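/*
 * Entry point: acquire the srv handle, bring up APT and GSP, map the HID
 * shared-memory block at 0x10000000, then loop forever rendering an effect
 * and mirroring the pad word into an LCD register.
 *
 * The pad state is read through a raw pointer to the fixed address
 * 0x10000000, so the handle lookup, the HID info query and the mapping are
 * checked first: if any of them fails the process exits instead of
 * dereferencing memory that was never mapped.
 *
 * Returns 0 on the normal path (not reached, the render loop never ends)
 * and 1 when HID set-up fails.
 */
int main()
{
	getSrvHandle(&srvHandle);

	aptInit();
	gspGpuInit();

	Handle hidHandle;
	Handle hidMemHandle;

	/*
	 * srv_getServiceHandle reports success as 0. HIDUSER_GetInfo and
	 * svc_mapMemoryBlock are assumed to follow the same Result
	 * convention -- TODO confirm against their declarations.
	 */
	if (srv_getServiceHandle(srvHandle, &hidHandle, "hid:USER") != 0
	    || HIDUSER_GetInfo(hidHandle, &hidMemHandle) != 0
	    || svc_mapMemoryBlock(hidMemHandle, 0x10000000, 0x1, 0x10000000) != 0) {
		svc_exitProcess();
		return 1;
	}

	HIDUSER_Init(hidHandle);

	while (1) {
		/* Word 7 of the mapped HID block holds the current pad state. */
		u32 PAD = ((u32*)0x10000000)[7];

		renderEffect();
		swapBuffers();
		copyBuffer();

		/* Pad bits OR-ed with 0x01000000, written to register 0x202A04. */
		u32 regData = PAD | 0x01000000;
		GSPGPU_WriteHWRegs(gspGpuHandle, 0x202A04, (u8*)&regData, 4);

		svc_sleepThread(1000000000);
	}

	/* Unreachable while the loop above has no exit condition. */
	svc_exitProcess();
	return 0;
}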
/*
 * APT start-up handshake (original note: "initialize APT stuff, escape load
 * screen").
 *
 * Runs three steps in order: GetLockHandle, Initialize, Enable. Each step
 * opens its own "APT:U" session, issues one request, closes the session and
 * sleeps for a fixed delay. No return value is checked, so a failed lookup
 * is not detected here and the request is issued on whatever the handle
 * variable holds.
 */
void aptInit()
{
	enum { APT_STEP_DELAY = 0x50000 };
	Handle session;

	/* Step 1: request the APT lock handle. */
	srv_getServiceHandle(srvHandle, &session, "APT:U");
	APT_GetLockHandle(session, 0x0, NULL);
	svc_closeHandle(session);
	svc_sleepThread(APT_STEP_DELAY);

	/* Step 2: register as app ID 0x300 and receive the two APT events. */
	srv_getServiceHandle(srvHandle, &session, "APT:U");
	APT_Initialize(session, 0x300, APTevents, APTevents + 1);
	svc_closeHandle(session);
	svc_sleepThread(APT_STEP_DELAY);

	/* Step 3: enable. */
	srv_getServiceHandle(srvHandle, &session, "APT:U");
	APT_Enable(session, 0x0);
	svc_closeHandle(session);
	svc_sleepThread(APT_STEP_DELAY);
}
/*
 * Connect to "hid:USER" and map its shared-memory block.
 *
 * sharedMem: address at which to map the block; NULL selects
 *            HID_SHAREDMEM_DEFAULT.
 *
 * The chosen address is stored in hidSharedMem and handed to
 * svc_mapMemoryBlock as a plain integer. None of the calls is checked, so
 * callers that later index hidSharedMem rely on every step having
 * succeeded.
 */
void hidInit(u32* sharedMem)
{
	u32* target = sharedMem ? sharedMem : (u32*)HID_SHAREDMEM_DEFAULT;

	srv_getServiceHandle(NULL, &hidHandle, "hid:USER");
	HIDUSER_GetInfo(NULL, &hidMemHandle);

	hidSharedMem = target;
	svc_mapMemoryBlock(hidMemHandle, (u32)hidSharedMem, 0x1, 0x10000000);

	HIDUSER_Init(NULL);
}
/*
 * Obtain the APT service handle into _aptuHandle.
 *
 * If a service name has already been chosen (__apt_servicestr is set) it is
 * used directly. Otherwise the first three entries of __apt_servicenames
 * are tried in order and the first one that succeeds is remembered for
 * later calls.
 *
 * Returns the Result of the lookup (0 on success). If every candidate
 * fails, the last Result is stored to the address 0xdeadbabe before
 * returning.
 */
static Result __apt_initservicehandle()
{
	if (__apt_servicestr != NULL)
		return srv_getServiceHandle(NULL, &_aptuHandle, __apt_servicestr);

	Result rc = 0;
	u32 idx = 0;

	while (idx < 3) {
		char *candidate = (char*)__apt_servicenames[idx];

		rc = srv_getServiceHandle(NULL, &_aptuHandle, candidate);
		if (rc == 0) {
			__apt_servicestr = candidate;
			return rc;
		}
		idx++;
	}

	/*
	 * NOTE(review): presumably a deliberate fault so the failing Result
	 * shows up in a crash dump -- confirm. If that address happens to be
	 * writable the store succeeds and the error is just returned.
	 */
	*(u32*)0xdeadbabe = rc;
	return rc;
}
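/*
 * Entry point: initialise srv/APT/GSP/HID, load "/test.bin" from the SD
 * archive into the GSP heap, then render until APT reports a non-zero
 * status.
 *
 * The file is read and closed only when the open call succeeded.
 * fileHandle is uninitialised until FSUSER_OpenFileDirectly fills it in,
 * so reading or closing through it after a failed open would act on an
 * indeterminate handle value.
 */
int main()
{
	initSrv();
	aptInit(APPID_APPLICATION);
	gspGpuInit();
	hidInit(NULL);

	Handle fsuHandle;
	srv_getServiceHandle(NULL, &fsuHandle, "fs:USER");
	FSUSER_Initialize(fsuHandle);

	Handle fileHandle;
	u32 bytesRead;
	FS_archive sdmcArchive = (FS_archive){0x9, (FS_path){PATH_EMPTY, 1, (u8*)""}};
	/* Size 10 counts the nine path characters plus the terminating NUL. */
	FS_path filePath = (FS_path){PATH_CHAR, 10, (u8*)"/test.bin"};

	/* A Result of 0 means success, as with srv_getServiceHandle. */
	if (FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, sdmcArchive, filePath,
	                            FS_OPEN_READ, FS_ATTRIBUTE_NONE) == 0) {
		/*
		 * Reads at most 0x46500 bytes (288000 = 240*400*3, presumably
		 * one 24-bit top-screen frame -- confirm) to the start of
		 * gspHeap.
		 */
		FSFILE_Read(fileHandle, &bytesRead, 0x0, (u32*)gspHeap, 0x46500);
		FSFILE_Close(fileHandle);
	}

	aptSetupEventHandler();

	while (!aptGetStatus()) {
		/* Word 7 of the HID shared block holds the current pad state. */
		u32 PAD = hidSharedMem[7];

		renderEffect();
		swapBuffers();
		copyBuffer();

		u32 regData = PAD | 0x01000000;
		GSPGPU_WriteHWRegs(NULL, 0x202A04, &regData, 4);

		svc_sleepThread(1000000000);
	}

	svc_closeHandle(fsuHandle);
	hidExit();
	/*
	 * NOTE(review): the shutdown path calls gspGpuInit() again where an
	 * exit routine would be expected; left as written because no GSP
	 * teardown function is visible in this file -- confirm.
	 */
	gspGpuInit();
	aptExit();
	svc_exitProcess();
	return 0;
}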
/*
 * Bring up the GSP GPU service for this process.
 *
 * In order: obtain "gsp::Gpu", acquire rights, turn off forced-black on
 * the LCDs, fill the sub screen with blue, read the two top-left
 * framebuffer addresses and turn them into virtual addresses, register the
 * interrupt relay queue, map the GSP shared memory at a fixed virtual
 * address, allocate the GSP heap, wait on the GSP event, and finally
 * compute this thread's command-buffer pointer.
 *
 * The order of the service calls is kept exactly as in the original. No
 * Result is checked. The fixed mapping address and the physical-to-virtual
 * offset are hard-coded assumptions about the address-space layout.
 */
void gspGpuInit()
{
	enum { GSP_SHAREDMEM_VA = 0x10002000 };

	Handle irqEvent;
	Handle sharedMemHandle;
	u8 gspThreadId;
	u32 fillColour = 0x01FF0000;
	int fb;

	srv_getServiceHandle(srvHandle, &gspGpuHandle, "gsp::Gpu");

	GSPGPU_AcquireRight(gspGpuHandle, 0x0);
	GSPGPU_SetLcdForceBlack(gspGpuHandle, 0x0);

	/* Sub screen: solid blue. */
	GSPGPU_WriteHWRegs(gspGpuHandle, 0x202A04, (u8*)&fillColour, 4);

	/* Main-screen left framebuffer addresses, two words. */
	GSPGPU_ReadHWRegs(gspGpuHandle, 0x400468, (u8*)&topLeftFramebuffers, 8);

	/* Physical to virtual, on the assumption the framebuffers are in VRAM. */
	for (fb = 0; fb < 2; fb++)
		topLeftFramebuffers[fb] += 0x7000000;

	/* Shared-memory section used to exchange commands and interrupts. */
	svc_createEvent(&irqEvent, 0x0);
	GSPGPU_RegisterInterruptRelayQueue(gspGpuHandle, irqEvent, 0x1, &sharedMemHandle, &gspThreadId);
	svc_mapMemoryBlock(sharedMemHandle, GSP_SHAREDMEM_VA, 0x3, 0x10000000);

	/* GSP heap: 0x2000000 bytes, address returned in gspHeap. */
	svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x2000000, 0x10003, 0x3);

	/* Wait until the shared memory can be written. */
	svc_waitSynchronization1(irqEvent, 0x55bcb0);

	/* Per-thread command buffer: 0x200 bytes per thread, 0x800 into the block. */
	gxCmdBuf = (u32*)(GSP_SHAREDMEM_VA + 0x800 + gspThreadId * 0x200);

	currentBuffer = 0;
}
/*
 * Payload entry point, placed in the linker section ".text.a11.entry".
 *
 * As written, the routine:
 *   1. records the current framebuffer registers,
 *   2. overwrites one word at a fixed address in its own address space
 *      (the original comment describes this as patching the gsp event
 *      handler),
 *   3. stages up to 0x20000 bytes of a file to the fixed address 0x17F00000
 *      in 0x10000-byte blocks using GX texture copies,
 *   4. re-registers its own process with "srv:pm" using the access list in
 *      access_bin, then requests a "ps:ps" handle,
 *   5. calls PS_VerifyRsaSha256, which the original comments identify as
 *      the exploit trigger and after which control is not expected to
 *      return.
 *
 * For analysis: no return value in this routine is checked, and every
 * address is hard-coded.
 * NOTE(review): the fixed addresses presumably match one specific firmware
 * build -- confirm before drawing conclusions about other versions.
 *
 * Returns 0 only if the final call unexpectedly returns.
 */
int __attribute__ ((section (".text.a11.entry"))) _main()
{
	svc_sleepThread(0x10000000);

	// Get framebuffer addresses
	uint32_t regs[10];

	// The first two slots hold fixed marker values; register data starts at index 2.
	regs[0] = 0xDEADBABE;
	regs[1] = 0xBABEDADA;

	//FIXME where do these reg addresses come from?
	_GSPGPU_ReadHWRegs(gspHandle, 0x400468, &regs[0+2], 8); // framebuffer 1 top left & framebuffer 2 top left
	_GSPGPU_ReadHWRegs(gspHandle, 0x400494, &regs[2+2], 8); // framebuffer 1 top right & framebuffer 2 top right
	_GSPGPU_ReadHWRegs(gspHandle, 0x400568, &regs[4+2], 8); // framebuffer 1 bottom & framebuffer 2 bottom
	_GSPGPU_ReadHWRegs(gspHandle, 0x400478, &regs[6+2], 4); // framebuffer select top
	_GSPGPU_ReadHWRegs(gspHandle, 0x400578, &regs[7+2], 4); // framebuffer select bottom

	//patch gsp event handler addr to kill gsp thread ASAP, PA 0x267CF418
	// Direct store of a code address through a computed pointer; nothing validates the target.
	*((u32*)(0x003F8418+0x10+4*0x4))=0x002CA520; //svc 0x9 addr

	flashScreen();
	svc_sleepThread(0x10000000);

	// Read the main payload to 0x17F00000(0x23F00000 pa)
	// buffer points 0x10000 bytes into work_buffer and is reused for every block.
	u32* buffer = (work_buffer + 0x10000/sizeof(u32));
	IFILE file;
	unsigned int readBytes;
	_memset(&file, 0, sizeof(file));
	// The result of the open is not checked before the reads below.
	IFile_Open(&file, L"dmc:/arm9.bin", 1);

	const uint32_t block_size = 0x10000;
	for(u32 i = 0; i < 0x20000u; i += block_size)
	{
		IFile_Read(&file, &readBytes, (void*)buffer, block_size);
		// Flush the data cache for the block before the GPU copy reads it.
		GSPGPU_FlushDataCache(buffer, block_size);
		GX_SetTextureCopy(buffer, (void *)(0x17F00000 + i), block_size, 0, 0, 0, 0, 8);
		// A short read ends the loop; the partial block has already been queued.
		if(readBytes != block_size)
			break;
	}

	// Copy the magic to 0x18410000
	// Copy it twice to make it easier to find and avoid catching the wrong one
	buffer[0] = MAGIC_WORD;
	buffer[1] = MAGIC_WORD;

	// Store the top-left and top-right framebuffer addresses chosen by the top select register.
	if(regs[6+2])
	{
		buffer[2] = regs[0+2];
		buffer[3] = regs[2+2];
	}
	else
	{
		buffer[2] = regs[1+2];
		buffer[3] = regs[3+2];
	}

	// Same selection for the bottom screen.
	if(regs[7+2])
		buffer[4] = regs[4+2];
	else
		buffer[4] = regs[5+2];

	// Grab access to PS
	// The process connects to the "srv:pm" port, drops its own registration and
	// registers again with the 0x18-byte access list taken from access_bin.
	Handle port;
	svc_connectToPort(&port, "srv:pm");
	srv_RegisterClient(&port);
	u32 proc = 0;
	// NOTE(review): 0xFFFF8001 looks like the current-process pseudo-handle -- confirm.
	svc_getProcessId(&proc, 0xFFFF8001);
	srvUnregisterProcess(&port, proc);
	srvRegisterProcess(&port, proc, 0x18, (const void*)&access_bin[0]);

	Handle ps_handle = 0;
	srv_getServiceHandle(&port, &ps_handle, "ps:ps");

	svc_sleepThread(0x10000000);

	// Perform the exploit
	// res is never read after this call.
	Result res = PS_VerifyRsaSha256(&ps_handle);

	// We do not expect reaching here
	return 0;
}
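/*
 * Entry point of a small Frogger-style game: initialise services, lay out
 * the car and log positions, then run the input/draw/update loop until APT
 * reports a non-zero status.
 *
 * carx and logx are zero-initialised. The set-up loops do not write every
 * element (carx[5][1], carx[5][3], ... and the whole column carx[i][8] are
 * skipped), yet the draw and update loops read them, which in the original
 * was a read of indeterminate stack values. Elements the set-up does write
 * keep the values they had before.
 *
 * rand() is not available in this environment, so all start positions are
 * deterministic.
 */
int main()
{
	initSrv();
	aptInit(APPID_APPLICATION);
	gspGpuInit();
	hidInit(NULL);

	Handle fsuHandle;
	srv_getServiceHandle(NULL, &fsuHandle, "fs:USER");
	FSUSER_Initialize(fsuHandle);

	aptSetupEventHandler();
	init_map();

	int i;
	int j;
	int p = 4;
	int d = 0;
	int q;
	int frogx = 0;
	int frogy = 0;
	int carx[6][9] = {{0}};
	int logx[5][6] = {{0}};

	/* Row 0, even lanes start at the right edge (26). */
	for (d = 0; d < 8; d += 2) {
		carx[0][d] = 26;
		if (d < 5)
			logx[0][d] = 26;
	}

	/* Row 0, odd lanes start at the left edge (0). */
	for (d = 1; d < 8; d += 2) {
		if (d < 5)
			logx[0][d] = 0;
		carx[0][d] = 0;
	}

	/*
	 * Remaining rows, even lanes: spaced 6 apart beyond the right edge.
	 * p starts at 4 for the first lane only and at 0 for the others.
	 */
	for (q = 0; q < 8; q += 2) {
		for (d = 1; d < 6; d++) {
			if (q < 5 && d < 5)
				logx[d][q] = 26 + p + 6;
			carx[d][q] = 26 + p + 6;
			p = p + 6;
		}
		p = 0;
	}

	/* Remaining rows, odd lanes: spaced 6 apart beyond the left edge. */
	p = 0;
	for (q = 1; q < 8; q += 2) {
		for (d = 1; d < 5; d++) {
			if (q < 5)
				logx[d][q] = p - 6;
			carx[d][q] = p - 6;
			p = p - 6;
		}
		p = 0;
	}

	while (!aptGetStatus()) {
		/* Word 7 of the HID shared block holds the current pad state. */
		u32 PAD = hidSharedMem[7];

		/* Exact comparison: only a single pressed direction moves the frog. */
		if (PAD == BUTTON_UP) {
			frogy += 1;
		} else if (PAD == BUTTON_DOWN) {
			frogy += -1;
		} else if (PAD == BUTTON_LEFT) {
			frogx += -1;
		} else if (PAD == BUTTON_RIGHT) {
			frogx += 1;
		}

		u32 regData = PAD | 0x01000000;

		init_map();

		for (i = 0; i < 6; i++) {
			for (j = 0; j < 8; j++) {
				draw_car(carx[i][j], 15 + j * 15);
				if (i < 5 && j < 5)
					draw_logs(logx[i][j], 150 + j * 15);
			}
		}
		draw_frog(frogx, frogy);

		/* Car collision: the frog goes back to the start. */
		for (i = 0; i < 6; i++) {
			for (j = 0; j < 8; j++) {
				if (frogy == j + 1 && frogx == carx[i][j]) {
					frogy = 0;
					frogx = 0;
				}
			}
		}

		/*
		 * Water rows (frogy above 9): on a log the frog drifts left by
		 * one, otherwise it goes back to the start. The test runs once
		 * per log in the lane, exactly as in the original.
		 */
		if (frogy > 9) {
			for (i = 0; i < 5; i++) {
				for (j = 0; j < 5; j++) {
					if (frogy == j + 10) {
						if (frogx == logx[i][j] || frogx == logx[i][j] + 1 || frogx == logx[i][j] + 2) {
							frogx = frogx - 1;
						} else {
							frogx = 0;
							frogy = 0;
						}
					}
				}
			}
		}

		/* Even lanes move left and wrap from 0 to 26. */
		for (i = 0; i < 6; i++) {
			for (j = 0; j < 9; j = j + 2) {
				if (i < 5 && j < 5) {
					if (logx[i][j] == 0) {
						logx[i][j] = 26;
					} else {
						logx[i][j] = logx[i][j] - 1;
					}
				}
				if (carx[i][j] == 0) {
					carx[i][j] = 26;
				} else {
					carx[i][j] = carx[i][j] - 1;
				}
			}
		}

		/* Odd lanes move right and wrap from 26 to 0. */
		for (i = 0; i < 6; i++) {
			for (j = 1; j < 9; j = j + 2) {
				if (i < 5 && j < 5) {
					if (logx[i][j] == 26) {
						logx[i][j] = 0;
					} else {
						logx[i][j] = logx[i][j] + 1;
					}
				}
				if (carx[i][j] == 26) {
					carx[i][j] = 0;
				} else {
					carx[i][j] = carx[i][j] + 1;
				}
			}
		}

		copyBuffer();
		swapBuffers();
		GSPGPU_WriteHWRegs(NULL, 0x202A04, &regData, 4);
		svc_sleepThread(220000000);
	}

	svc_closeHandle(fsuHandle);
	hidExit();
	/*
	 * NOTE(review): the shutdown path calls gspGpuInit() again where an
	 * exit routine would be expected; left as written because no GSP
	 * teardown function is visible in this file -- confirm.
	 */
	gspGpuInit();
	aptExit();
	svc_exitProcess();
	return 0;
}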
/*
 * Load a 3dsx executable into the current process and jump to it.
 *
 * executable: open file handle of the 3dsx image; closed by this function.
 * argbuf:     argument buffer passed through to setup3dsx.
 *
 * Sequence: initialise srv and GSP, free extra data pages, reset the menu
 * ropbin, build a stack copy of the service list with duplicated handles,
 * optionally alias hid:SPVR as hid:USER, set up the 3dsx with either a
 * custom or a predefined memory map, launch and terminate a title through
 * ns:s, free the heap and start execution.
 *
 * Statement order matters here (see the note on the final heap free), so
 * the code is left untouched. Failures are signalled by storing to fixed
 * 0xCAFE000x addresses rather than by returning an error.
 */
void run3dsx(Handle executable, u32* argbuf)
{
	initSrv();
	gspGpuInit();

	// free extra data pages if any
	freeDataPages(0x14000000);
	freeDataPages(0x30000000);

	// reset menu ropbin (in case of a crash)
	{
		u32 _argbuf = 0;
		// Temporary 0x01000000-byte allocation, released again right after the patch.
		svc_controlMemory((u32*)&gspHeap, 0x0, 0x0, 0x01000000, 0x10003, 0x3);
		patchMenuRop(1, &_argbuf, 4);
		svc_controlMemory((u32*)&gspHeap, (u32)gspHeap, 0x0, 0x01000000, MEMOP_FREE, 0x0);
	}

	// duplicate service list on the stack
	// also add hid:SPVR as hid:USER if appropriate
	// (for backwards compat as old homebrew only supports hid:USER)
	// NOTE(review): variable-length array sized from _serviceList.num with room for
	// one extra entry; no upper bound on num is visible here, so stack use scales
	// with the list length -- confirm where num is limited.
	// NOTE(review): a u8 array is accessed through a service_list_t pointer; that
	// relies on the buffer being suitably aligned for the struct -- confirm.
	u8 serviceBuffer[0x4+0xC*(_serviceList.num + 1)];
	service_list_t* serviceList = (service_list_t*)serviceBuffer;
	serviceList->num = _serviceList.num;
	int i;
	for(i=0; i<_serviceList.num; i++)
	{
		// Names are copied as fixed 8-byte fields; handles are duplicated, not shared.
		memcpy(serviceList->services[i].name, _serviceList.services[i].name, 8);
		// The result of the duplication is not checked.
		svc_duplicateHandle(&serviceList->services[i].handle, _serviceList.services[i].handle);
	}

	// handle hid:USER missing case
	{
		Handle hidUSER = 0;
		// Taken only when the hid:USER lookup fails (non-zero) and the hid:SPVR lookup succeeds (zero).
		if(srv_getServiceHandle(NULL, &hidUSER, "hid:USER") && !srv_getServiceHandle(NULL, &hidUSER, "hid:SPVR"))
		{
			// The hid:SPVR handle is published under the name "hid:USER" in the spare slot.
			memcpy(serviceList->services[serviceList->num].name, "hid:USER", 8);
			serviceList->services[serviceList->num].handle = hidUSER;
			serviceList->num++;
		}else svc_closeHandle(hidUSER); // hid:USER was available, or both lookups failed
	}

	vu32* targetProcessIndex = &_targetProcessIndex;
	// NOTE(review): assuming vu32 is an unsigned 32-bit type, -2 is compared as 0xFFFFFFFE.
	if(*targetProcessIndex == -2)
	{
		// create local copy of process map
		u32 _customProcessBuffer[0x40];
		memorymap_t* const _customProcessMap = (memorymap_t*)_customProcessBuffer;
		memcpy(_customProcessBuffer, customProcessBuffer, sizeof(_customProcessBuffer));

		// adjust it given the information we now have such as text size, data location and size...
		MemInfo minfo;
		PageInfo pinfo;

		// ret is assigned by each query below but never tested; a failed query would
		// leave minfo.size unchanged or unset and still feed the map.

		// get .text info
		Result ret = svc_queryMemory(&minfo, &pinfo, 0x00100000);
		_customProcessMap->header.text_end = minfo.size + 0x00100000;

		// get rodata info
		ret = svc_queryMemory(&minfo, &pinfo, _customProcessMap->header.text_end);
		_customProcessMap->header.data_address = minfo.size + _customProcessMap->header.text_end;

		// get data info
		ret = svc_queryMemory(&minfo, &pinfo, _customProcessMap->header.data_address);
		_customProcessMap->header.data_size = minfo.size;

		// setup 3dsx with custom local map
		setup3dsx(executable, (memorymap_t*)_customProcessMap, serviceList, argbuf);
	}
	// NOTE(review): the index into app_maps is not range-checked in this function -- confirm
	// that _targetProcessIndex is validated where it is set.
	else setup3dsx(executable, (memorymap_t*)app_maps[*targetProcessIndex], serviceList, argbuf);

	FSFILE_Close(executable);

	gspGpuExit();
	exitSrv();

	// grab ns:s handle
	Handle nssHandle = 0x0;
	for(i=0; i<_serviceList.num; i++)if(!strcmp(_serviceList.services[i].name, "ns:s"))nssHandle=_serviceList.services[i].handle;
	// No ns:s entry: store to a fixed address (presumably a deliberate fault marker -- confirm).
	if(!nssHandle)*(vu32*)0xCAFE0001=0;

	// use ns:s to launch/kill process and invalidate icache in the process
	// Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000003702LL, 0x1);
	Result ret = NSS_LaunchTitle(&nssHandle, 0x0004013000002A02LL, 0x1);
	if(ret)*(u32*)0xCAFE0002=ret;
	svc_sleepThread(100*1000*1000);
	// ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000003702LL, 100*1000*1000);
	ret = NSS_TerminateProcessTID(&nssHandle, 0x0004013000002A02LL, 100*1000*1000);
	if(ret)*(u32*)0xCAFE0003=ret;

	// invalidate_icache();

	// free heap (has to be the very last thing before jumping to app as contains bss)
	u32 out;
	svc_controlMemory(&out, (u32)_heap_base, 0x0, _heap_size, MEMOP_FREE, 0x0);

	start_execution();
}
/*
 * Begin an APT session: wait on the APT lock, then fetch a fresh service
 * handle into _aptuHandle using the service name stored in
 * __apt_servicestr.
 *
 * Neither call is checked, so a failed lookup is not reported to the
 * caller.
 */
void _aptOpenSession()
{
	/* U64_MAX timeout: block until the lock handle is signalled. */
	svc_waitSynchronization1(_aptLockHandle, U64_MAX);

	/* Open the session only once the lock is held. */
	srv_getServiceHandle(NULL, &_aptuHandle, __apt_servicestr);
}