From 3b7b66b27282884900322407854940643d7b98af Mon Sep 17 00:00:00 2001 From: Aurora Date: Sat, 15 Oct 2016 15:04:48 +0200 Subject: [PATCH] Fix fs patch to work on old FIRMs --- patches/k11modules.s | 76 +++++++++++++++++++++++--------------------- 1 file changed, 40 insertions(+), 36 deletions(-) diff --git a/patches/k11modules.s b/patches/k11modules.s index 8233eb0..70c2e35 100644 --- a/patches/k11modules.s +++ b/patches/k11modules.s @@ -35,66 +35,70 @@ ; Register contents: ; r4: Pointer to a pointer to the exheader of the current NCCH ; r6: Constant 0 - ; SP + 0x80 - 0x7C: Pointer to the memory location where the NCCH text was loaded + ; SP + 4: Pointer to the memory location where the NCCH text was loaded + + ; Execute the instruction we overwrote in our detour + ldr r0, [r4] ; Save the value of the register we use - push {r1-r4} + push {r0-r4} - ldr r0, [sp, #20] ; Load the .text address - ldr r1, [r4] - ldr r2, [r1, #0x200] ; Load the low title id of the current NCCH - ldr r1, [r1, #0x18] ; Load the size of the .text - add r1, r0, r1 ; Max bounds of the memory region + ldr r1, [sp, #24] ; Load the .text address + ldr r2, [r0, #0x200] ; Load the low title id of the current NCCH + ldr r0, [r0, #0x18] ; Load the size of the .text + add r0, r1, r0 ; Max bounds of the memory region - ldr r3, =0x1002 ; Low title id of the sm module - cmp r2, r3 ; Compare the low title id to the id of the sm module - bne fs_patch ; Skip if they're not the same + ldr r3, =0x1002 ; Low title id of the sm module + cmp r2, r3 ; Compare the low title id to the id of the sm module + bne fs_patch ; Skip if they're not the same - ldr r2, =0xE1A01006 ; mov r1, r6 + ldr r2, =0xE1A01006 ; mov r1, r6 loop: - cmp r1, r0 - blo out ; Check if we didn't go past the bounds of the memory region - ldr r3, [r0] + cmp r0, r1 + blo die ; Check if we didn't go past the bounds of the memory region + ldr r3, [r1] cmp r3, r2 - ldreqh r3, [r0, #4] + ldreqh r3, [r1, #4] cmpeq r3, #5 - addne r0, #4 + addne r1, #4 bne loop - ; r0 now contains the start address of the pattern we found - ldr r1, =0xE3A00001 ; mov r0, #1 - str r1, [r0, #8] ; Patch the bl + ; r1 now contains the start address of the pattern we found + ldr r0, =0xE3A00001 ; mov r0, #1 + str r0, [r1, #8] ; Patch the bl b out fs_patch: ; patch adapted from BootNTR ldr r3, =0x1102 ; Low title id of the fs module - cmp r2, r3 ; Compare the low title id to the id of the sm module - bne out ; Skip if they're not the same - ldr r2, =0x4618 ; mov r0, r3 - ldr r3, =0x3481 ; add r4, #0x81 + cmp r2, r3 ; Compare the low title id to the id of the sm module + bne out ; Skip if they're not the same + ldr r2, =0x7401 ; strb r1, [r0, #16] + ldr r3, =0x2000 ; movs r0, #0 loop_fs: - cmp r1, r0 - blo out - ldrh r4, [r0] + cmp r0, r1 + blo die + ldrh r4, [r1] cmp r4, r2 - ldreqh r4, [r0, #2] + ldreqh r4, [r1, #2] cmpeq r4, r3 - subeq r0, #8 - addne r0, #2 + addeq r1, #8 + addne r1, #2 bne loop_fs - ; r0 now contains the start address of the pattern we found - ldr r1, =0x2001 ; mov r0, #1 + ; r1 now contains the start address of the pattern we found + ldr r0, =0x2001 ; mov r0, #1 ldr r2, =0x4770 ; bx lr - strh r1, [r0] - strh r2, [r0, #2] + strh r0, [r1] + strh r2, [r1, #2] out: - pop {r1-r4} ; Restore the registers we used - ldr r0, [r4] ; Execute the instruction we overwrote in our detour - bx lr ; Jump back to whoever called us + pop {r0-r4} ; Restore the registers we used + bx lr ; Jump back to whoever called us + + die: + b die .pool .close \ No newline at end of file