Apr 11th, 2021
=======
isfshax
=======

Boot1 stack:
0x0D40EDB0 <-- stack base
0x0D40FADC <-- stack ptr on the second ISFS_ProcessSuperblock call
0x0D40FB18 <-- stack ptr on the first ISFS_ProcessSuperblock call
0x0D40FDB0 <-- stack top

ISFS_ProcessSuperblock is at 0x0d402e70. The recursive call happens at 0x0d402ff6 for FST directory entries.
Each recursive call decrements sp by 0x3C.

0x6A directory entries (FST root entry included) will overflow the stack up to 0x0d40e240.
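
Added model, not boot1's code and not part of the original note: it checks the stack figures above arithmetically and shows the bounded-depth guard a recursive FST walker should enforce so that nesting can never push sp below the stack base. The `struct entry` layout and the chain builder are constructed for the model and are not the real FST format.

```c
#include <stdint.h>
#include <stdio.h>

/* Figures from the note above. */
#define STACK_BASE    0x0D40EDB0u  /* lowest valid boot1 stack address */
#define FIRST_CALL_SP 0x0D40FB18u  /* sp on the first ISFS_ProcessSuperblock call */
#define FRAME_SIZE    0x3Cu        /* sp decrement per recursive call */

/* Simulated sp after `depth` nested recursive calls starting at `sp`. */
uint32_t sp_after(uint32_t sp, unsigned depth) { return sp - depth * FRAME_SIZE; }

/* Nested calls needed before sp falls to `target` (requires target <= sp). */
unsigned depth_to_reach(uint32_t sp, uint32_t target) { return (sp - target) / FRAME_SIZE; }

/* Deepest nesting whose frame still lies at or above the stack base. */
unsigned max_safe_depth(uint32_t sp) { return (sp - STACK_BASE) / FRAME_SIZE; }

/* Constructed, simplified FST entry: a directory names its first child in
 * `sub`, a file has sub == -1. This is not the real on-disk FST format. */
struct entry { int is_dir; int sub; };

/* Recursive walk with the same shape as the vulnerable routine, except that
 * it refuses to recurse when the next frame would drop below STACK_BASE.
 * Returns the depth reached, or -1 if the guard tripped. */
int walk(const struct entry *fst, int idx, uint32_t sp, unsigned depth) {
    if (idx < 0 || !fst[idx].is_dir)
        return (int)depth;               /* leaf reached: walk completes */
    if (sp - FRAME_SIZE < STACK_BASE)
        return -1;                       /* guard: bail out instead of overflowing */
    return walk(fst, fst[idx].sub, sp - FRAME_SIZE, depth + 1);
}

/* Walk a constructed chain of `n` nested directories ending in one file. */
int walk_chain(unsigned n) {
    struct entry fst[128];
    if (n > 126) return -2;              /* constructed table is fixed-size */
    for (unsigned i = 0; i < n; i++) { fst[i].is_dir = 1; fst[i].sub = (int)i + 1; }
    fst[n].is_dir = 0; fst[n].sub = -1;
    return walk(fst, 0, FIRST_CALL_SP, 0);
}

int main(void) {
    printf("frames from first call to 0x0d40e240: 0x%x\n", depth_to_reach(FIRST_CALL_SP, 0x0D40E240u));
    printf("deepest safe nesting from first call: %u\n", max_safe_depth(FIRST_CALL_SP));
    printf("guarded walk of 0x6A nested dirs: %d\n", walk_chain(0x6A));
    return 0;
}
```

With the guard in place a chain of 0x6A nested directories is rejected at depth 57, the last frame that still fits above the stack base.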
  15.  
Address  Original data          Overwritten by
--------------------------------------------------
0d40e240 gAncastKey          << 000000000000000301f8000000000000
0d40e250 gAncastKeyAddr      << 00000000
0d40e254 gAncastModuloAddr   << 00000001
0d40e258 ndevStatus          << 0000XXXX
0d40e25c pFsDeviceFLA        << 01f80000
0d40e260 flaDevice.field_0x0 << 01f8000c
0d40e264 flaDevice.instance  << 000XXXX0
0d40e268 flaDevice.init      << YYYYYYYY
0d40e26c flaDevice.read      << WWWWWWWW
0d40e270 flaDevice.field_0x10 << ZZZZZZZZ
0d40e274 flaDevice.shutdown  << YYYYYYYY
0d40e278 flaDevice.field_0x18 << 0d402e7c
  30.  
pFsDeviceFLA will point to the superblock load address (0x01f80000).
  32.  
An FS device has the following structure (type aliases added so the declaration compiles as-is):

#include <stdint.h>
typedef uint8_t  u8;
typedef uint32_t u32;
typedef uint64_t u64;
typedef unsigned int uint;

struct FS_Device {
    /* 0x00 */ int field_0x0;
    /* 0x04 */ u32 instance;
    /* 0x08 */ int (* init)(struct FS_Device *);
    /* 0x0C */ int (* read)(struct FS_Device *, u64, uint, void *, u8 *);   /* called by boot1 to read files */
    /* 0x10 */ int (* write)(struct FS_Device *, u64, uint, void *, u8 *);
    /* 0x14 */ int (* shutdown)(struct FS_Device *);
    /* ... remaining fields not listed in this note ... */
};
  43.  
The read field lands on the first two cluster entries in the FAT of the superblock.
Since AHMN is not yet enabled, it's possible to redirect execution to the superblock data.

The read() field will be called (at 0x0d40135a) when boot1 attempts to read
/sys/config/system.xml. As such, said entries must be present in the superblock.
The system.xml FST entry should point to a valid and terminated cluster in the FAT
to prevent a crash when boot1 gets the file's stats.

A payload can be saved in the FAT or FST area. FAT entries of value 0xffff will
be corrected to 0xfffe, while the first bit of the size field in FST entries with
(fst->mode & 3) != 0 will be cleared, so payloads should be written with precautions
in place to avoid being corrupted by those operations.
  56.  
- rw-r-r-0644