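/*
 * cmd_rdboot: shell command that locates the jump_to routine inside the
 * image at TARGET_BASEADDR and overwrites its first 8 bytes so that control
 * is transferred to hooked() instead.
 *
 * argc/argv: command-line tokens; the command takes no arguments.
 * Returns 0 in every case (usage error, pattern not found, success) — the
 * caller cannot tell the outcomes apart except through the printed messages.
 *
 * Side effects: writes the global jump_to and patches memory in place.
 */
int cmd_rdboot(int argc, CmdArg* argv) {
    void (*hooker)(int flags, void* addr, void* phymem) = &hooked;

    if (argc != 1) {
        puts("usage: rdboot\n");
        return 0;
    }

    // Two known byte patterns for the start of jump_to; the "n72ap" string
    // near the image header selects which one applies (presumably a board
    // identifier; assumes the string at +0x200 is NUL-terminated — confirm).
    if (strstr((char*) (TARGET_BASEADDR + 0x200), "n72ap")) {
        jump_to = patch_find(TARGET_BASEADDR, 0x30000, "\xf0\xb5\x03\xaf\x04\x1c\x15\x1c", 8);
    } else {
        // 80 B5 00 AF 04 46 15 46
        jump_to = patch_find(TARGET_BASEADDR, 0x30000, "\x80\xb5\x00\xaf\x04\x46\x15\x46", 8);
    }

    // patch_find may come back empty; writing through NULL below would fault,
    // so bail out and leave the image untouched.
    if (jump_to == NULL) {
        puts("jump_to pattern not found; image left unmodified\n");
        return 0;
    }
    printf("Found jump_to function at %p\n", jump_to);

    // 4 bytes of trampoline code followed by a 4-byte target address. The
    // width is fixed at 4 because the patched image is 32-bit; sizeof hooker
    // would differ on a 64-bit build of this tool.
    memcpy(jump_to, "\x00\x4b\x98\x47", 4);
    memcpy((unsigned char*) jump_to + 4, &hooker, 4);
    // %p with a void* cast: passing a function pointer to %x is undefined.
    printf("Hooked jump_to function to call %p\n", (void*) hooker);

    // call address
    printf("Calling bootx\n");
    return 0;
}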
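/*
 * find_jump_to: locate the jump_to routine in the image at TARGET_BASEADDR.
 *
 * Returns the matched address plus one (presumably the odd address marks a
 * Thumb entry point — confirm against the callers), or NULL when neither
 * byte pattern is found. The original unconditionally incremented the
 * result, turning a NULL miss into the bogus pointer (void*)1; this mirrors
 * the NULL handling in find_malloc instead.
 */
void* find_jump_to(void) {
    const char* pattern;

    // Select the pattern by firmware variant; "n72ap" is presumably a board
    // identifier (assumes the string at +0x200 is NUL-terminated — confirm).
    if (strstr((char*) (TARGET_BASEADDR + 0x200), "n72ap")) {
        pattern = "\xf0\xb5\x03\xaf\x04\x1c\x15\x1c";
    } else {
        pattern = "\x80\xb5\x00\xaf\x04\x46\x15\x46";
    }

    void* hit = patch_find(TARGET_BASEADDR, 0x40000, pattern, 8);
    if (hit == NULL) {
        return NULL;
    }
    return (unsigned char*) hit + 1;
}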
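/*
 * cmd_fsboot: shell command that hooks jump_to in the image at
 * IBOOT_BASEADDR (same trampoline as cmd_rdboot), locates the fsboot
 * routine if the global fsboot is still unset, and then calls it.
 *
 * argc/argv: command-line tokens; the command takes no arguments.
 * Returns 0 in every case; a failed pattern search is reported on stdout
 * and leaves the image unmodified. If fsboot() does transfer control
 * elsewhere, this function may never return.
 *
 * Side effects: writes the globals jump_to and fsboot, patches memory in
 * place, and invokes fsboot().
 */
int cmd_fsboot(int argc, CmdArg* argv) {
    void (*hooker)(int flags, void* addr, void* phymem) = &hooked;

    if (argc != 1) {
        puts("usage: fsboot\n");
        return 0;
    }

    // strstr on the image header string assumes it is NUL-terminated — confirm.
    const char* header = (char*) (IBOOT_BASEADDR + 0x200);

    // search for jump_to function
    if (strstr(header, "n72ap")) {
        jump_to = patch_find(IBOOT_BASEADDR, 0x30000, "\xf0\xb5\x03\xaf\x04\x1c\x15\x1c", 8);
    } else {
        // 80 B5 00 AF 04 46 15 46
        jump_to = patch_find(IBOOT_BASEADDR, 0x30000, "\x80\xb5\x00\xaf\x04\x46\x15\x46", 8);
    }
    // Writing through a NULL result would fault; stop before touching memory.
    if (jump_to == NULL) {
        puts("jump_to pattern not found; image left unmodified\n");
        return 0;
    }
    printf("Found jump_to function at %p\n", jump_to);

    // 4 bytes of trampoline code followed by a 4-byte target address; the
    // width is fixed at 4 because the patched image is 32-bit.
    memcpy(jump_to, "\x00\x4b\x98\x47", 4);
    memcpy((unsigned char*) jump_to + 4, &hooker, 4);
    // %p with a void* cast: passing a function pointer to %x is undefined.
    printf("Hooked jump_to function to call %p\n", (void*) hooker);

    // fsboot is cached across invocations; only search on the first call.
    if (fsboot == NULL) {
        if (strstr(header, "n72ap")) {
            fsboot = patch_find(IBOOT_BASEADDR, 0x30000, "\xf0\xb5\x03\xaf\x11\x48", 6);
        } else if (strstr(header, "k66ap")) {
            fsboot = patch_find(IBOOT_BASEADDR, 0x30000, "\xf0\xb5\x03\xaf\x81\xb0", 6);
        } else {
            fsboot = patch_find(IBOOT_BASEADDR, 0x30000, "\xb0\xb5\x02\xaf\x11\x48", 6);
        }
        // A miss leaves fsboot NULL; calling it below would jump to address 0.
        if (fsboot == NULL) {
            puts("fsboot pattern not found; not calling\n");
            return 0;
        }
        printf("Found fsboot function at %p\n", fsboot);
    }

    // call address
    printf("Calling %p\n", fsboot);
    fsboot();
    return 0;
}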
/*
 * find_malloc: search the image at TARGET_BASEADDR for the byte pattern
 * that begins the malloc routine.
 *
 * Returns the matched address plus one (presumably the odd address marks a
 * Thumb entry point — confirm against the callers), or NULL when the
 * pattern is not present.
 */
void* find_malloc(void) {
    void* hit = patch_find(TARGET_BASEADDR, 0x40000, "\x80\xB5\x00\xAF\x01\x21\x00\x22", 8);
    return hit ? (void*) ((unsigned char*) hit + 1) : NULL;
}