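/*
 * Load a FIRM image and its patch blob from the SD card into their fixed
 * destination addresses, wait for the ARM9 side to acknowledge, then hand
 * control to execReboot through svcBackdoor. Does not return.
 *
 * r0..r2 are accepted but not used here (presumably kept for the caller's
 * register layout - TODO confirm). hiId/loId form the 64-bit title id that
 * selects the two files and is forwarded to svcKernelSetState.
 *
 * Review notes:
 *  - The p9Open/p9Read results are not checked, so a missing or short file
 *    would go unnoticed and the reboot would still proceed.
 *  - Nothing in this function verifies the images read from the SD card
 *    before they are executed; the trust boundary is whoever controls the SD
 *    contents. If that is not the intended model, a size/integrity check
 *    belongs before the PXI handshake below.
 */
int loadExecReboot(int r0, int r1, int r2, uint32_t hiId, uint32_t loId)
{
    (void)r0;
    (void)r1;
    (void)r2;

    /* Fixed-size buffer; a `const size_t` bound would make this a VLA in C. */
    enum { PATH_LEN = 64 };
    wchar_t path[PATH_LEN];
    size_t bytesRead = 0;
    P9File f;

    /* FIRM image -> FIRM_ADDR */
    p9FileInit(f);
    swprintf(path, PATH_LEN, L"sdmc:/" FIRM_PATH_FMT, hiId, loId);
    p9Open(f, path, 1);
    p9Read(f, &bytesRead, (void *)FIRM_ADDR, FIRM_SIZE);
    p9Close(f);

    /* Patch blob -> PATCH_ADDR */
    p9FileInit(f);
    swprintf(path, PATH_LEN, L"sdmc:/" FIRM_PATCH_PATH_FMT, hiId, loId);
    p9Open(f, path, 1);
    p9Read(f, &bytesRead, (void *)PATCH_ADDR, PATCH_SIZE);
    p9Close(f);

    /* Spin until the ARM9 side sends the expected magic over PXI. */
    while (p9RecvPxi() != 0x44846) {
    }

    svcKernelSetState(SVC_KERNEL_STATE_INIT, hiId, loId, SVC_KERNEL_STATE_TITLE_COMPAT);

    /* Only the two NATIVE_FIRM title ids keep the current nandSector. */
    if (loId != TID_CTR_NATIVE_FIRM && loId != TID_KTR_NATIVE_FIRM) {
        nandSector = 0;
    }

    svcBackdoor((void *)execReboot);
    __builtin_unreachable();
}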
/*
 * Run `entry` through svcBackdoor via the shared backdoor_wrap trampoline.
 *
 * The target and its argument block are handed over in file-scope globals
 * (backdoor_entry / backdoor_args) because the trampoline takes no
 * parameters; the result is read back from backdoor_rv, which backdoor_wrap
 * is expected to fill in (not visible here).
 */
static u32 svc_7b(backdoor_fn entry, u32* args) {
    backdoor_entry = entry;
    backdoor_args = args;

    svcBackdoor(backdoor_wrap);

    return backdoor_rv;
}
/*
 * Run `entry` through svcBackdoor via the shared backdoor_wrap trampoline,
 * with IRQ/FIQ/asynchronous aborts masked for the duration of the call.
 *
 * The target and its argument pointer travel in file-scope globals; the same
 * backdoor_args slot is read back afterwards as the Result, so backdoor_wrap
 * is presumably expected to overwrite it (not visible here).
 */
static Result svc_7b(backdoor_fn entry, void* args) {
    backdoor_entry = entry;
    backdoor_args = (u32)args;

    /* Mask a/i/f, run the trampoline, unmask. */
    __asm__ volatile("cpsid aif \n\t");
    svcBackdoor(backdoor_wrap);
    __asm__ volatile("cpsie aif \n\t");

    return (Result)backdoor_args;
}
/*
 * Re-establish the srv session while the process temporarily reports PID 0,
 * then restore the real PID and print the observed PIDs for inspection.
 *
 * The format string encodes the expected outcome: the PID before patching,
 * the saved pid_backup and the PID after restoring should all agree, and the
 * PID observed while patched should read as 0. patch_result/unpatch_result
 * are whatever strings the two backdoor callbacks left behind.
 */
void patch_srv(void) {
    u32 pidBefore;
    u32 pidWhilePatched;
    u32 pidAfter;

    APT_CheckNew3DS(&is_n3ds);

    svcGetProcessId(&pidBefore, 0xFFFF8001);

    /* Kernel-side callback: make the current process report PID 0. */
    svcBackdoor(&patch_pid);
    svcGetProcessId(&pidWhilePatched, 0xFFFF8001);

    /* Tear down and re-open the srv connection while the PID reads as 0;
     * srv associates the new session with that identity. */
    srvExit();
    srvInit();

    /* Kernel-side callback: put the real PID back. */
    svcBackdoor(&restore_pid);
    svcGetProcessId(&pidAfter, 0xFFFF8001);

    printf("%lu=%lu=%lu %lu=0 %s %s\n",
           pidBefore, pid_backup, pidAfter, pidWhilePatched,
           patch_result, unpatch_result);
}
/*
 * One-time initialisation; idempotent via the __ctr_svchax flag.
 *
 * When __service_ptr is set, two bytes of the page at 0x1FF80000 are consulted
 * first and the function bails out early if they are out of range (presumably
 * a firmware-version gate - the meaning of 0x2F / 0x2 is not visible here).
 * In that branch the word at 0x1F000008 is saved beforehand and a kernel
 * callback restores it afterwards. In every successful path the final step is
 * the k_enable_all_svc backdoor call.
 */
void svchax_init(void) {
    extern u32 __service_ptr;

    /* Already done on an earlier call. */
    if (__ctr_svchax) {
        return;
    }

    if (__service_ptr) {
        const u8 *cfgBytes = (const u8 *)0x1FF80002;   /* [0] = 0x1FF80002, [1] = 0x1FF80003 */
        int unsupported = (cfgBytes[0] > 0x2F) || (cfgBytes[1] != 0x2);

        if (unsupported) {
            return;
        }

        /* Preserve the word that memchunkhax_write_pair is about to clobber. */
        saved_vram_value = *(u32*)0x1F000008;
        memchunkhax_write_pair(get_7B_access_ctrl_ptr(), 0x1F000000);
        svcBackdoor(k_restore_vram_value);
    }

    svcBackdoor(k_enable_all_svc);
    __ctr_svchax = 1;
}
/*
 * Perform a firmlaunch. The ARM9 payload must already be loaded before this
 * is called; otherwise the call simply reboots the handheld.
 *
 * Returns the stage that failed, which is only meaningful because the final
 * svcBackdoor is not expected to return:
 *   1 - setup_exploit_data() failed (platform/firmware not supported)
 *   2 - khaxInit() failed
 *   3 - svcBackdoor(priv_firm_reboot) returned (firmlaunch failure)
 */
s32 firm_reboot (void) {
    s32 fail_stage = 1;

    if (!setup_exploit_data()) {
        return fail_stage;
    }

    fail_stage = 2;
    if (khaxInit() != 0) {
        return fail_stage;
    }

    fail_stage = 3;
    svcBackdoor(priv_firm_reboot);

    /* Reaching this point means the reboot did not happen. */
    return fail_stage;
}
/*
 * Invoke `callback` through svcBackdoor using the parameterless wrapper
 * KernelBackdoorTargetWrapper; the target is passed in the file-scope
 * backdoor_callback and the result read back from backdoor_ret, which the
 * wrapper is expected to set (not visible here).
 */
int KernelBackdoor(int (*callback)(void)) {
    backdoor_callback = callback;

    svcBackdoor(KernelBackdoorTargetWrapper);

    return backdoor_ret;
}
/*
 * libkhax demo: measure AM service access before and after haxInit(), run one
 * backdoor call and print its result, then idle until X is pressed.
 *
 * Only graphics and the bottom-screen console are brought up; the
 * srv/apt/hid/fs/sdmc/hb/qtm init/exit pairs from the template are
 * deliberately left out of this demo.
 */
int main(void) {
    gfxInitDefault();
    consoleInit(GFX_BOTTOM, NULL);
    consoleClear();

    /* Baseline, before libkhax. */
    test_am_access_outer(1);

    haxInit();

    svcBackdoor(dump_chunk_wrapper);
    printf("backdoor returned %08lx\n", g_backdoorResult);

    /* Same probe, after libkhax. */
    test_am_access_outer(2);

    printf("khax demo main finished\n");
    printf("Press X to exit\n");

    while (aptMainLoop()) {
        gspWaitForVBlank();

        hidScanInput();
        u32 pressed = hidKeysDown();
        u32 held = hidKeysHeld();
        (void)held;

        /* X (not START) leaves the loop. */
        if (pressed & KEY_X) {
            break;
        }

        gfxFlushBuffers();
        gfxSwapBuffers();
    }

    gfxExit();

    /* Back to hbmenu. */
    return 0;
}
/*
 * Invoke `callback` through svcBackdoor using the parameterless
 * kernelBackdoorWrapper; the target is handed over in the file-scope
 * kernelCallback and the result read back from backdoorReturn, which the
 * wrapper is expected to set (not visible here).
 */
int kernelBackdoor(int (*callback)(void)) {
    kernelCallback = callback;

    svcBackdoor(kernelBackdoorWrapper);

    return backdoorReturn;
}