Dwack

XeDumpHV

Aug 12th, 2012
  1. /*
  2. XeDumpHV : http://www.putlocker.com/file/E0C5C22E50C43716
  3.  
  4. A simple tool to dump the hypervisor from memory. Tested only on kernel 14719; it should keep working on later kernels as long as the XeBuild HV patch hook it relies on is unchanged.
  5.  
  6. Should help those of you trying to crack The Atlas Project or Project Sable.
  7.  
  8. Don't forget to reverse XeBuild changes to the HV, plus a few other things.
  9.  
  10. XeDumpHV.xex stores payload at 0x32500 in HV, make sure to reverse that to 0's.
  11.  
  12. This was built to make it easier to dump the HV without having to track system-call changes between kernel builds. It uses a built-in feature of the XeBuild patches to execute a payload in HV state.
  13. There are easier ways to dump the HV (the HvxExpansion system calls), but they usually require updating offsets or system-call numbers for each kernel build.
  14.  
  15. */
  16.  
  17.  
  18. #include <stdio.h> //for sprintf_s
  19. #include <xtl.h>
  20. #include "AtgConsole.h"
  21. #include "AtgUtil.h"
  22. #include "AtgInput.h"
  23. #include "kernel.h"
  24.  
// On-screen console shared by main() and dprintf(); created in main() before use.
ATG::Console atg_Con;
  26.  
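// Print a printf-style message to the on-screen ATG console (and to the
// debugger output when DEBUG_MSG is defined).
//
// s    printf-style format string; the remaining arguments are its operands.
//
// The message is formatted into a fixed 512-byte local buffer. The previous
// call, vsnprintf_s(temp, 512, 512, ...), passed count == sizeOfBuffer (not
// _TRUNCATE), so a message that does not fit is handed to the CRT
// invalid-parameter handler instead of being clipped — on the console that is
// an abort, not a truncated line. vsnprintf clips instead; the explicit
// terminator below covers older MSVC CRTs whose vsnprintf does not
// NUL-terminate on overflow.
void dprintf(const char* s, ...)
{
    char temp[512];
    va_list argp;

    va_start(argp, s);
    vsnprintf(temp, sizeof(temp), s, argp);
    va_end(argp);
    temp[sizeof(temp) - 1] = '\0';

    // "%s" so a message that itself contains '%' is not re-interpreted.
    atg_Con.Format("%s", temp);
    #ifdef DEBUG_MSG
    DbgPrint("%s", temp);
    #endif
}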
  40.  
  41. // Payload PPC code
  42. /*
  43.     lis %r11, 1              ; r11 = 0x10000: bytes copied per table entry (loaded into CTR below)
  44.     bl loc_1
  45. loc_1:
  46.     mfspr %r3, %LR
  47.     addi %r3, %r3, 56        ; 0x38, as encoded below (38 63 00 38): LR = loc_1 (+8), +56 = +64, so ldu 8(%r3) reads the table at +72
  48. loc_2:
  49.     ldu %r4, 8(%r3)
  50.     cmpdi %r4, -1
  51.     beq end
  52.     mtctr %r11
  53. loop_1:
  54.     lbz %r9, 0(%r4)
  55.     stb %r9, 0(%r8)
  56.     addi %r4, %r4, 1
  57.     addi %r8, %r8, 1
  58.     bdnz loop_1
  59.     b loc_2
  60. end:
  61.     addi %r1, %r1, 0x10
  62.     nop
  63.     mtspr %LR, %r12
  64.     blr
  65.     .quad 0x8000010000000000
  66.     .quad 0x8000010200010000
  67.     .quad 0x8000010400020000
  68.     .quad 0x8000010600030000
  69.     .quad 0xFFFFFFFFFFFFFFFF
  70.  
  71. */
  72. unsigned char hvPayload[112] = {
  73.     0x3D, 0x60, 0x00, 0x01, 0x48, 0x00, 0x00, 0x05,
  74.     0x7C, 0x68, 0x02, 0xA6, 0x38, 0x63, 0x00, 0x38,
  75.     0xE8, 0x83, 0x00, 0x09, 0x2C, 0x24, 0xFF, 0xFF,
  76.     0x41, 0x82, 0x00, 0x20, 0x7D, 0x69, 0x03, 0xA6,
  77.     0x89, 0x24, 0x00, 0x00, 0x99, 0x28, 0x00, 0x00,
  78.     0x38, 0x84, 0x00, 0x01, 0x39, 0x08, 0x00, 0x01,
  79.     0x42, 0x00, 0xFF, 0xF0, 0x4B, 0xFF, 0xFF, 0xDC,
  80.     0x38, 0x21, 0x00, 0x10, 0x60, 0x00, 0x00, 0x00,
  81.     0x7D, 0x88, 0x03, 0xA6, 0x4E, 0x80, 0x00, 0x20,
  82.     0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  83.     0x80, 0x00, 0x01, 0x02, 0x00, 0x01, 0x00, 0x00,
  84.     0x80, 0x00, 0x01, 0x04, 0x00, 0x02, 0x00, 0x00,
  85.     0x80, 0x00, 0x01, 0x06, 0x00, 0x03, 0x00, 0x00,
  86.     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
  87. };
  88.  
// Raw system call 0. __declspec(naked) means no prologue is emitted, so the
// six arguments reach the kernel untouched in the argument registers and the
// kernel's result (presumably in r3) comes straight back to the caller.
//
// main() calls this with a magic/mode pair that the header comment says the
// XeBuild HV patch recognises as "run this payload in HV state". What dest,
// src, len and arg_r8 mean is defined by that patch, not by this file —
// assumes dest is the HV address the payload is copied to, src the physical
// address it is copied from, and arg_r8 reaches the payload in r8 (the
// payload stores its output through r8; see hvPayload). Confirm against the
// patch source before changing any of them.
DWORD __declspec(naked) HvxGetVersion(DWORD magic, DWORD mode, UINT64 dest, UINT64 src, UINT32 len, UINT64 arg_r8)
{
    __asm {
        li      r0, 0 // HvxGetVersion
        sc
        blr
    }
}
  97.  
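// Size of the image the payload copies out: four 0x10000-byte table entries
// in hvPayload, i.e. 0x40000 bytes.
static const DWORD kHvDumpSize = 0x40000;

// HV address the payload is planted at (HV offset 0x32500). Nothing here
// restores that region afterwards — the header comment tells the user to zero
// it in the dump, and the running HV keeps the payload until reboot.
static const UINT64 kPayloadDest = 0x8000010600032500ULL;

// Run the HV-state payload so it copies the hypervisor into pbHypervisor
// (kHvDumpSize bytes, allocated by the caller).
//
// Returns false only if the scratch page for the payload cannot be allocated.
// The syscall gives no status back, so a dump is otherwise assumed to have
// happened; a buffer that is still all zeros afterwards means it did not.
static bool DumpHypervisor(BYTE* pbHypervisor)
{
    // Physically contiguous, so one MmGetPhysicalAddress() covers the payload.
    BYTE* pbPayload = (BYTE*)XPhysicalAlloc(0x100, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (pbPayload == NULL)
    {
        dprintf("XPhysicalAlloc failed for the payload page\n");
        return false;
    }
    memcpy(pbPayload, hvPayload, sizeof(hvPayload));

    // Physical addresses are handed to the HV through the 0x8000000000000000
    // window; the (DWORD) cast keeps only the low 32 bits, as the original did.
    UINT64 src  = 0x8000000000000000ULL + ((DWORD)MmGetPhysicalAddress(pbPayload));
    UINT64 xArg = 0x8000000000000000ULL + ((DWORD)MmGetPhysicalAddress(pbHypervisor));

    // The XeBuild HV patch presumably copies src to kPayloadDest and jumps to
    // it with xArg in r8 — the payload writes its output through r8. The len
    // value (0x40) is passed through unchanged; its unit is not documented here
    // (hvPayload is 112 bytes), so confirm it against the patch before editing.
    HvxGetVersion(0x72627472, 4, kPayloadDest, src, 0x40, xArg);

    XPhysicalFree(pbPayload);
    return true;
}

// Write cb bytes of the dump to GAME:\HV_<kernel build>.bin.
//
// Returns true only if the file was created and every byte was written; both
// failures are reported on the console so a missing or short file is not
// mistaken for a good dump (the original ignored WriteFile's result).
static bool SaveHypervisor(const BYTE* pbHypervisor, DWORD cb)
{
    char hvBuild[255];
    sprintf_s(hvBuild, "GAME:\\HV_%d.bin", XboxKrnlVersion->Build);

    HANDLE hFile = CreateFile(hvBuild, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        dprintf("CreateFile failed for %s\n", hvBuild);
        return false;
    }

    DWORD written = 0;
    bool ok = WriteFile(hFile, pbHypervisor, cb, &written, NULL) && written == cb;
    CloseHandle(hFile);
    if (!ok)
    {
        dprintf("WriteFile failed: %d of %d bytes written to %s\n", written, cb, hvBuild);
        return false;
    }

    dprintf("HV version %d saved\n", XboxKrnlVersion->Build);
    return true;
}

// Entry point: show a two-key menu, and on A dump the hypervisor to the GAME:
// partition, then hand control back to the default app. On Y just exit to
// the default app. Every failure path is reported on screen before exiting.
VOID __cdecl main()
{
    const char* newLine = "---------------------------------------------------\n";
    atg_Con.Create( "game:\\Media\\Fonts\\Arial_12.xpr", 0xFF000000, 0xFFFFFFFF );
    atg_Con.Clear();
    dprintf("Welcome to XeDumpHV!\n    For Kernel: %d\n\n", XboxKrnlVersion->Build);
    dprintf("%s", newLine);
    dprintf("Press A to Dump HV\n");
    dprintf("Press Y to Exit\n");
    dprintf("%s", newLine);

    for (;;)
    {
        ATG::Input::GetMergedInput();

        if (ATG::Input::m_DefaultGamepad.wPressedButtons & XINPUT_GAMEPAD_A )
        {
            dprintf("Dumping HV....\n");

            // Output buffer for the payload; zeroed so an unwritten dump is
            // recognisable. XPhysicalAlloc can fail — the original passed a
            // NULL straight into memset.
            BYTE* pbHypervisor = (BYTE*)XPhysicalAlloc(kHvDumpSize, MAXULONG_PTR, 0, PAGE_READWRITE);
            if (pbHypervisor == NULL)
            {
                dprintf("XPhysicalAlloc failed for the dump buffer\n");
            }
            else
            {
                memset(pbHypervisor, 0, kHvDumpSize);
                if (DumpHypervisor(pbHypervisor))
                {
                    dprintf("HV dumped\nSaving HV....\n");
                    SaveHypervisor(pbHypervisor, kHvDumpSize);
                }
                XPhysicalFree(pbHypervisor);
            }

            dprintf("Exiting........\n");
            Sleep(2500);
            XLaunchNewImage(XLAUNCH_KEYWORD_DEFAULT_APP, 0);
        }
        else if( ATG::Input::m_DefaultGamepad.wPressedButtons & XINPUT_GAMEPAD_Y )
        {
            XLaunchNewImage(XLAUNCH_KEYWORD_DEFAULT_APP, 0);
            break;
        }
    }
}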