diff --git a/source/main.c b/source/main.c
index f8fbd92..1f01254 100644
--- a/source/main.c
+++ b/source/main.c
@@ -7,7 +7,6 @@
 #include "util.h"
 #include "libkhax/khax.h"
 #include "mch2t/mch2t.h"
-#include "patcher/patcher.h"
 #include "ui/mainmenu.h"
 #include "ui/section/action/clipboard.h"
 #include "ui/section/task/task.h"
@@ -45,8 +44,6 @@ int main(int argc, const char* argv[]) {
 }
 }
- apply_patches();
-
 aptOpenSession();
 Result setCpuTimeRes = APT_SetAppCpuTimeLimit(30);
 aptCloseSession();
diff --git a/source/mch2t/mch2t.c b/source/mch2t/mch2t.c
index 0f4a6f0..449ca81 100644
--- a/source/mch2t/mch2t.c
+++ b/source/mch2t/mch2t.c
@@ -241,6 +241,28 @@ static void allocate_work(void) {
 svcExitThread();
 }
+u32 kprocess_ptr = 0;
+u32 kprocess_pid_offset = 0;
+
+u32 old_pid = 0;
+
+s32 kernel_patch_pid_zero() {
+ u32* pidPtr = (u32*) (*(u32*) kprocess_ptr + kprocess_pid_offset);
+
+ old_pid = *pidPtr;
+ *pidPtr = 0;
+
+ return 0;
+}
+
+s32 kernel_patch_pid_reset() {
+ u32* pidPtr = (u32*) (*(u32*) kprocess_ptr + kprocess_pid_offset);
+
+ *pidPtr = old_pid;
+
+ return 0;
+}
+
 #define VTABLE_ENTRIES 64
 #define MAX_HANDLES 32
 #define DUMMY_STACK_U32S 0x80
@@ -643,10 +665,32 @@ Result mch2t(void) {
 STEP_PRINT_VA(8, "free memory before exploit: %lld", start_free);
 STEP_PRINT_VA(8, "free memory now: %lld", osGetMemRegionFree(MEMREGION_APPLICATION));
+ kprocess_ptr = 0xFFFF9004;
+
+ if(osGetKernelVersion() < 0x022C0600) {
+ kprocess_pid_offset = 0xAC;
+ } else {
+ bool n3ds = false;
+ APT_CheckNew3DS((u8*) &n3ds);
+
+ if(n3ds) {
+ kprocess_pid_offset = 0xBC;
+ } else {
+ kprocess_pid_offset = 0xB4;
+ }
+ }
+
+ if(osGetKernelVersion() > 0x022E0000) {
+ svcBackdoor(kernel_patch_pid_zero);
+ srvExit();
+ srvInit();
+ svcBackdoor(kernel_patch_pid_reset);
+ }
+
 STEP_PRINT(9, "success!");
 return 0;
- exploit_failed:
+exploit_failed:
 DEBUG_PRINT("Exploit failed irrecoverably; please long-press power and reboot");
 while (true) {
 svcSleepThread(10000000000ULL);
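Review bot: The new file-scope definitions `kprocess_ptr`, `kprocess_pid_offset`, `old_pid`, `kernel_patch_pid_zero` and `kernel_patch_pid_reset` have external linkage and empty `()` parameter lists, while the surrounding file declares its helpers `static` with `(void)` (`static void allocate_work(void)`, `Result mch2t(void)`). With patcher.c deleted in this same commit nothing else references them, so `static u32 kprocess_ptr = 0;` and `static s32 kernel_patch_pid_zero(void) {` (likewise for the other three) keep them out of the global namespace and give the svcBackdoor callback a real prototype. A short header comment on the pair would also help a later reader: they dereference `*(u32*) kprocess_ptr + kprocess_pid_offset` with no validity check, so they must only be invoked after both globals are assigned in mch2t(), and `kernel_patch_pid_reset` only restores a meaningful value once `kernel_patch_pid_zero` has saved `old_pid`.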
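Review bot: The `Result` of `APT_CheckNew3DS((u8*) &n3ds)` is dropped, so when that call fails `n3ds` keeps its `false` initializer and `kprocess_pid_offset` silently falls back to `0xB4`; the two svcBackdoor callbacks then write through `kprocess_ptr + kprocess_pid_offset` with an offset that was never confirmed, which on a mismatched model presumably hits some other field rather than failing cleanly. Since this runs after the exploit has already reported success, stopping is safer than guessing: `if(R_FAILED(APT_CheckNew3DS((u8*) &n3ds))) goto exploit_failed;`, or return the failing Result if the caller treats non-zero as failure (the caller is not visible from this hunk). The return value of `srvInit()` between the two backdoor calls is ignored in the same way. The hard-coded `0xFFFF9004` and the version-gated `0xAC`/`0xB4`/`0xBC` constants deserve a one-line comment naming what they are and which kernel versions each applies to, since the variable names are currently the only hint; mch2t() begins before this hunk.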
diff --git a/source/patcher/patcher.c b/source/patcher/patcher.c
deleted file mode 100644
index 230ba01..0000000
--- a/source/patcher/patcher.c
+++ /dev/null
@@ -1,139 +0,0 @@
-#include
-
-#include <3ds.h>
-
-#include "patcher.h"
-
-#pragma pack(1)
-typedef struct KBlockInfo {
- u32 section_start;
- u32 page_count;
-} KBlockInfo;
-
-typedef struct KLinkedListNode {
- struct KLinkedListNode* next;
- struct KLinkedListNode* prev;
- void* data;
-} KLinkedListNode;
-
-typedef struct MemSectionInfo {
- u8 padding[0x0C - 0x00];
- KLinkedListNode* first_node;
- KLinkedListNode* last_node;
-} MemSectionInfo;
-
-typedef struct KCodeSet {
- u8 padding0[0x08 - 0x00];
- MemSectionInfo text_info;
- u8 padding1[0x64 - 0x1C];
-} KCodeSet;
-#pragma pack(0)
-
-u32 kprocess_ptr = 0;
-u32 kprocess_size = 0;
-u32 kprocess_code_set_offset = 0;
-u32 kprocess_pid_offset = 0;
-
-s32 kernel_patch_fs() {
- asm volatile("cpsid aif");
-
- u32 currProcessPtr = *(u32*) kprocess_ptr;
- u32 vtablePtr = *(u32*) currProcessPtr;
-
- for(u32 processPtr = currProcessPtr; *(u32*) processPtr == vtablePtr; processPtr -= kprocess_size) {
- if(*(u32*) (processPtr + kprocess_pid_offset) == 0) {
- KCodeSet* codeSet = *(KCodeSet**) (processPtr + kprocess_code_set_offset);
- if(codeSet != NULL) {
- // Patches out an archive access check.
- u8 original[] = {0x0C, 0x05, 0x0C, 0x33, 0x46, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x28, 0x01, 0xD0, 0x00, 0x20, 0xF8};
- u8 patched[] = {0x0C, 0x05, 0x0C, 0x33, 0x46, 0x01, 0x20, 0x00, 0x00, 0x00, 0x28, 0x01, 0xD0, 0x00, 0x20, 0xF8};
-
- for(KLinkedListNode* node = codeSet->text_info.first_node; node != NULL; node = node->next) {
- KBlockInfo* blockInfo = (KBlockInfo*) node->data;
- u32 blockSize = blockInfo->page_count * 0x1000;
-
- bool done = false;
- for(u32 i = 0; i <= blockSize - sizeof(original); i++) {
- u8* dst = (u8*) (blockInfo->section_start + i);
-
- bool equal = true;
- for(u32 b = 0; b < sizeof(original); b++) {
- if(original[b] != 0xFF && dst[b] != original[b]) {
- equal = false;
- break;
- }
- }
-
- if(equal) {
- for(u32 b = 0; b < sizeof(patched); b++) {
- dst[b] = patched[b];
- }
-
- done = true;
- break;
- }
- }
-
- if(done || node == codeSet->text_info.last_node) {
- break;
- }
- }
- }
-
- break;
- }
- }
-
- return 0;
-}
-
-u32 old_pid = 0;
-
-s32 kernel_patch_pid_zero() {
- u32* pidPtr = (u32*) (*(u32*) kprocess_ptr + kprocess_pid_offset);
-
- old_pid = *pidPtr;
- *pidPtr = 0;
-
- return 0;
-}
-
-s32 kernel_patch_pid_reset() {
- u32* pidPtr = (u32*) (*(u32*) kprocess_ptr + kprocess_pid_offset);
-
- *pidPtr = old_pid;
-
- return 0;
-}
-
-void apply_patches() {
- kprocess_ptr = 0xFFFF9004;
-
- if(osGetKernelVersion() < 0x022C0600) {
- kprocess_size = 0x260;
- kprocess_code_set_offset = 0xA8;
- kprocess_pid_offset = 0xAC;
- } else {
- bool n3ds = false;
- APT_CheckNew3DS((u8*) &n3ds);
-
- if(n3ds) {
- kprocess_size = 0x270;
- kprocess_code_set_offset = 0xB8;
- kprocess_pid_offset = 0xBC;
- } else {
- kprocess_size = 0x268;
- kprocess_code_set_offset = 0xB0;
- kprocess_pid_offset = 0xB4;
- }
- }
-
- if(osGetKernelVersion() > 0x022E0000) {
- svcBackdoor(kernel_patch_pid_zero);
- srvExit();
- srvInit();
- svcBackdoor(kernel_patch_pid_reset);
- }
-
- svcBackdoor(kernel_patch_fs);
-}
\ No newline at end of file
diff --git a/source/patcher/patcher.h b/source/patcher/patcher.h
deleted file mode 100644
index cf980cb..0000000
--- a/source/patcher/patcher.h
+++ /dev/null
@@ -1,4 +0,0 @@
-#pragma once
-
-void apply_patches();
-