Updated firm.bin to 11.3, stole new reboot.s, went back to decrypting…

… arm9bin, make custom loader optional (if exists on SD), updated cakesbrah, etc
Reisyukaku · Feb 23, 2017 · b7d138f · b7d138f
1 parent a42c528
commit b7d138f
Show file tree

Hide file tree

Showing 9 changed files with 184 additions and 255 deletions.
diff --git a/CakeBrah b/CakeBrah
diff --git a/data/firmware.bin b/data/firmware.bin
diff --git a/payloads/reboot.s b/payloads/reboot.s
@@ -1,221 +1,139 @@
-.nds
-.create "build/reboot.bin", 0
+; Code originally from delebile and mid-kid
+
+.arm.little
 
-byteswritten equ 0x2000E000
-externalFirm equ 0x2000A000
-kernelCode equ 0x080F0000
-buffer equ 0x24000000
-fileOpen equ 0x4E45504F ;dummy
+payload_addr equ 0x23F00000   ; Brahma payload address
+payload_maxsize equ 0x100000  ; Maximum size for the payload (maximum that CakeBrah supports)
 
+.create "build/reboot.bin", 0
 .arm
-//Code jumps here right after the sprintf call
-process9Reboot:
-	doPxi:
-        ldr r4, =0x44846
-		ldr r0, =0x10008000
-		readPxiLoop1:
-			ldrh r1, [r0,#4]
-			.word 0xE1B01B81	//lsls r1, r1, #0x17
-			bmi readPxiLoop1
-			ldr r0, [r0,#0xC]		
-        cmp r0, r4
-        bne doPxi
-
-	GetFirmPath:
-		add r0, sp, #0x3A8-0x70+0x24
-		ldr r1, [r0], #4
-		ldr r2, =0x00300030
-		cmp r1, r2
-		ldreq r1, [r0], #4
-		ldreq r2, =0x002F0032
-		cmpeq r1, r2
-
-	OpenFirm:
-		ldreq r1, =(FileName - OpenFirm - 12)
-		addeq r1, pc
-		addne r1, sp, #0x3A8-0x70
-		ldr r0, =externalFirm
-		moveq r2, #1
-		movne r2, #0
-		str r2, [r0]
-		mov r2, #1
-		add r0, r7, #8
-		ldr r6, =fileOpen
-		blx r6
-
-    SeekFirm:
-		ldr r0, =externalFirm
-		ldr r0, [r0]
-		cmp r0, #1
-		moveq r0, r7
-        ldreq r1, =byteswritten
-        ldreq r2, =buffer
-        ldreq r3, =0x0
-		ldreq r6, [sp,#0x3A8-0x198]
-		ldreq r6, [r6,#0x28]	//fread function stored here
-		blxeq r6
-
-	ReadFirm:
-		mov r0, r7
-        ldr r1, =byteswritten
-        ldr r2, =buffer
-        ldr r3, =0x200000
-		ldr r6, [sp,#0x3A8-0x198]
-		ldr r6, [r6,#0x28]	//fread function stored here
-		blx r6
-
-    KernelSetState:
-        mov r2, #0
-        mov r3, r2
-        mov r1, r2
-        mov r0, r2
-        .word 0xEF00007C    //SVC 0x7C
-
-    GoToReboot:
-        ldr r0, =(KernelCodeStart - GoToReboot - 12)
-		add r0, pc
-		ldr r1, =kernelCode
-		ldr r2, =0x300
-		bl Memcpy
-
-		ldr r0, =kernelCode
-        .word 0xEF00007B    //SVC 0x7B
-
-    InfiniteLoop:
-        b InfiniteLoop
-
-Memcpy:
-	MOV     R12, LR
-	STMFD   SP!, {R0-R4}
-	ADD     R2, R2, R0
-
-	memcpyLoop:
-		LDR     R3, [R0],#4
-		STR     R3, [R1],#4
-		CMP     R0, R2
-		BLT     memcpyLoop
-		LDMFD   SP!, {R0-R4}
-		MOV     LR, R12
-		BX      LR
-
-FileName:
-	.dcw "sdmc:/rei/rebootFirmware.bin"
-	.word 0x0
+    ; Interesting registers and locations to keep in mind, set just before this code is ran:
+    ; - r1: FIRM path in exefs.
+    ; - r7: pointer to file object
+    ;   - *r7: vtable
+    ;       - *(vtable + 0x28): fread function 
+    ;   - *(r7 + 8): file handle
+
+    mov r8, r1
+
+    pxi_wait_recv:
+        ldr r2, =0x44846
+        ldr r0, =0x10008000
+        readPxiLoop1:
+            ldrh r1, [r0, #4]
+            lsls r1, #0x17
+            bmi readPxiLoop1
+            ldr r0, [r0, #0xC]
+        cmp r0, r2
+        bne pxi_wait_recv
+
+    mov r4, #2
+
+    open_payload:
+        ; Open file
+        add r0, r7, #8
+        adr r1, fname
+        mov r2, #1
+        ldr r6, [fopen]
+        orr r6, 1
+        blx r6
+        cmp r0, #0
+        beq read_payload
+        subs r4, r4, #1
+        beq panic
+        adr r0, fname
+        adr r1, nand_mount
+        mov r2, #8
+        bl memcpy16
+        b open_payload
+
+    read_payload:
+        ; Read file
+        mov r0, r7
+        adr r1, bytes_read
+        ldr r2, =payload_addr
+        ldr r3, =payload_maxsize
+        ldr r6, [r7]
+        ldr r6, [r6, #0x28]
+        blx r6
+
+    ; Copy the low TID (in UTF-16) of the wanted firm to the 5th byte of the payload
+    ldr r0, =payload_addr + 4
+    add r1, r8, #0x1A
+    mov r2, #0x10
+    bl memcpy16
+
+    ; Set kernel state
+    mov r0, #0
+    mov r1, #0
+    mov r2, #0
+    mov r3, #0
+    swi 0x7C
+
+    goto_reboot:
+        ; Jump to reboot code
+        ldr r0, =(kernelcode_start - goto_reboot - 12)
+        add r0, pc ; pc is two instructions ahead of the instruction being executed (12 = 2*4 + 4)
+        swi 0x7B
+
+    die:
+        b die
 
+    memcpy16:
+        add r2, r0, r2
+        copy_loop:
+            ldrh r3, [r1], #2
+            strh r3, [r0], #2
+            cmp r0, r2
+            blo copy_loop
+        bx lr
+
+    panic:
+        mov r1, r0 ; unused register
+        mov r0, #0
+        swi 0x3C ; svcBreak(USERBREAK_PANIC)
+        b die
+
+bytes_read: .word 0
+fopen: .ascii "OPEN"
+.pool
+fname: .dcw "sdmc:/arm9loaderhax.bin"
+       .word 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
 .pool
+nand_mount: .dcw "nand"
 
-// Kernel Code
 .align 4
-KernelCodeStart:
-	memorySetting:
-		MRC     p15, 0, R0,c2,c0, 0
-        MRC     p15, 0, R12,c2,c0, 1
-        MRC     p15, 0, R1,c3,c0, 0
-        MRC     p15, 0, R2,c5,c0, 2
-        MRC     p15, 0, R3,c5,c0, 3
-        LDR     R4, =0x18000035
-        BIC     R2, R2, #0xF0000
-        BIC     R3, R3, #0xF0000
-        ORR     R0, R0, #0x10
-        ORR     R2, R2, #0x30000
-        ORR     R3, R3, #0x30000
-        ORR     R12, R12, #0x10
-        ORR     R1, R1, #0x10
-        MCR     p15, 0, R0,c2,c0, 0
-        MCR     p15, 0, R12,c2,c0, 1
-        MCR     p15, 0, R1,c3,c0, 0
-        MCR     p15, 0, R2,c5,c0, 2
-        MCR     p15, 0, R3,c5,c0, 3
-        MCR     p15, 0, R4,c6,c4, 0
-        MRC     p15, 0, R0,c2,c0, 0
-        MRC     p15, 0, R1,c2,c0, 1
-        MRC     p15, 0, R2,c3,c0, 0
-        ORR     R0, R0, #0x20
-        ORR     R1, R1, #0x20
-        ORR     R2, R2, #0x20
-        MCR     p15, 0, R0,c2,c0, 0
-        MCR     p15, 0, R1,c2,c0, 1
-        MCR     p15, 0, R2,c3,c0, 0
-
-    copyFirmPartitions:
-        LDR     R4, =buffer
-        ADD     R3, R4, #0x40
-        LDR     R0, [R3]
-        ADD     R0, R0, R4
-        LDR     R1, [R3,#4]
-        LDR     R2, [R3,#8] 
-		bl KernelMemcpy
-
-        ADD     R3, R4, #0x70
-        LDR     R0, [R3]
-        ADD     R0, R0, R4
-        LDR     R1, [R3,#4]
-        LDR     R2, [R3,#8]
-        bl KernelMemcpy
-
-        ADD     R3, R4, #0xA0
-        LDR     R0, [R3]
-        ADD     R0, R0, R4
-        LDR     R1, [R3,#4]
-        LDR     R2, [R3,#8]
-        bl KernelMemcpy
-
-		ADD     R3, R4, #0xD0
-        LDR     R0, [R3]
-		CMP		R0, #0
-		BEQ		invalidateDataCache
-        ADD     R0, R0, R4
-        LDR     R1, [R3,#4]
-        LDR     R2, [R3,#8]
-        bl KernelMemcpy
-
-    invalidateDataCache:
-        MOV     R2, #0
-        MOV     R1, R2
-        loc_809460C:
-        MOV     R0, #0
-        MOV     R3, R2,LSL#30
-        loc_8094614:
-        ORR     R12, R3, R0,LSL#5
-        MCR     p15, 0, R1,c7,c10, 4
-        MCR     p15, 0, R12,c7,c14, 2
-        ADD     R0, R0, #1
-        CMP     R0, #0x20
-        BCC     loc_8094614
-        ADD     R2, R2, #1
-        CMP     R2, #4
-        BCC     loc_809460C
-
-    jumpToEntrypoint:
-        MCR     p15, 0, R1,c7,c10, 4
-        LDR     R0, =0x42078
-        MCR     p15, 0, R0,c1,c0, 0
-        MCR     p15, 0, R1,c7,c5, 0
-        MCR     p15, 0, R1,c7,c6, 0
-        MCR     p15, 0, R1,c7,c10, 4
-		LDR     R4, =buffer
-        MOV     R1, #0x1FFFFFFC
-		LDR     R2, [R4,#8]
-		STR     R2, [R1]
-		LDR     R0, [R4,#0xC]
-		BX      R0
-.pool
+    kernelcode_start:
 
-KernelMemcpy:
-	MOV     R12, LR
-	STMFD   SP!, {R0-R4}
-	ADD     R2, R2, R0
-
-	kmemcpyLoop:
-		LDR     R3, [R0],#4
-		STR     R3, [R1],#4
-		CMP     R0, R2
-		BLT     kmemcpyLoop
-		LDMFD   SP!, {R0-R4}
-		MOV     LR, R12
-		BX      LR
-.pool
+    ; Disable MPU
+    ldr r0, =0x42078 ; alt vector select, enable itcm
+    mcr p15, 0, r0, c1, c0, 0
+
+    ; Clean and flush data cache
+    mov r1, #0 ; segment counter
+    outer_loop:
+        mov r0, #0 ; line counter
 
-KernelCodeEnd:
+        inner_loop:
+            orr r2, r1, r0 ; generate segment and line address
+            mcr p15, 0, r2, c7, c14, 2 ; clean and flush the line
+            add r0, #0x20 ; increment to next line
+            cmp r0, #0x400
+            bne inner_loop
 
-.close
+        add r1, #0x40000000
+        cmp r1, #0
+        bne outer_loop
+
+    ; Drain write buffer
+    mcr p15, 0, r1, c7, c10, 4
+
+    ; Flush instruction cache
+    mcr p15, 0, r1, c7, c5, 0
+
+    ; Jump to payload
+    ldr r0, =payload_addr
+    bx r0
+
+.pool
+.close