Add an option to disable access checks (svc, service and arm9 flag checks) (thanks to @Subv for the most part)

This commit is contained in:
TuxSH 2016-08-04 20:10:31 +02:00
parent eccf9eab93
commit 4e21cf4f1c
6 changed files with 220 additions and 8 deletions

View File

@ -34,7 +34,7 @@ objects = $(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \
$(patsubst $(dir_source)/%.c, $(dir_build)/%.o, \
$(call rwildcard, $(dir_source), *.s *.c)))
bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h
bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/k11modulespatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h
.PHONY: all
all: launcher a9lh ninjhax
@ -97,6 +97,11 @@ $(dir_build)/rebootpatch.h: $(dir_patches)/reboot.s
@armips $<
@bin2c -o $@ -n reboot $(@D)/reboot.bin
$(dir_build)/k11modulespatch.h: $(dir_patches)/k11modules.s
@mkdir -p "$(@D)"
@armips $<
@bin2c -o $@ -n k11modules $(@D)/k11modules.bin
$(dir_build)/injector.h: $(dir_injector)/Makefile
@mkdir -p "$(@D)"
@$(MAKE) -C $(dir_injector)

130
patches/k11modules.s Normal file
View File

@ -0,0 +1,130 @@
;
; This file is part of Luma3DS
; Copyright (C) 2016 Aurora Wright, TuxSH
;
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
;
; Additional Terms 7.b of GPLv3 applies to this file: Requiring preservation of specified
; reasonable legal notices or author attributions in that material or in the Appropriate Legal
; Notices displayed by works containing it.
;
; This is mainly Subv's code, big thanks to him.
.arm.little
.create "build/k11modules.bin", 0
.arm
; This code searches the sm module for a specific byte pattern and patches some of the instructions
; in the code to disable service access checks when calling srv:GetServiceHandle
; It also searches the fs module for archive access check code
; Save the registers we'll be using
; Register contents:
; r4: Pointer to a pointer to the exheader of the current NCCH
; r6: Constant 0
; SP + 0x80 - 0x7C: Pointer to the memory location where the NCCH text was loaded
; Save the value of sp
mov r0, sp
; Save the value of all registers
push {r0-r12}
; Clear all the caches, just to be safe
mcr p15, 0, r6, c7, c14, 0
mcr p15, 0, r6, c7, c5, 0
ldr r0, [r0, #(0x80 - 0x7C)] ; Load the .text address
ldr r2, [r7, #0x18] ; Load the size of the .text
mov r5, r0
add r11, r5, r2 ; Max bounds of the memory region
ldr r9, =0x00001002 ; Low title id of the sm module
ldr r7, [r4]
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
cmp r8, r9 ; Compare the low title id to the id of the sm module
bne fs_patch ; Skip if they're not the same
ldr r7, =0xE1A01006 ; mov r1, r6
ldr r8, =0xE1A00005 ; mov r0, r5
ldr r9, =0xE3500000 ; cmp r0, #0
ldr r10, =0xE2850004 ; add r0, r5, #4
loop:
cmp r11, r5
blo out ; Check if we didn't go past the bounds of the memory region
ldr r6, [r5]
cmp r6, r7
ldreq r6, [r5, #4]
cmpeq r6, r8
ldreq r6, [r5, #12]
cmpeq r6, r9
ldreq r6, [r5, #24]
cmpeq r6, r10
moveq r8, r5
addne r5, r5, #4
bne loop
; r8 now contains the start address of the pattern we found
; Write NOPs to the four instructions we want to patch
ldr r9, =0xE320F000 ; nop
str r9, [r8, #8] ; Patch the bl
str r9, [r8, #12] ; Patch the cmp
str r9, [r8, #16] ; Patch the ldreq
str r9, [r8, #20] ; Patch the beq
b out
fs_patch: ; patch adapted from BootNTR
ldr r9, =0x00001102 ; Low title id of the fs module
ldr r7, [r4]
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
cmp r8, r9 ; Compare the low title id to the id of the sm module
bne out ; Skip if they're not the same
ldr r7, =0x4618 ; mov r0, r3
ldr r8, =0x3481 ; add r4, #0x81
loop_fs:
cmp r11, r5
blo out
ldrh r6, [r5]
cmp r6, r7
ldreqh r6, [r5, #2]
cmpeq r6, r8
subeq r8, r5, #8
addne r5, #2
bne loop
; r8 now contains the start address of the pattern we found
ldr r9, =0x2001 ; mov r0, #1
ldr r10, =0x4770 ; bx lr
strh r9, [r8]
strh r10, [r8, #2]
out:
pop {r0-r12} ; Restore the registers we used
; Clear all the caches again, just to be safe
mcr p15, 0, r6, c7, c14, 0
mcr p15, 0, r6, c7, c5, 0
ldr r0, [r4] ; Execute the instruction we overwrote in our detour
bx lr ; Jump back to whoever called us
.pool
.close

View File

@ -44,7 +44,8 @@ void configureCFW(const char *configPath)
"( ) Show current NAND in System Settings",
"( ) Show GBA boot screen in patched AGB_FIRM",
"( ) Enable splash screen with no screen-init",
"( ) Use a PIN" };
"( ) Use a PIN",
"( ) Disable access checks" };
struct multiOption {
int posXs[4];

View File

@ -362,6 +362,13 @@ static inline void patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32
//Make FCRAM (and VRAM as a side effect) globally executable from arm11 kernel
patchKernelFCRAMAndVRAMMappingPermissions(arm11Section1, section[1].size);
}
if(CONFIG(8))
{
patchArm11SvcAccessChecks(arm11Section1, section[1].size);
patchK11ModuleChecks(arm11Section1, section[1].size);
patchP9AccessChecks(arm9Section, section[2].size);
}
}
static inline void patchLegacyFirm(FirmwareType firmType)

View File

@ -24,19 +24,21 @@
#include "memory.h"
#include "config.h"
#include "../build/rebootpatch.h"
#include "../build/k11modulespatch.h"
static u32 *arm11ExceptionsPage = NULL;
static u32 *arm11SvcTable = NULL;
static u32 *arm11SvcHandler = NULL;
static void findArm11ExceptionsPageAndSvcTable(u8 *pos, u32 size)
static void findArm11ExceptionsPageAndSvcHandlerAndTable(u8 *pos, u32 size)
{
const u8 arm11ExceptionsPagePattern[] = {0x00, 0xB0, 0x9C, 0xE5};
if(arm11ExceptionsPage == NULL) arm11ExceptionsPage = (u32 *)memsearch(pos, arm11ExceptionsPagePattern, size, 4) - 0xB;
if(arm11SvcTable == NULL && arm11ExceptionsPage != NULL)
if((arm11SvcTable == NULL || arm11SvcHandler == NULL) && arm11ExceptionsPage != NULL)
{
u32 svcOffset = (-((arm11ExceptionsPage[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; //Branch offset + 8 for prefetch
arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
arm11SvcHandler = arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
while(*arm11SvcTable) arm11SvcTable++; //Look for SVC0 (NULL)
}
}
@ -66,7 +68,7 @@ u32* getInfoForArm11ExceptionHandlers(u8 *pos, u32 size, u32 *stackAddr, u32 *co
loadCodeSet--;
*codeSetOffset = *loadCodeSet & 0xFFF;
findArm11ExceptionsPageAndSvcTable(pos, size);
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
return arm11ExceptionsPage;
}
@ -182,10 +184,74 @@ void patchSvcBreak11(u8 *pos, u32 size)
{
//Same as above, for NFIRM arm11
findArm11ExceptionsPageAndSvcTable(pos, size);
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
*(u32 *)(pos + arm11SvcTable[0x3C] - 0xFFF00000) = 0xE12FFF7F;
}
void patchArm11SvcAccessChecks(u8 *pos, u32 size)
{
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
u32 *off = arm11SvcHandler;
while(*off != 0xE11A0E1B) off++; //TST R10, R11,LSL LR
*off = 0xE3B0A001; //MOVS R10, #1
}
//It's mainly Subv's code here:
void patchK11ModuleChecks(u8 *pos, u32 size)
{
// We have to detour a function in the ARM11 kernel because builtin modules
// are compressed in memory and are only decompressed at runtime.
// Find some padding space to add our code
const u8 bogus_pattern[] = { 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF,
0x2F, 0xE1, 0x00, 0x10, 0xA0, 0xE3, 0x00, 0x10, 0xC0, 0xE5,
0x1E, 0xFF, 0x2F, 0xE1 };
u32 *someSpace = (u32 *)memsearch(pos, bogus_pattern, size, 24);
// We couldn't find the place where to begin our search of an empty block
if (someSpace == NULL)
return;
// Advance until we reach the padding area (filled with 0xFF)
u32 *freeSpace;
for(freeSpace = someSpace; *freeSpace != 0xFFFFFFFF; freeSpace++);
// Inject our code into the free space
memcpy(freeSpace, k11modules, k11modules_size);
// Find the code that decompresses the .code section of the builtin modules and detour it with a jump to our code
const u8 pattern[] = { 0x00, 0x00, 0x94, 0xE5, 0x18, 0x10, 0x90, 0xE5, 0x28, 0x20,
0x90, 0xE5, 0x48, 0x00, 0x9D, 0xE5 };
u8 *off = memsearch(pos, pattern, size, 16);
// We couldn't find the code that decompresses the module
if (off == NULL)
return;
// Inject a jump instruction to our code at the offset we found
// Construct a jump (BL) instruction to our code
u32 offset = ((((u32)freeSpace) - ((u32)off + 8)) >> 2) & 0xFFFFFF;
u32 instruction = offset | (1 << 24) | (0x5 << 25) | (0xE << 28);
// Write our jump
memcpy(off, &instruction, 4);
}
void patchP9AccessChecks(u8 *pos, u32 size)
{
const u8 pattern[] = {0xE0, 0x00, 0x40, 0x39, 0x08, 0x58};
u16 *off = (u16 *)memsearch(pos, pattern, size, 6) - 7;
off[0] = 0x2001; //mov r0, #1
off[1] = 0x4770; //bx lr
}
void patchUnitInfoValueSet(u8 *pos, u32 size)
{
//Look for UNITINFO value being set
@ -221,7 +287,7 @@ void reimplementSvcBackdoor(u8 *pos, u32 size)
0x00, 0xD0, 0xA0, 0xE1, //mov sp, r0
0x11, 0xFF, 0x2F, 0xE1}; //bx r1
findArm11ExceptionsPageAndSvcTable(pos, size);
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
if(!arm11SvcTable[0x7B])
{

View File

@ -45,6 +45,9 @@ void patchFirmWriteSafe(u8 *pos, u32 size);
void patchExceptionHandlersInstall(u8 *pos, u32 size);
void patchSvcBreak9(u8 *pos, u32 size, u32 k9addr);
void patchSvcBreak11(u8 *pos, u32 size);
void patchArm11SvcAccessChecks(u8 *pos, u32 size);
void patchK11ModuleChecks(u8 *pos, u32 size);
void patchP9AccessChecks(u8 *pos, u32 size);
void patchUnitInfoValueSet(u8 *pos, u32 size);
void patchKernelFCRAMAndVRAMMappingPermissions(u8 *pos, u32 size);
void reimplementSvcBackdoor(u8 *pos, u32 size);