
Commit 746fded

committed
fix last commit + TAB->SPACE
1 parent cefc174 commit 746fded

3 files changed

+186
-106
lines changed


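--- a/src/firmware.c
+++ b/src/firmware.c
@@ -122,69 +122,76 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
 if(!customKern) {
 u32 crc = crc32c(pkg2->data, pkg2->sec_size[PKG2_SEC_KERNEL]);
 uPtr kern = (uPtr)&pkg2->data;
-uPtr sendOff, recvOff, codeRcvOff, codeSndOff, svcVerifOff, svcDebugOff;
+uPtr sendOff, recvOff, codeRcvOff, codeSndOff, svcVerifOff, svcDebugOff, ver;
 switch(crc){
-case 0x427f2647:{
+case 0x427f2647:{ //1.0.0
 svcVerifOff = 0x3764C;
 svcDebugOff = 0x44074;
 sendOff = 0x23CC0;
 recvOff = 0x219F0;
 codeSndOff = 4;
 codeRcvOff = 4;
+ver = 0;
 break;
 }
-case 0xae19cf1b:{
+case 0xae19cf1b:{ //2.0.0
 svcVerifOff = 0x54834;
 svcDebugOff = 0x6086C;
 sendOff = 0x3F134;
 recvOff = 0x3D1A8;
 codeSndOff = 4;
 codeRcvOff = 4;
+ver = 1;
 break;
 }
-case 0x73c9e274:{
+case 0x73c9e274:{ //3.0.0
 svcVerifOff = 0x3BD24;
 svcDebugOff = 0x483FC;
 sendOff = 0x26080;
 recvOff = 0x240F0;
 codeSndOff = 4;
 codeRcvOff = 4;
+ver = 2;
 break;
 }
-case 0xe0e8cdc4:{
+case 0xe0e8cdc4:{ //3.0.2
 svcVerifOff = 0x3BD24;
 svcDebugOff = 0x48414;
 sendOff = 0x26080;
 recvOff = 0x240F0;
 codeSndOff = 4;
 codeRcvOff = 4;
+ver = 3;
 break;
 }
-case 0x485d0157:{
+case 0x485d0157:{ //4.0.0
 svcVerifOff = 0x41EB4;
 svcDebugOff = 0x4EBFC;
 sendOff = 0x2AF64;
 recvOff = 0x28F6C;
 codeSndOff = 8;
 codeRcvOff = 4;
+ver = 4;
 break;
 }
-case 0xf3c363f2:{
+case 0xf3c363f2:{ //5.0.0
 svcVerifOff = 0x45E6C;
 svcDebugOff = 0x5513C;
 sendOff = 0x2AD34;
 recvOff = 0x28DAC;
 codeSndOff = 8;
 codeRcvOff = 8;
+ver = 5;
 break;
 }
-case 0x64ce1a44:{
+case 0x64ce1a44:{ //6.0.0
 svcVerifOff = 0x47EA0;
 svcDebugOff = 0x57548;
 sendOff = 0x2BB8C;
 recvOff = 0x29B6C;
 codeSndOff = 0x10;
 codeRcvOff = 0x10;
+ver = 6;
 break;
 }
 default:
@@ -193,17 +200,19 @@ void patch(pk11_offs *pk11, pkg2_hdr_t *pkg2, link_t *kips) {
 }
 
 //ID Send
-uPtr freeSpace = getFreeSpace((void*)pkg2->data, 0x200, pkg2->sec_size[PKG2_SEC_KERNEL]); //Find area to write payload
-size_t payloadSize = sizeof(PRC_ID_SND_600);
+uPtr freeSpace = getFreeSpace((void*)(kern+0x45000), 0x200, 0x20000) + 0x45000; //Find area to write payload
+print("Kernel Freespace: 0x%08X\n", freeSpace);
+size_t payloadSize;
+u32 *sndPayload = getSndPayload(ver, &payloadSize);
 *(vu32*)(kern + sendOff) = _B(sendOff, freeSpace); //write hook to payload
-memcpy((void*)(kern + freeSpace), (void*)PRC_ID_SND_600, payloadSize); //Copy payload to free space
+memcpy((void*)(kern + freeSpace), sndPayload, payloadSize); //Copy payload to free space
 *(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, sendOff + codeSndOff); //Jump back skipping the hook
 
 //ID Receive
 freeSpace += (payloadSize+4);
-payloadSize = sizeof(PRC_ID_RCV_600);
+u32 *rcvPayload = getRcvPayload(ver, &payloadSize);
 *(vu32*)(kern + recvOff) = _B(recvOff, freeSpace);
-memcpy((void*)(kern + freeSpace), (void*)PRC_ID_RCV_600, payloadSize);
+memcpy((void*)(kern + freeSpace), rcvPayload, payloadSize);
 *(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, recvOff + codeRcvOff);
 
 //SVC patches
@@ -400,7 +409,7 @@ void firmware() {
 ((void (*)())PAYLOAD_ADDR)();
 }
 SYSREG(AHB_AHB_SPARE_REG) = (volatile vu32)0xFFFFFF9F;
-PMC(APBDEV_PMC_SCRATCH49) = 0;
+PMC(APBDEV_PMC_SCRATCH49) = 0;
 
 if (btn_read() & BTN_VOL_DOWN) {
 print("Booting verbosely\n");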
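--- a/src/package.c
+++ b/src/package.c
@@ -264,23 +264,92 @@ int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
 return 0;
 }
 
+u32 *getSndPayload(u32 id, size_t *size) {
+u32 *ret;
+switch(id){
+case 0:
+*size = sizeof(PRC_ID_SND_100);
+ret = PRC_ID_SND_100;
+break;
+case 1:
+*size = sizeof(PRC_ID_SND_200);
+ret = PRC_ID_SND_200;
+break;
+case 2:
+*size = sizeof(PRC_ID_SND_300);
+ret = PRC_ID_SND_300;
+break;
+case 3:
+*size = sizeof(PRC_ID_SND_302);
+ret = PRC_ID_SND_302;
+break;
+case 4:
+*size = sizeof(PRC_ID_SND_400);
+ret = PRC_ID_SND_400;
+break;
+case 5:
+*size = sizeof(PRC_ID_SND_500);
+ret = PRC_ID_SND_500;
+break;
+case 6:
+*size = sizeof(PRC_ID_SND_600);
+ret = PRC_ID_SND_600;
+break;
+}
+return ret;
+}
+
+u32 *getRcvPayload(u32 id, size_t *size) {
+u32 *ret;
+switch(id){
+case 0:
+*size = sizeof(PRC_ID_RCV_100);
+ret = PRC_ID_RCV_100;
+break;
+case 1:
+*size = sizeof(PRC_ID_RCV_200);
+ret = PRC_ID_RCV_200;
+break;
+case 2:
+*size = sizeof(PRC_ID_RCV_300);
+ret = PRC_ID_RCV_300;
+break;
+case 3:
+*size = sizeof(PRC_ID_RCV_302);
+ret = PRC_ID_RCV_302;
+break;
+case 4:
+*size = sizeof(PRC_ID_RCV_400);
+ret = PRC_ID_RCV_400;
+break;
+case 5:
+*size = sizeof(PRC_ID_RCV_500);
+ret = PRC_ID_RCV_500;
+break;
+case 6:
+*size = sizeof(PRC_ID_RCV_600);
+ret = PRC_ID_RCV_600;
+break;
+}
+return ret;
+}
 
 int nca_patch(u8 * kipdata, u64 kipdata_len) {
-char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
-char buf[0x10];
-memcpy(buf, kipdata+0x1C450, 0x10);
-u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
-int ret=0;
-int max_dist = 0x10;
-for(int i=0; i<max_dist; i++) {
-u32 op = addr[i];
-if((op & 0xFC000000)==0x94000000) { //is a BL op
-addr[i] = NOP;
-ret=1;
-break;
-}
-}
-return ret;
+char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
+char buf[0x10];
+memcpy(buf, kipdata+0x1C450, 0x10);
+u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
+int ret=0;
+int max_dist = 0x10;
+for(int i=0; i<max_dist; i++) {
+u32 op = addr[i];
+if((op & 0xFC000000)==0x94000000) { //is a BL op
+addr[i] = NOP;
+ret=1;
+break;
+}
+}
+return ret;
 }
 
 int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset) {
@@ -305,8 +374,8 @@ int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset) {
 int r = kippatch_apply(kipdata, kipdata_len, p);
 if (r) return r;
 }
-if(!strncmp("FS", patchset->kip_name, 2))
-nca_patch(kipdata, kipdata_len);
+if(!strncmp("FS", patchset->kip_name, 2))
+nca_patch(kipdata, kipdata_len);
 return 0;
 }
 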
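Review bot: getSndPayload and getRcvPayload (new lines 267-335) have no `default:` arm, so for any `id` outside 0..6 `ret` is returned uninitialised and `*size` is never written, and the caller in src/firmware.c then memcpy's from an indeterminate pointer with an indeterminate length into the kernel image. Since `id` is the `ver` selected by the kernel-CRC switch in firmware.c, an unrecognised kernel is exactly the input that reaches this path. Add `default: *size = 0; ret = NULL; break;` to both switches and have the caller skip the hook when NULL comes back. The nca_patch and kippatch_apply_set hunks are whitespace-only retabs and need nothing; the unchecked memsearch result in nca_patch predates this commit.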
