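--[[
Zen X-Fi3 1.00.25e hacking
required argument (in order):
- path to firmware
- path to output firmware
- path to blob
- path to stub
]]--

-- What this script does: it redirects the firmware's IRQ vector (read from
-- irq_addr_pool) to a proxy that is assembled in place at proxy_addr.
-- Proxy layout, in write order:
--   [stub][save regs][blob][restore regs][branch to the original IRQ address]
-- The word at offset 4 of the blob section is overwritten with the stub's
-- address before the blob is copied in.

if #arg < 4 then
    -- The original message named the wrong device ("fuzep"); this file targets the Zen X-Fi3.
    error("not enough arguments to Zen X-Fi3 patcher")
end

-- Read the whole unnamed section of a loaded binary as raw bytes.
-- bin:  object returned by hwp.load_bin_file
-- info: result of hwp.section_info(bin, "") (fields .addr and .size)
local function read_section(bin, info)
    return hwp.read(bin, hwp.make_addr(info.addr, ""), info.size)
end

-- Both addresses are specific to firmware 1.00.25e (see header). Nothing below
-- verifies that arg[1] really is that version, nor that the finished proxy fits
-- in the region starting at proxy_addr; on any other image the writes land at
-- unrelated offsets, so confirm the input before running this.
local fw = hwp.load_file(arg[1])
local irq_addr_pool = hwp.make_addr(0x405916f0)
local proxy_addr = arm.to_arm(hwp.make_addr(0x40384674))

-- Remember where the IRQ pool currently points; the proxy branches back there.
local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))
print(string.format("Old IRQ address: %s", old_irq_addr))

-- Stub goes first in the proxy; its address is patched into the blob later.
local stub = hwp.load_bin_file(arg[4])
local stub_info = hwp.section_info(stub, "")
hwp.write(fw, proxy_addr, read_section(stub, stub_info))
local stub_addr = proxy_addr
proxy_addr = hwp.inc_addr(proxy_addr, stub_info.size)

-- Point the IRQ pool at the code that follows the stub.
hwp.write32(fw, irq_addr_pool, proxy_addr.addr)
print(string.format("New IRQ address: %s", proxy_addr))

-- Proxy entry: save registers, then advance 4 bytes past what was written.
arm.write_save_regs(fw, proxy_addr)
proxy_addr = hwp.inc_addr(proxy_addr, 4)

-- Blob: patch its second word with the stub address, then copy it in.
local blob = hwp.load_bin_file(arg[3])
local blob_info = hwp.section_info(blob, "")
hwp.write32(blob, hwp.make_addr(blob_info.addr + 4, ""), stub_addr.addr)
hwp.write(fw, proxy_addr, read_section(blob, blob_info))
proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)

-- Restore registers, again advancing 4 bytes.
arm.write_restore_regs(fw, proxy_addr)
proxy_addr = hwp.inc_addr(proxy_addr, 4)

-- Tail: branch back to the original IRQ handler. The boolean passed to
-- arm.make_branch and the trailing address given to arm.write_branch are kept
-- as in the original; their exact meaning is not visible here.
local branch_to_old = arm.make_branch(old_irq_addr, false)
arm.write_branch(fw, proxy_addr, branch_to_old, hwp.inc_addr(proxy_addr, 4))

-- Write the patched image to the output path.
hwp.save_file(fw, arg[2])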