
Add JIT patches; rework logic for loading custom firmware files

Reisyukaku committed Feb 16, 2019
1 parent 76fe8d4 commit e0e59b75cca1182c6e6bd297e336bac285f00f3d
Showing with 56 additions and 19 deletions.
  1. +16 −6 src/firmware.c
  2. +1 −1 src/hwinit/tsec.c
  3. +27 −8 src/package.c
  4. +12 −4 src/package.h
@@ -25,6 +25,9 @@

static pk11_offs *pk11Offs = NULL;
static u8 *bctBuf = NULL;
static bool customWarmboot = false;
static bool customSecmon = false;
static bool customKern = false;

int drawSplash() {
// Draw splashscreen to framebuffer.
@@ -90,8 +93,9 @@ pkg2_kip1_info_t* find_by_tid(link_t* kip_list, u64 tid) {
}

void patchWarmboot(u32 warmbootBase) {
print("Patching Warmboot...\n");
//Patch warmboot
if(!customWarmboot) {
print("Patching Warmboot...\n");
uPtr *fuseCheck = NULL;
uPtr *segmentID = NULL;
u8 fuseCheckPat[] = {0x44, 0x12, 0x80, 0xE5};
@@ -108,9 +112,9 @@ void patchWarmboot(u32 warmbootBase) {
}

void patchSecmon(u32 secmonBase, u32 fw){
print("Patching Secmon...\n");
//Patch Secmon
if(!customSecmon){
print("Patching Secmon...\n");
uPtr *rlc_ptr = NULL;
uPtr *ver_ptr = NULL;
uPtr *pk21_ptr = NULL;
@@ -243,9 +247,9 @@ void patchSecmon(u32 secmonBase, u32 fw){
}

void patchKernel(pkg2_hdr_t *pkg2){
print("Patching Kernel...\n");
//Patch Kernel
if(!customKern) {
print("Patching Kernel...\n");
u8 hash[0x20];
se_calc_sha256(hash, pkg2->data, pkg2->sec_size[PKG2_SEC_KERNEL]);
uPtr kern = (uPtr)&pkg2->data;
@@ -256,12 +260,12 @@ void patchKernel(pkg2_hdr_t *pkg2){
print("Patching kernel %d\n", i);

//ID Send
uPtr freeSpace = getFreeSpace((void*)(kern+0x45000), 0x200, 0x20000) + 0x45000; //Find area to write payload
uPtr freeSpace = getFreeSpace((void*)(kern+0x45000), 0x200, 0x20000) + 0x45000; //Find area to write payload
print("Kernel Freespace: 0x%08X\n", freeSpace);
size_t payloadSize;
u32 *sndPayload = getSndPayload(i, &payloadSize);
*(vu32*)(kern + kernelInfo[i].SendOff) = _B(kernelInfo[i].SendOff, freeSpace); //write hook to payload
memcpy((void*)(kern + freeSpace), sndPayload, payloadSize); //Copy payload to free space
*(vu32*)(kern + kernelInfo[i].SendOff) = _B(kernelInfo[i].SendOff, freeSpace); //write hook to payload
memcpy((void*)(kern + freeSpace), sndPayload, payloadSize); //Copy payload to free space
*(vu32*)(kern + freeSpace + payloadSize) = _B(freeSpace + payloadSize, kernelInfo[i].SendOff + kernelInfo[i].CodeSndOff); //Jump back skipping the hook

//ID Receive
@@ -278,6 +282,9 @@ void patchKernel(pkg2_hdr_t *pkg2){
*(vu32*)(kern + kernelInfo[i].SvcDebug) = _MOVZX(8, 1, 0);
}

//JIT patches
*(vu32*)(kern + kernelInfo[i].GenericOff) = NOP_v8;

break;
}
}else{
@@ -346,6 +353,8 @@ u8 loadFirm() {

print("Unpacking pkg1\n");
pkg1_unpack(pk11Offs, (u32)pkg11);
customWarmboot = hasCustomWb();
customSecmon = hasCustomSecmon();
PMC(APBDEV_PMC_SCRATCH1) = pk11Offs->warmboot_base;
free(pkg1ldr);

@@ -354,6 +363,7 @@ u8 loadFirm() {

// Unpack Package2.
print("Unpacking package2...\n");
customKern = hasCustomKern();
pkg2_hdr_t *dec_pkg2 = unpackFirmwarePackage(pkg2);
LIST_INIT(kip1_info);
pkg2_parse_kips(&kip1_info, dec_pkg2);
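Review bot: The JIT patch store `*(vu32*)(kern + kernelInfo[i].GenericOff) = NOP_v8;` in the -278 hunk runs for every matched kernel, yet five of the eight kernelInfo rows in package.h carry `GenericOff` of 0 (the `0,` entries in the -240 through -280 hunks), so on those versions the NOP is written to offset 0 of the kernel image, overwriting its first instruction, instead of being skipped. Guard the write on the offset being set, `if (kernelInfo[i].GenericOff)` placed before the store, since `kern` is taken from `(uPtr)&pkg2->data` a few lines above and offset 0 is therefore the start of the kernel. patchKernel's body continues on both sides of this hunk, including the `else` branch that begins on its last line.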
@@ -248,4 +248,4 @@ out:;
clock_disable_host1x();

return res;
}
}
@@ -108,7 +108,8 @@ void pkg1_unpack(pk11_offs *offs, u32 pkg1Off) {
fclose();
}
memcpy((void *)offs->warmboot_base, extWb == NULL ? pdata : extWb, sec_size[offs->sec_map[i]]);
} else if (offs->sec_map[i] == 2 && offs->secmon_base) {
}
if (offs->sec_map[i] == 2 && offs->secmon_base) {
u8 *extSec = NULL;
if(fopen("/ReiNX/secmon.bin", "rb") != 0) {
extSec = malloc(fsize());
@@ -119,14 +120,33 @@ void pkg1_unpack(pk11_offs *offs, u32 pkg1Off) {
}
pdata += sec_size[offs->sec_map[i]];
}
if(extWb != NULL) {
free(extWb);
customWarmboot = 1;
}

bool hasCustomWb() {
bool ret = false;
if(fopen("/ReiNX/warmboot.bin", "rb") != 0) {
ret = true;
fclose();
}
return ret;
}

bool hasCustomSecmon() {
bool ret = false;
if(fopen("/ReiNX/secmon.bin", "rb") != 0) {
ret = true;
fclose();
}
if(extSec != NULL) {
free(extSec);
customSecmon = 1;
return ret;
}

bool hasCustomKern() {
bool ret = false;
if(fopen("/ReiNX/kernel.bin", "rb") != 0) {
ret = true;
fclose();
}
return ret;
}

void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info) {
@@ -151,7 +171,6 @@ void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info) {
fread(extKern, fsize(), 1);
fclose();
}
if(extKern != NULL) customKern = 1;
memcpy(pdst, extKern == NULL ? kernel : extKern, kernel_size);
hdr->sec_size[PKG2_SEC_KERNEL] = kernel_size;
hdr->sec_off[PKG2_SEC_KERNEL] = 0x10000000;
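Review bot: hasCustomWb, hasCustomSecmon and hasCustomKern in the -119 hunk decide the custom flags by re-opening each file, so a flag now records whether the file can be opened at that moment rather than whether pkg1_unpack or buildFirmwarePackage actually substituted it; the removed `customSecmon = 1` and `customKern = 1` assignments were tied to a successful load, and if `malloc(fsize())` or the fread fails the stock image is copied in yet the later patching is skipped because the flag says custom. Consider having pkg1_unpack report which overrides it applied (a small bitmask return or out-parameters) and deriving the flags from that, and collapse the three identical bodies into one `static bool fileExists(const char *path)` helper. Separately, the external buffers are allocated with `fsize()` but copied with `sec_size[offs->sec_map[i]]` (the memcpy in the -108 hunk's context), so a file shorter than its section over-reads the heap buffer and a longer one is silently truncated; a length check against the section size belongs next to the existence check. The three new functions should also be defined with `(void)` rather than an empty parameter list.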
@@ -28,10 +28,6 @@
#define NOP_v7 0xE320F000
#define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)

static u8 customSecmon = 0;
static u8 customWarmboot = 0;
static u8 customKern = 0;

typedef struct _pkg2_hdr_t
{
u8 ctr[0x10];
@@ -228,6 +224,7 @@ typedef struct {
u32 SvcDebug;
u32 SendOff;
u32 RcvOff;
u32 GenericOff;
u8 CodeSndOff;
u8 CodeRcvOff;
} KernelMeta;
@@ -240,6 +237,7 @@ static const KernelMeta kernelInfo[] = {
0x44074,
0x23CC0,
0x219F0,
0,
4,
4
},
@@ -250,6 +248,7 @@ static const KernelMeta kernelInfo[] = {
0x6086C,
0x3F134,
0x3D1A8,
0,
4,
4
},
@@ -260,6 +259,7 @@ static const KernelMeta kernelInfo[] = {
0x483FC,
0x26080,
0x240F0,
0,
4,
4
},
@@ -270,6 +270,7 @@ static const KernelMeta kernelInfo[] = {
0x48414,
0x26080,
0x240F0,
0,
4,
4
},
@@ -280,6 +281,7 @@ static const KernelMeta kernelInfo[] = {
0x4EBFC,
0x2AF64,
0x28F6C,
0,
8,
4
},
@@ -290,6 +292,7 @@ static const KernelMeta kernelInfo[] = {
0x5513C,
0x2AD34,
0x28DAC,
0x38C2C,
8,
8
},
@@ -300,6 +303,7 @@ static const KernelMeta kernelInfo[] = {
0x57548,
0x2BB8C,
0x29B6C,
0x3A8CC,
0x10,
0x10
},
@@ -310,6 +314,7 @@ static const KernelMeta kernelInfo[] = {
0x581B0,
0x2D044,
0x2B23C,
0x3C6E0,
0x10,
0x10
},
@@ -326,6 +331,9 @@ void pkg1_unpack(pk11_offs *offs, u32 pkg1Off);
void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info);
size_t calcKipSize(pkg2_kip1_t *kip1);
void pkg2_parse_kips(link_t *info, pkg2_hdr_t *pkg2);
bool hasCustomKern();
bool hasCustomSecmon();
bool hasCustomWb();
void loadKip(link_t *info, char *path);
u32 *getSndPayload(u32 id, size_t *size);
u32 *getRcvPayload(u32 id, size_t *size);
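Review bot: The new prototypes `bool hasCustomKern();`, `bool hasCustomSecmon();` and `bool hasCustomWb();` in the -326 hunk use an empty parameter list, which in C declares a function with unspecified arguments and disables argument checking at call sites; write them as `bool hasCustomKern(void);` and likewise for the other two. The new `GenericOff` field in KernelMeta (-228 hunk) is left uncommented while five table rows set it to 0 and three to a real offset, so what 0 means is unstated; if it is intended as "no JIT site for this kernel version", say so on the field, e.g. `u32 GenericOff; // JIT patch site; 0 = none for this version`, so the consumer in firmware.c knows to test it before writing. The KernelMeta struct and the kernelInfo table both extend beyond the hunks shown.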

1 comment on commit e0e59b7

@magi009



magi009 commented on e0e59b7 Feb 16, 2019

Reisyukaku, great job! Is there a repost for download, or is the launch coming next week?
