Fix and rewrite parts of k11modules.s

This commit is contained in:
TuxSH 2016-08-15 21:07:06 +02:00
parent 802bce12a7
commit 8d5d8d2100

View File

@ -42,86 +42,75 @@
; Save the value of all registers ; Save the value of all registers
push {r0-r12} push {r0-r12}
; Clear all the caches, just to be safe
mcr p15, 0, r6, c7, c14, 0
mcr p15, 0, r6, c7, c5, 0
ldr r0, [r0, #(0x80 - 0x7C)] ; Load the .text address ldr r0, [r0, #(0x80 - 0x7C)] ; Load the .text address
ldr r2, [r7, #0x18] ; Load the size of the .text ldr r7, [r4]
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
ldr r2, [r7, #0x18]
mov r5, r0 mov r5, r0
add r11, r5, r2 ; Max bounds of the memory region add r11, r5, r2 ; Max bounds of the memory region
ldr r9, =0x00001002 ; Low title id of the sm module ldr r9, =0x00001002 ; Low title id of the sm module
ldr r7, [r4]
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
cmp r8, r9 ; Compare the low title id to the id of the sm module cmp r8, r9 ; Compare the low title id to the id of the sm module
bne fs_patch ; Skip if they're not the same bne fs_patch ; Skip if they're not the same
ldr r7, =0xE1A01006 ; mov r1, r6 ldr r7, =0xE5901024 ; mov r6, r2
ldr r8, =0xE1A00005 ; mov r0, r5 ldr r8, =0xE1B02001 ; mov r7, #0
ldr r9, =0xE3500000 ; cmp r0, #0 ldr r9, =0x0A00000A ; ldr r1, [r2, #0x24]
ldr r10, =0xE2850004 ; add r0, r5, #4 ldr r10, =0xE5915014 ; movs r2, r1
loop: loop_sm: ; patch adapted from BootNTR
cmp r11, r5 cmp r5, r11
blo out ; Check if we didn't go past the bounds of the memory region bhs out
ldr r6, [r5] ldr r6, [r5]
cmp r6, r7 cmp r6, r7
ldreq r6, [r5, #4] bne loop_sm_continue
cmpeq r6, r8 ldr r6, [r5, #4]
ldreq r6, [r5, #12] cmp r6, r8
cmpeq r6, r9 bne loop_sm_continue
ldreq r6, [r5, #24] ldr r6, [r5, #8]
cmpeq r6, r10 cmp r6, r9
moveq r8, r5 bne loop_sm_continue
addne r5, r5, #4 ldr r6, [r5, #12]
bne loop cmp r6, r10
bne loop_sm_continue
; r8 now contains the start address of the pattern we found ldr r9, =0xE3A00002 ; mov r0, #2
ldr r10, =0xE12FFF1E ; bx lr
; Write NOPs to the four instructions we want to patch str r9, [r5, #-8]
ldr r9, =0xE320F000 ; nop str r10, [r5, #-4]
str r9, [r8, #8] ; Patch the bl
str r9, [r8, #12] ; Patch the cmp
str r9, [r8, #16] ; Patch the ldreq
str r9, [r8, #20] ; Patch the beq
b out b out
loop_sm_continue:
add r5, r5, #4
b loop_sm
fs_patch: ; patch adapted from BootNTR fs_patch: ; patch adapted from BootNTR
ldr r9, =0x00001102 ; Low title id of the fs module ldr r9, =0x00001102 ; Low title id of the fs module
ldr r7, [r4] cmp r8, r9 ; Compare the low title id to the id of the fs module
ldr r8, [r7, #0x200] ; Load the low title id of the current NCCH
cmp r8, r9 ; Compare the low title id to the id of the sm module
bne out ; Skip if they're not the same bne out ; Skip if they're not the same
ldr r7, =0x4618 ; mov r0, r3 ldr r7, =0x4618 ; mov r0, r3
ldr r8, =0x3481 ; add r4, #0x81 ldr r8, =0x3481 ; add r4, #0x81
loop_fs: loop_fs:
cmp r11, r5 cmp r5, r11
blo out bhs out
ldrh r6, [r5] ldrh r6, [r5]
cmp r6, r7 cmp r6, r7
ldreqh r6, [r5, #2] bne loop_fs_continue
cmpeq r6, r8 ldrh r6, [r5, #2]
subeq r8, r5, #8 cmp r6, r8
addne r5, #2 bne loop_fs_continue
bne loop
; r8 now contains the start address of the pattern we found
ldr r9, =0x2001 ; mov r0, #1 ldr r9, =0x2001 ; mov r0, #1
ldr r10, =0x4770 ; bx lr ldr r10, =0x4770 ; bx lr
strh r9, [r8] strh r9, [r5, #-8]
strh r10, [r8, #2] strh r10, [r5, #-6]
b out
loop_fs_continue:
add r5, #2
b loop_fs
out: out:
pop {r0-r12} ; Restore the registers we used pop {r0-r12} ; Restore the registers we used
; Clear all the caches again, just to be safe
mcr p15, 0, r6, c7, c14, 0
mcr p15, 0, r6, c7, c5, 0
ldr r0, [r4] ; Execute the instruction we overwrote in our detour ldr r0, [r4] ; Execute the instruction we overwrote in our detour
bx lr ; Jump back to whoever called us bx lr ; Jump back to whoever called us