Merged my changes

There you have it!

Makefile

@@ -20,7 +20,7 @@ dir_build := build
 dir_mset := CakeHax
 dir_out := out
 dir_emu := emunand
-dir_thread := thread
+dir_reboot := reboot
 dir_ninjhax := CakeBrah
 
 ASFLAGS := -mlittle-endian -mcpu=arm946e-s -march=armv5te
@@ -33,16 +33,28 @@ objects_cfw = $(patsubst $(dir_source)/%.s, $(dir_build)/%.o, \
 
 
 .PHONY: all
-all: launcher emunand thread ninjhax
+all: launcher emunand emunando3ds reboot reboot2 rebootntr reboot2ntr ninjhax
 
 .PHONY: launcher
 launcher: $(dir_out)/$(name).dat 
 
 .PHONY: emunand
-emunand: $(dir_out)/rei/emunand/emunand.bin
+emunand: $(dir_out)/rei-n3ds/emunand/emunand.bin
 
-.PHONY: thread
+.PHONY: emunando3ds
-thread: $(dir_out)/rei/thread/arm9.bin
+emunand: $(dir_out)/rei-o3ds/emunand/emunand.bin
+
+.PHONY: reboot
+reboot: $(dir_out)/rei-o3ds/reboot/reboot1.bin
+
+.PHONY: reboot2
+reboot: $(dir_out)/rei-o3ds/reboot/reboot2.bin
+
+.PHONY: rebootntr
+reboot: $(dir_out)/ntr-o3ds/reboot/reboot1.bin
+
+.PHONY: reboot2ntr
+reboot: $(dir_out)/ntr-o3ds/reboot/reboot2.bin
 
 .PHONY: ninjhax
 ninjhax: $(dir_out)/3ds/$(name)
@@ -54,7 +66,7 @@ clean:
 	rm -rf $(dir_out) $(dir_build)
 
 .PHONY: $(dir_out)/$(name).dat
-$(dir_out)/$(name).dat: $(dir_build)/main.bin $(dir_out)/rei/
+$(dir_out)/$(name).dat: $(dir_build)/main.bin $(dir_out)/rei-n3ds/ $(dir_out)/rei-o3ds/
 	@$(MAKE) $(FLAGS) -C $(dir_mset) launcher
 	dd if=$(dir_build)/main.bin of=$@ bs=512 seek=144
     
@@ -64,19 +76,39 @@ $(dir_out)/3ds/$(name):
 	@mv $(dir_out)/$(name).3dsx $@
 	@mv $(dir_out)/$(name).smdh $@
 
-$(dir_out)/rei/: $(dir_data)/firmware.bin $(dir_data)/splash.bin $(dir_data)/RAM.txt
+$(dir_out)/rei-n3ds/: $(dir_data)/firmware.bin
-	@mkdir -p "$(dir_out)/rei"
+	@mkdir -p "$(dir_out)/rei-n3ds"
-	@cp -av $(dir_data)/* $@
+	@cp -av $(dir_data)/firmware.bin $@
 
-$(dir_out)/rei/thread/arm9.bin: $(dir_thread)
+$(dir_out)/rei-o3ds/: $(dir_data)/firmwareo3ds.bin
-	@$(MAKE) $(FLAGS) -C $(dir_thread)
+	@mkdir -p "$(dir_out)/rei-o3ds"
-	@mkdir -p "$(dir_out)/rei/thread"
+	@cp -av $(dir_data)/firmwareo3ds.bin $(dir_out)/rei-o3ds/firmware.bin
-	@mv $(dir_thread)/arm9.bin $(dir_out)/rei/thread
     
-$(dir_out)/rei/emunand/emunand.bin: $(dir_emu)/emuCode.s
+$(dir_out)/rei-n3ds/emunand/emunand.bin: $(dir_emu)/emuCode.s
 	@armips $<
-	@mkdir -p "$(dir_out)/rei/emunand"
+	@mkdir -p "$(dir_out)/rei-n3ds/emunand"
-	@mv emunand.bin $(dir_out)/rei/emunand
+	@mv emunand.bin $(dir_out)/rei-n3ds/emunand
+
+$(dir_out)/rei-o3ds/emunand/emunand.bin: $(dir_emu)/emuCodeo3ds.s
+	@armips $<
+	@mkdir -p "$(dir_out)/rei-o3ds/emunand"
+	@mv emunand.bin $(dir_out)/rei-o3ds/emunand
+
+$(dir_out)/rei-o3ds/reboot/reboot1.bin: $(dir_reboot)/rebootCode.s
+	@armips $<
+	@mkdir -p "$(dir_out)/rei-o3ds/reboot"
+	@mv reboot1.bin $(dir_out)/rei-o3ds/reboot
+
+$(dir_out)/rei-o3ds/reboot/reboot2.bin: $(dir_reboot)/rebootCode.s
+	@mv reboot2.bin $(dir_out)/rei-o3ds/reboot
+
+$(dir_out)/ntr-o3ds/reboot/reboot1.bin: $(dir_reboot)/rebootCodeNtr.s
+	@armips $<
+	@mkdir -p "$(dir_out)/ntr-o3ds/reboot"
+	@mv reboot1.bin $(dir_out)/ntr-o3ds/reboot
+
+$(dir_out)/ntr-o3ds/reboot/reboot2.bin: $(dir_reboot)/rebootCodeNtr.s
+	@mv reboot2.bin $(dir_out)/ntr-o3ds/reboot
 
 $(dir_build)/main.bin: $(dir_build)/main.elf
 	$(OC) -S -O binary $< $@

data/RAM.txt

@@ -1 +0,0 @@
-536870912

emunand/emuCodeo3ds.s

@@ -0,0 +1,50 @@
+.nds
+
+sdmmc equ 0x434D4453	;dummy
+
+.create "emunand.bin", 0x0801A4C0
+.org 0x0801A4C0
+.arm
+nand_sd:
+    ; Original code that still needs to be executed.
+    mov r4, r0
+    mov r5, r1
+    mov r7, r2
+    mov r6, r3
+    ; End.
+
+    ; If we're already trying to access the SD, return.
+    ldr r2, [r0, #4]
+    ldr r1, =sdmmc
+    cmp r2, r1
+    beq nand_sd_ret
+
+    str r1, [r0, #4]  ; Set object to be SD
+    ldr r2, [r0, #8]  ; Get sector to read
+    cmp r2, #0  ; For GW compatibility, see if we're trying to read the ncsd header (sector 0)
+
+    ldr r3, =nand_offset
+    ldr r3, [r3]
+    add r2, r3  ; Add the offset to the NAND in the SD.
+
+    ldreq r3, =ncsd_header_offset
+    ldreq r3, [r3]
+    addeq r2, r3  ; If we're reading the ncsd header, add the offset of that sector.
+
+    str r2, [r0, #8]  ; Store sector to read
+
+    nand_sd_ret:
+        ; Restore registers.
+        mov r1, r5
+        mov r2, r7
+        mov r3, r6
+
+        ; Return 4 bytes behind where we got called,
+        ;   due to the offset of this function being stored there.
+        mov r0, lr
+        add r0, #4
+        bx r0
+.pool
+nand_offset:		.ascii "NAND"       ; for rednand this should be 1
+ncsd_header_offset:	.ascii "NCSD"       ; depends on nand manufacturer + emunand type (GW/RED)
+.close

reboot/rebootCode.s

@@ -0,0 +1,159 @@
+.nds
+
+firm_size equ 0x000EA000
+firm_addr equ 0x24000000
+fopen equ 0x08059D10
+fread equ 0x0804CC54
+pxi_wait_recv equ 0x08054134
+
+.macro svc, num
+	.if isArm()
+		.word 0xEF000000 | num
+	.else
+		.if num > 0xFF
+			.error "bitch you crazu"
+		.endif
+		.halfword 0xDF00 | num
+	.endif
+.endmacro
+
+.create "reboot1.bin", 0x080849DC
+.org 0x080849DC
+.arm
+patch005:
+	ldr r0, =0x2000E000
+	mov r1, #0x200
+	mov r2, #0
+	add r1, r1, r0
+@@memset_loop:
+	str r2, [r0]
+	add r0, r0, #4
+	cmp r0, r1
+	blt @@memset_loop
+	ldr r0, =0x2000E000
+	ldr r1, =firm_fname
+	mov r2, #1
+	blx fopen
+	ldr r0, =0x2000E000
+	ldr r1, =0x2000E100
+	mov r2, #firm_addr
+	mov r3, #firm_size
+	blx fread
+
+	ldr r4, =0x44846
+	blx pxi_wait_recv
+	cmp r0, r4
+	bne patch005
+	mov r2, #0
+	mov r3, r2
+	mov r1, r2
+	mov r0, r2
+	svc 0x7C
+	ldr r0, =0x80FF4FC
+	svc 0x7B
+
+@@inf_loop:
+	b @@inf_loop
+.pool
+firm_fname:
+.close
+
+.create "reboot2.bin", 0x080933CC
+.org 0x080933CC
+.arm
+	stmfd sp!, {r4-r11,lr}
+	sub sp, sp, #0x3C
+	mrc p15, 0, r0, c2, c0, 0	; dcacheable
+	mrc p15, 0, r12, c2, c0, 1	; icacheable
+	mrc p15, 0, r1, c3, c0, 0	; write bufferable
+	mrc p15, 0, r2, c5, c0, 2	; daccess
+	mrc p15, 0, r3, c5, c0, 3	; iaccess
+	ldr r4, =0x18000035			; 0x18000000 128M
+	bic r2, r2, #0xF0000		; unprotect region 4
+	bic r3, r3, #0xF0000		; unprotect region 4
+	orr r0, r0, #0x10			; dcacheable region 4
+	orr r2, r2, #0x30000		; region 4 r/w
+	orr r3, r3, #0x30000		; region 4 r/w
+	orr r12, r12, #0x10			; icacheable region 4
+	orr r1, r1, #0x10			; write bufferable region 4
+	mcr p15, 0, r0, c2, c0, 0
+	mcr p15, 0, r12, c2, c0, 1
+	mcr p15, 0, r1, c3, c0, 0	; write bufferable
+	mcr p15, 0, r2, c5, c0, 2	; daccess
+	mcr p15, 0, r3, c5, c0, 3	; iaccess
+	mcr p15, 0, r4, c6, c4, 0	; region 4 (hmmm)
+
+	mrc p15, 0, r0, c2, c0, 0	; dcacheable
+	mrc p15, 0, r1, c2, c0, 1	; icacheable
+	mrc p15, 0, r2, c3, c0, 0	; write bufferable
+	orr r0, r0, #0x20			; dcacheable region 5
+	orr r1, r1, #0x20			; icacheable region 5
+	orr r2, r2, #0x20			; write bufferable region 5
+	mcr p15, 0, r0, c2, c0, 0	; dcacheable
+	mcr p15, 0, r1, c2, c0, 1	; icacheable
+	mcr p15, 0, r2, c3, c0, 0	; write bufferable
+
+	mov r4, #firm_addr
+	add r3, r4, #0x40
+	ldr r0, [r3]				; offset
+	add r0, r0, r4				; src
+	ldr r1, [r3,#4]				; dst
+	ldr r2, [r3,#8]				; size
+	bl memcpy32
+	add r3, r4, #0x70
+	ldr r0, [r3]
+	add r0, r0, r4				; src
+	ldr r1, [r3,#4]				; dst
+	ldr r2, [r3,#8]				; size
+	bl memcpy32
+	add r3, r4, #0xA0
+	ldr r0, [r3]
+	add r0, r0, r4				; src
+	ldr r1, [r3,#4]				; dst
+	ldr r2, [r3,#8]				; size
+	bl memcpy32
+	mov r2, #0
+	mov r1, r2
+@flush_cache:
+	mov r0, #0
+	mov r3, r2, lsl#30
+@flush_cache_inner_loop:
+	orr r12, r3, r0, lsl#5
+	mcr p15, 0, r1, c7, c10, 4	; drain write buffer
+	mcr p15, 0, r12, c7, c14, 2	; clean and flush dcache entry (index and segment)
+	add r0, r0, #1
+	cmp r0, #0x20
+	bcc @flush_cache_inner_loop
+	add r2, r2, #1
+	cmp r2, #4
+	bcc @flush_cache
+	mcr p15, 0, r1, c7, c10, 4	; drain write buffer
+@mpu_enable:
+	ldr r0, =0x42078			; alt vector select, enable itcm
+	mcr p15, 0, r0, c1, c0, 0
+	mcr p15, 0, r1, c7, c5, 0	; flush dcache
+	mcr p15, 0, r1, c7, c6, 0	; flush icache
+	mcr p15, 0, r1, c7, c10, 4	; drain write buffer
+	mov r0, #firm_addr
+	mov r1, 0X1FFFFFFC
+	ldr r2, [r0,#8]				; arm11 entry
+	str r2, [r1]
+	ldr r0, [r0,#0xC]			; arm9 entry
+	add sp, sp, #0x3C
+	ldmfd sp!, {r4-r11,lr}
+	bx r0
+.pool
+memcpy32: ; memcpy32(void *src, void *dst, unsigned int size)
+	mov r12, lr
+	stmfd sp!, {r0-r4}
+	add r2, r2, r0
+@memcpy_loop:
+	ldr r3, [r0], #4
+	str r3, [r1], #4
+	cmp r0, r2
+	blt @memcpy_loop
+	ldmfd sp!, {r0-r4}
+	mov lr, r12
+	bx lr
+.pool
+.close

reboot/rebootCodeNtr.s

@@ -0,0 +1,159 @@
+.nds
+
+firm_size equ 0x000EB000
+firm_addr equ 0x24000000
+fopen equ 0x0805B180
+fread equ 0x0804D9B0
+pxi_wait_recv equ 0x08055178
+
+.macro svc, num
+	.if isArm()
+		.word 0xEF000000 | num
+	.else
+		.if num > 0xFF
+			.error "bitch you crazu"
+		.endif
+		.halfword 0xDF00 | num
+	.endif
+.endmacro
+
+.create "reboot1.bin", 0x080859C8
+.org 0x080859C8
+.arm
+patch005:
+	ldr r0, =0x2000E000
+	mov r1, #0x200
+	mov r2, #0
+	add r1, r1, r0
+@@memset_loop:
+	str r2, [r0]
+	add r0, r0, #4
+	cmp r0, r1
+	blt @@memset_loop
+	ldr r0, =0x2000E000
+	ldr r1, =firm_fname
+	mov r2, #1
+	blx fopen
+	ldr r0, =0x2000E000
+	ldr r1, =0x2000E100
+	mov r2, #firm_addr
+	mov r3, #firm_size
+	blx fread
+
+	ldr r4, =0x44846
+	blx pxi_wait_recv
+	cmp r0, r4
+	bne patch005
+	mov r2, #0
+	mov r3, r2
+	mov r1, r2
+	mov r0, r2
+	svc 0x7C
+	ldr r0, =0x80FF4FC
+	svc 0x7B
+
+@@inf_loop:
+	b @@inf_loop
+.pool
+firm_fname:
+.close
+
+.create "reboot2.bin", 0x08094454
+.org 0x08094454
+.arm
+	stmfd sp!, {r4-r11,lr}
+	sub sp, sp, #0x3C
+	mrc p15, 0, r0, c2, c0, 0	; dcacheable
+	mrc p15, 0, r12, c2, c0, 1	; icacheable
+	mrc p15, 0, r1, c3, c0, 0	; write bufferable
+	mrc p15, 0, r2, c5, c0, 2	; daccess
+	mrc p15, 0, r3, c5, c0, 3	; iaccess
+	ldr r4, =0x18000035			; 0x18000000 128M
+	bic r2, r2, #0xF0000		; unprotect region 4
+	bic r3, r3, #0xF0000		; unprotect region 4
+	orr r0, r0, #0x10			; dcacheable region 4
+	orr r2, r2, #0x30000		; region 4 r/w
+	orr r3, r3, #0x30000		; region 4 r/w
+	orr r12, r12, #0x10			; icacheable region 4
+	orr r1, r1, #0x10			; write bufferable region 4
+	mcr p15, 0, r0, c2, c0, 0
+	mcr p15, 0, r12, c2, c0, 1
+	mcr p15, 0, r1, c3, c0, 0	; write bufferable
+	mcr p15, 0, r2, c5, c0, 2	; daccess
+	mcr p15, 0, r3, c5, c0, 3	; iaccess
+	mcr p15, 0, r4, c6, c4, 0	; region 4 (hmmm)
+
+	mrc p15, 0, r0, c2, c0, 0	; dcacheable
+	mrc p15, 0, r1, c2, c0, 1	; icacheable
+	mrc p15, 0, r2, c3, c0, 0	; write bufferable
+	orr r0, r0, #0x20			; dcacheable region 5
+	orr r1, r1, #0x20			; icacheable region 5
+	orr r2, r2, #0x20			; write bufferable region 5
+	mcr p15, 0, r0, c2, c0, 0	; dcacheable
+	mcr p15, 0, r1, c2, c0, 1	; icacheable
+	mcr p15, 0, r2, c3, c0, 0	; write bufferable
+
+	mov r4, #firm_addr
+	add r3, r4, #0x40
+	ldr r0, [r3]				; offset
+	add r0, r0, r4				; src
+	ldr r1, [r3,#4]				; dst
+	ldr r2, [r3,#8]				; size
+	bl memcpy32
+	add r3, r4, #0x70
+	ldr r0, [r3]
+	add r0, r0, r4				; src
+	ldr r1, [r3,#4]				; dst
+	ldr r2, [r3,#8]				; size
+	bl memcpy32
+	add r3, r4, #0xA0
+	ldr r0, [r3]
+	add r0, r0, r4				; src
+	ldr r1, [r3,#4]				; dst
+	ldr r2, [r3,#8]				; size
+	bl memcpy32
+	mov r2, #0
+	mov r1, r2
+@flush_cache:
+	mov r0, #0
+	mov r3, r2, lsl#30
+@flush_cache_inner_loop:
+	orr r12, r3, r0, lsl#5
+	mcr p15, 0, r1, c7, c10, 4	; drain write buffer
+	mcr p15, 0, r12, c7, c14, 2	; clean and flush dcache entry (index and segment)
+	add r0, r0, #1
+	cmp r0, #0x20
+	bcc @flush_cache_inner_loop
+	add r2, r2, #1
+	cmp r2, #4
+	bcc @flush_cache
+	mcr p15, 0, r1, c7, c10, 4	; drain write buffer
+@mpu_enable:
+	ldr r0, =0x42078			; alt vector select, enable itcm
+	mcr p15, 0, r0, c1, c0, 0
+	mcr p15, 0, r1, c7, c5, 0	; flush dcache
+	mcr p15, 0, r1, c7, c6, 0	; flush icache
+	mcr p15, 0, r1, c7, c10, 4	; drain write buffer
+	mov r0, #firm_addr
+	mov r1, 0X1FFFFFFC
+	ldr r2, [r0,#8]				; arm11 entry
+	str r2, [r1]
+	ldr r0, [r0,#0xC]			; arm9 entry
+	add sp, sp, #0x3C
+	ldmfd sp!, {r4-r11,lr}
+	bx r0
+.pool
+memcpy32: ; memcpy32(void *src, void *dst, unsigned int size)
+	mov r12, lr
+	stmfd sp!, {r0-r4}
+	add r2, r2, r0
+@memcpy_loop:
+	ldr r3, [r0], #4
+	str r3, [r1], #4
+	cmp r0, r2
+	blt @memcpy_loop
+	ldmfd sp!, {r0-r4}
+	mov lr, r12
+	bx lr
+.pool
+.close

source/crypto.c

@@ -353,43 +353,54 @@ int rsa_verify(const void* data, u32 size, const void* sig, u32 mode)
 	return memcmp(dataHash, decSig + (sigSize - SHA_256_HASH_SIZE), SHA_256_HASH_SIZE) == 0;
 }
 
-void xor(u8 *dest, u8 *data1, u8 *data2, u32 size){
-    int i; for(i = 0; i < size; i++) *(dest+i) = *(data1+i) ^ *(data2+i);
-}
-
 /****************************************************************
 *                   Nand/FIRM Crypto stuff
 ****************************************************************/
-const u8 memeKey[0x10] = {
+
-    0x52, 0x65, 0x69, 0x20, 0x69, 0x73, 0x20, 0x62, 0x65, 0x73, 0x74, 0x20, 0x67, 0x69, 0x72, 0x6C
+//Get Nand CTR key
-};
+void getNandCTR(u8 *buf, u8 console) {
+    u8 *addr = console ? (u8*)0x080D8BBC : (u8*)0x080D797C;
+    u8 keyLen = 0x10; //CTR length
+    addr += 0x0F;
+    while (keyLen --) { *(buf++) = *(addr--); }
+}
+
+//Read firm0 from NAND and write to buffer
+void nandFirm0(u8 *outbuf, const u32 size, u8 console){
+    u8 CTR[0x10];
+    getNandCTR(CTR, console);
+    aes_advctr(CTR, 0x0B130000/0x10, AES_INPUT_BE | AES_INPUT_NORMAL);
+    sdmmc_nand_readsectors(0x0B130000 / 0x200, size / 0x200, outbuf);
+    aes_use_keyslot(0x06);
+    aes(outbuf, outbuf, size / AES_BLOCK_SIZE, CTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
+}
 
 //Emulates the Arm9loader process
-void arm9loader(void *armHdr){    
+void arm9loader(void *armHdr, u8 mode){
     //Nand key#2 (0x12C10)
     u8 key2[0x10] = {
-        0x10, 0x5A, 0xE8, 0x5A, 0x4A, 0x21, 0x78, 0x53, 0x0B, 0x06, 0xFA, 0x1A, 0x5E, 0x2A, 0x5C, 0xBC
+        0x42, 0x3F, 0x81, 0x7A, 0x23, 0x52, 0x58, 0x31, 0x6E, 0x75, 0x8E, 0x3A, 0x39, 0x43, 0x2E, 0xD0
     };
 
     //Firm keys
     u8 keyX[0x10];
     u8 keyY[0x10];
     u8 CTR[0x10];
-    u32 slot = 0x16;
+    u32 slot = mode ? 0x16 : 0x15;
     
     //Setup keys needed for arm9bin decryption
-    xor(key2, key2, memeKey, 0x10);
     memcpy((u8*)keyY, (void *)((uintptr_t)armHdr+0x10), 0x10);
     memcpy((u8*)CTR, (void *)((uintptr_t)armHdr+0x20), 0x10);
     u32 size = atoi((void *)((uintptr_t)armHdr+0x30));
 
-    //Set 0x11 to key2 for the arm9bin and misc keys
+    if(mode){
-    aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
+        //Set 0x11 to key2 for the arm9bin and misc keys
-    aes_use_keyslot(0x11);
+        aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
+        aes_use_keyslot(0x11);
+        aes((u8*)keyX, (void *)((uintptr_t)armHdr+0x60), 1, NULL, AES_ECB_DECRYPT_MODE, 0);
+        aes_setkey(slot, (u8*)keyX, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
+    }
 
-    //Set 0x16 keyX, keyY and CTR
-    aes((u8*)keyX, (void *)((uintptr_t)armHdr+0x60), 1, NULL, AES_ECB_DECRYPT_MODE, 0);
-    aes_setkey(slot, (u8*)keyX, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
     aes_setkey(slot, (u8*)keyY, AES_KEYY, AES_INPUT_BE | AES_INPUT_NORMAL);
     aes_setiv((u8*)CTR, AES_INPUT_BE | AES_INPUT_NORMAL);
     aes_use_keyslot(slot);
@@ -397,13 +408,15 @@ void arm9loader(void *armHdr){
     //Decrypt arm9bin
     aes((void *)(armHdr+0x800), (void *)(armHdr+0x800), size/AES_BLOCK_SIZE, CTR, AES_CTR_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
 
-    //Set keys 0x19..0x1F keyXs
+    if(mode){
-    u8* decKey = (void *)((uintptr_t)armHdr+0x89824);
+        //Set keys 0x19..0x1F keyXs
-    aes_use_keyslot(0x11);
+        u8* decKey = (void *)((uintptr_t)armHdr+0x89824);
-    for(slot = 0x19; slot < 0x20; slot++) {
+        aes_use_keyslot(0x11);
-        aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
+        for(slot = 0x19; slot < 0x20; slot++) {
-        aes(decKey, (void *)((uintptr_t)armHdr+0x89814), 1, NULL, AES_ECB_DECRYPT_MODE, 0);
+            aes_setkey(0x11, (u8*)key2, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
-        aes_setkey(slot, (u8*)decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
+            aes(decKey, (void *)((uintptr_t)armHdr+0x89814), 1, NULL, AES_ECB_DECRYPT_MODE, 0);
-        *(u8 *)((void *)((uintptr_t)armHdr+0x89814+0xF)) += 1;
+            aes_setkey(slot, (u8*)decKey, AES_KEYX, AES_INPUT_BE | AES_INPUT_NORMAL);
+            *(u8 *)((void *)((uintptr_t)armHdr+0x89814+0xF)) += 1;
+        }
     }
 }

source/crypto.h

@@ -129,10 +129,10 @@ void sha(void* res, const void* src, u32 size, u32 mode);
 void rsa_setkey(u32 keyslot, const void* mod, const void* exp, u32 mode);
 void rsa_use_keyslot(u32 keyslot);
 int rsa_verify(const void* data, u32 size, const void* sig, u32 mode);
-void xor(u8 *dest, u8 *data1, u8 *data2, u32 size);
 
 //NAND/FIRM stuff
-extern const u8 memeKey[0x10];
+void getNandCTR(u8 *buf, u8 console);
-void arm9loader(void *armHdr);
+void nandFirm0(u8 *outbuf, const u32 size, u8 console);
+void arm9loader(void *armHdr, u8 mode);
 
 #endif /*__CRYPTO_H*/

source/draw.c

@@ -8,6 +8,8 @@
 #include "fs.h"
 #include "memory.h"
 
+static struct fb* fb = (struct fb*) 0x23FFFE00;
+
 void clearScreen(void){
     memset(fb->top_left, 0, 0x38400);
     memset(fb->top_right, 0, 0x38400);
@@ -16,6 +18,6 @@ void clearScreen(void){
 
 void loadSplash(void){
     clearScreen();
-    fileRead(fb->top_left, "/rei/splash.bin", 0x46500);
+    if(fileRead(fb->top_left, "/rei/splash.bin", 0x46500) != 0) return;
-    unsigned i,t; for(t=120;t>0;t--){for(i=0xFFFF;i>0;i--);}; //Ghetto sleep func
+    unsigned i,t; for(t=220;t>0;t--){for(i=0xFFFF;i>0;i--);}; //Ghetto sleep func
 }

source/draw.h

@@ -6,11 +6,11 @@
 
 #include "types.h"
 
-static struct fb {
+struct fb {
     u8 *top_left;
     u8 *top_right;
     u8 *bottom;
-} *fb = (struct fb *)0x23FFFE00;
+};
 
 void clearScreen(void);
 void loadSplash(void);

source/emunand.c

@@ -24,7 +24,7 @@ void getEmunandSect(u32 *off, u32 *head){
 void getSDMMC(void *pos, u32 *off, u32 size){
     //Look for struct code
     unsigned char pattern[] = {0x01, 0x21, 0x20, 0x18, 0x20, 0x30};
-    *off = memsearch(pos, pattern, size, 4);
+    *off = (u32)memsearch(pos, pattern, size, 6);
     
     //Get DCD values
     unsigned char buf[4];
@@ -44,13 +44,21 @@ void getEmuRW(void *pos, u32 size, u32 *readOff, u32 *writeOff){
     //Look for read/write code
     unsigned char pattern[] = {0x04, 0x00, 0x0D, 0x00, 0x17, 0x00, 0x1E, 0x00, 0xC8, 0x05};
 
-    *readOff = memsearch(pos, pattern, size, 4);
+    *writeOff = (u32)memsearch(pos, pattern, size, 10);
-    *writeOff = memsearch(readOff, pattern, 0x1000, 4);
+    *readOff = (u32)memsearch((void *)(*writeOff - 0x1000), pattern, 0x1000, 10);
-	//fileWrite(readOff, "/readoff.bin", 4);
-    *readOff = 0x240CEC40;
-    *writeOff = 0x240CEC80;
 }
 
-void getMPU(void *pos, u32 *off){
+void getMPU(void *pos, u32 *off, u32 size){
-    *off = 0x2407D7D4; 
+    //Look for MPU code
+    unsigned char pattern[] = {0x03, 0x00, 0x24, 0x00, 0x00, 0x00, 0x10};
+
+    *off = (u32)memsearch(pos, pattern, size, 7);
+}
+
+void getEmuCode(void *pos, u32 *off, u32 size){
+    void *proc9 = memsearch(pos, "Process9", size, 8);
+    unsigned char pattern[] = {0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF};
+
+    //We're looking for the last spot before Process9
+    *off = (u32)memsearch(pos, pattern, size - (size - (u32)(proc9 - pos)), 6) + 0xF;
 }

source/emunand.h

@@ -14,6 +14,7 @@
 void getEmunandSect(u32 *off, u32 *head);
 void getSDMMC(void *pos, u32 *off, u32 size);
 void getEmuRW(void *pos, u32 size, u32 *readOff, u32 *writeOff);
-void getMPU(void *pos, u32 *off);
+void getMPU(void *pos, u32 *off, u32 size);
+void getEmuCode(void *pos, u32 *off, u32 size);
 
 #endif

source/firm.c

@@ -11,73 +11,116 @@
 #include "emunand.h"
 #include "crypto.h"
 
-const firmHeader *firmLocation = (firmHeader *)0x24000000;
+firmHeader *firmLocation = (firmHeader *)0x24000000;
 firmSectionHeader *section;
-u32 emuOffset = 0,
+u32 firmSize = 0;
+u8  mode = 1,
+    console = 1;
+u16 pressed;
+
+//Load firm into FCRAM
+u8 loadFirm(void){
+
+    if(PDN_MPCORE_CFG == 1) console = 0;
+    pressed = HID_PAD;
+    section = firmLocation->section;
+
+    //If L and R are pressed, boot SysNAND with the NAND FIRM
+    if((pressed & BUTTON_L1R1) == BUTTON_L1R1){
+        mode = 0;
+        //Read FIRM from NAND and write to FCRAM
+        firmSize = console ? 0xF2C00 : 0xE9000;
+        nandFirm0((u8*)firmLocation, firmSize, console);
+        if(memcmp((u8*)firmLocation, "FIRM", 4) != 0) return 1;
+    }
+    //Load FIRM from SDCard
+    else{
+        const char firmPath[] = "/rei/firmware.bin";
+        firmSize = fileSize(firmPath);
+        if (!firmSize) return 1;
+        fileRead((u8*)firmLocation, firmPath, firmSize);
+        if((((u32)section[2].address >> 8) & 0xFF) != (console ? 0x60 : 0x68)) return 1;
+    }
+
+    if(console) arm9loader((u8*)firmLocation + section[2].offset, mode);
+
+    return 0;
+}
+
+//Nand redirection
+u8 loadEmu(void){
+
+    u32 emuOffset = 0,
     emuHeader = 0,
     emuRead = 0,
     emuWrite = 0,
     sdmmcOffset = 0,
-    firmSize = 0,
+    mpuOffset = 0,
-    mpuOffset = 0;
+    emuCodeOffset = 0;
-
-//Load firm into FCRAM
-void loadFirm(void){
-    //Read FIRM from SD card and write to FCRAM
-	const char firmPath[] = "/rei/firmware.bin";
-	firmSize = fileSize(firmPath);
-    fileRead((u8*)firmLocation, firmPath, firmSize);
-    
-    //Decrypt firmware blob
-    u8 firmIV[0x10] = {0};
-    aes_setkey(0x16, memeKey, AES_KEYNORMAL, AES_INPUT_BE | AES_INPUT_NORMAL);
-    aes_use_keyslot(0x16);
-    aes((u8*)firmLocation, (u8*)firmLocation, firmSize / AES_BLOCK_SIZE, firmIV, AES_CBC_DECRYPT_MODE, AES_INPUT_BE | AES_INPUT_NORMAL);
-    
-    //Parse firmware
-    section = firmLocation->section;
-    arm9loader((u8*)firmLocation + section[2].offset);
-}
-
-//Nand redirection
-void loadEmu(void){
 
     //Read emunand code from SD
-    u32 code = emuCode();
+    getEmuCode(firmLocation, &emuCodeOffset, firmSize);
-	const char path[] = "/rei/emunand/emunand.bin";
+    const char path[] = "/rei/emunand/emunand.bin";
-	u32 size = fileSize(path);
+    u32 size = fileSize(path);
-    fileRead((u8*)code, path, size);
+    if (!size) return 1;
+    fileRead((u8*)emuCodeOffset, path, size);
 
     //Find and patch emunand related offsets
-	u32 *pos_sdmmc = memsearch(code, "SDMC", size, 4);
+    u32 *pos_sdmmc = memsearch((u32*)emuCodeOffset, "SDMC", size, 4);
-    u32 *pos_offset = memsearch(code, "NAND", size, 4);
+    u32 *pos_offset = memsearch((u32*)emuCodeOffset, "NAND", size, 4);
-    u32 *pos_header = memsearch(code, "NCSD", size, 4);
+    u32 *pos_header = memsearch((u32*)emuCodeOffset, "NCSD", size, 4);
-	getSDMMC(firmLocation, &sdmmcOffset, firmSize);
+    getSDMMC(firmLocation, &sdmmcOffset, firmSize);
     getEmunandSect(&emuOffset, &emuHeader);
     getEmuRW(firmLocation, firmSize, &emuRead, &emuWrite);
-    getMPU(firmLocation, &mpuOffset);
+    getMPU(firmLocation, &mpuOffset, firmSize);
-	*pos_sdmmc = sdmmcOffset;
+    *pos_sdmmc = sdmmcOffset;
-	*pos_offset = emuOffset;
+    *pos_offset = emuOffset;
-	*pos_header = emuHeader;
+    *pos_header = emuHeader;
 
     //Add emunand hooks
+    if(!console) nandRedir[5] = 0xA4;
     memcpy((u8*)emuRead, nandRedir, sizeof(nandRedir));
     memcpy((u8*)emuWrite, nandRedir, sizeof(nandRedir));
 
     //Set MPU for emu code region
     memcpy((u8*)mpuOffset, mpu, sizeof(mpu));
+
+    return 0;
 }
 
 //Patches
-void patchFirm(){
+u8 patchFirm(void){
-    //Disable signature checks
-    memcpy((u8*)sigPatch(1), sigPat1, sizeof(sigPat1));
-    memcpy((u8*)sigPatch(2), sigPat2, sizeof(sigPat2));
 
-    //Create arm9 thread
+    //If L is pressed, boot SysNAND with the SDCard FIRM
-    fileRead((u8*)threadCode(), "/rei/thread/arm9.bin", 0);
+    if(mode && !(pressed & BUTTON_L1)) if (loadEmu()) return 1;
-    memcpy((u8*)threadHook(1), th1, sizeof(th1));
+
-    memcpy((u8*)threadHook(2), th2, sizeof(th2));
+    //Disable signature checks
+    u32 sigOffset = 0,
+    sigOffset2 = 0;
+    getSignatures(firmLocation, firmSize, &sigOffset, &sigOffset2);
+    memcpy((u8*)sigOffset, sigPat1, sizeof(sigPat1));
+    memcpy((u8*)sigOffset2, sigPat2, sizeof(sigPat2));
+
+    //Apply reboot patch and write patched FIRM
+    if(!console && mode &&
+       ((fileSize("/rei/reversereboot") > 0) == (pressed & BUTTON_A))){
+        u32 rebootOffset = 0,
+        rebootOffset2 = 0;
+        getReboot(firmLocation, firmSize, &rebootOffset, &rebootOffset2);
+        char path[] = "/rei/reboot/reboot1.bin";
+        u32 size = fileSize(path);
+        if (!size) return 1;
+        fileRead((u8*)rebootOffset, path, size);
+        memcpy((u8*)rebootOffset + size, L"sdmc:", 10);
+        memcpy((u8*)rebootOffset + size + 10, L"" PATCHED_FIRM_PATH, sizeof(PATCHED_FIRM_PATH) * 2);
+        path[18] = '2';
+        size = fileSize(path);
+        if (!size) return 1;
+        fileRead((u8*)rebootOffset2, path, size);
+        if (fileWrite((u8*)firmLocation, PATCHED_FIRM_PATH, firmSize) != 0) return 1;
+    }
+
+    return 0;
 }
 
 //Firmlaunchhax
@@ -117,5 +160,5 @@ void launchFirm(void){
     *(u32 *)0x1FFFFFF8 = (u32)firmLocation->arm11Entry;
     
     //Final jump to arm9 binary
-    ((void (*)())0x801B01C)();
+    console ? ((void (*)())0x801B01C)() : ((void (*)())firmLocation->arm9Entry)();
 }

source/firm.h

@@ -8,10 +8,16 @@
 
 #include "types.h"
 
-void loadSplash(void);
+#define PDN_MPCORE_CFG     (*(u8*)0x10140FFC)
-void loadFirm(void);
+#define HID_PAD            ((~*(u16*)0x10146000) & 0xFFF)
-void loadEmu(void);
+#define BUTTON_L1R1        (3 << 8)
-void patchFirm(void);
+#define BUTTON_L1          (1 << 9)
+#define BUTTON_A           1
+#define PATCHED_FIRM_PATH  "/rei/patched_firmware.bin"
+
+u8 loadFirm(void);
+u8 loadEmu(void);
+u8 patchFirm(void);
 void launchFirm(void);
 
 #endif

source/font.h

@@ -1,144 +0,0 @@
-/*
-  This file was autogenerated by raw2c.
-Visit http://www.devkitpro.org
-*/
-
-//---------------------------------------------------------------------------------
-#ifndef _font_h_
-#define _font_h_
-//---------------------------------------------------------------------------------
-static const unsigned char font[] = {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7e, 0x81, 0xa5, 0x81, 0xbd, 0x99, 0x81, 0x7e,
-    0x7e, 0xff, 0xdb, 0xff, 0xc3, 0xe7, 0xff, 0x7e, 0x6c, 0xfe, 0xfe, 0xfe, 0x7c, 0x38, 0x10, 0x00,
-    0x10, 0x38, 0x7c, 0xfe, 0x7c, 0x38, 0x10, 0x00, 0x3c, 0x3c, 0x18, 0xff, 0xe7, 0x18, 0x3c, 0x00,
-    0x10, 0x38, 0x7c, 0xfe, 0xee, 0x10, 0x38, 0x00, 0x00, 0x00, 0x18, 0x3c, 0x3c, 0x18, 0x00, 0x00,
-    0xff, 0xff, 0xe7, 0xc3, 0xc3, 0xe7, 0xff, 0xff, 0x00, 0x3c, 0x66, 0x42, 0x42, 0x66, 0x3c, 0x00,
-    0xff, 0xc3, 0x99, 0xbd, 0xbd, 0x99, 0xc3, 0xff, 0x0f, 0x07, 0x0f, 0x7d, 0xcc, 0xcc, 0xcc, 0x78,
-    0x3c, 0x66, 0x66, 0x66, 0x3c, 0x18, 0x7e, 0x18, 0x08, 0x0c, 0x0a, 0x0a, 0x08, 0x78, 0xf0, 0x00,
-    0x18, 0x14, 0x1a, 0x16, 0x72, 0xe2, 0x0e, 0x1c, 0x10, 0x54, 0x38, 0xee, 0x38, 0x54, 0x10, 0x00,
-    0x80, 0xe0, 0xf8, 0xfe, 0xf8, 0xe0, 0x80, 0x00, 0x02, 0x0e, 0x3e, 0xfe, 0x3e, 0x0e, 0x02, 0x00,
-    0x18, 0x3c, 0x5a, 0x18, 0x5a, 0x3c, 0x18, 0x00, 0x66, 0x66, 0x66, 0x66, 0x66, 0x00, 0x66, 0x00,
-    0x7f, 0xdb, 0xdb, 0xdb, 0x7b, 0x1b, 0x1b, 0x00, 0x1c, 0x22, 0x38, 0x44, 0x44, 0x38, 0x88, 0x70,
-    0x00, 0x00, 0x00, 0x00, 0x7e, 0x7e, 0x7e, 0x00, 0x18, 0x3c, 0x5a, 0x18, 0x5a, 0x3c, 0x18, 0x7e,
-    0x18, 0x3c, 0x5a, 0x18, 0x18, 0x18, 0x18, 0x00, 0x18, 0x18, 0x18, 0x18, 0x5a, 0x3c, 0x18, 0x00,
-    0x00, 0x18, 0x0c, 0xfe, 0x0c, 0x18, 0x00, 0x00, 0x00, 0x30, 0x60, 0xfe, 0x60, 0x30, 0x00, 0x00,
-    0x00, 0x00, 0xc0, 0xc0, 0xc0, 0xfe, 0x00, 0x00, 0x00, 0x24, 0x42, 0xff, 0x42, 0x24, 0x00, 0x00,
-    0x00, 0x10, 0x38, 0x7c, 0xfe, 0xfe, 0x00, 0x00, 0x00, 0xfe, 0xfe, 0x7c, 0x38, 0x10, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3c, 0x3c, 0x18, 0x18, 0x00, 0x18, 0x00,
-    0x6c, 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x6c, 0xfe, 0x6c, 0xfe, 0x6c, 0x6c, 0x00,
-    0x10, 0x7c, 0xd0, 0x7c, 0x16, 0xfc, 0x10, 0x00, 0x00, 0x66, 0xac, 0xd8, 0x36, 0x6a, 0xcc, 0x00,
-    0x38, 0x4c, 0x38, 0x78, 0xce, 0xcc, 0x7a, 0x00, 0x30, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
-    0x18, 0x30, 0x60, 0x60, 0x60, 0x30, 0x18, 0x00, 0x60, 0x30, 0x18, 0x18, 0x18, 0x30, 0x60, 0x00,
-    0x00, 0x66, 0x3c, 0xff, 0x3c, 0x66, 0x00, 0x00, 0x00, 0x30, 0x30, 0xfc, 0x30, 0x30, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x10, 0x20, 0x00, 0x00, 0x00, 0xfc, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x06, 0x0c, 0x18, 0x30, 0x60, 0xc0, 0x00,
-    0x7c, 0xce, 0xde, 0xf6, 0xe6, 0xe6, 0x7c, 0x00, 0x18, 0x38, 0x78, 0x18, 0x18, 0x18, 0x7e, 0x00,
-    0x7c, 0xc6, 0x06, 0x1c, 0x70, 0xc6, 0xfe, 0x00, 0x7c, 0xc6, 0x06, 0x3c, 0x06, 0xc6, 0x7c, 0x00,
-    0x1c, 0x3c, 0x6c, 0xcc, 0xfe, 0x0c, 0x1e, 0x00, 0xfe, 0xc0, 0xfc, 0x06, 0x06, 0xc6, 0x7c, 0x00,
-    0x7c, 0xc6, 0xc0, 0xfc, 0xc6, 0xc6, 0x7c, 0x00, 0xfe, 0xc6, 0x0c, 0x18, 0x30, 0x30, 0x30, 0x00,
-    0x7c, 0xc6, 0xc6, 0x7c, 0xc6, 0xc6, 0x7c, 0x00, 0x7c, 0xc6, 0xc6, 0x7e, 0x06, 0xc6, 0x7c, 0x00,
-    0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x30, 0x10, 0x20,
-    0x0c, 0x18, 0x30, 0x60, 0x30, 0x18, 0x0c, 0x00, 0x00, 0x00, 0x7e, 0x00, 0x00, 0x7e, 0x00, 0x00,
-    0x60, 0x30, 0x18, 0x0c, 0x18, 0x30, 0x60, 0x00, 0x78, 0xcc, 0x0c, 0x18, 0x30, 0x00, 0x30, 0x00,
-    0x7c, 0x82, 0x9e, 0xa6, 0x9e, 0x80, 0x7c, 0x00, 0x7c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0x00,
-    0xfc, 0x66, 0x66, 0x7c, 0x66, 0x66, 0xfc, 0x00, 0x7c, 0xc6, 0xc0, 0xc0, 0xc0, 0xc6, 0x7c, 0x00,
-    0xfc, 0x66, 0x66, 0x66, 0x66, 0x66, 0xfc, 0x00, 0xfe, 0x62, 0x68, 0x78, 0x68, 0x62, 0xfe, 0x00,
-    0xfe, 0x62, 0x68, 0x78, 0x68, 0x60, 0xf0, 0x00, 0x7c, 0xc6, 0xc6, 0xc0, 0xce, 0xc6, 0x7e, 0x00,
-    0xc6, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0xc6, 0x00, 0x3c, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00,
-    0x1e, 0x0c, 0x0c, 0x0c, 0xcc, 0xcc, 0x78, 0x00, 0xe6, 0x66, 0x6c, 0x78, 0x6c, 0x66, 0xe6, 0x00,
-    0xf0, 0x60, 0x60, 0x60, 0x62, 0x66, 0xfe, 0x00, 0x82, 0xc6, 0xee, 0xfe, 0xd6, 0xc6, 0xc6, 0x00,
-    0xc6, 0xe6, 0xf6, 0xde, 0xce, 0xc6, 0xc6, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00,
-    0xfc, 0x66, 0x66, 0x7c, 0x60, 0x60, 0xf0, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xd6, 0xde, 0x7c, 0x06,
-    0xfc, 0x66, 0x66, 0x7c, 0x66, 0x66, 0xe6, 0x00, 0x7c, 0xc6, 0xc0, 0x7c, 0x06, 0xc6, 0x7c, 0x00,
-    0x7e, 0x5a, 0x5a, 0x18, 0x18, 0x18, 0x3c, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00,
-    0xc6, 0xc6, 0xc6, 0xc6, 0x6c, 0x38, 0x10, 0x00, 0xc6, 0xc6, 0xd6, 0xfe, 0xee, 0xc6, 0x82, 0x00,
-    0xc6, 0x6c, 0x38, 0x38, 0x38, 0x6c, 0xc6, 0x00, 0x66, 0x66, 0x66, 0x3c, 0x18, 0x18, 0x3c, 0x00,
-    0xfe, 0xc6, 0x8c, 0x18, 0x32, 0x66, 0xfe, 0x00, 0x78, 0x60, 0x60, 0x60, 0x60, 0x60, 0x78, 0x00,
-    0xc0, 0x60, 0x30, 0x18, 0x0c, 0x06, 0x02, 0x00, 0x78, 0x18, 0x18, 0x18, 0x18, 0x18, 0x78, 0x00,
-    0x10, 0x38, 0x6c, 0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
-    0x30, 0x20, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00,
-    0xe0, 0x60, 0x60, 0x7c, 0x66, 0x66, 0x7c, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc0, 0xc6, 0x7c, 0x00,
-    0x1c, 0x0c, 0x0c, 0x7c, 0xcc, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00,
-    0x1c, 0x36, 0x30, 0x78, 0x30, 0x30, 0x78, 0x00, 0x00, 0x00, 0x76, 0xcc, 0xcc, 0x7c, 0x0c, 0x78,
-    0xe0, 0x60, 0x6c, 0x76, 0x66, 0x66, 0xe6, 0x00, 0x18, 0x00, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00,
-    0x00, 0x0c, 0x00, 0x1c, 0x0c, 0x0c, 0xcc, 0x78, 0xe0, 0x60, 0x66, 0x6c, 0x78, 0x6c, 0xe6, 0x00,
-    0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x3c, 0x00, 0x00, 0x00, 0xcc, 0xfe, 0xd6, 0xd6, 0xd6, 0x00,
-    0x00, 0x00, 0xdc, 0x66, 0x66, 0x66, 0x66, 0x00, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00,
-    0x00, 0x00, 0xdc, 0x66, 0x66, 0x7c, 0x60, 0xf0, 0x00, 0x00, 0x7c, 0xcc, 0xcc, 0x7c, 0x0c, 0x1e,
-    0x00, 0x00, 0xde, 0x76, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x00, 0x7c, 0xc0, 0x7c, 0x06, 0x7c, 0x00,
-    0x10, 0x30, 0xfc, 0x30, 0x30, 0x34, 0x18, 0x00, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00,
-    0x00, 0x00, 0xc6, 0xc6, 0x6c, 0x38, 0x10, 0x00, 0x00, 0x00, 0xc6, 0xd6, 0xd6, 0xfe, 0x6c, 0x00,
-    0x00, 0x00, 0xc6, 0x6c, 0x38, 0x6c, 0xc6, 0x00, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0x7c, 0x0c, 0xf8,
-    0x00, 0x00, 0xfc, 0x98, 0x30, 0x64, 0xfc, 0x00, 0x0e, 0x18, 0x18, 0x30, 0x18, 0x18, 0x0e, 0x00,
-    0x18, 0x18, 0x18, 0x00, 0x18, 0x18, 0x18, 0x00, 0xe0, 0x30, 0x30, 0x18, 0x30, 0x30, 0xe0, 0x00,
-    0x76, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x38, 0x6c, 0xc6, 0xc6, 0xfe, 0x00,
-    0x7c, 0xc6, 0xc0, 0xc0, 0xc6, 0x7c, 0x18, 0x70, 0xcc, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00,
-    0x0e, 0x10, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, 0x7c, 0x82, 0x38, 0x0c, 0x7c, 0xcc, 0x76, 0x00,
-    0xcc, 0x00, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, 0xe0, 0x10, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00,
-    0x30, 0x30, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, 0x00, 0x00, 0x7c, 0xc0, 0xc0, 0x7c, 0x18, 0x70,
-    0x7c, 0x82, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, 0xc6, 0x00, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00,
-    0xe0, 0x10, 0x7c, 0xc6, 0xfe, 0xc0, 0x7c, 0x00, 0x66, 0x00, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00,
-    0x7c, 0x82, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00, 0xe0, 0x10, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00,
-    0xc6, 0x00, 0x7c, 0xc6, 0xfe, 0xc6, 0xc6, 0x00, 0x38, 0x38, 0x7c, 0xc6, 0xfe, 0xc6, 0xc6, 0x00,
-    0x0e, 0x10, 0xfe, 0x60, 0x78, 0x60, 0xfe, 0x00, 0x00, 0x00, 0x7c, 0x12, 0x7e, 0xd0, 0x7e, 0x00,
-    0x7e, 0xc8, 0xc8, 0xfe, 0xc8, 0xc8, 0xce, 0x00, 0x7c, 0x82, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00,
-    0xc6, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0xe0, 0x10, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00,
-    0x7c, 0x82, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00, 0xe0, 0x10, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00,
-    0xcc, 0x00, 0xcc, 0xcc, 0xcc, 0x7c, 0x0c, 0xf8, 0xc6, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00,
-    0xc6, 0x00, 0xc6, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x18, 0x7c, 0xd6, 0xd0, 0xd6, 0x7c, 0x18, 0x00,
-    0x38, 0x6c, 0x60, 0xf0, 0x60, 0xf2, 0xdc, 0x00, 0x66, 0x3c, 0x18, 0x7e, 0x18, 0x7e, 0x18, 0x00,
-    0xf8, 0xcc, 0xf8, 0xc4, 0xcc, 0xde, 0xcc, 0x06, 0x0e, 0x1b, 0x18, 0x3c, 0x18, 0x18, 0xd8, 0x70,
-    0x0e, 0x10, 0x78, 0x0c, 0x7c, 0xcc, 0x76, 0x00, 0x0e, 0x10, 0x38, 0x18, 0x18, 0x18, 0x3c, 0x00,
-    0x0e, 0x10, 0x7c, 0xc6, 0xc6, 0xc6, 0x7c, 0x00, 0x0e, 0x10, 0xcc, 0xcc, 0xcc, 0xcc, 0x76, 0x00,
-    0x66, 0x98, 0xdc, 0x66, 0x66, 0x66, 0x66, 0x00, 0x66, 0x98, 0xe6, 0xf6, 0xde, 0xce, 0xc6, 0x00,
-    0x38, 0x0c, 0x3c, 0x34, 0x00, 0x7e, 0x00, 0x00, 0x38, 0x6c, 0x6c, 0x38, 0x00, 0x7c, 0x00, 0x00,
-    0x30, 0x00, 0x30, 0x60, 0xc6, 0xc6, 0x7c, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xc0, 0xc0, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0xfc, 0x0c, 0x0c, 0x00, 0x00, 0xc0, 0xc8, 0xd0, 0xfe, 0x46, 0x8c, 0x1e, 0x00,
-    0xc0, 0xc8, 0xd0, 0xec, 0x5c, 0xbe, 0x0c, 0x00, 0x18, 0x00, 0x18, 0x18, 0x3c, 0x3c, 0x18, 0x00,
-    0x00, 0x36, 0x6c, 0xd8, 0x6c, 0x36, 0x00, 0x00, 0x00, 0xd8, 0x6c, 0x36, 0x6c, 0xd8, 0x00, 0x00,
-    0x22, 0x88, 0x22, 0x88, 0x22, 0x88, 0x22, 0x88, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa, 0x55, 0xaa,
-    0xdb, 0x77, 0xdb, 0xee, 0xdb, 0x77, 0xdb, 0xee, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18,
-    0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x18, 0xf8, 0x18, 0x18, 0x18,
-    0x36, 0x36, 0x36, 0x36, 0xf6, 0x36, 0x36, 0x36, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x36, 0x36, 0x36,
-    0x00, 0x00, 0xf8, 0x18, 0xf8, 0x18, 0x18, 0x18, 0x36, 0x36, 0xf6, 0x06, 0xf6, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x00, 0x00, 0xfe, 0x06, 0xf6, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0xf6, 0x06, 0xfe, 0x00, 0x00, 0x00, 0x36, 0x36, 0x36, 0x36, 0xfe, 0x00, 0x00, 0x00,
-    0x18, 0x18, 0xf8, 0x18, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x18, 0x18, 0x18,
-    0x18, 0x18, 0x18, 0x18, 0x1f, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0xff, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x1f, 0x18, 0x18, 0x18,
-    0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x18, 0x18, 0x18, 0x18, 0xff, 0x18, 0x18, 0x18,
-    0x18, 0x18, 0x1f, 0x18, 0x1f, 0x18, 0x18, 0x18, 0x36, 0x36, 0x36, 0x36, 0x37, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x37, 0x30, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3f, 0x30, 0x37, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0xf7, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xf7, 0x36, 0x36, 0x36,
-    0x36, 0x36, 0x37, 0x30, 0x37, 0x36, 0x36, 0x36, 0x00, 0x00, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00,
-    0x36, 0x36, 0xf7, 0x00, 0xf7, 0x36, 0x36, 0x36, 0x18, 0x18, 0xff, 0x00, 0xff, 0x00, 0x00, 0x00,
-    0x36, 0x36, 0x36, 0x36, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 0x18, 0x18, 0x18,
-    0x00, 0x00, 0x00, 0x00, 0xff, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x3f, 0x00, 0x00, 0x00,
-    0x18, 0x18, 0x1f, 0x18, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1f, 0x18, 0x1f, 0x18, 0x18, 0x18,
-    0x00, 0x00, 0x00, 0x00, 0x3f, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0xff, 0x36, 0x36, 0x36,
-    0x18, 0x18, 0xff, 0x18, 0xff, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xf8, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x1f, 0x18, 0x18, 0x18, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0, 0xf0,
-    0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x74, 0xcc, 0xc8, 0xdc, 0x76, 0x00, 0x78, 0xcc, 0xd8, 0xcc, 0xc6, 0xc6, 0xdc, 0x40,
-    0xfe, 0x62, 0x60, 0x60, 0x60, 0x60, 0xf0, 0x00, 0x00, 0x02, 0x7e, 0xec, 0x6c, 0x6c, 0x48, 0x00,
-    0xfe, 0x62, 0x30, 0x18, 0x30, 0x62, 0xfe, 0x00, 0x00, 0x00, 0x7e, 0xd0, 0xc8, 0xc8, 0x70, 0x00,
-    0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xf8, 0x80, 0x00, 0x00, 0x7e, 0xd8, 0x18, 0x18, 0x10, 0x00,
-    0x38, 0x10, 0x7c, 0xd6, 0xd6, 0x7c, 0x10, 0x38, 0x7c, 0xc6, 0xc6, 0xfe, 0xc6, 0xc6, 0x7c, 0x00,
-    0x7c, 0xc6, 0xc6, 0xc6, 0x6c, 0x28, 0xee, 0x00, 0x3c, 0x22, 0x18, 0x7c, 0xcc, 0xcc, 0x78, 0x00,
-    0x00, 0x00, 0x66, 0x99, 0x99, 0x66, 0x00, 0x00, 0x00, 0x06, 0x7c, 0x9e, 0xf2, 0x7c, 0xc0, 0x00,
-    0x00, 0x00, 0x7c, 0xc0, 0xf8, 0xc0, 0x7c, 0x00, 0x00, 0x7c, 0xc6, 0xc6, 0xc6, 0xc6, 0xc6, 0x00,
-    0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0x00, 0x18, 0x18, 0x7e, 0x18, 0x18, 0x00, 0x7e, 0x00,
-    0x30, 0x18, 0x0c, 0x18, 0x30, 0x00, 0x7c, 0x00, 0x18, 0x30, 0x60, 0x30, 0x18, 0x00, 0x7c, 0x00,
-    0x0e, 0x1b, 0x1b, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0xd8, 0xd8, 0x70,
-    0x00, 0x18, 0x00, 0x7e, 0x00, 0x18, 0x00, 0x00, 0x00, 0x76, 0xdc, 0x00, 0x76, 0xdc, 0x00, 0x00,
-    0x38, 0x6c, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x18, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0f, 0x0c, 0x0c, 0x0c, 0xec, 0x6c, 0x3c, 0x00,
-    0xd8, 0x6c, 0x6c, 0x6c, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x30, 0xc0, 0xf0, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x3c, 0x3c, 0x3c, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-
-};
-const int font_size = sizeof(font);
-//---------------------------------------------------------------------------------
-#endif //_font_h_
-//---------------------------------------------------------------------------------

source/fs.c

@@ -31,7 +31,7 @@ int unmountSD()
 int fileReadOffset(u8 *dest, const char *path, u32 size, u32 offset){
     FRESULT fr;
     FIL fp;
-    u32 br = 0;
+    unsigned int br = 0;
 
     fr = f_open(&fp, path, FA_READ);
     if (fr != FR_OK)goto error;
@@ -61,7 +61,7 @@ int fileRead(u8 *dest, const char *path, u32 size){
 int fileWrite(const u8 *buffer, const char *path, u32 size){
     FRESULT fr;
     FIL fp;
-    u32 br = 0;
+    unsigned int br = 0;
 
     if(f_open(&fp, path, FA_WRITE | FA_OPEN_ALWAYS) == FR_OK){
         fr = f_write(&fp, buffer, size, &br);

source/main.c

@@ -10,12 +10,11 @@
 #include "firm.h"
 #include "draw.h"
 
-int main(){
+u8 main(){
     mountSD();
     loadSplash();
-    loadFirm();
+    if (loadFirm()) return 1;
-    loadEmu();
+    if (patchFirm()) return 1;
-    patchFirm();
     launchFirm();
     return 0;
 }

source/patches.c

@@ -5,14 +5,7 @@
 */
 
 #include "patches.h"
-
+#include "memory.h"
-#define FIRM 0x24000000
-
-#define KERNEL9 (FIRM + 0x68400)
-#define PROC9 (FIRM + 0x7F100)
-
-#define K9_ADDR 0x08006000
-#define P9_ADDR 0x08028000
 
 /**************************************************
 *                   Patches
@@ -26,6 +19,7 @@ u8 mpu[0x2C] = {    //MPU shit
     0x00, 0x00, 0x00, 0x20, 0x01, 0x01, 0x01, 0x01, 0x03, 0x06, 0x20, 0x00, 0x00, 0x00, 0x00, 0x08, 
     0x01, 0x01, 0x01, 0x01, 0x03, 0x06, 0x1C, 0x00, 0x00, 0x00, 0x02, 0x08
     };
+
 u8 nandRedir[0x08] = {0x00, 0x4C, 0xA0, 0x47, 0xC0, 0xA5, 0x01, 0x08};    //Branch to emunand function
 
 /*
@@ -34,38 +28,24 @@ u8 nandRedir[0x08] = {0x00, 0x4C, 0xA0, 0x47, 0xC0, 0xA5, 0x01, 0x08};    //Bran
 u8 sigPat1[2] = {0x00, 0x20};
 u8 sigPat2[4] = {0x00, 0x20, 0x70, 0x47};
 
-/*
-*   Arm9 thread
-*/
-u8 th1[4] = {0x2C, 0xF0, 0x9F, 0xE5};   //ldr pc, =0x08006070
-u8 th2[4] = {0x70, 0x60, 0x00, 0x08};   //0x08006070
-
-
-
 /**************************************************
 *                   Functions
 **************************************************/
 
-//Where the emunand code is stored in firm
+void getSignatures(void *pos, u32 size, u32 *off, u32 *off2){
-u32 emuCode(void){
+    //Look for signature checks
-    return KERNEL9 + (0x0801A5C0 - K9_ADDR);
+    unsigned char pattern[] = {0xC0, 0x1C, 0x76, 0xE7, 0x20};
+    unsigned char pattern2[] = {0x70, 0xB5, 0x22, 0x4D, 0x0C};
+
+    *off = (u32)memsearch(pos, pattern, size, 5);
+    *off2 = (u32)memsearch(pos, pattern2, size, 5);
 }
 
-//Where thread code is stored in firm
+void getReboot(void *pos, u32 size, u32 *off, u32 *off2){
-u32 threadCode(void){
+    //Look for FIRM reboot code
-    return KERNEL9 + (0x08006070 - K9_ADDR);
+    unsigned char pattern[] = {0x8D, 0xE5, 0x00, 0xC0, 0x91, 0xE5};
-}
+    unsigned char pattern2[] = {0xF0, 0x4F, 0x2D, 0xE9, 0x3C};
 
-//Offsets to redirect to thread code
+    *off = (u32)memsearch(pos, pattern, size, 6) + 2;
-u32 threadHook(u8 val){
+    *off2 = (u32)memsearch(pos, pattern2, size, 5);
-    return val == 1 ? 
-            PROC9 + (0x08085198 - P9_ADDR): 
-            PROC9 + (0x080851CC - P9_ADDR);
-}
-
-//Offsets to redirect to thread code
-u32 sigPatch(u8 val){
-    return val == 1 ?
-            PROC9 + (0x08062B08 - P9_ADDR) :
-            PROC9 + (0x0805C31C - P9_ADDR);
 }

source/patches.h

@@ -15,17 +15,11 @@ u8 mpu[0x2C];
 u8 nandRedir[0x08];
 u8 sigPat1[2];
 u8 sigPat2[4];
-u8 th1[4];
-u8 th2[4];
 
 /**************************************************
 *                   Functions
 **************************************************/
-u32 emuCode(void);
+void getSignatures(void *pos, u32 size, u32 *off, u32 *off2);
-u32 mpuCode(void);
+void getReboot(void *pos, u32 size, u32 *off, u32 *off2);
-u32 threadCode(void);
-u32 threadHook(u8 val);
-u32 emuHook(u8 val);
-u32 sigPatch(u8 val);
 
 #endif

thread/3ds.ld

@@ -1,24 +0,0 @@
-OUTPUT_FORMAT("elf32-littlearm", "elf32-littlearm", "elf32-littlearm")
-OUTPUT_ARCH(arm)
-
-/*0x080C3EE0*/
-ENTRY(_start)
-
-SECTIONS
-{
-  . = 0x08006070;
-  start_addr = .;
-  .text.start : { *(.text.start) }
-  .text       : { *(.text) *(.text*) }
-  .rodata     : { *(.rodata) *(.rodata*) }
-  .data       : { *(.data) *(.data*) }
-  .bss        : { *(.bss) *(.bss*) }
-  /*. = ALIGN(32);*/
-  /*.stack : {
-    stack_start = .;
-    . += 0x40;
-    . = ALIGN(32);
-    stack_end = .;
-  }*/
-  total_size = . - start_addr;
-}

thread/Makefile

@@ -1,16 +0,0 @@
-ifeq ($(strip $(DEVKITARM)),)
-$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
-endif
-
-include $(DEVKITARM)/ds_rules
-
-SFLAGS=-c -mcpu=arm946e-s -march=armv5te -mlittle-endian -fshort-wchar
-CFLAGS=$(SFLAGS) -std=c99
-
-all:
-	$(CC) -g source/thread.c source/lib.c $(CFLAGS)
-	$(CC) -g source/_start.s source/FS.s -I source $(SFLAGS)
-	$(CC) -nostdlib -T 3ds.ld _start.o thread.o lib.o FS.o
-	$(OBJCOPY) -O binary a.out arm9.bin
-	rm -f *.o *.out
-	

thread/source/FS.h

@@ -1,16 +0,0 @@
-/*
-*   FS.h
-*       by Reisyukaku
-*   Copyright (c) 2015 All Rights Reserved
-*/
-
-#ifndef FS_H
-#define FS_H
-#include <stdio.h>
-extern unsigned int fopen9(void *handle, wchar_t* name, unsigned int flag);
-extern void fwrite9(void* handle, unsigned int* bytesWritten, void* dst, unsigned int size);
-extern void fread9(void* handle, unsigned int* bytesRead, void *src, unsigned int size);
-extern void fsize9(void *handle, long *size);
-extern void fclose9(void *handle);
-
-#endif

thread/source/FS.s

@@ -1,57 +0,0 @@
-#
-#   FS.s
-#       by Reisyukaku
-#   Copyright (c) 2015 All Rights Reserved
-#/
-
-.text
-
-.thumb
-.global fopen9
-.type fopen9, %function
-	fopen9:
-		push {r0-r6, lr}
-		ldr r4, =0x08059D0D
-		blx r4
-		pop {r0-r6, pc}
-.pool
-
-.thumb
-.global fwrite9
-.type fwrite9, %function
-	fwrite9:
-		push {r4, lr}
-		ldr r4, =0x0805B20D
-		blx r4
-		pop {r4, pc}
-.pool
-
-.thumb
-.global fread9
-.type fread9, %function
-	fread9:
-		push {r4, lr}
-		ldr r4, =0x0804CC15
-		blx r4
-		pop {r4, pc}
-.pool
-
-.thumb
-.global fclose9
-.type fclose9, %function
-	fclose9:
-		push {r4, lr}
-		ldr r4, =0x08052DA1
-		blx r4
-		pop {r4, pc}
-.pool
-
-.thumb
-.global fsize9
-.type fsize9, %function
-    fsize9:
-        push {r4, lr}
-        ldr r4, =0x0805B0E9
-        blx r4
-        pop {r4, pc}
-.pool

thread/source/_start.s

@@ -1,20 +0,0 @@
-.arm
-.global _start
-_start:
-	push {r0-r12 , lr}
-	ldr r0, =0x08000c00
-	mov r1, #0xA00
-	mov r2, #0x0
-	thread_stack_loop:
-		str r2, [r0], #0x4
-		subs r1, r1, #4
-		bgt thread_stack_loop
-	mov r0, #0x3F @ thread priority
-	ldr r1, =thread @ thread_addr
-	mov r2, #0x0 @ arg
-	ldr r3, =0x08000c00 @ StackTop
-	ldr r4, =0xFFFFFFFE
-	svc 0x8
-	pop {r0-r12 , lr}
-	ldr r0, =0x080E3408
-	ldr pc, =0x0808519C

thread/source/lib.c

@@ -1,54 +0,0 @@
-#include "lib.h"
-
-void *memset(void * ptr, int value, unsigned int num){
-    unsigned char *p = ptr;
-    while (num) {
-        *p++ = value;
-        num--;
-    }
-    return ptr;
-}
-
-int strcomp(char* s1, char* s2, unsigned int size){
-    for(int i = 0; i < size*2; i++){
-        if(s1[i] != s2[i]) return 0;
-    }
-    return 1;
-}
-
-void strcopy(char* dest, char* source, unsigned int size){
-	for(int i = 0; i < size*2; i++) dest[i] = source[i];
-}
-
-int memcmp(void* buf1, void* buf2, int size){
-	int equal = 0;
-	for(int i = 0; i < size; i++){
-		if(*((unsigned char*)buf1 + i) != *((unsigned char*)buf2 + i)){
-			equal = i;
-			break;
-		}
-	}
-	return equal;
-}
-
-int atoi(const char* nptr){
-    int result   = 0,
-        position = 1;
-    const char* p = nptr;
-    
-    while(*p) ++p;
-
-    for(--p; p >= nptr; p--){
-        if(*p < 0x30 || *p > 0x39) break;
-        else{
-            result += (position) * (*p - 0x30);
-            position *= 10;
-        }
-    }
-    result = ((nptr[0] == '-')? -result : result);
-    return result;
-}
-
-unsigned isPressed(unsigned bitfield){
-	return ((~*(unsigned *)0x10146000) & 0xFFF) == (bitfield & 0xFFF) ? 1 : 0;
-}

thread/source/lib.h

@@ -1,26 +0,0 @@
-#ifndef LIB_H
-#define LIB_H
-
-#define BUTTON_A      (1 << 0)
-#define BUTTON_B      (1 << 1)
-#define BUTTON_SELECT (1 << 2)
-#define BUTTON_START  (1 << 3)
-#define BUTTON_RIGHT  (1 << 4)
-#define BUTTON_LEFT   (1 << 5)
-#define BUTTON_UP     (1 << 6)
-#define BUTTON_DOWN   (1 << 7)
-#define BUTTON_R1     (1 << 8)
-#define BUTTON_L1     (1 << 9)
-#define BUTTON_X      (1 << 10)
-#define BUTTON_Y      (1 << 11)
-#define BUTTON_ZL     (1 << 14)
-#define BUTTON_ZR     (1 << 15)
-
-void* memset(void * ptr, int value, unsigned int num);
-int strcomp(char* s1, char*s2, unsigned int size);
-void strcopy(char* dest, char* source, unsigned int size);
-int memcmp(void* buf1, void* buf2, int size);
-int atoi(const char* nptr);
-unsigned isPressed(unsigned bitfield);
-
-#endif

thread/source/thread.c

@@ -1,59 +0,0 @@
-/*
-*   thread.c
-*       by Reisyukaku
-*   Copyright (c) 2015 All Rights Reserved
-*/
-
-#include <wchar.h>
-#include <stdio.h>
-#include "thread.h"
-#include "lib.h"
-#include "FS.h"
-
-//ram stuff
-#define VRAM (unsigned char*)0x18000000
-#define FCRAM (unsigned char*)0x20000000
-#define FCRAM_EXT (unsigned char*)0x28000000
-
-//file stuff
-#define READ 0
-#define WRITE 1
-
-unsigned char handle[32];
-
-void fileReadWrite(void *buf, void *path, int size, char rw){
-    unsigned int br = 0;
-    memset(&handle, 0, 32);
-    fopen9(&handle, path, 6);
-    if(rw == 0) fread9(&handle, &br, buf, size);
-    else fwrite9(&handle, &br, buf, size);
-    fclose9(&handle);
-}
-
-void memdump(void* filename, void* buf, unsigned int size){
-	fileReadWrite(buf, filename, size, WRITE);
-	memset(VRAM+0x1E6000, 0xFF, 0x46500);
-}
-
-void patches(void){
-    //Change version string
-    for(int i = 0; i < 0x600000; i+=4){
-        if(strcomp((void*)0x27B00000  - i, (void*)L"Ver.", 4)){
-            if(strcomp((void*)0x27B00000  - i + 0x28, (void*)"T_ver_00", 4)) strcopy((void*)0x27B00000 - i, (void*)L"\uE024Rei", 4);
-        }
-	}
-}
-
-void thread(void){
-	while(1){
-        if(isPressed(BUTTON_START | BUTTON_X)){
-            unsigned char buf[0x10] = {0};
-            int loc = 0;
-            fileReadWrite(buf, L"sdmc:/rei/RAM.txt", 0x20, READ);
-            loc = atoi(buf);
-            memdump(L"sdmc:/RAMdmp.bin", (void*)loc, 0x10000);
-        }
-        patches();
-	}
-	__asm("SVC 0x09");
-}

thread/source/thread.h

@@ -1,6 +0,0 @@
-/*
-*   thread.h
-*       by Reisyukaku
-*/
-
-void thread(void);