Add an option to disable access checks (svc, service and arm9 flag checks) (thanks to @Subv for the most part)
This commit is contained in:
parent
eccf9eab93
commit
4e21cf4f1c
7
Makefile
7
Makefile
@ -34,7 +34,7 @@ objects = $(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \
|
||||
$(patsubst $(dir_source)/%.c, $(dir_build)/%.o, \
|
||||
$(call rwildcard, $(dir_source), *.s *.c)))
|
||||
|
||||
bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h
|
||||
bundled = $(dir_build)/rebootpatch.h $(dir_build)/emunandpatch.h $(dir_build)/k11modulespatch.h $(dir_build)/arm9_exceptions.h $(dir_build)/arm11_exceptions.h $(dir_build)/injector.h $(dir_build)/loader.h
|
||||
|
||||
.PHONY: all
|
||||
all: launcher a9lh ninjhax
|
||||
@ -97,6 +97,11 @@ $(dir_build)/rebootpatch.h: $(dir_patches)/reboot.s
|
||||
@armips $<
|
||||
@bin2c -o $@ -n reboot $(@D)/reboot.bin
|
||||
|
||||
$(dir_build)/k11modulespatch.h: $(dir_patches)/k11modules.s
|
||||
@mkdir -p "$(@D)"
|
||||
@armips $<
|
||||
@bin2c -o $@ -n k11modules $(@D)/k11modules.bin
|
||||
|
||||
$(dir_build)/injector.h: $(dir_injector)/Makefile
|
||||
@mkdir -p "$(@D)"
|
||||
@$(MAKE) -C $(dir_injector)
|
||||
|
130
patches/k11modules.s
Normal file
130
patches/k11modules.s
Normal file
@ -0,0 +1,130 @@
|
||||
;
|
||||
; This file is part of Luma3DS
|
||||
; Copyright (C) 2016 Aurora Wright, TuxSH
|
||||
;
|
||||
; This program is free software: you can redistribute it and/or modify
|
||||
; it under the terms of the GNU General Public License as published by
|
||||
; the Free Software Foundation, either version 3 of the License, or
|
||||
; (at your option) any later version.
|
||||
;
|
||||
; This program is distributed in the hope that it will be useful,
|
||||
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
; GNU General Public License for more details.
|
||||
;
|
||||
; You should have received a copy of the GNU General Public License
|
||||
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
;
|
||||
; Additional Terms 7.b of GPLv3 applies to this file: Requiring preservation of specified
|
||||
; reasonable legal notices or author attributions in that material or in the Appropriate Legal
|
||||
; Notices displayed by works containing it.
|
||||
;
|
||||
|
||||
; This is mainly Subv's code, big thanks to him.
|
||||
|
||||
.arm.little
|
||||
|
||||
.create "build/k11modules.bin", 0
|
||||
.arm
|
||||
; This code searches the sm module for a specific byte pattern and patches some of the instructions
|
||||
; in the code to disable service access checks when calling srv:GetServiceHandle
|
||||
|
||||
; It also searches the fs module for archive access check code
|
||||
|
||||
; Save the registers we'll be using
|
||||
; Register contents:
|
||||
; r4: Pointer to a pointer to the exheader of the current NCCH
|
||||
; r6: Constant 0
|
||||
; SP + 0x80 - 0x7C: Pointer to the memory location where the NCCH text was loaded
|
||||
|
||||
; Save the value of sp
|
||||
mov r0, sp
|
||||
; Save the value of all registers
|
||||
push {r0-r12}
|
||||
|
||||
; Clear all the caches, just to be safe
|
||||
mcr p15, 0, r6, c7, c14, 0
|
||||
mcr p15, 0, r6, c7, c5, 0
|
||||
|
||||
ldr r0, [r0, #(0x80 - 0x7C)] ; Load the .text address
|
||||
ldr r2, [r7, #0x18] ; Load the size of the .text
|
||||
mov r5, r0
|
||||
add r11, r5, r2 ; Max bounds of the memory region
|
||||
|
||||
ldr r9, =0x00001002 ; Low title id of the sm module
|
||||
ldr r7, [r4]
|
||||
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
|
||||
cmp r8, r9 ; Compare the low title id to the id of the sm module
|
||||
bne fs_patch ; Skip if they're not the same
|
||||
|
||||
ldr r7, =0xE1A01006 ; mov r1, r6
|
||||
ldr r8, =0xE1A00005 ; mov r0, r5
|
||||
ldr r9, =0xE3500000 ; cmp r0, #0
|
||||
ldr r10, =0xE2850004 ; add r0, r5, #4
|
||||
|
||||
loop:
|
||||
cmp r11, r5
|
||||
blo out ; Check if we didn't go past the bounds of the memory region
|
||||
ldr r6, [r5]
|
||||
cmp r6, r7
|
||||
ldreq r6, [r5, #4]
|
||||
cmpeq r6, r8
|
||||
ldreq r6, [r5, #12]
|
||||
cmpeq r6, r9
|
||||
ldreq r6, [r5, #24]
|
||||
cmpeq r6, r10
|
||||
moveq r8, r5
|
||||
addne r5, r5, #4
|
||||
bne loop
|
||||
|
||||
; r8 now contains the start address of the pattern we found
|
||||
|
||||
; Write NOPs to the four instructions we want to patch
|
||||
ldr r9, =0xE320F000 ; nop
|
||||
str r9, [r8, #8] ; Patch the bl
|
||||
str r9, [r8, #12] ; Patch the cmp
|
||||
str r9, [r8, #16] ; Patch the ldreq
|
||||
str r9, [r8, #20] ; Patch the beq
|
||||
b out
|
||||
|
||||
fs_patch: ; patch adapted from BootNTR
|
||||
ldr r9, =0x00001102 ; Low title id of the fs module
|
||||
ldr r7, [r4]
|
||||
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
|
||||
cmp r8, r9 ; Compare the low title id to the id of the sm module
|
||||
bne out ; Skip if they're not the same
|
||||
|
||||
ldr r7, =0x4618 ; mov r0, r3
|
||||
ldr r8, =0x3481 ; add r4, #0x81
|
||||
|
||||
loop_fs:
|
||||
cmp r11, r5
|
||||
blo out
|
||||
ldrh r6, [r5]
|
||||
cmp r6, r7
|
||||
ldreqh r6, [r5, #2]
|
||||
cmpeq r6, r8
|
||||
subeq r8, r5, #8
|
||||
addne r5, #2
|
||||
bne loop
|
||||
|
||||
; r8 now contains the start address of the pattern we found
|
||||
|
||||
ldr r9, =0x2001 ; mov r0, #1
|
||||
ldr r10, =0x4770 ; bx lr
|
||||
strh r9, [r8]
|
||||
strh r10, [r8, #2]
|
||||
|
||||
out:
|
||||
pop {r0-r12} ; Restore the registers we used
|
||||
|
||||
; Clear all the caches again, just to be safe
|
||||
mcr p15, 0, r6, c7, c14, 0
|
||||
mcr p15, 0, r6, c7, c5, 0
|
||||
|
||||
ldr r0, [r4] ; Execute the instruction we overwrote in our detour
|
||||
|
||||
bx lr ; Jump back to whoever called us
|
||||
|
||||
.pool
|
||||
.close
|
@ -44,7 +44,8 @@ void configureCFW(const char *configPath)
|
||||
"( ) Show current NAND in System Settings",
|
||||
"( ) Show GBA boot screen in patched AGB_FIRM",
|
||||
"( ) Enable splash screen with no screen-init",
|
||||
"( ) Use a PIN" };
|
||||
"( ) Use a PIN",
|
||||
"( ) Disable access checks" };
|
||||
|
||||
struct multiOption {
|
||||
int posXs[4];
|
||||
|
@ -362,6 +362,13 @@ static inline void patchNativeFirm(u32 firmVersion, FirmwareSource nandType, u32
|
||||
//Make FCRAM (and VRAM as a side effect) globally executable from arm11 kernel
|
||||
patchKernelFCRAMAndVRAMMappingPermissions(arm11Section1, section[1].size);
|
||||
}
|
||||
|
||||
if(CONFIG(8))
|
||||
{
|
||||
patchArm11SvcAccessChecks(arm11Section1, section[1].size);
|
||||
patchK11ModuleChecks(arm11Section1, section[1].size);
|
||||
patchP9AccessChecks(arm9Section, section[2].size);
|
||||
}
|
||||
}
|
||||
|
||||
static inline void patchLegacyFirm(FirmwareType firmType)
|
||||
|
@ -24,19 +24,21 @@
|
||||
#include "memory.h"
|
||||
#include "config.h"
|
||||
#include "../build/rebootpatch.h"
|
||||
#include "../build/k11modulespatch.h"
|
||||
|
||||
static u32 *arm11ExceptionsPage = NULL;
|
||||
static u32 *arm11SvcTable = NULL;
|
||||
static u32 *arm11SvcHandler = NULL;
|
||||
|
||||
static void findArm11ExceptionsPageAndSvcTable(u8 *pos, u32 size)
|
||||
static void findArm11ExceptionsPageAndSvcHandlerAndTable(u8 *pos, u32 size)
|
||||
{
|
||||
const u8 arm11ExceptionsPagePattern[] = {0x00, 0xB0, 0x9C, 0xE5};
|
||||
|
||||
if(arm11ExceptionsPage == NULL) arm11ExceptionsPage = (u32 *)memsearch(pos, arm11ExceptionsPagePattern, size, 4) - 0xB;
|
||||
if(arm11SvcTable == NULL && arm11ExceptionsPage != NULL)
|
||||
if((arm11SvcTable == NULL || arm11SvcHandler == NULL) && arm11ExceptionsPage != NULL)
|
||||
{
|
||||
u32 svcOffset = (-((arm11ExceptionsPage[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; //Branch offset + 8 for prefetch
|
||||
arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
|
||||
arm11SvcHandler = arm11SvcTable = (u32 *)(pos + *(u32 *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); //SVC handler address
|
||||
while(*arm11SvcTable) arm11SvcTable++; //Look for SVC0 (NULL)
|
||||
}
|
||||
}
|
||||
@ -66,7 +68,7 @@ u32* getInfoForArm11ExceptionHandlers(u8 *pos, u32 size, u32 *stackAddr, u32 *co
|
||||
loadCodeSet--;
|
||||
*codeSetOffset = *loadCodeSet & 0xFFF;
|
||||
|
||||
findArm11ExceptionsPageAndSvcTable(pos, size);
|
||||
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||
return arm11ExceptionsPage;
|
||||
}
|
||||
|
||||
@ -182,10 +184,74 @@ void patchSvcBreak11(u8 *pos, u32 size)
|
||||
{
|
||||
//Same as above, for NFIRM arm11
|
||||
|
||||
findArm11ExceptionsPageAndSvcTable(pos, size);
|
||||
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||
*(u32 *)(pos + arm11SvcTable[0x3C] - 0xFFF00000) = 0xE12FFF7F;
|
||||
}
|
||||
|
||||
void patchArm11SvcAccessChecks(u8 *pos, u32 size)
|
||||
{
|
||||
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||
|
||||
u32 *off = arm11SvcHandler;
|
||||
while(*off != 0xE11A0E1B) off++; //TST R10, R11,LSL LR
|
||||
|
||||
*off = 0xE3B0A001; //MOVS R10, #1
|
||||
}
|
||||
|
||||
//It's mainly Subv's code here:
|
||||
void patchK11ModuleChecks(u8 *pos, u32 size)
|
||||
{
|
||||
// We have to detour a function in the ARM11 kernel because builtin modules
|
||||
// are compressed in memory and are only decompressed at runtime.
|
||||
|
||||
// Find some padding space to add our code
|
||||
const u8 bogus_pattern[] = { 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF, 0x2F, 0xE1, 0x1E, 0xFF,
|
||||
0x2F, 0xE1, 0x00, 0x10, 0xA0, 0xE3, 0x00, 0x10, 0xC0, 0xE5,
|
||||
0x1E, 0xFF, 0x2F, 0xE1 };
|
||||
|
||||
u32 *someSpace = (u32 *)memsearch(pos, bogus_pattern, size, 24);
|
||||
|
||||
// We couldn't find the place where to begin our search of an empty block
|
||||
if (someSpace == NULL)
|
||||
return;
|
||||
|
||||
// Advance until we reach the padding area (filled with 0xFF)
|
||||
u32 *freeSpace;
|
||||
for(freeSpace = someSpace; *freeSpace != 0xFFFFFFFF; freeSpace++);
|
||||
|
||||
// Inject our code into the free space
|
||||
memcpy(freeSpace, k11modules, k11modules_size);
|
||||
|
||||
// Find the code that decompresses the .code section of the builtin modules and detour it with a jump to our code
|
||||
const u8 pattern[] = { 0x00, 0x00, 0x94, 0xE5, 0x18, 0x10, 0x90, 0xE5, 0x28, 0x20,
|
||||
0x90, 0xE5, 0x48, 0x00, 0x9D, 0xE5 };
|
||||
|
||||
u8 *off = memsearch(pos, pattern, size, 16);
|
||||
|
||||
// We couldn't find the code that decompresses the module
|
||||
if (off == NULL)
|
||||
return;
|
||||
|
||||
// Inject a jump instruction to our code at the offset we found
|
||||
// Construct a jump (BL) instruction to our code
|
||||
u32 offset = ((((u32)freeSpace) - ((u32)off + 8)) >> 2) & 0xFFFFFF;
|
||||
u32 instruction = offset | (1 << 24) | (0x5 << 25) | (0xE << 28);
|
||||
|
||||
// Write our jump
|
||||
memcpy(off, &instruction, 4);
|
||||
}
|
||||
|
||||
void patchP9AccessChecks(u8 *pos, u32 size)
|
||||
{
|
||||
const u8 pattern[] = {0xE0, 0x00, 0x40, 0x39, 0x08, 0x58};
|
||||
|
||||
u16 *off = (u16 *)memsearch(pos, pattern, size, 6) - 7;
|
||||
|
||||
off[0] = 0x2001; //mov r0, #1
|
||||
off[1] = 0x4770; //bx lr
|
||||
}
|
||||
|
||||
|
||||
void patchUnitInfoValueSet(u8 *pos, u32 size)
|
||||
{
|
||||
//Look for UNITINFO value being set
|
||||
@ -221,7 +287,7 @@ void reimplementSvcBackdoor(u8 *pos, u32 size)
|
||||
0x00, 0xD0, 0xA0, 0xE1, //mov sp, r0
|
||||
0x11, 0xFF, 0x2F, 0xE1}; //bx r1
|
||||
|
||||
findArm11ExceptionsPageAndSvcTable(pos, size);
|
||||
findArm11ExceptionsPageAndSvcHandlerAndTable(pos, size);
|
||||
|
||||
if(!arm11SvcTable[0x7B])
|
||||
{
|
||||
|
@ -45,6 +45,9 @@ void patchFirmWriteSafe(u8 *pos, u32 size);
|
||||
void patchExceptionHandlersInstall(u8 *pos, u32 size);
|
||||
void patchSvcBreak9(u8 *pos, u32 size, u32 k9addr);
|
||||
void patchSvcBreak11(u8 *pos, u32 size);
|
||||
void patchArm11SvcAccessChecks(u8 *pos, u32 size);
|
||||
void patchK11ModuleChecks(u8 *pos, u32 size);
|
||||
void patchP9AccessChecks(u8 *pos, u32 size);
|
||||
void patchUnitInfoValueSet(u8 *pos, u32 size);
|
||||
void patchKernelFCRAMAndVRAMMappingPermissions(u8 *pos, u32 size);
|
||||
void reimplementSvcBackdoor(u8 *pos, u32 size);
|
||||
|
Reference in New Issue
Block a user