Showing
26 changed files
with
861 additions
and
1 deletion.
@@ -0,0 +1,15 @@ | ||
# Copyright 2016 FIX94 | ||
# This code is licensed to you under the terms of the GNU GPL, version 2; | ||
# see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt | ||
|
||
all: | ||
@$(MAKE) --no-print-directory -C loader | ||
@mv -f loader/loader.h exploit/loader.h | ||
@$(MAKE) --no-print-directory -C exploit | ||
@mkdir -p gci | ||
@mv -f exploit/*.gci gci | ||
|
||
clean: | ||
@$(MAKE) --no-print-directory -C loader clean | ||
@$(MAKE) --no-print-directory -C exploit clean | ||
rm -rf gci |
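Review bot: `all` and `clean` are not declared phony, so a file or directory named `all` or `clean` appearing in the top-level directory silently turns the target into a no-op; add `.PHONY: all clean` above the `all:` rule. The `mv -f loader/loader.h exploit/loader.h` in the second line of `all` also means `exploit/loader.h` only exists after the loader sub-make has run, which this rule guarantees but a bare `make -C exploit` does not — a one-line comment saying `# exploit/ needs loader.h generated by loader/; always build via this Makefile` would spare the next reader that failure.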
@@ -1,2 +1,3 @@ | ||
# pandoratomorrow-exploit-gc | ||
a exploit for splinter cell pandora tomorrow on gamecube | ||
A exploit for splinter cell pandora tomorrow on gamecube, you only need a method of injecting the .gci onto your memory card. | ||
This exploit will load a boot.dol converted with dol2gci (included in Home Bros.) from your memory card. |
@@ -0,0 +1,88 @@ | ||
# Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org> | ||
# GameCube Port Copyright 2016 FIX94 | ||
# This code is licensed to you under the terms of the GNU GPL, version 2; | ||
# see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt | ||
|
||
|
||
# Configuration: | ||
|
||
# What toolchain prefix should we use | ||
CROSS ?= powerpc-eabi- | ||
|
||
ifeq ($(OS),Windows_NT) | ||
FIXCRC = $(CURDIR)/pandoratomorrow_crc.exe | ||
else | ||
FIXCRC = $(CURDIR)/pandoratomorrow_crc | ||
endif | ||
|
||
# End of configuration. | ||
|
||
|
||
|
||
# Set CC, LD, OBJCOPY based on CROSS, unless they are set already | ||
|
||
ifeq ($(origin CC), default) | ||
CC := $(CROSS)gcc -m32 | ||
endif | ||
ifeq ($(origin LD), default) | ||
LD := $(CROSS)ld | ||
endif | ||
OBJCOPY ?= $(CROSS)objcopy | ||
|
||
|
||
# The compiler flags we need. | ||
|
||
CFLAGS := -Wall -W -O1 -ffreestanding -mno-eabi -mno-sdata -mcpu=750 | ||
|
||
|
||
# Build with "V=1" to see the commands executed; be quiet otherwise. | ||
|
||
ifeq ($(V),1) | ||
Q := | ||
else | ||
Q := @ | ||
MAKEFLAGS += --no-print-directory | ||
endif | ||
|
||
|
||
targets := gt7e.gci gt7p.gci gt7x.gci | ||
targets-short := gt7e gt7p gt7x | ||
|
||
objs := pandoratomorrow.o | ||
|
||
all: $(targets) | ||
|
||
$(targets): %.gci : %.dat %.hdr | ||
@echo " OUTPUT $@" | ||
$(Q)dd if=$(filter %.hdr,$^) of=$@ bs=1 count=16540 2>/dev/null | ||
$(Q)dd if=$(filter %.dat,$^) of=$@ bs=1 seek=16540 count=20480 2>/dev/null | ||
$(Q)dd if=$(filter %.hdr,$^) of=$@ bs=1 skip=37020 seek=37020 count=4004 2>/dev/null | ||
$(Q)$(FIXCRC) $@ | ||
|
||
dats := gt7e.dat gt7p.dat gt7x.dat | ||
|
||
$(dats): %.dat: %.elf | ||
@echo " OBJCOPY $@" | ||
$(Q)$(OBJCOPY) -Obinary $< $@ | ||
|
||
elfs := $(dats:.dat=.elf) | ||
|
||
gt7e.elf: baddr := 0x80488E40+0x405C | ||
gt7p.elf: baddr := 0x80489400+0x405C | ||
gt7x.elf: baddr := 0x80489400+0x405C | ||
$(elfs): %.elf: %.ld %.o $(objs) | ||
@echo " LINK $@" | ||
$(Q)$(LD) --defsym baddr=$(baddr) -T $^ -o $@ | ||
|
||
exploit-objs := $(elfs:.elf=.o) | ||
|
||
$(exploit-objs): %.o: start.S mapAfterName.bin | ||
@echo " ASSEMBLE $@" | ||
$(Q)$(CC) $(CFLAGS) -c $< -o $@ | ||
|
||
%.o: %.c | ||
@echo " COMPILE $@" | ||
$(Q)$(CC) $(CFLAGS) -c $< -o $@ | ||
|
||
clean: | ||
-rm -f $(targets) $(saves) $(elfs) $(exploit-objs) $(objs) $(slots) $(dats) loader.h |
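Review bot: The final step of the `.gci` rule executes `$(FIXCRC)`, i.e. `pandoratomorrow_crc` / `pandoratomorrow_crc.exe` from `$(CURDIR)`, and this hunk contains no source or rule that produces it, so it is apparently a checked-in native binary that every builder runs; that is a supply-chain hazard for anyone cloning the repo, so either commit the CRC tool's source with a rule to build it, or at minimum document its origin and publish a hash next to it. The three `dd` lines do not fail on a short input, so a truncated `.hdr` or `.dat` yields a malformed `.gci` without any error; since the `count=` values sum to 41024 bytes, a check such as `$(Q)test $$(stat -c %s $@) -eq 41024` before the CRC step would catch that. The `clean` rule also references `$(saves)` and `$(slots)`, which nothing in this Makefile defines — presumably left over from the original the header credits — and can be removed.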
Binary file not shown.
@@ -0,0 +1,30 @@ | ||
/* Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org> | ||
GameCube Port Copyright 2016 FIX94 | ||
This code is licensed to you under the terms of the GNU GPL, version 2; | ||
see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */ | ||
|
||
OUTPUT_FORMAT("elf32-powerpc") | ||
OUTPUT_ARCH(powerpc:common) | ||
|
||
SECTIONS { | ||
card_getres = 0x80315E80; | ||
card_mountasync = 0x80319380; | ||
card_unmount = 0x803195BC; | ||
card_open = 0x8031A314; | ||
card_close = 0x8031A430; | ||
card_readasync = 0x8031AAC4; | ||
gx_setdrawdone = 0x8032430C; | ||
os_stopaudiosystem = 0x8032DFEC; | ||
os_disable_scheduler = 0x80332AE0; | ||
|
||
.pandoratomorrow baddr : | ||
{ | ||
gt7*.o(.start) | ||
*(.text) | ||
*(.rodata .rodata.*) | ||
*(.data) | ||
. = 0xFFC; | ||
*(.bss) | ||
. = 0x5000; | ||
} | ||
} |
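Review bot: The nine absolute addresses under `SECTIONS` (`card_getres` through `os_disable_scheduler`) are entry points of one specific game image, and nothing in the file records which image or how they were obtained, so the next person to re-derive them has nothing to compare against. Add a header comment along the lines of `/* SDK routine addresses for the gt7e build of the game; taken from that DOL — must be re-derived for any other image */` and, where known, the SDK symbol name each corresponds to. These values must also agree with the prototypes in `pandoratomorrow.c`; a comment saying so prevents one file being updated without the other.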
Binary file not shown.
@@ -0,0 +1,30 @@ | ||
/* Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org> | ||
GameCube Port Copyright 2016 FIX94 | ||
This code is licensed to you under the terms of the GNU GPL, version 2; | ||
see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */ | ||
|
||
OUTPUT_FORMAT("elf32-powerpc") | ||
OUTPUT_ARCH(powerpc:common) | ||
|
||
SECTIONS { | ||
card_getres = 0x80316664; | ||
card_mountasync = 0x80319B64; | ||
card_unmount = 0x80319DA0; | ||
card_open = 0x8031AAF8; | ||
card_close = 0x8031AC14; | ||
card_readasync = 0x8031B2A8; | ||
gx_setdrawdone = 0x80324868; | ||
os_stopaudiosystem = 0x8032E310; | ||
os_disable_scheduler = 0x80332D5C; | ||
|
||
.pandoratomorrow baddr : | ||
{ | ||
gt7*.o(.start) | ||
*(.text) | ||
*(.rodata .rodata.*) | ||
*(.data) | ||
. = 0xFFC; | ||
*(.bss) | ||
. = 0x5000; | ||
} | ||
} |
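Review bot: The two location-counter assignments inside `.pandoratomorrow` — `. = 0xFFC;` before `*(.bss)` and `. = 0x5000;` at the end — are layout constraints with no explanation; add `/* .bss must begin at 0xFFC; ld will reject the link if text/rodata/data overflow that space */` and `/* pad the image to the fixed 0x5000-byte payload size the .gci rule expects */` so the coupling to the `count=20480` in the Makefile is visible here. Because `.bss` is placed inside the single output section that `objcopy -Obinary` emits, its bytes travel in the save image rather than being zeroed at load time; presumably objcopy zero-fills them, but that is worth confirming and noting, since nothing in this payload clears them.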
Binary file not shown.
@@ -0,0 +1,30 @@ | ||
/* Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org> | ||
GameCube Port Copyright 2016 FIX94 | ||
This code is licensed to you under the terms of the GNU GPL, version 2; | ||
see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt */ | ||
|
||
OUTPUT_FORMAT("elf32-powerpc") | ||
OUTPUT_ARCH(powerpc:common) | ||
|
||
SECTIONS { | ||
card_getres = 0x80316664; | ||
card_mountasync = 0x80319B64; | ||
card_unmount = 0x80319DA0; | ||
card_open = 0x8031AAF8; | ||
card_close = 0x8031AC14; | ||
card_readasync = 0x8031B2A8; | ||
gx_setdrawdone = 0x80324868; | ||
os_stopaudiosystem = 0x8032E310; | ||
os_disable_scheduler = 0x80332D5C; | ||
|
||
.pandoratomorrow baddr : | ||
{ | ||
gt7*.o(.start) | ||
*(.text) | ||
*(.rodata .rodata.*) | ||
*(.data) | ||
. = 0xFFC; | ||
*(.bss) | ||
. = 0x5000; | ||
} | ||
} |
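Review bot: This script is byte-for-byte identical to the gt7p one above — every address and the section layout match — and the Makefile gives `gt7x.elf` the same `baddr` as `gt7p.elf`, so the two will drift apart the first time one is corrected. Consider replacing the body with `INCLUDE gt7p.ld` (or moving the shared script to a common file both include) and leaving a comment stating that gt7x and gt7p share one image layout, presumably because they are the same build.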
Binary file not shown.
@@ -0,0 +1,143 @@ | ||
// Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org> | ||
// GameCube Port Copyright 2016 FIX94 | ||
// This code is licensed to you under the terms of the GNU GPL, version 2; | ||
// see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt | ||
|
||
#include "loader.h" | ||
|
||
#define TO_ARAM 0 | ||
#define TO_MRAM 1 | ||
|
||
typedef unsigned int u32; | ||
typedef unsigned short u16; | ||
typedef unsigned char u8; | ||
typedef volatile unsigned int vu32; | ||
typedef volatile unsigned short vu16; | ||
|
||
typedef struct _cInfo | ||
{ | ||
int chan; | ||
int fnum; | ||
int offset; | ||
int length; | ||
u16 block; | ||
} cInfo; | ||
|
||
int card_getres(int chan); | ||
int card_mountasync(int chan, void* workArea, void *cb1, void *cb2); | ||
int card_unmount(int chan); | ||
int card_open(int chan, const char *path, cInfo *inf); | ||
int card_close(cInfo *inf); | ||
int card_readasync(cInfo *inf, void* addr, int length, int offset, void *cb); | ||
void gx_setdrawdone(void); | ||
void os_stopaudiosystem(void); | ||
void os_disable_scheduler(void); | ||
|
||
static void sync_cache(void *p, u32 n) | ||
{ | ||
u32 start, end; | ||
|
||
start = (u32)p & ~31; | ||
end = ((u32)p + n + 31) & ~31; | ||
n = (end - start) >> 5; | ||
|
||
while (n--) { | ||
asm("dcbst 0,%0 ; icbi 0,%0" : : "b"(p)); | ||
p += 32; | ||
} | ||
asm("sync ; isync"); | ||
} | ||
|
||
void *_memcpy(void *ptr, const void *src, int size) | ||
{ | ||
char* ptr2 = ptr; | ||
const char* src2 = src; | ||
while(size--) *ptr2++ = *src2++; | ||
return ptr; | ||
} | ||
|
||
void os_enable_interrupts() | ||
{ | ||
asm("mfmsr 3 ; ori 3, 3, 0x8000 ; mtmsr 3"); | ||
} | ||
|
||
void os_disable_interrupts() | ||
{ | ||
asm("mfmsr 3 ; rlwinm 3,3,0,17,15 ; mtmsr 3"); | ||
} | ||
|
||
void ar_dma(u32 type, u32 mram, u32 aram, u32 len) | ||
{ | ||
//interrupts are enabled so play it safe | ||
os_disable_interrupts(); | ||
while(*(vu16*)0xCC00500A & 0x200) ; | ||
*(vu16*)0xCC005020 = (mram>>16); | ||
*(vu16*)0xCC005022 = (mram&0xFFFF); | ||
*(vu16*)0xCC005024 = (aram>>16); | ||
*(vu16*)0xCC005026 = (aram&0xFFFF); | ||
*(vu16*)0xCC005028 = (type<<15)|(len>>16); | ||
*(vu16*)0xCC00502A = (len&0xFFFF); | ||
while(*(vu16*)0xCC00500A & 0x200) ; | ||
os_enable_interrupts(); | ||
} | ||
|
||
void __attribute__ ((noreturn)) _main() | ||
{ | ||
//game audio threads are still running | ||
//so we just disable threading to prevent the | ||
//game from randomly crashing on CARD access | ||
os_disable_scheduler(); | ||
//prevent BEEPing | ||
os_stopaudiosystem(); | ||
//use setdrawdone because the scheduler is | ||
//already disabled to prevent audio crashes | ||
gx_setdrawdone(); | ||
//enable interrupts for CARD access | ||
os_enable_interrupts(); | ||
//game id DOLX00 for boot.dol | ||
*(volatile u32*)0x80000000 = 0x444F4C58; | ||
*(volatile u16*)0x80000004 = 0x3030; | ||
sync_cache((void*)0x80000000, 6); | ||
//re-mount the memory card | ||
card_mountasync(0, (void*)0x81200000, (void*)0, (void*)0); | ||
int res; | ||
//we have interrupts enabled so we will | ||
//know when its not busy anymore luckily | ||
while((res = card_getres(0)) == -1) ; | ||
//open up boot.dol from memory card | ||
cInfo mInf; | ||
unsigned int boot_str[3]; boot_str[0] = 0x626F6F74; | ||
boot_str[1] = 0x2E646F6C; boot_str[2] = 0; | ||
card_open(0, ((char*)&boot_str), &mInf); | ||
u32 curOffset = 0; | ||
//copy until it returns error | ||
while(card_readasync(&mInf, (void*)0x80001800, 0x200, curOffset, (void*)0) == 0) | ||
{ | ||
int res; | ||
//we have interrupts enabled so we will | ||
//know when its not busy anymore luckily | ||
while((res = card_getres(0)) == -1) ; | ||
//this indirectly tells us the file is done | ||
if(res < 0) | ||
break; | ||
sync_cache((void*)0x80001800, 0x200); | ||
ar_dma(TO_ARAM, 0x1800, curOffset, 0x200); | ||
curOffset += 0x200; | ||
} | ||
//we are done | ||
card_close(&mInf); | ||
card_unmount(0); | ||
//not needed anymore | ||
os_disable_interrupts(); | ||
//copy our loader into mem | ||
_memcpy((void*)0x80001800, loader, loader_size); | ||
sync_cache((void*)0x80001800, loader_size); | ||
//jump to it | ||
__asm__ volatile( | ||
"lis 3, 0x8000\n" | ||
"ori 3, 3, 0x1800\n" | ||
"mtlr 3\n" | ||
"blr\n" | ||
); | ||
__builtin_unreachable(); | ||
} |
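Review bot: `_main` never checks the outcome of the CARD calls, so when the mount fails or `boot.dol` is absent it still copies the loader to 0x80001800 and branches to it with nothing written to ARAM: the first `card_getres` loop only waits for a value other than -1 and then ignores a negative result, and the return value of `card_open` — and with it whether `mInf` was ever filled in — is discarded before `card_readasync` is handed the struct. Guard the open with something like `if(res < 0 || card_open(0, ((char*)&boot_str), &mInf) != 0) for(;;) ;` so a missing or unreadable file hangs visibly instead of executing whatever happened to be in ARAM. Separately, `os_enable_interrupts`/`os_disable_interrupts` overwrite r3 with no clobber list, and neither they nor `sync_cache` declare a `"memory"` clobber; this only works because nothing gets inlined at `-O1`, so declare `: : : "r3", "memory"` (or load the MSR into a C variable) before a flags change breaks it. The `int res` declared inside the read loop also shadows the outer one and can be dropped.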
Binary file not shown.
@@ -0,0 +1,29 @@ | ||
// Copyright 2008-2009 Segher Boessenkool <segher@kernel.crashing.org> | ||
// GameCube Port Copyright 2016 FIX94 | ||
// This code is licensed to you under the terms of the GNU GPL, version 2; | ||
// see file LICENSE or http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt | ||
|
||
#define XSTR(x) #x | ||
#define ISTR(x) XSTR(x) | ||
|
||
.section .start,"ax" | ||
|
||
// Map Name string size, choose one that overflows stack | ||
.short 0x22C | ||
// Fill up Map Name | ||
.fill 0x228,1,'A' | ||
// Pointer to our code | ||
.long start | ||
// Further save info, not sure if needed | ||
.incbin "mapAfterName.bin" | ||
// Alignment | ||
.short 0 | ||
// Fill up so game does not interpret code below as 2nd save info | ||
.fill 0x4B0,1,0x00 | ||
|
||
start: | ||
// Disable interrupts | ||
mfmsr 3 ; rlwinm 3,3,0,17,15 ; mtmsr 3 | ||
|
||
// Go for it! | ||
b _main |
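Review bot: The overflow layout is built from two unrelated magic numbers — `.short 0x22C` for the length field and `.fill 0x228,1,'A'` for the padding — whose difference of 4 is exactly the `.long start` that follows, but nothing ties them together, so editing one without the other silently misplaces the pointer; define the length once with `.set MAPNAME_LEN, 0x22C` and write the padding as `.fill MAPNAME_LEN-4,1,'A'`. The comment above `.long start` should say which stack slot it presumably lands on (the saved return address of the routine that copies the map name, if that is indeed the target), since that is the one fact a future porter needs. `XSTR`/`ISTR` on the two `#define` lines are not used anywhere in this file, and the `// Alignment` above `.short 0` would be clearer if it named what is being aligned. The `.incbin "mapAfterName.bin"` deserves a comment recording which save the blob was cut from and at what offset, because "not sure if needed" is currently its only description.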