summaryrefslogtreecommitdiffstats
path: root/utils/hwpatcher/zxfi2.lua
diff options
context:
space:
mode:
Diffstat (limited to 'utils/hwpatcher/zxfi2.lua')
-rw-r--r--utils/hwpatcher/zxfi2.lua50
1 files changed, 50 insertions, 0 deletions
diff --git a/utils/hwpatcher/zxfi2.lua b/utils/hwpatcher/zxfi2.lua
new file mode 100644
index 0000000000..fc3bdf800b
--- /dev/null
+++ b/utils/hwpatcher/zxfi2.lua
@@ -0,0 +1,50 @@
+--[[
+Zen X-Fi2 1.23.01e NAND hacking
+required argument (in order):
+- path to firmware
+- path to output firmware
+- path to blob
+- path to stub
+]]--
+
+if #arg < 4 then
+ error("not enough argument to fuzep patcher")
+end
+
+local fw = hwp.load_file(arg[1])
+local irq_addr_pool = hwp.make_addr(0x4035e154, "play")
+local proxy_addr = arm.to_arm(hwp.make_addr(0x402f06f8, "play"))
+-- read old IRQ address pool
+local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))
+print(string.format("Old IRQ address: %s", old_irq_addr))
+-- put stub at the beginning of the proxy
+local stub = hwp.load_bin_file(arg[4])
+local stub_info = hwp.section_info(stub, "")
+local stub_data = hwp.read(stub, hwp.make_addr(stub_info.addr, ""), stub_info.size)
+hwp.write(fw, proxy_addr, stub_data)
+local stub_addr = proxy_addr
+proxy_addr = hwp.inc_addr(proxy_addr, stub_info.size)
+-- modify irq
+hwp.write32(fw, irq_addr_pool, proxy_addr.addr)
+print(string.format("New IRQ address: %s", proxy_addr))
+-- in proxy, save registers
+arm.write_save_regs(fw, proxy_addr)
+proxy_addr = hwp.inc_addr(proxy_addr, 4)
+-- load blob
+local blob = hwp.load_bin_file(arg[3])
+local blob_info = hwp.section_info(blob, "")
+-- patch blob with stub address
+hwp.write32(blob, hwp.make_addr(blob_info.addr + 4, ""), stub_addr.addr)
+-- write it !
+local blob_data = hwp.read(blob, hwp.make_addr(blob_info.addr, ""), blob_info.size)
+hwp.write(fw, proxy_addr, blob_data)
+proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)
+-- restore registers
+arm.write_restore_regs(fw, proxy_addr)
+proxy_addr = hwp.inc_addr(proxy_addr, 4)
+-- branch to old code
+local branch_to_old = arm.make_branch(old_irq_addr, false)
+arm.write_branch(fw, proxy_addr, branch_to_old, hwp.inc_addr(proxy_addr, 4))
+-- save
+hwp.save_file(fw, arg[2])
+