From 88142b2269c24f37a2bb54c70336da9bee9b9f5f Mon Sep 17 00:00:00 2001 From: Spotlight Date: Thu, 30 Dec 2021 16:38:03 -0600 Subject: [PATCH] Fix markdown woes --- docs/README.md | 4 +-- docs/patch_overwrite_ios.md | 57 +++++++++++++++++++------------------ 2 files changed, 32 insertions(+), 29 deletions(-) diff --git a/docs/README.md b/docs/README.md index f382503..d9dba7b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -2,6 +2,6 @@ This directory contains documentation about given patches applied. Contents: - - [[`opcacrt6.yml`]]: A [Kaitai](https://kaitai.io) structure describing a very basic `opcacrt6.dat`. + - [`opcacrt6.yml`](opcacrt6.yml): A [Kaitai](https://kaitai.io) structure describing a very basic `opcacrt6.dat`. It does not attempt to handle things such as client certificates or user passwords. - - [[`patch_overwrite_ec.md`]]: An explanation as to why IOS needs to be patched for our operations. \ No newline at end of file + - [`patch_overwrite_ios.md`](patch_overwrite_ios.md): An explanation over why and how IOS is patched for operation of the Wii Shop Channel. \ No newline at end of file diff --git a/docs/patch_overwrite_ios.md b/docs/patch_overwrite_ios.md index 06f597d..3ef0788 100644 --- a/docs/patch_overwrite_ios.md +++ b/docs/patch_overwrite_ios.md 
@@ -67,12 +67,14 @@ However, space constraints for our patch made this difficult. We chose to hardco By default, the PowerPC core (Broadway) has memory protections enabled, preventing from us editing IOS's memory in MEM2. We need to apply several patches to achieve our goal. -1. e need to obtain access to overwriting IOS memory. +--- +First, we need to obtain access to overwriting IOS memory. We set the Access Rights field in the WAD's Title Metadata (or `.tmd`) to 0x00000003, permitting memory access. We will use this with `MEM2_PROT` later. This is thankfully a very quick fix. -2. We need to find space to put our own custom function within the binary. +--- +Second, we need to find space to put our own custom function within the binary. Via symbols within the main ARC, we find a C++ class named `textinput::EventObserver` with 4 functions in a row that immediately `blr` - returning with no other logic: @@ -88,7 +90,8 @@ We must additionally update references to this single at two separate virtual ta - `textinput::EventObserver` at `0x802f7a9` - `ipl::keyboard::EventObserver` at `0x802f8418` -3. We need to devise a way to have the channel overwrite IOS memory. +--- +Next, we need to devise a way to have the channel overwrite IOS memory. We have carved out our own space at `0x80014428` to put a function. Thankfully, the operation is fairly simple: 
@@ -104,33 +107,33 @@ Thankfully, the operation is fairly simple: We write and apply the following PowerPC assembly to achieve this task: ```asm overwriteIOSPatch: - ; Load 0x0d8b420a, location of MEM_PROT, to r9. - lis r9, 0xcd8b - ori r9, r9, 0x420a - ; We wish to write 0x2 in order to disable. - li r10, 0x2 + ; Load 0x0d8b420a, location of MEM_PROT, to r9. + lis r9, 0xcd8b + ori r9, r9, 0x420a + ; We wish to write 0x2 in order to disable. + li r10, 0x2 + + ; And... write! + sth r10, 0x0(r9) + eieio - ; And... write! - sth r10, 0x0(r9) - eieio - - ; Load 0xd3a73ad4, location of of IOSC_VerifyPublicKeySig, to r9. - lis r9, 0xd3a7 - ori r9, r9, 0x73ad4 - ; 0x20004770 represents our actual patch. - lis r10, 0x2000 - ori r10, r10, 0x4770 - - ; And... write. - stw r10, 0x0(r9) - - ; Clear cache - dcbi 0, r10 - blr + ; Load 0xd3a73ad4, location of of IOSC_VerifyPublicKeySig, to r9. + lis r9, 0xd3a7 + ori r9, r9, 0x73ad4 + ; 0x20004770 represents our actual patch. + lis r10, 0x2000 + ori r10, r10, 0x4770 + + ; And... write. + stw r10, 0x0(r9) + + ; Clear cache + dcbi 0, r10 + blr ``` - -4. We need to determine the best way to call our custom patching function. +--- +Finally, we need to determine the best way to call our custom patching function. Using the aforementioned symbols we find `ES_InitLib`, called once during initialization to open a handle with `/dev/es`. We insert a call to our function in its epilog, immediately before loading the previous LR from stack and branching back.
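Review bot: in the `docs/README.md` hunk, both rewritten lines still carry `\ No newline at end of file`; for a commit titled as a markdown fix, add the trailing newline so the last list item renders and future diffs stay clean. The change from `[[...]]` to `[text](target)` is the right form for standard markdown, and the new target `patch_overwrite_ios.md` matches the second file touched by this patch (`docs/patch_overwrite_ios.md`), whereas the old `patch_overwrite_ec.md` did not.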
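Review bot: in the `@@ -67,12 +67,14 @@` hunk, replacing the `1.`/`2.` ordered-list markers with `---` rules and "First"/"Second" drops the explicit numbering of what the surrounding text calls "several patches"; if the numbering broke because the fenced block and bullet list interrupted list continuation, indenting that continuation content under each item (or using numbered sub-headings) keeps the structure without the rules. The `e need` -> `First, we need` fix is correct.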
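Review bot: in the `@@ -88,7 +90,8 @@` hunk, the unchanged context line `textinput::EventObserver` at `0x802f7a9` has seven hex digits while the sibling `ipl::keyboard::EventObserver` at `0x802f8418` has eight, so a digit looks to have been dropped; worth correcting while this list is being edited. The `3.` -> `---` + "Next," change has the same numbering concern as the earlier hunk.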
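Review bot: in the `@@ -104,33 +107,33 @@` hunk the reindent carries over defects in the assembly it rewrites, and since every line of the block changes for whitespace this is the moment to fix them: `ori r9, r9, 0x73ad4` exceeds a 16-bit immediate, and to form the address 0xd3a73ad4 named in the comment the low half must be `0x3ad4`; `dcbi 0, r10` uses r10, which holds the patch value 0x20004770, as the effective address rather than r9, which holds the location just written. Smaller points: "location of of IOSC_VerifyPublicKeySig" has a duplicated word, and the first comment says 0x0d8b420a while `lis r9, 0xcd8b` / `ori r9, r9, 0x420a` assemble 0xcd8b420a, so the comment should state the address the code actually forms. The `4.` -> `---` + "Finally," change has the same numbering concern as the earlier hunks.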