From 9aee8ab7c0ddf5cd24717fb2c0e61fc10b696263 Mon Sep 17 00:00:00 2001
From: chaoskagami <chaos.kagami@gmail.com>
Date: Thu, 9 Jun 2016 21:37:27 -0400
Subject: [PATCH] Apparently I had broken svcBackdoor back >50 commits (before
 stable-1) - so fix it (and temporarily remove extra functionality)

---
 source/patch/svc.c | 93 ++++++++++++++++------------------------------
 1 file changed, 32 insertions(+), 61 deletions(-)

diff --git a/source/patch/svc.c b/source/patch/svc.c
index 27b27ae..15df995 100644
--- a/source/patch/svc.c
+++ b/source/patch/svc.c
@@ -1,82 +1,53 @@
 #include "patch_file.h"
 
-// This code handles replacement of services. This includes backdoor, but not
-// just backdoor.
-// Any service can be replaced provided there's enough space within the
-// exception page.
+uint8_t *arm11Section1 = NULL;
+uint32_t *svc_tab_open = NULL, *exceptionsPage = NULL, *svcTable = NULL;
+int svc_offs_init = 0;
 
-// Please note that the actual code for services is in `external/service`.
-
-uint32_t *
-getSvcAndExceptions(uint8_t *pos, uint32_t size, uint32_t **exceptionsPage)
-{
-    uint8_t pattern[] = { 0x00, 0xB0, 0x9C, 0xE5 }; // cpsid aif
-
-    *exceptionsPage = (uint32_t *)memfind(pos, size, pattern, 4) - 0xB;
-
-    uint32_t svcOffset = (-(((*exceptionsPage)[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8;                             // Branch offset + 8 for prefetch
-    uint32_t *svcTable = (uint32_t *)(pos + *(uint32_t *)(pos + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); // SVC handler address
-    while (*svcTable)
-        svcTable++; // Look for SVC0 (NULL)
-
-    return svcTable;
-}
-
-uint32_t *freeSpace = NULL;
+// This code handles restoration of backdoor
 
 PATCH(services)
 {
-    // Make sure svcBackdoor is there.
-    uint8_t *arm11Section1 = (uint8_t *)firm_loc + firm_loc->section[1].offset;
-    uint32_t *exceptionsPage;
-    uint32_t *svcTable = getSvcAndExceptions(arm11Section1, firm_loc->section[1].size, &exceptionsPage);
-
-    fprintf(stderr, "Svc: table at %x\n", (uint32_t)svcTable);
-
-    char str[] = PATH_SVC "/00.bin";
-    char *at = str + (strlen(str) - 6);
-    // FIXME - This is really slow. Some way to optimize it?
-    for (uint32_t i = 0; i <= 0xf; i++) {
-        // Get string for svc.
-        at[0] = ("0123456789abcdef")[i];
-
-        for (uint32_t j = 0; j < 0xf; j++) {
-            uint32_t svc = (i << 4) & j; // Actual svc index.
+    if (svc_offs_init == 0) {
+        arm11Section1 = (uint8_t *)firm_loc + firm_loc->section[1].offset;
 
-            // Refuse to replace non-NULL services unless the user has it enabled.
-            // Also don't bother checking for non-null svc files (it's slow.)
-            if (svcTable[svc] && !config.options[OPTION_REPLACE_ALLOCATED_SVC])
-                continue;
+        uint8_t pattern[] = { 0x00, 0xB0, 0x9C, 0xE5 }; // cpsid aif
 
-            // This is just hexdump. Nothing complicated.
-            at[1] = ("0123456789abcdef")[j];
+        exceptionsPage = (uint32_t *)memfind(arm11Section1, firm_loc->section[1].size, pattern, 4) - 0xB;
 
-            FILE *data = fopen(str, "r");
-            if (!data)
-                continue; // No file for svc. Move on.
+        uint32_t svcOffset = (-(((exceptionsPage)[2] & 0xFFFFFF) << 2) & (0xFFFFFF << 2)) - 8; // Branch offset + 8 for prefetch
+        svcTable = (uint32_t *)(arm11Section1 + *(uint32_t *)(arm11Section1 + 0xFFFF0008 - svcOffset - 0xFFF00000 + 8) - 0xFFF00000); // SVC handler address
+        while (*svcTable)
+            svcTable++; // Look for SVC0 (NULL)
 
-            // TODO - We can just fread directly to freeSpace with a little reordering.
-
-            uint32_t size = fsize(data);
+        // Skip to free space
+        for (svc_tab_open = exceptionsPage; *svc_tab_open != 0xFFFFFFFF; svc_tab_open++)
+            ;
+        svc_offs_init = 1;
+    }
 
-            fprintf(stderr, "Svc: %s, %d bytes\n", at, size);
+    // Make sure svcBackdoor is there.
+    if (!svcTable[0x7B]) {
+        fprintf(stderr, "svc: 0x7B (backdoor) missing.\n");
 
-            if (!freeSpace)
-                for (freeSpace = exceptionsPage; *freeSpace != 0xFFFFFFFF; freeSpace++)
-                    ;
+        FILE *data = fopen(PATH_SVC "/7b.bin", "r");
+        uint32_t size = fsize(data);
 
-            fprintf(stderr, "Svc: Copy code to %x\n", (uint32_t)freeSpace);
+        fprintf(stderr, "Svc: 7b, %d bytes\n", size);
+        fprintf(stderr, "Svc: Copy code to %x\n", (uint32_t)svc_tab_open);
 
-            fread(freeSpace, 1, size, data);
+        fread(svc_tab_open, 1, size, data);
 
-            fclose(data);
+        fclose(data);
 
-            svcTable[svc] = 0xFFFF0000 + ((uint8_t *)freeSpace - (uint8_t *)exceptionsPage);
+        //		memcpy(svc_tab_open, svcbackdoor, sizeof(svcbackdoor));
+        svcTable[0x7B] = 0xFFFF0000 + ((uint8_t *)svc_tab_open - (uint8_t *)exceptionsPage);
 
-            freeSpace += size;
+        svc_tab_open += size;
 
-            fprintf(stderr, "Svc: entry set as %x\n", svcTable[svc]);
-        }
+        fprintf(stderr, "svc: Injected 0x7B.\n");
+    } else {
+        fprintf(stderr, "svc: No change needed.\n");
     }
 
     return 0;
-- 
2.39.5