Result runStub(Handle nssHandle, memorymap_t* m, u8* code_data)
{
u32 tmp;
// flush code we're about to copy
void* src_adr = (void*)(code_data);
void* dst_adr = (void*)(FIRM_APPMEMALLOC_LINEAR - m->processLinearOffset);
Result ret = GSPGPU_FlushDataCache(NULL, src_adr, HANS_LOADER_SIZE);
if(ret)return ret;
// need to load those now because we're about to unmap bss
Handle local_gspGpuHandle = gspGpuHandle;
Handle local_gspSharedMemHandle = gspSharedMemHandle;
void (*local_stub)(Handle gsp, Handle nss, Handle gspMem) = stub;
// free GSP heap
svc_controlMemory(&tmp, (u32)gspHeap, 0x0, gspHeap_size, MEMOP_FREE, 0x0);
// start copying code
doGspwn(src_adr, dst_adr, HANS_LOADER_SIZE);
// // free heap (includes bss !)
// svc_controlMemory(&tmp, (u32)0x08000000, 0x0, _heap_size, MEMOP_FREE, 0x0);
local_stub(local_gspGpuHandle, nssHandle, local_gspSharedMemHandle);
return 0;
}
void gspGpuInit()
{
gspInit();
GSPGPU_AcquireRight(NULL, 0x0);
GSPGPU_SetLcdForceBlack(NULL, 0x0);
//set subscreen to blue
u32 regData=0x01FF0000;
GSPGPU_WriteHWRegs(NULL, 0x202A04, ®Data, 4);
//grab main left screen framebuffer addresses
GSPGPU_ReadHWRegs(NULL, 0x400468, (u32*)&topLeftFramebuffers, 8);
//convert PA to VA (assuming FB in VRAM)
topLeftFramebuffers[0]+=0x7000000;
topLeftFramebuffers[1]+=0x7000000;
//setup our gsp shared mem section
u8 threadID;
svc_createEvent(&gspEvent, 0x0);
GSPGPU_RegisterInterruptRelayQueue(NULL, gspEvent, 0x1, &gspSharedMemHandle, &threadID);
svc_mapMemoryBlock(gspSharedMemHandle, 0x10002000, 0x3, 0x10000000);
//map GSP heap
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x2000000, 0x10003, 0x3);
//wait until we can write stuff to it
svc_waitSynchronization1(gspEvent, 0x55bcb0);
//GSP shared mem : 0x2779F000
gxCmdBuf=(u32*)(0x10002000+0x800+threadID*0x200);
currentBuffer=0;
}
void* getOutputBaseAddr()
{
//map GSP heap
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x01000000, 0x10003, 0x3);
return &gspHeap[0x00100000];
}
void freeDataPages(u32 address)
{
MemInfo minfo;
PageInfo pinfo;
Result ret = svc_queryMemory(&minfo, &pinfo, address);
if(!ret)
{
u32 tmp;
svc_controlMemory(&tmp, minfo.base_addr, 0x0, minfo.size, 0x1, 0x0);
}
}
void runTitle(u8 mediatype, u32* argbuf, u32 argbuflength, u32 tid_low, u32 tid_high)
{
initSrv();
gspGpuInit();
// free extra data pages if any
freeDataPages(0x14000000);
freeDataPages(0x30000000);
// allocate gsp heap
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x02000000, 0x10003, 0x3);
// put new argv buffer on stack
u32 argbuffer[0x200];
u32 argbuffer_length = argbuflength;
memcpy(argbuffer, argbuf, argbuflength);
argbuffer[0]++;
memorymap_t* mmap = getMmapArgbuf(argbuffer, argbuffer_length);
// grab fs:USER handle
Handle fsuserHandle = 0x0;
int i; for(i=0; i<_serviceList.num; i++)if(!strcmp(_serviceList.services[i].name, "fs:USER"))fsuserHandle=_serviceList.services[i].handle;
if(!fsuserHandle)*(vu32*)0xCAFE0001=0;
getProcessMap(fsuserHandle, mediatype, tid_low, tid_high, mmap, (u32*)gspHeap);
argbuffer_length = (u32)((void*)mmap - (void*)argbuffer) + size_memmap(*mmap);
gspGpuExit();
exitSrv();
// free heap (has to be the very last thing before jumping to app as contains bss)
u32 out; svc_controlMemory(&out, (u32)_heap_base, 0x0, _heap_size, MEMOP_FREE, 0x0);
_changeProcess(-2, argbuffer, argbuffer_length);
}
void gspGpuExit()
{
GSPGPU_UnregisterInterruptRelayQueue(NULL);
//unmap GSP shared mem
svc_unmapMemoryBlock(gspSharedMemHandle, 0x10002000);
svc_closeHandle(gspSharedMemHandle);
svc_closeHandle(gspEvent);
gspExit();
//free GSP heap
svc_controlMemory((u32*)&gspHeap, (u32)gspHeap, 0x0, 0x2000000, MEMOP_FREE, 0x0);
}
void changeProcess(int processId, u32* argbuf, u32 argbuflength)
{
initSrv();
gspGpuInit();
// free extra data pages if any
freeDataPages(0x14000000);
freeDataPages(0x30000000);
// allocate gsp heap
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x01000000, 0x10003, 0x3);
patchMenuRop(processId, argbuf, argbuflength);
// grab waitLoop stub
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00200000], 0x100);
doGspwn((u32*)(MENU_LOADEDROP_BUFADR-0x100), (u32*)&gspHeap[0x00200000], 0x100);
svc_sleepThread(20*1000*1000);
// patch it
u32* patchArea = (u32*)&gspHeap[0x00200000];
for(int i=0; i<0x100/4; i++)
{
if(patchArea[i] == 0xBABEBAD0)
{
patchArea[i-1] = patchArea[i+1];
break;
}
}
// copy it back
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00200000], 0x100);
doGspwn((u32*)&gspHeap[0x00200000], (u32*)(MENU_LOADEDROP_BUFADR-0x100), 0x100);
svc_sleepThread(20*1000*1000);
// ghetto dcache invalidation
// don't judge me
int i, j;//, k;
// for(k=0; k<0x2; k++)
for(j=0; j<0x4; j++)
for(i=0; i<0x01000000/0x4; i+=0x4)
((u32*)gspHeap)[i+j]^=0xDEADBABE;
//exit to menu
// _aptExit();
exitSrv();
// do that at the end so that release right is one of the last things to happen
{
GSPGPU_UnregisterInterruptRelayQueue(NULL);
//unmap GSP shared mem
svc_unmapMemoryBlock(gspSharedMemHandle, 0x10002000);
svc_closeHandle(gspSharedMemHandle);
svc_closeHandle(gspEvent);
//free GSP heap
svc_controlMemory((u32*)&gspHeap, (u32)gspHeap, 0x0, 0x01000000, MEMOP_FREE, 0x0);
Handle _gspGpuHandle = gspGpuHandle;
// free heap (has to be the very last thing before jumping to app as contains bss)
u32 out; svc_controlMemory(&out, (u32)_heap_base, 0x0, _heap_size, MEMOP_FREE, 0x0);
GSPGPU_ReleaseRight(&_gspGpuHandle);
svc_closeHandle(_gspGpuHandle);
}
svc_exitProcess();
}
void run3dsx(Handle executable, u32* argbuf)
{
initSrv();
gspGpuInit();
// free extra data pages if any
freeDataPages(0x14000000);
freeDataPages(0x30000000);
// reset menu ropbin (in case of a crash)
{
u32 _argbuf = 0;
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x01000000, 0x10003, 0x3);
patchMenuRop(1, &_argbuf, 4);
svc_controlMemory((u32*)&gspHeap, (u32)gspHeap, 0x0, 0x01000000, MEMOP_FREE, 0x0);
}
// duplicate service list on the stack
// also add hid:SPVR as hid:USER if appropriate
// (for backwards compat as old homebrew only supports hid:USER)
u8 serviceBuffer[0x4+0xC*(_serviceList.num + 1)];
service_list_t* serviceList = (service_list_t*)serviceBuffer;
serviceList->num = _serviceList.num;
int i;
for(i=0; i<_serviceList.num; i++)
{
memcpy(serviceList->services[i].name, _serviceList.services[i].name, 8);
svc_duplicateHandle(&serviceList->services[i].handle, _serviceList.services[i].handle);
}
// handle hid:USER missing case
{
Handle hidUSER = 0;
if(srv_getServiceHandle(NULL, &hidUSER, "hid:USER") && !srv_getServiceHandle(NULL, &hidUSER, "hid:SPVR"))
{
memcpy(serviceList->services[serviceList->num].name, "hid:USER", 8);
serviceList->services[serviceList->num].handle = hidUSER;
serviceList->num++;
}else svc_closeHandle(hidUSER);
}
vu32* targetProcessIndex = &_targetProcessIndex;
if(*targetProcessIndex == -2)
{
// create local copy of process map
u32 _customProcessBuffer[0x40];
memorymap_t* const _customProcessMap = (memorymap_t*)_customProcessBuffer;
memcpy(_customProcessBuffer, customProcessBuffer, sizeof(_customProcessBuffer));
// adjust it given the information we now have such as text size, data location and size...
MemInfo minfo;
PageInfo pinfo;
// get .text info
Result ret = svc_queryMemory(&minfo, &pinfo, 0x00100000);
_customProcessMap->header.text_end = minfo.size + 0x00100000;
// get rodata info
ret = svc_queryMemory(&minfo, &pinfo, _customProcessMap->header.text_end);
_customProcessMap->header.data_address = minfo.size + _customProcessMap->header.text_end;
// get data info
ret = svc_queryMemory(&minfo, &pinfo, _customProcessMap->header.data_address);
_customProcessMap->header.data_size = minfo.size;
// setup 3dsx with custom local map
setup3dsx(executable, (memorymap_t*)_customProcessMap, serviceList, argbuf);
}else setup3dsx(executable, (memorymap_t*)app_maps[*targetProcessIndex], serviceList, argbuf);
FSFILE_Close(executable);
gspGpuExit();
exitSrv();
// grab ns:s handle
Handle nssHandle = 0x0;
for(i=0; i<_serviceList.num; i++)if(!strcmp(_serviceList.services[i].name, "ns:s"))nssHandle=_serviceList.services[i].handle;
if(!nssHandle)*(vu32*)0xCAFE0001=0;
// use ns:s to launch/kill process and invalidate icache in the process
// Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000003702LL, 0x1);
Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000002A02LL, 0x1);
if(ret)*(u32*)0xCAFE0002=ret;
svc_sleepThread(100*1000*1000);
// ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000003702LL, 100*1000*1000);
ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000002A02LL, 100*1000*1000);
if(ret)*(u32*)0xCAFE0003=ret;
// invalidate_icache();
// free heap (has to be the very last thing before jumping to app as contains bss)
u32 out; svc_controlMemory(&out, (u32)_heap_base, 0x0, _heap_size, MEMOP_FREE, 0x0);
start_execution();
}
