-when starting up the console with system menu autoboot CBHC will now…

… start the menu into mii selection if no default mii is set instead of just using the first mii

-added system reload patches to CBHC, thanks to dimok for patch location and elf patcher!

dsrom/CBHC/arm_kernel/link.ld

@@ -2,17 +2,19 @@ OUTPUT_ARCH(arm)
 
 MEMORY
 {
-	RAMX (rx) : ORIGIN = 0x08134100, LENGTH = 0x000BF00
+	RAMX (rx) : ORIGIN = 0x08135000, LENGTH = 0x000B000
 }
 
 SECTIONS
 {
 	.text : ALIGN(0x100) {
+		__file_start = .;
 		build/crt0.o(.init)
 		*(.text)
 	}
 	.rodata : {
 		*(.rodata*)
+		__file_end = .;
 	}
 }
 

dsrom/CBHC/arm_kernel/source/crt0.s

@@ -5,8 +5,5 @@
 .extern _main
 .type _main, %function
 
-.extern memset
-.type memset, %function
-
 _start:
 	b _main

dsrom/CBHC/arm_kernel/source/elf_patcher.c

@@ -0,0 +1,110 @@
+/***************************************************************************
+ * Copyright (C) 2016
+ * by Dimok
+ *
+ * This software is provided 'as-is', without any express or implied
+ * warranty. In no event will the authors be held liable for any
+ * damages arising from the use of this software.
+ *
+ * Permission is granted to anyone to use this software for any
+ * purpose, including commercial applications, and to alter it and
+ * redistribute it freely, subject to the following restrictions:
+ *
+ * 1. The origin of this software must not be misrepresented; you
+ * must not claim that you wrote the original software. If you use
+ * this software in a product, an acknowledgment in the product
+ * documentation would be appreciated but is not required.
+ *
+ * 2. Altered source versions must be plainly marked as such, and
+ * must not be misrepresented as being the original software.
+ *
+ * 3. This notice may not be removed or altered from any source
+ * distribution.
+ ***************************************************************************/
+#include "types.h"
+#include "elf_abi.h"
+#include "utils.h"
+
+static Elf32_Phdr * get_section(u32 data, u32 vaddr)
+{
+    Elf32_Ehdr *ehdr = (Elf32_Ehdr *) data;
+
+    if (   !IS_ELF (*ehdr)
+        || (ehdr->e_type != ET_EXEC)
+        || (ehdr->e_machine != EM_ARM))
+    {
+        return 0;
+    }
+
+    Elf32_Phdr *phdr = 0;
+
+    u32 i;
+    for(i = 0; i < ehdr->e_phnum; i++)
+    {
+        phdr = (Elf32_Phdr *) (data + ehdr->e_phoff + ehdr->e_phentsize * i);
+
+        if((vaddr >= phdr[0].p_vaddr) && ((i == ehdr->e_phnum) || (vaddr < phdr[1].p_vaddr)))
+        {
+            break;
+        }
+    }
+    return phdr;
+}
+
+void section_write_bss(u32 ios_elf_start, u32 address, u32 size)
+{
+    Elf32_Phdr *phdr = get_section(ios_elf_start, address);
+    if(!phdr)
+        return;
+
+    if((address - phdr->p_vaddr + size) > phdr->p_memsz)
+    {
+        phdr->p_memsz = (address - phdr->p_vaddr + size);
+    }
+}
+
+void section_write(u32 ios_elf_start, u32 address, const void *data, u32 size)
+{
+    Elf32_Phdr *phdr = get_section(ios_elf_start, address);
+    if(!phdr)
+        return;
+
+    u32 *addr = (u32*)(ios_elf_start + address - phdr->p_vaddr + phdr->p_offset);
+
+    if((address - phdr->p_vaddr + size) > phdr->p_filesz)
+    {
+        u32 additionalSize = address - phdr->p_vaddr + size - phdr->p_filesz;
+
+        Elf32_Ehdr *ehdr = (Elf32_Ehdr *) ios_elf_start;
+        Elf32_Phdr * tmpPhdr;
+        u32 i;
+        for(i = (ehdr->e_phnum-1); i >= 0; i--)
+        {
+            tmpPhdr = (Elf32_Phdr *) (ios_elf_start + ehdr->e_phoff + ehdr->e_phentsize * i);
+
+            if(phdr->p_offset < tmpPhdr->p_offset)
+            {
+                reverse_memcpy((u8*)ios_elf_start + tmpPhdr->p_offset + additionalSize, (u8*)ios_elf_start + tmpPhdr->p_offset, tmpPhdr->p_filesz);
+                tmpPhdr->p_offset += additionalSize;
+            }
+            else {
+                break;
+            }
+        }
+        phdr->p_filesz += additionalSize;
+        if(phdr->p_memsz < phdr->p_filesz)
+        {
+            phdr->p_memsz = phdr->p_filesz;
+        }
+    }
+
+    // in most cases only a word is copied to an aligned address so do a short cut for performance
+    if(size == 4 && !((unsigned int)addr & 3) && !((unsigned int)data & 3))
+    {
+        *(u32*)addr = *(u32*)data;
+    }
+    else
+    {
+        kernel_memcpy(addr, data, size);
+    }
+}

dsrom/CBHC/arm_kernel/source/elf_patcher.h

@@ -0,0 +1,58 @@
+/***************************************************************************
+ * Copyright (C) 2016
+ * by Dimok
+ *
+ * This software is provided 'as-is', without any express or implied
+ * warranty. In no event will the authors be held liable for any
+ * damages arising from the use of this software.
+ *
+ * Permission is granted to anyone to use this software for any
+ * purpose, including commercial applications, and to alter it and
+ * redistribute it freely, subject to the following restrictions:
+ *
+ * 1. The origin of this software must not be misrepresented; you
+ * must not claim that you wrote the original software. If you use
+ * this software in a product, an acknowledgment in the product
+ * documentation would be appreciated but is not required.
+ *
+ * 2. Altered source versions must be plainly marked as such, and
+ * must not be misrepresented as being the original software.
+ *
+ * 3. This notice may not be removed or altered from any source
+ * distribution.
+ ***************************************************************************/
+#ifndef _ELF_PATCHER_H
+#define _ELF_PATCHER_H
+
+#include "types.h"
+
+#define ARM_B(addr, func)   (0xEA000000 | ((((u32)(func) - (u32)(addr) - 8) >> 2) & 0x00FFFFFF))
+#define ARM_BL(addr, func)  (0xEB000000 | ((((u32)(func) - (u32)(addr) - 8) >> 2) & 0x00FFFFFF))
+
+typedef struct
+{
+    u32 address;
+    void* data;
+    u32 size;
+} patch_table_t;
+
+void section_write(u32 ios_elf_start, u32 address, const void *data, u32 size);
+void section_write_bss(u32 ios_elf_start, u32 address, u32 size);
+
+static inline void section_write_word(u32 ios_elf_start, u32 address, u32 word)
+{
+    section_write(ios_elf_start, address, &word, sizeof(word));
+}
+
+
+static inline void patch_table_entries(u32 ios_elf_start, const patch_table_t * patch_table, u32 patch_count)
+{
+    u32 i;
+    for(i = 0; i < patch_count; i++)
+    {
+        section_write(ios_elf_start, patch_table[i].address, patch_table[i].data, patch_table[i].size);
+    }
+}
+
+
+#endif

dsrom/CBHC/arm_kernel/source/main.c

@@ -1,8 +1,9 @@
 #include "types.h"
 #include "utils.h"
+#include "reload.h"
+#include "elf_patcher.h"
 #include "../../payload/arm_user_bin.h"
-#include "../../payload/wupserver_bin.h"
-
+#include "wupserver.h"
 static const char repairData_set_fault_behavior[] = {
 	0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00,
 	0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02,
@@ -42,27 +43,13 @@ static const char os_launch_hook[] = {
 
 static const char sd_path[] = "/vol/sdcard";
 
-static unsigned int __attribute__((noinline)) disable_mmu(void)
-{
-	unsigned int control_register = 0;
-	asm volatile("MRC p15, 0, %0, c1, c0, 0" : "=r" (control_register));
-	asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register & 0xFFFFEFFA));
-	return control_register;
-}
-
-static void __attribute__((noinline)) restore_mmu(unsigned int control_register)
-{
-	asm volatile("MCR p15, 0, %0, c1, c0, 0" : : "r" (control_register));
-}
+#define wupserver_phys (0x0510E570 - 0x05100000 + 0x13D80000)
 
 int _main()
 {
-	int(*disable_interrupts)() = (int(*)())0x0812E778;
-	int(*enable_interrupts)(int) = (int(*)(int))0x0812E78C;
 	void(*invalidate_icache)() = (void(*)())0x0812DCF0;
 	void(*invalidate_dcache)(unsigned int, unsigned int) = (void(*)())0x08120164;
 	void(*flush_dcache)(unsigned int, unsigned int) = (void(*)())0x08120160;
-	char* (*kernel_memcpy)(void*, void*, int) = (char*(*)(void*, void*, int))0x08131D04;
 
 	flush_dcache(0x081200F0, 0x4001); // giving a size >= 0x4000 flushes all cache
 
@@ -76,6 +63,9 @@ int _main()
 	/* Patch kernel_error_handler to BX LR immediately */
 	*(volatile u32*)0x08129A24 = 0xE12FFF1E;
 
+	/* apply IOS ELF launch hook (thanks dimok!) */
+	*(volatile u32*)0x0812A120 = ARM_BL(0x0812A120, kernel_launch_ios);
+
 	void * pset_fault_behavior = (void*)0x081298BC;
 	kernel_memcpy(pset_fault_behavior, (void*)repairData_set_fault_behavior, sizeof(repairData_set_fault_behavior));
 
@@ -91,9 +81,8 @@ int _main()
 
 	// overwrite mcp_d_r code with wupserver
 	*(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr
-	void * test = (void*)(0x0510E570 - 0x05100000 + 0x13D80000);
-	kernel_memcpy(test, (void*)wupserver_bin, sizeof(wupserver_bin));
-	invalidate_dcache((u32)test, sizeof(wupserver_bin));
+	kernel_memcpy((void*)wupserver_phys, get_wupserver_bin(), get_wupserver_bin_len());
+	invalidate_dcache((u32)wupserver_phys, get_wupserver_bin_len());
 	invalidate_icache();
 
 	// replace ioctl 0x62 code with jump to wupserver
@@ -157,14 +146,14 @@ int _main()
 
 		for (i = 0; i < sizeof(os_launch_hook); i++)
 			((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i];
+	}
 
-		// change system.xml to syshax.xml
-		*(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; //ysha
-		*(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; //x.xm
+	// change system.xml to syshax.xml
+	*(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; //ysha
+	*(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; //x.xm
 
-		*(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; //ysha
-		*(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; //x.xm
-	}
+	*(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; //ysha
+	*(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; //x.xm
 
 	*(volatile u32*)(0x1555500) = 0;
 

dsrom/CBHC/arm_kernel/source/mmu.s

@@ -0,0 +1,18 @@
+.section ".text"
+.arm
+.align 4
+
+.globl disable_mmu
+.type disable_mmu, %function
+disable_mmu:
+	mrc p15, 0, r0, c1, c0, 0
+	ldr r1, =#0xFFFFEFFA
+	and r1, r0, r1
+	mcr p15, 0, r1, c1, c0, 0
+	bx lr
+
+.globl restore_mmu
+.type restore_mmu, %function
+restore_mmu:
+	mcr p15, 0, r0, c1, c0, 0
+	bx lr

dsrom/CBHC/arm_kernel/source/reload.c

@@ -0,0 +1,86 @@
+//kernel relaunch hook, thanks to dimok
+#include "types.h"
+#include "utils.h"
+#include "reload.h"
+#include "elf_patcher.h"
+#include "wupserver.h"
+
+extern char __file_start, __file_end;
+
+void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
+{
+    void (*kernel_launch_bootrom)(u32 launch_address, u32 L, u32 C, u32 H) = (void*)0x0812A050;
+
+    if(*(u32*)(launch_address - 0x300 + 0x1AC) == 0x00DFD000)
+    {
+        int level = disable_interrupts();
+        unsigned int control_register = disable_mmu();
+
+		u32 ios_elf_start = launch_address + 0x804 - 0x300;
+
+		// nop out memcmp hash checks
+		section_write_word(ios_elf_start, 0x040017E0, 0xE3A00000); // mov r0, #0
+		section_write_word(ios_elf_start, 0x040019C4, 0xE3A00000); // mov r0, #0
+		section_write_word(ios_elf_start, 0x04001BB0, 0xE3A00000); // mov r0, #0
+		section_write_word(ios_elf_start, 0x04001D40, 0xE3A00000); // mov r0, #0
+
+		// patch OS launch sig check
+		section_write_word(ios_elf_start, 0x0500A818, 0x20002000); // mov r0, #0; mov r0, #0
+
+		// patch MCP authentication check
+		section_write_word(ios_elf_start, 0x05014CAC, 0x20004770); // mov r0, #0; bx lr
+
+		// jump over overwritten MCP debug thread start function
+		section_write_word(ios_elf_start, 0x0501FEE0, 0x20002000); //mov r0, #0; mov r0, #0
+
+		// fix 10 minute timeout that crashes MCP after 10 minutes of booting
+		section_write_word(ios_elf_start, 0x05022474, 0xFFFFFFFF); // NEW_TIMEOUT
+
+		// replace ioctl 0x62 code with jump to wupserver
+		section_write_word(ios_elf_start, 0x05026BA8, 0x47780000); // bx pc
+		section_write_word(ios_elf_start, 0x05026BAC, 0xE59F1000); // ldr r1, [pc]
+		section_write_word(ios_elf_start, 0x05026BB0, 0xE12FFF11); // bx r1
+		section_write_word(ios_elf_start, 0x05026BB4, 0x0510E570); // wupserver code
+
+		// patch cert verification
+		section_write_word(ios_elf_start, 0x05052A90, 0xE3A00000); // mov r0, #0
+		section_write_word(ios_elf_start, 0x05052A94, 0xE12FFF1E); // bx lr
+
+		// patch IOSC_VerifyPubkeySign to always succeed
+		section_write_word(ios_elf_start, 0x05052C44, 0xE3A00000); // mov r0, #0
+		section_write_word(ios_elf_start, 0x05052C48, 0xE12FFF1E); // bx lr
+
+		// patch cached cert check
+		section_write_word(ios_elf_start, 0x05054D6C, 0xE3A00000); // mov r0, 0
+		section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr
+
+		// change system.xml to syshax.xml
+		section_write_word(ios_elf_start, 0x050600F0, 0x79736861); //ysha
+		section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); //x.xm
+
+		section_write_word(ios_elf_start, 0x05060114, 0x79736861); //ysha
+		section_write_word(ios_elf_start, 0x05060118, 0x782E786D); //x.xm
+
+		// overwrite mcp_d_r code with wupserver
+		section_write_word(ios_elf_start, 0x0510E56C, 0x47700000); //bx lr
+		section_write(ios_elf_start, 0x0510E570, get_wupserver_bin(), get_wupserver_bin_len());
+
+		// apply IOS ELF launch hook (thanks dimok!)
+		section_write_word(ios_elf_start, 0x0812A120, ARM_BL(0x0812A120, kernel_launch_ios));
+
+		// Put arm_kernel file back where it is now
+		section_write(ios_elf_start, (u32)&__file_start, &__file_start, &__file_end - &__file_start);
+
+		// allow any region title launch
+		section_write_word(ios_elf_start, 0xE0030498, 0xE3A00000); // mov r0, #0
+
+		// allow custom bootLogoTex and bootMovie.h264
+		section_write_word(ios_elf_start, 0xE0030D68, 0xE3A00000); // mov r0, #0
+		section_write_word(ios_elf_start, 0xE0030D34, 0xE3A00000); // mov r0, #0
+
+        restore_mmu(control_register);
+        enable_interrupts(level);
+    }
+
+    kernel_launch_bootrom(launch_address, L, C, H);
+}

dsrom/CBHC/arm_kernel/source/reload.h

@@ -0,0 +1,7 @@
+
+#ifndef _RELOAD_H_
+#define _RELOAD_H_
+
+void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H);
+
+#endif