Add an option to disable access checks (svc, service and arm9 flag checks) (thanks to @Subv for the most part)
This commit is contained in:
parent
eccf9eab93
commit
4e21cf4f1c
7
Makefile
7
Makefile
@ -34,7 +34,7 @@ objects = $(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \
|
|||||||
$(patsubst $(dir_source)/%.c, $(dir_build)/%.o, \
|
$(patsubst $(dir_source)/%.c, $(dir_build)/%.o, \
|
||||||
$(call rwildcard, $(dir_source), *.s *.c)))
|
$(call rwildcard, $(dir_source), *.s *.c)))
|
||||||
|
|
||||||
bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h
|
bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/k11modulespatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h
|
||||||
|
|
||||||
.PHONY: all
|
.PHONY: all
|
||||||
all: launcher a9lh ninjhax
|
all: launcher a9lh ninjhax
|
||||||
@ -97,6 +97,11 @@ $(dir_build)/rebootpatch.h: $(dir_patches)/reboot.s
|
|||||||
@armips $<
|
@armips $<
|
||||||
@bin2c -o $@ -n reboot $(@D)/reboot.bin
|
@bin2c -o $@ -n reboot $(@D)/reboot.bin
|
||||||
|
|
||||||
|
$(dir_build)/k11modulespatch.h: $(dir_patches)/k11modules.s
|
||||||
|
@mkdir -p "$(@D)"
|
||||||
|
@armips $<
|
||||||
|
@bin2c -o $@ -n k11modules $(@D)/k11modules.bin
|
||||||
|
|
||||||
$(dir_build)/injector.h: $(dir_injector)/Makefile
|
$(dir_build)/injector.h: $(dir_injector)/Makefile
|
||||||
@mkdir -p "$(@D)"
|
@mkdir -p "$(@D)"
|
||||||
@$(MAKE) -C $(dir_injector)
|
@$(MAKE) -C $(dir_injector)
|
||||||
|
130
patches/k11modules.s
Normal file
130
patches/k11modules.s
Normal file
@ -0,0 +1,130 @@
|
|||||||
|
;
|
||||||
|
; This file is part of Luma3DS
|
||||||
|
; Copyright (C) 2016 Aurora Wright, TuxSH
|
||||||
|
;
|
||||||
|
; This program is free software: you can redistribute it and/or modify
|
||||||
|
; it under the terms of the GNU General Public License as published by
|
||||||
|
; the Free Software Foundation, either version 3 of the License, or
|
||||||
|
; (at your option) any later version.
|
||||||
|
;
|
||||||
|
; This program is distributed in the hope that it will be useful,
|
||||||
|
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
; GNU General Public License for more details.
|
||||||
|
;
|
||||||
|
; You should have received a copy of the GNU General Public License
|
||||||
|
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
;
|
||||||
|
; Additional Terms 7.b of GPLv3 applies to this file: Requiring preservation of specified
|
||||||
|
; reasonable legal notices or author attributions in that material or in the Appropriate Legal
|
||||||
|
; Notices displayed by works containing it.
|
||||||
|
;
|
||||||
|
|
||||||
|
; This is mainly Subv's code, big thanks to him.
|
||||||
|
|
||||||
|
.arm.little
|
||||||
|
|
||||||
|
.create "build/k11modules.bin", 0
|
||||||
|
.arm
|
||||||
|
; This code searches the sm module for a specific byte pattern and patches some of the instructions
|
||||||
|
; in the code to disable service access checks when calling srv:GetServiceHandle
|
||||||
|
|
||||||
|
; It also searches the fs module for archive access check code
|
||||||
|
|
||||||
|
; Save the registers we'll be using
|
||||||
|
; Register contents:
|
||||||
|
; r4: Pointer to a pointer to the exheader of the current NCCH
|
||||||
|
; r6: Constant 0
|
||||||
|
; SP + 0x80 - 0x7C: Pointer to the memory location where the NCCH text was loaded
|
||||||
|
|
||||||
|
; Save the value of sp
|
||||||
|
mov r0, sp
|
||||||
|
; Save the value of all registers
|
||||||
|
push {r0-r12}
|
||||||
|
|
||||||
|
; Clear all the caches, just to be safe
|
||||||
|
mcr p15, 0, r6, c7, c14, 0
|
||||||
|
mcr p15, 0, r6, c7, c5, 0
|
||||||
|
|
||||||
|
ldr r0, [r0, #(0x80 - 0x7C)] ; Load the .text address
|
||||||
|
ldr r2, [r7, #0x18] ; Load the size of the .text
|
||||||
|
mov r5, r0
|
||||||
|
add r11, r5, r2 ; Max bounds of the memory region
|
||||||
|
|
||||||
|
ldr r9, =0x00001002 ; Low title id of the sm module
|
||||||
|
ldr r7, [r4]
|
||||||
|
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
|
||||||
|
cmp r8, r9 ; Compare the low title id to the id of the sm module
|
||||||
|
bne fs_patch ; Skip if they're not the same
|
||||||
|
|
||||||
|
ldr r7, =0xE1A01006 ; mov r1, r6
|
||||||
|
ldr r8, =0xE1A00005 ; mov r0, r5
|
||||||
|
ldr r9, =0xE3500000 ; cmp r0, #0
|
||||||
|
ldr r10, =0xE2850004 ; add r0, r5, #4
|
||||||
|
|
||||||
|
loop:
|
||||||
|
cmp r11, r5
|
||||||
|
blo out ; Check if we didn't go past the bounds of the memory region
|
||||||
|
ldr r6, [r5]
|
||||||
|
cmp r6, r7
|
||||||
|
ldreq r6, [r5, #4]
|
||||||
|
cmpeq r6, r8
|
||||||
|
ldreq r6, [r5, #12]
|
||||||
|
cmpeq r6, r9
|
||||||
|
ldreq r6, [r5, #24]
|
||||||
|
cmpeq r6, r10
|
||||||
|
moveq r8, r5
|
||||||
|
addne r5, r5, #4
|
||||||
|
bne loop
|
||||||
|
|
||||||
|
; r8 now contains the start address of the pattern we found
|
||||||
|
|
||||||
|
; Write NOPs to the four instructions we want to patch
|
||||||
|
ldr r9, =0xE320F000 ; nop
|
||||||
|
str r9, [r8, #8] ; Patch the bl
|
||||||
|
str r9, [r8, #12] ; Patch the cmp
|
||||||
|
str r9, [r8, #16] ; Patch the ldreq
|
||||||
|
str r9, [r8, #20] ; Patch the beq
|
||||||
|
b out
|
||||||
|
|
||||||
|
fs_patch: ; patch adapted from BootNTR
|
||||||
|
ldr r9, =0x00001102 ; Low title id of the fs module
|
||||||
|
ldr r7, [r4]
|
||||||
|
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
|
||||||
|
cmp r8, r9 ; Compare the low title id to the id of the sm module
|
||||||
|
bne out ; Skip if they're not the same
|
||||||
|
|
||||||
|
ldr r7, =0x4618 ; mov r0, r3
|
||||||
|
ldr r8, =0x3481 ; add r4, #0x81
|
||||||
|
|
||||||
|
loop_fs:
|
||||||
|
cmp r11, r5
|
||||||
|
blo out
|
||||||
|
ldrh r6, [r5]
|
||||||
|
cmp r6, r7
|
||||||
|
ldreqh r6, [r5, #2]
|
||||||
|
cmpeq r6, r8
|
||||||
|
subeq r8, r5, #8
|
||||||
|
addne r5, #2
|
||||||
|
bne loop
|
||||||
|
|
||||||
|
; r8 now contains the start address of the pattern we found
|
||||||
|
|
||||||
|
ldr r9, =0x2001 ; mov r0, #1
|
||||||
|
ldr r10, =0x4770 ; bx lr
|
||||||
|
strh r9, [r8]
|
||||||
|
strh r10, [r8, #2]
|
||||||
|
|
||||||
|
out:
|
||||||
|
pop {r0-r12} ; Restore the registers we used
|
||||||
|
|
||||||
|
; Clear all the caches again, just to be safe
|
||||||
|
mcr p15, 0, r6, c7, c14, 0
|
||||||
|
mcr p15, 0, r6, c7, c5, 0
|
||||||
|
|
||||||
|
ldr r0, [r4] ; Execute the instruction we overwrote in our detour
|
||||||
|
|
||||||
|
bx lr ; Jump back to whoever called us
|
||||||
|
|
||||||
|
.pool
|
||||||
|
.close
|
@ -44,7 +44,8 @@ void configureCFW(const char *configPath)
|
|||||||
"( ) Show current NAND in System Settings",
|
"( ) Show current NAND in System Settings",
|
||||||
"( ) Show GBA boot screen in patched AGB_FIRM",
|
"( ) Show GBA boot screen in patched AGB_FIRM",
|
||||||
"( ) Enable splash screen with no screen-init",
|
"( ) Enable splash screen with no screen-init",
|
||||||
"( ) Use a PIN" };
|
"( ) Use a PIN",
|
||||||
|
"( ) Disable access checks" };
|
||||||
|
|
||||||
struct multiOption {
|
struct multiOption {
|
||||||
int posXs[4];
|
int posXs[4];
|
||||||
|
@ -362,6 +362,13 @@ static inline void patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32
|
|||||||
//Make FCRAM (and VRAM as a side effect) globally executable from arm11 kernel
|
//Make FCRAM (and VRAM as a side effect) globally executable from arm11 kernel
|
||||||
patchKernelFCRAMAndVRAMMappingPermissions(arm11Section1, section[1].size);
|
patchKernelFCRAMAndVRAMMappingPermissions(arm11Section1, section[1].size);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(CONFIG(8))
|
||||||
|
{
|
||||||
|
patchArm11SvcAccessChecks(arm11Section1, section[1].size);
|
||||||
|
patchK11ModuleChecks(arm11Section1, section[1].size);
|
||||||
|
patchP9AccessChecks(arm9Section, section[2].size);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline void patchLegacyFirm(FirmwareType firmType)
|
static inline void patchLegacyFirm(FirmwareType firmType)
|
||||||
|
@ -24,19 +24,21 @@
|
|||||||
#include "memory.h"
|
#include "memory.h"
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
#include "../build/rebootpatch.h"
|
#include "../build/rebootpatch.h"
|
||||||
|
#include "../build/k11modulespatch.h"
|
||||||
|
|
||||||
static u32 *arm11ExceptionsPage = NULL;
|
static u32 *arm11ExceptionsPage = NULL;
|
||||||
static u32 *arm11SvcTable = NULL;
|
static u32 *arm11SvcTable = NULL;
|
||||||
|
static u32 *arm11SvcHandler = NULL;
|
||||||
|
|
||||||
static void findArm11ExceptionsPageAndSvcTable(u8 *pos, u32 size)
|
static void findArm11ExceptionsPageAndSvcHandlerAndTable(u8 *pos, u32 size)
|
||||||
{
|
{
|
||||||
const u8 arm11ExceptionsPagePattern[] = {0x00, 0xB0, 0x9C, 0xE5};
|
const u8 arm11ExceptionsPagePattern[] = {0x00, 0xB0, 0x9C, 0xE5};
|
||||||
|
|
||||||
if(arm11ExceptionsPage == NULL) arm11ExceptionsPage = (u32 *)memsearch(pos, arm11ExceptionsPagePattern, size, 4) - 0xB;
|
if(arm11ExceptionsPage == NULL) arm11ExceptionsPage = (u32 *)memsearch(pos, arm11ExceptionsPagePattern, size, 4) - 0xB;
|
||||||
if(arm11SvcTable == NULL && arm11ExceptionsPage != NULL)
|
if((arm11SvcTable == NULL || arm11SvcHandler == NULL) && arm11ExceptionsPage != NULL)
|
||||||
{
|
{
|
||||||
u32 svcOffset = (-((arm11ExceptionsPage[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; //Branch offset + 8 for prefetch
|
u32 svcOffset = (-((arm11ExceptionsPage[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; //Branch offset + 8 for prefetch
|
||||||
arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
|
arm11SvcHandler = arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
|
||||||
while(*arm11SvcTable) arm11SvcTable++; //Look for SVC0 (NULL)
|
while(*arm11SvcTable) arm11SvcTable++; //Look for SVC0 (NULL)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -66,7 +68,7 @@ u32* getInfoForArm11ExceptionHandlers(u8 *pos, u32 size, u32 *stackAddr, u32 *co
|
|||||||
loadCodeSet--;
|
loadCodeSet--;
|
||||||
*codeSetOffset = *loadCodeSet & 0xFFF;
|
*codeSetOffset = *loadCodeSet & 0xFFF;
|
||||||
|
|
||||||
findArm11ExceptionsPageAndSvcTable(pos, size);
|
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||||
return arm11ExceptionsPage;
|
return arm11ExceptionsPage;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -182,10 +184,74 @@ void patchSvcBreak11(u8 *pos, u32 size)
|
|||||||
{
|
{
|
||||||
//Same as above, for NFIRM arm11
|
//Same as above, for NFIRM arm11
|
||||||
|
|
||||||
findArm11ExceptionsPageAndSvcTable(pos, size);
|
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||||
*(u32 *)(pos + arm11SvcTable[0x3C] - 0xFFF00000) = 0xE12FFF7F;
|
*(u32 *)(pos + arm11SvcTable[0x3C] - 0xFFF00000) = 0xE12FFF7F;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void patchArm11SvcAccessChecks(u8 *pos, u32 size)
|
||||||
|
{
|
||||||
|
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||||
|
|
||||||
|
u32 *off = arm11SvcHandler;
|
||||||
|
while(*off != 0xE11A0E1B) off++; //TST R10, R11,LSL LR
|
||||||
|
|
||||||
|
*off = 0xE3B0A001; //MOVS R10, #1
|
||||||
|
}
|
||||||
|
|
||||||
|
//It's mainly Subv's code here:
|
||||||
|
void patchK11ModuleChecks(u8 *pos, u32 size)
|
||||||
|
{
|
||||||
|
// We have to detour a function in the ARM11 kernel because builtin modules
|
||||||
|
// are compressed in memory and are only decompressed at runtime.
|
||||||
|
|
||||||
|
// Find some padding space to add our code
|
||||||
|
const u8 bogus_pattern[] = { 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF,
|
||||||
|
0x2F, 0xE1, 0x00, 0x10, 0xA0, 0xE3, 0x00, 0x10, 0xC0, 0xE5,
|
||||||
|
0x1E, 0xFF, 0x2F, 0xE1 };
|
||||||
|
|
||||||
|
u32 *someSpace = (u32 *)memsearch(pos, bogus_pattern, size, 24);
|
||||||
|
|
||||||
|
// We couldn't find the place where to begin our search of an empty block
|
||||||
|
if (someSpace == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
// Advance until we reach the padding area (filled with 0xFF)
|
||||||
|
u32 *freeSpace;
|
||||||
|
for(freeSpace = someSpace; *freeSpace != 0xFFFFFFFF; freeSpace++);
|
||||||
|
|
||||||
|
// Inject our code into the free space
|
||||||
|
memcpy(freeSpace, k11modules, k11modules_size);
|
||||||
|
|
||||||
|
// Find the code that decompresses the .code section of the builtin modules and detour it with a jump to our code
|
||||||
|
const u8 pattern[] = { 0x00, 0x00, 0x94, 0xE5, 0x18, 0x10, 0x90, 0xE5, 0x28, 0x20,
|
||||||
|
0x90, 0xE5, 0x48, 0x00, 0x9D, 0xE5 };
|
||||||
|
|
||||||
|
u8 *off = memsearch(pos, pattern, size, 16);
|
||||||
|
|
||||||
|
// We couldn't find the code that decompresses the module
|
||||||
|
if (off == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
// Inject a jump instruction to our code at the offset we found
|
||||||
|
// Construct a jump (BL) instruction to our code
|
||||||
|
u32 offset = ((((u32)freeSpace) - ((u32)off + 8)) >> 2) & 0xFFFFFF;
|
||||||
|
u32 instruction = offset | (1 << 24) | (0x5 << 25) | (0xE << 28);
|
||||||
|
|
||||||
|
// Write our jump
|
||||||
|
memcpy(off, &instruction, 4);
|
||||||
|
}
|
||||||
|
|
||||||
|
void patchP9AccessChecks(u8 *pos, u32 size)
|
||||||
|
{
|
||||||
|
const u8 pattern[] = {0xE0, 0x00, 0x40, 0x39, 0x08, 0x58};
|
||||||
|
|
||||||
|
u16 *off = (u16 *)memsearch(pos, pattern, size, 6) - 7;
|
||||||
|
|
||||||
|
off[0] = 0x2001; //mov r0, #1
|
||||||
|
off[1] = 0x4770; //bx lr
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void patchUnitInfoValueSet(u8 *pos, u32 size)
|
void patchUnitInfoValueSet(u8 *pos, u32 size)
|
||||||
{
|
{
|
||||||
//Look for UNITINFO value being set
|
//Look for UNITINFO value being set
|
||||||
@ -221,7 +287,7 @@ void reimplementSvcBackdoor(u8 *pos, u32 size)
|
|||||||
0x00, 0xD0, 0xA0, 0xE1, //mov sp, r0
|
0x00, 0xD0, 0xA0, 0xE1, //mov sp, r0
|
||||||
0x11, 0xFF, 0x2F, 0xE1}; //bx r1
|
0x11, 0xFF, 0x2F, 0xE1}; //bx r1
|
||||||
|
|
||||||
findArm11ExceptionsPageAndSvcTable(pos, size);
|
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||||
|
|
||||||
if(!arm11SvcTable[0x7B])
|
if(!arm11SvcTable[0x7B])
|
||||||
{
|
{
|
||||||
|
@ -45,6 +45,9 @@ void patchFirmWriteSafe(u8 *pos, u32 size);
|
|||||||
void patchExceptionHandlersInstall(u8 *pos, u32 size);
|
void patchExceptionHandlersInstall(u8 *pos, u32 size);
|
||||||
void patchSvcBreak9(u8 *pos, u32 size, u32 k9addr);
|
void patchSvcBreak9(u8 *pos, u32 size, u32 k9addr);
|
||||||
void patchSvcBreak11(u8 *pos, u32 size);
|
void patchSvcBreak11(u8 *pos, u32 size);
|
||||||
|
void patchArm11SvcAccessChecks(u8 *pos, u32 size);
|
||||||
|
void patchK11ModuleChecks(u8 *pos, u32 size);
|
||||||
|
void patchP9AccessChecks(u8 *pos, u32 size);
|
||||||
void patchUnitInfoValueSet(u8 *pos, u32 size);
|
void patchUnitInfoValueSet(u8 *pos, u32 size);
|
||||||
void patchKernelFCRAMAndVRAMMappingPermissions(u8 *pos, u32 size);
|
void patchKernelFCRAMAndVRAMMappingPermissions(u8 *pos, u32 size);
|
||||||
void reimplementSvcBackdoor(u8 *pos, u32 size);
|
void reimplementSvcBackdoor(u8 *pos, u32 size);
|
||||||
|
Reference in New Issue
Block a user