Hacking Firmware Reverse Engineering (Info Dump)

Sammi Husky
True, I've rarely seen Unicode strings though; either it's 1-byte ASCII or, if it's a first-party Nintendo game, it'll probably have Japanese comments in Shift-JIS (you'll need to go to Options -> ASCII String Style -> Change encoding or set default encoding, right click and Insert then type in Shift-JIS [as spelled]), which you can tell when it ends because each char takes up two bytes and you scroll down till you hit a null byte like usual. Also, wh, I never knew that alignment thing existed; how would I combine more than 4 bytes in .bss into e.g. a .space 0x30? I never figured it out, and IDA gets some stuff wrong in disassembly.

I've only really seen Unicode stuff in Smash 4's RPX; SJIS totally skipped my mind though. Unfortunately I've never found a way to convert stuff to .space :/ There might be some tricky IDC or IDAPython function that can do it though.

Since the exploit is patched, it won't be long before the release. I hope.

Is this confirmed somewhere? I thought the rumored update never dropped?
 

Datalogger
Some information you may find useful for knowing the memory mapping of the PPC
(from the ARM's point of view)


Here's where the PPC's kernel.img file gets loaded from the ARM in IOS_MCP:
Code:
IOS_MCP:05033FFA                               LDR             R0, =0x1FFF000
IOS_MCP:05033FFC                               BL              Call_SysCall_0x6D_IOS_MCP                             ; int set_ppc_boot_params(void *params)
IOS_MCP:05033FFC                                                                                                     ; Registers the supplied address as a pointer for setting up the PPC boot parameters
IOS_MCP:05033FFC                                                                                                     ; -> 0 on success
IOS_MCP:05034000                               ORRS            R4, R6
IOS_MCP:05034002                               ORRS            R5, R0
IOS_MCP:05034004                               ORRS            R4, R5
IOS_MCP:05034006                               BEQ             loc_503400A
IOS_MCP:05034008                               B               loc_503456A
IOS_MCP:0503400A ; ---------------------------------------------------------------------------
IOS_MCP:0503400A
IOS_MCP:0503400A loc_503400A                                                                                         ; CODE XREF: sub_5033C50+3B6j
IOS_MCP:0503400A                               MOVS            R0, #0x80 ; 'Ç'                                       ; Load 0x80 into R0
IOS_MCP:0503400C                               MOVS            R1, #0x90 ; 'É'                                       ; Load 0x90 into R1
IOS_MCP:0503400E                               LSLS            R0, R0, #0x14                                         ; Shift 0x80 to 0x8000000
IOS_MCP:05034010                               LSLS            R1, R1, #0xD                                          ; Shift 0x90 to 0x120000
IOS_MCP:05034012                               BL              Call_SysCall_0x77_IOS_MCP                             ; int load_ppc_kernel(u32 address, u32 size) - Maps the PPC kernel image memory:
IOS_MCP:05034012                                                                                                     ; address == 0x08000000
IOS_MCP:05034012                                                                                                     ; size == 0x00120000
IOS_MCP:05034012                                                                                                     ; ->0 on success
IOS_MCP:05034016                               MOVS            R4, R0
IOS_MCP:05034018                               CMP             R0, #0
IOS_MCP:0503401A                               BEQ             loc_503401E
IOS_MCP:0503401C                               B               loc_503456A
IOS_MCP:0503401E ; ---------------------------------------------------------------------------
IOS_MCP:0503401E
IOS_MCP:0503401E loc_503401E                                                                                         ; CODE XREF: sub_5033C50+3CAj
IOS_MCP:0503401E                               LDR             R1, =aKernel_img                                      ; Load the location of string "kernel.img" into R1
IOS_MCP:05034020                               MOVS            R4, R7
IOS_MCP:05034022                               ADDS            R4, #0x30 ; '0'
IOS_MCP:05034024                               STR             R1, [SP,#0x19C+var_19C]                               ; Store Kernel.img into var_19C
IOS_MCP:05034026                               MOVS            R5, #0xC6 ; '¦'                                       ; Load 0xC6 into R5
IOS_MCP:05034028                               MOVS            R1, #0x80 ; 'Ç'                                       ; Load 0x80 into R1
IOS_MCP:0503402A                               LDR             R2, =aSS                                              ; Load string "%s/%s" into R2
IOS_MCP:0503402C                               LDR             R3, =dword_50B7FD0
IOS_MCP:0503402E                               MOVS            R0, R4
IOS_MCP:05034030                               LSLS            R1, R1, #1                                            ; Left shift 0x80 to 0x100 = Offset to start of PPC Kernel Image in kernel.img
IOS_MCP:05034032                               LSLS            R5, R5, #1                                            ; Left shift R5 to 0x18c
IOS_MCP:05034034                               BL              parse_strings                                         ; int __fastcall sub_5055C8C(int a1, int a2, _BYTE *a3, int a4)
IOS_MCP:05034038                               ADDS            R3, R7, R5
IOS_MCP:0503403A                               STR             R3, [SP,#0x19C+var_19C]
IOS_MCP:0503403C                               MOVS            R0, #1
IOS_MCP:0503403E                               MOVS            R2, #0x80 ; 'Ç'                                       ; Load 0x80 into R2
IOS_MCP:05034040                               MOVS            R3, #0x90 ; 'É'                                       ; Load 0x90 into R3
IOS_MCP:05034042                               STR             R0, [SP,#0x19C+var_198]
IOS_MCP:05034044                               MOVS            R1, #0
IOS_MCP:05034046                               MOVS            R0, R4
IOS_MCP:05034048                               LSLS            R2, R2, #0x14                                         ; Left shift to =0x8000000 = PPC Kernel PPC_MEM0_A_MMU
IOS_MCP:0503404A                               LSLS            R3, R3, #0xD                                          ; Left shift to =0x120000 = PPC Kernel Size
IOS_MCP:0503404C                               BL              sub_50170FC
IOS_MCP:05034050                               MOVS            R1, #0x120000                                         ; PPC Kernel Size
IOS_MCP:05034054                               MOVS            R4, R0
IOS_MCP:05034056                               MOVS            R0, #0x8000000                                        ; PPC Kernel Mem PPC_MEM0_A_MMU
IOS_MCP:0503405A                               BL              Call_SysCall_0x52_IOS_MCP                             ; void IOS_FlushDCache(void *ptr, unsigned int len)
IOS_MCP:0503405A                                                                                                     ; Flush data cache
IOS_MCP:0503405A                                                                                                     ; -> Nothing
IOS_MCP:0503405E                               CMP             R4, #0
IOS_MCP:05034060                               BEQ             loc_5034064
IOS_MCP:05034062                               B               loc_503456A
IOS_MCP:05034064 ; ---------------------------------------------------------------------------
IOS_MCP:05034064
IOS_MCP:05034064 loc_5034064                                                                                         ; CODE XREF: sub_5033C50+410j
IOS_MCP:05034064                               MOVS            R0, #0x8000000                                        ; PPC Kernel Mem PPC_MEM0_A_MMU
IOS_MCP:05034068                               MOVS            R1, #0
IOS_MCP:0503406A                               BL              Call_SysCall_0x77_IOS_MCP                             ; int load_ppc_kernel(u32 address, u32 size) - Maps the PPC kernel image memory (second call, after the image has been written):
IOS_MCP:0503406A                                                                                                     ; address == 0x08000000
IOS_MCP:0503406A                                                                                                     ; size == 0 (R1 was cleared above; the first call passed 0x00120000)
IOS_MCP:0503406A                                                                                                     ; ->0 on success
IOS_MCP:0503406E                               MOVS            R4, R0                                                ; Save return value in R4
IOS_MCP:05034070                               CMP             R0, #0                                                ; Compare to Success value
IOS_MCP:05034072                               BEQ             loc_5034076                                           ; Memory Load OK
IOS_MCP:05034074                               B               loc_503456A
IOS_MCP:05034076 ; ---------------------------------------------------------------------------
IOS_MCP:05034076
IOS_MCP:05034076 loc_5034076                                                                                         ; CODE XREF: sub_5033C50+422j
IOS_MCP:05034076                               LDR             R1, =0x16FFFFC
IOS_MCP:05034078                               STR             R0, [R1]
IOS_MCP:0503407A                               MOVS            R0, R1
IOS_MCP:0503407C                               MOVS            R1, #4
IOS_MCP:0503407E                               BL              Call_SysCall_0x52_IOS_MCP                             ; void IOS_FlushDCache(void *ptr, unsigned int len)
IOS_MCP:0503407E                                                                                                     ; Flush data cache
IOS_MCP:0503407E                                                                                                     ; -> Nothing

Here's where the ARM sets up its own and the PPC's misc Memory Segments in IOS_KERNEL:
Code:
IOS_KERNEL:08122500 IOS_Kernel___iosMemMapInit                                                                          ; CODE XREF: Setup_MMU:loc_8120C98p
IOS_KERNEL:08122500
IOS_KERNEL:08122500 var_14                        = -0x14
IOS_KERNEL:08122500 var_10                        = -0x10
IOS_KERNEL:08122500 var_C                         = -0xC
IOS_KERNEL:08122500
IOS_KERNEL:08122500                               STMFD           SP!, {R4,LR}
IOS_KERNEL:08122504                               SUB             SP, SP, #0xC
IOS_KERNEL:08122508                               BL              sub_813124C
IOS_KERNEL:0812250C                               SUBS            R4, R0, #0
IOS_KERNEL:08122510                               BLT             initialize_system_protection_failed
IOS_KERNEL:08122514                               MOV             R0, #4
IOS_KERNEL:08122518                               MOV             R1, #0xFF
IOS_KERNEL:0812251C                               BL              sub_812FD7C
IOS_KERNEL:08122520                               SUBS            R4, R0, #0
IOS_KERNEL:08122524                               BEQ             loc_81227EC
IOS_KERNEL:08122528
IOS_KERNEL:08122528 map_kernel_SRAM                                                                                     ; CODE XREF: IOS_Kernel___iosMemMapInit+2FCj
IOS_KERNEL:08122528                                                                                                     ; IOS_Kernel___iosMemMapInit+310j ...
IOS_KERNEL:08122528                               CMP             R4, #0
IOS_KERNEL:0812252C                               BLT             initialize_system_protection_failed
IOS_KERNEL:08122530                               LDR             R0, =0xFFFF0000                                       ; Start Address of Segment
IOS_KERNEL:08122534                               MOV             R4, #0
IOS_KERNEL:08122538                               MOV             R12, #0x30 ; '0'
IOS_KERNEL:0812253C                               MOV             R3, R4
IOS_KERNEL:08122540                               MOV             R1, R0
IOS_KERNEL:08122544                               MOV             R2, #0x10000                                          ; Segment Size
IOS_KERNEL:08122548                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:0812254C                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122550                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:08122554                               BL              IOS_Kernel_map_memory
IOS_KERNEL:08122558                               CMP             R0, #0
IOS_KERNEL:0812255C                               BLT             map_kernel_SRAM_failed
IOS_KERNEL:08122560
IOS_KERNEL:08122560 map_kernel_MEM0_MMU                                                                                 ; CODE XREF: IOS_Kernel___iosMemMapInit:loc_8122A7Cj
IOS_KERNEL:08122560                               LDR             R0, =0x8120000                                        ; Start Address of Segment
IOS_KERNEL:08122564                               MOV             R4, #0
IOS_KERNEL:08122568                               MOV             R12, #0x30 ; '0'
IOS_KERNEL:0812256C                               MOV             R3, R4
IOS_KERNEL:08122570                               MOV             R1, R0
IOS_KERNEL:08122574                               MOV             R2, #0xA0000                                          ; Segment Size
IOS_KERNEL:08122578                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:0812257C                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122580                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:08122584                               BL              IOS_Kernel_map_memory
IOS_KERNEL:08122588                               CMP             R0, #0
IOS_KERNEL:0812258C                               BLT             map_kernel_MEM0_MMU_failed
IOS_KERNEL:08122590
IOS_KERNEL:08122590 map_IOS_global_heap_MEM2                                                                            ; CODE XREF: IOS_Kernel___iosMemMapInit+54Cj
IOS_KERNEL:08122590                               MOV             R0, #0x1D000000                                       ; Start Address of Segment
IOS_KERNEL:08122594                               BL              sub_8121FF4
IOS_KERNEL:08122598                               MOV             R3, #0
IOS_KERNEL:0812259C                               LDR             R1, =0x3FFFFF
IOS_KERNEL:081225A0                               STR             R1, [SP,#0x14+var_14]
IOS_KERNEL:081225A4                               LDR             R12, =0x3FFFF0
IOS_KERNEL:081225A8                               MOV             R2, #0x2B00000                                        ; Segment Size
IOS_KERNEL:081225AC                               STR             R12, [SP,#0x14+var_10]
IOS_KERNEL:081225B0                               CMP             R0, R3
IOS_KERNEL:081225B4                               MOV             R0, #0x1D000000
IOS_KERNEL:081225B8                               MOVGE           R4, #0x60 ; '`'
IOS_KERNEL:081225BC                               MOVLT           R4, #0x20 ; ' '
IOS_KERNEL:081225C0                               MOV             R1, R0
IOS_KERNEL:081225C4                               STR             R4, [SP,#0x14+var_C]
IOS_KERNEL:081225C8                               BL              IOS_Kernel_map_memory
IOS_KERNEL:081225CC                               CMP             R0, #0
IOS_KERNEL:081225D0                               BLT             map_IOS_global_heap_MEM2_failed
IOS_KERNEL:081225D4
IOS_KERNEL:081225D4 map_PPC_MEM0_A_MMU                                                                                  ; CODE XREF: IOS_Kernel___iosMemMapInit+51Cj
IOS_KERNEL:081225D4                               MOV             R0, #0x8000000                                        ; Start Address of Segment
IOS_KERNEL:081225D8                               MOV             R4, #0
IOS_KERNEL:081225DC                               MOV             R12, #0x20 ; ' '
IOS_KERNEL:081225E0                               MOV             R1, R0
IOS_KERNEL:081225E4                               MOV             R2, #0x100000                                         ; Segment Size
IOS_KERNEL:081225E8                               MOV             R3, #0xF
IOS_KERNEL:081225EC                               STMFA           SP, {R4,R12}
IOS_KERNEL:081225F0                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:081225F4                               BL              IOS_Kernel_map_memory
IOS_KERNEL:081225F8                               CMP             R0, #0
IOS_KERNEL:081225FC                               BLT             map_PPC_MEM0_A_MMU_failed
IOS_KERNEL:08122600
IOS_KERNEL:08122600 map_PPC_MEM0_B_MMU                                                                                  ; CODE XREF: IOS_Kernel___iosMemMapInit+4ECj
IOS_KERNEL:08122600                               MOV             R4, #0
IOS_KERNEL:08122604                               MOV             R0, #0x8100000                                        ; Start Address of Segment
IOS_KERNEL:08122608                               MOV             R12, #0x20 ; ' '
IOS_KERNEL:0812260C                               MOV             R3, R4
IOS_KERNEL:08122610                               MOV             R1, R0
IOS_KERNEL:08122614                               MOV             R2, #0x20000                                          ; Segment Size
IOS_KERNEL:08122618                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:0812261C                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122620                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:08122624                               BL              IOS_Kernel_map_memory
IOS_KERNEL:08122628                               CMP             R0, #0
IOS_KERNEL:0812262C                               BLT             map_PPC_MEM0_B_MMU_failed
IOS_KERNEL:08122630
IOS_KERNEL:08122630 map_PPC_MEM0_FG                                                                                     ; CODE XREF: IOS_Kernel___iosMemMapInit+4BCj
IOS_KERNEL:08122630                               LDR             R0, =0x80C0000                                        ; Start Address of Segment
IOS_KERNEL:08122634                               LDR             R12, =0x3FFFFF
IOS_KERNEL:08122638                               STR             R12, [SP,#0x14+var_14]
IOS_KERNEL:0812263C                               LDR             LR, =0x3FFFF0
IOS_KERNEL:08122640                               MOV             R12, #0x40 ; '@'
IOS_KERNEL:08122644                               MOV             R1, R0
IOS_KERNEL:08122648                               MOV             R2, #0x60000                                          ; Segment Size
IOS_KERNEL:0812264C                               MOV             R3, #0
IOS_KERNEL:08122650                               STR             LR, [SP,#0x14+var_10]
IOS_KERNEL:08122654                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:08122658                               BL              IOS_Kernel_map_memory
IOS_KERNEL:0812265C                               CMP             R0, #0
IOS_KERNEL:08122660                               BLT             map_PPC_MEM0_FG_failed
IOS_KERNEL:08122664
IOS_KERNEL:08122664 map_MEM1_A_MMU                                                                                      ; CODE XREF: IOS_Kernel___iosMemMapInit+48Cj
IOS_KERNEL:08122664                               MOV             R4, #0                                                ; Start Address of Segment
IOS_KERNEL:08122668                               MOV             R12, #0x30 ; '0'
IOS_KERNEL:0812266C                               MOV             R0, R4
IOS_KERNEL:08122670                               MOV             R1, R4
IOS_KERNEL:08122674                               MOV             R2, #0x1000                                           ; Segment Size
IOS_KERNEL:08122678                               MOV             R3, R4
IOS_KERNEL:0812267C                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:08122680                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122684                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:08122688                               BL              IOS_Kernel_map_memory
IOS_KERNEL:0812268C                               CMP             R0, #0
IOS_KERNEL:08122690                               BLT             map_MEM1_A_MMU_failed
IOS_KERNEL:08122694
IOS_KERNEL:08122694 map_MEM1_B_MMU                                                                                      ; CODE XREF: IOS_Kernel___iosMemMapInit+45Cj
IOS_KERNEL:08122694                               MOV             R4, #0
IOS_KERNEL:08122698                               MOV             R0, #0x1000                                           ; Start Address of Segment
IOS_KERNEL:0812269C                               MOV             R12, #0x20 ; ' '
IOS_KERNEL:081226A0                               MOV             R3, R4
IOS_KERNEL:081226A4                               MOV             R1, R0
IOS_KERNEL:081226A8                               LDR             R2, =0x1FFF000                                        ; Segment Size
IOS_KERNEL:081226AC                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:081226B0                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:081226B4                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:081226B8                               BL              IOS_Kernel_map_memory
IOS_KERNEL:081226BC                               CMP             R0, #0
IOS_KERNEL:081226C0                               BLT             map_MEM1_B_MMU_failed
IOS_KERNEL:081226C4
IOS_KERNEL:081226C4 map_MEM1_FG                                                                                         ; CODE XREF: IOS_Kernel___iosMemMapInit+42Cj
IOS_KERNEL:081226C4                               MOV             R0, #0                                                ; Start Address of Segment
IOS_KERNEL:081226C8                               LDR             R12, =0x3FFFFF
IOS_KERNEL:081226CC                               STR             R12, [SP,#0x14+var_14]
IOS_KERNEL:081226D0                               LDR             LR, =0x3FFFF0
IOS_KERNEL:081226D4                               MOV             R12, #0x40 ; '@'
IOS_KERNEL:081226D8                               MOV             R1, R0
IOS_KERNEL:081226DC                               MOV             R2, #0x2000000                                        ; Segment Size
IOS_KERNEL:081226E0                               MOV             R3, R0
IOS_KERNEL:081226E4                               STR             LR, [SP,#0x14+var_10]
IOS_KERNEL:081226E8                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:081226EC                               BL              IOS_Kernel_map_memory
IOS_KERNEL:081226F0                               CMP             R0, #0
IOS_KERNEL:081226F4                               BLT             map_MEM1_FG_failed
IOS_KERNEL:081226F8
IOS_KERNEL:081226F8 map_PPC_MEM2_A                                                                                      ; CODE XREF: IOS_Kernel___iosMemMapInit+3FCj
IOS_KERNEL:081226F8                               MOV             R4, #0                                                ; Start Address of Segment
IOS_KERNEL:081226FC                               MOV             R0, #0x14000000
IOS_KERNEL:08122700                               MOV             R12, #0x20 ; ' '
IOS_KERNEL:08122704                               MOV             R3, R4
IOS_KERNEL:08122708                               MOV             R1, R0
IOS_KERNEL:0812270C                               MOV             R2, #0x9000000                                        ; Segment Size
IOS_KERNEL:08122710                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:08122714                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122718                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:0812271C                               BL              IOS_Kernel_map_memory
IOS_KERNEL:08122720                               CMP             R0, #0
IOS_KERNEL:08122724                               BLT             map_PPC_MEM2_A_failed
IOS_KERNEL:08122728
IOS_KERNEL:08122728 map_PPC_MEM2_B_0                                                                                    ; CODE XREF: IOS_Kernel___iosMemMapInit+3CCj
IOS_KERNEL:08122728                               MOV             R4, #0
IOS_KERNEL:0812272C                               MOV             R0, #0x28000000                                       ; Start Address of Segment
IOS_KERNEL:08122730                               MOV             R12, #0x20 ; ' '
IOS_KERNEL:08122734                               MOV             R3, R4
IOS_KERNEL:08122738                               MOV             R1, R0
IOS_KERNEL:0812273C                               MOV             R2, #0xA8000000                                       ; Segment Size
IOS_KERNEL:08122740                               STR             R12, [SP,#0x14+var_C]
IOS_KERNEL:08122744                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122748                               STR             R4, [SP,#0x14+var_10]
IOS_KERNEL:0812274C                               BL              IOS_Kernel_map_memory
IOS_KERNEL:08122750                               CMP             R0, #0
IOS_KERNEL:08122754                               BLT             map_PPC_MEM2_B_failed
IOS_KERNEL:08122758
IOS_KERNEL:08122758 map_PPC_MEM2_B_1                                                                                    ; CODE XREF: IOS_Kernel___iosMemMapInit+39Cj
IOS_KERNEL:08122758                               MOV             R4, #0
IOS_KERNEL:0812275C                               MOV             R0, #0x28000000                                       ; Start Address of Segment
IOS_KERNEL:08122760                               MOV             R3, R4
IOS_KERNEL:08122764                               MOV             R12, #0x20 ; ' '
IOS_KERNEL:08122768                               MOV             R1, R0
IOS_KERNEL:0812276C                               MOV             R2, #0xA8000000                                       ; Segment Size
IOS_KERNEL:08122770                               STR             R4, [SP,#0x14+var_14]
IOS_KERNEL:08122774                               STMFA           SP, {R4,R12}
IOS_KERNEL:08122778                               BL              IOS_Kernel_map_memory
IOS_KERNEL:0812277C                               SUBS            R4, R0, #0
IOS_KERNEL:08122780                               BGE             loc_81227E0
IOS_KERNEL:08122784                               MVN             R1, R4
IOS_KERNEL:08122788                               TST             R4, #0x8000
IOS_KERNEL:0812278C                               MOV             R1, R1,ASR#16
IOS_KERNEL:08122790                               MVNNE           R2, R4,LSL#16
IOS_KERNEL:08122794                               MOVEQ           R2, R4,LSL#16
IOS_KERNEL:08122798                               MOV             R1, R1,LSL#22
IOS_KERNEL:0812279C                               MVNNE           R2, R2,LSR#16
IOS_KERNEL:081227A0                               MOVEQ           R2, R2,LSR#16
IOS_KERNEL:081227A4                               MOV             R1, R1,LSR#22
IOS_KERNEL:081227A8                               LDR             R0, =aFailedToMapPpc                                  ; "Failed to map PPC MEM2-B with status %d"...
IOS_KERNEL:081227AC                               BL              Kernel_Error_Handler
IOS_KERNEL:081227B0                               B               loc_81227E0

I would think that the PPC re-maps the memory locations with its own loader after this.

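The two listings above give the IOS-side view of PPC memory. As an added example, not from Datalogger's post or from the IOS code itself, the IOS_Kernel_map_memory calls are transcribed into a table and checked the way you would in practice: does the range the MCP code hands to load_ppc_kernel (0x08000000, size 0x120000) fall entirely inside the PPC MEM0 mappings, and which mappings overlap it. It also renders in C the register shuffle on the failure path at 08122784, which splits the negative status into the two values passed to the error message. Segment names follow the listing's labels; the attribute word and the two status fields are carried but not interpreted, since the page does not decode them, and the heap attribute 0x20 is an assumption (the listing picks 0x60 or 0x20 at run time depending on sub_8121FF4).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One IOS_Kernel_map_memory call from the listing: R0/R1 = start, R2 = size,
 * [SP+var_C] = attribute word (0x20/0x30/0x40/0x60). The attribute's meaning
 * is not decoded on the page, so it is only carried along here. */
struct segment {
    const char *name;
    uint32_t start;
    uint32_t size;
    uint32_t attr;
};

/* Transcribed from IOS_Kernel___iosMemMapInit. Heap attribute 0x20 assumed. */
static const struct segment iosu_map[] = {
    { "kernel_SRAM",     0xFFFF0000u, 0x00010000u, 0x30 },
    { "kernel_MEM0_MMU", 0x08120000u, 0x000A0000u, 0x30 },
    { "IOS_global_heap", 0x1D000000u, 0x02B00000u, 0x20 },
    { "PPC_MEM0_A_MMU",  0x08000000u, 0x00100000u, 0x20 },
    { "PPC_MEM0_B_MMU",  0x08100000u, 0x00020000u, 0x20 },
    { "PPC_MEM0_FG",     0x080C0000u, 0x00060000u, 0x40 },
    { "MEM1_A_MMU",      0x00000000u, 0x00001000u, 0x30 },
    { "MEM1_B_MMU",      0x00001000u, 0x01FFF000u, 0x20 },
    { "MEM1_FG",         0x00000000u, 0x02000000u, 0x40 },
    { "PPC_MEM2_A",      0x14000000u, 0x09000000u, 0x20 },
    { "PPC_MEM2_B",      0x28000000u, 0xA8000000u, 0x20 },
};
#define N_SEGS (sizeof iosu_map / sizeof iosu_map[0])

/* Range the MCP code passes to load_ppc_kernel (syscall 0x77). */
#define PPC_KERNEL_BASE 0x08000000u
#define PPC_KERNEL_SIZE 0x00120000u

/* True if every byte of [addr, addr+len) lies in at least one mapping; the
 * union of several mappings counts. 64-bit arithmetic is required because
 * kernel_SRAM ends exactly at 0x1'0000'0000, which wraps to 0 in 32 bits. */
bool range_covered(uint32_t addr, uint32_t len)
{
    uint64_t pos = addr, end = (uint64_t)addr + len;
    while (pos < end) {
        uint64_t reach = pos;
        for (size_t i = 0; i < N_SEGS; i++) {
            uint64_t s = iosu_map[i].start, e = s + iosu_map[i].size;
            if (s <= pos && pos < e && e > reach)
                reach = e;
        }
        if (reach == pos)
            return false;               /* unmapped byte at pos */
        pos = reach;
    }
    return true;
}

/* Count (and optionally list) mappings sharing at least one byte with
 * [addr, addr+len). Overlaps are normal in this table: MEM0_FG sits on top
 * of MEM0_A/B and MEM1_FG on top of MEM1_A/B. */
size_t segments_overlapping(uint32_t addr, uint32_t len, size_t *out, size_t max)
{
    uint64_t a = addr, b = (uint64_t)addr + len;
    size_t n = 0;
    for (size_t i = 0; i < N_SEGS; i++) {
        uint64_t s = iosu_map[i].start, e = s + iosu_map[i].size;
        if (s < b && a < e) {
            if (out && n < max)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* C rendering of 08122784..081227A4: the negative status from
 * IOS_Kernel_map_memory becomes the two %d arguments of the
 * "Failed to map PPC MEM2-B with status ..." message.
 * upper = low 10 bits of (~status >> 16)  (MVN, ASR#16, LSL#22, LSR#22)
 * lower = low 16 bits of status, sign-extended when bit 15 is set
 *         (the TST R4,#0x8000 branch). Field names are this example's. */
uint32_t map_status_upper(int32_t status)
{
    return ((~(uint32_t)status) >> 16) & 0x3FFu;
}
int32_t map_status_lower(int32_t status)
{
    int32_t lo = (int32_t)((uint32_t)status & 0xFFFFu);
    return (lo & 0x8000) ? lo - 0x10000 : lo;
}

int main(void)
{
    size_t idx[N_SEGS];
    size_t n = segments_overlapping(PPC_KERNEL_BASE, PPC_KERNEL_SIZE, idx, N_SEGS);
    printf("kernel.img range covered: %s; overlapping mappings:",
           range_covered(PPC_KERNEL_BASE, PPC_KERNEL_SIZE) ? "yes" : "no");
    for (size_t i = 0; i < n; i++)
        printf(" %s", iosu_map[idx[i]].name);
    printf("\nstatus -163839 (0xFFFD8001) -> %u, %d\n",
           map_status_upper(-163839), map_status_lower(-163839));
    return 0;
}
```

Running it shows that MEM0_A (0x100000) plus MEM0_B (0x20000) is exactly the 0x120000 the MCP passes, with MEM0_FG laid over the last 0x60000 of that range, and that kernel_SRAM's end has to be computed in 64 bits because the segment sits at the very top of the address space.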
NWPlayer123 (OP)
I guess I'll just post this here informally. Once you figure some stuff out it gets really easy to see what programs are doing, e.g. what all the registers are doing at each part.
r0 is usually reserved for copying/storing the link register in stack frames (because r1 has its own purpose)
r1 is the stack pointer
r2 I don't think I've ever actually seen used
r3-r31 are used for data manipulation
At the start of a function, unless it's very very simple like getting a value from a specific static location, it'll set up a stack frame: stwu/lwzu makes r1 update itself to add a new stack frame, and then it'll do an addi r1, r1 at the end when restoring. After that, it'll store r0 (link register value from the function that called this one), and then r31 and down depending on how many registers are used in the function. It backs them up because ->
when you call a function with variables, var0 is r3, var1 is r4, and functions then usually do a move register to copy them into r31 down (which we stored the original values of) so it can use r3+ for the math, so you'll see mr r29, r5 / mr r30, r4 / mr r31, r3
In C and C++ you can only return one "value", so if you have multiple things you need to send back, you need to store them in a data structure or somewhere other code can get them. So you can usually scroll down to the very bottom; sometimes the compiler will have a mr r3, rXX at the very end and it'll use a different register to send the return value back (assuming it's just an int). Otherwise you can see what jumps to the very last loc_XXXXXXXX (which I like to rename to ret_ so I can see it's the return piece of the code which restores stack frame data before returning).
The Wii U is 32-bit, so for example, GX2GetLastSubmittedTimeStamp does
Code:
lis r12, 0x1001        # upper part of data address
lwzu r3, 0x4E80(r12)   # lower part of data address, r12 = 0x10014E80
lwz r4, 4(r12)         # get value from r12 + 4 which is E84
blr
Time data is usually u64, so the compiler will just return with both r3 and r4 to get 64 bits, which is how you can tell it's a uint64_t GX2GetLastSubmittedTimeStamp(void); because r3 and r4 will get overwritten even if you pass variables in anyway.
BUT, that's the fun thing you can try doing to exploit functions: give it data it doesn't expect. If you can find a register you can load data into that isn't supposed to have anything, you can do fun stuff.
The difficult part is getting the kernel to write data somewhere where it has kernel/supervisor level permissions when called, either replacing a fastcall or getting it to write to the syscall table itself, because once you install kern_write you have free rein.
 

Sammi Husky

As far as I've been able to see, this is still mostly the case for the Wii U's PowerPC (but I haven't really looked super far, so nobody crucify me plsthx)

Code:
r0 volatile, may be used by function linkage
r1 stack pointer
r2 reserved for system
r3 .. r4 volatile, pass 1st - 2nd int args, return 1st - 2nd ints
r5 .. r10 volatile, pass 3rd - 8th int args
r11 .. r12 volatile, may be used by function linkage
r13 small data area pointer
r14 .. r31 saved
f0 volatile
f1 volatile, pass 1st float arg, return 1st float
f2 .. f8 volatile, pass 2nd - 8th float args
f9 .. f13 volatile
f14 .. f30 saved
f31 saved, static chain if needed.
lr volatile, return address
ctr volatile
xer volatile
fpscr volatile
cr0 volatile
cr1 volatile
cr2 .. cr4 saved
cr5 .. cr7 volatile
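The two posts above describe what a reverse engineer reads off a PowerPC function by hand: the lis/lwzu pair that builds a 32-bit data address, the stack frame opened by stwu and closed by addi r1, the saved registers spilled in the prologue, and r3/r4 both being written before blr as the sign of a 64-bit return. As an added example (not code from this thread, from IDA, or from any Nintendo tooling), here is a small Python decoder that recovers those facts mechanically. The first word list was hand-assembled from the GX2GetLastSubmittedTimeStamp listing above; the second is a constructed function invented for this example to show the stwu/mflr/stw/mr pattern, and is not from any Wii U binary. The "64-bit return" inference is the post's own heuristic, and the register roles come from the EABI table posted above.

```python
"""PowerPC (32-bit) decoder for the handful of encodings used in the thread's
listings: addi/addis (li/lis), lwz/lwzu, stw/stwu, or-as-mr, mflr/mtlr, blr.
It symbolically executes a function up to blr and reports what the posts
above work out by hand. Added example code, not from the original page."""

SAVED_GPR_MIN = 14        # r14..r31 are callee-saved per the EABI table above

# Hand-assembled from the GX2GetLastSubmittedTimeStamp listing in the thread.
GX2_GET_LAST_SUBMITTED_TIMESTAMP = [
    0x3D801001,  # lis   r12, 0x1001
    0x846C4E80,  # lwzu  r3, 0x4E80(r12)
    0x808C0004,  # lwz   r4, 4(r12)
    0x4E800020,  # blr
]

# Constructed for this example (not from any real binary): the usual
# prologue/epilogue shape the post describes, returning a 32-bit value.
CONSTRUCTED_FRAME_FUNC = [
    0x9421FFE0,  # stwu  r1, -0x20(r1)
    0x7C0802A6,  # mflr  r0
    0x90010024,  # stw   r0, 0x24(r1)
    0x93E1001C,  # stw   r31, 0x1C(r1)
    0x7C7F1B78,  # mr    r31, r3
    0x387F0001,  # addi  r3, r31, 1
    0x83E1001C,  # lwz   r31, 0x1C(r1)
    0x80010024,  # lwz   r0, 0x24(r1)
    0x7C0803A6,  # mtlr  r0
    0x38210020,  # addi  r1, r1, 0x20
    0x4E800020,  # blr
]


def gpr_role(n):
    """EABI role of GPR n, taken from the register table posted above."""
    if n in (0, 11, 12):
        return "volatile (linkage)"
    if n == 1:
        return "stack pointer"
    if n == 2:
        return "reserved"
    if n in (3, 4):
        return "volatile, arg/return"
    if 5 <= n <= 10:
        return "volatile, arg"
    if n == 13:
        return "small data area pointer"
    return "saved"


def _sext16(v):
    return v - 0x10000 if v & 0x8000 else v


def decode(word):
    """Return (mnemonic, fields...) for the supported subset, else None."""
    op = word >> 26
    f1 = (word >> 21) & 0x1F          # RT or RS
    f2 = (word >> 16) & 0x1F          # RA
    f3 = (word >> 11) & 0x1F          # RB (X-form)
    d = _sext16(word & 0xFFFF)
    dform = {14: "addi", 15: "addis", 32: "lwz", 33: "lwzu", 36: "stw", 37: "stwu"}
    if op in dform:
        return (dform[op], f1, f2, d)
    if word == 0x4E800020:
        return ("blr",)
    if op == 31:
        xo = (word >> 1) & 0x3FF
        spr = f2 | (f3 << 5)            # SPR number is encoded with its halves swapped
        if xo == 444 and f1 == f3:      # or rA, rS, rS is the canonical 'mr rA, rS'
            return ("mr", f2, f1)
        if xo == 339 and spr == 8:
            return ("mflr", f1)
        if xo == 467 and spr == 8:
            return ("mtlr", f1)
    return None


def analyze(words):
    """Symbolically execute one function body up to blr and summarise it."""
    regs = {}            # GPR -> concrete value when provable, else None
    written = []         # GPRs written, in program order
    loads = []           # (destination GPR, effective address or None)
    backed_up = set()    # saved GPRs the prologue stored into the frame
    frame = None
    for w in words:
        ins = decode(w)
        if ins is None:
            raise ValueError(f"unsupported encoding 0x{w:08X}")
        mn = ins[0]
        if mn == "blr":
            break
        if mn in ("addi", "addis"):
            rt, ra, d = ins[1:]
            base = 0 if ra == 0 else regs.get(ra)      # ra==0 means literal 0 (li/lis)
            imm = d << 16 if mn == "addis" else d
            regs[rt] = None if base is None else (base + imm) & 0xFFFFFFFF
            written.append(rt)
            if rt == 1 and ra == 1 and frame is not None and d != frame:
                raise ValueError(f"epilogue pops {d:#x} but frame is {frame:#x}")
        elif mn in ("lwz", "lwzu"):
            rt, ra, d = ins[1:]
            base = 0 if ra == 0 else regs.get(ra)
            ea = None if base is None else (base + d) & 0xFFFFFFFF
            loads.append((rt, ea))
            regs[rt] = None                            # memory contents unknown here
            written.append(rt)
            if mn == "lwzu":                           # update form also writes ra
                regs[ra] = ea
                written.append(ra)
        elif mn in ("stw", "stwu"):
            rs, ra, d = ins[1:]
            if mn == "stwu" and rs == 1 and ra == 1 and d < 0:
                frame = -d                             # stwu r1, -N(r1) opens an N-byte frame
            elif ra == 1 and rs >= SAVED_GPR_MIN:
                backed_up.add(rs)                      # saved register spilled to the frame
            if mn == "stwu":
                written.append(ra)
        elif mn == "mr":
            dst, src = ins[1:]
            regs[dst] = regs.get(src)
            written.append(dst)
        elif mn == "mflr":
            regs[ins[1]] = None
            written.append(ins[1])
        # mtlr only reads its register
    clobbered = sorted(set(written))
    return {
        "loads": loads,
        "clobbered": {r: gpr_role(r) for r in clobbered},
        # the post's heuristic: r3 and r4 both written before blr -> u64 in r3:r4
        "return_bits": 64 if 3 in written and 4 in written else 32 if 3 in written else 0,
        "frame": frame,
        "backed_up": sorted(backed_up),
        "unsaved_saved_regs": [r for r in clobbered if r >= SAVED_GPR_MIN and r not in backed_up],
    }
```

Running analyze on the GX2 words gives the loads at 0x10014E80 and 0x10014E84 and flags r3 and r4 as both written, which is the 64-bit return the post describes; on the constructed function it reports a 0x20-byte frame with r31 backed up. The unsaved_saved_regs field is the check worth keeping: a saved register written without a matching stw to the frame means either the disassembly boundary is wrong or the function is not a normal EABI callee.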
 

Datalogger

Interesting... it seems the syscall_loader uses a few different functions for some of its SysCalls.
Code:
SysCall_0x0000_ConsoleWrite
SysCall_0x1700_FindClosestSymbol
SysCall_0x1E00_IPCKDriver_Loader_User_Open
SysCall_0x1F00_IPCKDriver_Loader_User_Close
SysCall_0x2000_IPCKDriver_SubmitRequest

use different functions in syscall_loader than they do in syscall_system, syscall_games, syscall_unknown and syscall_RAMPID1.
What's more, it looks like syscall_loader calls the same function for 0x1E00 and 0x1F00.

Code:
Kernel-Data:FFE84C70 syscall_RAMPID1:    SysCall_0x0000_ConsoleWrite                                        
Kernel-Data:FFE84C74                     SysCall_0x0100_AppPanic
Kernel-Data:FFE84C78                     SysCall_0x0200_EffectiveToPhysical
Kernel-Data:FFE84C7C                     SysCall_0x0300_PhysicalToEffectiveCached
Kernel-Data:FFE84C80                     SysCall_0x0400_PhysicalToEffectiveUncached
Kernel-Data:FFE84C84                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFE84C88                     SysCall_0x0600_UpdateCoreTime
Kernel-Data:FFE84C90                     SysCall_0x0800_SetUserModeExHandler
Kernel-Data:FFE84C9C                     SysCall_0x0B00_AllocateTimer
Kernel-Data:FFE84CA0                     SysCall_0x0C00_FreeTimer
Kernel-Data:FFE84CA4                     SysCall_0x0D00_PrimeTimer
Kernel-Data:FFE84CA8                     SysCall_0x0E00_StopTimer
Kernel-Data:FFE84CAC                     SysCall_0x0F00_DumpModuleList
Kernel-Data:FFE84CB0                     SysCall_0x1000_SetInterruptHandler
Kernel-Data:FFE84CB4                     SysCall_0x1100_GetInterruptHandler
Kernel-Data:FFE84CB8                     SysCall_0x1200_DisableInterrupt
Kernel-Data:FFE84CBC                     SysCall_0x1300_EnableInterrupt
Kernel-Data:FFE84CC0                     SysCall_0x1400_ClearAndEnableInterrupt
Kernel-Data:FFE84CC4                     SysCall_0x1500_GetInterruptStatus
Kernel-Data:FFE84CC8                     SysCall_0x1600_ClearInterruptStatus
Kernel-Data:FFE84CCC                     SysCall_0x1700_FindClosestSymbol
Kernel-Data:FFE84CD4                     SysCall_0x1900_Exit_Halt
Kernel-Data:FFE84CD8                     SysCall_0x1A00_GetInfo
Kernel-Data:FFE84CDC                     SysCall_0x1B00_SetInfo
Kernel-Data:FFE84CE0                     SysCall_0x1C00_ThreadInit
Kernel-Data:FFE84CE4                     SysCall_0x1D00_SendICI
Kernel-Data:FFE84CE8                     SysCall_0x1E00_IPCKDriver_Loader_User_Open
Kernel-Data:FFE84CEC                     SysCall_0x1F00_IPCKDriver_Loader_User_Close
Kernel-Data:FFE84CF0                     SysCall_0x2000_IPCKDriver_SubmitRequest
Kernel-Data:FFE84CF8                     SysCall_0x2200_GetEnvironmentVariable
Kernel-Data:FFE84D0C                     SysCall_0x2700_GetNotifyTarget
Kernel-Data:FFE84D10                     SysCall_0x2800_ProcCtrl
Kernel-Data:FFE84D14                     SysCall_0x2900_GetForegroundBucket
Kernel-Data:FFE84D18                     SysCall_0x2A00_RequestSwitch
Kernel-Data:FFE84D1C                     SysCall_0x2B00_PrepareTitle
Kernel-Data:FFE84D20                     SysCall_0x2C00_ProcYield
Kernel-Data:FFE84D28                     SysCall_0x2E00_GetSystemMessage
Kernel-Data:FFE84D2C                     SysCall_0x2F00_GetCallArgs
Kernel-Data:FFE84D30                     SysCall_0x3000_GetAbsoluteSystemTimeInternal
Kernel-Data:FFE84D34                     SysCall_0x3100_SetAbsoluteSystemTimeInternal
Kernel-Data:FFE84D38                     SysCall_0x3200_Driver_Register
Kernel-Data:FFE84D3C                     SysCall_0x3300_Driver_Deregister
Kernel-Data:FFE84D50                     SysCall_0x3800_AllocVirtAddr
Kernel-Data:FFE84D54                     SysCall_0x3900_FreeVirtAddr
Kernel-Data:FFE84D58                     SysCall_0x3A00_GetMapVirtAddrRange
Kernel-Data:FFE84D5C                     SysCall_0x3B00_GetDataPhysAddrRange
Kernel-Data:FFE84D60                     SysCall_0x3C00_GetAvailPhysAddrRange
Kernel-Data:FFE84D64                     SysCall_0x3D00_MapMemory
Kernel-Data:FFE84D68                     SysCall_0x3E00_UnmapMemory
Kernel-Data:FFE84D6C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFE84D70                     SysCall_0x4000_LogArgs
Kernel-Data:FFE84D74                     SysCall_0x4100_LogFunc
Kernel-Data:FFE84D78                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFE84D7C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFE84D80                     SysCall_0x4400_Unknown
Kernel-Data:FFE84D84                     SysCall_0x4500_Unknown
Kernel-Data:FFE84D88                     SysCall_0x4600_Unknown
Kernel-Data:FFE84D8C                     SysCall_0x4700_Driver_CopyFromSaveArea
Kernel-Data:FFE84D90                     SysCall_0x4800_Driver_CopyToSaveArea
Kernel-Data:FFE84D94                     SysCall_0x4900_SavesDone_ReadyToRelease
Kernel-Data:FFE84D98                     SysCall_0x4A00_SetAlarm
Kernel-Data:FFE84D9C                     SysCall_0x4B00_SetDABR
Kernel-Data:FFE84DA0                     SysCall_0x4C00_SetIABR
Kernel-Data:FFE84DA4                     SysCall_0x4D00_GetProcessInfo
Kernel-Data:FFE84DA8                     SysCall_0x4E00_GetCodegenVirtAddrRange
Kernel-Data:FFE84DAC                     SysCall_0x4F00_LoaderCall
Kernel-Data:FFE84DD4                     SysCall_0x5900_GetSharedArea
Kernel-Data:FFE84DD8                     SysCall_0x5A00_SendPolicy
Kernel-Data:FFE84DE4                     SysCall_0x5D00_BlockLogSave
Kernel-Data:FFE84DF4                     SysCall_0x6100_QuerySwitchReady
Kernel-Data:FFE84DF8                     SysCall_0x6200_Unknown
Kernel-Data:FFE84DFC                     SysCall_0x6300_Unknown
Kernel-Data:FFE84E04                     SysCall_0x6500_blr
Kernel-Data:FFE84E0C                     SysCall_0x6700_RequestFastExit
Kernel-Data:FFE84E10                     SysCall_0x6800_CoreInitDone
Kernel-Data:FFE84E14                     SysCall_0x6900_GetSwitchTarget
Kernel-Data:FFE84E18                     SysCall_0x6A00_AcquireDone
Kernel-Data:FFE84E1C                     SysCall_0x6B00_GetBuiltSDKVersion
Kernel-Data:FFE84E20                     SysCall_0x6C00_SystemFatal
Kernel-Data:FFE84E28                     SysCall_0x6E00_SwitchSecCodeGenMode
Kernel-Data:FFE84E2C                     SysCall_0x6F00_IopShell_RegisterCallback
Kernel-Data:FFE84E30                     SysCall_0x7000_GetTitleVersion
Kernel-Data:FFE84E34                     SysCall_0x7100_IsTestKernel
Kernel-Data:FFE84E38                     SysCall_0x7200_ForceFullRelaunch
Kernel-Data:FFE84E3C                     SysCall_0x7300_Recycle
Kernel-Data:FFE84E40                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFE84E44                     SysCall_0x7500_QueryVirtAddr
Kernel-Data:FFE84E48                     SysCall_0x7600_GetCodegenCore
Kernel-Data:FFE84E4C                     SysCall_0x7700_GetSecCodeGenMode
Kernel-Data:FFE84E50                     SysCall_0x7800_CodegenCopy
Kernel-Data:FFE84E54                     SysCall_0x7900_LoadShared
Kernel-Data:FFE84E58                     SysCall_0x7A00_SetExceptionCallback
Kernel-Data:FFE84E5C                     SysCall_0x7B00_IopShell_InjectCommand
Kernel-Data:FFE84E60                     SysCall_0x7C00_Kill
Kernel-Data:FFE84E64                     SysCall_0x7D00_EnableOverlayArena
Kernel-Data:FFE84E68                     SysCall_0x7E00_DisableOverlayArena
Kernel-Data:FFE84E6C                     SysCall_0x7F00_GetSystemMode
Kernel-Data:FFE84E70                     SysCall_0x8000_SystemMode_RegisterCallback
Kernel-Data:FFE84E74                     SysCall_0x8100_ZeroProcessMemory
Kernel-Data:FFE84E78                     SysCall_0x8200_HandleIopPowerEvents
Kernel-Data:FFE84E7C                     SysCall_0x8300_ConsoleTimestamp


Kernel-Data:FFE85070 syscall_games:      SysCall_0x0000_ConsoleWrite                                        
Kernel-Data:FFE85074                     SysCall_0x0100_AppPanic
Kernel-Data:FFE85078                     SysCall_0x0200_EffectiveToPhysical
Kernel-Data:FFE8507C                     SysCall_0x0300_PhysicalToEffectiveCached
Kernel-Data:FFE85080                     SysCall_0x0400_PhysicalToEffectiveUncached
Kernel-Data:FFE85084                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFE85088                     SysCall_0x0600_UpdateCoreTime
Kernel-Data:FFE85090                     SysCall_0x0800_SetUserModeExHandler
Kernel-Data:FFE8509C                     SysCall_0x0B00_AllocateTimer
Kernel-Data:FFE850A0                     SysCall_0x0C00_FreeTimer
Kernel-Data:FFE850A4                     SysCall_0x0D00_PrimeTimer
Kernel-Data:FFE850A8                     SysCall_0x0E00_StopTimer
Kernel-Data:FFE850AC                     SysCall_0x0F00_DumpModuleList
Kernel-Data:FFE850B0                     SysCall_0x1000_SetInterruptHandler
Kernel-Data:FFE850B4                     SysCall_0x1100_GetInterruptHandler
Kernel-Data:FFE850B8                     SysCall_0x1200_DisableInterrupt
Kernel-Data:FFE850BC                     SysCall_0x1300_EnableInterrupt
Kernel-Data:FFE850C0                     SysCall_0x1400_ClearAndEnableInterrupt
Kernel-Data:FFE850C4                     SysCall_0x1500_GetInterruptStatus
Kernel-Data:FFE850C8                     SysCall_0x1600_ClearInterruptStatus
Kernel-Data:FFE850CC                     SysCall_0x1700_FindClosestSymbol
Kernel-Data:FFE850D4                     SysCall_0x1900_Exit_Halt
Kernel-Data:FFE850D8                     SysCall_0x1A00_GetInfo
Kernel-Data:FFE850DC                     SysCall_0x1B00_SetInfo
Kernel-Data:FFE850E0                     SysCall_0x1C00_ThreadInit
Kernel-Data:FFE850E4                     SysCall_0x1D00_SendICI
Kernel-Data:FFE850E8                     SysCall_0x1E00_IPCKDriver_Loader_User_Open
Kernel-Data:FFE850EC                     SysCall_0x1F00_IPCKDriver_Loader_User_Close
Kernel-Data:FFE850F0                     SysCall_0x2000_IPCKDriver_SubmitRequest
Kernel-Data:FFE850F8                     SysCall_0x2200_GetEnvironmentVariable
Kernel-Data:FFE8510C                     SysCall_0x2700_GetNotifyTarget
Kernel-Data:FFE85110                     SysCall_0x2800_ProcCtrl
Kernel-Data:FFE85114                     SysCall_0x2900_GetForegroundBucket
Kernel-Data:FFE85118                     SysCall_0x2A00_RequestSwitch
Kernel-Data:FFE8511C                     SysCall_0x2B00_PrepareTitle
Kernel-Data:FFE85120                     SysCall_0x2C00_ProcYield
Kernel-Data:FFE85128                     SysCall_0x2E00_GetSystemMessage
Kernel-Data:FFE8512C                     SysCall_0x2F00_GetCallArgs
Kernel-Data:FFE85130                     SysCall_0x3000_GetAbsoluteSystemTimeInternal
Kernel-Data:FFE85134                     SysCall_0x3100_SetAbsoluteSystemTimeInternal
Kernel-Data:FFE85138                     SysCall_0x3200_Driver_Register
Kernel-Data:FFE8513C                     SysCall_0x3300_Driver_Deregister
Kernel-Data:FFE85150                     SysCall_0x3800_AllocVirtAddr
Kernel-Data:FFE85154                     SysCall_0x3900_FreeVirtAddr
Kernel-Data:FFE85158                     SysCall_0x3A00_GetMapVirtAddrRange
Kernel-Data:FFE8515C                     SysCall_0x3B00_GetDataPhysAddrRange
Kernel-Data:FFE85160                     SysCall_0x3C00_GetAvailPhysAddrRange
Kernel-Data:FFE85164                     SysCall_0x3D00_MapMemory
Kernel-Data:FFE85168                     SysCall_0x3E00_UnmapMemory
Kernel-Data:FFE8516C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFE85170                     SysCall_0x4000_LogArgs
Kernel-Data:FFE85174                     SysCall_0x4100_LogFunc
Kernel-Data:FFE85178                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFE8517C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFE85180                     SysCall_0x4400_Unknown
Kernel-Data:FFE85184                     SysCall_0x4500_Unknown
Kernel-Data:FFE85188                     SysCall_0x4600_Unknown
Kernel-Data:FFE8518C                     SysCall_0x4700_Driver_CopyFromSaveArea
Kernel-Data:FFE85190                     SysCall_0x4800_Driver_CopyToSaveArea
Kernel-Data:FFE85194                     SysCall_0x4900_SavesDone_ReadyToRelease
Kernel-Data:FFE85198                     SysCall_0x4A00_SetAlarm
Kernel-Data:FFE8519C                     SysCall_0x4B00_SetDABR
Kernel-Data:FFE851A0                     SysCall_0x4C00_SetIABR
Kernel-Data:FFE851A4                     SysCall_0x4D00_GetProcessInfo
Kernel-Data:FFE851A8                     SysCall_0x4E00_GetCodegenVirtAddrRange
Kernel-Data:FFE851AC                     SysCall_0x4F00_LoaderCall
Kernel-Data:FFE851D4                     SysCall_0x5900_GetSharedArea
Kernel-Data:FFE851D8                     SysCall_0x5A00_SendPolicy
Kernel-Data:FFE851E4                     SysCall_0x5D00_BlockLogSave
Kernel-Data:FFE851F4                     SysCall_0x6100_QuerySwitchReady
Kernel-Data:FFE851F8                     SysCall_0x6200_Unknown
Kernel-Data:FFE851FC                     SysCall_0x6300_Unknown
Kernel-Data:FFE85204                     SysCall_0x6500_blr
Kernel-Data:FFE8520C                     SysCall_0x6700_RequestFastExit
Kernel-Data:FFE85210                     SysCall_0x6800_CoreInitDone
Kernel-Data:FFE85214                     SysCall_0x6900_GetSwitchTarget
Kernel-Data:FFE85218                     SysCall_0x6A00_AcquireDone
Kernel-Data:FFE8521C                     SysCall_0x6B00_GetBuiltSDKVersion
Kernel-Data:FFE85220                     SysCall_0x6C00_SystemFatal
Kernel-Data:FFE85228                     SysCall_0x6E00_SwitchSecCodeGenMode
Kernel-Data:FFE8522C                     SysCall_0x6F00_IopShell_RegisterCallback
Kernel-Data:FFE85230                     SysCall_0x7000_GetTitleVersion
Kernel-Data:FFE85234                     SysCall_0x7100_IsTestKernel
Kernel-Data:FFE85238                     SysCall_0x7200_ForceFullRelaunch
Kernel-Data:FFE85240                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFE85244                     SysCall_0x7500_QueryVirtAddr
Kernel-Data:FFE85248                     SysCall_0x7600_GetCodegenCore
Kernel-Data:FFE8524C                     SysCall_0x7700_GetSecCodeGenMode
Kernel-Data:FFE85250                     SysCall_0x7800_CodegenCopy
Kernel-Data:FFE85258                     SysCall_0x7A00_SetExceptionCallback
Kernel-Data:FFE8525C                     SysCall_0x7B00_IopShell_InjectCommand
Kernel-Data:FFE85260                     SysCall_0x7C00_Kill
Kernel-Data:FFE85264                     SysCall_0x7D00_EnableOverlayArena
Kernel-Data:FFE85268                     SysCall_0x7E00_DisableOverlayArena
Kernel-Data:FFE8526C                     SysCall_0x7F00_GetSystemMode
Kernel-Data:FFE85270                     SysCall_0x8000_SystemMode_RegisterCallback
Kernel-Data:FFE85278                     SysCall_0x8200_HandleIopPowerEvents
Kernel-Data:FFE8527C                     SysCall_0x8300_ConsoleTimestamp


Kernel-Data:FFE85470 syscall_loader:     SysCall_0x0000_ConsoleWrite_SP                             
Kernel-Data:FFE85474                     SysCall_0x0100_AppPanic
Kernel-Data:FFE85484                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFE854CC                     SysCall_0x1700_FindClosestSymbol_SP
Kernel-Data:FFE854E8                     SysCall_Special_IPCKDriver_Loader_User_SP
Kernel-Data:FFE854EC                     SysCall_Special_IPCKDriver_Loader_User_SP
Kernel-Data:FFE854F0                     SysCall_0x2000_IPCKDriver_SubmitRequest_SP
Kernel-Data:FFE8556C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFE85570                     SysCall_0x4000_LogArgs
Kernel-Data:FFE85574                     SysCall_0x4100_LogFunc
Kernel-Data:FFE85578                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFE8557C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFE855B0                     SysCall_0x5000_RPLLoaderResumeContext
Kernel-Data:FFE855B8                     SysCall_0x5200_WaitIopComplete
Kernel-Data:FFE855BC                     SysCall_0x5300_FlushCode
Kernel-Data:FFE855C0                     SysCall_0x5400_FlushData
Kernel-Data:FFE855C4                     SysCall_0x5500_UpdateHeartbeat
Kernel-Data:FFE855C8                     SysCall_0x5600_LogEntry
Kernel-Data:FFE855CC                     SysCall_0x5700_FastClearMemory
Kernel-Data:FFE855D0                     SysCall_0x5800_GetBusClockSpeed
Kernel-Data:FFE855DC                     SysCall_0x5B00_GetProcessIndex
Kernel-Data:FFE855E0                     SysCall_0x5C00_IPCKDriver_PollLoaderCompletion
Kernel-Data:FFE855E8                     SysCall_0x5E00_FinishInitandPreload
Kernel-Data:FFE855EC                     SysCall_0x5F00_ContinueStartProcess
Kernel-Data:FFE855F0                     SysCall_0x6000_OpenMCP
Kernel-Data:FFE85608                     SysCall_0x6600_ProfileEntry_blr
Kernel-Data:FFE85640                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFE8567C                     SysCall_0x8300_ConsoleTimestamp
Kernel-Data:FFE85680                     SysCall_0x8400_ValidateOverlayRange


Kernel-Data:FFEAAE60 SysCall_Unknown:    SysCall_0x0000_ConsoleWrite
Kernel-Data:FFEAAE64                     SysCall_0x0100_AppPanic
Kernel-Data:FFEAAE68                     SysCall_0x0200_EffectiveToPhysical
Kernel-Data:FFEAAE6C                     SysCall_0x0300_PhysicalToEffectiveCached
Kernel-Data:FFEAAE70                     SysCall_0x0400_PhysicalToEffectiveUncached
Kernel-Data:FFEAAE74                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFEAAE78                     SysCall_0x0600_UpdateCoreTime
Kernel-Data:FFEAAE80                     SysCall_0x0800_SetUserModeExHandler
Kernel-Data:FFEAAE8C                     SysCall_0x0B00_AllocateTimer
Kernel-Data:FFEAAE90                     SysCall_0x0C00_FreeTimer
Kernel-Data:FFEAAE94                     SysCall_0x0D00_PrimeTimer
Kernel-Data:FFEAAE98                     SysCall_0x0E00_StopTimer
Kernel-Data:FFEAAE9C                     SysCall_0x0F00_DumpModuleList
Kernel-Data:FFEAAEA0                     SysCall_0x1000_SetInterruptHandler
Kernel-Data:FFEAAEA4                     SysCall_0x1100_GetInterruptHandler
Kernel-Data:FFEAAEA8                     SysCall_0x1200_DisableInterrupt
Kernel-Data:FFEAAEAC                     SysCall_0x1300_EnableInterrupt
Kernel-Data:FFEAAEB0                     SysCall_0x1400_ClearAndEnableInterrupt
Kernel-Data:FFEAAEB4                     SysCall_0x1500_GetInterruptStatus
Kernel-Data:FFEAAEB8                     SysCall_0x1600_ClearInterruptStatus
Kernel-Data:FFEAAEBC                     SysCall_0x1700_FindClosestSymbol
Kernel-Data:FFEAAEC4                     SysCall_0x1900_Exit_Halt
Kernel-Data:FFEAAEC8                     SysCall_0x1A00_GetInfo
Kernel-Data:FFEAAECC                     SysCall_0x1B00_SetInfo
Kernel-Data:FFEAAED0                     SysCall_0x1C00_ThreadInit
Kernel-Data:FFEAAED4                     SysCall_0x1D00_SendICI
Kernel-Data:FFEAAED8                     SysCall_0x1E00_IPCKDriver_Loader_User_Open
Kernel-Data:FFEAAEDC                     SysCall_0x1F00_IPCKDriver_Loader_User_Close
Kernel-Data:FFEAAEE0                     SysCall_0x2000_IPCKDriver_SubmitRequest
Kernel-Data:FFEAAEE8                     SysCall_0x2200_GetEnvironmentVariable
Kernel-Data:FFEAAEFC                     SysCall_0x2700_GetNotifyTarget
Kernel-Data:FFEAAF00                     SysCall_0x2800_ProcCtrl
Kernel-Data:FFEAAF04                     SysCall_0x2900_GetForegroundBucket
Kernel-Data:FFEAAF08                     SysCall_0x2A00_RequestSwitch
Kernel-Data:FFEAAF0C                     SysCall_0x2B00_PrepareTitle
Kernel-Data:FFEAAF10                     SysCall_0x2C00_ProcYield
Kernel-Data:FFEAAF18                     SysCall_0x2E00_GetSystemMessage
Kernel-Data:FFEAAF1C                     SysCall_0x2F00_GetCallArgs
Kernel-Data:FFEAAF20                     SysCall_0x3000_GetAbsoluteSystemTimeInternal
Kernel-Data:FFEAAF24                     SysCall_0x3100_SetAbsoluteSystemTimeInternal
Kernel-Data:FFEAAF28                     SysCall_0x3200_Driver_Register
Kernel-Data:FFEAAF2C                     SysCall_0x3300_Driver_Deregister
Kernel-Data:FFEAAF40                     SysCall_0x3800_AllocVirtAddr
Kernel-Data:FFEAAF44                     SysCall_0x3900_FreeVirtAddr
Kernel-Data:FFEAAF48                     SysCall_0x3A00_GetMapVirtAddrRange
Kernel-Data:FFEAAF4C                     SysCall_0x3B00_GetDataPhysAddrRange
Kernel-Data:FFEAAF50                     SysCall_0x3C00_GetAvailPhysAddrRange
Kernel-Data:FFEAAF54                     SysCall_0x3D00_MapMemory
Kernel-Data:FFEAAF58                     SysCall_0x3E00_UnmapMemory
Kernel-Data:FFEAAF5C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFEAAF60                     SysCall_0x4000_LogArgs
Kernel-Data:FFEAAF64                     SysCall_0x4100_LogFunc
Kernel-Data:FFEAAF68                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFEAAF6C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFEAAF70                     SysCall_0x4400_Unknown
Kernel-Data:FFEAAF74                     SysCall_0x4500_Unknown
Kernel-Data:FFEAAF78                     SysCall_0x4600_Unknown
Kernel-Data:FFEAAF7C                     SysCall_0x4700_Driver_CopyFromSaveArea
Kernel-Data:FFEAAF80                     SysCall_0x4800_Driver_CopyToSaveArea
Kernel-Data:FFEAAF84                     SysCall_0x4900_SavesDone_ReadyToRelease
Kernel-Data:FFEAAF88                     SysCall_0x4A00_SetAlarm
Kernel-Data:FFEAAF8C                     SysCall_0x4B00_SetDABR
Kernel-Data:FFEAAF90                     SysCall_0x4C00_SetIABR
Kernel-Data:FFEAAF94                     SysCall_0x4D00_GetProcessInfo
Kernel-Data:FFEAAF98                     SysCall_0x4E00_GetCodegenVirtAddrRange
Kernel-Data:FFEAAF9C                     SysCall_0x4F00_LoaderCall
Kernel-Data:FFEAAFC4                     SysCall_0x5900_GetSharedArea
Kernel-Data:FFEAAFC8                     SysCall_0x5A00_SendPolicy
Kernel-Data:FFEAAFD4                     SysCall_0x5D00_BlockLogSave
Kernel-Data:FFEAAFE4                     SysCall_0x6100_QuerySwitchReady
Kernel-Data:FFEAAFE8                     SysCall_0x6200_Unknown
Kernel-Data:FFEAAFEC                     SysCall_0x6300_Unknown
Kernel-Data:FFEAAFF4                     SysCall_0x6500_blr
Kernel-Data:FFEAAFFC                     SysCall_0x6700_RequestFastExit
Kernel-Data:FFEAB000                     SysCall_0x6800_CoreInitDone
Kernel-Data:FFEAB004                     SysCall_0x6900_GetSwitchTarget
Kernel-Data:FFEAB008                     SysCall_0x6A00_AcquireDone
Kernel-Data:FFEAB00C                     SysCall_0x6B00_GetBuiltSDKVersion
Kernel-Data:FFEAB010                     SysCall_0x6C00_SystemFatal
Kernel-Data:FFEAB018                     SysCall_0x6E00_SwitchSecCodeGenMode
Kernel-Data:FFEAB01C                     SysCall_0x6F00_IopShell_RegisterCallback
Kernel-Data:FFEAB020                     SysCall_0x7000_GetTitleVersion
Kernel-Data:FFEAB024                     SysCall_0x7100_IsTestKernel
Kernel-Data:FFEAB028                     SysCall_0x7200_ForceFullRelaunch
Kernel-Data:FFEAB030                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFEAB034                     SysCall_0x7500_QueryVirtAddr
Kernel-Data:FFEAB038                     SysCall_0x7600_GetCodegenCore
Kernel-Data:FFEAB03C                     SysCall_0x7700_GetSecCodeGenMode
Kernel-Data:FFEAB040                     SysCall_0x7800_CodegenCopy
Kernel-Data:FFEAB048                     SysCall_0x7A00_SetExceptionCallback
Kernel-Data:FFEAB04C                     SysCall_0x7B00_IopShell_InjectCommand
Kernel-Data:FFEAB050                     SysCall_0x7C00_Kill
Kernel-Data:FFEAB054                     SysCall_0x7D00_EnableOverlayArena
Kernel-Data:FFEAB058                     SysCall_0x7E00_DisableOverlayArena
Kernel-Data:FFEAB05C                     SysCall_0x7F00_GetSystemMode
Kernel-Data:FFEAB060                     SysCall_0x8000_SystemMode_RegisterCallback
Kernel-Data:FFEAB068                     SysCall_0x8200_HandleIopPowerEvents
Kernel-Data:FFEAB06C                     SysCall_0x8300_ConsoleTimestamp





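The comparison in the post above (which slots the loader table serves with a different handler, and which two slots share one handler) was done by eye across four dumps. As an added example, not code from the thread or from IDA, here is a Python script that parses IDA-style "Kernel-Data:" listings like the ones above into index -> handler maps and automates those checks. The slot index is (entry address - table base) / 4, and the handler names on the page encode that same index as 0xNN00, so the script also verifies the two agree. The embedded sample is a hand-picked subset of the syscall_RAMPID1 and syscall_loader lines posted above, trimmed for size, not the full tables.

```python
"""Parse and compare Wii U kernel syscall table dumps in the format posted
above. Added example code, not from the original page."""
import re
from collections import defaultdict

ENTRY = re.compile(r"^Kernel-Data:([0-9A-Fa-f]{8})\s+(?:(\w+):\s*)?(\S+)$")
NUMBERED = re.compile(r"^SysCall_0x([0-9A-Fa-f]{4})_")

# Subset of the listing posted above (constructed for this example by trimming
# the full dumps down to the rows the comparison needs).
SAMPLE_DUMP = """\
Kernel-Data:FFE84C70 syscall_RAMPID1:    SysCall_0x0000_ConsoleWrite
Kernel-Data:FFE84C74                     SysCall_0x0100_AppPanic
Kernel-Data:FFE84C84                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFE84CCC                     SysCall_0x1700_FindClosestSymbol
Kernel-Data:FFE84CE8                     SysCall_0x1E00_IPCKDriver_Loader_User_Open
Kernel-Data:FFE84CEC                     SysCall_0x1F00_IPCKDriver_Loader_User_Close
Kernel-Data:FFE84CF0                     SysCall_0x2000_IPCKDriver_SubmitRequest
Kernel-Data:FFE85470 syscall_loader:     SysCall_0x0000_ConsoleWrite_SP
Kernel-Data:FFE85474                     SysCall_0x0100_AppPanic
Kernel-Data:FFE85484                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFE854CC                     SysCall_0x1700_FindClosestSymbol_SP
Kernel-Data:FFE854E8                     SysCall_Special_IPCKDriver_Loader_User_SP
Kernel-Data:FFE854EC                     SysCall_Special_IPCKDriver_Loader_User_SP
Kernel-Data:FFE854F0                     SysCall_0x2000_IPCKDriver_SubmitRequest_SP
Kernel-Data:FFE855B0                     SysCall_0x5000_RPLLoaderResumeContext
"""


def parse_tables(dump):
    """Return {table_label: {slot_index: handler_name}} for every labelled table."""
    tables, current, base = {}, None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        addr, label, handler = int(m.group(1), 16), m.group(2), m.group(3)
        if label:                          # "name:" on an entry starts a new table
            current, base = label, addr
            tables[current] = {}
        if current is None:
            raise ValueError("entry before any table label")
        offset = addr - base
        if offset < 0 or offset % 4:       # function pointers are 4 bytes on 32-bit PPC
            raise ValueError(f"{addr:08X} is not a 4-byte slot of {current}")
        tables[current][offset // 4] = handler
    return tables


def syscall_number(index):
    """The thread names syscalls by index << 8 (slot 0x17 is SysCall_0x1700)."""
    return index << 8


def name_index_mismatches(tables):
    """Entries whose SysCall_0xNN00 name disagrees with the slot they sit in."""
    bad = []
    for name, table in tables.items():
        for index, handler in table.items():
            m = NUMBERED.match(handler)
            if m and int(m.group(1), 16) != syscall_number(index):
                bad.append((name, index, handler))
    return bad


def diff_handlers(tables, a, b):
    """Slots present in both tables that resolve to differently named handlers."""
    ta, tb = tables[a], tables[b]
    return sorted(i for i in ta.keys() & tb.keys() if ta[i] != tb[i])


def duplicate_handlers(table):
    """Handlers reachable from more than one slot of the same table."""
    by_handler = defaultdict(list)
    for index, handler in sorted(table.items()):
        by_handler[handler].append(index)
    return {h: idx for h, idx in by_handler.items() if len(idx) > 1}


def missing_indices(table):
    """Slots below the highest listed index that the dump does not name."""
    return [i for i in range(max(table) + 1) if i not in table]


if __name__ == "__main__":
    t = parse_tables(SAMPLE_DUMP)
    print("name/slot mismatches:", name_index_mismatches(t))
    diff = diff_handlers(t, "syscall_RAMPID1", "syscall_loader")
    print("loader differs at:", [f"0x{syscall_number(i):04X}" for i in diff])
    print("loader shares a handler at:", duplicate_handlers(t["syscall_loader"]))
```

On the sample this reports the loader table differing at 0x0000, 0x1700, 0x1E00, 0x1F00 and 0x2000, with 0x1E00 and 0x1F00 pointing at the same SysCall_Special_IPCKDriver_Loader_User_SP, which is exactly the observation above. The missing_indices list is the one to look at next: slots the dump does not name are the ones IDA showed as unnamed or null pointers, and those are where the kernel's behaviour for an out-of-range or unassigned syscall number has to be checked by hand.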

NWPlayer123

Well-Known Member
OP
Member
Joined
Feb 17, 2012
Messages
2,642
Trophies
0
Location
The Everfree Forest
XP
6,693
Country
United States
Interesting... it seems the syscall_loader uses a few different functions for some of its SysCalls.
Code:
SysCall_0x0000_ConsoleWrite
SysCall_0x1700_FindClosestSymbol
SysCall_0x1E00_IPCKDriver_Loader_User_Open
SysCall_0x1F00_IPCKDriver_Loader_User_Close
SysCall_0x2000_IPCKDriver_SubmitRequest

use different functions in syscall_loader than they do in syscall_system, syscall_games, syscall_unknown and syscall_RAMPID1.
What's more, it looks like syscall_loader calls the same function for 0x1E00 and 0x1F00.

Kernel-Data:FFE850B0                     SysCall_0x1000_SetInterruptHandler
Kernel-Data:FFE850B4                     SysCall_0x1100_GetInterruptHandler
Kernel-Data:FFE850B8                     SysCall_0x1200_DisableInterrupt
Kernel-Data:FFE850BC                     SysCall_0x1300_EnableInterrupt
Kernel-Data:FFE850C0                     SysCall_0x1400_ClearAndEnableInterrupt
Kernel-Data:FFE850C4                     SysCall_0x1500_GetInterruptStatus
Kernel-Data:FFE850C8                     SysCall_0x1600_ClearInterruptStatus
Kernel-Data:FFE850CC                     SysCall_0x1700_FindClosestSymbol
Kernel-Data:FFE850D4                     SysCall_0x1900_Exit_Halt
Kernel-Data:FFE850D8                     SysCall_0x1A00_GetInfo
Kernel-Data:FFE850DC                     SysCall_0x1B00_SetInfo
Kernel-Data:FFE850E0                     SysCall_0x1C00_ThreadInit
Kernel-Data:FFE850E4                     SysCall_0x1D00_SendICI
Kernel-Data:FFE850E8                     SysCall_0x1E00_IPCKDriver_Loader_User_Open
Kernel-Data:FFE850EC                     SysCall_0x1F00_IPCKDriver_Loader_User_Close
Kernel-Data:FFE850F0                     SysCall_0x2000_IPCKDriver_SubmitRequest
Kernel-Data:FFE850F8                     SysCall_0x2200_GetEnvironmentVariable
Kernel-Data:FFE8510C                     SysCall_0x2700_GetNotifyTarget
Kernel-Data:FFE85110                     SysCall_0x2800_ProcCtrl
Kernel-Data:FFE85114                     SysCall_0x2900_GetForegroundBucket
Kernel-Data:FFE85118                     SysCall_0x2A00_RequestSwitch
Kernel-Data:FFE8511C                     SysCall_0x2B00_PrepareTitle
Kernel-Data:FFE85120                     SysCall_0x2C00_ProcYield
Kernel-Data:FFE85128                     SysCall_0x2E00_GetSystemMessage
Kernel-Data:FFE8512C                     SysCall_0x2F00_GetCallArgs
Kernel-Data:FFE85130                     SysCall_0x3000_GetAbsoluteSystemTimeInternal
Kernel-Data:FFE85134                     SysCall_0x3100_SetAbsoluteSystemTimeInternal
Kernel-Data:FFE85138                     SysCall_0x3200_Driver_Register
Kernel-Data:FFE8513C                     SysCall_0x3300_Driver_Deregister
Kernel-Data:FFE85150                     SysCall_0x3800_AllocVirtAddr
Kernel-Data:FFE85154                     SysCall_0x3900_FreeVirtAddr
Kernel-Data:FFE85158                     SysCall_0x3A00_GetMapVirtAddrRange
Kernel-Data:FFE8515C                     SysCall_0x3B00_GetDataPhysAddrRange
Kernel-Data:FFE85160                     SysCall_0x3C00_GetAvailPhysAddrRange
Kernel-Data:FFE85164                     SysCall_0x3D00_MapMemory
Kernel-Data:FFE85168                     SysCall_0x3E00_UnmapMemory
Kernel-Data:FFE8516C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFE85170                     SysCall_0x4000_LogArgs
Kernel-Data:FFE85174                     SysCall_0x4100_LogFunc
Kernel-Data:FFE85178                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFE8517C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFE85180                     SysCall_0x4400_Unknown
Kernel-Data:FFE85184                     SysCall_0x4500_Unknown
Kernel-Data:FFE85188                     SysCall_0x4600_Unknown
Kernel-Data:FFE8518C                     SysCall_0x4700_Driver_CopyFromSaveArea
Kernel-Data:FFE85190                     SysCall_0x4800_Driver_CopyToSaveArea
Kernel-Data:FFE85194                     SysCall_0x4900_SavesDone_ReadyToRelease
Kernel-Data:FFE85198                     SysCall_0x4A00_SetAlarm
Kernel-Data:FFE8519C                     SysCall_0x4B00_SetDABR
Kernel-Data:FFE851A0                     SysCall_0x4C00_SetIABR
Kernel-Data:FFE851A4                     SysCall_0x4D00_GetProcessInfo
Kernel-Data:FFE851A8                     SysCall_0x4E00_GetCodegenVirtAddrRange
Kernel-Data:FFE851AC                     SysCall_0x4F00_LoaderCall
Kernel-Data:FFE851D4                     SysCall_0x5900_GetSharedArea
Kernel-Data:FFE851D8                     SysCall_0x5A00_SendPolicy
Kernel-Data:FFE851E4                     SysCall_0x5D00_BlockLogSave
Kernel-Data:FFE851F4                     SysCall_0x6100_QuerySwitchReady
Kernel-Data:FFE851F8                     SysCall_0x6200_Unknown
Kernel-Data:FFE851FC                     SysCall_0x6300_Unknown
Kernel-Data:FFE85204                     SysCall_0x6500_blr
Kernel-Data:FFE8520C                     SysCall_0x6700_RequestFastExit
Kernel-Data:FFE85210                     SysCall_0x6800_CoreInitDone
Kernel-Data:FFE85214                     SysCall_0x6900_GetSwitchTarget
Kernel-Data:FFE85218                     SysCall_0x6A00_AcquireDone
Kernel-Data:FFE8521C                     SysCall_0x6B00_GetBuiltSDKVersion
Kernel-Data:FFE85220                     SysCall_0x6C00_SystemFatal
Kernel-Data:FFE85228                     SysCall_0x6E00_SwitchSecCodeGenMode
Kernel-Data:FFE8522C                     SysCall_0x6F00_IopShell_RegisterCallback
Kernel-Data:FFE85230                     SysCall_0x7000_GetTitleVersion
Kernel-Data:FFE85234                     SysCall_0x7100_IsTestKernel
Kernel-Data:FFE85238                     SysCall_0x7200_ForceFullRelaunch
Kernel-Data:FFE85240                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFE85244                     SysCall_0x7500_QueryVirtAddr
Kernel-Data:FFE85248                     SysCall_0x7600_GetCodegenCore
Kernel-Data:FFE8524C                     SysCall_0x7700_GetSecCodeGenMode
Kernel-Data:FFE85250                     SysCall_0x7800_CodegenCopy
Kernel-Data:FFE85258                     SysCall_0x7A00_SetExceptionCallback
Kernel-Data:FFE8525C                     SysCall_0x7B00_IopShell_InjectCommand
Kernel-Data:FFE85260                     SysCall_0x7C00_Kill
Kernel-Data:FFE85264                     SysCall_0x7D00_EnableOverlayArena
Kernel-Data:FFE85268                     SysCall_0x7E00_DisableOverlayArena
Kernel-Data:FFE8526C                     SysCall_0x7F00_GetSystemMode
Kernel-Data:FFE85270                     SysCall_0x8000_SystemMode_RegisterCallback
Kernel-Data:FFE85278                     SysCall_0x8200_HandleIopPowerEvents
Kernel-Data:FFE8527C                     SysCall_0x8300_ConsoleTimestamp


Kernel-Data:FFE85470 syscall_loader:     SysCall_0x0000_ConsoleWrite_SP                              
Kernel-Data:FFE85474                     SysCall_0x0100_AppPanic
Kernel-Data:FFE85484                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFE854CC                     SysCall_0x1700_FindClosestSymbol_SP
Kernel-Data:FFE854E8                     SysCall_Special_IPCKDriver_SubmitRequest_SP
Kernel-Data:FFE854EC                     SysCall_Special_IPCKDriver_SubmitRequest_SP
Kernel-Data:FFE854F0                     SysCall_0x2000_IPCKDriver_SubmitRequest_SP
Kernel-Data:FFE8556C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFE85570                     SysCall_0x4000_LogArgs
Kernel-Data:FFE85574                     SysCall_0x4100_LogFunc
Kernel-Data:FFE85578                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFE8557C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFE855B0                     SysCall_0x5000_RPLLoaderResumeContext
Kernel-Data:FFE855B8                     SysCall_0x5200_WaitIopComplete
Kernel-Data:FFE855BC                     SysCall_0x5300_FlushCode
Kernel-Data:FFE855C0                     SysCall_0x5400_FlushData
Kernel-Data:FFE855C4                     SysCall_0x5500_UpdateHeartbeat
Kernel-Data:FFE855C8                     SysCall_0x5600_LogEntry
Kernel-Data:FFE855CC                     SysCall_0x5700_FastClearMemory
Kernel-Data:FFE855D0                     SysCall_0x5800_GetBusClockSpeed
Kernel-Data:FFE855DC                     SysCall_0x5B00_GetProcessIndex
Kernel-Data:FFE855E0                     SysCall_0x5C00_IPCKDriver_PollLoaderCompletion
Kernel-Data:FFE855E8                     SysCall_0x5E00_FinishInitandPreload
Kernel-Data:FFE855EC                     SysCall_0x5F00_ContinueStartProcess
Kernel-Data:FFE855F0                     SysCall_0x6000_OpenMCP
Kernel-Data:FFE85608                     SysCall_0x6600_ProfileEntry_blr
Kernel-Data:FFE85640                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFE8567C                     SysCall_0x8300_ConsoleTimestamp
Kernel-Data:FFE85680                     SysCall_0x8400_ValidateOverlayRange


Kernel-Data:FFEAAE60 SysCall_Unknown:    SysCall_0x0000_ConsoleWrite
Kernel-Data:FFEAAE64                     SysCall_0x0100_AppPanic
Kernel-Data:FFEAAE68                     SysCall_0x0200_EffectiveToPhysical
Kernel-Data:FFEAAE6C                     SysCall_0x0300_PhysicalToEffectiveCached
Kernel-Data:FFEAAE70                     SysCall_0x0400_PhysicalToEffectiveUncached
Kernel-Data:FFEAAE74                     SysCall_0x0500_ValidateAddrRange
Kernel-Data:FFEAAE78                     SysCall_0x0600_UpdateCoreTime
Kernel-Data:FFEAAE80                     SysCall_0x0800_SetUserModeExHandler
Kernel-Data:FFEAAE8C                     SysCall_0x0B00_AllocateTimer
Kernel-Data:FFEAAE90                     SysCall_0x0C00_FreeTimer
Kernel-Data:FFEAAE94                     SysCall_0x0D00_PrimeTimer
Kernel-Data:FFEAAE98                     SysCall_0x0E00_StopTimer
Kernel-Data:FFEAAE9C                     SysCall_0x0F00_DumpModuleList
Kernel-Data:FFEAAEA0                     SysCall_0x1000_SetInterruptHandler
Kernel-Data:FFEAAEA4                     SysCall_0x1100_GetInterruptHandler
Kernel-Data:FFEAAEA8                     SysCall_0x1200_DisableInterrupt
Kernel-Data:FFEAAEAC                     SysCall_0x1300_EnableInterrupt
Kernel-Data:FFEAAEB0                     SysCall_0x1400_ClearAndEnableInterrupt
Kernel-Data:FFEAAEB4                     SysCall_0x1500_GetInterruptStatus
Kernel-Data:FFEAAEB8                     SysCall_0x1600_ClearInterruptStatus
Kernel-Data:FFEAAEBC                     SysCall_0x1700_FindClosestSymbol
Kernel-Data:FFEAAEC4                     SysCall_0x1900_Exit_Halt
Kernel-Data:FFEAAEC8                     SysCall_0x1A00_GetInfo
Kernel-Data:FFEAAECC                     SysCall_0x1B00_SetInfo
Kernel-Data:FFEAAED0                     SysCall_0x1C00_ThreadInit
Kernel-Data:FFEAAED4                     SysCall_0x1D00_SendICI
Kernel-Data:FFEAAED8                     SysCall_0x1E00_IPCKDriver_Loader_User_Open
Kernel-Data:FFEAAEDC                     SysCall_0x1F00_IPCKDriver_Loader_User_Close
Kernel-Data:FFEAAEE0                     SysCall_0x2000_IPCKDriver_SubmitRequest
Kernel-Data:FFEAAEE8                     SysCall_0x2200_GetEnvironmentVariable
Kernel-Data:FFEAAEFC                     SysCall_0x2700_GetNotifyTarget
Kernel-Data:FFEAAF00                     SysCall_0x2800_ProcCtrl
Kernel-Data:FFEAAF04                     SysCall_0x2900_GetForegroundBucket
Kernel-Data:FFEAAF08                     SysCall_0x2A00_RequestSwitch
Kernel-Data:FFEAAF0C                     SysCall_0x2B00_PrepareTitle
Kernel-Data:FFEAAF10                     SysCall_0x2C00_ProcYield
Kernel-Data:FFEAAF18                     SysCall_0x2E00_GetSystemMessage
Kernel-Data:FFEAAF1C                     SysCall_0x2F00_GetCallArgs
Kernel-Data:FFEAAF20                     SysCall_0x3000_GetAbsoluteSystemTimeInternal
Kernel-Data:FFEAAF24                     SysCall_0x3100_SetAbsoluteSystemTimeInternal
Kernel-Data:FFEAAF28                     SysCall_0x3200_Driver_Register
Kernel-Data:FFEAAF2C                     SysCall_0x3300_Driver_Deregister
Kernel-Data:FFEAAF40                     SysCall_0x3800_AllocVirtAddr
Kernel-Data:FFEAAF44                     SysCall_0x3900_FreeVirtAddr
Kernel-Data:FFEAAF48                     SysCall_0x3A00_GetMapVirtAddrRange
Kernel-Data:FFEAAF4C                     SysCall_0x3B00_GetDataPhysAddrRange
Kernel-Data:FFEAAF50                     SysCall_0x3C00_GetAvailPhysAddrRange
Kernel-Data:FFEAAF54                     SysCall_0x3D00_MapMemory
Kernel-Data:FFEAAF58                     SysCall_0x3E00_UnmapMemory
Kernel-Data:FFEAAF5C                     SysCall_0x3F00_LogBuffer
Kernel-Data:FFEAAF60                     SysCall_0x4000_LogArgs
Kernel-Data:FFEAAF64                     SysCall_0x4100_LogFunc
Kernel-Data:FFEAAF68                     SysCall_0x4200_LogReportKernel
Kernel-Data:FFEAAF6C                     SysCall_0x4300_LogRetrieve
Kernel-Data:FFEAAF70                     SysCall_0x4400_Unknown
Kernel-Data:FFEAAF74                     SysCall_0x4500_Unknown
Kernel-Data:FFEAAF78                     SysCall_0x4600_Unknown
Kernel-Data:FFEAAF7C                     SysCall_0x4700_Driver_CopyFromSaveArea
Kernel-Data:FFEAAF80                     SysCall_0x4800_Driver_CopyToSaveArea
Kernel-Data:FFEAAF84                     SysCall_0x4900_SavesDone_ReadyToRelease
Kernel-Data:FFEAAF88                     SysCall_0x4A00_SetAlarm
Kernel-Data:FFEAAF8C                     SysCall_0x4B00_SetDABR
Kernel-Data:FFEAAF90                     SysCall_0x4C00_SetIABR
Kernel-Data:FFEAAF94                     SysCall_0x4D00_GetProcessInfo
Kernel-Data:FFEAAF98                     SysCall_0x4E00_GetCodegenVirtAddrRange
Kernel-Data:FFEAAF9C                     SysCall_0x4F00_LoaderCall
Kernel-Data:FFEAAFC4                     SysCall_0x5900_GetSharedArea
Kernel-Data:FFEAAFC8                     SysCall_0x5A00_SendPolicy
Kernel-Data:FFEAAFD4                     SysCall_0x5D00_BlockLogSave
Kernel-Data:FFEAAFE4                     SysCall_0x6100_QuerySwitchReady
Kernel-Data:FFEAAFE8                     SysCall_0x6200_Unknown
Kernel-Data:FFEAAFEC                     SysCall_0x6300_Unknown
Kernel-Data:FFEAAFF4                     SysCall_0x6500_blr
Kernel-Data:FFEAAFFC                     SysCall_0x6700_RequestFastExit
Kernel-Data:FFEAB000                     SysCall_0x6800_CoreInitDone
Kernel-Data:FFEAB004                     SysCall_0x6900_GetSwitchTarget
Kernel-Data:FFEAB008                     SysCall_0x6A00_AcquireDone
Kernel-Data:FFEAB00C                     SysCall_0x6B00_GetBuiltSDKVersion
Kernel-Data:FFEAB010                     SysCall_0x6C00_SystemFatal
Kernel-Data:FFEAB018                     SysCall_0x6E00_SwitchSecCodeGenMode
Kernel-Data:FFEAB01C                     SysCall_0x6F00_IopShell_RegisterCallback
Kernel-Data:FFEAB020                     SysCall_0x7000_GetTitleVersion
Kernel-Data:FFEAB024                     SysCall_0x7100_IsTestKernel
Kernel-Data:FFEAB028                     SysCall_0x7200_ForceFullRelaunch
Kernel-Data:FFEAB030                     SysCall_0x7400_get_mode_flags
Kernel-Data:FFEAB034                     SysCall_0x7500_QueryVirtAddr
Kernel-Data:FFEAB038                     SysCall_0x7600_GetCodegenCore
Kernel-Data:FFEAB03C                     SysCall_0x7700_GetSecCodeGenMode
Kernel-Data:FFEAB040                     SysCall_0x7800_CodegenCopy
Kernel-Data:FFEAB048                     SysCall_0x7A00_SetExceptionCallback
Kernel-Data:FFEAB04C                     SysCall_0x7B00_IopShell_InjectCommand
Kernel-Data:FFEAB050                     SysCall_0x7C00_Kill
Kernel-Data:FFEAB054                     SysCall_0x7D00_EnableOverlayArena
Kernel-Data:FFEAB058                     SysCall_0x7E00_DisableOverlayArena
Kernel-Data:FFEAB05C                     SysCall_0x7F00_GetSystemMode
Kernel-Data:FFEAB060                     SysCall_0x8000_SystemMode_RegisterCallback
Kernel-Data:FFEAB068                     SysCall_0x8200_HandleIopPowerEvents
Kernel-Data:FFEAB06C                     SysCall_0x8300_ConsoleTimestamp
Yeah, no idea why that is. I meant to note the Open_Close reused syscall on the wiki page, oops; I just marked them (sp) for special.
 

NWPlayer123 (OP)
Thanks but I am only beginner in this can you be more specific ?
It's not as simple as just explaining it to you; there are a number of different ways to achieve our goal, which is to write memory to the syscall table so we can add kern_read and kern_write. Once that happens we have free rein. kern_read and kern_write are actually the last 3 instructions of Read/WriteRegister32Ex, which on 5.5.0 is 0xFFF023D4 and 0xFFF023F4, but of course we can't just jump there: fastcalls are multiplied by 0x20, and that minus 0xFFF021A0 isn't divisible by 0x20.
 

Sammi Husky
Thanks but I am only beginner in this can you be more specific ?

You need to find a programming oversight or bug that will let you use the function in a way it wasn't intended to be used, or at a time it wasn't intended to be used, in an exploitable fashion. It takes programming know-how and ingenuity. It's kinda like trying to find a loophole in a contract in that sense: you gotta look for the little quirks that allow you to do something unintended. For it to be worth it, it needs to also be something that lets you write to memory, or something that helps contribute to that goal along the way somehow.
 

Datalogger
It's not as simple as just explaining it to you; there are a number of different ways to achieve our goal, which is to write memory to the syscall table so we can add kern_read and kern_write. Once that happens we have free rein. kern_read and kern_write are actually the last 3 instructions of Read/WriteRegister32Ex, which on 5.5.0 is 0xFFF023D4 and 0xFFF023F4, but of course we can't just jump there: fastcalls are multiplied by 0x20, and that minus 0xFFF021A0 isn't divisible by 0x20.

So from what I'm getting here, the first 0x20 FastCall landing zones would be like below.
Has anyone tried going past 0x19?

I know the next 6 would just hit App_Panic, but the question would be:
Does it have a max limit set to 0x19 it checks against?


Code:
Address----------------Jmp#------------Distance--------------Landing Zone

FFF021A0----------------00----------------0----------------- Jump_to_SysCall_Table
FFF021C0----------------01----------------20---------------- LoadContext
FFF021E0----------------02----------------40---------------- Call SysCall_App_Panic
FFF02200----------------03----------------60---------------- Call SysCall_App_Panic
FFF02220----------------04----------------80---------------- Call SysCall_App_Panic
FFF02240----------------05----------------A0---------------- Call SysCall_App_Panic
FFF02260----------------06----------------C0---------------- LoadContext
FFF02280----------------07----------------E0---------------- SaveContext
FFF022A0----------------08----------------100--------------- SetCurrentContext
FFF022C0----------------09----------------120--------------- GetCurrentFPUContext
FFF022E0----------------0A----------------140--------------- SetCurrentFPUContext
FFF02300----------------0B----------------160--------------- CompareAndSwapCurrentFPUContext
FFF02320----------------0C----------------180--------------- WriteGatherInit
FFF02340----------------0D----------------1A0--------------- SetPerformanceMonitor
FFF02360----------------0E----------------1C0--------------- FlushDMAQueue
FFF02380----------------0F----------------1E0--------------- rfi
FFF023A0----------------10----------------200--------------- DisableFPU (maybe)
FFF023C0----------------11----------------220--------------- ReadRegister32Ex (Target Zone -0x14)
FFF023E0----------------12----------------240--------------- WriteRegister32Ex(Target Zone -0x14 )
FFF02400----------------13----------------260--------------- Unknown
FFF02420----------------14----------------280--------------- Unknown
FFF02440----------------15----------------2A0--------------- Unknown
FFF02460----------------16----------------2C0--------------- Unknown
FFF02480----------------17----------------2E0--------------- WriteGatherGetPtr
FFF024A0----------------18----------------300--------------- EnableFPU (maybe)
FFF024C0----------------19----------------320--------------- GetSecurityLevel
FFF024E0----------------1A----------------340--------------- Call SysCall_App_Panic
FFF02500----------------1B----------------360--------------- Call SysCall_App_Panic
FFF02520----------------1C----------------380--------------- Call SysCall_App_Panic
FFF02540----------------1D----------------3A0--------------- Call SysCall_App_Panic
FFF02560----------------1E----------------3C0--------------- Call SysCall_App_Panic
FFF02580----------------1F----------------3E0--------------- Call SysCall_App_Panic
FFF025A0----------------20----------------400--------------- sub_FFF025A0  <------ Out of reach!





NWPlayer123 (OP)


So from what I'm getting here, the first 0x20 FastCall landing zones would be like below.
Has anyone tried going past 0x19?

I know the next 7 would just hit App_Panic, but the question would be:
Does it have a max limit set to 0x19 it checks against?
Code:
Address----------------Jmp#------------Distance--------------Landing Zone

FFF021A0----------------00----------------0----------------- Jump_to_SysCall_Table
FFF021C0----------------01----------------20---------------- LoadContext
FFF021E0----------------02----------------40---------------- Call SysCall_App_Panic
FFF02200----------------03----------------60---------------- Call SysCall_App_Panic
FFF02220----------------04----------------80---------------- Call SysCall_App_Panic
FFF02240----------------05----------------A0---------------- Call SysCall_App_Panic
FFF02260----------------06----------------C0---------------- LoadContext
FFF02280----------------07----------------E0---------------- SaveContext
FFF022A0----------------08----------------100--------------- SetCurrentContext
FFF022C0----------------09----------------120--------------- GetCurrentFPUContext
FFF022E0----------------0A----------------140--------------- SetCurrentFPUContext
FFF02300----------------0B----------------160--------------- CompareAndSwapCurrentFPUContext
FFF02320----------------0C----------------180--------------- WriteGatherInit
FFF02340----------------0D----------------1A0--------------- SetPerformanceMonitor
FFF02360----------------0E----------------1C0--------------- FlushDMAQueue
FFF02380----------------0F----------------1E0--------------- rfi
FFF023A0----------------10----------------200--------------- DisableFPU (maybe)
FFF023C0----------------11----------------220--------------- ReadRegister32Ex (Target Zone -0x14)
FFF023E0----------------12----------------240--------------- WriteRegister32Ex(Target Zone -0x14 )
FFF02400----------------13----------------260--------------- Unknown
FFF02420----------------14----------------280--------------- Unknown
FFF02440----------------15----------------2A0--------------- Unknown
FFF02460----------------16----------------2C0--------------- Unknown
FFF02480----------------17----------------2E0--------------- WriteGatherGetPtr
FFF024A0----------------18----------------300--------------- EnableFPU (maybe)
FFF024C0----------------19----------------320--------------- GetSecurityLevel
FFF024E0----------------1A----------------340--------------- Call SysCall_App_Panic
FFF02500----------------1B----------------360--------------- Call SysCall_App_Panic
FFF02520----------------1C----------------380--------------- Call SysCall_App_Panic
FFF02540----------------1D----------------3A0--------------- Call SysCall_App_Panic
FFF02560----------------1E----------------3C0--------------- Call SysCall_App_Panic
FFF02580----------------1F----------------3E0--------------- Call SysCall_App_Panic
FFF025A0----------------20----------------400--------------- sub_FFF025A0
It uses 0xFFF00C00, which sets r12 = 0xFFF00000 (-0x10 on top nybble), sets msr through r11 to 0x1070 (go look at the PPC750CL manual on F0F's website if you care), then it has an insrwi (insert right word immediate), which does (r0 << 5) & 0x3E0 and inserts it into those 5 bits of r12, and then adds the 0x21A0. So theoretically you could have anything from 0 (0xFFF021A0, which is the table dispatcher) to 0x3E0 >> 5, which is 31 (which would be 0xFFF02580).
 

Datalogger
OK, thanks.

If I understand it correctly, insrwi r12, r0, 5, 22 is:
R12 = R0 Shift Left 5 & Mask with (32-(5+22)) = 5 bits Left of ((5+22)-1) = bit26 = 00000000000000000000001111100000 = 0x3E0
(PPC is a bit different than ARM/Thumb, but I think I can figure most of it out)


That makes 0x1F × 0x20 the max call distance from base, 0xFFF021A0
That makes sense since that maps to the last syscall_App_Panic.
I only wish it was as easy as re-routing one of those useless App_Panics to jump for/back to where we want, but we can't mod here (yet).

Q: Has someone already started mapping all of the Strings to their instructions for 0xFFE84450 to 0xFFE84604 / (0xFFE84688 to 0xFFE84754) and/or 0xFFEB9840 to 0xFFEBE485?

I'm thinking they must be using a similar strategy to point to their locations, but thought I'd ask before researching it.
 
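To make the dispatch arithmetic in NWPlayer123's post and Datalogger's insrwi breakdown concrete, here is an added C model of it. This is my own example, not code from the thread, the wiki or the kernel: the 0xFFF00000 base, the insrwi r12, r0, 5, 22 operands and the +0x21A0 come from the posts above, while the function names and the constructed main() are mine. It implements the general PowerPC rlwimi/insrwi semantics (of which the thread's 5-bit case is one instance), rebuilds the Address and Distance columns of the landing-zone table from them, and shows that, under the arithmetic as described, a call number of 0x20 or above wraps back into the same 32 slots because only five bits are ever inserted.

```c
/* Added example: model of the fastcall dispatch arithmetic described in the
   thread. Constants are from the posts; function names are the author's own. */
#include <stdint.h>
#include <stdio.h>

#define FASTCALL_BASE   0xFFF021A0u   /* slot 0: jump to the syscall table */
#define FASTCALL_STRIDE 0x20u         /* landing zones are 0x20 bytes apart */

/* Rotate a 32-bit value left by sh (sh taken mod 32, so sh == 0 is safe). */
static uint32_t rotl32(uint32_t v, unsigned sh) {
    sh &= 31;
    return sh ? (v << sh) | (v >> (32 - sh)) : v;
}

/* PowerPC MASK(MB, ME) with IBM bit numbering (bit 0 = most significant).
   Only the non-wrapping case MB <= ME is needed here. */
static uint32_t ppc_mask(unsigned mb, unsigned me) {
    return (0xFFFFFFFFu >> mb) & (0xFFFFFFFFu << (31 - me));
}

/* rlwimi rA,rS,SH,MB,ME: rotate rS left by SH and insert the bits selected by
   MASK(MB,ME) into rA, leaving rA's other bits untouched. */
static uint32_t rlwimi(uint32_t ra, uint32_t rs, unsigned sh, unsigned mb, unsigned me) {
    uint32_t m = ppc_mask(mb, me);
    return (rotl32(rs, sh) & m) | (ra & ~m);
}

/* insrwi rA,rS,n,b is the assembler mnemonic for rlwimi rA,rS,32-(b+n),b,b+n-1. */
static uint32_t insrwi(uint32_t ra, uint32_t rs, unsigned n, unsigned b) {
    return rlwimi(ra, rs, 32 - (b + n), b, b + n - 1);
}

/* Address the dispatcher lands on for fastcall number r0, following the
   post: r12 = 0xFFF00000; insrwi r12, r0, 5, 22; r12 += 0x21A0. */
uint32_t fastcall_landing_addr(uint32_t r0) {
    uint32_t r12 = 0xFFF00000u;
    r12 = insrwi(r12, r0, 5, 22);   /* keeps only (r0 << 5) & 0x3E0 */
    return r12 + 0x21A0u;
}

/* Inverse check: which fastcall number, if any, lands exactly on target?
   Returns -1 when target is not one of the 32 stride-aligned landing zones,
   which is the "not divisible by 0x20" situation the thread describes. */
int fastcall_number_for(uint32_t target) {
    uint32_t off = target - FASTCALL_BASE;   /* wraps huge if target < base */
    if (off >= 32u * FASTCALL_STRIDE || (off % FASTCALL_STRIDE) != 0)
        return -1;
    return (int)(off / FASTCALL_STRIDE);
}

int main(void) {
    /* Rebuilds the Address / Jmp# / Distance columns of the table above;
       the final row (0x20) demonstrates the wrap back to slot 0. */
    for (uint32_t n = 0; n <= 0x20; n++) {
        uint32_t addr = fastcall_landing_addr(n);
        printf("%08X  %02X  %03X\n", addr, n, addr - FASTCALL_BASE);
    }
    return 0;
}
```

The mask for the 5-bit insert is built the same way Datalogger works it out by hand: MASK(22, 26) is 0x3E0, so only bits 22..26 of r12 are replaced and the rest of 0xFFF00000 survives.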

NWPlayer123 (OP)
Q: Has someone already started mapping all of the Strings to their instructions for 0xFFE84450 to 0xFFE84604 / (0xFFE84688 to 0xFFE84754) and/or 0xFFEB9840 to 0xFFEBE485?
I'm thinking they must be using a similar strategy to point to their locations, but thought I'd ask before researching it.
First one, yes, MN1's already documented it all on the wiki, that first set is just the exception vectors in the table I mentioned at FFE84438, with ints_masks, dsp_irqs, ipc_irqs, the full tables are right below those strings
The second set, not yet, I dunno where to start if it didn't already get loaded when I first disassembled code :\


Also, lmao, I just realized the PPC750CL manual on F0F's site has all the 0xFFF functions documented in section 4.5, with syscall still going to MSR+0xC00 (0xFFF00C00)
 

Datalogger
First one, yes, MN1's already documented it all on the wiki, that first set is just the exception vectors in the table I mentioned at FFE84438, with ints_masks, dsp_irqs, ipc_irqs, the full tables are right below those strings
The second set, not yet, I dunno where to start if it didn't already get loaded when I first disassembled code :\


Also, lmao, I just realized the PPC750CL manual on F0F's site has all the 0xFFF functions documented in section 4.5, with syscall still going to MSR+0xC00 (0xFFF00C00)

OK, I'll look into how they map the text in the 2nd set.
It's apparently obfuscated, but looking for places that load "-0x15" would logically be a starting place.
The "Key" to the 2nd text strings is 0xFFEC13E0 (TOC)

Using this "Key", I confirmed these are correct:
Code:
Kernel-Data:FFE847EC                       .long Coretrace
Kernel-Data:FFE847F0                       .long Kpanic
Kernel-Data:FFE847F4                       .long Crashdump
Kernel-Data:FFE847F8                       .long Memdump
Kernel-Data:FFE847FC                       .long Intstats
Kernel-Data:FFE84800                       .long Debug
Kernel-Data:FFE84804                       .long Kill_and_Kill_Restart
Kernel-Data:FFE84808                       .long Kill_and_Kill_Restart


And a small sample of text:
Code:
Kernel:FFF04C94                       lwz       r12, 8(r26)
Kernel:FFF04C98                       addi      r3, r2, -0x6A19                                               # "\n Interrupt Configuration:\n"
Kernel:FFF04C9C                       mr        r20, r4
Kernel:FFF04CA0                       divwu     r24, r12, r11
Kernel:FFF04CA4                       crclr     4*cr1+eq
Kernel:FFF04CA8                       bl        sub_FFF0AD0C
Kernel:FFF04CAC                       lwz       r4, 0x5A8(r25)
Kernel:FFF04CB0                       addi      r3, r2, -0x6BFD                                               # "\tvalidVectors                         = %d\n"
Kernel:FFF04CB4                       crclr     4*cr1+eq
Kernel:FFF04CB8                       bl        sub_FFF0AD0C
Kernel:FFF04CBC                       lwz       r4, 0x5AC(r25)
Kernel:FFF04CC0                       addi      r3, r2, -0x6BD1                                               # "\tinvalidVectors                       = %d\n"
Kernel:FFF04CC4                       crclr     4*cr1+eq
Kernel:FFF04CC8                       bl        sub_FFF0AD0C
Kernel:FFF04CCC                       addi      r3, r2, -0x69FE                                               # "Interrupt Timing:\n"
Kernel:FFF04CD0                       crclr     4*cr1+eq
Kernel:FFF04CD4                       bl        sub_FFF0AD0C
Kernel:FFF04CD8                       bl        sub_FFF04E78
Kernel:FFF04CDC                       addi      r3, r2, -0x6C8D                                               # "\tlastFetchedSystemTime                = 0x%llX\n"
Kernel:FFF04CE0                       bl        fprint_2
Kernel:FFF04CE4                       mr        r4, r21
Kernel:FFF04CE8                       addi      r3, r2, -0x6C5D                                               # "\tDelta SystemTime, Elapsed Ticks      = 0x%08X\n"
Kernel:FFF04CEC                       bl        fprint_2
Kernel:FFF04CF0                       mr        r4, r20
Kernel:FFF04CF4                       addi      r3, r2, -0x6C2D                                               # "\tDelta SystemTime, Elapsed usec       = 0x%08X\n"
Kernel:FFF04CF8                       bl        fprint_2
Kernel:FFF04CFC                       mr        r4, r22
Kernel:FFF04D00                       addi      r3, r2, -0x6BA5                                               # "\tPI  Interrupts / Sec                 = %d\n"
Kernel:FFF04D04                       bl        fprint_2
Kernel:FFF04D08                       mr        r4, r23
Kernel:FFF04D0C                       addi      r3, r2, -0x6B79                                               # "\tAHB Interrupts / Sec                 = %d\n"
Kernel:FFF04D10                       bl        fprint_2
Kernel:FFF04D14                       mr        r4, r24
Kernel:FFF04D18                       addi      r3, r2, -0x6B4D                                               # "\tDSP Interrupts / Sec                 = %d\n"
Kernel:FFF04D1C                       bl        fprint_2
Kernel:FFF04D20                       addi      r3, r2, -0x69EB                                               # "Interrupt Statistics:\n"
Kernel:FFF04D24                       bl        fprint_2
Kernel:FFF04D28                       lwz       r4, 0(r26)
Kernel:FFF04D2C                       addi      r3, r2, -0x6B21                                               # "\tpiInterrupts                         = %d\n"
Kernel:FFF04D30                       bl        fprint_2
Kernel:FFF04D34                       lwz       r4, 4(r26)
Kernel:FFF04D38                       addi      r3, r2, -0x6AF5                                               # "\tahbInterrupts                        = %d\n"
Kernel:FFF04D3C                       bl        fprint_2
Kernel:FFF04D40                       lwz       r4, 8(r26)
Kernel:FFF04D44                       addi      r3, r2, -0x6AC9                                               # "\tdspInterrupts                        = %d\n"
Kernel:FFF04D48                       bl        fprint_2
Kernel:FFF04D4C                       lwz       r4, 0x5B0(r25)
Kernel:FFF04D50                       addi      r3, r2, -0x6A9D                                               # "\tpiSpuriousInterrupts                 = %d\n"
Kernel:FFF04D54                       bl        fprint_2
Kernel:FFF04D58                       lwz       r4, 0xC(r26)
Kernel:FFF04D5C                       addi      r3, r2, -0x6A71                                               # "\tuserModeDispatchedInterrupts         = %d\n"
Kernel:FFF04D60                       bl        fprint_2
Kernel:FFF04D64                       lwz       r4, 0x14(r26)
Kernel:FFF04D68                       addi      r3, r2, -0x6A45                                               # "\tkernelModeDispatchedInterrupts       = %d\n"
Kernel:FFF04D6C                       bl        fprint_2
Kernel:FFF04D70                       addi      r3, r2, -0x69D4                                               # "Non-zero Interrupt Vector Counts:\n"




Seems odd that there are calls in coreinit that branch to unreachable Fast/Sys calls.
(done)

In 5.5.x:
0x02005F00 SysCall -0x7B00 (0x8500)
0x02005F0C FastCall 0x1A
Last edited by Datalogger,
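Added example, not code from this thread and not anything recovered from a Nintendo binary: a small Python helper for two things the listing and the syscall note above both hinge on. First, every `addi r3, r2, -0x....` before a `bl` is a TOC-relative string reference, so the effective address is r2 plus a sign-extended 16-bit immediate; the value of r2 is never given in the thread, so `R2_ASSUMED` below is a hypothetical placeholder to be replaced with the real one from the IDB. Second, the "-0x7B00 (0x8500)" pair is the same 16-bit field read signed and unsigned, and `simm16`/`uimm16` convert between the two. The `LISTING` excerpt is constructed from the lines above in IDA's layout; the `STUB` is a constructed `li r0, N; sc` sequence that assumes the conventional PowerPC syscall shape, since the thread only gives the number.

```python
import re
from typing import Dict, List, Tuple

# ASSUMPTION: the thread never states the value of r2 (the TOC / small-data
# base the kernel uses for "addi r3, r2, -0x...." string references).  This
# placeholder is hypothetical; take the real value from your IDA database.
R2_ASSUMED = 0x10000000

# Constructed excerpt in the same IDA layout as the listing above.
LISTING = r"""
Kernel:FFF04CB0                       addi      r3, r2, -0x6BFD   # "\tvalidVectors = %d\n"
Kernel:FFF04CB4                       crclr     4*cr1+eq
Kernel:FFF04CB8                       bl        sub_FFF0AD0C
Kernel:FFF04CBC                       lwz       r4, 0x5AC(r25)
Kernel:FFF04CC0                       addi      r3, r2, -0x6BD1   # "\tinvalidVectors = %d\n"
Kernel:FFF04CC4                       crclr     4*cr1+eq
Kernel:FFF04CC8                       bl        sub_FFF0AD0C
Kernel:FFF04CDC                       addi      r3, r2, -0x6C8D   # "\tlastFetchedSystemTime = 0x%llX\n"
Kernel:FFF04CE0                       bl        fprint_2
"""

# Constructed syscall stub.  ASSUMPTION: the "li r0, N; sc" shape is the
# conventional PowerPC syscall sequence; the thread only gives the number.
STUB = r"""
coreinit:02005F00                     li        r0, -0x7B00
coreinit:02005F04                     sc
coreinit:02005F08                     blr
"""

# One IDA-style line: "<segment>:<8 hex digits>  <mnemonic>  <operands>  # comment"
LINE_RE = re.compile(
    r'^\s*\w+:([0-9A-Fa-f]{8})\s+([A-Za-z][\w.+]*)\s*(.*?)\s*(?:#.*)?$')


def simm16(field: int) -> int:
    """Sign-extend a 16-bit immediate the way addi/li do (0x8500 -> -0x7B00)."""
    field &= 0xFFFF
    return field - 0x10000 if field & 0x8000 else field


def uimm16(value: int) -> int:
    """The 16-bit field that encodes a signed immediate (-0x7B00 -> 0x8500)."""
    if not -0x8000 <= value <= 0x7FFF:
        raise ValueError("immediate does not fit in 16 bits: %#x" % value)
    return value & 0xFFFF


def parse_listing(listing: str):
    """Yield (address, mnemonic, [operands]) for each instruction line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, label, or other non-code output
        ops = [op.strip() for op in m.group(3).split(',')] if m.group(3) else []
        yield int(m.group(1), 16), m.group(2), ops


def resolve_toc_strings(listing: str, r2: int) -> List[Tuple[int, str, int, str]]:
    """Compute r2+imm for every `addi rN, r2, imm` still live at the next `bl`,
    returning (addi address, register, effective address, callee)."""
    pending: Dict[str, Tuple[int, int]] = {}
    resolved = []
    for addr, mnem, ops in parse_listing(listing):
        if mnem == 'addi' and len(ops) == 3 and ops[1] == 'r2':
            # simm16 also normalises a listing that shows the raw field (0x9403)
            ea = (r2 + simm16(int(ops[2], 0))) & 0xFFFFFFFF
            pending[ops[0]] = (addr, ea)
        elif mnem == 'bl' and ops:
            for reg, (insn_addr, ea) in pending.items():
                resolved.append((insn_addr, reg, ea, ops[0]))
            pending.clear()
    return resolved


def decode_syscall_stubs(listing: str) -> List[Tuple[int, int, int]]:
    """Find `li r0, N` immediately followed by `sc`; return
    (address of the li, signed N, the 16-bit field IDA may also show)."""
    found = []
    last_li = None
    for addr, mnem, ops in parse_listing(listing):
        if mnem == 'li' and len(ops) == 2 and ops[0] == 'r0':
            last_li = (addr, simm16(int(ops[1], 0)))
        elif mnem == 'sc' and last_li is not None:
            found.append((last_li[0], last_li[1], uimm16(last_li[1])))
            last_li = None
        else:
            last_li = None  # anything in between breaks the li/sc pair
    return found


if __name__ == '__main__':
    for insn_addr, reg, ea, callee in resolve_toc_strings(LISTING, R2_ASSUMED):
        print('%08X: %s = %#010x  ->  %s' % (insn_addr, reg, ea, callee))
    for addr, num, field in decode_syscall_stubs(STUB):
        print('%08X: syscall %d (li field 0x%04X)' % (addr, num, field))
```

With the placeholder r2 the three format strings above resolve to 0x0FFF9403, 0x0FFF942F and 0x0FFF9373; the offsets are all negative because the strings sit below the TOC base, which is why IDA prints them as `-0x6BFD` rather than the raw field 0x9403. The same sign rule turns the 0x8500 in the syscall stub into -0x7B00.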
