CBHC now comes with a version of wupserver that can be used in for ex…

…ample ftpiiu-everywhere

updated installer for this new wupserver version

dsrom/CBHC/Makefile

@@ -16,11 +16,16 @@ FIRMWARE = 550
 
 all: clean setup main
 
-$(CURDIR)/payload/arm_kernel_bin.h:  $(CURDIR)/payload/arm_user_bin.h
+$(CURDIR)/payload/arm_kernel_bin.h:  $(CURDIR)/payload/wupserver_bin.h $(CURDIR)/payload/arm_user_bin.h
 	@$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f  $(CURDIR)/arm_kernel/Makefile
 	@-mkdir -p $(CURDIR)/payload
 	@cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@
-
+
+$(CURDIR)/payload/wupserver_bin.h:
+	@$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f  $(CURDIR)/../../wupserver/Makefile
+	@-mkdir -p $(CURDIR)/payload
+	@cp -p $(CURDIR)/../../wupserver/wupserver_bin.h $@
+
 $(CURDIR)/payload/arm_user_bin.h:
 	@$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f  $(CURDIR)/arm_user/Makefile
 	@-mkdir -p $(CURDIR)/payload
@@ -41,4 +46,5 @@ clean:
 	rm -rf $(build) payload
 	rm -rf CBHC.elf CBHC.map
 	$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f  $(CURDIR)/arm_user/Makefile clean
+	@$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f  $(CURDIR)/../../wupserver/Makefile clean
 	$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f  $(CURDIR)/arm_kernel/Makefile clean

dsrom/CBHC/arm_kernel/source/main.c

@@ -1,6 +1,7 @@
 #include "types.h"
 #include "utils.h"
 #include "../../payload/arm_user_bin.h"
+#include "../../payload/wupserver_bin.h"
 
 static const char repairData_set_fault_behavior[] = {
 	0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
@@ -88,16 +89,29 @@ int _main()
 	void * pUserBinDest = (void*)0x101312D0;
 	kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
 
+	// overwrite mcp_d_r code with wupserver
+	*(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
+	void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
+	kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
+	invalidate_dcache((u32)test, sizeof(wupserver_bin));
+	invalidate_icache();
+
+	// replace ioctl 0x62 code with jump to wupserver
+	*(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
+	*(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
+	*(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
+	*(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
+
 	// fix 10 minute timeout that crashes MCP after 10 minutes of booting
-	*(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF;        // NEW_TIMEOUT
+	*(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT
 
 	// patch cached cert check
-	*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000;    // mov r0, 0
-	*(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E;    // bx lr
+	*(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0
+	*(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 
 	// patch cert verification
-	*(volatile u32*)(0x05052A90 - 0x05000000 + 0x081C0000) = 0xe3a00000;    // mov r0, #0
-	*(volatile u32*)(0x05052A94 - 0x05000000 + 0x081C0000) = 0xe12fff1e;    // bx lr
+	*(volatile u32*)(0x05052A90 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0
+	*(volatile u32*)(0x05052A94 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr
 
 	// patch MCP authentication check
 	*(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr

dsrom/CBHC/main.c

@@ -36,32 +36,37 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp
 #define FORCE_SYSMENU (VPAD_BUTTON_ZL | VPAD_BUTTON_ZR | VPAD_BUTTON_L | VPAD_BUTTON_R)
 #define FORCE_HBL (VPAD_BUTTON_A | VPAD_BUTTON_B | VPAD_BUTTON_X | VPAD_BUTTON_Y)
 #define SD_HBL_PATH "/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf"
+#define SD_MOCHA_PATH "/vol/external01/wiiu/apps/mocha/mocha.elf"
 
-static const char *verChar = "CBHC v1.1 by FIX94";
+static const char *verChar = "CBHC v1.2 by FIX94";
 
 #define DEFAULT_DISABLED 0
 #define DEFAULT_SYSMENU 1
 #define DEFAULT_HBL 2
-#define DEFAULT_CFW_IMG 3
-#define DEFAULT_MAX 4
+#define DEFAULT_MOCHA 3
+#define DEFAULT_CFW_IMG 4
+#define DEFAULT_MAX 5
 
 static const char *defOpts[DEFAULT_MAX] = {
 	"DEFAULT_DISABLED",
 	"DEFAULT_SYSMENU",
 	"DEFAULT_HBL",
+	"DEFAULT_MOCHA",
 	"DEFAULT_CFW_IMG",
 };
 
 static const char *bootOpts[DEFAULT_MAX] = {
 	"Disabled",
 	"System Menu",
 	"Homebrew Launcher",
+	"Mocha CFW",
 	"fw.img on SD Card",
 };
 
 #define LAUNCH_SYSMENU 0
 #define LAUNCH_HBL 1
-#define LAUNCH_CFW_IMG 2
+#define LAUNCH_MOCHA 2
+#define LAUNCH_CFW_IMG 3
 
 #define OSScreenEnable(enable) OSScreenEnableEx(0, enable); OSScreenEnableEx(1, enable);
 #define OSScreenClearBuffer(tmp) OSScreenClearBufferEx(0, tmp); OSScreenClearBufferEx(1, tmp);
@@ -86,9 +91,6 @@ uint32_t __main(void)
 	OSDynLoad_FindExport(sysapp_handle,0,"_SYSGetSystemApplicationTitleId",&_SYSGetSystemApplicationTitleId);
 	unsigned long long sysmenu = _SYSGetSystemApplicationTitleId(0);
 
-	//set up default hbl path
-	strcpy((void*)0xF5E70000,SD_HBL_PATH);
-
 	unsigned int vpad_handle;
 	OSDynLoad_Acquire("vpad.rpl", &vpad_handle);
 
@@ -112,6 +114,7 @@ uint32_t __main(void)
 		else if(((vpad.btns_d|vpad.btns_h) & FORCE_HBL) == FORCE_HBL)
 		{
 			// original hbl loader payload
+			strcpy((void*)0xF5E70000,SD_HBL_PATH);
 			return 0x01800000;
 		}
 	}
@@ -298,7 +301,7 @@ uint32_t __main(void)
 cbhc_menu:	;
 	int redraw = 1;
 	int PosX = 0;
-	int ListMax = 4;
+	int ListMax = 5;
 	int clickT = 0;
 	while(1)
 	{
@@ -342,7 +345,7 @@ cbhc_menu:	;
 
 		if( btnDown & VPAD_BUTTON_A )
 		{
-			if(PosX == 3)
+			if(PosX == 4)
 			{
 				cur_autoboot++;
 				if(cur_autoboot == DEFAULT_MAX)
@@ -366,10 +369,12 @@ cbhc_menu:	;
 			OSScreenPutFont(0, 1, printStr);
 			__os_snprintf(printStr,64,"%c Boot Homebrew Launcher", 1 == PosX ? '>' : ' ');
 			OSScreenPutFont(0, 2, printStr);
-			__os_snprintf(printStr,64,"%c Boot fw.img on SD Card", 2 == PosX ? '>' : ' ');
+			__os_snprintf(printStr,64,"%c Boot Mocha CFW", 2 == PosX ? '>' : ' ');
 			OSScreenPutFont(0, 3, printStr);
-			__os_snprintf(printStr,64,"%c Autoboot: %s", 3 == PosX ? '>' : ' ', bootOpts[cur_autoboot]);
+			__os_snprintf(printStr,64,"%c Boot fw.img on SD Card", 3 == PosX ? '>' : ' ');
 			OSScreenPutFont(0, 4, printStr);
+			__os_snprintf(printStr,64,"%c Autoboot: %s", 4 == PosX ? '>' : ' ', bootOpts[cur_autoboot]);
+			OSScreenPutFont(0, 5, printStr);
 
 			OSScreenFlipBuffers();
 			redraw = 0;
@@ -428,7 +433,15 @@ cbhc_menu:	;
 	IOS_Close(dev_uhs_0_handle);
 
 	if(launchmode == LAUNCH_HBL)
+	{
+		strcpy((void*)0xF5E70000,SD_HBL_PATH);
+		return 0x01800000;
+	}
+	else if(launchmode == LAUNCH_MOCHA)
+	{
+		strcpy((void*)0xF5E70000,SD_MOCHA_PATH);
 		return 0x01800000;
+	}
 	//sysmenu or cfw
 	if(launchmode == LAUNCH_CFW_IMG)
 		OSForceFullRelaunch();

installer/Makefile

@@ -136,9 +136,9 @@ $(CURDIR)/payload/arm_kernel_bin.h:  $(CURDIR)/payload/wupserver_bin.h $(CURDIR)
 	@cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@
 
 $(CURDIR)/payload/wupserver_bin.h:
-	@$(MAKE) --no-print-directory -C $(CURDIR)/wupserver -f  $(CURDIR)/wupserver/Makefile
+	@$(MAKE) --no-print-directory -C $(CURDIR)/../wupserver -f  $(CURDIR)/../wupserver/Makefile
 	@-mkdir -p $(CURDIR)/payload
-	@cp -p $(CURDIR)/wupserver/wupserver_bin.h $@
+	@cp -p $(CURDIR)/../wupserver/wupserver_bin.h $@
 
 $(CURDIR)/payload/arm_user_bin.h:
 	@$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f  $(CURDIR)/arm_user/Makefile
@@ -150,7 +150,7 @@ clean:
 	@echo clean ...
 	@rm -fr $(BUILD) $(CURDIR)/*.elf $(CURDIR)/payload
 	@$(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f  $(CURDIR)/arm_user/Makefile clean
-	@$(MAKE) --no-print-directory -C $(CURDIR)/wupserver -f  $(CURDIR)/wupserver/Makefile clean
+	@$(MAKE) --no-print-directory -C $(CURDIR)/../wupserver -f  $(CURDIR)/../wupserver/Makefile clean
 	@$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f  $(CURDIR)/arm_kernel/Makefile clean
 
 

installer/arm_kernel/source/main.c

@@ -89,7 +89,9 @@ int _main()
 	void * pUserBinDest = (void*)0x101312D0;
 	kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
 
-	void * test = (void*)(0x05100000 - 0x05100000 + 0x13D80000);
+	// overwrite mcp_d_r code with wupserver
+	*(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
+	void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
 	kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
 	invalidate_dcache((u32)test, sizeof(wupserver_bin));
 	invalidate_icache();
@@ -98,7 +100,7 @@ int _main()
 	*(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc
 	*(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc]
 	*(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1
-	*(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x05100000; // wupserver code
+	*(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code
 
 	*(unsigned int*)(0x050282AE - 0x05000000 + 0x081C0000) = 0xF031FB43; // bl launch_os_hook
 

installer/src/main.c

@@ -125,9 +125,9 @@ int availSort(const void *c1, const void *c2)
 void printhdr_noflip()
 {
 #ifdef CB
-	println_noflip(0,"CBHC v1.1 by FIX94");
+	println_noflip(0,"CBHC v1.2 by FIX94");
 #else
-	println_noflip(0,"Haxchi v2.3 by FIX94");
+	println_noflip(0,"Haxchi v2.3u1 by FIX94");
 #endif
 	println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
 }
@@ -369,19 +369,24 @@ int Menu_Main(void)
 	int line = 6;
 #endif
 
-	//will inject our custom mcp code
-	println(line++,"Doing IOSU Exploit...");
-	IOSUExploit();
-
 	int fsaFd = -1;
 	int sdMounted = 0;
 	int sdFd = -1, mlcFd = -1, slcFd = -1;
 
-	//done with iosu exploit, take over mcp
-	if(MCPHookOpen() < 0)
+	//open up iosuhax
+	int res = IOSUHAX_Open(NULL);
+	if(res < 0)
+		res = MCPHookOpen();
+	if(res < 0)
 	{
-		println(line++,"MCP hook could not be opened!");
-		goto prgEnd;
+		println(line++,"Doing IOSU Exploit...");
+		IOSUExploit();
+		//done with iosu exploit, take over mcp
+		if(MCPHookOpen() < 0)
+		{
+			println(line++,"MCP hook could not be opened!");
+			goto prgEnd;
+		}
 	}
 
 	//mount with full permissions
@@ -838,8 +843,11 @@ int Menu_Main(void)
 			println(line++, "Flushed NAND Cache!");
 		IOSUHAX_FSA_Close(fsaFd);
 	}
-	//close out old mcp instance
-	MCPHookClose();
+	//close out iosuhax
+	if(mcp_hook_fd >= 0)
+		MCPHookClose();
+	else
+		IOSUHAX_Close();
 	sleep(5);
 	//will do IOSU reboot
 	OSForceFullRelaunch();

release/wiiu/apps/cbhc/meta.xml

@@ -2,9 +2,9 @@
 <app version="1">
   <name>CBHC</name>
   <coder>FIX94</coder>
-  <version>1.1</version>
+  <version>1.2</version>
   <url>https://github.com/FIX94/haxchi</url>
-  <release_date>20161210200000</release_date>
+  <release_date>20161213200000</release_date>
   <short_description>Coldboot Haxchi Installer</short_description>
   <long_description>WARNING! This will install Coldboot Haxchi on your system.
 ONLY USE THIS IF YOU ARE WILLING TO TAKE A RISK OF BRICKING YOUR CONSOLE.

release/wiiu/apps/haxchi/meta.xml

@@ -2,9 +2,9 @@
 <app version="1">
   <name>Haxchi</name>
   <coder>FIX94</coder>
-  <version>2.3</version>
+  <version>2.3u1</version>
   <url>https://github.com/FIX94/haxchi</url>
-  <release_date>20161210200000</release_date>
+  <release_date>20161213200000</release_date>
   <short_description>Haxchi Installer</short_description>
   <long_description>This will install Haxchi on your system.
   </long_description>

installer/wupserver/Makefile → wupserver/Makefile

@@ -11,7 +11,7 @@ CC = arm-none-eabi-gcc
 LINK = arm-none-eabi-ld
 AS = arm-none-eabi-as
 OBJCOPY = arm-none-eabi-objcopy
-CFLAGS += -Wall -mbig-endian -std=c99 -march=armv5 -Os -I$(DEVKITPRO)/libnds/include
+CFLAGS += -Wall -mbig-endian -std=c99 -mcpu=arm926ej-s -Os -s -mthumb -I$(DEVKITPRO)/libnds/include
 LDFLAGS += --script=ccd00.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib"
 
 CFILES = $(wildcard source/*.c)
@@ -43,13 +43,13 @@ dirs:
 
 $(PROJECTNAME).bin: $(PROJECTNAME).elf
 #	$(OBJCOPY) -O binary $< $@
-	$(OBJCOPY) -j .text -j .rodata -O binary $< $@
+	$(OBJCOPY) -j .text -j .rodata -S -O binary $< $@
 
 $(PROJECTNAME)_bin.h: $(PROJECTNAME).bin
 	xxd -i $< | sed "s/unsigned/static const unsigned/g;s/$(PROJECTNAME)$*/$(PROJECTNAME)/g" > $@
 
 $(PROJECTNAME).elf: $(OFILES)
-	$(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(sort $(filter-out build/crt0.o, $(OFILES)))
+	$(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(sort $(filter-out build/crt0.o, $(OFILES))) libgcc.a
 
 clean:
 	@rm -f build/*.o build/*.d

installer/wupserver/ccd00.ld → wupserver/ccd00.ld

@@ -2,13 +2,13 @@ OUTPUT_ARCH(arm)
 
 MEMORY
 {
-	RAMX (rx) : ORIGIN = 0x05100000, LENGTH = 0x0004000
+	RAMX (rx) : ORIGIN = 0x0510E570, LENGTH = 0x00015BC
 	RAMRW (rw!i) : ORIGIN = 0x05089780, LENGTH = 0x00001F00
 }
 
 SECTIONS
 {
-	.text : ALIGN(0x100) {
+	.text : {
 		build/crt0.o(.init)
 		*(.text)
 		*(.rodata)
@@ -20,4 +20,3 @@ SECTIONS
 	}
 	_bss_end = .;
 }
-

installer/wupserver/source/imports.c → wupserver/source/imports.c

@@ -21,7 +21,7 @@ void* memcpy(void* dst, const void* src, size_t size)
 {
 	return _memcpy(dst, (void*)src, size);
 }
-
+/*
 int strlen(const char* str)
 {
     unsigned int i = 0;
@@ -30,7 +30,7 @@ int strlen(const char* str)
     }
     return i;
 }
-
+*/
 char* strncpy(char* dst, const char* src, size_t size)
 {
 	int i;
@@ -42,8 +42,9 @@ char* strncpy(char* dst, const char* src, size_t size)
 
 	return dst;
 }
-
+/*
 int vsnprintf(char * s, size_t n, const char * format, va_list arg)
 {
     return ((int (*const)(char*, size_t, const char *, va_list))0x05055C40)(s, n, format, arg);
 }
+*/