version 3

Author: GaryOderNichts

.gitignore

@@ -1,12 +1,11 @@
 .vscode/
-arm_kernel_fw_launcher/build/
-arm_kernel_region_free/build/
-arm_kernel_loadfile/build
-arm_kernel_loadfile/mcp/build
+sd_kernels/out
+sd_kernels/sd_kernels.zip
+
+**/build/
 
 bluubomb
 *.bin
 *.bin.h
 *.elf
 *_syms.h
-*.rpx

Makefile

@@ -1,21 +1,23 @@
-.PHONY:	all clean arm_kernel_loadfile arm_kernel_fw_launcher arm_kernel_region_free
+.PHONY:	all clean arm_kernel arm_user sd_kernels
 
-all: bluubomb arm_kernel_loadfile arm_kernel_fw_launcher arm_kernel_region_free
+all: arm_user arm_kernel bluubomb sd_kernels
+	@echo All done!
 
 clean:
+	@$(MAKE) --no-print-directory -C arm_user clean
+	@$(MAKE) --no-print-directory -C arm_kernel clean
 	rm -f bluubomb
-	@$(MAKE) --no-print-directory -C arm_kernel_loadfile clean
-	@$(MAKE) --no-print-directory -C arm_kernel_fw_launcher clean
-	@$(MAKE) --no-print-directory -C arm_kernel_region_free clean
+	@$(MAKE) -j1 --no-print-directory -C sd_kernels clean
 
-bluubomb: bluubomb.c adapter.c bdaddr.c sdp.c
-	gcc -std=gnu11 -Wall -o bluubomb bluubomb.c adapter.c bdaddr.c sdp.c -lbluetooth
+arm_user:
+	@$(MAKE) -j1 --no-print-directory -C arm_user
 
-arm_kernel_loadfile:
-	@$(MAKE) -j1 --no-print-directory -C arm_kernel_loadfile
+arm_kernel:
+	@$(MAKE) -j1 --no-print-directory -C arm_kernel
 
-arm_kernel_fw_launcher:
-	@$(MAKE) -j1 --no-print-directory -C arm_kernel_fw_launcher
+bluubomb: bluubomb.c adapter.c bdaddr.c sdp.c
+	gcc -std=gnu11 -Wall -o bluubomb bluubomb.c adapter.c bdaddr.c sdp.c -lbluetooth
 
-arm_kernel_region_free:
-	@$(MAKE) -j1 --no-print-directory -C arm_kernel_region_free
+sd_kernels:
+	@echo Building SD kernels...
+	@$(MAKE) -j1 --no-print-directory -C sd_kernels

README.md

@@ -12,35 +12,38 @@ Not to be confused with [BlueBomb](https://github.com/Fullmetal5/bluebomb) for t
 - A PC or VM running a version of Linux which is able to run the custom build of BlueZ  
 
 ## How to use
-1. Run `sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev` to install the required dependencies.
-1. Clone https://github.com/rnconrad/WiimoteEmulator
+1. Run `sudo apt install build-essential libbluetooth-dev libglib2.0-dev libdbus-1-dev git` to install the required dependencies.
+1. Run `git clone https://github.com/rnconrad/WiimoteEmulator && cd WiimoteEmulator`.
 1. Run `source ./build-custom.sh` to build BlueZ.  
-Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps.
+Don't worry if building the emulator itself fails due to missing SDL headers. Just continue with the next steps.  
 1. Stop the already running bluetooth service `sudo systemctl disable --now bluetooth`
 1. Run the custom built bluetoothd `sudo ./bluez-4.101/dist/sbin/bluetoothd -d -n`
-1. Download the `bluubomb` binary and the kernel binary of your choice from the [releases page](https://github.com/GaryOderNichts/bluubomb/releases).
+1. Download the `bluubomb` binary and the `sd_kernels.zip` from the [releases page](https://github.com/GaryOderNichts/bluubomb/releases).  
+Copy a kernel binary of your choice from the `sd_kernels.zip` to the root of your SD Card and rename it to `bluu_kern.bin`.  
 Take a look at [Kernel binaries](#kernel-binaries) for more information.
-1. Make the bluubomb file executable by running `chmod +x bluubomb`
-1. Power on the Wii U and press the sync button.
-1. Run `sudo ./bluubomb arm_kernel.bin` and wait for the pairing process to complete.  
+1. Power on the Wii U, insert your SD Card and press the sync button.
+1. Open a new terminal and make the bluubomb file executable by running `chmod +x bluubomb`
+1. Run `sudo ./bluubomb` and wait for the pairing process to complete.  
 This might take a minute.  
 If you get a warning about Simple Pairing mode read [the Simple Pairing mode section below](#simple-pairing-mode). 
 
-Write down the Wii U's bd address that should be displayed after the pairing is complete.  
-You can now run `sudo ./bluubomb arm_kernel.bin <bdaddr here>` to connect directly to the Wii U and skip the pairing process.
+Write down the Wii U's bluetooth device address that's displayed after the pairing is complete.  
+You can now run `sudo ./bluubomb <bdaddr here>` to connect directly to the Wii U and skip the pairing process.
 
 ## Kernel binaries
 
-### arm_kernel_loadfile
+### loadrpx.bin
 Launches a launch.rpx from the root of your SD card on the next application launch.
 
-### arm_kernel_fw_launcher
-Launches a fw.img from the root of your SD card on the next OS relaunch (for example when exiting System Settings).  
-
-### arm_kernel_region_free
+### regionfree.bin
 Applies IOSU patches to temporarily remove region restrictions.  
 This should be helpful if you've locked yourself out of your applications due to permanent region modifications.
 
+### wupserver.bin
+Launches a wupserver instance directly after using bluubomb.  
+This gets you full system access remotely via [wupclient](https://github.com/dimok789/mocha/blob/master/ios_mcp/wupclient.py) (replace the IP in line 29 with the one of your Wii U).  
+This works without having to leave the controller pairing screen.
+
 ## Simple Pairing mode
 
 On some devices the simple pairing mode can't be disabled by bluubomb.  

arm_kernel_region_free/Makefile arm_kernel/Makefilearm_kernel_region_free/Makefile renamed to arm_kernel/Makefile

@@ -62,6 +62,8 @@ LIBDIRS	:=
 ifneq ($(BUILD),$(notdir $(CURDIR)))
 #---------------------------------------------------------------------------------
 
+export TARGETNAME := $(TARGET)
+
 export OUTPUT	:= $(CURDIR)/$(TARGET)
 export TOPDIR	:= $(CURDIR)
 
@@ -98,7 +100,7 @@ $(BUILD):
 #---------------------------------------------------------------------------------
 clean:
 	@echo clean ...
-	@rm -fr $(BUILD) $(TARGET).elf $(TARGET).bin
+	@rm -fr $(BUILD) $(TARGET).elf $(TARGET).bin $(TARGET).bin.h
 
 #---------------------------------------------------------------------------------
 else
@@ -108,14 +110,18 @@ DEPENDS := $(OFILES:.o=.d)
 #---------------------------------------------------------------------------------
 # main targets
 #---------------------------------------------------------------------------------
-all	:	$(OUTPUT).bin
+all	:	$(OUTPUT).bin.h
 
 $(OUTPUT).elf	:	$(OFILES)
 
 $(OUTPUT).bin: $(OUTPUT).elf
 	@echo "built ... $(notdir $@)"
 	@$(OBJCOPY) -j .text -j .rodata -j .data -O binary $(OUTPUT).elf $@
 
+$(OUTPUT).bin.h: $(OUTPUT).bin
+	@raw2c $<
+	@cp $(TARGETNAME).c $@
+
 $(OFILES_SRC) : $(HFILES_BIN)
 
 #-------------------------------------------------------------------------------

arm_kernel_fw_launcher/link.ld arm_kernel/link.ldarm_kernel_fw_launcher/link.ld renamed to arm_kernel/link.ld

@@ -1,7 +1,6 @@
 OUTPUT_ARCH(arm)
 
-SECTIONS
-{
+SECTIONS {
     . = (0x08135000);
 
     .text : {
@@ -14,13 +13,11 @@ SECTIONS
     .data : {
         *(.data*)
     }
-    .bss : {
+    /* .bss : {
         *(.bss*)
-        *(COMMON*)
-    }
+    } */
 
     /DISCARD/ : {
         *(*);
     }
 }
-

arm_kernel_fw_launcher/source/crt0.s arm_kernel/source/crt0.sarm_kernel_fw_launcher/source/crt0.s renamed to arm_kernel/source/crt0.s

@@ -2,6 +2,8 @@
 
 #include <stdint.h>
 
+#define ALIGNAS(x, align)  (((x) + ((align) - 1)) & ~((align) - 1))
+
 // Kernel functions
 
 #define kernel_memcpy               ((void* (*)(void*, const void*, int)) 0x08131D04)

arm_kernel_region_free/source/imports.h arm_kernel/source/imports.harm_kernel_region_free/source/imports.h renamed to arm_kernel/source/imports.h

@@ -0,0 +1,55 @@
+#include <stdlib.h>
+#include "imports.h"
+
+#include "../../arm_user/arm_user.bin.h"
+
+#define ARM_BL(addr, func) (0xEB000000 | ((((uint32_t)(func) - (uint32_t)(addr) - 8) >> 2) & 0x00FFFFFF))
+
+#define SD_KERNEL_CODE_LOCATION 0x08135400
+
+int kernel_syscall_0x81(void* ptr, uint32_t size)
+{
+    // copy the custom kernel code
+    kernel_memcpy((void*) SD_KERNEL_CODE_LOCATION, ptr, size);
+
+    // jump to it
+    ((void (*)(void)) 0x08135400)();
+
+    return 0;
+}
+
+int _main()
+{
+    // disable interrupts and mmu
+    int level = kernel_disable_interrupts();
+    uint32_t control_register = disable_mmu();
+
+    // patch kernel_error_handler
+    *(volatile uint32_t*) 0x08129a24 = 0xe12fff1e; // bx lr
+
+    // replace the custom kernel syscall
+    *(volatile uint32_t*) 0x0812cd2c = ARM_BL(0x0812cd2c, kernel_syscall_0x81);
+
+    // patch ios-pad fsa handle check to always succeed
+    *(volatile uint32_t*) 0x11f7f418 = 0xe3a00001; // mov r0, #1
+    *(volatile uint32_t*) 0x11f7f41c = 0xe12fff1e; // bx lr
+
+    // give everything full access to fsa (we need this to access the sd from ios-pad)
+    *(volatile uint32_t*) 0x107043e4 = 0xe3e02000; // mvn r2, #0
+    *(volatile uint32_t*) 0x107043e8 = 0xe3e03000; // mvn r3, #0
+
+    // load arm_user
+    kernel_memcpy((void*) 0x11f85800, arm_user, arm_user_size);
+
+    // reenable mmu
+    restore_mmu(control_register);
+
+    // invalidate all cache
+    // kernel_invalidate_dcache(0x081298BC, 0x4001);
+    kernel_invalidate_icache();
+
+    // restore interrupts
+    kernel_enable_interrupts(level);
+
+    return 0;
+}