View
47 src/fuse.c

This file was deleted.

Oops, something went wrong.
View
21 src/fuse.h

This file was deleted.

Oops, something went wrong.
View
5 src/hwinit.h
@@ -41,4 +41,7 @@
#include "hwinit/nx_emmc.h"
#include "hwinit/se.h"
#include "hwinit/se_t210.h"
#include "hwinit/mmc.h"
#include "hwinit/mmc.h"
#include "hwinit/gfx.h"
#define DEFAULT_TEXT_COL ORANGE
View
2 src/hwinit/pmc.h
@@ -45,6 +45,6 @@
#define APBDEV_PMC_SCRATCH200 0x840
#define APBDEV_PMC_RST_STATUS_0 0x1B4
#define APBDEV_PMC_SECURE_SCRATCH49_0 0x3A4
#define APBDEV_PMC_SCRATCH49_0 0x244
#define APBDEV_PMC_SCRATCH49 0x244
#endif
View
1 src/hwinit/types.h
@@ -52,6 +52,7 @@ enum KB_FIRMWARE_VERSION {
KB_FIRMWARE_VERSION_301 = 2,
KB_FIRMWARE_VERSION_400 = 3,
KB_FIRMWARE_VERSION_500 = 4,
KB_FIRMWARE_VERSION_600 = 5,
KB_FIRMWARE_VERSION_MAX
};
View
13 src/hwinit/util.c
@@ -64,6 +64,19 @@ uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patt
return 0;
}
//probably could be more optimized :<
uPtr getFreeSpace(void *start, size_t space, size_t searchSize) {
for(int i = 0; i < searchSize; i++) {
if(*(u8*)(start+i) == 0) {
for(int j=0;j<space;j++) {
if(*(u8*)(start+i+j) != 0) break;
if(j==space-1) return (uintptr_t)(start+i);
}
}
}
return 0;
}
#define CRC32C_POLY 0x82F63B78
u32 crc32c(const void *buf, u32 len)
{
View
1 src/hwinit/util.h
@@ -35,6 +35,7 @@ void musleep(u32 milliseconds);
void usleep(u32 microseconds);
void exec_cfg(u32 *base, const cfg_op_t *ops, u32 num_ops);
uPtr memsearch(const u8 *startPos, u32 searchSize, const void *pattern, u32 patternSize);
uPtr getFreeSpace(void *start, size_t space, size_t searchSize);
u32 crc32c(const void *buf, u32 len);
#endif
View
112 src/kippatches.c

This file was deleted.

Oops, something went wrong.
View
31 src/kippatches.h

This file was deleted.

Oops, something went wrong.
View
61 src/kippatches/fs.inc
@@ -139,12 +139,59 @@ static kipdiff_t fs_diffs_510_nocmac[8] = {
{ 0, 0, NULL, NULL },
};
static kipdiff_t fs_diffs_600_exfat_nocmac[8] = {
{ 0x10B7F4, 4, "\x20\x0A\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x10BCF8, 4, "\xA0\x03\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x113934, 4, "\x60\x14\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x11429C, 4, "\x60\x06\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x1143DC, 4, "\x20\x07\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x11B128, 4, "\xC0\x05\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x11B254, 4, "\xC0\x06\x00\x36", "\x1F\x20\x03\xD5" },
{ 0, 0, NULL, NULL },
};
//exfat offsets are simply shifted by + 0xB700
static kipdiff_t fs_diffs_600_nocmac[8] = {
{ 0x1000F4, 4, "\x20\x0A\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x1005F8, 4, "\xA0\x03\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x108234, 4, "\x60\x14\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x108B9C, 4, "\x60\x06\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x108CDC, 4, "\x20\x07\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x10FA28, 4, "\xC0\x05\x00\x36", "\x1F\x20\x03\xD5" },
{ 0x10FB54, 4, "\xC0\x06\x00\x36", "\x1F\x20\x03\xD5" },
{ 0, 0, NULL, NULL },
};
static kipdiff_t fs_diffs_510_nogc[3] = {
{ 0xCF794, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
{ 0xD7770, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
{ 0, 0, NULL, NULL },
};
static kipdiff_t fs_diffs_600_exfat_nogc[3] = {
{ 0x15EFF4, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
{ 0x138320, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
{ 0, 0, NULL, NULL },
};
static kipdiff_t fs_diffs_600_nogc[3] = {
{ 0x1538F4, 4, "\x14\x40\x80\x52", "\x14\x80\x80\x52" },
{ 0x12CC20, 8, "\xF4\x4F\xBE\xA9\xFD\x7B\x01\xA9", "\xE0\x03\x1F\x2A\xC0\x03\x5F\xD6" },
{ 0, 0, NULL, NULL },
};
static kipdiff_t fs_diffs_600_exfat_nosigchk[3] = {
{ 0x7C9A8, 4, "\x8E\x3E\x00\x94", "\xE0\x03\x1F\x2A" },
{ 0xF678C, 4, "\xC0\x03\x00\x36", "\x1F\x20\x03\xD5" },
{ 0, 0, NULL, NULL },
};
static kipdiff_t fs_diffs_600_nosigchk[3] = {
{ 0x712A8, 4, "\x8E\x3E\x00\x94", "\xE0\x03\x1F\x2A" },
{ 0xEB08C, 4, "\xC0\x03\x00\x36", "\x1F\x20\x03\xD5" },
{ 0, 0, NULL, NULL },
};
/* patches */
static kippatch_t fs_kip_patches_100[] = {
@@ -204,3 +251,17 @@ static kippatch_t fs_kip_patches_510[] = {
{ "nogc", fs_diffs_510_nogc },
{ NULL, NULL }
};
static kippatch_t fs_kip_patches_600[] = {
{ "nosigchk", fs_diffs_600_nosigchk },
{ "nocmac", fs_diffs_600_nocmac },
{ "nogc", fs_diffs_600_nogc },
{ NULL, NULL }
};
static kippatch_t fs_kip_patches_600_exfat[] = {
{ "nosigchk", fs_diffs_600_exfat_nosigchk },
{ "nocmac", fs_diffs_600_exfat_nocmac },
{ "nogc", fs_diffs_600_exfat_nogc },
{ NULL, NULL }
};
View
136 src/package.c
@@ -14,11 +14,48 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "hwinit/gfx.h"
#include "hwinit/list.h"
#include "hwinit.h"
#include "error.h"
#include "fs.h"
#include "package.h"
#include "kippatches/fs.inc"
u8 *ReadPackage1(sdmmc_storage_t *storage) {
u8 *pk11 = malloc(0x40000);
sdmmc_storage_read(storage, 0x100000 / NX_EMMC_BLOCKSIZE, 0x40000 / NX_EMMC_BLOCKSIZE, pk11);
return pk11;
}
u8 *ReadPackage2(sdmmc_storage_t *storage) {
// Read GPT partition.
LIST_INIT(gpt);
sdmmc_storage_set_mmc_partition(storage, 0);
print("Parsing GPT...\n");
nx_emmc_gpt_parse(&gpt, storage);
emmc_part_t *pkg2_part = nx_emmc_part_find(&gpt, "BCPKG2-1-Normal-Main");
nx_emmc_gpt_free(&gpt);
if (!pkg2_part) {
error("Failed to read GPT!\n");
return 0;
}
// Read Package2.
u8 *tmp = (u8 *)malloc(NX_EMMC_BLOCKSIZE);
print("Reading Package2 size...\n");
nx_emmc_part_read(storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, 1, tmp);
u32 *hdr = (u32 *)(tmp + 0x100);
u32 pkg2_size = hdr[0] ^ hdr[2] ^ hdr[3];
free(tmp);
u8 *pkg2 = malloc(ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE));
print("Reading Package2...\n");
u32 ret = nx_emmc_part_read(storage, pkg2_part, 0x4000 / NX_EMMC_BLOCKSIZE, ALIGN(pkg2_size, NX_EMMC_BLOCKSIZE) / NX_EMMC_BLOCKSIZE, pkg2);
sdmmc_storage_end(storage);
if (!ret) {
error("Failed to read Package2!\n");
return 0;
}
return pkg2;
}
pkg2_hdr_t *unpackFirmwarePackage(u8 *data) {
print("Unpacking firmware...\n");
@@ -189,4 +226,99 @@ void loadKip(link_t *info, char *path) {
ki->kip1 = ckip;
ki->size = calcKipSize(ckip);
list_append(info, &ki->link);
}
// TODO: get full hashes somewhere and not just the first 16 bytes
// every second one is the exfat version
kippatchset_t kip_patches[] = {
{ "FS", "\xde\x9f\xdd\xa4\x08\x5d\xd5\xfe\x68\xdc\xb2\x0b\x41\x09\x5b\xb4", fs_kip_patches_100 },
{ "FS", "\xfc\x3e\x80\x99\x1d\xca\x17\x96\x4a\x12\x1f\x04\xb6\x1b\x17\x5e", fs_kip_patches_100 },
{ "FS", "\xcd\x7b\xbe\x18\xd6\x13\x0b\x28\xf6\x2f\x19\xfa\x79\x45\x53\x5b", fs_kip_patches_200 },
{ "FS", "\xe7\x66\x92\xdf\xaa\x04\x20\xe9\xfd\xd6\x8e\x43\x63\x16\x18\x18", fs_kip_patches_200 },
{ "FS", "\x0d\x70\x05\x62\x7b\x07\x76\x7c\x0b\x96\x3f\x9a\xff\xdd\xe5\x66", fs_kip_patches_210 },
{ "FS", "\xdb\xd8\x5f\xca\xcc\x19\x3d\xa8\x30\x51\xc6\x64\xe6\x45\x2d\x32", fs_kip_patches_210 },
{ "FS", "\xa8\x6d\xa5\xe8\x7e\xf1\x09\x7b\x23\xda\xb5\xb4\xdb\xba\xef\xe7", fs_kip_patches_300 },
{ "FS", "\x98\x1c\x57\xe7\xf0\x2f\x70\xf7\xbc\xde\x75\x31\x81\xd9\x01\xa6", fs_kip_patches_300 },
{ "FS", "\x57\x39\x7c\x06\x3f\x10\xb6\x31\x3f\x4d\x83\x76\x53\xcc\xc3\x71", fs_kip_patches_301 },
{ "FS", "\x07\x30\x99\xd7\xc6\xad\x7d\x89\x83\xbc\x7a\xdd\x93\x2b\xe3\xd1", fs_kip_patches_301 },
{ "FS", "\x06\xe9\x07\x19\x59\x5a\x01\x0c\x62\x46\xff\x70\x94\x6f\x10\xfb", fs_kip_patches_401 },
{ "FS", "\x54\x9b\x0f\x8d\x6f\x72\xc4\xe9\xf3\xfd\x1f\x19\xea\xce\x4a\x5a", fs_kip_patches_401 },
{ "FS", "\x80\x96\xaf\x7c\x6a\x35\xaa\x82\x71\xf3\x91\x69\x95\x41\x3b\x0b", fs_kip_patches_410 },
{ "FS", "\x02\xd5\xab\xaa\xfd\x20\xc8\xb0\x63\x3a\xa0\xdb\xae\xe0\x37\x7e", fs_kip_patches_410 },
{ "FS", "\xa6\xf2\x7a\xd9\xac\x7c\x73\xad\x41\x9b\x63\xb2\x3e\x78\x5a\x0c", fs_kip_patches_500 },
{ "FS", "\xce\x3e\xcb\xa2\xf2\xf0\x62\xf5\x75\xf8\xf3\x60\x84\x2b\x32\xb4", fs_kip_patches_500 },
{ "FS", "\x76\xf8\x74\x02\xc9\x38\x7c\x0f\x0a\x2f\xab\x1b\x45\xce\xbb\x93", fs_kip_patches_510 },
{ "FS", "\x10\xb2\xd8\x16\x05\x48\x85\x99\xdf\x22\x42\xcb\x6b\xac\x2d\xf1", fs_kip_patches_510 },
{ "FS", "\x1b\x82\xcb\x22\x18\x67\xcb\x52\xc4\x4a\x86\x9e\xa9\x1a\x1a\xdd", fs_kip_patches_600 },
{ "FS", "\x96\x6a\xdd\x3d\x20\xb6\x27\x13\x2c\x5a\x8d\xa4\x9a\xc9\xd8\xdd", fs_kip_patches_600_exfat },
{ NULL, NULL, NULL },
};
int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch) {
if (!patch || !patch->diffs) return -1;
for (kipdiff_t *diff = patch->diffs; diff->len; ++diff) {
if (!diff->len || diff->offset + diff->len > kipdata_len)
return 1 + (int)(diff - patch->diffs);
u8 *start = kipdata + diff->offset;
if (memcmp(start, diff->orig_bytes, diff->len))
continue;
// TODO: maybe start copying after every diff has been verified?
memcpy(start, diff->patch_bytes, diff->len);
}
return 0;
}
int nca_patch(u8 * kipdata, u64 kipdata_len) {
char pattern[8] = {0xE5, 0x07, 0x00, 0x32, 0xE0, 0x03, 0x16, 0xAA};
char buf[0x10];
memcpy(buf, kipdata+0x1C450, 0x10);
u32 * addr = memsearch(kipdata, kipdata_len, pattern, sizeof(pattern));
int ret=0;
int max_dist = 0x10;
for(int i=0; i<max_dist; i++) {
u32 op = addr[i];
if((op & 0xFC000000)==0x94000000) { //is a BL op
addr[i] = NOP;
ret=1;
break;
}
}
return ret;
}
int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset) {
char *patchFilter[] = { "nosigchk", "nocmac", "nogc", NULL };
if (!fopen("/ReiNX/nogc", "rb")) {
patchFilter[2] = NULL;
fclose();
}
for (kippatch_t *p = patchset->patches; p && p->name; ++p) {
int found = 0;
for (char **filtname = patchFilter; filtname && *filtname; ++filtname) {
if (!strcmp(p->name, *filtname)) {
found = 1;
break;
}
}
if (patchFilter && !found) continue;
int r = kippatch_apply(kipdata, kipdata_len, p);
if (r) return r;
}
if(!strncmp("FS", patchset->kip_name, 2))
nca_patch(kipdata, kipdata_len);
return 0;
}
kippatchset_t *kippatch_find_set(u8 *kiphash, kippatchset_t *patchsets) {
for (kippatchset_t *ps = patchsets; ps && ps->kip_name; ++ps) {
if (!memcmp(kiphash, ps->kip_hash, 0x10)) return ps;
}
return NULL;
}
View
60 src/package.h
@@ -31,21 +31,26 @@
#define FREE_CODE_OFF_1ST_302 0x494BC
#define FREE_CODE_OFF_1ST_400 0x52890
#define FREE_CODE_OFF_1ST_500 0x5C020
#define FREE_CODE_OFF_1ST_600 0x5EE00
#define ID_SND_OFF_100 0x23CC0
#define ID_SND_OFF_200 0x3F134
#define ID_SND_OFF_300 0x26080
#define ID_SND_OFF_302 0x26080
#define ID_SND_OFF_400 0x2AF64
#define ID_SND_OFF_500 0x2AD34
#define ID_SND_OFF_600 0x2BB88
#define ID_RCV_OFF_100 0x219F0
#define ID_RCV_OFF_200 0x3D1A8
#define ID_RCV_OFF_300 0x240F0
#define ID_RCV_OFF_302 0x240F0
#define ID_RCV_OFF_400 0x28F6C
#define ID_RCV_OFF_500 0x28DAC
#define ID_RCV_OFF_600 0x29B6C
#define NOP 0xD503201F
#define ADRP(r, o) 0x90000000 | ((((o) >> 12) & 0x3) << 29) | ((((o) >> 12) & 0x1FFFFC) << 3) | ((r) & 0x1F)
static u8 customSecmon = 0;
static u8 customWarmboot = 0;
@@ -225,6 +230,18 @@ static u32 PRC_ID_RCV_500[] =
0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
};
static u32 PRC_ID_SND_600[] =
{
0x2A1703EA, 0xD37EF54A, 0xF86A6B6A, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A, 0xD2FFFFC9,
0xEB09015F, 0x54000060, 0xF94043EA, 0xF9415948, 0xF94043EA
};
#define FREE_CODE_OFF_2ND_600 (FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600) + 4)
static u32 PRC_ID_RCV_600[] =
{
0xF9403BED, 0x2A1503EA, 0xD37EF54A, 0xF86A69AA, 0x92FFFFE9, 0x8A090148, 0xD2FFFFE9, 0x8A09014A,
0xD2FFFFC9, 0xEB09015F, 0x54000040, 0xF9415B08, 0xF9406FEA
};
static kernel_patch_t kern1[] = {
{ SVC_VERIFY_DS, 0x3764C, _NOP(), NULL }, // Disable SVC verifications
@@ -313,6 +330,21 @@ static kernel_patch_t kern5[] = {
{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
};
static kernel_patch_t kern6[] = {
{ SVC_VERIFY_DS, 0x47E98, _NOP(), NULL }, // Disable SVC verifications
{ DEBUG_MODE_EN, 0x52D40, _MOVZX(8, 1, 0), NULL }, // Enable Debug Patch
// Atmosphère kernel patches.
{ ATM_GEN_PATCH, ID_SND_OFF_600, _B(ID_SND_OFF_600, FREE_CODE_OFF_1ST_600), NULL}, // Send process id branch.
{ ATM_ARR_PATCH, FREE_CODE_OFF_1ST_600, sizeof(PRC_ID_SND_600) >> 2, PRC_ID_SND_600}, // Send process id code.
{ ATM_GEN_PATCH, FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), // Branch back and skip 2 instructions.
_B(FREE_CODE_OFF_1ST_600 + sizeof(PRC_ID_SND_600), ID_SND_OFF_600 + 8), NULL},
{ ATM_GEN_PATCH, ID_RCV_OFF_600, _B(ID_RCV_OFF_600, FREE_CODE_OFF_2ND_600), NULL}, // Receive process id branch.
{ ATM_ARR_PATCH, FREE_CODE_OFF_2ND_600, sizeof(PRC_ID_RCV_600) >> 2, PRC_ID_RCV_600}, // Receive process id code.
{ ATM_GEN_PATCH, FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), // Branch back and skip 2 instructions.
_B(FREE_CODE_OFF_2ND_600 + sizeof(PRC_ID_RCV_600), ID_RCV_OFF_600 + 8), NULL},
{0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, (u32*)0xFFFFFFFF}
};
static const pkg2_kernel_id_t _pkg2_kernel_ids[] =
{
{ 0x427f2647, kern1 }, //1.0.0
@@ -321,9 +353,37 @@ static const pkg2_kernel_id_t _pkg2_kernel_ids[] =
{ 0xe0e8cdc4, kern302 }, //3.0.2
{ 0x485d0157, kern4 }, //4.0.0 - 4.1.0
{ 0xf3c363f2, kern5 }, //5.0.0 - 5.1.0
{ 0x64ce1a44, kern6 }, //6.0.0
{ 0, 0 } //End.
};
typedef struct kipdiff_s {
u64 offset; // offset from start of kip's .text segment
u32 len; // length of below strings, NULL signifies end of patch
const char *orig_bytes; // original byte string (this must match exactly)
const char *patch_bytes; // replacement byte string (same length)
} kipdiff_t;
// a single patch for a particular kip version
typedef struct kippatch_s {
const char *name; // name/id of the patch, NULL signifies end of patchset
kipdiff_t *diffs; // array of kipdiff_t's to apply
} kippatch_t;
// a group of patches that patch several different things in a particular kip version
typedef struct kippatchset_s {
const char *kip_name; // name/id of the kip, NULL signifies end of patchset list
const char *kip_hash; // sha256 of the right version of the kip
kippatch_t *patches; // set of patches for this version of the kip
} kippatchset_t;
extern kippatchset_t kip_patches[];
u8 *ReadPackage1(sdmmc_storage_t *storage);
u8 *ReadPackage2(sdmmc_storage_t *storage);
int kippatch_apply(u8 *kipdata, u64 kipdata_len, kippatch_t *patch);
int kippatch_apply_set(u8 *kipdata, u64 kipdata_len, kippatchset_t *patchset);
kippatchset_t *kippatch_find_set(u8 *kiphash, kippatchset_t *patchsets);
pkg2_hdr_t *unpackFirmwarePackage(u8 *data);
void pkg1_unpack(pk11_offs *offs, u8 *pkg1);
void buildFirmwarePackage(u8 *kernel, u32 kernel_size, link_t *kips_info);
View
12 src/start.s
@@ -36,32 +36,32 @@
.type _start, %function
_start:
ADR R0, _start
LDR R1, =__ipl_start
LDR R1, =payload_start
CMP R0, R1
BEQ _real_start
/* If we are not in the right location already, copy a relocator to upper IRAM. */
ADR R2, _reloc_ipl
ADR R2, reloc_payload
LDR R3, =0x4003FF00
MOV R4, #(_real_start - _reloc_ipl)
MOV R4, #(_real_start - reloc_payload)
_copy_loop:
LDMIA R2!, {R5}
STMIA R3!, {R5}
SUBS R4, #4
BNE _copy_loop
/* Use the relocator to copy ourselves into the right place. */
LDR R2, =__ipl_end
LDR R2, =payload_end
SUB R2, R2, R1
LDR R3, =_real_start
LDR R4, =0x4003FF00
BX R4
_reloc_ipl:
reloc_payload:
LDMIA R0!, {R4-R7}
STMIA R1!, {R4-R7}
SUBS R2, #0x10
BNE _reloc_ipl
BNE reloc_payload
/* Jump to the relocated entry. */
BX R3