diff --git a/Makefile b/Makefile index 3ef32cd..3b7a97c 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ dir_build := build dir_mset := CakeHax dir_out := out dir_emu := emunand -dir_thread := thread +dir_reboot := reboot dir_ninjhax := CakeBrah ASFLAGS := -mlittle-endian -mcpu=arm946e-s -march=armv5te @@ -33,16 +33,28 @@ objects_cfw = $(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \ .PHONY: all -all: launcher emunand thread ninjhax +all: launcher emunand emunando3ds reboot reboot2 rebootntr reboot2ntr ninjhax .PHONY: launcher launcher: $(dir_out)/$(name).dat .PHONY: emunand -emunand: $(dir_out)/rei/emunand/emunand.bin +emunand: $(dir_out)/rei-n3ds/emunand/emunand.bin -.PHONY: thread -thread: $(dir_out)/rei/thread/arm9.bin +.PHONY: emunando3ds +emunand: $(dir_out)/rei-o3ds/emunand/emunand.bin + +.PHONY: reboot +reboot: $(dir_out)/rei-o3ds/reboot/reboot1.bin + +.PHONY: reboot2 +reboot: $(dir_out)/rei-o3ds/reboot/reboot2.bin + +.PHONY: rebootntr +reboot: $(dir_out)/ntr-o3ds/reboot/reboot1.bin + +.PHONY: reboot2ntr +reboot: $(dir_out)/ntr-o3ds/reboot/reboot2.bin .PHONY: ninjhax ninjhax: $(dir_out)/3ds/$(name) @@ -54,7 +66,7 @@ clean: rm -rf $(dir_out) $(dir_build) .PHONY: $(dir_out)/$(name).dat -$(dir_out)/$(name).dat: $(dir_build)/main.bin $(dir_out)/rei/ +$(dir_out)/$(name).dat: $(dir_build)/main.bin $(dir_out)/rei-n3ds/ $(dir_out)/rei-o3ds/ @$(MAKE) $(FLAGS) -C $(dir_mset) launcher dd if=$(dir_build)/main.bin of=$@ bs=512 seek=144 @@ -63,20 +75,40 @@ $(dir_out)/3ds/$(name): @$(MAKE) $(FLAGS) -C $(dir_ninjhax) @mv $(dir_out)/$(name).3dsx $@ @mv $(dir_out)/$(name).smdh $@ + +$(dir_out)/rei-n3ds/: $(dir_data)/firmware.bin + @mkdir -p "$(dir_out)/rei-n3ds" + @cp -av $(dir_data)/firmware.bin $@ + +$(dir_out)/rei-o3ds/: $(dir_data)/firmwareo3ds.bin + @mkdir -p "$(dir_out)/rei-o3ds" + @cp -av $(dir_data)/firmwareo3ds.bin $(dir_out)/rei-o3ds/firmware.bin -$(dir_out)/rei/: $(dir_data)/firmware.bin $(dir_data)/splash.bin $(dir_data)/RAM.txt - @mkdir -p "$(dir_out)/rei" - @cp -av $(dir_data)/* $@ - -$(dir_out)/rei/thread/arm9.bin: $(dir_thread) - @$(MAKE) $(FLAGS) -C $(dir_thread) - @mkdir -p "$(dir_out)/rei/thread" - @mv $(dir_thread)/arm9.bin $(dir_out)/rei/thread - -$(dir_out)/rei/emunand/emunand.bin: $(dir_emu)/emuCode.s +$(dir_out)/rei-n3ds/emunand/emunand.bin: $(dir_emu)/emuCode.s @armips $< - @mkdir -p "$(dir_out)/rei/emunand" - @mv emunand.bin $(dir_out)/rei/emunand + @mkdir -p "$(dir_out)/rei-n3ds/emunand" + @mv emunand.bin $(dir_out)/rei-n3ds/emunand + +$(dir_out)/rei-o3ds/emunand/emunand.bin: $(dir_emu)/emuCodeo3ds.s + @armips $< + @mkdir -p "$(dir_out)/rei-o3ds/emunand" + @mv emunand.bin $(dir_out)/rei-o3ds/emunand + +$(dir_out)/rei-o3ds/reboot/reboot1.bin: $(dir_reboot)/rebootCode.s + @armips $< + @mkdir -p "$(dir_out)/rei-o3ds/reboot" + @mv reboot1.bin $(dir_out)/rei-o3ds/reboot + +$(dir_out)/rei-o3ds/reboot/reboot2.bin: $(dir_reboot)/rebootCode.s + @mv reboot2.bin $(dir_out)/rei-o3ds/reboot + +$(dir_out)/ntr-o3ds/reboot/reboot1.bin: $(dir_reboot)/rebootCodeNtr.s + @armips $< + @mkdir -p "$(dir_out)/ntr-o3ds/reboot" + @mv reboot1.bin $(dir_out)/ntr-o3ds/reboot + +$(dir_out)/ntr-o3ds/reboot/reboot2.bin: $(dir_reboot)/rebootCodeNtr.s + @mv reboot2.bin $(dir_out)/ntr-o3ds/reboot $(dir_build)/main.bin: $(dir_build)/main.elf $(OC) -S -O binary $< $@ diff --git a/data/RAM.txt b/data/RAM.txt deleted file mode 100644 index 5a62826..0000000 --- a/data/RAM.txt +++ /dev/null @@ -1 +0,0 @@ -536870912 \ No newline at end of file diff --git a/data/firmware.bin b/data/firmware.bin deleted file mode 100644 index c478972..0000000 Binary files a/data/firmware.bin and /dev/null differ diff --git a/data/splash.bin b/data/splash.bin deleted file mode 100644 index 17c09b8..0000000 Binary files a/data/splash.bin and /dev/null differ diff --git a/emunand/emuCodeo3ds.s b/emunand/emuCodeo3ds.s new file mode 100644 index 0000000..49caf96 --- /dev/null +++ b/emunand/emuCodeo3ds.s @@ -0,0 +1,50 @@ +.nds + +sdmmc equ 0x434D4453 ;dummy + +.create "emunand.bin", 0x0801A4C0 +.org 0x0801A4C0 +.arm +nand_sd: + ; Original code that still needs to be executed. + mov r4, r0 + mov r5, r1 + mov r7, r2 + mov r6, r3 + ; End. + + ; If we're already trying to access the SD, return. + ldr r2, [r0, #4] + ldr r1, =sdmmc + cmp r2, r1 + beq nand_sd_ret + + str r1, [r0, #4] ; Set object to be SD + ldr r2, [r0, #8] ; Get sector to read + cmp r2, #0 ; For GW compatibility, see if we're trying to read the ncsd header (sector 0) + + ldr r3, =nand_offset + ldr r3, [r3] + add r2, r3 ; Add the offset to the NAND in the SD. + + ldreq r3, =ncsd_header_offset + ldreq r3, [r3] + addeq r2, r3 ; If we're reading the ncsd header, add the offset of that sector. + + str r2, [r0, #8] ; Store sector to read + + nand_sd_ret: + ; Restore registers. + mov r1, r5 + mov r2, r7 + mov r3, r6 + + ; Return 4 bytes behind where we got called, + ; due to the offset of this function being stored there. + mov r0, lr + add r0, #4 + bx r0 +.pool +nand_offset: .ascii "NAND" ; for rednand this should be 1 +ncsd_header_offset: .ascii "NCSD" ; depends on nand manufacturer + emunand type (GW/RED) +.close diff --git a/reboot/rebootCode.s b/reboot/rebootCode.s new file mode 100644 index 0000000..a7597d7 --- /dev/null +++ b/reboot/rebootCode.s @@ -0,0 +1,159 @@ +.nds + +firm_size equ 0x000EA000 +firm_addr equ 0x24000000 +fopen equ 0x08059D10 +fread equ 0x0804CC54 +pxi_wait_recv equ 0x08054134 + +.macro svc, num + .if isArm() + .word 0xEF000000 | num + .else + .if num > 0xFF + .error "bitch you crazu" + .endif + .halfword 0xDF00 | num + .endif +.endmacro + +.create "reboot1.bin", 0x080849DC +.org 0x080849DC +.arm +patch005: + ldr r0, =0x2000E000 + mov r1, #0x200 + mov r2, #0 + add r1, r1, r0 +@@memset_loop: + str r2, [r0] + add r0, r0, #4 + cmp r0, r1 + blt @@memset_loop + ldr r0, =0x2000E000 + ldr r1, =firm_fname + mov r2, #1 + blx fopen + ldr r0, =0x2000E000 + ldr r1, =0x2000E100 + mov r2, #firm_addr + mov r3, #firm_size + blx fread + + ldr r4, =0x44846 + blx pxi_wait_recv + cmp r0, r4 + bne patch005 + mov r2, #0 + mov r3, r2 + mov r1, r2 + mov r0, r2 + svc 0x7C + ldr r0, =0x80FF4FC + svc 0x7B + +@@inf_loop: + b @@inf_loop +.pool +firm_fname: +.close + +.create "reboot2.bin", 0x080933CC +.org 0x080933CC +.arm + stmfd sp!, {r4-r11,lr} + sub sp, sp, #0x3C + mrc p15, 0, r0, c2, c0, 0 ; dcacheable + mrc p15, 0, r12, c2, c0, 1 ; icacheable + mrc p15, 0, r1, c3, c0, 0 ; write bufferable + mrc p15, 0, r2, c5, c0, 2 ; daccess + mrc p15, 0, r3, c5, c0, 3 ; iaccess + ldr r4, =0x18000035 ; 0x18000000 128M + bic r2, r2, #0xF0000 ; unprotect region 4 + bic r3, r3, #0xF0000 ; unprotect region 4 + orr r0, r0, #0x10 ; dcacheable region 4 + orr r2, r2, #0x30000 ; region 4 r/w + orr r3, r3, #0x30000 ; region 4 r/w + orr r12, r12, #0x10 ; icacheable region 4 + orr r1, r1, #0x10 ; write bufferable region 4 + mcr p15, 0, r0, c2, c0, 0 + mcr p15, 0, r12, c2, c0, 1 + mcr p15, 0, r1, c3, c0, 0 ; write bufferable + mcr p15, 0, r2, c5, c0, 2 ; daccess + mcr p15, 0, r3, c5, c0, 3 ; iaccess + mcr p15, 0, r4, c6, c4, 0 ; region 4 (hmmm) + + mrc p15, 0, r0, c2, c0, 0 ; dcacheable + mrc p15, 0, r1, c2, c0, 1 ; icacheable + mrc p15, 0, r2, c3, c0, 0 ; write bufferable + orr r0, r0, #0x20 ; dcacheable region 5 + orr r1, r1, #0x20 ; icacheable region 5 + orr r2, r2, #0x20 ; write bufferable region 5 + mcr p15, 0, r0, c2, c0, 0 ; dcacheable + mcr p15, 0, r1, c2, c0, 1 ; icacheable + mcr p15, 0, r2, c3, c0, 0 ; write bufferable + + mov r4, #firm_addr + add r3, r4, #0x40 + ldr r0, [r3] ; offset + add r0, r0, r4 ; src + ldr r1, [r3,#4] ; dst + ldr r2, [r3,#8] ; size + bl memcpy32 + add r3, r4, #0x70 + ldr r0, [r3] + add r0, r0, r4 ; src + ldr r1, [r3,#4] ; dst + ldr r2, [r3,#8] ; size + bl memcpy32 + add r3, r4, #0xA0 + ldr r0, [r3] + add r0, r0, r4 ; src + ldr r1, [r3,#4] ; dst + ldr r2, [r3,#8] ; size + bl memcpy32 + mov r2, #0 + mov r1, r2 +@flush_cache: + mov r0, #0 + mov r3, r2, lsl#30 +@flush_cache_inner_loop: + orr r12, r3, r0, lsl#5 + mcr p15, 0, r1, c7, c10, 4 ; drain write buffer + mcr p15, 0, r12, c7, c14, 2 ; clean and flush dcache entry (index and segment) + add r0, r0, #1 + cmp r0, #0x20 + bcc @flush_cache_inner_loop + add r2, r2, #1 + cmp r2, #4 + bcc @flush_cache + mcr p15, 0, r1, c7, c10, 4 ; drain write buffer +@mpu_enable: + ldr r0, =0x42078 ; alt vector select, enable itcm + mcr p15, 0, r0, c1, c0, 0 + mcr p15, 0, r1, c7, c5, 0 ; flush dcache + mcr p15, 0, r1, c7, c6, 0 ; flush icache + mcr p15, 0, r1, c7, c10, 4 ; drain write buffer + mov r0, #firm_addr + mov r1, 0X1FFFFFFC + ldr r2, [r0,#8] ; arm11 entry + str r2, [r1] + ldr r0, [r0,#0xC] ; arm9 entry + add sp, sp, #0x3C + ldmfd sp!, {r4-r11,lr} + bx r0 +.pool +memcpy32: ; memcpy32(void *src, void *dst, unsigned int size) + mov r12, lr + stmfd sp!, {r0-r4} + add r2, r2, r0 +@memcpy_loop: + ldr r3, [r0], #4 + str r3, [r1], #4 + cmp r0, r2 + blt @memcpy_loop + ldmfd sp!, {r0-r4} + mov lr, r12 + bx lr +.pool +.close diff --git a/reboot/rebootCodeNtr.s b/reboot/rebootCodeNtr.s new file mode 100644 index 0000000..6caab83 --- /dev/null +++ b/reboot/rebootCodeNtr.s @@ -0,0 +1,159 @@ +.nds + +firm_size equ 0x000EB000 +firm_addr equ 0x24000000 +fopen equ 0x0805B180 +fread equ 0x0804D9B0 +pxi_wait_recv equ 0x08055178 + +.macro svc, num + .if isArm() + .word 0xEF000000 | num + .else + .if num > 0xFF + .error "bitch you crazu" + .endif + .halfword 0xDF00 | num + .endif +.endmacro + +.create "reboot1.bin", 0x080859C8 +.org 0x080859C8 +.arm +patch005: + ldr r0, =0x2000E000 + mov r1, #0x200 + mov r2, #0 + add r1, r1, r0 +@@memset_loop: + str r2, [r0] + add r0, r0, #4 + cmp r0, r1 + blt @@memset_loop + ldr r0, =0x2000E000 + ldr r1, =firm_fname + mov r2, #1 + blx fopen + ldr r0, =0x2000E000 + ldr r1, =0x2000E100 + mov r2, #firm_addr + mov r3, #firm_size + blx fread + + ldr r4, =0x44846 + blx pxi_wait_recv + cmp r0, r4 + bne patch005 + mov r2, #0 + mov r3, r2 + mov r1, r2 + mov r0, r2 + svc 0x7C + ldr r0, =0x80FF4FC + svc 0x7B + +@@inf_loop: + b @@inf_loop +.pool +firm_fname: +.close + +.create "reboot2.bin", 0x08094454 +.org 0x08094454 +.arm + stmfd sp!, {r4-r11,lr} + sub sp, sp, #0x3C + mrc p15, 0, r0, c2, c0, 0 ; dcacheable + mrc p15, 0, r12, c2, c0, 1 ; icacheable + mrc p15, 0, r1, c3, c0, 0 ; write bufferable + mrc p15, 0, r2, c5, c0, 2 ; daccess + mrc p15, 0, r3, c5, c0, 3 ; iaccess + ldr r4, =0x18000035 ; 0x18000000 128M + bic r2, r2, #0xF0000 ; unprotect region 4 + bic r3, r3, #0xF0000 ; unprotect region 4 + orr r0, r0, #0x10 ; dcacheable region 4 + orr r2, r2, #0x30000 ; region 4 r/w + orr r3, r3, #0x30000 ; region 4 r/w + orr r12, r12, #0x10 ; icacheable region 4 + orr r1, r1, #0x10 ; write bufferable region 4 + mcr p15, 0, r0, c2, c0, 0 + mcr p15, 0, r12, c2, c0, 1 + mcr p15, 0, r1, c3, c0, 0 ; write bufferable + mcr p15, 0, r2, c5, c0, 2 ; daccess + mcr p15, 0, r3, c5, c0, 3 ; iaccess + mcr p15, 0, r4, c6, c4, 0 ; region 4 (hmmm) + + mrc p15, 0, r0, c2, c0, 0 ; dcacheable + mrc p15, 0, r1, c2, c0, 1 ; icacheable + mrc p15, 0, r2, c3, c0, 0 ; write bufferable + orr r0, r0, #0x20 ; dcacheable region 5 + orr r1, r1, #0x20 ; icacheable region 5 + orr r2, r2, #0x20 ; write bufferable region 5 + mcr p15, 0, r0, c2, c0, 0 ; dcacheable + mcr p15, 0, r1, c2, c0, 1 ; icacheable + mcr p15, 0, r2, c3, c0, 0 ; write bufferable + + mov r4, #firm_addr + add r3, r4, #0x40 + ldr r0, [r3] ; offset + add r0, r0, r4 ; src + ldr r1, [r3,#4] ; dst + ldr r2, [r3,#8] ; size + bl memcpy32 + add r3, r4, #0x70 + ldr r0, [r3] + add r0, r0, r4 ; src + ldr r1, [r3,#4] ; dst + ldr r2, [r3,#8] ; size + bl memcpy32 + add r3, r4, #0xA0 + ldr r0, [r3] + add r0, r0, r4 ; src + ldr r1, [r3,#4] ; dst + ldr r2, [r3,#8] ; size + bl memcpy32 + mov r2, #0 + mov r1, r2 +@flush_cache: + mov r0, #0 + mov r3, r2, lsl#30 +@flush_cache_inner_loop: + orr r12, r3, r0, lsl#5 + mcr p15, 0, r1, c7, c10, 4 ; drain write buffer + mcr p15, 0, r12, c7, c14, 2 ; clean and flush dcache entry (index and segment) + add r0, r0, #1 + cmp r0, #0x20 + bcc @flush_cache_inner_loop + add r2, r2, #1 + cmp r2, #4 + bcc @flush_cache + mcr p15, 0, r1, c7, c10, 4 ; drain write buffer +@mpu_enable: + ldr r0, =0x42078 ; alt vector select, enable itcm + mcr p15, 0, r0, c1, c0, 0 + mcr p15, 0, r1, c7, c5, 0 ; flush dcache + mcr p15, 0, r1, c7, c6, 0 ; flush icache + mcr p15, 0, r1, c7, c10, 4 ; drain write buffer + mov r0, #firm_addr + mov r1, 0X1FFFFFFC + ldr r2, [r0,#8] ; arm11 entry + str r2, [r1] + ldr r0, [r0,#0xC] ; arm9 entry + add sp, sp, #0x3C + ldmfd sp!, {r4-r11,lr} + bx r0 +.pool +memcpy32: ; memcpy32(void *src, void *dst, unsigned int size) + mov r12, lr + stmfd sp!, {r0-r4} + add r2, r2, r0 +@memcpy_loop: + ldr r3, [r0], #4 + str r3, [r1], #4 + cmp r0, r2 + blt @memcpy_loop + ldmfd sp!, {r0-r4} + mov lr, r12 + bx lr +.pool +.close diff --git a/source/crypto.c b/source/crypto.c old mode 100644 new mode 100755 index ec9b8b1..8a9c254 --- a/source/crypto.c +++ b/source/crypto.c @@ -353,57 +353,70 @@ int rsa_verify(const void* data, u32 size, const void* sig, u32 mode) return memcmp(dataHash, decSig + (sigSize - SHA_256_HASH_SIZE), SHA_256_HASH_SIZE) == 0; } -void xor(u8 *dest, u8 *data1, u8 *data2, u32 size){ - int i; for(i = 0; i < size; i++) *(dest+i) = *(data1+i) ^ *(data2+i); -} - /**************************************************************** * Nand/FIRM Crypto stuff ****************************************************************/ -const u8 memeKey[0x10] = { - 0x52, 0x65, 0x69, 0x20, 0x69, 0x73, 0x20, 0x62, 0x65, 0x73, 0x74, 0x20, 0x67, 0x69, 0x72, 0x6C -}; + +//Get Nand CTR key +void getNandCTR(u8 *buf, u8 console) { + u8 *addr = console ? (u8*)0x080D8BBC : (u8*)0x080D797C; + u8 keyLen = 0x10; //CTR length + addr += 0x0F; + while (keyLen --) { *(buf++) = *(addr--); } +} + +//Read firm0 from NAND and write to buffer +void nandFirm0(u8 *outbuf, const u32 size, u8 console){ + u8 CTR[0x10]; + getNandCTR(CTR, console); + aes_advctr(CTR, 0x0B130000/0x10, AES_INPUT_BE | AES_INPUT_NORMAL); + sdmmc_nand_readsectors(0x0B130000 / 0x200, size / 0x200, outbuf); + aes_use_keyslot(0x06); + aes(outbuf, outbuf, size / AES_BLOCK_SIZE, CTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL); +} //Emulates the Arm9loader process -void arm9loader(void *armHdr){ +void arm9loader(void *armHdr, u8 mode){ //Nand key#2 (0x12C10) u8 key2[0x10] = { - 0x10, 0x5A, 0xE8, 0x5A, 0x4A, 0x21, 0x78, 0x53, 0x0B, 0x06, 0xFA, 0x1A, 0x5E, 0x2A, 0x5C, 0xBC + 0x42, 0x3F, 0x81, 0x7A, 0x23, 0x52, 0x58, 0x31, 0x6E, 0x75, 0x8E, 0x3A, 0x39, 0x43, 0x2E, 0xD0 }; - + //Firm keys u8 keyX[0x10]; u8 keyY[0x10]; u8 CTR[0x10]; - u32 slot = 0x16; + u32 slot = mode ? 0x16 : 0x15; //Setup keys needed for arm9bin decryption - xor(key2, key2, memeKey, 0x10); memcpy((u8*)keyY, (void *)((uintptr_t)armHdr+0x10), 0x10); memcpy((u8*)CTR, (void *)((uintptr_t)armHdr+0x20), 0x10); u32 size = atoi((void *)((uintptr_t)armHdr+0x30)); - //Set 0x11 to key2 for the arm9bin and misc keys - aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL); - aes_use_keyslot(0x11); - - //Set 0x16 keyX, keyY and CTR - aes((u8*)keyX, (void *)((uintptr_t)armHdr+0x60), 1, NULL, AES_ECB_DECRYPT_MODE, 0); - aes_setkey(slot, (u8*)keyX, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL); + if(mode){ + //Set 0x11 to key2 for the arm9bin and misc keys + aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL); + aes_use_keyslot(0x11); + aes((u8*)keyX, (void *)((uintptr_t)armHdr+0x60), 1, NULL, AES_ECB_DECRYPT_MODE, 0); + aes_setkey(slot, (u8*)keyX, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL); + } + aes_setkey(slot, (u8*)keyY, AES_KEYY, AES_INPUT_BE | AES_INPUT_NORMAL); aes_setiv((u8*)CTR, AES_INPUT_BE | AES_INPUT_NORMAL); aes_use_keyslot(slot); //Decrypt arm9bin aes((void *)(armHdr+0x800), (void *)(armHdr+0x800), size/AES_BLOCK_SIZE, CTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL); - - //Set keys 0x19..0x1F keyXs - u8* decKey = (void *)((uintptr_t)armHdr+0x89824); - aes_use_keyslot(0x11); - for(slot = 0x19; slot < 0x20; slot++) { - aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL); - aes(decKey, (void *)((uintptr_t)armHdr+0x89814), 1, NULL, AES_ECB_DECRYPT_MODE, 0); - aes_setkey(slot, (u8*)decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL); - *(u8 *)((void *)((uintptr_t)armHdr+0x89814+0xF)) += 1; + + if(mode){ + //Set keys 0x19..0x1F keyXs + u8* decKey = (void *)((uintptr_t)armHdr+0x89824); + aes_use_keyslot(0x11); + for(slot = 0x19; slot < 0x20; slot++) { + aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL); + aes(decKey, (void *)((uintptr_t)armHdr+0x89814), 1, NULL, AES_ECB_DECRYPT_MODE, 0); + aes_setkey(slot, (u8*)decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL); + *(u8 *)((void *)((uintptr_t)armHdr+0x89814+0xF)) += 1; + } } } \ No newline at end of file diff --git a/source/crypto.h b/source/crypto.h old mode 100644 new mode 100755 index ce49bbe..197132f --- a/source/crypto.h +++ b/source/crypto.h @@ -129,10 +129,10 @@ void sha(void* res, const void* src, u32 size, u32 mode); void rsa_setkey(u32 keyslot, const void* mod, const void* exp, u32 mode); void rsa_use_keyslot(u32 keyslot); int rsa_verify(const void* data, u32 size, const void* sig, u32 mode); -void xor(u8 *dest, u8 *data1, u8 *data2, u32 size); //NAND/FIRM stuff -extern const u8 memeKey[0x10]; -void arm9loader(void *armHdr); +void getNandCTR(u8 *buf, u8 console); +void nandFirm0(u8 *outbuf, const u32 size, u8 console); +void arm9loader(void *armHdr, u8 mode); #endif /*__CRYPTO_H*/ diff --git a/source/draw.c b/source/draw.c index 29994c8..d0e7b3b 100644 --- a/source/draw.c +++ b/source/draw.c @@ -8,6 +8,8 @@ #include "fs.h" #include "memory.h" +static struct fb* fb = (struct fb*) 0x23FFFE00; + void clearScreen(void){ memset(fb->top_left, 0, 0x38400); memset(fb->top_right, 0, 0x38400); @@ -16,6 +18,6 @@ void clearScreen(void){ void loadSplash(void){ clearScreen(); - fileRead(fb->top_left, "/rei/splash.bin", 0x46500); - unsigned i,t; for(t=120;t>0;t--){for(i=0xFFFF;i>0;i--);}; //Ghetto sleep func + if(fileRead(fb->top_left, "/rei/splash.bin", 0x46500) != 0) return; + unsigned i,t; for(t=220;t>0;t--){for(i=0xFFFF;i>0;i--);}; //Ghetto sleep func } \ No newline at end of file diff --git a/source/draw.h b/source/draw.h index b61232b..f1306a9 100644 --- a/source/draw.h +++ b/source/draw.h @@ -6,11 +6,11 @@ #include "types.h" -static struct fb { +struct fb { u8 *top_left; u8 *top_right; u8 *bottom; -} *fb = (struct fb *)0x23FFFE00; +}; void clearScreen(void); void loadSplash(void); \ No newline at end of file diff --git a/source/emunand.c b/source/emunand.c index 81841a8..e09ed32 100644 --- a/source/emunand.c +++ b/source/emunand.c @@ -24,7 +24,7 @@ void getEmunandSect(u32 *off, u32 *head){ void getSDMMC(void *pos, u32 *off, u32 size){ //Look for struct code unsigned char pattern[] = {0x01, 0x21, 0x20, 0x18, 0x20, 0x30}; - *off = memsearch(pos, pattern, size, 4); + *off = (u32)memsearch(pos, pattern, size, 6); //Get DCD values unsigned char buf[4]; @@ -43,14 +43,22 @@ void getSDMMC(void *pos, u32 *off, u32 size){ void getEmuRW(void *pos, u32 size, u32 *readOff, u32 *writeOff){ //Look for read/write code unsigned char pattern[] = {0x04, 0x00, 0x0D, 0x00, 0x17, 0x00, 0x1E, 0x00, 0xC8, 0x05}; - - *readOff = memsearch(pos, pattern, size, 4); - *writeOff = memsearch(readOff, pattern, 0x1000, 4); - //fileWrite(readOff, "/readoff.bin", 4); - *readOff = 0x240CEC40; - *writeOff = 0x240CEC80; + + *writeOff = (u32)memsearch(pos, pattern, size, 10); + *readOff = (u32)memsearch((void *)(*writeOff - 0x1000), pattern, 0x1000, 10); } -void getMPU(void *pos, u32 *off){ - *off = 0x2407D7D4; +void getMPU(void *pos, u32 *off, u32 size){ + //Look for MPU code + unsigned char pattern[] = {0x03, 0x00, 0x24, 0x00, 0x00, 0x00, 0x10}; + + *off = (u32)memsearch(pos, pattern, size, 7); +} + +void getEmuCode(void *pos, u32 *off, u32 size){ + void *proc9 = memsearch(pos, "Process9", size, 8); + unsigned char pattern[] = {0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF}; + + //We're looking for the last spot before Process9 + *off = (u32)memsearch(pos, pattern, size - (size - (u32)(proc9 - pos)), 6) + 0xF; } \ No newline at end of file diff --git a/source/emunand.h b/source/emunand.h index 0856046..7304423 100644 --- a/source/emunand.h +++ b/source/emunand.h @@ -14,6 +14,7 @@ void getEmunandSect(u32 *off, u32 *head); void getSDMMC(void *pos, u32 *off, u32 size); void getEmuRW(void *pos, u32 size, u32 *readOff, u32 *writeOff); -void getMPU(void *pos, u32 *off); +void getMPU(void *pos, u32 *off, u32 size); +void getEmuCode(void *pos, u32 *off, u32 size); #endif \ No newline at end of file diff --git a/source/firm.c b/source/firm.c old mode 100644 new mode 100755 index eef6c7c..853a30f --- a/source/firm.c +++ b/source/firm.c @@ -11,78 +11,121 @@ #include "emunand.h" #include "crypto.h" -const firmHeader *firmLocation = (firmHeader *)0x24000000; +firmHeader *firmLocation = (firmHeader *)0x24000000; firmSectionHeader *section; -u32 emuOffset = 0, - emuHeader = 0, - emuRead = 0, - emuWrite = 0, - sdmmcOffset = 0, - firmSize = 0, - mpuOffset = 0; +u32 firmSize = 0; +u8 mode = 1, + console = 1; +u16 pressed; //Load firm into FCRAM -void loadFirm(void){ - //Read FIRM from SD card and write to FCRAM - const char firmPath[] = "/rei/firmware.bin"; - firmSize = fileSize(firmPath); - fileRead((u8*)firmLocation, firmPath, firmSize); - - //Decrypt firmware blob - u8 firmIV[0x10] = {0}; - aes_setkey(0x16, memeKey, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL); - aes_use_keyslot(0x16); - aes((u8*)firmLocation, (u8*)firmLocation, firmSize / AES_BLOCK_SIZE, firmIV, AES_CBC_DECRYPT_MODE, AES_INPUT_BE | AES_INPUT_NORMAL); - - //Parse firmware +u8 loadFirm(void){ + + if(PDN_MPCORE_CFG == 1) console = 0; + pressed = HID_PAD; section = firmLocation->section; - arm9loader((u8*)firmLocation + section[2].offset); + + //If L and R are pressed, boot SysNAND with the NAND FIRM + if((pressed & BUTTON_L1R1) == BUTTON_L1R1){ + mode = 0; + //Read FIRM from NAND and write to FCRAM + firmSize = console ? 0xF2C00 : 0xE9000; + nandFirm0((u8*)firmLocation, firmSize, console); + if(memcmp((u8*)firmLocation, "FIRM", 4) != 0) return 1; + } + //Load FIRM from SDCard + else{ + const char firmPath[] = "/rei/firmware.bin"; + firmSize = fileSize(firmPath); + if (!firmSize) return 1; + fileRead((u8*)firmLocation, firmPath, firmSize); + if((((u32)section[2].address >> 8) & 0xFF) != (console ? 0x60 : 0x68)) return 1; + } + + if(console) arm9loader((u8*)firmLocation + section[2].offset, mode); + + return 0; } //Nand redirection -void loadEmu(void){ - +u8 loadEmu(void){ + + u32 emuOffset = 0, + emuHeader = 0, + emuRead = 0, + emuWrite = 0, + sdmmcOffset = 0, + mpuOffset = 0, + emuCodeOffset = 0; + //Read emunand code from SD - u32 code = emuCode(); - const char path[] = "/rei/emunand/emunand.bin"; - u32 size = fileSize(path); - fileRead((u8*)code, path, size); - + getEmuCode(firmLocation, &emuCodeOffset, firmSize); + const char path[] = "/rei/emunand/emunand.bin"; + u32 size = fileSize(path); + if (!size) return 1; + fileRead((u8*)emuCodeOffset, path, size); + //Find and patch emunand related offsets - u32 *pos_sdmmc = memsearch(code, "SDMC", size, 4); - u32 *pos_offset = memsearch(code, "NAND", size, 4); - u32 *pos_header = memsearch(code, "NCSD", size, 4); - getSDMMC(firmLocation, &sdmmcOffset, firmSize); + u32 *pos_sdmmc = memsearch((u32*)emuCodeOffset, "SDMC", size, 4); + u32 *pos_offset = memsearch((u32*)emuCodeOffset, "NAND", size, 4); + u32 *pos_header = memsearch((u32*)emuCodeOffset, "NCSD", size, 4); + getSDMMC(firmLocation, &sdmmcOffset, firmSize); getEmunandSect(&emuOffset, &emuHeader); getEmuRW(firmLocation, firmSize, &emuRead, &emuWrite); - getMPU(firmLocation, &mpuOffset); - *pos_sdmmc = sdmmcOffset; - *pos_offset = emuOffset; - *pos_header = emuHeader; - + getMPU(firmLocation, &mpuOffset, firmSize); + *pos_sdmmc = sdmmcOffset; + *pos_offset = emuOffset; + *pos_header = emuHeader; + //Add emunand hooks + if(!console) nandRedir[5] = 0xA4; memcpy((u8*)emuRead, nandRedir, sizeof(nandRedir)); memcpy((u8*)emuWrite, nandRedir, sizeof(nandRedir)); - + //Set MPU for emu code region memcpy((u8*)mpuOffset, mpu, sizeof(mpu)); + + return 0; } //Patches -void patchFirm(){ +u8 patchFirm(void){ + + //If L is pressed, boot SysNAND with the SDCard FIRM + if(mode && !(pressed & BUTTON_L1)) if (loadEmu()) return 1; + //Disable signature checks - memcpy((u8*)sigPatch(1), sigPat1, sizeof(sigPat1)); - memcpy((u8*)sigPatch(2), sigPat2, sizeof(sigPat2)); - - //Create arm9 thread - fileRead((u8*)threadCode(), "/rei/thread/arm9.bin", 0); - memcpy((u8*)threadHook(1), th1, sizeof(th1)); - memcpy((u8*)threadHook(2), th2, sizeof(th2)); + u32 sigOffset = 0, + sigOffset2 = 0; + getSignatures(firmLocation, firmSize, &sigOffset, &sigOffset2); + memcpy((u8*)sigOffset, sigPat1, sizeof(sigPat1)); + memcpy((u8*)sigOffset2, sigPat2, sizeof(sigPat2)); + + //Apply reboot patch and write patched FIRM + if(!console && mode && + ((fileSize("/rei/reversereboot") > 0) == (pressed & BUTTON_A))){ + u32 rebootOffset = 0, + rebootOffset2 = 0; + getReboot(firmLocation, firmSize, &rebootOffset, &rebootOffset2); + char path[] = "/rei/reboot/reboot1.bin"; + u32 size = fileSize(path); + if (!size) return 1; + fileRead((u8*)rebootOffset, path, size); + memcpy((u8*)rebootOffset + size, L"sdmc:", 10); + memcpy((u8*)rebootOffset + size + 10, L"" PATCHED_FIRM_PATH, sizeof(PATCHED_FIRM_PATH) * 2); + path[18] = '2'; + size = fileSize(path); + if (!size) return 1; + fileRead((u8*)rebootOffset2, path, size); + if (fileWrite((u8*)firmLocation, PATCHED_FIRM_PATH, firmSize) != 0) return 1; + } + + return 0; } //Firmlaunchhax void launchFirm(void){ - + //Set MPU __asm__ ( "msr cpsr_c, #0xDF\n\t" //Set system mode, disable interrupts @@ -117,5 +160,5 @@ void launchFirm(void){ *(u32 *)0x1FFFFFF8 = (u32)firmLocation->arm11Entry; //Final jump to arm9 binary - ((void (*)())0x801B01C)(); + console ? ((void (*)())0x801B01C)() : ((void (*)())firmLocation->arm9Entry)(); } \ No newline at end of file diff --git a/source/firm.h b/source/firm.h index 81717c1..afc2ad4 100644 --- a/source/firm.h +++ b/source/firm.h @@ -8,10 +8,16 @@ #include "types.h" -void loadSplash(void); -void loadFirm(void); -void loadEmu(void); -void patchFirm(void); +#define PDN_MPCORE_CFG (*(u8*)0x10140FFC) +#define HID_PAD ((~*(u16*)0x10146000) & 0xFFF) +#define BUTTON_L1R1 (3 << 8) +#define BUTTON_L1 (1 << 9) +#define BUTTON_A 1 +#define PATCHED_FIRM_PATH "/rei/patched_firmware.bin" + +u8 loadFirm(void); +u8 loadEmu(void); +u8 patchFirm(void); void launchFirm(void); #endif \ No newline at end of file diff --git a/source/font.h b/source/font.h deleted file mode 100644 index fb86a6f..0000000 --- a/source/font.h +++ /dev/null @@ -1,144 +0,0 @@ -/* - This file was autogenerated by raw2c. -Visit http://www.devkitpro.org -*/ - -//--------------------------------------------------------------------------------- -#ifndef _font_h_ -#define _font_h_ -//--------------------------------------------------------------------------------- -static const unsigned char font[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0x81, 0xa5, 0x81, 0xbd, 0x99, 0x81, 0x7e, - 0x7e, 0xff, 0xdb, 0xff, 0xc3, 0xe7, 0xff, 0x7e, 0x6c, 0xfe, 0xfe, 0xfe, 0x7c, 0x38, 0x10, 0x00, - 0x10, 0x38, 0x7c, 0xfe, 0x7c, 0x38, 0x10, 0x00, 0x3c, 0x3c, 0x18, 0xff, 0xe7, 0x18, 0x3c, 0x00, - 0x10, 0x38, 0x7c, 0xfe, 0xee, 0x10, 0x38, 0x00, 0x00, 0x00, 0x18, 0x3c, 0x3c, 0x18, 0x00, 0x00, - 0xff, 0xff, 0xe7, 0xc3, 0xc3, 0xe7, 0xff, 0xff, 0x00, 0x3c, 0x66, 0x42, 0x42, 0x66, 0x3c, 0x00, - 0xff, 0xc3, 0x99, 0xbd, 0xbd, 0x99, 0xc3, 0xff, 0x0f, 0x07, 0x0f, 0x7d, 0xcc, 0xcc, 0xcc, 0x78, - 0x3c, 0x66, 0x66, 0x66, 0x3c, 0x18, 0x7e, 0x18, 0x08, 0x0c, 0x0a, 0x0a, 0x08, 0x78, 0xf0, 0x00, - 0x18, 0x14, 0x1a, 0x16, 0x72, 0xe2, 0x0e, 0x1c, 0x10, 0x54, 0x38, 0xee, 0x38, 0x54, 0x10, 0x00, - 0x80, 0xe0, 0xf8, 0xfe, 0xf8, 0xe0, 0x80, 0x00, 0x02, 0x0e, 0x3e, 0xfe, 0x3e, 0x0e, 0x02, 0x00, - 0x18, 0x3c, 0x5a, 0x18, 0x5a, 0x3c, 0x18, 0x00, 0x66, 0x66, 0x66, 0x66, 0x66, 0x00, 0x66, 0x00, - 0x7f, 0xdb, 0xdb, 0xdb, 0x7b, 0x1b, 0x1b, 0x00, 0x1c, 0x22, 0x38, 0x44, 0x44, 0x38, 0x88, 0x70, - 0x00, 0x00, 0x00, 0x00, 0x7e, 0x7e, 0x7e, 0x00, 0x18, 0x3c, 0x5a, 0x18, 0x5a, 0x3c, 0x18, 0x7e, - 0x18, 0x3c, 0x5a, 0x18, 0x18, 0x18, 0x18, 0x00, 0x18, 0x18, 0x18, 0x18, 0x5a, 0x3c, 0x18, 0x00, - 0x00, 0x18, 0x0c, 0xfe, 0x0c, 0x18, 0x00, 0x00, 0x00, 0x30, 0x60, 0xfe, 0x60, 0x30, 0x00, 0x00, - 0x00, 0x00, 0xc0, 0xc0, 0xc0, 0xfe, 0x00, 0x00, 0x00, 0x24, 0x42, 0xff, 0x42, 0x24, 0x00, 0x00, - 0x00, 0x10, 0x38, 0x7c, 0xfe, 0xfe, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x7c, 0x38, 0x10, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3c, 0x3c, 0x18, 0x18, 0x00, 0x18, 0x00, - 0x6c, 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x6c, 0xfe, 0x6c, 0xfe, 0x6c, 0x6c, 0x00, - 0x10, 0x7c, 0xd0, 0x7c, 0x16, 0xfc, 0x10, 0x00, 0x00, 0x66, 0xac, 0xd8, 0x36, 0x6a, 0xcc, 0x00, - 0x38, 0x4c, 0x38, 0x78, 0xce, 0xcc, 0x7a, 0x00, 0x30, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x18, 0x30, 0x60, 0x60, 0x60, 0x30, 0x18, 0x00, 0x60, 0x30, 0x18, 0x18, 0x18, 0x30, 0x60, 0x00, - 0x00, 0x66, 0x3c, 0xff, 0x3c, 0x66, 0x00, 0x00, 0x00, 0x30, 0x30, 0xfc, 0x30, 0x30, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x10, 0x20, 0x00, 0x00, 0x00, 0xfc, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x06, 0x0c, 0x18, 0x30, 0x60, 0xc0, 0x00, - 0x7c, 0xce, 0xde, 0xf6, 0xe6, 0xe6, 0x7c, 0x00, 0x18, 0x38, 0x78, 0x18, 0x18, 0x18, 0x7e, 0x00, - 0x7c, 0xc6, 0x06, 0x1c, 0x70, 0xc6, 0xfe, 0x00, 0x7c, 0xc6, 0x06, 0x3c, 0x06, 0xc6, 0x7c, 0x00, - 0x1c, 0x3c, 0x6c, 0xcc, 0xfe, 0x0c, 0x1e, 0x00, 0xfe, 0xc0, 0xfc, 0x06, 0x06, 0xc6, 0x7c, 0x00, - 0x7c, 0xc6, 0xc0, 0xfc, 0xc6, 0xc6, 0x7c, 0x00, 0xfe, 0xc6, 0x0c, 0x18, 0x30, 0x30, 0x30, 0x00, - 0x7c, 0xc6, 0xc6, 0x7c, 0xc6, 0xc6, 0x7c, 0x00, 0x7c, 0xc6, 0xc6, 0x7e, 0x06, 0xc6, 0x7c, 0x00, - 0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x10, 0x20, - 0x0c, 0x18, 0x30, 0x60, 0x30, 0x18, 0x0c, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x7e, 0x00, 0x00, - 0x60, 0x30, 0x18, 0x0c, 0x18, 0x30, 0x60, 0x00, 0x78, 0xcc, 0x0c, 0x18, 0x30, 0x00, 0x30, 0x00, - 0x7c, 0x82, 0x9e, 0xa6, 0x9e, 0x80, 0x7c, 0x00, 0x7c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0x00, - 0xfc, 0x66, 0x66, 0x7c, 0x66, 0x66, 0xfc, 0x00, 0x7c, 0xc6, 0xc0, 0xc0, 0xc0, 0xc6, 0x7c, 0x00, - 0xfc, 0x66, 0x66, 0x66, 0x66, 0x66, 0xfc, 0x00, 0xfe, 0x62, 0x68, 0x78, 0x68, 0x62, 0xfe, 0x00, - 0xfe, 0x62, 0x68, 0x78, 0x68, 0x60, 0xf0, 0x00, 0x7c, 0xc6, 0xc6, 0xc0, 0xce, 0xc6, 0x7e, 0x00, - 0xc6, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0x00, 0x3c, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00, - 0x1e, 0x0c, 0x0c, 0x0c, 0xcc, 0xcc, 0x78, 0x00, 0xe6, 0x66, 0x6c, 0x78, 0x6c, 0x66, 0xe6, 0x00, - 0xf0, 0x60, 0x60, 0x60, 0x62, 0x66, 0xfe, 0x00, 0x82, 0xc6, 0xee, 0xfe, 0xd6, 0xc6, 0xc6, 0x00, - 0xc6, 0xe6, 0xf6, 0xde, 0xce, 0xc6, 0xc6, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, - 0xfc, 0x66, 0x66, 0x7c, 0x60, 0x60, 0xf0, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xd6, 0xde, 0x7c, 0x06, - 0xfc, 0x66, 0x66, 0x7c, 0x66, 0x66, 0xe6, 0x00, 0x7c, 0xc6, 0xc0, 0x7c, 0x06, 0xc6, 0x7c, 0x00, - 0x7e, 0x5a, 0x5a, 0x18, 0x18, 0x18, 0x3c, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, - 0xc6, 0xc6, 0xc6, 0xc6, 0x6c, 0x38, 0x10, 0x00, 0xc6, 0xc6, 0xd6, 0xfe, 0xee, 0xc6, 0x82, 0x00, - 0xc6, 0x6c, 0x38, 0x38, 0x38, 0x6c, 0xc6, 0x00, 0x66, 0x66, 0x66, 0x3c, 0x18, 0x18, 0x3c, 0x00, - 0xfe, 0xc6, 0x8c, 0x18, 0x32, 0x66, 0xfe, 0x00, 0x78, 0x60, 0x60, 0x60, 0x60, 0x60, 0x78, 0x00, - 0xc0, 0x60, 0x30, 0x18, 0x0c, 0x06, 0x02, 0x00, 0x78, 0x18, 0x18, 0x18, 0x18, 0x18, 0x78, 0x00, - 0x10, 0x38, 0x6c, 0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, - 0x30, 0x20, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, - 0xe0, 0x60, 0x60, 0x7c, 0x66, 0x66, 0x7c, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc0, 0xc6, 0x7c, 0x00, - 0x1c, 0x0c, 0x0c, 0x7c, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, - 0x1c, 0x36, 0x30, 0x78, 0x30, 0x30, 0x78, 0x00, 0x00, 0x00, 0x76, 0xcc, 0xcc, 0x7c, 0x0c, 0x78, - 0xe0, 0x60, 0x6c, 0x76, 0x66, 0x66, 0xe6, 0x00, 0x18, 0x00, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00, - 0x00, 0x0c, 0x00, 0x1c, 0x0c, 0x0c, 0xcc, 0x78, 0xe0, 0x60, 0x66, 0x6c, 0x78, 0x6c, 0xe6, 0x00, - 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0xcc, 0xfe, 0xd6, 0xd6, 0xd6, 0x00, - 0x00, 0x00, 0xdc, 0x66, 0x66, 0x66, 0x66, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, - 0x00, 0x00, 0xdc, 0x66, 0x66, 0x7c, 0x60, 0xf0, 0x00, 0x00, 0x7c, 0xcc, 0xcc, 0x7c, 0x0c, 0x1e, - 0x00, 0x00, 0xde, 0x76, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x00, 0x7c, 0xc0, 0x7c, 0x06, 0x7c, 0x00, - 0x10, 0x30, 0xfc, 0x30, 0x30, 0x34, 0x18, 0x00, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, - 0x00, 0x00, 0xc6, 0xc6, 0x6c, 0x38, 0x10, 0x00, 0x00, 0x00, 0xc6, 0xd6, 0xd6, 0xfe, 0x6c, 0x00, - 0x00, 0x00, 0xc6, 0x6c, 0x38, 0x6c, 0xc6, 0x00, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0x7c, 0x0c, 0xf8, - 0x00, 0x00, 0xfc, 0x98, 0x30, 0x64, 0xfc, 0x00, 0x0e, 0x18, 0x18, 0x30, 0x18, 0x18, 0x0e, 0x00, - 0x18, 0x18, 0x18, 0x00, 0x18, 0x18, 0x18, 0x00, 0xe0, 0x30, 0x30, 0x18, 0x30, 0x30, 0xe0, 0x00, - 0x76, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x6c, 0xc6, 0xc6, 0xfe, 0x00, - 0x7c, 0xc6, 0xc0, 0xc0, 0xc6, 0x7c, 0x18, 0x70, 0xcc, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, - 0x0e, 0x10, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, 0x7c, 0x82, 0x38, 0x0c, 0x7c, 0xcc, 0x76, 0x00, - 0xcc, 0x00, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, 0xe0, 0x10, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, - 0x30, 0x30, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x7c, 0xc0, 0xc0, 0x7c, 0x18, 0x70, - 0x7c, 0x82, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, 0xc6, 0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, - 0xe0, 0x10, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, 0x66, 0x00, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00, - 0x7c, 0x82, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00, 0xe0, 0x10, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00, - 0xc6, 0x00, 0x7c, 0xc6, 0xfe, 0xc6, 0xc6, 0x00, 0x38, 0x38, 0x7c, 0xc6, 0xfe, 0xc6, 0xc6, 0x00, - 0x0e, 0x10, 0xfe, 0x60, 0x78, 0x60, 0xfe, 0x00, 0x00, 0x00, 0x7c, 0x12, 0x7e, 0xd0, 0x7e, 0x00, - 0x7e, 0xc8, 0xc8, 0xfe, 0xc8, 0xc8, 0xce, 0x00, 0x7c, 0x82, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, - 0xc6, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0xe0, 0x10, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, - 0x7c, 0x82, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, 0xe0, 0x10, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, - 0xcc, 0x00, 0xcc, 0xcc, 0xcc, 0x7c, 0x0c, 0xf8, 0xc6, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, - 0xc6, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x18, 0x7c, 0xd6, 0xd0, 0xd6, 0x7c, 0x18, 0x00, - 0x38, 0x6c, 0x60, 0xf0, 0x60, 0xf2, 0xdc, 0x00, 0x66, 0x3c, 0x18, 0x7e, 0x18, 0x7e, 0x18, 0x00, - 0xf8, 0xcc, 0xf8, 0xc4, 0xcc, 0xde, 0xcc, 0x06, 0x0e, 0x1b, 0x18, 0x3c, 0x18, 0x18, 0xd8, 0x70, - 0x0e, 0x10, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, 0x0e, 0x10, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00, - 0x0e, 0x10, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x0e, 0x10, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, - 0x66, 0x98, 0xdc, 0x66, 0x66, 0x66, 0x66, 0x00, 0x66, 0x98, 0xe6, 0xf6, 0xde, 0xce, 0xc6, 0x00, - 0x38, 0x0c, 0x3c, 0x34, 0x00, 0x7e, 0x00, 0x00, 0x38, 0x6c, 0x6c, 0x38, 0x00, 0x7c, 0x00, 0x00, - 0x30, 0x00, 0x30, 0x60, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xc0, 0xc0, 0x00, 0x00, - 0x00, 0x00, 0x00, 0xfc, 0x0c, 0x0c, 0x00, 0x00, 0xc0, 0xc8, 0xd0, 0xfe, 0x46, 0x8c, 0x1e, 0x00, - 0xc0, 0xc8, 0xd0, 0xec, 0x5c, 0xbe, 0x0c, 0x00, 0x18, 0x00, 0x18, 0x18, 0x3c, 0x3c, 0x18, 0x00, - 0x00, 0x36, 0x6c, 0xd8, 0x6c, 0x36, 0x00, 0x00, 0x00, 0xd8, 0x6c, 0x36, 0x6c, 0xd8, 0x00, 0x00, - 0x22, 0x88, 0x22, 0x88, 0x22, 0x88, 0x22, 0x88, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa, - 0xdb, 0x77, 0xdb, 0xee, 0xdb, 0x77, 0xdb, 0xee, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, - 0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0xf8, 0x18, 0x18, 0x18, - 0x36, 0x36, 0x36, 0x36, 0xf6, 0x36, 0x36, 0x36, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x36, 0x36, 0x36, - 0x00, 0x00, 0xf8, 0x18, 0xf8, 0x18, 0x18, 0x18, 0x36, 0x36, 0xf6, 0x06, 0xf6, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x00, 0x00, 0xfe, 0x06, 0xf6, 0x36, 0x36, 0x36, - 0x36, 0x36, 0xf6, 0x06, 0xfe, 0x00, 0x00, 0x00, 0x36, 0x36, 0x36, 0x36, 0xfe, 0x00, 0x00, 0x00, - 0x18, 0x18, 0xf8, 0x18, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x18, 0x18, 0x18, - 0x18, 0x18, 0x18, 0x18, 0x1f, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0xff, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x1f, 0x18, 0x18, 0x18, - 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0xff, 0x18, 0x18, 0x18, - 0x18, 0x18, 0x1f, 0x18, 0x1f, 0x18, 0x18, 0x18, 0x36, 0x36, 0x36, 0x36, 0x37, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x37, 0x30, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0x30, 0x37, 0x36, 0x36, 0x36, - 0x36, 0x36, 0xf7, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xf7, 0x36, 0x36, 0x36, - 0x36, 0x36, 0x37, 0x30, 0x37, 0x36, 0x36, 0x36, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, - 0x36, 0x36, 0xf7, 0x00, 0xf7, 0x36, 0x36, 0x36, 0x18, 0x18, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00, - 0x36, 0x36, 0x36, 0x36, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0x18, 0x18, 0x18, - 0x00, 0x00, 0x00, 0x00, 0xff, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x3f, 0x00, 0x00, 0x00, - 0x18, 0x18, 0x1f, 0x18, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1f, 0x18, 0x1f, 0x18, 0x18, 0x18, - 0x00, 0x00, 0x00, 0x00, 0x3f, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0xff, 0x36, 0x36, 0x36, - 0x18, 0x18, 0xff, 0x18, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x1f, 0x18, 0x18, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, - 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x74, 0xcc, 0xc8, 0xdc, 0x76, 0x00, 0x78, 0xcc, 0xd8, 0xcc, 0xc6, 0xc6, 0xdc, 0x40, - 0xfe, 0x62, 0x60, 0x60, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x02, 0x7e, 0xec, 0x6c, 0x6c, 0x48, 0x00, - 0xfe, 0x62, 0x30, 0x18, 0x30, 0x62, 0xfe, 0x00, 0x00, 0x00, 0x7e, 0xd0, 0xc8, 0xc8, 0x70, 0x00, - 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xf8, 0x80, 0x00, 0x00, 0x7e, 0xd8, 0x18, 0x18, 0x10, 0x00, - 0x38, 0x10, 0x7c, 0xd6, 0xd6, 0x7c, 0x10, 0x38, 0x7c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0x7c, 0x00, - 0x7c, 0xc6, 0xc6, 0xc6, 0x6c, 0x28, 0xee, 0x00, 0x3c, 0x22, 0x18, 0x7c, 0xcc, 0xcc, 0x78, 0x00, - 0x00, 0x00, 0x66, 0x99, 0x99, 0x66, 0x00, 0x00, 0x00, 0x06, 0x7c, 0x9e, 0xf2, 0x7c, 0xc0, 0x00, - 0x00, 0x00, 0x7c, 0xc0, 0xf8, 0xc0, 0x7c, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x00, - 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0x00, 0x18, 0x18, 0x7e, 0x18, 0x18, 0x00, 0x7e, 0x00, - 0x30, 0x18, 0x0c, 0x18, 0x30, 0x00, 0x7c, 0x00, 0x18, 0x30, 0x60, 0x30, 0x18, 0x00, 0x7c, 0x00, - 0x0e, 0x1b, 0x1b, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xd8, 0xd8, 0x70, - 0x00, 0x18, 0x00, 0x7e, 0x00, 0x18, 0x00, 0x00, 0x00, 0x76, 0xdc, 0x00, 0x76, 0xdc, 0x00, 0x00, - 0x38, 0x6c, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0f, 0x0c, 0x0c, 0x0c, 0xec, 0x6c, 0x3c, 0x00, - 0xd8, 0x6c, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x30, 0xc0, 0xf0, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x3c, 0x3c, 0x3c, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - -}; -const int font_size = sizeof(font); -//--------------------------------------------------------------------------------- -#endif //_font_h_ -//--------------------------------------------------------------------------------- diff --git a/source/fs.c b/source/fs.c index c9fa177..c57f598 100644 --- a/source/fs.c +++ b/source/fs.c @@ -31,7 +31,7 @@ int unmountSD() int fileReadOffset(u8 *dest, const char *path, u32 size, u32 offset){ FRESULT fr; FIL fp; - u32 br = 0; + unsigned int br = 0; fr = f_open(&fp, path, FA_READ); if (fr != FR_OK)goto error; @@ -61,7 +61,7 @@ int fileRead(u8 *dest, const char *path, u32 size){ int fileWrite(const u8 *buffer, const char *path, u32 size){ FRESULT fr; FIL fp; - u32 br = 0; + unsigned int br = 0; if(f_open(&fp, path, FA_WRITE | FA_OPEN_ALWAYS) == FR_OK){ fr = f_write(&fp, buffer, size, &br); diff --git a/source/main.c b/source/main.c index b425273..e7409c7 100644 --- a/source/main.c +++ b/source/main.c @@ -10,12 +10,11 @@ #include "firm.h" #include "draw.h" -int main(){ +u8 main(){ mountSD(); loadSplash(); - loadFirm(); - loadEmu(); - patchFirm(); + if (loadFirm()) return 1; + if (patchFirm()) return 1; launchFirm(); return 0; } \ No newline at end of file diff --git a/source/patches.c b/source/patches.c index f91cf33..c099479 100644 --- a/source/patches.c +++ b/source/patches.c @@ -5,14 +5,7 @@ */ #include "patches.h" - -#define FIRM 0x24000000 - -#define KERNEL9 (FIRM + 0x68400) -#define PROC9 (FIRM + 0x7F100) - -#define K9_ADDR 0x08006000 -#define P9_ADDR 0x08028000 +#include "memory.h" /************************************************** * Patches @@ -26,6 +19,7 @@ u8 mpu[0x2C] = { //MPU shit 0x00, 0x00, 0x00, 0x20, 0x01, 0x01, 0x01, 0x01, 0x03, 0x06, 0x20, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x01, 0x01, 0x01, 0x03, 0x06, 0x1C, 0x00, 0x00, 0x00, 0x02, 0x08 }; + u8 nandRedir[0x08] = {0x00, 0x4C, 0xA0, 0x47, 0xC0, 0xA5, 0x01, 0x08}; //Branch to emunand function /* @@ -34,38 +28,24 @@ u8 nandRedir[0x08] = {0x00, 0x4C, 0xA0, 0x47, 0xC0, 0xA5, 0x01, 0x08}; //Bran u8 sigPat1[2] = {0x00, 0x20}; u8 sigPat2[4] = {0x00, 0x20, 0x70, 0x47}; -/* -* Arm9 thread -*/ -u8 th1[4] = {0x2C, 0xF0, 0x9F, 0xE5}; //ldr pc, =0x08006070 -u8 th2[4] = {0x70, 0x60, 0x00, 0x08}; //0x08006070 - - - /************************************************** * Functions **************************************************/ -//Where the emunand code is stored in firm -u32 emuCode(void){ - return KERNEL9 + (0x0801A5C0 - K9_ADDR); +void getSignatures(void *pos, u32 size, u32 *off, u32 *off2){ + //Look for signature checks + unsigned char pattern[] = {0xC0, 0x1C, 0x76, 0xE7, 0x20}; + unsigned char pattern2[] = {0x70, 0xB5, 0x22, 0x4D, 0x0C}; + + *off = (u32)memsearch(pos, pattern, size, 5); + *off2 = (u32)memsearch(pos, pattern2, size, 5); } -//Where thread code is stored in firm -u32 threadCode(void){ - return KERNEL9 + (0x08006070 - K9_ADDR); -} +void getReboot(void *pos, u32 size, u32 *off, u32 *off2){ + //Look for FIRM reboot code + unsigned char pattern[] = {0x8D, 0xE5, 0x00, 0xC0, 0x91, 0xE5}; + unsigned char pattern2[] = {0xF0, 0x4F, 0x2D, 0xE9, 0x3C}; -//Offsets to redirect to thread code -u32 threadHook(u8 val){ - return val == 1 ? - PROC9 + (0x08085198 - P9_ADDR): - PROC9 + (0x080851CC - P9_ADDR); -} - -//Offsets to redirect to thread code -u32 sigPatch(u8 val){ - return val == 1 ? - PROC9 + (0x08062B08 - P9_ADDR) : - PROC9 + (0x0805C31C - P9_ADDR); + *off = (u32)memsearch(pos, pattern, size, 6) + 2; + *off2 = (u32)memsearch(pos, pattern2, size, 5); } \ No newline at end of file diff --git a/source/patches.h b/source/patches.h index e887128..5c28488 100644 --- a/source/patches.h +++ b/source/patches.h @@ -15,17 +15,11 @@ u8 mpu[0x2C]; u8 nandRedir[0x08]; u8 sigPat1[2]; u8 sigPat2[4]; -u8 th1[4]; -u8 th2[4]; /************************************************** * Functions **************************************************/ -u32 emuCode(void); -u32 mpuCode(void); -u32 threadCode(void); -u32 threadHook(u8 val); -u32 emuHook(u8 val); -u32 sigPatch(u8 val); +void getSignatures(void *pos, u32 size, u32 *off, u32 *off2); +void getReboot(void *pos, u32 size, u32 *off, u32 *off2); #endif \ No newline at end of file diff --git a/thread/3ds.ld b/thread/3ds.ld deleted file mode 100644 index a04c2c9..0000000 --- a/thread/3ds.ld +++ /dev/null @@ -1,24 +0,0 @@ -OUTPUT_FORMAT("elf32-littlearm", "elf32-littlearm", "elf32-littlearm") -OUTPUT_ARCH(arm) - -/*0x080C3EE0*/ -ENTRY(_start) - -SECTIONS -{ - . = 0x08006070; - start_addr = .; - .text.start : { *(.text.start) } - .text : { *(.text) *(.text*) } - .rodata : { *(.rodata) *(.rodata*) } - .data : { *(.data) *(.data*) } - .bss : { *(.bss) *(.bss*) } - /*. = ALIGN(32);*/ - /*.stack : { - stack_start = .; - . += 0x40; - . = ALIGN(32); - stack_end = .; - }*/ - total_size = . - start_addr; -} \ No newline at end of file diff --git a/thread/Makefile b/thread/Makefile deleted file mode 100644 index 9ea9a0b..0000000 --- a/thread/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -ifeq ($(strip $(DEVKITARM)),) -$(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") -endif - -include $(DEVKITARM)/ds_rules - -SFLAGS=-c -mcpu=arm946e-s -march=armv5te -mlittle-endian -fshort-wchar -CFLAGS=$(SFLAGS) -std=c99 - -all: - $(CC) -g source/thread.c source/lib.c $(CFLAGS) - $(CC) -g source/_start.s source/FS.s -I source $(SFLAGS) - $(CC) -nostdlib -T 3ds.ld _start.o thread.o lib.o FS.o - $(OBJCOPY) -O binary a.out arm9.bin - rm -f *.o *.out - \ No newline at end of file diff --git a/thread/source/FS.h b/thread/source/FS.h deleted file mode 100644 index d7d9fcc..0000000 --- a/thread/source/FS.h +++ /dev/null @@ -1,16 +0,0 @@ -/* -* FS.h -* by Reisyukaku -* Copyright (c) 2015 All Rights Reserved -*/ - -#ifndef FS_H -#define FS_H -#include -extern unsigned int fopen9(void *handle, wchar_t* name, unsigned int flag); -extern void fwrite9(void* handle, unsigned int* bytesWritten, void* dst, unsigned int size); -extern void fread9(void* handle, unsigned int* bytesRead, void *src, unsigned int size); -extern void fsize9(void *handle, long *size); -extern void fclose9(void *handle); - -#endif \ No newline at end of file diff --git a/thread/source/FS.s b/thread/source/FS.s deleted file mode 100644 index 23e200c..0000000 --- a/thread/source/FS.s +++ /dev/null @@ -1,57 +0,0 @@ -# -# FS.s -# by Reisyukaku -# Copyright (c) 2015 All Rights Reserved -#/ - -.text - -.thumb -.global fopen9 -.type fopen9, %function - fopen9: - push {r0-r6, lr} - ldr r4, =0x08059D0D - blx r4 - pop {r0-r6, pc} -.pool - -.thumb -.global fwrite9 -.type fwrite9, %function - fwrite9: - push {r4, lr} - ldr r4, =0x0805B20D - blx r4 - pop {r4, pc} -.pool - -.thumb -.global fread9 -.type fread9, %function - fread9: - push {r4, lr} - ldr r4, =0x0804CC15 - blx r4 - pop {r4, pc} -.pool - -.thumb -.global fclose9 -.type fclose9, %function - fclose9: - push {r4, lr} - ldr r4, =0x08052DA1 - blx r4 - pop {r4, pc} -.pool - -.thumb -.global fsize9 -.type fsize9, %function - fsize9: - push {r4, lr} - ldr r4, =0x0805B0E9 - blx r4 - pop {r4, pc} -.pool \ No newline at end of file diff --git a/thread/source/_start.s b/thread/source/_start.s deleted file mode 100644 index 368b25d..0000000 --- a/thread/source/_start.s +++ /dev/null @@ -1,20 +0,0 @@ -.arm -.global _start -_start: - push {r0-r12 , lr} - ldr r0, =0x08000c00 - mov r1, #0xA00 - mov r2, #0x0 - thread_stack_loop: - str r2, [r0], #0x4 - subs r1, r1, #4 - bgt thread_stack_loop - mov r0, #0x3F @ thread priority - ldr r1, =thread @ thread_addr - mov r2, #0x0 @ arg - ldr r3, =0x08000c00 @ StackTop - ldr r4, =0xFFFFFFFE - svc 0x8 - pop {r0-r12 , lr} - ldr r0, =0x080E3408 - ldr pc, =0x0808519C \ No newline at end of file diff --git a/thread/source/lib.c b/thread/source/lib.c deleted file mode 100644 index c086335..0000000 --- a/thread/source/lib.c +++ /dev/null @@ -1,54 +0,0 @@ -#include "lib.h" - -void *memset(void * ptr, int value, unsigned int num){ - unsigned char *p = ptr; - while (num) { - *p++ = value; - num--; - } - return ptr; -} - -int strcomp(char* s1, char* s2, unsigned int size){ - for(int i = 0; i < size*2; i++){ - if(s1[i] != s2[i]) return 0; - } - return 1; -} - -void strcopy(char* dest, char* source, unsigned int size){ - for(int i = 0; i < size*2; i++) dest[i] = source[i]; -} - -int memcmp(void* buf1, void* buf2, int size){ - int equal = 0; - for(int i = 0; i < size; i++){ - if(*((unsigned char*)buf1 + i) != *((unsigned char*)buf2 + i)){ - equal = i; - break; - } - } - return equal; -} - -int atoi(const char* nptr){ - int result = 0, - position = 1; - const char* p = nptr; - - while(*p) ++p; - - for(--p; p >= nptr; p--){ - if(*p < 0x30 || *p > 0x39) break; - else{ - result += (position) * (*p - 0x30); - position *= 10; - } - } - result = ((nptr[0] == '-')? -result : result); - return result; -} - -unsigned isPressed(unsigned bitfield){ - return ((~*(unsigned *)0x10146000) & 0xFFF) == (bitfield & 0xFFF) ? 1 : 0; -} \ No newline at end of file diff --git a/thread/source/lib.h b/thread/source/lib.h deleted file mode 100644 index d0a3ba5..0000000 --- a/thread/source/lib.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef LIB_H -#define LIB_H - -#define BUTTON_A (1 << 0) -#define BUTTON_B (1 << 1) -#define BUTTON_SELECT (1 << 2) -#define BUTTON_START (1 << 3) -#define BUTTON_RIGHT (1 << 4) -#define BUTTON_LEFT (1 << 5) -#define BUTTON_UP (1 << 6) -#define BUTTON_DOWN (1 << 7) -#define BUTTON_R1 (1 << 8) -#define BUTTON_L1 (1 << 9) -#define BUTTON_X (1 << 10) -#define BUTTON_Y (1 << 11) -#define BUTTON_ZL (1 << 14) -#define BUTTON_ZR (1 << 15) - -void* memset(void * ptr, int value, unsigned int num); -int strcomp(char* s1, char*s2, unsigned int size); -void strcopy(char* dest, char* source, unsigned int size); -int memcmp(void* buf1, void* buf2, int size); -int atoi(const char* nptr); -unsigned isPressed(unsigned bitfield); - -#endif \ No newline at end of file diff --git a/thread/source/thread.c b/thread/source/thread.c deleted file mode 100644 index 9a3616a..0000000 --- a/thread/source/thread.c +++ /dev/null @@ -1,59 +0,0 @@ -/* -* thread.c -* by Reisyukaku -* Copyright (c) 2015 All Rights Reserved -*/ - -#include -#include -#include "thread.h" -#include "lib.h" -#include "FS.h" - -//ram stuff -#define VRAM (unsigned char*)0x18000000 -#define FCRAM (unsigned char*)0x20000000 -#define FCRAM_EXT (unsigned char*)0x28000000 - -//file stuff -#define READ 0 -#define WRITE 1 - -unsigned char handle[32]; - -void fileReadWrite(void *buf, void *path, int size, char rw){ - unsigned int br = 0; - memset(&handle, 0, 32); - fopen9(&handle, path, 6); - if(rw == 0) fread9(&handle, &br, buf, size); - else fwrite9(&handle, &br, buf, size); - fclose9(&handle); -} - -void memdump(void* filename, void* buf, unsigned int size){ - fileReadWrite(buf, filename, size, WRITE); - memset(VRAM+0x1E6000, 0xFF, 0x46500); -} - -void patches(void){ - //Change version string - for(int i = 0; i < 0x600000; i+=4){ - if(strcomp((void*)0x27B00000 - i, (void*)L"Ver.", 4)){ - if(strcomp((void*)0x27B00000 - i + 0x28, (void*)"T_ver_00", 4)) strcopy((void*)0x27B00000 - i, (void*)L"\uE024Rei", 4); - } - } -} - -void thread(void){ - while(1){ - if(isPressed(BUTTON_START | BUTTON_X)){ - unsigned char buf[0x10] = {0}; - int loc = 0; - fileReadWrite(buf, L"sdmc:/rei/RAM.txt", 0x20, READ); - loc = atoi(buf); - memdump(L"sdmc:/RAMdmp.bin", (void*)loc, 0x10000); - } - patches(); - } - __asm("SVC 0x09"); -} \ No newline at end of file diff --git a/thread/source/thread.h b/thread/source/thread.h deleted file mode 100644 index 5c47aec..0000000 --- a/thread/source/thread.h +++ /dev/null @@ -1,6 +0,0 @@ -/* -* thread.h -* by Reisyukaku -*/ - -void thread(void); \ No newline at end of file