dimok789 · Maschell · May 13, 2017 · May 13, 2017 · May 13, 2017 · May 13, 2017
diff --git a/ios_fs/source/main.c b/ios_fs/source/main.c
@@ -22,7 +22,7 @@ void createDevThread_entry(int node_type, u32 *dev_handles)
             sdcard_init();
         }
     }
-    else if(node_type == NODE_TYPE_DEV_UMS)
+    /*else if(node_type == NODE_TYPE_DEV_UMS)
     {
         // instead of hooking into attach at 0x10732FBC...lets do this and let the system do the mount
         fs_attach_info_t * info = (fs_attach_info_t *)(*(u32*)0x1091C2E4);
@@ -44,7 +44,7 @@ void createDevThread_entry(int node_type, u32 *dev_handles)
             info = info->next;
         }
         while(info);
-    }
+    }*/
     else if(node_type == NODE_TYPE_DEV_ATFS) // ATFS is started right before ISFS for slc/slccmpt
     {
         cfw_config_t cfw_config;

diff --git a/ios_kernel/source/instant_patches.c b/ios_kernel/source/instant_patches.c
@@ -82,6 +82,9 @@ void instant_patches_setup(void)
         // down display launch image at this state
         *(volatile u32*)(_text_start - 4 - 0x05100000 + 0x13D80000) = 0;
 
+        // patch the read position for the cos xml's p4.mask(ios_fs) to read 0xFFFFFFFFFFFFFFFF
+        *(volatile u32*)(0x05002BBE - 0x05000000 + 0x081C0000) = (volatile u32*)THUMB_BL(0x05002BBE, patch_SD_access_check);
+
         ios_map_shared_info_t map_info;
         map_info.paddr = 0x050BD000 - 0x05000000 + 0x081C0000;
         map_info.vaddr = 0x050BD000;

diff --git a/ios_kernel/source/ios_acp_patches_asm.s b/ios_kernel/source/ios_acp_patches_asm.s
@@ -6,6 +6,6 @@ patch_wfs_partition_check:
 .globl acp_patches_table, acp_patches_table_end
 acp_patches_table:
 #          origin           data                                    size
-     .word 0xE00605D0,      patch_wfs_partition_check,              4
+#     .word 0xE00605D0,      patch_wfs_partition_check,              4
 acp_patches_table_end:
 
diff --git a/ios_kernel/source/ios_fs_patches.c b/ios_kernel/source/ios_fs_patches.c
@@ -81,13 +81,13 @@ void fs_run_patches(u32 ios_elf_start)
         //section_write_word(ios_elf_start, FS_USB_WRITE, ARM_B(FS_USB_WRITE, usbWrite_patch));
     }
 
-    section_write_word(ios_elf_start, 0x1070F87C, ARM_BL(0x1070F87C, FSA_AttachVolume_FillDescription_hook));
-    section_write_word(ios_elf_start, 0x10700EFC, ARM_BL(0x10700EFC, FSA_AsyncCommandCallback_hook));
+    //section_write_word(ios_elf_start, 0x1070F87C, ARM_BL(0x1070F87C, FSA_AttachVolume_FillDescription_hook));
+    //section_write_word(ios_elf_start, 0x10700EFC, ARM_BL(0x10700EFC, FSA_AsyncCommandCallback_hook));
     // patch mounting FAT and allow all devices instead of only SD card
-    section_write_word(ios_elf_start, 0x1078E074, 0xEA000002);
+    //section_write_word(ios_elf_start, 0x1078E074, 0xEA000002);
     // patch FSA_MakeQuota to not store command -> command is modified depending on wether it is USB FAT or not
-    section_write_word(ios_elf_start, 0x1070BE0C, 0xE1A00000);
-    section_write_word(ios_elf_start, 0x1070BE00, ARM_BL(0x1070BE00, FSA_MakeQuota_asm_hook));
+    //section_write_word(ios_elf_start, 0x1070BE0C, 0xE1A00000);
+    //section_write_word(ios_elf_start, 0x1070BE00, ARM_BL(0x1070BE00, FSA_MakeQuota_asm_hook));
 
     section_write_word(ios_elf_start, FS_CREATEDEVTHREAD_HOOK, ARM_B(FS_CREATEDEVTHREAD_HOOK, createDevThread_hook));
 

diff --git a/ios_kernel/source/ios_mcp_patches.c b/ios_kernel/source/ios_mcp_patches.c
@@ -46,6 +46,8 @@ void mcp_run_patches(u32 ios_elf_start)
 
     section_write_word(ios_elf_start, 0x05056718, ARM_BL(0x05056718, _text_start));
 
+    section_write_word(ios_elf_start, 0x05002BBE, THUMB_BL(0x05002BBE, patch_SD_access_check));
+
     if(cfw_config.syshaxXml)
     {
         section_write(ios_elf_start, 0x050600DC, "/vol/system/config/syshax.xml", 0x20);

diff --git a/ios_kernel/source/ios_mcp_patches_asm.s b/ios_kernel/source/ios_mcp_patches_asm.s
@@ -34,7 +34,7 @@ mcp_patches_table:
      .word 0x05052C44,      patch_IOSC_VerifyPubkeySign,            8
      .word 0x05052A90,      patch_cert_verification,                8
      .word 0x05054D6C,      patch_cached_cert_check,                8
-     .word 0x0502ADF6,      patch_wfs_partition_check,              4
+#     .word 0x0502ADF6,      patch_wfs_partition_check,              4
 #     .word 0x05014AD8,      patch_wfs_partition_check,              4
 # over an hour, MCP crash prevention
      .word 0x05022474,      0xFFFFFFFF,                             4

diff --git a/ios_kernel/source/kernel_patches.c b/ios_kernel/source/kernel_patches.c
@@ -130,7 +130,7 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H)
         mcp_run_patches(ios_elf_start);
         kernel_run_patches(ios_elf_start);
         fs_run_patches(ios_elf_start);
-        acp_run_patches(ios_elf_start);
+        //acp_run_patches(ios_elf_start);
 
         if(cfw_config.redNAND && cfw_config.seeprom_red)
             bsp_run_patches(ios_elf_start);

diff --git a/ios_mcp/source/main.c b/ios_mcp/source/main.c
@@ -29,3 +29,17 @@ int _startMainThread(void)
     }
     return 0;
 }
+
+void patch_SD_access_check(void) {
+    __asm__ volatile(
+        ".thumb\n"
+        //clobbered instructions
+        "add r0, r7, r2\n"
+        //app.permissions.r2.mask seems to be 0xFFFFFFFFFFFFFFFF for every application
+        "ldr r1, =0x32\n"
+        "sub r3, r3, #7\n"
+        "strb r1, [r3]\n"
+        //this instruction was also clobbered but we use r1 so we do it after our patch stuff
+        "movs r1, #0\n"
+        "bx lr");
+}