Xbox 360 executable designed to apply freedom-unlocking patches based on xeBuild to the kernel and hypervisor. (Mirrored from https://github.com/FreeMyXe/FreeMyXe)

Add functioning devkit XEX patches, update translations

+115 -16
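--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 build/
 out/
 package/
+extras/LaunchDashlaunch
 *.exe
 *.xex
 *.dll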
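--- a/README.md
+++ b/README.md
@@ -76,7 +76,9 @@
 * French (Canadian) - by [needmorepaper](https://github.com/needmorepaper)
 * Portuguese (Portugal) - by [Animadoria](https://github.com/Animadoria)
 * Portuguese (Brazilian) - by [Xyozus](https://github.com/Xyozus)
+* Swedish - by [Tozzi89](https://github.com/Tozzi89)
 * German - by [tuxuser](https://github.com/tuxuser)
+* Italian - by [Razorbacktrack](https://github.com/Razorbacktrack)
 * Polish - by [chackAJMCPE](https://github.com/chackAJMCPE) and [DoruDoLasu](https://github.com/DoruDoLasu)
 * Russian - by [eversiege](https://github.com/eversiege) and [veselcraft](https://github.com/veselcraft)
 * Korean - by [Helloyunho](https://github.com/Helloyunho)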
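--- a/include/version.h
+++ b/include/version.h
@@ -1 +1 @@
-#define FREEMYXE_VERSION L"beta4"
+#define FREEMYXE_VERSION L"beta-dev"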
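--- a/source/FreeMyXe.c
+++ b/source/FreeMyXe.c
@@ -113,6 +113,26 @@
 L"Hypervisor \u548C\u5185\u6838\u5DF2\u88AB\u4FEE\u8865\uFF01\n\n\u4F60\u7684 CPU \u5BC6\u94A5\u662F\uFF1A\n%S\n\nFreeMyXe \u7684\u6E90\u4EE3\u7801\uFF1A\ngithub.com/FreeMyXe/FreeMyXe\n\n\u73A9\u5F97\u5F00\u5FC3\uFF01"
 };
 
+// translation provided by Tozzi89
+LocalisationMessages_t swedish = {
+L"Snart b\u00F6rjar patchning av hypervisor och k\u00E4rnan...\n\nDin CPU nyckel \u00E4r:\n%S\n\nSkriv ner och spara p\u00E5 s\u00E4kert st\u00E4lle!",
+L"OK",
+L"Jippi!!",
+L"Starta XeLL ist\u00E4llet",
+L"Kunde inte starta XeLL?! Vi tar och patchar hypervisor och k\u00E4rnan \u00E4nd\u00E5...",
+L"Hypervisor och k\u00E4rnan har blivit patchad!\n\nDin CPU nyckel \u00E4r:\n%S\n\nK\u00E4llkoden f\u00F6r FreeMyXe:\ngithub.com/FreeMyXe/FreeMyXe\n\nHa s\u00E5 kul!"
+};
+
+// translation provided by Razorbacktrack
+LocalisationMessages_t italian = {
+L"Sto per iniziare a patchare l'Hypervisor e il kernel...\n\nLa tua CPU Key \u00E8:\n%S\n\nScrivila e conservala accuratamente!",
+L"OK",
+L"Fantastico!",
+L"Avvia XeLL invece",
+L"Non riesco ad avviare XeLL?! Beh, patcher\u00F2 comunque l'Hypervisor e il kernel...",
+L"L'Hypervisor e il kernel sono stati patchati!\n\nLa tua CPU Key \u00E8:\n%S\n\nCodice sorgente di FreeMyXe:\ngithub.com/FreeMyXe/FreeMyXe\n\nDivertiti!"
+};
+
 LocalisationMessages_t *currentLocalisation = &english;
 
 static LPWSTR buttons[1] = {L"OK"};
@@ -164,15 +184,6 @@
 0x38, 0x80, 0x00, 0x07, 0x7C, 0x21, 0x20, 0x78, 0x7C, 0x35, 0xEB, 0xA6, 0x48, 0x00, 0x11, 0xC2
 };
 
-// the XEX key derivation patches for 17559
-static uint8_t xex_key_derivation_bytecode[] =
-{
-0x2B, 0x3C, 0x00, 0x00, 0x41, 0x9A, 0x00, 0x30, 0x2F, 0x03, 0x00, 0x00, 0x40, 0x9A, 0x00, 0x10,
-0x38, 0x80, 0x00, 0xF0, 0x48, 0x00, 0x00, 0x18, 0x60, 0x00, 0x00, 0x00, 0x2B, 0x1D, 0x00, 0x00,
-0x38, 0x9F, 0x04, 0x40, 0x40, 0x9A, 0x00, 0x08, 0x38, 0x80, 0x00, 0x54, 0x7F, 0x83, 0xE3, 0x78,
-0x4B, 0xFF, 0x65, 0xC1, 0x3B, 0xE0, 0x00, 0x00,
-};
-
 // dashlaunch loading kernel bytecode for 17559
 static uint8_t dashlaunch_loading_bytecode[176] =
 {
@@ -187,8 +198,47 @@
 0x41, 0x9A, 0x00, 0x0C, 0x7F, 0xFF, 0xFB, 0x78, 0x4B, 0xFF, 0xFF, 0xEC, 0x4B, 0xFF, 0xC4, 0x44,
 0x5C, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5C, 0x46, 0x6C, 0x61, 0x73, 0x68, 0x5C, 0x6C, 0x61,
 0x75, 0x6E, 0x63, 0x68, 0x2E, 0x78, 0x65, 0x78, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34, 0x56, 0x78,
-} ;
+};
+
+// devkit xex encryption key (LOL)
+static uint8_t devkit_xex_aes_key[] =
+{
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
 
+// devkit xex public key
+static uint8_t devkit_xex_pirs_public_key[] =
+{
+0x00, 0x00, 0x00, 0x20, // cqw
+0x00, 0x00, 0x00, 0x03, // dwPubExp
+0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // qwReserved
+// aqwM
+0xC9, 0x1C, 0x35, 0x77, 0xC8, 0xBF, 0xA0, 0x6B, 0x64, 0x2F, 0x4E, 0x6C, 0x73, 0x99, 0xAC, 0xE5,
+0x84, 0xE7, 0xAB, 0x2E, 0xE4, 0xDB, 0xAE, 0x1E, 0x3E, 0x06, 0x70, 0x62, 0x4A, 0xA2, 0xAD, 0x99,
+0xE1, 0x76, 0x70, 0x61, 0xE6, 0xBE, 0x93, 0x27, 0x6D, 0x5D, 0x97, 0xFD, 0x73, 0x30, 0x76, 0x3A,
+0xB8, 0x70, 0x5C, 0xC0, 0xBE, 0x8F, 0x1B, 0x3D, 0x4C, 0x5D, 0x85, 0x65, 0x98, 0x8C, 0x4C, 0x6B,
+0xCC, 0xBE, 0xD0, 0xC5, 0xA7, 0x43, 0xAA, 0x6C, 0x56, 0x91, 0x0F, 0xF8, 0xE8, 0xBD, 0x90, 0x4D,
+0xB8, 0xD9, 0xA3, 0xF1, 0x3B, 0x6E, 0x71, 0xDB, 0xB0, 0xE0, 0xF5, 0x1A, 0x8E, 0x80, 0x39, 0xC2,
+0x4E, 0x3A, 0x81, 0x42, 0xC5, 0x6E, 0xB9, 0x49, 0x44, 0xF4, 0x8D, 0xC5, 0x84, 0x51, 0xC8, 0x1B,
+0x7D, 0xBC, 0x45, 0x59, 0xD0, 0xE3, 0xF2, 0x97, 0xEF, 0xA0, 0x39, 0xEA, 0x1C, 0xF9, 0x48, 0x66,
+0x66, 0x4E, 0x8B, 0xD0, 0x22, 0xAB, 0xDB, 0x90, 0x1E, 0xBC, 0xD8, 0x3D, 0x91, 0xA7, 0x89, 0x7C,
+0x72, 0x07, 0xDA, 0x63, 0xAA, 0xF3, 0x3E, 0xED, 0xD5, 0x87, 0x66, 0x7B, 0xF2, 0x28, 0x9C, 0xB3,
+0x40, 0x54, 0x22, 0x65, 0x44, 0x10, 0x2A, 0xD2, 0xB0, 0x48, 0x4C, 0xF9, 0x9E, 0x6F, 0xA4, 0x76,
+0x9F, 0x18, 0xD0, 0x4D, 0xAD, 0xA5, 0x6E, 0xFC, 0x9E, 0xC2, 0xA4, 0xCF, 0xB3, 0xEC, 0xC8, 0x05,
+0xED, 0x8C, 0x08, 0xED, 0x25, 0x13, 0xCC, 0xBB, 0x16, 0x60, 0x1A, 0x8A, 0xC7, 0x4B, 0x68, 0x93,
+0x7F, 0x95, 0x27, 0x1A, 0xCC, 0x7B, 0xAC, 0x29, 0xD4, 0xB7, 0x41, 0x9B, 0x0A, 0x99, 0x60, 0x02,
+0xA6, 0xE9, 0xA7, 0xC2, 0x78, 0xF5, 0xC0, 0xB8, 0xBB, 0x9D, 0x88, 0x16, 0x71, 0x64, 0x81, 0x07,
+0x2C, 0x5B, 0x33, 0xE5, 0x1C, 0xFA, 0x00, 0x02, 0xD7, 0x49, 0x2F, 0x13, 0xB1, 0xC1, 0x7F, 0xBF
+};
+
+// shellcode that will decrypt devkit xexs with the devkit AES key
+static uint8_t devkit_xex_loading_shellcode[] =
+{
+0x2B, 0x3C, 0x00, 0x00, 0x41, 0x9A, 0x00, 0x30, 0x2F, 0x03, 0x00, 0x01, 0x40, 0x9A, 0x00, 0x10,
+0x38, 0x80, 0x00, 0xF0, 0x48, 0x00, 0x00, 0x18, 0x60, 0x00, 0x00, 0x00, 0x2B, 0x1D, 0x00, 0x00,
+0x38, 0x9F, 0x04, 0x40, 0x40, 0x9A, 0x00, 0x08, 0x38, 0x80, 0x00, 0x54, 0x7F, 0x83, 0xE3, 0x78,
+0x4B, 0xFF, 0x65, 0xC1, 0x3B, 0xE0, 0x00, 0x00,
+};
 
 // this doesn't work!
 void ApplyXeBuildPatches(uint8_t *patch_data)
@@ -334,6 +384,12 @@
 case XC_LANGUAGE_KOREAN:
 currentLocalisation = &korean;
 break;
+case XC_LANGUAGE_SWEDISH:
+currentLocalisation = &swedish;
+break;
+case XC_LANGUAGE_ITALIAN:
+currentLocalisation = &italian;
+break;
 case XC_LANGUAGE_PORTUGUESE:
 if (XGetLocale() == XC_LOCALE_BRAZIL)
 currentLocalisation = &brazilian_portuguese;
@@ -411,8 +467,8 @@
 WriteHypervisorUInt32(0x0002CAE8, LI(3, 0));
 HypervisorClearCache(0x0002CAE8);
 // XEX AES key derivation
-WriteHypervisor(0x00029B08, xex_key_derivation_bytecode, sizeof(xex_key_derivation_bytecode));
-HypervisorClearCache(0x00029B08);
+//WriteHypervisor(0x00029B08, xex_key_derivation_bytecode, sizeof(xex_key_derivation_bytecode));
+//HypervisorClearCache(0x00029B08);
 // HvxCreateImageMapping hash check patch
 WriteHypervisorUInt32(0x0002CAE8, LI(3, 0));
 HypervisorClearCache(0x0002CAE8);
@@ -436,6 +492,19 @@
 WriteHypervisorUInt32(0x0000813C, 0x48000030); // HvxKeysGetKey skip over key_flags check
 HypervisorClearCache(0x0000813C);
 
+DbgPrint("Writing XEX encryption patches...\n");
+// write the devkit keys
+WriteHypervisor(0x000000F0, devkit_xex_aes_key, sizeof(devkit_xex_aes_key));
+WriteHypervisor(0x0003F800, devkit_xex_pirs_public_key, sizeof(devkit_xex_pirs_public_key));
+// write the address of the devkit PIRS key at 0xE8
+WriteHypervisorUInt64(0xE8, 0x800001060003F800);
+// write the devkit key shellcode
+WriteHypervisor(0x00029B08, devkit_xex_loading_shellcode, sizeof(devkit_xex_loading_shellcode));
+WriteHypervisorUInt32(0x00029AFC, 0xE8C000E8); // set r6 in XeCryptSigVerify call to value of 0xE8
+WriteHypervisorUInt32(0x00029B04, 0x4BFF6B7D); // put the branch to XeCryptSigVerify back
+HypervisorClearCache(0x00029AFC);
+HypervisorClearCache(0x00029B08);
+
 DbgPrint("HV patched! Patching kernel\n");
 
 {
@@ -455,6 +524,11 @@
 WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnTrue);
 HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
 
+// patch XeCryptBnQwBeSigVerify
+XexGetProcedureAddress(hKernel, 358, &pdwFunction);
+WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnTrue);
+HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
+
 // patch UsbdIsDeviceAuthenticated
 XexGetProcedureAddress(hKernel, 745, &pdwFunction);
 WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnTrue);
@@ -519,9 +593,33 @@
 valTo = 0x4e80002000000000; // blr
 WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction) + 0x10, valTo);
 HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
+
+// XeKeysRevokeIsValid
+pdwFunction = (PDWORD)0x8010AF30;
+WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnTrue);
+HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
+
+// XeKeysRevokeIsRevoked
+pdwFunction = (PDWORD)0x8010B0E8;
+WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnZero);
+HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
+
+// _XeKeysRevokeIsRevoked
+pdwFunction = (PDWORD)0x8010B278;
+WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnZero);
+HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
+
+// XeKeysRevokeConvertError
+pdwFunction = (PDWORD)0x8010B3F8;
+WriteHypervisorUInt64_RMCI(MmGetPhysicalAddress(pdwFunction), returnZero);
+HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
 }
 
-// flush the tlb so we can write to data segments now
+DbgPrint("Removing BadUpdate POST syscall...\n");
+SetUsingFreeboot(1);
+WriteHypervisorUInt32(0x00015FD0 + (0xD * 4), 0x00002540);
+
+// flush the tlb so we can write to rdata and text segments now
 KeFlushEntireTb();
 
 DbgPrint("Applying XAM patches...\n");
@@ -542,8 +640,6 @@
 
 // syslink ping patch - 30ms check in CXnIp::IpRecvKeyExXbToXb
 POKE_32(0x81754230, NOP);
-
-//ApplyXeBuildPatches(xebuild_17559_hvkern_patchset);
 
 DbgPrint("Done\n");
 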
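Review bot: The result of `XexGetProcedureAddress(hKernel, 358, &pdwFunction)` in the new XeCryptBnQwBeSigVerify block is never checked before `MmGetPhysicalAddress(pdwFunction)` is written through, so if the ordinal lookup fails and (presumably) leaves the out-parameter untouched, pdwFunction still holds the address from the block just above it and that function is overwritten a second time with `returnTrue`; test the return value against the SDK's documented success value and skip the write on failure, as every lookup in this block should. The enclosing block starts and ends outside this hunk. The fixed kernel addresses added for the XeKeysRevoke* routines (`0x8010AF30`, `0x8010B0E8`, `0x8010B278`, `0x8010B3F8`) carry no note of which kernel build they were taken from, unlike the bytecode arrays above marked "for 17559"; a comment such as `// fixed addresses for kernel 17559 — verify against any other build before patching` would record the assumption where the next maintainer will look. The XEX AES key derivation hunk also leaves two commented-out calls that name `xex_key_derivation_bytecode`, which this commit deletes; dropping those two lines rather than commenting them out keeps the file free of references to a removed symbol.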