5,579
edits
Changes
ββTechnical Details: Better function names and formatting cleanup
Line 79:
Line 79:
MOV R12, SP+ STMFD SP!, {R4-R6,R11,R12,LR,PC}+ LDR R4, =hook_msg+ MOV R6, R0+ SUB R11, R12, #4+ LDR R0, =aRelease+ BL printf_disabled+ LDR R3, [R4]+ MOV R5, #0+ CMP R3, R5+ MOVL R1, -6+ MOV R0, R6+ BEQ loc_20300C04+ +
β STR R5, [R4]+ MOV R0, R3+ LDR R3, [R3,#0x18]+ MOV R1, R5+ STR R5, [R3]+ BL AckMessage+ MOV R0, R6+ MOV R1, R5+ BL AckMessage+ LDMFD SP, {R4-R6,R11,SP,LR}+ BX LR+ +
β BL AckMessage+ LDR R3, [R4]+ B loc_20300BD8+ // this isn't exactly right on the IOS side, but it doesn't matter here+ u32 command; // 0x00 = 6 for ioctl+ s32 result; // 0x04+ s32 fd; // 0x08+ // arguments for ioctl+ u32 ioctl_number; // 0x0c+ void *buffer_in; // 0x10+ u32 in_size; // 0x14+ void *buffer_out; // 0x18+ u32 out_size; // 0x1c+ +
β +
β struct ios_message *the_hook_msg = hook_msg;+ +
β printf_disabled("Release\n");+ if (!the_hook_msg) {+ AckMessage(imm_msg, -6);+ }+ hook_msg = NULL;+ *(u32*)the_hook_msg->buffer_out = 0;+ AckMessage(the_hook_msg, 0);+ AckMessage(imm_msg, 0);+wtf1+ MOVS R3, #3+ STR R3, [R0]+ MOVS R3, #0+ STRH R3, [R1]+ BX LR+ +
βwtf2+ MOVS R3, #1+ STR R3, [R0]+ MOVS R3, #0+ STRH R3, [R1]+ BX LR+ *a = 3;+ *b = 0;+ +
β *a = 1;+ *b = 0;+
Looking closely at the release function in STM, hereβs what I found:
Looking closely at the release function in STM, hereβs what I found:
βrelease_eventhook
+ release_eventhook
β MOV R12, SP
β STMFD SP!, {R4-R6,R11,R12,LR,PC}
β LDR R4, =hook_msg
β MOV R6, R0
β SUB R11, R12, #4
β LDR R0, =aRelease
β BL printf_disabled
β LDR R3, [R4]
β MOV R5, #0
β CMP R3, R5
β MOVL R1, -6
β MOV R0, R6
β BEQ loc_20300C04
βloc_20300BD8
+ loc_20300BD8
β STR R5, [R4]
β MOV R0, R3
β LDR R3, [R3,#0x18]
β MOV R1, R5
β STR R5, [R3]
β BL AckMessage
β MOV R0, R6
β MOV R1, R5
β BL AckMessage
β LDMFD SP, {R4-R6,R11,SP,LR}
β BX LR
βloc_20300C04
+ loc_20300C04
β BL AckMessage
β LDR R3, [R4]
β B loc_20300BD8
This translates to the following C code:
This translates to the following C code:
βstruct ios_message {
+ struct ios_message {
β // this isn't exactly right on the IOS side, but it doesn't matter here
β u32 command; // 0x00 = 6 for ioctl
β s32 result; // 0x04
β s32 fd; // 0x08
β // arguments for ioctl
β u32 ioctl_number; // 0x0c
β void *buffer_in; // 0x10
β u32 in_size; // 0x14
β void *buffer_out; // 0x18
β u32 out_size; // 0x1c
β};
+ };
βstruct ios_message *hook_msg;
+ struct ios_message *hook_msg;
βvoid release_eventhook(ios_message *imm_msg)
+ void release_eventhook(ios_message *imm_msg)
β{
+ {
β struct ios_message *the_hook_msg = hook_msg;
β printf_disabled("Release\n");
β if (!the_hook_msg) {
β AckMessage(imm_msg, -6);
β }
β hook_msg = NULL;
β *(u32*)the_hook_msg->buffer_out = 0;
β AckMessage(the_hook_msg, 0);
β AckMessage(imm_msg, 0);
β}
+ }
Nintendo forgot a return; statement right at the end of the if(!the_hook_msg) block! This means that if there is no callback registered, it will try to ack the immediate message twice (which does nothing), it will try to ack a NULL message (which the kernel catches and does nothing), but most importantly, it will dereference a NULL structure, get a pointer from it, and write 0 to the address pointed to by that pointer. In other words, that line of code becomes **(u32**)0x18 = 0;, as 0Γ18 is the offset of buffer_out inside the structure. And 0Γ18 is an address in low MEM1 that we completely control from the PowerPC. Whoops.
Nintendo forgot a return; statement right at the end of the if(!the_hook_msg) block! This means that if there is no callback registered, it will try to ack the immediate message twice (which does nothing), it will try to ack a NULL message (which the kernel catches and does nothing), but most importantly, it will dereference a NULL structure, get a pointer from it, and write 0 to the address pointed to by that pointer. In other words, that line of code becomes **(u32**)0x18 = 0;, as 0Γ18 is the offset of buffer_out inside the structure. And 0Γ18 is an address in low MEM1 that we completely control from the PowerPC. Whoops.
Line 163:
Line 163:
But wait, we need to somehow break into the kernel to disable the signature check. How can we do that? Well, it turns out that Nintendo left behind some useful IOS syscalls (within the Starlet core; different from IPC). They look like this:
But wait, we need to somehow break into the kernel to disable the signature check. How can we do that? Well, it turns out that Nintendo left behind some useful IOS syscalls (within the Starlet core; different from IPC). They look like this:
β get_kernel_flavor
β MOVS R3, #3
β STR R3, [R0]
β MOVS R3, #0
β STRH R3, [R1]
β BX LR
β get_unk_flavor
β MOVS R3, #1
β STR R3, [R0]
β MOVS R3, #0
β STRH R3, [R1]
β BX LR
Which translates to:
Which translates to:
βvoid wtf1(u32 *a, u16 *b)
+ void get_kernel_flavor(u32 *type, u16 *unknown)
β{
+ {
β *type = 3;
β *unknown = 0;
β}
+ }
βvoid wtf2(u32 *a, u16 *b)
+ void get_unk_flavor(u32 *type, u16 *unknown)
β{
+ {
β *type = 1;
β *unknown = 0;
β}
+ }
These functions appear to be used as configuration for certain global settings, such as whether IOS is monolithic or modular, so they just return constant values by dereferencing their arguments. In any case, there are no permission checks and these calls happily write to any address that you want, with full kernel permissions. We just pass along an address inside the signature check function that we want patched out, and we win.
These functions appear to be used as configuration for certain global settings, such as whether IOS is monolithic or modular, so they just return constant values by dereferencing their arguments. In any case, there are no permission checks and these calls happily write to any address that you want, with full kernel permissions. We just pass along an address inside the signature check function that we want patched out, and we win.