verify mini_b9s_installer in arm9 memory before memcpy

safer unsafe mode
zoogie · Apr 30, 2020 · f5d20a9 · f5d20a9
1 parent 5608f0e
commit f5d20a9
Show file tree

Hide file tree

Showing 4 changed files with 163 additions and 2 deletions.
diff --git a/build_payload.py b/build_payload.py
@@ -1,4 +1,4 @@
-import os,sys,struct
+import os,sys,struct,binascii
 
 payload="\x00"*0x20000
 
@@ -51,6 +51,7 @@ def fix_crc16(path, offset, size, crc_offset, type):
 if(len(b9s) > 0x10000):
 	print("Error: b9s_installer too large")
 	sys.exit(0)
+crc=binascii.crc32(b9s+("\x00"*(0x10000-len(b9s)-4))) & 0xffffffff
 
 with open("usm.bin","wb") as f:
 	f.write(payload)
@@ -64,5 +65,9 @@ def fix_crc16(path, offset, size, crc_offset, type):
 	f.write(code)
 	f.seek(0x10000)
 	f.write(b9s)
+	f.seek(0x20000-4)
+	f.write(struct.pack("<I",crc))
+
+
 
 print("Payload built")
diff --git a/stage3_pre9otherapp/usr2arm9ldr/arm9/source/i2c.c b/stage3_pre9otherapp/usr2arm9ldr/arm9/source/i2c.c
@@ -0,0 +1,113 @@
+#include "i2c.h"
+
+//-----------------------------------------------------------------------------
+
+static const struct { u8 bus_id, reg_addr; } dev_data[] = {
+    {0, 0x4A}, {0, 0x7A}, {0, 0x78},
+    {1, 0x4A}, {1, 0x78}, {1, 0x2C},
+    {1, 0x2E}, {1, 0x40}, {1, 0x44},
+    {2, 0xD6}, {2, 0xD0}, {2, 0xD2},
+    {2, 0xA4}, {2, 0x9A}, {2, 0xA0},
+};
+
+static inline u8 i2cGetDeviceBusId(u8 device_id)
+{
+    return dev_data[device_id].bus_id;
+}
+
+static inline u8 i2cGetDeviceRegAddr(u8 device_id)
+{
+    return dev_data[device_id].reg_addr;
+}
+
+//-----------------------------------------------------------------------------
+
+static vu8 *reg_data_addrs[] = {
+    (vu8 *)(I2C1_REG_OFF + I2C_REG_DATA),
+    (vu8 *)(I2C2_REG_OFF + I2C_REG_DATA),
+    (vu8 *)(I2C3_REG_OFF + I2C_REG_DATA),
+};
+
+static inline vu8 *i2cGetDataReg(u8 bus_id)
+{
+    return reg_data_addrs[bus_id];
+}
+
+//-----------------------------------------------------------------------------
+
+static vu8 *reg_cnt_addrs[] = {
+    (vu8 *)(I2C1_REG_OFF + I2C_REG_CNT),
+    (vu8 *)(I2C2_REG_OFF + I2C_REG_CNT),
+    (vu8 *)(I2C3_REG_OFF + I2C_REG_CNT),
+};
+
+static inline vu8 *i2cGetCntReg(u8 bus_id)
+{
+    return reg_cnt_addrs[bus_id];
+}
+
+//-----------------------------------------------------------------------------
+
+static inline void i2cWaitBusy(u8 bus_id)
+{
+    while (*i2cGetCntReg(bus_id) & 0x80);
+}
+
+static inline bool i2cGetResult(u8 bus_id)
+{
+    i2cWaitBusy(bus_id);
+
+    return (*i2cGetCntReg(bus_id) >> 4) & 1;
+}
+
+static void i2cStop(u8 bus_id, u8 arg0)
+{
+    *i2cGetCntReg(bus_id) = (arg0 << 5) | 0xC0;
+    i2cWaitBusy(bus_id);
+    *i2cGetCntReg(bus_id) = 0xC5;
+}
+
+//-----------------------------------------------------------------------------
+
+static bool i2cSelectDevice(u8 bus_id, u8 dev_reg)
+{
+    i2cWaitBusy(bus_id);
+    *i2cGetDataReg(bus_id) = dev_reg;
+    *i2cGetCntReg(bus_id) = 0xC2;
+
+    return i2cGetResult(bus_id);
+}
+
+static bool i2cSelectRegister(u8 bus_id, u8 reg)
+{
+    i2cWaitBusy(bus_id);
+    *i2cGetDataReg(bus_id) = reg;
+    *i2cGetCntReg(bus_id) = 0xC0;
+
+    return i2cGetResult(bus_id);
+}
+
+//-----------------------------------------------------------------------------
+
+bool i2cWriteRegister(u8 dev_id, u8 reg, u8 data)
+{
+    u8 bus_id = i2cGetDeviceBusId(dev_id),
+       dev_addr = i2cGetDeviceRegAddr(dev_id);
+
+    for(u32 i = 0; i < 8; i++)
+    {
+        if(i2cSelectDevice(bus_id, dev_addr) && i2cSelectRegister(bus_id, reg))
+        {
+            i2cWaitBusy(bus_id);
+            *i2cGetDataReg(bus_id) = data;
+            *i2cGetCntReg(bus_id) = 0xC1;
+            i2cStop(bus_id, 0);
+
+            if(i2cGetResult(bus_id)) return true;
+        }
+        *i2cGetCntReg(bus_id) = 0xC5;
+        i2cWaitBusy(bus_id);
+    }
+
+    return false;
+}
diff --git a/stage3_pre9otherapp/usr2arm9ldr/arm9/source/i2c.h b/stage3_pre9otherapp/usr2arm9ldr/arm9/source/i2c.h
@@ -0,0 +1,18 @@
+#pragma once
+
+#include "types.h"
+
+#define I2C1_REG_OFF 0x10161000
+#define I2C2_REG_OFF 0x10144000
+#define I2C3_REG_OFF 0x10148000
+
+#define I2C_REG_DATA  0
+#define I2C_REG_CNT   1
+#define I2C_REG_CNTEX 2
+#define I2C_REG_SCL   4
+
+#define I2C_DEV_MCU  3
+#define I2C_DEV_GYRO 10
+#define I2C_DEV_IR   13
+
+bool i2cWriteRegister(u8 dev_id, u8 reg, u8 data);
diff --git a/stage3_pre9otherapp/usr2arm9ldr/arm9/source/main.c b/stage3_pre9otherapp/usr2arm9ldr/arm9/source/main.c
@@ -2,6 +2,7 @@
 #include "PXI.h"
 #include "arm11.h"
 #include "petitfs/pff.h"
+#include "i2c.h"
 
 #define CFG11_SHAREDWRAM_32K_DATA(i)    (*(vu8 *)(0x10140000 + i))
 #define CFG11_SHAREDWRAM_32K_CODE(i)    (*(vu8 *)(0x10140008 + i))
@@ -123,9 +124,33 @@ static void patchSvcReplyAndReceive11(void)
     patch[2] = svcTable[0x7C];;
 }
 
+u32 crc32(u8 *data, int size)
+{
+  u32 r = ~0; u8 *end = data + size;
+
+  while(data < end)
+  {
+    r ^= *data++;
+
+    for(int i = 0; i < 8; i++)
+    {
+      u32 t = ~((r&1) - 1); r = (r>>1) ^ (0xEDB88320 & t); 
+    }
+  }
+
+  return ~r;
+}
+
 void main(void)
 {
-    memcpy((void*)0x23F00000, (void*)0x23D45000, 0x10000);
+
+    u8 *minib9s=(void*)0x23D45000;
+    u32 crc=crc32(minib9s, 0x10000-4);
+    if(crc != *(u32*)(minib9s+0x10000-4)){
+	    i2cWriteRegister(I2C_DEV_MCU, 0x20, 1 << 0);
+	    while(1);
+    }
+    memcpy((void*)0x23F00000, minib9s, 0x10000);
     //patchSvcReplyAndReceive11();
     //doFirmlaunch();
     //*(u32*)NULL=42;