diff --git a/Makefile b/Makefile index d0ae78a..5d24f6a 100644 --- a/Makefile +++ b/Makefile @@ -34,7 +34,7 @@ objects = $(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \ $(patsubst $(dir_source)/%.c, $(dir_build)/%.o, \ $(call rwildcard, $(dir_source), *.s *.c))) -bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h +bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/k11modulespatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h .PHONY: all all: launcher a9lh ninjhax @@ -97,6 +97,11 @@ $(dir_build)/rebootpatch.h: $(dir_patches)/reboot.s @armips $< @bin2c -o $@ -n reboot $(@D)/reboot.bin +$(dir_build)/k11modulespatch.h: $(dir_patches)/k11modules.s + @mkdir -p "$(@D)" + @armips $< + @bin2c -o $@ -n k11modules $(@D)/k11modules.bin + $(dir_build)/injector.h: $(dir_injector)/Makefile @mkdir -p "$(@D)" @$(MAKE) -C $(dir_injector) diff --git a/patches/k11modules.s b/patches/k11modules.s new file mode 100644 index 0000000..5784443 --- /dev/null +++ b/patches/k11modules.s @@ -0,0 +1,130 @@ +; +; This file is part of Luma3DS +; Copyright (C) 2016 Aurora Wright, TuxSH +; +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . +; +; Additional Terms 7.b of GPLv3 applies to this file: Requiring preservation of specified +; reasonable legal notices or author attributions in that material or in the Appropriate Legal +; Notices displayed by works containing it. +; + +; This is mainly Subv's code, big thanks to him. + +.arm.little + +.create "build/k11modules.bin", 0 +.arm + ; This code searches the sm module for a specific byte pattern and patches some of the instructions + ; in the code to disable service access checks when calling srv:GetServiceHandle + + ; It also searches the fs module for archive access check code + + ; Save the registers we'll be using + ; Register contents: + ; r4: Pointer to a pointer to the exheader of the current NCCH + ; r6: Constant 0 + ; SP + 0x80 - 0x7C: Pointer to the memory location where the NCCH text was loaded + + ; Save the value of sp + mov r0, sp + ; Save the value of all registers + push {r0-r12} + + ; Clear all the caches, just to be safe + mcr p15, 0, r6, c7, c14, 0 + mcr p15, 0, r6, c7, c5, 0 + + ldr r0, [r0, #(0x80 - 0x7C)] ; Load the .text address + ldr r2, [r7, #0x18] ; Load the size of the .text + mov r5, r0 + add r11, r5, r2 ; Max bounds of the memory region + + ldr r9, =0x00001002 ; Low title id of the sm module + ldr r7, [r4] + ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH + cmp r8, r9 ; Compare the low title id to the id of the sm module + bne fs_patch ; Skip if they're not the same + + ldr r7, =0xE1A01006 ; mov r1, r6 + ldr r8, =0xE1A00005 ; mov r0, r5 + ldr r9, =0xE3500000 ; cmp r0, #0 + ldr r10, =0xE2850004 ; add r0, r5, #4 + + loop: + cmp r11, r5 + blo out ; Check if we didn't go past the bounds of the memory region + ldr r6, [r5] + cmp r6, r7 + ldreq r6, [r5, #4] + cmpeq r6, r8 + ldreq r6, [r5, #12] + cmpeq r6, r9 + ldreq r6, [r5, #24] + cmpeq r6, r10 + moveq r8, r5 + addne r5, r5, #4 + bne loop + + ; r8 now contains the start address of the pattern we found + + ; Write NOPs to the four instructions we want to patch + ldr r9, =0xE320F000 ; nop + str r9, [r8, #8] ; Patch the bl + str r9, [r8, #12] ; Patch the cmp + str r9, [r8, #16] ; Patch the ldreq + str r9, [r8, #20] ; Patch the beq + b out + + fs_patch: ; patch adapted from BootNTR + ldr r9, =0x00001102 ; Low title id of the fs module + ldr r7, [r4] + ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH + cmp r8, r9 ; Compare the low title id to the id of the sm module + bne out ; Skip if they're not the same + + ldr r7, =0x4618 ; mov r0, r3 + ldr r8, =0x3481 ; add r4, #0x81 + + loop_fs: + cmp r11, r5 + blo out + ldrh r6, [r5] + cmp r6, r7 + ldreqh r6, [r5, #2] + cmpeq r6, r8 + subeq r8, r5, #8 + addne r5, #2 + bne loop + + ; r8 now contains the start address of the pattern we found + + ldr r9, =0x2001 ; mov r0, #1 + ldr r10, =0x4770 ; bx lr + strh r9, [r8] + strh r10, [r8, #2] + + out: + pop {r0-r12} ; Restore the registers we used + + ; Clear all the caches again, just to be safe + mcr p15, 0, r6, c7, c14, 0 + mcr p15, 0, r6, c7, c5, 0 + + ldr r0, [r4] ; Execute the instruction we overwrote in our detour + + bx lr ; Jump back to whoever called us + +.pool +.close \ No newline at end of file diff --git a/source/config.c b/source/config.c index 941ebaf..60b9063 100644 --- a/source/config.c +++ b/source/config.c @@ -44,7 +44,8 @@ void configureCFW(const char *configPath) "( ) Show current NAND in System Settings", "( ) Show GBA boot screen in patched AGB_FIRM", "( ) Enable splash screen with no screen-init", - "( ) Use a PIN" }; + "( ) Use a PIN", + "( ) Disable access checks" }; struct multiOption { int posXs[4]; diff --git a/source/firm.c b/source/firm.c index dc6034f..43af305 100755 --- a/source/firm.c +++ b/source/firm.c @@ -362,6 +362,13 @@ static inline void patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32 //Make FCRAM (and VRAM as a side effect) globally executable from arm11 kernel patchKernelFCRAMAndVRAMMappingPermissions(arm11Section1, section[1].size); } + + if(CONFIG(8)) + { + patchArm11SvcAccessChecks(arm11Section1, section[1].size); + patchK11ModuleChecks(arm11Section1, section[1].size); + patchP9AccessChecks(arm9Section, section[2].size); + } } static inline void patchLegacyFirm(FirmwareType firmType) diff --git a/source/patches.c b/source/patches.c index c5bddfc..253e4d7 100644 --- a/source/patches.c +++ b/source/patches.c @@ -24,19 +24,21 @@ #include "memory.h" #include "config.h" #include "../build/rebootpatch.h" +#include "../build/k11modulespatch.h" static u32 *arm11ExceptionsPage = NULL; static u32 *arm11SvcTable = NULL; +static u32 *arm11SvcHandler = NULL; -static void findArm11ExceptionsPageAndSvcTable(u8 *pos, u32 size) +static void findArm11ExceptionsPageAndSvcHandlerAndTable(u8 *pos, u32 size) { const u8 arm11ExceptionsPagePattern[] = {0x00, 0xB0, 0x9C, 0xE5}; if(arm11ExceptionsPage == NULL) arm11ExceptionsPage = (u32 *)memsearch(pos, arm11ExceptionsPagePattern, size, 4) - 0xB; - if(arm11SvcTable == NULL && arm11ExceptionsPage != NULL) + if((arm11SvcTable == NULL || arm11SvcHandler == NULL) && arm11ExceptionsPage != NULL) { u32 svcOffset = (-((arm11ExceptionsPage[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; //Branch offset + 8 for prefetch - arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address + arm11SvcHandler = arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address while(*arm11SvcTable) arm11SvcTable++; //Look for SVC0 (NULL) } } @@ -66,7 +68,7 @@ u32* getInfoForArm11ExceptionHandlers(u8 *pos, u32 size, u32 *stackAddr, u32 *co loadCodeSet--; *codeSetOffset = *loadCodeSet & 0xFFF; - findArm11ExceptionsPageAndSvcTable(pos, size); + findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size); return arm11ExceptionsPage; } @@ -182,10 +184,74 @@ void patchSvcBreak11(u8 *pos, u32 size) { //Same as above, for NFIRM arm11 - findArm11ExceptionsPageAndSvcTable(pos, size); + findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size); *(u32 *)(pos + arm11SvcTable[0x3C] - 0xFFF00000) = 0xE12FFF7F; } +void patchArm11SvcAccessChecks(u8 *pos, u32 size) +{ + findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size); + + u32 *off = arm11SvcHandler; + while(*off != 0xE11A0E1B) off++; //TST R10, R11,LSL LR + + *off = 0xE3B0A001; //MOVS R10, #1 +} + +//It's mainly Subv's code here: +void patchK11ModuleChecks(u8 *pos, u32 size) +{ + // We have to detour a function in the ARM11 kernel because builtin modules + // are compressed in memory and are only decompressed at runtime. + + // Find some padding space to add our code + const u8 bogus_pattern[] = { 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF, + 0x2F, 0xE1, 0x00, 0x10, 0xA0, 0xE3, 0x00, 0x10, 0xC0, 0xE5, + 0x1E, 0xFF, 0x2F, 0xE1 }; + + u32 *someSpace = (u32 *)memsearch(pos, bogus_pattern, size, 24); + + // We couldn't find the place where to begin our search of an empty block + if (someSpace == NULL) + return; + + // Advance until we reach the padding area (filled with 0xFF) + u32 *freeSpace; + for(freeSpace = someSpace; *freeSpace != 0xFFFFFFFF; freeSpace++); + + // Inject our code into the free space + memcpy(freeSpace, k11modules, k11modules_size); + + // Find the code that decompresses the .code section of the builtin modules and detour it with a jump to our code + const u8 pattern[] = { 0x00, 0x00, 0x94, 0xE5, 0x18, 0x10, 0x90, 0xE5, 0x28, 0x20, + 0x90, 0xE5, 0x48, 0x00, 0x9D, 0xE5 }; + + u8 *off = memsearch(pos, pattern, size, 16); + + // We couldn't find the code that decompresses the module + if (off == NULL) + return; + + // Inject a jump instruction to our code at the offset we found + // Construct a jump (BL) instruction to our code + u32 offset = ((((u32)freeSpace) - ((u32)off + 8)) >> 2) & 0xFFFFFF; + u32 instruction = offset | (1 << 24) | (0x5 << 25) | (0xE << 28); + + // Write our jump + memcpy(off, &instruction, 4); +} + +void patchP9AccessChecks(u8 *pos, u32 size) +{ + const u8 pattern[] = {0xE0, 0x00, 0x40, 0x39, 0x08, 0x58}; + + u16 *off = (u16 *)memsearch(pos, pattern, size, 6) - 7; + + off[0] = 0x2001; //mov r0, #1 + off[1] = 0x4770; //bx lr +} + + void patchUnitInfoValueSet(u8 *pos, u32 size) { //Look for UNITINFO value being set @@ -221,7 +287,7 @@ void reimplementSvcBackdoor(u8 *pos, u32 size) 0x00, 0xD0, 0xA0, 0xE1, //mov sp, r0 0x11, 0xFF, 0x2F, 0xE1}; //bx r1 - findArm11ExceptionsPageAndSvcTable(pos, size); + findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size); if(!arm11SvcTable[0x7B]) { diff --git a/source/patches.h b/source/patches.h index 5aa5d91..1e3dd6e 100644 --- a/source/patches.h +++ b/source/patches.h @@ -45,6 +45,9 @@ void patchFirmWriteSafe(u8 *pos, u32 size); void patchExceptionHandlersInstall(u8 *pos, u32 size); void patchSvcBreak9(u8 *pos, u32 size, u32 k9addr); void patchSvcBreak11(u8 *pos, u32 size); +void patchArm11SvcAccessChecks(u8 *pos, u32 size); +void patchK11ModuleChecks(u8 *pos, u32 size); +void patchP9AccessChecks(u8 *pos, u32 size); void patchUnitInfoValueSet(u8 *pos, u32 size); void patchKernelFCRAMAndVRAMMappingPermissions(u8 *pos, u32 size); void reimplementSvcBackdoor(u8 *pos, u32 size);