1, =firm_fname
mov r2, #1
blx fopen
ldr r0, =0x2000E000
ldr r1, =0x2000E100
mov r2, #firm_addr
mov r3, #firm_size
blx fread
//Code jumps here right after the sprintf call
process9Reboot:
doPxi:
ldr r4, =0x44846
ldr r0, =0x10008000
readPxiLoop1:
ldrh r1, [r0,#4]
.word 0xE1B01B81 //lsls r1, r1, #0x17
bmi readPxiLoop1
ldr r0, [r0,#0xC]
cmp r0, r4
bne doPxi
GetFirmPath:
add r0, sp, #0x3A8-0x70+0x24
ldr r1, [r0], #4
ldr r2, =0x00300030
cmp r1, r2
ldreq r1, [r0], #4
ldreq r2, =0x002F0032
cmpeq r1, r2
OpenFirm:
ldreq r1, =(FileName - OpenFirm - 12)
addeq r1, pc
addne r1, sp, #0x3A8-0x70
ldr r0, =externalFirm
moveq r2, #1
movne r2, #0
str r2, [r0]
mov r2, #1
add r0, r7, #8
ldr r6, =fileOpen
blx r6
SeekFirm:
ldr r0, =externalFirm
ldr r0, [r0]
cmp r0, #1
moveq r0, r7
ldreq r1, =byteswritten
ldreq r2, =buffer
ldreq r3, =0x0
ldreq r6, [sp,#0x3A8-0x198]
ldreq r6, [r6,#0x28] //fread function stored here
blxeq r6
ReadFirm:
mov r0, r7
ldr r1, =byteswritten
ldr r2, =buffer
ldr r3, =0x200000
ldr r6, [sp,#0x3A8-0x198]
ldr r6, [r6,#0x28] //fread function stored here
blx r6
ldr r4, =0x44846
blx pxi_wait_recv
cmp r0, r4
bne patch005
mov r2, #0
mov r3, r2
mov r1, r2
mov r0, r2
swi 0x7C
ldr r0, =0x80FF4FC
swi 0x7B
KernelSetState:
mov r2, #0
mov r3, r2
mov r1, r2
mov r0, r2
.word 0xEF00007C //SVC 0x7C
GoToReboot:
ldr r0, =(KernelCodeStart - GoToReboot - 12)
add r0, pc
ldr r1, =kernelCode
ldr r2, =0x300
bl Memcpy
ldr r0, =kernelCode
.word 0xEF00007B //SVC 0x7B
InfiniteLoop:
b InfiniteLoop
Memcpy:
MOV R12, LR
STMFD SP!, {R0-R4}
ADD R2, R2, R0
memcpyLoop:
LDR R3, [R0],#4
STR R3, [R1],#4
CMP R0, R2
BLT memcpyLoop
LDMFD SP!, {R0-R4}
MOV LR, R12
BX LR
FileName:
.dcw "sdmc:/rei/patched_firmware.bin"
.word 0x0
@@inf_loop:
b @@inf_loop
.pool
firm_fname:
.close
.create "reboot2.bin", 0x080933CC
.org 0x080933CC
.arm
stmfd sp!, {r4-r11,lr}
sub sp, sp, #0x3C
mrc p15, 0, r0, c2, c0, 0 ; dcacheable
mrc p15, 0, r12, c2, c0, 1 ; icacheable
mrc p15, 0, r1, c3, c0, 0 ; write bufferable
mrc p15, 0, r2, c5, c0, 2 ; daccess
mrc p15, 0, r3, c5, c0, 3 ; iaccess
ldr r4, =0x18000035 ; 0x18000000 128M
bic r2, r2, #0xF0000 ; unprotect region 4
bic r3, r3, #0xF0000 ; unprotect region 4
orr r0, r0, #0x10 ; dcacheable region 4
orr r2, r2, #0x30000 ; region 4 r/w
orr r3, r3, #0x30000 ; region 4 r/w
orr r12, r12, #0x10 ; icacheable region 4
orr r1, r1, #0x10 ; write bufferable region 4
mcr p15, 0, r0, c2, c0, 0
mcr p15, 0, r12, c2, c0, 1
mcr p15, 0, r1, c3, c0, 0 ; write bufferable
mcr p15, 0, r2, c5, c0, 2 ; daccess
mcr p15, 0, r3, c5, c0, 3 ; iaccess
mcr p15, 0, r4, c6, c4, 0 ; region 4 (hmmm)
mrc p15, 0, r0, c2, c0, 0 ; dcacheable
mrc p15, 0, r1, c2, c0, 1 ; icacheable
mrc p15, 0, r2, c3, c0, 0 ; write bufferable
orr r0, r0, #0x20 ; dcacheable region 5
orr r1, r1, #0x20 ; icacheable region 5
orr r2, r2, #0x20 ; write bufferable region 5
mcr p15, 0, r0, c2, c0, 0 ; dcacheable
mcr p15, 0, r1, c2, c0, 1 ; icacheable
mcr p15, 0, r2, c3, c0, 0 ; write bufferable
mov r4, #firm_addr
add r3, r4, #0x40
ldr r0, [r3] ; offset
add r0, r0, r4 ; src
ldr r1, [r3,#4] ; dst
ldr r2, [r3,#8] ; size
bl memcpy32
add r3, r4, #0x70
ldr r0, [r3]
add r0, r0, r4 ; src
ldr r1, [r3,#4] ; dst
ldr r2, [r3,#8] ; size
bl memcpy32
add r3, r4, #0xA0
ldr r0, [r3]
add r0, r0, r4 ; src
ldr r1, [r3,#4] ; dst
ldr r2, [r3,#8] ; size
bl memcpy32
mov r2, #0
mov r1, r2
@flush_cache:
mov r0, #0
mov r3, r2, lsl#30
@flush_cache_inner_loop:
orr r12, r3, r0, lsl#5
mcr p15, 0, r1, c7, c10, 4 ; drain write buffer
mcr p15, 0, r12, c7, c14, 2 ; clean and flush dcache entry (index and segment)
add r0, r0, #1
cmp r0, #0x20
bcc @flush_cache_inner_loop
add r2, r2, #1
cmp r2, #4
bcc @flush_cache
mcr p15, 0, r1, c7, c10, 4 ; drain write buffer
@mpu_enable:
ldr r0, =0x42078 ; alt vector select, enable itcm
mcr p15, 0, r0, c1, c0, 0
mcr p15, 0, r1, c7, c5, 0 ; flush dcache
mcr p15, 0, r1, c7, c6, 0 ; flush icache
mcr p15, 0, r1, c7, c10, 4 ; drain write buffer
mov r0, #firm_addr
mov r1, 0X1FFFFFFC
ldr r2, [r0,#8] ; arm11 entry
str r2, [r1]
ldr r0, [r0,#0xC] ; arm9 entry
add sp, sp, #0x3C
ldmfd sp!, {r4-r11,lr}
bx r0
.pool
memcpy32: ; memcpy32(void *src, void *dst, unsigned int size)
mov r12, lr
stmfd sp!, {r0-r4}
add r2, r2, r0
@memcpy_loop:
ldr r3, [r0], #4
str r3, [r1], #4
cmp r0, r2
blt @memcpy_loop
ldmfd sp!, {r0-r4}
mov lr, r12
bx lr
.pool
// Kernel Code
.align 4
KernelCodeStart:
memorySetting:
MRC p15, 0, R0,c2,c0, 0
MRC p15, 0, R12,c2,c0, 1
MRC p15, 0, R1,c3,c0, 0
MRC p15, 0, R2,c5,c0, 2
MRC p15, 0, R3,c5,c0, 3
LDR R4, =0x18000035
BIC R2, R2, #0xF0000
BIC R3, R3, #0xF0000
ORR R0, R0, #0x10
ORR R2, R2, #0x30000
ORR R3, R3, #0x30000
ORR R12, R12, #0x10
ORR R1, R1, #0x10
MCR p15, 0, R0,c2,c0, 0
MCR p15, 0, R12,c2,c0, 1
MCR p15, 0, R1,c3,c0, 0
MCR p15, 0, R2,c5,c0, 2
MCR p15, 0, R3,c5,c0, 3
MCR p15, 0, R4,c6,c4, 0
MRC p15, 0, R0,c2,c0, 0
MRC p15, 0, R1,c2,c0, 1
MRC p15, 0, R2,c3,c0, 0
ORR R0, R0, #0x20
ORR R1, R1, #0x20
ORR R2, R2, #0x20
MCR p15, 0, R0,c2,c0, 0
MCR p15, 0, R1,c2,c0, 1
MCR p15, 0, R2,c3,c0, 0
copyFirmPartitions:
LDR R4, =buffer
ADD R3, R4, #0x40
LDR R0, [R3]
ADD R0, R0, R4
LDR R1, [R3,#4]
LDR R2, [R3,#8]
bl KernelMemcpy
ADD R3, R4, #0x70
LDR R0, [R3]
ADD R0, R0, R4
LDR R1, [R3,#4]
LDR R2, [R3,#8]
bl KernelMemcpy
ADD R3, R4, #0xA0
LDR R0, [R3]
ADD R0, R0, R4
LDR R1, [R3,#4]
LDR R2, [R3,#8]
bl KernelMemcpy
ADD R3, R4, #0xD0
LDR R0, [R3]
CMP R0, #0
BEQ invalidateDataCache
ADD R0, R0, R4
LDR R1, [R3,#4]
LDR R2, [R3,#8]
bl KernelMemcpy
invalidateDataCache:
MOV R2, #0
MOV R1, R2
loc_809460C:
MOV R0, #0
MOV R3, R2,LSL#30
loc_8094614:
ORR R12, R3, R0,LSL#5
MCR p15, 0, R1,c7,c10, 4
MCR p15, 0, R12,c7,c14, 2
ADD R0, R0, #1
CMP R0, #0x20
BCC loc_8094614
ADD R2, R2, #1
CMP R2, #4
BCC loc_809460C
jumpToEntrypoint:
MCR p15, 0, R1,c7,c10, 4
LDR R0, =0x42078
MCR p15, 0, R0,c1,c0, 0
MCR p15, 0, R1,c7,c5, 0
MCR p15, 0, R1,c7,c6, 0
MCR p15, 0, R1,c7,c10, 4
LDR R4, =buffer
MOV R1, #0x1FFFFFFC
LDR R2, [R4,#8]
STR R2, [R1]
LDR R0, [R4,#0xC]
BX R0
.pool
KernelMemcpy:
MOV R12, LR
STMFD SP!, {R0-R4}
ADD R2, R2, R0
kmemcpyLoop:
LDR R3, [R0],#4
STR R3, [R1],#4
CMP R0, R2
BLT kmemcpyLoop
LDMFD SP!, {R0-R4}
MOV LR, R12
BX LR
.pool
KernelCodeEnd:
.close

48
reboot/rebootCodeNtr.s
View File

@@ -1,48 +0,0 @@
.arm.little
firm_size equ 0x000EB000
firm_addr equ 0x24000000
fopen equ 0x0805B180
fread equ 0x0804D9B0
pxi_wait_recv equ 0x08055178
.create "reboot1.bin", 0x080859C8
.org 0x080859C8
.arm
patch005:
ldr r0, =0x2000E000
mov r1, #0x200
mov r2, #0
add r1, r1, r0
@@memset_loop:
str r2, [r0]
add r0, r0, #4
cmp r0, r1
blt @@memset_loop
ldr r0, =0x2000E000
ldr r1, =firm_fname
mov r2, #1
blx fopen
ldr r0, =0x2000E000
ldr r1, =0x2000E100
mov r2, #firm_addr
mov r3, #firm_size
blx fread
ldr r4, =0x44846
blx pxi_wait_recv
cmp r0, r4
bne patch005
mov r2, #0
mov r3, r2
mov r1, r2
mov r0, r2
swi 0x7C
ldr r0, =0x80FF4FC
swi 0x7B
@@inf_loop:
b @@inf_loop
.pool
firm_fname:
.close