Make payload position-independent

TuxSH · Dec 17, 2020 · 99adaa1 · 99adaa1
1 parent 6da7803
commit 99adaa1
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 18 deletions.
diff --git a/Makefile b/Makefile
@@ -40,7 +40,7 @@ ifneq ($(MEMCHUNKHAX_ONLY),)
 	DEFINES += -DMEMCHUNKHAX_ONLY
 endif
 
-ARCH	:=	-march=armv6k -mtune=mpcore -mfloat-abi=hard -mtp=soft
+ARCH	:=	-march=armv6k -mtune=mpcore -mfloat-abi=hard -mtp=soft -fPIC
 
 CFLAGS	:=	-g -Wall -Wextra -Wno-main -Os -mword-relocations -fomit-frame-pointer \
 			-ffunction-sections -fdata-sections \
@@ -82,7 +82,7 @@ export DEPSDIR	:=	$(CURDIR)/$(BUILD)
 CFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
 CPPFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
 SFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
-BINFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*))) kernelhaxcode_3ds.bin
+BINFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))
 
 #---------------------------------------------------------------------------------
 # use CXX for linking C++ projects, CC for standard C

diff --git a/kernelhaxcode_3ds b/kernelhaxcode_3ds
diff --git a/linker.ld b/linker.ld
@@ -3,15 +3,22 @@ ENTRY(_start)
 
 MEMORY
 {
-    RAMRO (rx) : ORIGIN = 0x00101000, LENGTH = 0x0000C000
-    RAMRW (rw!i) : ORIGIN = 0x8000000, LENGTH = 0x00100000
+    /* This address will always crash should it be actually referenced. */
+    RAMRO (rx) : ORIGIN = 0x70000000, LENGTH = 0x00008000
 }
 
 SECTIONS
 {
-    .text : ALIGN(4)
+    . = ORIGIN(RAMRO);
+
+    .crt0 ALIGN(4) :
     {
         *(.crt0*)
+        . = ALIGN(4);
+    } >RAMRO
+
+    .text ALIGN(4) :
+    {
         *(.text*)
         . = ALIGN(4);
     } >RAMRO
@@ -21,5 +28,5 @@ SECTIONS
         *(.rodata*)
         . = ALIGN(4);
     } >RAMRO
-    
+
 }
diff --git a/source/main.c b/source/main.c
@@ -10,8 +10,6 @@
 #include "spipwn.h"
 #include "kernel_gspwn.h"
 
-#include "kernelhaxcode_3ds_bin.h"
-
 #ifndef DEFAULT_PAYLOAD_FILE_OFFSET
 #define DEFAULT_PAYLOAD_FILE_OFFSET 0
 #endif
@@ -26,17 +24,21 @@ typedef union ExploitChainLayout {
 
 static_assert(sizeof(ExploitChainLayout) == 0x10000);
 
-static void prepareBlobLayout(BlobLayout *layout, Handle gspHandle)
+static void prepareBlobLayout(BlobLayout *layout, Handle gspHandle, const u8 *khc3dsBin, size_t khc3dsBinSize)
 {
     memset(layout, 0, sizeof(BlobLayout));
-    memcpy(layout->code, kernelhaxcode_3ds_bin, kernelhaxcode_3ds_bin_size);
+    memcpy(layout->code, khc3dsBin, khc3dsBinSize);
     khc3dsPrepareL2Table(layout);
 
     // Ensure everything (esp. the layout) is written back into the main memory
     gspDoFullCleanInvCacheTrick(gspHandle);
 }
 
-static Result doExploitChain(ExploitChainLayout *layout, Handle gspHandle, const char *payloadFileName, size_t payloadFileOffset)
+static Result doExploitChain(
+    ExploitChainLayout *layout, Handle gspHandle,
+    const char *payloadFileName, size_t payloadFileOffset,
+    const u8 *khc3dsBin, size_t khc3dsBinSize
+)
 {
     Result res = 0;
 
@@ -45,7 +47,7 @@ static Result doExploitChain(ExploitChainLayout *layout, Handle gspHandle, const
         // Below 9.3 -- memchunkhax
         TRY(memchunkhax(layout->workBuffer, gspHandle));
 
-        prepareBlobLayout(&layout->blobLayout, gspHandle);
+        prepareBlobLayout(&layout->blobLayout, gspHandle, khc3dsBin, khc3dsBinSize);
         mapL2TableViaSvc0x7b(&layout->blobLayout);
 
         // https://developer.arm.com/docs/ddi0360/e/memory-management-unit/hardware-page-table-translation
@@ -71,7 +73,7 @@ static Result doExploitChain(ExploitChainLayout *layout, Handle gspHandle, const
         TRY(spipwn(srvHandle));
 
         // We can now GPU DMA the kernel. Let's map the L2 table we have prepared
-        prepareBlobLayout(&layout->blobLayout, gspHandle);
+        prepareBlobLayout(&layout->blobLayout, gspHandle, khc3dsBin, khc3dsBinSize);
         mapL2TableViaGpuDma(&layout->blobLayout, layout->blobLayout.smallWorkBuffer, gspHandle);
 
         svcCloseHandle(srvHandle);
@@ -82,7 +84,7 @@ static Result doExploitChain(ExploitChainLayout *layout, Handle gspHandle, const
     return khc3dsTakeover(payloadFileName, payloadFileOffset);
 }
 
-Result otherappMain(u32 paramBlkAddr)
+Result otherappMain(u32 paramBlkAddr, const u8 *khc3dsBin, size_t khc3dsBinSize)
 {
     Result res = 0;
 
@@ -109,7 +111,7 @@ Result otherappMain(u32 paramBlkAddr)
     // Set top priority for our thread
     TRY(svcSetThreadPriority(CUR_THREAD_HANDLE, 0x18));
 
-    res = doExploitChain(layout, gspHandle, arm9PayloadFileName, arm9PayloadFileOffset);
+    res = doExploitChain(layout, gspHandle, arm9PayloadFileName, arm9PayloadFileOffset, khc3dsBin, khc3dsBinSize);
     if (res != 0) {
         gspSetLcdFill(gspHandle, false, 255, 0, 0);
     }

diff --git a/source/start.s b/source/start.s
@@ -1,7 +1,21 @@
 #include "lib/asm_macros.s.h"
 
 FUNCTION _start, .crt0
-    mov     sp, #0x10000000
+    // Assume sp has been correctly set, we don't use the stack really much
+    //mov     sp, #0x10000000
+    adr     r1, kernelhaxcode_3ds_bin_size
+    ldr     r2, [r1], #4
     bl      otherappMain
-    bkpt 1
+    bkpt    1
 END_FUNCTION
+
+.global     kernelhaxcode_3ds_bin_size
+kernelhaxcode_3ds_bin_size:
+    .word   _kernelhaxcode_3ds_bin_end - kernelhaxcode_3ds_bin
+
+.global     kernelhaxcode_3ds_bin
+kernelhaxcode_3ds_bin:
+    .incbin "../kernelhaxcode_3ds/kernelhaxcode_3ds.bin"
+
+.hidden     _kernelhaxcode_3ds_bin_end
+_kernelhaxcode_3ds_bin_end:
+1 −1		arm11/linker.ld
+15 −0		arm11/source/asm_macros.s.h
+5 −5		arm11/source/start.s
+1 −1		arm9/linker.ld
+15 −0		arm9/source/asm_macros.s.h
+4 −5		arm9/source/start.s