Skip to content

Commit

Permalink
- fixed bug with re-initialization of EEPROM and OTP dump on SD card
Browse files Browse the repository at this point in the history
- added new feature which allows you to disable os full relaunch (only possible in combination with sysNAND, not redNAND)
- added new option which allows to return to HBL after executing the patches and not launch to System Menu (only in combination with disabled OS full relaunch)
- some clean ups

NOTE to the new feature:
The new feature to disable full OS reload behaves similar to the simple signature patcher except that it setups execution memory region from kernel for wupserver and iosuhax dev node code and starts those. So it's a fast simple signature patcher with the addition of wupserver and iosuhax dev node. Another addition to the simple sign patcher is that the patches reload themself when exiting settings. Launch image is disabled for this method though.
  • Loading branch information
dimok789 committed Dec 14, 2016
1 parent 47c03cb commit b65b6c8
Show file tree
Hide file tree
Showing 17 changed files with 821 additions and 544 deletions.
5 changes: 3 additions & 2 deletions ios_kernel/source/fsa.h
Original file line number Diff line number Diff line change
Expand Up @@ -27,14 +27,15 @@
#include "types.h"

#define NAND_DUMP_SIGNATURE_SECTOR 0x01
#define NAND_MAX_DESC_TYPES 5

#define NAND_DUMP_SIGNATURE 0x4841585844554d50ULL // HAXXDUMP

#define NAND_DESC_TYPE_SLC 0x534c4320 // 'SLC '
#define NAND_DESC_TYPE_SLCCMPT 0x534c4332 // 'SLC2'
#define NAND_DESC_TYPE_MLC 0x4d4c4320 // 'MLC '
#define NAND_DESC_TYPE_OTP 0x4f545020 // 'OTP '
#define NAND_DESC_TYPE_SEEPROM 0x45455052 // 'EEPR'
#define NAND_DESC_TYPE_OTP 0x4f545020 // 'OTP '

typedef struct _stdio_nand_desc_t
{
Expand All @@ -46,7 +47,7 @@ typedef struct _stdio_nand_desc_t
typedef struct _sdio_nand_signature_sector_t
{
u64 signature; // HAXXDUMP
stdio_nand_desc_t nand_descriptions[5];
stdio_nand_desc_t nand_descriptions[NAND_MAX_DESC_TYPES];
} __attribute__((packed)) sdio_nand_signature_sector_t;

int FSA_SDReadRawSectors(void *buffer, u32 sector, u32 num_sectors);
Expand Down
102 changes: 102 additions & 0 deletions ios_kernel/source/instant_patches.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
/***************************************************************************
* Copyright (C) 2016
* by Dimok
*
* This software is provided 'as-is', without any express or implied
* warranty. In no event will the authors be held liable for any
* damages arising from the use of this software.
*
* Permission is granted to anyone to use this software for any
* purpose, including commercial applications, and to alter it and
* redistribute it freely, subject to the following restrictions:
*
* 1. The origin of this software must not be misrepresented; you
* must not claim that you wrote the original software. If you use
* this software in a product, an acknowledgment in the product
* documentation would be appreciated but is not required.
*
* 2. Altered source versions must be plainly marked as such, and
* must not be misrepresented as being the original software.
*
* 3. This notice may not be removed or altered from any source
* distribution.
***************************************************************************/
#include "config.h"
#include "utils.h"
#include "types.h"
#include "elf_patcher.h"
#include "kernel_patches.h"
#include "ios_mcp_patches.h"
#include "../../ios_mcp/ios_mcp_syms.h"

typedef struct
{
u32 paddr;
u32 vaddr;
u32 size;
u32 domain;
u32 type;
u32 cached;
} ios_map_shared_info_t;

void instant_patches_setup(void)
{
// apply IOS ELF launch hook
*(volatile u32*)0x0812A120 = ARM_BL(0x0812A120, kernel_launch_ios);

// patch FSA raw access
*(volatile u32*)0x1070FAE8 = 0x05812070;
*(volatile u32*)0x1070FAEC = 0xEAFFFFF9;

if(cfw_config.noIosReload)
{
int (*_iosMapSharedUserExecution)(void *descr) = (void*)0x08124F88;

// patch kernel dev node registration
*(volatile u32*)0x081430B4 = 1;

// fix 10 minute timeout that crashes MCP after 10 minutes of booting
*(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT

// patch cached cert check
// start our MCP thread directly on first title change
kernel_memset((void*)(0x050BD000 - 0x05000000 + 0x081C0000), 0, 0x3000);
*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = ARM_B(0x05054D6C, _startMainThread);

// patch MCP authentication check
*(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr

// patch IOSC_VerifyPubkeySign to always succeed
*(volatile u32*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
*(volatile u32*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr

// allow custom bootLogoTex and bootMovie.h264
*(volatile u32*)(0xE0030D68 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0
*(volatile u32*)(0xE0030D34 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0

// allow any region title launch
*(volatile u32*)(0xE0030498 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0

// set zero to start thread directly on first title change
*(volatile u32*)(0x050BC580 - 0x05000000 + 0x081C0000) = 0;
// down display launch image at this state
*(volatile u32*)(_text_start - 4 - 0x05100000 + 0x13D80000) = 0;

ios_map_shared_info_t map_info;
map_info.paddr = 0x050BD000 - 0x05000000 + 0x081C0000;
map_info.vaddr = 0x050BD000;
map_info.size = 0x3000;
map_info.domain = 1; // MCP
map_info.type = 3; // 0 = undefined, 1 = kernel only, 2 = read only, 3 = read/write
map_info.cached = 0xFFFFFFFF;
_iosMapSharedUserExecution(&map_info); // actually a bss section but oh well it will have read/write

map_info.paddr = 0x05116000 - 0x05100000 + 0x13D80000;
map_info.vaddr = 0x05116000;
map_info.size = 0x4000;
map_info.domain = 1; // MCP
map_info.type = 3; // 0 = undefined, 1 = kernel only, 2 = read only, 3 = read write
map_info.cached = 0xFFFFFFFF;
_iosMapSharedUserExecution(&map_info);
}
}
29 changes: 29 additions & 0 deletions ios_kernel/source/instant_patches.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
/***************************************************************************
* Copyright (C) 2016
* by Dimok
*
* This software is provided 'as-is', without any express or implied
* warranty. In no event will the authors be held liable for any
* damages arising from the use of this software.
*
* Permission is granted to anyone to use this software for any
* purpose, including commercial applications, and to alter it and
* redistribute it freely, subject to the following restrictions:
*
* 1. The origin of this software must not be misrepresented; you
* must not claim that you wrote the original software. If you use
* this software in a product, an acknowledgment in the product
* documentation would be appreciated but is not required.
*
* 2. Altered source versions must be plainly marked as such, and
* must not be misrepresented as being the original software.
*
* 3. This notice may not be removed or altered from any source
* distribution.
***************************************************************************/
#ifndef _INSTANT_PATCHES_SETUP_H_
#define _INSTANT_PATCHES_SETUP_H_

void instant_patches_setup(void);

#endif
9 changes: 4 additions & 5 deletions ios_kernel/source/ios_bsp_patches.c
Original file line number Diff line number Diff line change
Expand Up @@ -40,26 +40,25 @@ u32 bsp_get_phys_code_base(void)

int bsp_init_seeprom_buffer(u32 baseSector, int dumpFound)
{
int(*disable_interrupts)() = (int(*)())0x0812E778;
int(*enable_interrupts)(int) = (int(*)(int))0x0812E78C;
void *tmpBuffer = (void*)0x00140000;

if(dumpFound)
{
int res = FSA_SDReadRawSectors((void*)0x00140000, baseSector, 1);
int res = FSA_SDReadRawSectors(tmpBuffer, baseSector, 1);
if(res < 0)
return res;
}
else
{
//! just clear out the seeprom and it will be re-initialized on BSP module
//! TODO: maybe read in the seeprom here from SPI or BSP module
kernel_memset((void*)0x00140000, 0, 0x200);
kernel_memset(tmpBuffer, 0, 0x200);
}

int level = disable_interrupts();
unsigned int control_register = disable_mmu();

kernel_memcpy((void*)(_seeprom_buffer_start - 0xE6047000 + 0x13D07000), (void*)0x00140000, 0x200);
kernel_memcpy((void*)(_seeprom_buffer_start - 0xE6047000 + 0x13D07000), tmpBuffer, 0x200);

restore_mmu(control_register);
enable_interrupts(level);
Expand Down
2 changes: 2 additions & 0 deletions ios_kernel/source/ios_mcp_patches.c
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,8 @@ void mcp_run_patches(u32 ios_elf_start)
section_write(ios_elf_start, 0x050600FC, "/vol/system_slc/config/syshax.xml", 0x24);
}

section_write_word(ios_elf_start, (_text_start - 4), cfw_config.launchImage);

u32 patch_count = (u32)(((u8*)mcp_patches_table_end) - ((u8*)mcp_patches_table)) / sizeof(patch_table_t);
patch_table_entries(ios_elf_start, mcp_patches_table, patch_count);
}
40 changes: 37 additions & 3 deletions ios_kernel/source/kernel_patches.c
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@
***************************************************************************/
#include "types.h"
#include "elf_patcher.h"
#include "ios_mcp_patches.h"
#include "ios_fs_patches.h"
#include "ios_bsp_patches.h"
#include "kernel_patches.h"
#include "exception_handler.h"
#include "fsa.h"
Expand Down Expand Up @@ -63,11 +66,11 @@ static int kernel_read_otp_internal(int index, void* out_buf, u32 size)
return 0;
}

int kernel_init_otp_buffer(u32 sd_sector, int tagValid)
int kernel_init_otp_buffer(u32 sd_sector, int dumpFound)
{
int res;

if(tagValid)
if(dumpFound)
{
res = FSA_SDReadRawSectors(otp_buffer, sd_sector, 2);
}
Expand All @@ -77,13 +80,43 @@ int kernel_init_otp_buffer(u32 sd_sector, int tagValid)
res = orig_kernel_read_otp_internal(0, otp_buffer, 0x400);
}

if((res == 0) && !tagValid)
if((res == 0) && (dumpFound == 0))
{
FSA_SDWriteRawSectors(otp_buffer, sd_sector, 2);
}
return res;
}

void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
{
void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;

if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
{
int level = disable_interrupts();
unsigned int control_register = disable_mmu();

u32 ios_elf_start = launch_address + 0x804 - 0x300;

//! try to keep the order of virt. addresses to reduce the memmove amount
mcp_run_patches(ios_elf_start);
kernel_run_patches(ios_elf_start);

if(cfw_config.redNAND)
{
fs_run_patches(ios_elf_start);

if(cfw_config.seeprom_red)
bsp_run_patches(ios_elf_start);
}

restore_mmu(control_register);
enable_interrupts(level);
}

kernel_launch_bootrom(launch_address, L, C, H);
}

void kernel_run_patches(u32 ios_elf_start)
{
section_write(ios_elf_start, (u32)__KERNEL_CODE_START, __KERNEL_CODE_START, __KERNEL_CODE_END - __KERNEL_CODE_START);
Expand All @@ -106,3 +139,4 @@ void kernel_run_patches(u32 ios_elf_start)
u32 patch_count = (u32)(((u8*)kernel_patches_table_end) - ((u8*)kernel_patches_table)) / sizeof(patch_table_t);
patch_table_entries(ios_elf_start, kernel_patches_table, patch_count);
}

Loading

0 comments on commit b65b6c8

Please sign in to comment.