From 9726341710dd2609091da267531dd09c0a4e117e Mon Sep 17 00:00:00 2001
From: scilor
Date: Mon, 19 Apr 2021 21:50:11 +0200
Subject: [PATCH] Update patches for 3.1.0 (WIP, crashes)
---
.../bootmanager/sd/revvox/boot/ngCfg.json | 4 +-
.../sd/revvox/boot/patch/blockCheck.310.json | 11 ++++
.../boot/patch/blockCheckRemove.310.json | 12 ++++
.../sd/revvox/boot/patch/enableWeb.310.json | 56 +++++++++++++++++++
.../revvox/boot/patch/enableWeb.dev.310.json | 56 +++++++++++++++++++
.../sd/revvox/boot/patch/noHide.308.json | 21 ++++++-
.../sd/revvox/boot/patch/noHideA.308.json | 9 ++-
.../sd/revvox/boot/patch/noPass3.305.json | 8 +--
.../sd/revvox/boot/patch/noPrivacy.310.json | 11 ++++
.../bootmanager/sd/revvox/boot/patch/swd.json | 11 +++-
.../sd/revvox/boot/patch/uidCheck.307.json | 6 +-
wiki/OFWPatches.md | 6 +-
12 files changed, 188 insertions(+), 23 deletions(-)
create mode 100644 sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json
create mode 100644 sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json
create mode 100644 sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.310.json
create mode 100644 sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.dev.310.json
create mode 100644 sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json
diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json
index cf2ed0ee..c57ecdb0 100644
--- a/sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json
+++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/ngCfg.json
@@ -29,14 +29,14 @@ "watchdog": true, "ofwFix": true, "ofwSimBL": true, - "patches": ["blockCheck.307", "blockCheckRemove.308", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"] + "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"] }, "ofw3": { "checkHash": true, "hashFile": false, "watchdog": true, "ofwFix": true, - "patches": ["blockCheck.307", "blockCheckRemove.308", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"] + "patches": ["blockCheck.310", "blockCheckRemove.310", "noCerts.305", "noChargWake.305", "noHide.308", "noPass3.305", "noPrivacy.305", "uidCheck.307"] }, "cfw1": { "checkHash": false, diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json new file mode 100644 index 00000000..9ce92b22 --- /dev/null +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json @@ -0,0 +1,11 @@ +{ + "general": { + "_desc": "Removes check for tag blocks count > 8", + "_memPos": "3.1.0=0x1B23E", + "_fwVer": "3.1.0" + }, + "searchAndReplace": [{ + "search": ["e7", "f7", "75", "fb", "48", "45", "4f", "f0", "06", "00", "08", "bf", "08", "26"], + "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "26", "00"] + }] +} \ No newline at end of file diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json new file mode 100644 index 00000000..702d0282 --- /dev/null +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json 
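Review bot: Both default `patches` lists (the slot whose opening line is above the hunk, and `ofw3`) now name only `blockCheck.310` and `blockCheckRemove.310`, which are marked `_fwVer` 3.1.0, so a box still running 3.0.7 or 3.0.8 original firmware would presumably lose both tag patches after this update. The commit title also says the 3.1.0 set still crashes, which makes it a risky default. The lists keep `noPrivacy.305` although this commit adds `noPrivacy.310.json`; if the 3.0.5 pattern no longer matches on 3.1.0, tags would silently go back into privacy mode. Consider keeping the 307/308 entries until the 3.1.0 set is stable, or listing both generations if the patcher skips patterns that do not match (not visible here).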
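Review bot: The first four search bytes in blockCheck.310.json, `e7 f7 75 fb`, look like a Thumb-2 `bl` with its relative offset baked in, so the pattern can only match this one 3.1.0 build; the same holds for `e7 f7 d7 fb` in blockCheckRemove.310.json and `f2 f7 f4 ff` in noPrivacy.310.json. This commit already loosens the equivalent bytes in noHide.308.json to `"??", "f7", "??", "??"`, and doing the same here would avoid a new copy of each file per firmware release. The `_memPos` metadata is also written two ways in the new files (`"3.1.0=0x1B23E"` here, separate `_memPos` and `_memPosFw` keys in blockCheckRemove.310.json); pick one form. The file ends without a trailing newline, which swd.json fixes for itself in this same commit.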
@@ -0,0 +1,12 @@
+{
+ "general": {
+ "_desc": "Allows tags with block count <8",
+ "_memPos": "0x1B16A",
+ "_memPosFw": "3.1.0",
+ "_fwVer": "3.1.0"
+ },
+ "searchAndReplace": [{
+ "search": ["e7", "f7", "d7", "fb", "09", "9a", "06", "46", "03", "46", "00", "28"],
+ "replace": ["00", "20", "00", "bf", "??", "??", "??", "??", "??", "??", "??", "??"]
+ }]
+}
diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.310.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.310.json
new file mode 100644
index 00000000..fb31b1dd
--- /dev/null
+++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.310.json
@@ -0,0 +1,56 @@
+{
+ "general": {
+ "_desc": "Enable Webinterface without going into AP Mode",
+ "_memPos": "",
+ "_fwVer": "3.1.0"
+ },
+ "positions": [{
+ "_id": 0,
+ "_name": "Prepare/CloseWifiConfigOnDoubleEar?",
+ "_fwVer": "3.1.0",
+ "offset": 0,
+ "search": ["10", "b5", "04", "46", "1e", "f0", "1e", "fd", "02", "46"]
+ }, {
+ "_id": 1,
+ "_name": "SetTonieMode/BluePulse",
+ "_fwVer": "3.0.5+",
+ "offset": 0,
+ "search": ["70", "b5", "14", "4e", "14", "4a", "0d", "46", "31", "68", "52", "f8", "20", "30", "52", "f8", "21", "20", "12", "49", "04", "46", "41", "f2", "fb", "70"]
+ }],
+ "searchAndReplace": [{
+ "_desc": "Keep in WiFi in ROLE_STA instead of switching to ROLE_AP",
+ "_memPos": "3.1.0=0x2163E",
+ "_fwVer": "3.1.0",
+ "search": [
+ "00", "2b", "0c", "db", "02", "20"
+ ],
+ "replace": [
+ "??", "??", "??", "??", "00", "??"
+ ]
+ },{
+ "_desc": "Disable check on SlDrvCmd result",
+ "_fwVer": "3.0.5+",
+ "search": [
+ "00", "2b", "06", "db"
+ ],
+ "replace": [
+ "??", "??", "00", "bf"
+ ]
+ },{
+ "_desc": "Branch to tonie mode (instead of blue pulsing)",
+ "_fwVer": "3.0.8+",
+ "search": [
+ "10", "21",
+ "06", "20",
+ "??", "f7", "??", "??",
+ "??", "??"
+ ],
+
+ "replace": [
+ "??", "??",
+ "??", "??",
+ "??", "??", "??", "??",
+ "06", "e0"
+ ]
+ }]
+}
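Review bot: The second `searchAndReplace` entry in enableWeb.310.json matches on only four bytes, `00 2b 06 db` (a compare with zero followed by a short conditional branch), which is likely to occur in many places in the image, and nothing in the file ties it to the two `positions` entries defined above it. If the patcher rewrites the first or every occurrence (its behaviour is not visible here), the `00 bf` replacement can land in unrelated code, which may be behind the crashes the commit title mentions; extend the pattern with surrounding fixed bytes or anchor it to a position. Going by the descriptions, this patch keeps the box's web interface up while it is joined to the home network rather than only on its own access point, so `general._desc` should say that the interface becomes reachable from the whole WLAN and whether it asks for any authentication. The first entry's `_desc` has a stray word and should read `"Keep WiFi in ROLE_STA instead of switching to ROLE_AP"`.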
diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.dev.310.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.dev.310.json
new file mode 100644
index 00000000..1cea1796
--- /dev/null
+++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/enableWeb.dev.310.json
@@ -0,0 +1,56 @@
+{
+ "general": {
+ "_desc": "Enable Webinterface without going into AP Mode",
+ "_memPos": "",
+ "_fwVer": "3.1.0"
+ },
+ "positions": [{
+ "_id": 0,
+ "_name": "Prepare/CloseWifiConfigOnDoubleEar?",
+ "_fwVer": "3.1.0",
+ "offset": 0,
+ "search": ["10", "b5", "04", "46", "1e", "f0", "1e", "fd", "02", "46"]
+ }, {
+ "_id": 1,
+ "_name": "SetTonieMode/BluePulse",
+ "_fwVer": "3.0.5+",
+ "offset": 0,
+ "search": ["70", "b5", "14", "4e", "14", "4a", "0d", "46", "31", "68", "52", "f8", "20", "30", "52", "f8", "21", "20", "12", "49", "04", "46", "41", "f2", "fb", "70"]
+ }],
+ "searchAndReplace": [{
+ "_desc": "Keep in WiFi in ROLE_STA instead of switching to ROLE_AP",
+ "_memPos": "3.1.0=0x2163E",
+ "_fwVer": "3.1.0",
+ "search": [
+ "00", "2b", "0c", "db", "02", "20"
+ ],
+ "replace": [
+ "??", "??", "??", "??", "00", "??"
+ ]
+ },{
+ "_desc": "Disable check on SlDrvCmd result",
+ "_fwVer": "3.0.5+",
+ "search": [
+ "00", "2b", "06", "db"
+ ],
+ "replace": [
+ "??", "??", "00", "bf"
+ ]
+ },{
+ "_desc": "Branch to tonie mode (instead of blue pulsing)",
+ "_fwVer": "3.0.8+",
+ "search": [
+ "10", "21",
+ "06", "20",
+ {"asm":{"instr": "bl", "param":"p1", "length": 4}},
+ "??", "??"
+ ],
+
+ "replace": [
+ "??", "??",
+ "??", "??",
+ "??", "??", "??", "??",
+ "06", "e0"
+ ]
+ }]
+}
diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHide.308.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHide.308.json
index 86829310..427acf01 100644
--- a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHide.308.json
+++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHide.308.json
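Review bot: enableWeb.dev.310.json repeats enableWeb.310.json except for one search element, `{"asm":{"instr": "bl", "param":"p1", "length": 4}}`, and nothing in `_desc` says what differs or which variant a user should load. With that object the last `search` array has seven elements while `replace` still has ten byte entries, so the two only line up if the patcher expands the object to `length` bytes; worth confirming, since a shift would put `06 e0` over the wrong halfword. `p1` presumably refers to the position with `_id` 1, which the entry should state, e.g. `"_desc": "Dev variant: requires the bl to target position 1 (SetTonieMode/BluePulse)"`. The four-byte `00 2b 06 db` pattern is carried over from the release file with the same risk of matching unrelated code.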
@@ -2,10 +2,25 @@ "general": { "_desc": "Do not hide files, if they are marked as deprecated from server. Breaks updating tonie (creative/live) content.", "_memPos": "", - "_fwVer": "3.0.8" + "_fwVer": "3.0.8+" }, + "positions": [{ + "_id": 0, + "_name": "f_chmod_hide", + "offset": 0, + "search": ["f0", "b5", "8f", "b0", "0e"] + }], "searchAndReplace": [{ - "search": ["01", "21", "1c", "a8", "fc", "f7", "77", "fa"], - "replace": ["??", "??", "??", "??", "00", "bf", "00", "bf"] + "search": [ + "01", "21", + "1c", "a8", + "??", "f7", "??", "??" + ], + "replace": [ + "??", "??", + "??", "??", + "00", "bf", "00", "bf" + ] }] } + diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHideA.308.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHideA.308.json index 4f6013cc..729a3614 100644 --- a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHideA.308.json +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noHideA.308.json @@ -1,12 +1,11 @@ { "general": { "_desc": "Always unhides files (instead of hiding them)", - "_memPos": "", - "_fwVer": "3.0.8" + "_memPos": "3.0.8=0x142DC, 3.1.0=0x16ED2", + "_fwVer": "3.0.8+" }, "searchAndReplace": [{ - "search": ["00", "29", "14", "bf", "02", "27", "00", "27"], - "replace": ["??", "??", "??", "??", "00", "??", "??", "??"] + "search": ["14", "bf", "02", "27", "00", "27"], + "replace": ["??", "??", "00", "??", "??", "??"] }] } - diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json index 3b327720..e478ab06 100644 --- a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json 
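Review bot: After wildcarding the branch bytes in noHide.308.json, the `search` array fixes only `01 21 1c a8` plus the `f7` of the call, so any call preceded by those two instructions now matches, not just the call to the hide routine. The new `positions` entry `f_chmod_hide` is not referenced by the pattern, and its own search is five bytes of what looks like a function prologue. If the `asm` matcher used in enableWeb.dev.310.json is available in the release patcher, binding the call to that position would restore the lost specificity, presumably as `{"asm":{"instr": "bl", "param":"p0", "length": 4}}` in place of `"??", "f7", "??", "??"`. The noHideA.308.json hunk on the same line shortens its pattern to six bytes and needs the same uniqueness check on each firmware listed in its `_memPos`.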
@@ -8,22 +8,22 @@ "_id": 0, "_name": "rfidFieldRegisterSet?", "offset": 0, - "search": ["73", "b5", "11", "4d", "2a", "78"] + "search": ["??", "b5", "11", "??", "??", "78", "2a", "b9", "??", "??", "??", "??", "4f", "f4", "a9", "50"] },{ "_id": 1, "_name": "rfidReset?", "offset": 0, - "search": ["73", "b5", "2f", "4e", "33", "78"] + "search": ["??", "b5", "??", "??", "??", "78", "??", "46", "33", "b1", "00", "22"] },{ "_id": 2, "_name": "bne LAB_AfterPwSuccess", "offset": 4, - "search": ["05", "28", "04", "46"], + "search": ["05", "28", "??", "46"], "deasmAddress": true }], "searchAndReplace": [{ "search": ["4f", "f0", "??", "31", "??", "aa", "00", "20", "??", "91", "??", "??", "??", "??", "05", "28", - "04", "46", "??", "d1", + "??", "46", "??", "d1", "??", "49", "??", "48", "??", "??", "??", "??"], diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json new file mode 100644 index 00000000..286790a5 --- /dev/null +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json @@ -0,0 +1,11 @@ +{ + "general": { + "_desc": "Removes ENABLE PRIVACY to keep the tags readable", + "_memPos": "3.1.0=0x1B2BC", + "_fwVer": "3.1.0" + }, + "searchAndReplace": [{ + "search": ["11", "21", "38", "46", "8d", "f8", "76", "90", "f2", "f7", "f4", "ff"], + "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf"] + }] +} diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/swd.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/swd.json index be16d1c2..56ffa7ee 100644 --- a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/swd.json +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/swd.json 
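Review bot: Position 2 (`bne LAB_AfterPwSuccess`) in noPass3.305.json now searches for `05 28 ?? 46`, three fixed bytes, and because it sets `deasmAddress` a wrong match would presumably feed a wrong branch target into the replacement. The `searchAndReplace` pattern below already expects the conditional branch directly after these bytes, so including it narrows the match while keeping `offset` 4 valid: `"search": ["05", "28", "??", "46", "??", "d1"],`. The `searchAndReplace` entry continues past the end of the hunk, so the replace side was not checked here.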
@@ -5,7 +5,12 @@ "_fwVer": "" }, "searchAndReplace": [{ - "search": ["0b", "2d", "04", "f1", "0c", "04", "ee", "d1", "a8", "4d", "2b", "68", "4f", "f4", "87", "64", "43", "f0", "02", "03", "2b", "60", "01", "21", "0f", "20", "??", "??", "??", "??", "23", "68", "40", "f2", "14", "47", "9b", "6a", "08", "21", "12", "20", "98", "47"], - "replace": ["0a", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "00", "bf"] + "_desc": "Skip last iteration", + "search": ["01", "??", "0b", "??", "??", "f1", "0c", "??", "ee", "d1"], + "replace": ["??", "??", "0a", "??", "??", "??", "??", "??", "??", "??"] + }, { + "_desc": "NOP call ROMAPI", + "search": ["08", "21", "12", "20", "98", "47"], + "replace": ["??", "??", "??", "??", "00", "bf"] }] -} \ No newline at end of file +} diff --git a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/uidCheck.307.json b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/uidCheck.307.json index 3e531c1c..89353ae5 100644 --- a/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/uidCheck.307.json +++ b/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/uidCheck.307.json 
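Review bot: Splitting the former 44-byte pattern in swd.json into two independent entries removes the anchoring between them: `08 21 12 20 98 47` is six bytes and the first entry has six fixed bytes out of ten, so either can match elsewhere, or only one of the two can match. If the patcher applies entries independently (not visible here), a half-applied patch would change the loop bound without removing the call, or the reverse. The new `_desc` values say what is changed but not why; going by the file name this patch presumably keeps the SWD debug port usable, which leaves hardware debug access open on the patched box. The `general` block, where `_fwVer` is still empty, should state that purpose and the firmware versions the patterns were checked against.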
@@ -1,11 +1,11 @@ { "general": { "_desc": "Removes UID validation (E0 04 03) to allow SLIX and SLIX2 tags", - "_memPos": "", + "_memPos": "3.0.7=0xB7B4, 3.0.8=0x1F28, 3.1.0=0x194A0", "_fwVer": "3.0.7+" }, "searchAndReplace": [{ - "search": ["bd", "f8", "42", "20", "4e", "f2", "04", "03", "9a", "42", "40", "f0", "??", "80", "9d", "f8", "41", "30", "03", "2b", "40", "f0", "??", "80"], - "replace": ["??", "??", "??", "??", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf"] + "search": ["9a", "42", "40", "f0", "??", "80", "9d", "f8", "??", "30", "03", "2b", "40", "f0", "??", "??"], + "replace": ["??", "??", "00", "bf", "00", "bf", "??", "??", "??", "??", "??", "??", "00", "bf", "00", "bf"] }] } diff --git a/wiki/OFWPatches.md b/wiki/OFWPatches.md index 81c3dd23..ac9c3e48 100644 --- a/wiki/OFWPatches.md +++ b/wiki/OFWPatches.md 
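Review bot: The `_memPos` entry `3.0.8=0x1F28` in uidCheck.307.json is far below the other two addresses (`0xB7B4` and `0x194A0`) and may be missing a digit; re-check it against the 3.0.8 image. The shortened `search` drops `4e f2 04 03`, bytes that look like they load the constant the UID prefix is compared against, so the pattern now identifies the site only by its compare-and-branch shape. Confirm it still matches exactly once on each of 3.0.7, 3.0.8 and 3.1.0, because a second match would remove two conditional branches somewhere else in the firmware.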
@@ -8,10 +8,10 @@ This patch clears the paths to the certificates. This way the box will abort the ## Alternative Tags (SLIX / SLIX2) If you want to use alternative tags those patches will help you. Even other iso15693 tags may work. -### Block count >8 ([blockCheck.307.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.307.json)) +### Block count >8 ([blockCheck.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.310.json) / [blockCheck.307.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheck.307.json)) Usally the toniebox checks if the tag has exactly 8 blocks. The check allows the tag to have more than that. (ex. SLIX or SLIX2) -### Block count <=8 ([blockCheckRemove.308.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.308.json)) +### Block count <=8 ([blockCheckRemove.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.310.json) / [blockCheckRemove.308.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/blockCheckRemove.308.json)) Usally the toniebox checks if the tag has exactly 8 blocks. The check allows the tag to have less than that. ### No privacy password ([noPass3.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPass3.305.json)) 
@@ -38,7 +38,7 @@ Usally the toniebox sets the file attribute hidden of the tonie file for all liv ### Disable charger wakeup ([noChargWake.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noChargWake.305.json)) The toniebox won't wakeup anymore if it is put onto the charger. ***Attention, this patch is only working if you disconnect the battery for a second before loading the patched ofw. If you start the unpatched ofw once, you will have to disconnect the battery again*** -### Disable privacy mode ([noPrivacy.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.305.json)) +### Disable privacy mode ([noPrivacy.310.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.310.json) / [noPrivacy.305.json](https://github.com/toniebox-reverse-engineering/hackiebox_cfw_ng/blob/master/sd-bootloader-ng/bootmanager/sd/revvox/boot/patch/noPrivacy.305.json)) Usally the toniebox puts every tag into privacy mode after reading it. This patch disables that, so you can easily read the UID with any standard iso15693 reader like your phone.