added ninjhax entry code

ninjhax/include/brahma.h

@@ -0,0 +1,32 @@
+#pragma once
+
+#include "exploitdata.h"
+
+s32 load_arm9_payload (char *filename);
+s32 load_arm9_payload_from_mem (u8* data, u32 dsize);
+void redirect_codeflow (u32 *dst_addr, u32 *src_addr);
+void do_gshax_copy (void *dst, void *src, u32 len);
+void priv_write_four (u32 address);
+void user_clear_icache (void);
+s32 corrupt_svcCreateThread (void);
+s32 map_arm9_payload (void);
+s32 map_arm11_payload (void);
+void exploit_arm9_race_condition (void);
+void repair_svcCreateThread (void);
+s32 get_exploit_data (struct exploit_data *data);
+s32 firm_reboot ();
+
+#define BRAHMA_NETWORK_PORT 80
+
+#define ARM_JUMPOUT 0xE51FF004 // LDR PC, [PC, -#04]
+#define ARM_RET     0xE12FFF1E // BX LR
+#define ARM_NOP     0xE1A00000 // NOP
+
+static u8  *g_ext_arm9_buf;
+static u32 g_ext_arm9_size = 0;
+static s32 g_ext_arm9_loaded = 0;
+
+extern void *arm11_start;
+extern void *arm11_end;
+extern void *arm9_start;
+extern void *arm9_end;

ninjhax/include/exploitdata.h

@@ -0,0 +1,204 @@
+#pragma once
+
+#define SYS_MODEL_NONE    0
+#define SYS_MODEL_OLD_3DS 1
+#define SYS_MODEL_NEW_3DS 2
+
+#define PA_EXC_HANDLER_BASE        0x1FFF4000
+#define PA_FCRAM_BASE              0x20000000
+#define OFFS_FCRAM_MAPPED_FIRM     0x04000000
+#define OFFS_FCRAM_ARM9_PAYLOAD    0x03F00000
+#define OFFS_EXC_HANDLER_UNUSED    0xC80
+#if OFFS_FCRAM_ARM9_PAYLOAD >= OFFS_FCRAM_MAPPED_FIRM
+   #error ERRROR: Invalid ARM9 payload offset
+#endif
+#define ARM9_PAYLOAD_MAX_SIZE (OFFS_FCRAM_MAPPED_FIRM - OFFS_FCRAM_ARM9_PAYLOAD)
+
+/* any changes to this structure must also be applied to
+   the data structure following the 'arm11_globals_start'
+   label of arm11.s */
+typedef struct arm11_shared_data {
+	u32 va_pdn_regs;
+	u32 va_pxi_regs;
+	u32 va_hook1_ret;
+};
+
+typedef struct exploit_data {
+
+	u32 firm_version;
+	u32 sys_model; // mask
+
+	u32 va_patch_createthread;
+	u32 va_patch_hook1;
+	u32 va_patch_hook2;
+	u32 va_hook1_ret;
+
+	u32 va_fcram_base;
+	u32 va_exc_handler_base_W;
+	u32 va_exc_handler_base_X;
+	u32 va_kernelsetstate;
+
+	u32 va_pdn_regs;
+	u32 va_pxi_regs;
+};
+
+static struct exploit_data g_expdata;
+static struct arm11_shared_data g_arm11shared;
+
+// add all vulnerable systems below
+static const struct exploit_data supported_systems[] = {
+	{
+		0x022E0000,        // FIRM version
+		SYS_MODEL_NEW_3DS, // model
+		0xDFF83837,        // VA of CreateThread code to corrupt
+		0xDFFE7A50,        // VA of 1st hook for firmlaunch
+		0xDFFF4994,        // VA of 2nd hook for firmlaunch
+		0xFFF28A58,        // VA of return address from 1st hook 
+		0xE0000000,        // VA of FCRAM
+		0xDFFF4000,        // VA of lower mapped exception handler base
+		0xFFFF0000,        // VA of upper mapped exception handler base
+		0xFFF158F8,        // VA of the KernelSetState syscall (upper mirror)
+		0xFFFBE000,        // VA PDN registers
+		0xFFFC0000         // VA PXI registers		
+	},
+	{
+		0x022C0600,        // FIRM version
+		SYS_MODEL_NEW_3DS, // model
+		0xDFF83837,        // VA of CreateThread code to corrupt
+		0xDFFE7A50,        // VA of 1st hook for firmlaunch
+		0xDFFF4994,        // VA of 2nd hook for firmlaunch
+		0xFFF28A58,        // VA of return address from 1st hook 
+		0xE0000000,        // VA of FCRAM
+		0xDFFF4000,        // VA of lower mapped exception handler base
+		0xFFFF0000,        // VA of upper mapped exception handler base
+		0xFFF158F8,        // VA of the KernelSetState syscall (upper mirror)
+		0xFFFBE000,        // VA PDN registers
+		0xFFFC0000         // VA PXI registers		
+	},
+	{
+		0x02220000,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83C9F,
+		0xEFFE4DD4,
+		0xEFFF497C,
+		0xFFF84DDC,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF748C4,
+		0xFFFD0000,
+		0xFFFD2000
+	},
+	{
+		0x02230600,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83737,
+		0xEFFE55BC,
+		0xEFFF4978,
+		0xFFF765C4,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF64B94,
+		0xFFFD0000,
+		0xFFFD2000
+	},
+	{
+		0x022E0000,
+		SYS_MODEL_OLD_3DS,
+		0xDFF8383F,
+		0xDFFE59D0,
+		0xDFFF4974,
+		0xFFF279D8,
+		0xE0000000,
+		0xDFFF4000,
+		0xFFFF0000,
+		0xFFF151C0,
+		0xFFFC2000,
+		0xFFFC4000
+	},
+	{
+		0x022C0600,
+		SYS_MODEL_OLD_3DS,
+		0xDFF8376F,
+		0xDFFE4F28,
+		0xDFFF4974,
+		0xFFF66F30,
+		0xE0000000,
+		0xDFFF4000,
+		0xFFFF0000,
+		0xFFF54BAC,
+		0xFFFBE000,
+		0xFFFC0000
+	},
+	{
+		0x02280000,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83733,
+		0xEFFE5B30,
+		0xEFFF4974,
+		0xFFF76B38,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF54BAC,
+		0xFFFD0000,
+		0xFFFD2000
+	},
+	{
+		0x02270400,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83737,
+		0xEFFE5B34,
+		0xEFFF4978,
+		0xFFF76B3C,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF64AB0,
+		0xFFFD0000,
+		0xFFFD2000
+	},
+	{
+		0x02250000,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83733,
+		0xEFFE5AE8,
+		0xEFFF4978,
+		0xFFF76AF0,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF64A78,
+		0xFFFD0000,
+		0xFFFD2000
+	},
+	{
+		0x02260000,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83733,
+		0xEFFE5AE8,
+		0xEFFF4978,
+		0xFFF76AF0,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF64A78,
+		0xFFFD0000,
+		0xFFFD2000
+	},
+	{
+		0x02240000,
+		SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
+		0xEFF83733,
+		0xEFFE55B8,
+		0xEFFF4978,
+		0xFFF765C0,
+		0xF0000000,
+		0xEFFF4000,
+		0xFFFF0000,
+		0xFFF64B90,
+		0xFFFD0000,
+		0xFFFD2000
+	}
+};

ninjhax/include/hid.h

@@ -0,0 +1,4 @@
+#pragma once
+
+u32 wait_key (void);
+void wait_any_key (void);

ninjhax/include/menus.h

@@ -0,0 +1,42 @@
+#pragma once
+
+#include "textmenu.h"
+
+#define BRAHMADIR "/brahma/"
+
+s32 print_menu (s32 idx, struct menu_t *menu);
+s32 print_file_list (s32 idx, struct menu_t *menu);
+s32 print_main_menu (s32 idx, struct menu_t *menu);
+
+s32 get_filename (s32 idx, char *buf, u32 size);
+
+s32 menu_cb_load (s32 idx, void *param);
+s32 menu_cb_choose_file (s32 idx, void *param);
+s32 menu_cb_run (s32 idx, void *param);
+s32 menu_cb_recv (s32 idx, void *param);
+s32 menu_cb_patch_svc (s32 idx, void *param);
+
+static const struct menu_t g_main_menu = {
+	3,
+	{
+		{"Load ARM9 payload", &menu_cb_choose_file},
+		{"Receive ARM9 payload", &menu_cb_recv},
+		{"Run ARM9 payload", &menu_cb_run}
+	}
+};
+
+static const struct menu_t g_file_list = {
+	10,
+	{
+		{"Slot 0", &menu_cb_load},
+		{"Slot 1", &menu_cb_load},
+		{"Slot 2", &menu_cb_load},
+		{"Slot 3", &menu_cb_load},
+		{"Slot 4", &menu_cb_load},
+		{"Slot 5", &menu_cb_load},
+		{"Slot 6", &menu_cb_load},
+		{"Slot 7", &menu_cb_load},
+		{"Slot 8", &menu_cb_load},
+		{"Slot 9", &menu_cb_load}
+	}
+};

ninjhax/include/sochlp.h

@@ -0,0 +1,9 @@
+#pragma once
+
+#define SOC_ALIGN       0x1000
+#define SOC_BUFFERSIZE  0x100000
+
+u32 soc_init (void);
+u32 soc_exit (void);
+
+static u32 *SOC_buffer = 0;

ninjhax/include/textmenu.h

@@ -0,0 +1,20 @@
+#pragma once
+
+typedef int menu_func_t (s32, void *);
+
+typedef struct menu_elem_t {
+	const char *name;
+	menu_func_t *func;
+} _menu_elem_t; 
+
+typedef struct menu_t {
+	s32 element_count;
+	struct menu_elem_t element[];
+} _menu_t;
+
+s32 menu_get_element_count (struct menu_t *menu);
+s32 menu_is_valid_index (s32 idx, struct menu_t *menu);
+s32 menu_update_index (s32 idx, struct menu_t *menu);
+const char *menu_get_element_name (s32 idx, struct menu_t *menu);
+menu_func_t *menu_get_element_function (s32 idx, struct menu_t *menu);
+s32 menu_execute_function (s32 idx, struct menu_t *menu, void *param);

ninjhax/include/utils.h

@@ -0,0 +1,4 @@
+#pragma once
+
+void InvalidateEntireInstructionCache (void);
+void InvalidateEntireDataCache (void);