Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 84 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
Tools/

*.bin
*.exe
*.xdb
*.xex
*.idb
*.elf

# Special files to include:
!Stage4_CleanHvData_Retail_17559.bin
!xke_update.bin
!update_data.bin

# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015 cache/options directory
.vs/

# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
# but not Directory.Build.rsp, as it configures directory-level build defaults
!Directory.Build.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.tlog
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

*.htm
/Stage3/ObjLink/ObjLink/Properties/launchSettings.json
188 changes: 188 additions & 0 deletions Common/BadUpdateExploit_Data.asm
Original file line number Diff line number Diff line change
@@ -0,0 +1,188 @@


#---------------------------------------------------------
# Temporary data we copy to some writable section of memory defined in the game config.
#---------------------------------------------------------

# Always ensure the data segment is aligned to a 16 byte boundary from the assembler's point
# of view or else the addresses calculated with EXPLOIT_DATA can be mismatched between files
# that use the data segment.
.align 4

_data_segment_start:

_hdd_symlink_mount_str:
.ascii "\\System??\\PAYLOAD:"
hdd_symlink_mount_str_length = . - _hdd_symlink_mount_str
.byte 0x00
.align 2

_hdd_symlink_path_str:
.ifdef DEBUG_BUILD
.ascii "\\Device\\Harddisk0\\Partition1\\BadUpdatePayload"
.else
.ascii "\\Device\\Mass0\\BadUpdatePayload"
.endif
hdd_symlink_path_str_length = . - _hdd_symlink_path_str
.byte 0x00
.align 2

_hdd_symlink_mount:
.short hdd_symlink_mount_str_length
.short hdd_symlink_mount_str_length + 1
.long hdd_symlink_mount_str

_hdd_symlink_path:
.short hdd_symlink_path_str_length
.short hdd_symlink_path_str_length + 1
.long hdd_symlink_path_str

_flash_symlink_mount_str:
.ascii "\\System??\\Flash:"
flash_symlink_mount_str_length = . - _flash_symlink_mount_str
.byte 0x00
.align 2

_flash_symlink_path_str:
.ascii "\\Device\\Flash"
flash_symlink_path_str_length = . - _flash_symlink_path_str
.byte 0x00
.align 2

_flash_symlink_mount:
.short flash_symlink_mount_str_length
.short flash_symlink_mount_str_length + 1
.long flash_symlink_mount_str

_flash_symlink_path:
.short flash_symlink_path_str_length
.short flash_symlink_path_str_length + 1
.long flash_symlink_path_str

_smc_command_buffer:
.fill 0x10, 1, 0x00

_second_stage_chain_address:
.long second_stage_chain_addressA

_second_stage_chain_size:
.long second_stage_max_size

_read_file_bytes_read:
.long 0x00000000

_load_add_store_scratch:
.long 0x00000000

_read_file_handle:
.long 0x00000000

_read_file_size:
.long 0x00000000

_read_file_scratch:
.long 0x00000000

_secondary_payload_file_path:
.ascii "PAYLOAD:\\BadUpdateExploit-2ndStage.bin"
.byte 0x00
.align 2

_pPayloadCipherText:
.long 0x00000000

_pPayloadCipherText2:
.long 0x00000000

_PayloadCipherTextPhysAddr:
.long 0x00000000

_pPayloadCipherTextSizeValue:
.long 0x00000000

_PayloadCipherTextSizeValuePhysAddr:
.long 0x00000000

_BootAnimCodePagePhysAddr:
.long 0x00000000

_memcpy_cipher_text_src_addr:
.long 0x00000000

_memcpy_cipher_text_dst_addr:
.long 0x00000000

_memcpy_cipher_text_scratch:
.long 0x00000000

_abOracleData:
.fill 0x10, 1, 0x00

_flash_bootanim_path:
.ascii "\\Device\\Flash\\GamerProfile.xex"
.byte 0x00
.align 2

_bootanim_module_handle:
.long 0x00000000

_CipherTextScratchBuffer:
.long 0x00000000

_pEncryptedVirtualAddress:
.long EncryptedVirtualAddress

_third_stage_payload_file_path:
.ascii "PAYLOAD:\\BadUpdateExploit-3rdStage.bin"
.byte 0x00
.align 2

# If the stack goes too low in XAM, it bugchecks (at least, I think that's what's going on...). So we use a hardcoded higher address.
_overwrite_loop_secondary_buffer_address:
.long overwrite_loop_secondary_buffer_address_hardcoded

_overwrite_loop_secondary_buffer_size:
.long secondary_overwrite_loop_max_size

_overwrite_loop_stack_address:
.long 0x00000000
.long 0x00000000

_overwrite_cipher_text_stack_address:
.long 0x00000000

_memcmp_if_call_ptr:
.long stack_pivot # gadget address for memcmp == 0
.long __restgprlr_30 # gadget address for memcmp != 0

_arithmetic_scratch1:
.long 0x00000000

_data_segment_ptr:
.long RuntimeDataSegmentAddress

_test_file_path:
.ascii "PAYLOAD:\\test.bin"
.byte 0x00
.align 2

_StatusToLedValues:
.long 0x00000000
.long 0x00000000

_new_task_attributes:
.long 0xA4280002
.long 0x00000005
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x00000000

_data_segment_end:


75 changes: 75 additions & 0 deletions Common/BadUpdateExploit_Data_h.asm
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@


#---------------------------------------------------------
# Header for the data segment, contains pre-calculated addresses for all runtime data.
#---------------------------------------------------------

.macro EXPLOIT_DATA sym
.set \sym, RuntimeDataSegmentAddress + (_\sym - _data_segment_start)
.endm

# Symlink data:
EXPLOIT_DATA hdd_symlink_mount_str
EXPLOIT_DATA hdd_symlink_path_str
EXPLOIT_DATA hdd_symlink_mount
EXPLOIT_DATA hdd_symlink_path

EXPLOIT_DATA flash_symlink_mount_str
EXPLOIT_DATA flash_symlink_path_str
EXPLOIT_DATA flash_symlink_mount
EXPLOIT_DATA flash_symlink_path

# Misc data:
EXPLOIT_DATA smc_command_buffer
EXPLOIT_DATA read_file_bytes_read
EXPLOIT_DATA load_add_store_scratch
EXPLOIT_DATA read_file_handle
EXPLOIT_DATA read_file_size
EXPLOIT_DATA read_file_scratch

EXPLOIT_DATA pPayloadCipherText
EXPLOIT_DATA pPayloadCipherText2
EXPLOIT_DATA PayloadCipherTextPhysAddr
EXPLOIT_DATA pPayloadCipherTextSizeValue
EXPLOIT_DATA PayloadCipherTextSizeValuePhysAddr
EXPLOIT_DATA abOracleData
EXPLOIT_DATA BootAnimCodePagePhysAddr

EXPLOIT_DATA memcpy_cipher_text_src_addr
EXPLOIT_DATA memcpy_cipher_text_dst_addr
EXPLOIT_DATA memcpy_cipher_text_scratch

EXPLOIT_DATA flash_bootanim_path
EXPLOIT_DATA bootanim_module_handle

EXPLOIT_DATA new_task_attributes

.set EncryptedVirtualAddress, 0x8D000000
EXPLOIT_DATA CipherTextScratchBuffer
EXPLOIT_DATA pEncryptedVirtualAddress

EXPLOIT_DATA arithmetic_scratch1

# Secondary payload data:
.set second_stage_max_size, 3 * 1024 * 1024 # 3MB max size
.set second_stage_offset, 0x300
EXPLOIT_DATA second_stage_chain_address
EXPLOIT_DATA second_stage_chain_size
EXPLOIT_DATA secondary_payload_file_path

.set secondary_overwrite_loop_max_size, 1 * 1024 * 1024 # 1MB max size
EXPLOIT_DATA overwrite_loop_secondary_buffer_address
EXPLOIT_DATA overwrite_loop_secondary_buffer_size
EXPLOIT_DATA overwrite_loop_stack_address
EXPLOIT_DATA overwrite_cipher_text_stack_address

EXPLOIT_DATA memcmp_if_call_ptr

# Third stage payload data:
.set third_stage_max_size, 0x00010000 # 64k max size
EXPLOIT_DATA third_stage_payload_file_path

# Misc debug data:
EXPLOIT_DATA data_segment_ptr
EXPLOIT_DATA test_file_path
EXPLOIT_DATA StatusToLedValues
Loading