first commit

.gitignore

@@ -0,0 +1,3 @@
+build/
+*.elf
+*.cbp

Makefile

@@ -0,0 +1,177 @@
+#---------------------------------------------------------------------------------
+# Clear the implicit built in rules
+#---------------------------------------------------------------------------------
+.SUFFIXES:
+#---------------------------------------------------------------------------------
+ifeq ($(strip $(DEVKITPPC)),)
+$(error "Please set DEVKITPPC in your environment. export DEVKITPPC=<path to>devkitPPC")
+endif
+export PATH			:=	$(DEVKITPPC)/bin:$(PORTLIBS)/bin:$(PATH)
+export PORTLIBS		:=	$(DEVKITPRO)/portlibs/ppc
+
+GCC_VER := $(shell $(DEVKITPPC)/bin/powerpc-eabi-gcc -dumpversion)
+
+PREFIX	:=	powerpc-eabi-
+
+export AS	:=	$(PREFIX)as
+export CC	:=	$(PREFIX)gcc
+export CXX	:=	$(PREFIX)g++
+export AR	:=	$(PREFIX)ar
+export OBJCOPY	:=	$(PREFIX)objcopy
+
+#---------------------------------------------------------------------------------
+# TARGET is the name of the output
+# BUILD is the directory where object files & intermediate files will be placed
+# SOURCES is a list of directories containing source code
+# INCLUDES is a list of directories containing extra header files
+#---------------------------------------------------------------------------------
+TARGET		:=	main_hook
+BUILD		:=	build
+BUILD_DBG	:=	$(TARGET)_dbg
+SOURCES		:=	src
+DATA		:=
+INCLUDES	:=
+
+#---------------------------------------------------------------------------------
+# options for code generation
+#---------------------------------------------------------------------------------
+CFLAGS	:=  -std=gnu11 -mrvl -mcpu=750 -meabi -mhard-float -ffast-math -fno-builtin \
+		    -O0 -Wall -Wextra -Wno-unused-parameter -Wno-strict-aliasing $(INCLUDE)
+CXXFLAGS := -std=gnu++11 -mrvl -mcpu=750 -meabi -mhard-float -ffast-math \
+		    -O0 -Wall -Wextra -Wno-unused-parameter -Wno-strict-aliasing $(INCLUDE)
+ASFLAGS	:= -mregnames
+LDFLAGS	:= -nostartfiles -Wl,--gc-sections
+
+Q := @
+MAKEFLAGS += --no-print-directory
+#---------------------------------------------------------------------------------
+# any extra libraries we wish to link with the project
+#---------------------------------------------------------------------------------
+LIBS	:=
+
+#---------------------------------------------------------------------------------
+# list of directories containing libraries, this must be the top level containing
+# include and lib
+#---------------------------------------------------------------------------------
+LIBDIRS	:=	$(CURDIR)	\
+			$(DEVKITPPC)/lib  \
+			$(DEVKITPPC)/lib/gcc/powerpc-eabi/$(GCC_VER)
+
+
+#---------------------------------------------------------------------------------
+# no real need to edit anything past this point unless you need to add additional
+# rules for different file extensions
+#---------------------------------------------------------------------------------
+ifneq ($(BUILD),$(notdir $(CURDIR)))
+#---------------------------------------------------------------------------------
+export PROJECTDIR := $(CURDIR)
+export OUTPUT	:=	$(CURDIR)/$(TARGETDIR)/$(TARGET)
+export VPATH	:=	$(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \
+					$(foreach dir,$(DATA),$(CURDIR)/$(dir))
+export DEPSDIR	:=	$(CURDIR)/$(BUILD)
+
+#---------------------------------------------------------------------------------
+# automatically build a list of object files for our project
+#---------------------------------------------------------------------------------
+CFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
+CPPFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
+sFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
+SFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.S)))
+BINFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))
+TTFFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.ttf)))
+PNGFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.png)))
+
+#---------------------------------------------------------------------------------
+# use CXX for linking C++ projects, CC for standard C
+#---------------------------------------------------------------------------------
+ifeq ($(strip $(CPPFILES)),)
+	export LD	:=	$(CC)
+else
+	export LD	:=	$(CXX)
+endif
+
+export OFILES	:=	$(CPPFILES:.cpp=.o) $(CFILES:.c=.o) \
+					$(sFILES:.s=.o) $(SFILES:.S=.o) \
+					$(PNGFILES:.png=.png.o) $(addsuffix .o,$(BINFILES))
+
+#---------------------------------------------------------------------------------
+# build a list of include paths
+#---------------------------------------------------------------------------------
+export INCLUDE	:=	$(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
+					$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
+					-I$(CURDIR)/$(BUILD)
+
+#---------------------------------------------------------------------------------
+# build a list of library paths
+#---------------------------------------------------------------------------------
+export LIBPATHS	:=	$(foreach dir,$(LIBDIRS),-L$(dir)/lib) \
+					 -L$(PORTLIBS)/lib
+
+export OUTPUT	:=	$(CURDIR)/$(TARGET)
+.PHONY: $(BUILD) clean install
+
+#---------------------------------------------------------------------------------
+$(BUILD):
+	@[ -d $@ ] || mkdir -p $@
+	@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
+
+#---------------------------------------------------------------------------------
+clean:
+	@echo clean ...
+	@rm -fr $(BUILD) $(OUTPUT).elf $(OUTPUT).bin $(BUILD_DBG).elf    
+
+#---------------------------------------------------------------------------------
+else
+
+DEPENDS	:=	$(OFILES:.o=.d)
+
+#---------------------------------------------------------------------------------
+# main targets
+#---------------------------------------------------------------------------------
+$(OUTPUT).elf: $(OFILES)
+
+#---------------------------------------------------------------------------------
+# This rule links in binary data with the .jpg extension
+#---------------------------------------------------------------------------------
+%.elf: link.ld $(OFILES)
+	@echo "linking ... $(TARGET).elf"
+	$(Q)$(LD) -n -T $^ $(LDFLAGS) -o ../$(BUILD_DBG).elf  $(LIBPATHS) $(LIBS)
+	$(Q)$(OBJCOPY) -S -R .comment -R .gnu.attributes ../$(BUILD_DBG).elf $@
+
+#---------------------------------------------------------------------------------
+%.a:
+#---------------------------------------------------------------------------------
+	@echo $(notdir $@)
+	@rm -f $@
+	@$(AR) -rc $@ $^
+
+#---------------------------------------------------------------------------------
+%.o: %.cpp
+	@echo $(notdir $<)
+	@$(CXX) -MMD -MP -MF $(DEPSDIR)/$*.d $(CXXFLAGS) -c $< -o $@ $(ERROR_FILTER)
+
+#---------------------------------------------------------------------------------
+%.o: %.c
+	@echo $(notdir $<)
+	@$(CC) -MMD -MP -MF $(DEPSDIR)/$*.d $(CFLAGS) -c $< -o $@ $(ERROR_FILTER)
+
+#---------------------------------------------------------------------------------
+%.o: %.S
+	@echo $(notdir $<)
+	@$(CC) -MMD -MP -MF $(DEPSDIR)/$*.d -x assembler-with-cpp $(ASFLAGS) -c $< -o $@ $(ERROR_FILTER)
+
+#---------------------------------------------------------------------------------
+%.png.o : %.png
+	@echo $(notdir $<)
+	@bin2s -a 32 $< | $(AS) -o $(@)
+
+#---------------------------------------------------------------------------------
+%.ttf.o : %.ttf
+	@echo $(notdir $<)
+	@bin2s -a 32 $< | $(AS) -o $(@)
+
+-include $(DEPENDS)
+
+#---------------------------------------------------------------------------------
+endif
+#---------------------------------------------------------------------------------

README.md

@@ -0,0 +1,71 @@
+# Payload loader
+
+This is a generic payload loader for the Wii U to load arbitrary from the SD Card.  
+Currently it's hardcoded to loads a `.elf` file from `sd:/wiiu/payload.elf`.
+
+# Preconditions
+
+This loader expects:  
+
+  - to be able to run at `0x011DD000` (and copied to this place and then executed).
+  - to be running inside Mii Maker (for the SD card access),
+  - the common `kern_write` (0x35) and `kern_read` (0x34) syscalls installed
+  (hooks on `0x0xFFF02234` (write) / `0x0xFFF02214` (read) on FW 5.5.0+)
+  - the 0x09 syscall installed which is expected to be a function manipulate
+  IBAT0 (`extern void SC_0x09_SETIBAT0(uint32_t upper, uint32_t lower);`)
+
+  Running in any other application with sd access may also work, the IBAT0 setup
+  may be to be adjusted though (set back to orignal values at the end)
+
+# Usage
+A common usage for this would be to exploit an application, do a kernel exploit
+to be able to have kernel read/write, somehow copy the sections of the payload
+loader `.elf` file to the expected destination in memory fulfill the mentioned
+preconditions.
+
+After that, simply put the `.elf` to be loaded in `sd:/wiiu/payload.elf`
+
+The loaded `.elf` needs to be statically linked somewhere between `0x00800000
+and 0x0‭1000000‬`. This whole area is has rwx for both, user and supervisor
+(kernel) mode and can be used.  
+
+**This mapping only lasts for this exeuction!** As soon as you leave the running
+application (in this case the Mii Maker), the mapping will be reset and you will
+loose access to the `0x00800000` region.
+
+# Compiling
+
+In order to be able to compile this, you need to have installed
+[devkitPPC](https://devkitpro.org/wiki/Getting_Started) with the following
+pacman packages installed.
+
+```
+pacman -Syu devkitPPC
+```
+
+Make sure the following environment variables are set:
+```
+DEVKITPRO=/opt/devkitpro
+DEVKITPPC=/opt/devkitpro/devkitPPC
+```
+
+# Technical details
+- This payload loader is supposed to loaded somewhere between
+`01000000..01800000` (virtual address), `0x011DD000...0x011E0000` should be free to use.
+- The 0x09 syscall is used to set IBAT0 to map `01000000..01800000` (virtual address) to
+`32000000..32800000` (physical address) with r/w for user and kernel.
+This includes the region where payload loader is, and allows us to register
+and execute kernel syscall.
+- This setting is meant to match the orignal IBAT0 values (at least in Mii Maker),
+but with r/w for the kernel. Resetting is not needed when using the Mii Maker,
+but may be needed to be adjusted.
+- Afterwards it's possible to register an own syscall (we use 0x36 as it's unused)
+to setup IBAT4 and DBAT5 to make `00000000..00800000` (virtual address) to
+`30000000..30800000` (physical address) with r/w for user and supervisor.
+This allows full user/kernel access to this region, for data and code.
+- The mapping is done for all 3 cores.
+
+# Credits
+
+- orboditilt
+- dimok789: Most parts (especially sd loading, elf copying) are based on the [homebrew launcher sd loader](https://github.com/dimok789/homebrew_launcher/tree/master/sd_loader).

src/common.h

@@ -0,0 +1,36 @@
+#ifndef COMMON_H
+#define	COMMON_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define OSDynLoad_Acquire ((void (*)(char* rpl, unsigned int *handle))0x0102A3B4)
+#define OSDynLoad_FindExport ((void (*)(unsigned int handle, int isdata, char *symbol, void *address))0x0102B828)
+#define OSFatal ((void (*)(char* msg))0x01031618)
+
+#define ADDRESS_OSTitle_main_entry_ptr              0x1005E040
+#define ADDRESS_main_entry_hook                     0x0101c56c
+
+#define KERN_SYSCALL_TBL_1                          0xFFE84C70 // unknown
+#define KERN_SYSCALL_TBL_2                          0xFFE85070 // works with games
+#define KERN_SYSCALL_TBL_3                          0xFFE85470 // works with loader
+#define KERN_SYSCALL_TBL_4                          0xFFEAAA60 // works with home menu
+#define KERN_SYSCALL_TBL_5                          0xFFEAAE60 // works with browser (previously KERN_SYSCALL_TBL)
+
+#define CAFE_OS_SD_PATH                             "/vol/external01"
+#define SD_PATH                                     "sd:"
+#define WIIU_PATH "/wiiu"
+
+#define EXPORT_DECL(res, func, ...) res (* func)(__VA_ARGS__);
+#define OS_FIND_EXPORT(handle, funcName, func) OSDynLoad_FindExport(handle, 0, funcName, &func)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif	/* COMMON_H */
+