/*
 * Load a FIRM image and its patch set from the SD card into fixed memory
 * regions, then enter execReboot through svcBackdoor. Never returns.
 *
 * r0..r2 are not used in this body (presumably kept to match a caller's
 * register layout — confirm). hiId/loId form the title id that selects the
 * file paths and is forwarded to svcKernelSetState.
 *
 * NOTE(review): no p9Open/p9Read result is checked and `read` is never
 * compared against FIRM_SIZE/PATCH_SIZE, so a missing, short or unreadable
 * file still reaches svcBackdoor() with whatever happens to be at
 * FIRM_ADDR/PATCH_ADDR. Since execReboot presumably transfers control to
 * the loaded image with kernel privileges, the SD card contents at these
 * paths are effectively trusted input.
 */
loadExecReboot(int r0, int r1, int r2, uint32_t hiId, uint32_t loId)
{
	/* pathLen is a const object, not a constant expression, so `path`
	   below is a variable-length array in C. */
	const size_t pathLen = 64;
	wchar_t path[pathLen];
	size_t read;   /* byte count reported by p9Read; written but never checked */
	P9File f;

	/* First file: the FIRM image itself, read straight to FIRM_ADDR. */
	p9FileInit(f);
	swprintf(path, pathLen, L"sdmc:/" FIRM_PATH_FMT, hiId, loId);
	p9Open(f, path, 1);
	p9Read(f, &read, (void *)FIRM_ADDR, FIRM_SIZE);
	p9Close(f);

	/* Second file: the patch blob for that title, read to PATCH_ADDR. */
	p9FileInit(f);
	swprintf(path, pathLen, L"sdmc:/" FIRM_PATCH_PATH_FMT, hiId, loId);
	p9Open(f, path, 1);
	p9Read(f, &read, (void *)PATCH_ADDR, PATCH_SIZE);
	p9Close(f);

	/* Busy-wait until a specific PXI message arrives; the meaning of
	   0x44846 is not documented here — TODO name it. No timeout. */
	while (p9RecvPxi() != 0x44846);
	svcKernelSetState(SVC_KERNEL_STATE_INIT, hiId, loId,
		SVC_KERNEL_STATE_TITLE_COMPAT);

	/* nandSector is file-scope state defined elsewhere; it is cleared for
	   anything that is not the native FIRM title of either platform. */
	if (loId != TID_CTR_NATIVE_FIRM && loId != TID_KTR_NATIVE_FIRM)
		nandSector = 0;

	svcBackdoor((void *)execReboot);
	__builtin_unreachable();
}
/*
 * Run `entry` in kernel mode via svcBackdoor, handing `args` over through
 * the file-scope backdoor_args/backdoor_entry slots (presumably read by
 * backdoor_wrap — confirm). Returns whatever was left in backdoor_rv.
 *
 * Not reentrant: the hand-off goes through globals, so overlapping callers
 * would clobber each other's entry/args.
 */
static u32 svc_7b(backdoor_fn entry, u32* args)
{
   /* Publish the call parameters where the wrapper can find them. */
   backdoor_entry = entry;
   backdoor_args = args;

   /* Trap into the kernel; the wrapper dispatches from there. */
   svcBackdoor(backdoor_wrap);

   /* The result comes back through a global as well. */
   return backdoor_rv;
}
/*
 * Variant of svc_7b that masks interrupts around the backdoor call.
 * `args` is stored as a u32 and the result is read back from that same
 * backdoor_args slot, so the callee is expected to overwrite it.
 */
static Result svc_7b(backdoor_fn entry, void* args)
{
	/* Pointer stored as an integer; assumes a 32-bit target. */
	backdoor_args = (u32)args;
	backdoor_entry = entry;

	/* cpsid aif: disable asynchronous aborts, IRQ and FIQ before entering
	   the kernel. The asm statements carry no "memory" clobber, so the
	   compiler is free to move memory accesses across them — TODO confirm
	   this is intended. */
	__asm__ volatile("cpsid aif \n\t");
	svcBackdoor(backdoor_wrap);
	/* Re-enable only after the backdoor has returned; statement order
	   matters here. */
	__asm__ volatile("cpsie aif \n\t");
	/* The result is returned through the same global used for the argument. */
	return (Result)backdoor_args;
}
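/*
 * Exercise the PID-spoofing trick against srv and print the observed PIDs
 * for verification.
 *
 * Sequence: record the current PID, run patch_pid through the kernel
 * backdoor, re-register with srv while the PID reads as 0, then run
 * restore_pid and read the PID once more. The final printf shows pid1
 * (before), pid_backup (saved by the patch), pid3 (after restore) and pid2
 * (while patched, expected 0), plus the patch/unpatch status strings.
 *
 * Globals written here: is_n3ds (via APT_CheckNew3DS). Globals read:
 * pid_backup, patch_result, unpatch_result — all defined elsewhere.
 *
 * Every call is unchecked. A failing svcGetProcessId() used to leave its
 * output indeterminate, which made the printf undefined; the pids are now
 * zero-initialised so the output is always well defined.
 */
void patch_srv(void) {
    /* Return value not checked; only the is_n3ds side effect is used. */
    APT_CheckNew3DS(&is_n3ds);

    /* 0xFFFF8001 is the current-process pseudo-handle. */
    u32 pid1 = 0;
    svcGetProcessId(&pid1, 0xFFFF8001);
    // Set the current process id (PID) to 0
    svcBackdoor(&patch_pid);

    u32 pid2 = 0;
    svcGetProcessId(&pid2, 0xFFFF8001);
    // Re-initialize srv connection. It will consider this the process with id 0
    // so we will have access to any service
    srvExit();
    srvInit();

    // Once we tricked srv we can restore the real PID
    svcBackdoor(&restore_pid);

    u32 pid3 = 0;
    svcGetProcessId(&pid3, 0xFFFF8001);
    printf("%lu=%lu=%lu %lu=0 %s %s\n", pid1, pid_backup, pid3, pid2, patch_result, unpatch_result);
}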
/*
 * One-time setup for svchax: runs k_enable_all_svc through svcBackdoor and
 * records completion in __ctr_svchax so later calls are no-ops.
 *
 * When __service_ptr is non-zero it first gates on two bytes of the page at
 * 0x1FF80000 (presumably a kernel-version check against the shared config
 * page — confirm the field layout) and, if that passes, uses the
 * memchunkhax primitive before the first svcBackdoor. The names suggest
 * this writes to the process's SVC 0x7B access-control entry — confirm.
 * On an unsupported version it returns silently with __ctr_svchax still
 * clear, so a later call will try again.
 */
void svchax_init(void)
{
   /* Provided by libctru's startup code, not by this file. */
   extern u32 __service_ptr;

   /* Already done; nothing to repeat. */
   if (__ctr_svchax)
      return;

   if(__service_ptr)
   {
      /* Version gate: bail out on anything newer than 0x2F at +2 or not
         equal to 2 at +3. */
      if((*(u8*)0x1FF80002 > 0x2F) || (*(u8*)0x1FF80003 != 0x2))
         return;

      /* 0x1F000000 is VRAM; the word at +8 is saved so
         k_restore_vram_value can put it back after the write. */
      saved_vram_value = *(u32*)0x1F000008;
      memchunkhax_write_pair(get_7B_access_ctrl_ptr(), 0x1F000000);
      svcBackdoor(k_restore_vram_value);
   }

   /* Now that svcBackdoor is reachable, open up the remaining SVCs. */
   svcBackdoor(k_enable_all_svc);

   __ctr_svchax = 1;

}
/*
 * Perform a firmlaunch. The ARM9 payload must already be loaded before
 * calling this; without one the call simply reboots the handheld.
 *
 * On success control never comes back. The return value is therefore only
 * meaningful on failure and tells the caller how far the sequence got:
 *   1 - platform/firmware not supported, or the ARM11 exploit failed
 *   2 - corrupting svcCreateThread() (khaxInit) failed
 *   3 - the firmlaunch / ARM9 exploit itself failed
 */
s32 firm_reboot (void) {
	/* Stage 1: prepare the exploit data for this platform/firmware. */
	s32 fail_stage = 1;
	if (!setup_exploit_data()) {
		return fail_stage;
	}

	/* Stage 2: ARM11 kernel access via khax; non-zero means it failed. */
	fail_stage = 2;
	if (khaxInit() != 0) {
		return fail_stage;
	}

	/* Stage 3: enter kernel mode and hand off to the firmlaunch code. */
	fail_stage = 3;
	svcBackdoor(priv_firm_reboot);

	/* Reaching this point means the firmlaunch did not take. */
	return fail_stage;
}
/*
 * Run `callback` in kernel mode. The callback is passed to
 * KernelBackdoorTargetWrapper through the file-scope backdoor_callback slot
 * and its result is read back from backdoor_ret. Uses globals, so this is
 * not safe to call concurrently.
 */
int KernelBackdoor(int (*callback)(void))
{
    /* Hand the callback to the wrapper through the shared slot. */
    backdoor_callback = callback;

    /* Enter kernel mode; the wrapper runs from there. */
    svcBackdoor(KernelBackdoorTargetWrapper);

    /* Pick up whatever the wrapper reported. */
    int result = backdoor_ret;
    return result;
}
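/*
 * Demo entry point: bring up the console, run the AM access test before
 * and after haxInit(), run one kernel-mode dump via svcBackdoor, then idle
 * until X is pressed.
 *
 * Only the graphics service is initialised explicitly here; the srv/apt/hid
 * calls below presumably rely on libctru's startup code having initialised
 * them — confirm against the project's crt0/__appInit.
 *
 * Returns 0 to hand control back to the launcher.
 */
int main()
{
	gfxInitDefault();			// graphics
	consoleInit(GFX_BOTTOM, NULL);
	consoleClear();

	test_am_access_outer(1); // test before libkhax

	haxInit(); // Performing svchax to grant all services access

	/* Run the dump in kernel mode first, then report the value it left in
	   g_backdoorResult. Split out of the printf argument so the kernel
	   call is not hidden inside a comma expression. */
	svcBackdoor(dump_chunk_wrapper);
	printf("backdoor returned %08lx\n", g_backdoorResult);

	test_am_access_outer(2); // test after libkhax

	printf("khax demo main finished\n");
	printf("Press X to exit\n");

	while (aptMainLoop())
	{
		// Wait next screen refresh
		gspWaitForVBlank();

		// Read which buttons were newly pressed this frame
		hidScanInput();
		u32 kDown = hidKeysDown();

		// X quits the demo
		if (kDown & KEY_X){
			break;
		}

		// Flush and swap framebuffers
		gfxFlushBuffers();
		gfxSwapBuffers();
	}

	// Exit services
	gfxExit();

	// Return to hbmenu
	return 0;
}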
/*
 * Run `callback` in kernel mode through kernelBackdoorWrapper. The callback
 * travels through the file-scope kernelCallback slot and the result comes
 * back in backdoorReturn; not safe for concurrent callers.
 */
int kernelBackdoor(int (*callback)(void)) {
    /* Stash the callback where the wrapper expects it. */
    kernelCallback = callback;

    /* Enter kernel mode via the wrapper. */
    svcBackdoor(kernelBackdoorWrapper);

    /* Result reported by the wrapper. */
    int result = backdoorReturn;
    return result;
}