/*
 * Stage 1.5 entry point: bring up the gelic LAN interface, receive a single
 * stage-2 image into a fixed receive buffer, copy it into its own allocation
 * and transfer control to it through a function descriptor.
 *
 * Returns 0 if the stage-2 call returns; on any failure it calls lv1_panic(0)
 * and returns -1. Nothing in this function checks the origin or integrity of
 * the received image before it is executed (review observation only).
 */
int main(void)
{
    int rc;

#ifdef DEBUG
    debug_init();
#endif
    DPRINTF("Stage 1.5 lan hello.\n");

    rc = gelic_init();
    if (rc != 0) {
        goto error;
    }

    /* Receive buffer at a fixed address; the original source carries a
     * commented-out alternative that used alloc(MAX_PAYLOAD_SIZE, 0x27). */
    u8 *rx_buf = (void *)MKA(0x700000);
    if (rx_buf == NULL) {
        goto error;
    }

    int rx_len = gelic_recv_data(rx_buf, MAX_PAYLOAD_SIZE);
    if (rx_len <= 0) {
        goto error;
    }
    DPRINTF("Receive data: %d\n", rx_len);

    /* Give the image its own allocation and make it visible to instruction
     * fetch before it is called. */
    u8 *image = alloc(rx_len, 0x27);
    if (image == NULL) {
        goto error;
    }
    memcpy(image, rx_buf, rx_len);
    clear_icache(image, rx_len);

    /* Scrub the receive buffer. It is not released: the dealloc call is
     * commented out in the original source. */
    memset(rx_buf, 0, rx_len);

    rc = gelic_deinit();
    if (rc != 0) {
        goto error;
    }
    /* mm_deinit() is commented out in the original and is not called. */

    /* Only .addr is set on the descriptor; the remaining fields (e.g. toc)
     * are left as in the original. */
    f_desc_t image_desc;
    image_desc.addr = image;
    DPRINTF("Calling stage2...\n");
    debug_end();
    void (*enter_image)(void) = (void *)&image_desc;
    enter_image();
    return 0;

error:
    lv1_panic(0);
    return -1;
}
/*
 * Startup trampoline that runs in place of the overwritten symbol. It writes
 * the saved original bytes back to overwritten_symbol, runs main(), and then
 * continues into the restored function with the original r3..r6 arguments,
 * returning whatever that function returns.
 *
 * The call goes through a hand-built f_desc_t (addr + toc), which presumably
 * matches the PowerPC64 function-descriptor layout — confirm against the
 * f_desc_t definition.
 */
int crt0(uint64_t r3, uint64_t r4, uint64_t r5, uint64_t r6)
{
    /* Put the original code back and drop any stale instruction lines. */
    memcpy((void *)overwritten_symbol, restore, sizeof(restore));
    clear_icache((void *)overwritten_symbol, sizeof(restore));

    /* Descriptor for the restored entry point; only addr and toc are set. */
    f_desc_t restored;
    restored.addr = (void *)overwritten_symbol;
    restored.toc = (void *)TOC;

    int (*continue_original)(uint64_t, uint64_t, uint64_t, uint64_t);
    continue_original = (void *)&restored;

    main();
    return continue_original(r3, r4, r5, r6);
}
/*
 * Hook body that runs in place of jump_to(): patches the kernel image,
 * restores the first 8 bytes of jump_to that the hook overwrote, then calls
 * the restored jump_to with the original arguments.
 *
 * Which 8 bytes to restore depends on the device: the string at
 * IBOOT_BASEADDR + 0x200 is searched for "n72ap". jump_to is incremented by
 * one before the call, presumably to set the Thumb bit — confirm against the
 * declaration of jump_to.
 */
void hooked(int flags, void *addr, int phymem)
{
    printf("Entered hooked jump_to function!!!\n");

    printf("Patching kernel\n");
    patch_kernel((void *)(LOADADDR - 0x1000000), 0xA00000);

    printf("Replace hooking code with original\n");
    const char *device_id = (const char *)(IBOOT_BASEADDR + 0x200);
    const char *original_prologue = strstr(device_id, "n72ap")
        ? "\xf0\xb5\x03\xaf\x04\x1c\x15\x1c"
        : "\x80\xb5\x00\xaf\x04\x46\x15\x46";
    memcpy(jump_to, original_prologue, 8);
    clear_icache();

    jump_to++;
    printf("Calling %p\n", jump_to);
    jump_to(flags, addr, phymem);
}
/*
 * Synchronise caches for the code range pc_start..pc_end (presumably after
 * instructions have been stored there). This implementation only calls
 * clear_icache() on the range; the flush_icache flag is part of the interface
 * but is not consulted here.
 */
void machine_cache_sync(void *pc_start, void *pc_end, bool flush_icache)
{
    (void)flush_icache; /* accepted for interface compatibility, unused */
    clear_icache(pc_start, pc_end);
}
/*
 * Make freshly stored instructions visible to execution: flush the data cache
 * (flush_dcache) and then clear the instruction cache (clear_icache), in that
 * order. Meant to be called once after the store(s), before the new code runs.
 */
static inline void cache_exec_after_store(void)
{
    flush_dcache();
    clear_icache();
}