diff --git a/Makefile b/Makefile
index 37c17d6..ad60d8f 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ emunand: $(dir_out)/rei/emunand/emunand.bin
 thread: $(dir_out)/rei/thread/arm9.bin
 .PHONY: ninjhax
-ninjhax: $(dir_out)/3ds/
+ninjhax: $(dir_out)/3ds/ReiNand
 .PHONY: clean
 clean:
@@ -56,11 +56,11 @@ $(dir_out)/ReiNand.dat: $(dir_build)/main.bin $(dir_out)/rei/
 @$(MAKE) $(FLAGS) -C $(dir_mset) launcher
 dd if=$(dir_build)/main.bin of=$@ bs=512 seek=256
-$(dir_out)/3ds/:
+$(dir_out)/3ds/ReiNand:
 @mkdir -p "$(dir_out)/3ds/ReiNand"
 @$(MAKE) -C $(dir_ninjhax)
- @cp -av $(dir_ninjhax)/ninjhax.3dsx $(dir_out)/3ds/ReiNand/ReiNand.3dsx
- @cp -av $(dir_ninjhax)/ninjhax.smdh $(dir_out)/3ds/ReiNand/ReiNand.smdh
+ @cp -av $(dir_ninjhax)/ReiNand.3dsx $@
+ @cp -av $(dir_ninjhax)/ReiNand.smdh $@
 $(dir_out)/rei/: $(dir_data)/firmware.bin $(dir_data)/splash.bin
 @mkdir -p "$(dir_out)/rei"
diff --git a/README.md b/README.md
index b02cfd2..0c2b151 100644
--- a/README.md
+++ b/README.md
@@ -28,10 +28,10 @@ Pre-compiled version can still be found on my [pastebin](http://pastebin.com/c5A
 **Credits:**
-Cakes team for teaching me a few things and just being helpful in general! And for ROP/mset related code.
+ Cakes team for teaching me a few things and just being helpful in general! And for ROP/mset related code.
-3DBREW for saving me plenty of reverse engineering time.
+ 3DBREW for saving me plenty of reverse engineering time.
-Patois for Brahma code.
+ Patois for Brahma code.
-Me (Rei) for coding everything else.
\ No newline at end of file
+ Me (Rei) for coding everything else.
\ No newline at end of file
diff --git a/ninjhax/Makefile b/ninjhax/Makefile
index 1cf3dd1..dc1f852 100644
--- a/ninjhax/Makefile
+++ b/ninjhax/Makefile
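Review bot: `$(dir_out)/3ds/ReiNand:` in the second hunk is a directory target with no prerequisites, so once that directory exists make considers it up to date and the `$(MAKE) -C $(dir_ninjhax)` and `cp` lines never run again; the phony `ninjhax` goal from the first hunk then silently keeps a stale `ReiNand.3dsx`. The simplest fix is to move the four recipe lines under the already-phony `ninjhax:` rule and drop the directory rule, so the sub-make performs the up-to-date check on every invocation. If the directory rule is kept, `@mkdir -p "$(dir_out)/3ds/ReiNand"` should become `@mkdir -p "$@"` so the path is spelled once, now that the target names it. The README hunk in this span is credits-only and needs nothing.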
@@ -26,10 +26,9 @@ include $(DEVKITARM)/3ds_rules
 # - icon.png
 # - /default_icon.png
 #---------------------------------------------------------------------------------
-TARGET := $(notdir $(CURDIR))
+TARGET := ReiNand
 BUILD := build
 SOURCES := source
-DATA := data
 INCLUDES := include
 APP_TITLE := ReiNAND
 APP_DESCRIPTION := N3DS CFW
@@ -78,7 +77,6 @@ export DEPSDIR := $(CURDIR)/$(BUILD)
 CFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
 CPPFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
 SFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
-BINFILES := $(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*))) payload.bin
 #---------------------------------------------------------------------------------
 # use CXX for linking C++ projects, CC for standard C
@@ -94,8 +92,7 @@ else
 endif
 #---------------------------------------------------------------------------------
-export OFILES := $(addsuffix .o,$(BINFILES)) \
- $(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
+export OFILES := $(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
 export INCLUDE := $(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
 $(foreach dir,$(LIBDIRS),-I$(dir)/include) \
@@ -119,20 +116,17 @@ endif
 .PHONY: $(BUILD) clean all
 #---------------------------------------------------------------------------------
-all: payload.bin $(BUILD)
+all: $(BUILD)
 $(BUILD):
 @echo $(SFILES)
 @[ -d $@ ] || mkdir -p $@
 @make --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
-payload.bin :
- @cd data/payload && make
 #---------------------------------------------------------------------------------
 clean:
 @echo clean ...
 @rm -fr $(BUILD) $(TARGET).3dsx $(OUTPUT).smdh $(TARGET).elf
- @cd data/payload && make clean
 #---------------------------------------------------------------------------------
 else
diff --git a/ninjhax/data/payload/Makefile b/ninjhax/data/payload/Makefile
deleted file mode 100644
index 3377528..0000000
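Review bot: The `$(BUILD)` recipe kept in the last hunk still recurses with a literal `make --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile`; the top-level Makefile now reaches this file via `$(MAKE) -C $(dir_ninjhax)`, so the jobserver and `-n` propagate one level and then stop here. Change it to `@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile`, and drop the stray debugging line `@echo $(SFILES)` above it while this rule is being edited. With `DATA` removed in the first hunk, any template line that still expands `$(DATA)` (the usual `export VPATH` is outside these hunks, so this is inferred) now yields an empty word and would trip `--warn-undefined-variables`; prune it rather than leave a dangling reference. The `else` branch at the end of the last hunk continues outside the diff.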
--- a/ninjhax/data/payload/Makefile
+++ /dev/null
@@ -1,134 +0,0 @@ -#--------------------------------------------------------------------------------- -.SUFFIXES: -#--------------------------------------------------------------------------------- - -ifeq ($(strip $(DEVKITARM)),) -$(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") -endif - -include $(DEVKITARM)/ds_rules - -#--------------------------------------------------------------------------------- -# TARGET is the name of the output -# BUILD is the directory where object files & intermediate files will be placed -# SOURCES is a list of directories containing source code -# DATA is a list of directories containing data files -# INCLUDES is a list of directories containing header files -# SPECS is the directory containing the important build and link files -#--------------------------------------------------------------------------------- -export TARGET := $(shell basename $(CURDIR)) -BUILD := build -SOURCES := source source/fatfs source/decryptor -DATA := data -INCLUDES := include source source/fatfs - -#--------------------------------------------------------------------------------- -# Setup some defines -#--------------------------------------------------------------------------------- - -#--------------------------------------------------------------------------------- -# options for code generation -#--------------------------------------------------------------------------------- -ARCH := -mthumb -mthumb-interwork - -CFLAGS := -g -Wall -O2\ - -march=armv5te -mtune=arm946e-s -fomit-frame-pointer\ - -ffast-math -std=c99 -mthumb\ - $(ARCH) - -CFLAGS += $(INCLUDE) -DARM9 - -CXXFLAGS := $(CFLAGS) -fno-rtti -fno-exceptions - -ASFLAGS := -g $(ARCH) -LDFLAGS = -nostartfiles -g --specs=../stub.specs $(ARCH) -Wl,-Map,$(TARGET).map - -LIBS := - -#--------------------------------------------------------------------------------- -# list of directories containing libraries, this must be the top level containing -# include and lib 
-#--------------------------------------------------------------------------------- -LIBDIRS := - -#--------------------------------------------------------------------------------- -# no real need to edit anything past this point unless you need to add additional -# rules for different file extensions -#--------------------------------------------------------------------------------- -ifneq ($(BUILD),$(notdir $(CURDIR))) -#--------------------------------------------------------------------------------- - -export OUTPUT := $(CURDIR) - -export VPATH := $(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \ - $(foreach dir,$(DATA),$(CURDIR)/$(dir)) - -export DEPSDIR := $(CURDIR)/$(BUILD) - -CFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c))) -CPPFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp))) -SFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s))) -BINFILES := $(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*))) - -#--------------------------------------------------------------------------------- -# use CXX for linking C++ projects, CC for standard C -#--------------------------------------------------------------------------------- -ifeq ($(strip $(CPPFILES)),) -#--------------------------------------------------------------------------------- - export LD := $(CC) -#--------------------------------------------------------------------------------- -else -#--------------------------------------------------------------------------------- - export LD := $(CXX) -#--------------------------------------------------------------------------------- -endif -#--------------------------------------------------------------------------------- - -export OFILES := $(addsuffix .o,$(BINFILES)) \ - $(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o) - -export INCLUDE := $(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \ - $(foreach dir,$(LIBDIRS),-I$(dir)/include) \ - -I$(CURDIR)/$(BUILD) - -export LIBPATHS := $(foreach 
dir,$(LIBDIRS),-L$(dir)/lib) - -.PHONY: $(BUILD) clean all - -#--------------------------------------------------------------------------------- -all: $(BUILD) - -$(BUILD): - @[ -d $@ ] || mkdir -p $@ - @make --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile - -#--------------------------------------------------------------------------------- -clean: - @echo clean ... - @rm -fr $(BUILD) $(OUTPUT).elf $(OUTPUT).bin - - -#--------------------------------------------------------------------------------- -else - -DEPENDS := $(OFILES:.o=.d) - -#--------------------------------------------------------------------------------- -# main targets -#--------------------------------------------------------------------------------- -$(OUTPUT).bin : $(OUTPUT).elf -$(OUTPUT).elf : $(OFILES) - - -#--------------------------------------------------------------------------------- -%.bin: %.elf - @$(OBJCOPY) -O binary $< $@ - @rm $< - @echo built ... $(notdir $@) - --include $(DEPENDS) - - -#--------------------------------------------------------------------------------------- -endif -#--------------------------------------------------------------------------------------- diff --git a/ninjhax/data/payload/source/main.c b/ninjhax/data/payload/source/main.c deleted file mode 100644 index 2cab283..0000000 --- a/ninjhax/data/payload/source/main.c +++ /dev/null 
@@ -1,50 +0,0 @@ -#include -#include -#include - -void* (*reiNand)() = 0x08000030; - -void main() -{ - /*int fbfound = 0; - unsigned char* screen = 0x20000000; - for(int i = 0; i < 0x30; i++){ - if( *((unsigned int*)(screen + i + 0)) == 0xABADF00D && - *((unsigned int*)(screen + i + 4)) == 0xDEADBEEF ){ - fbfound = 1; - screen += i; - } - } - if(!fbfound){ - screen = 0x20046500; - for(int i = 0; i < 0x30; i++){ - if( *((unsigned int*)(screen + i + 0)) == 0xABADF00D && - *((unsigned int*)(screen + i + 4)) == 0xDEADBEEF ){ - fbfound = 1; - screen += i; - } - } - } - */ - *((unsigned int*)0x080FFFC0) = 0x20000000; - *((unsigned int*)0x080FFFC4) = 0x20046500; - *((unsigned int*)0x080FFFD8) = 0; - - unsigned int* buf = 0x20400000; - unsigned int base = 0x67893421; - unsigned int seed = 0x12756342; - for(int i = 0; i < 400*1024/4; i++){ - buf[i] ^= base; - base += seed; - } - - unsigned char*src = 0x20400000; - unsigned char*dst = 0x08000000; - for(int i = 0; i < 320*1024; i++){ - dst[i] = src[i]; - } - - *(unsigned int*)0x10000020 = 0; - *(unsigned int*)0x10000020 = 0x340; - reiNand(); -} diff --git a/ninjhax/data/payload/source/start.s b/ninjhax/data/payload/source/start.s deleted file mode 100644 index 15bbb25..0000000 --- a/ninjhax/data/payload/source/start.s +++ /dev/null 
@@ -1,75 +0,0 @@ -@--------------------------------------------------------------------------------- - .section ".init" -@--------------------------------------------------------------------------------- - .global _start - .extern main - .align 4 - .arm -@--------------------------------------------------------------------------------- - b _start - NOP - NOP - NOP -_start: - MSR CPSR_c, #0xDF - LDR R0, =0x2078 - MCR p15, 0, R0,c1,c0, 0 - LDR R0, =0xFFFF001D - LDR R1, =0x1FF801D - LDR R2, =0x8000027 - LDR R3, =0x10000021 - LDR R4, =0x10100025 - LDR R5, =0x20000035 - LDR R6, =0x2800801B - LDR R7, =0x1800002D - LDR R8, =0x33333336 - LDR R9, =0x60600666 - MOV R10, #0x25 - MOV R11, #0x25 - MOV R12, #0x25 - MCR p15, 0, R0,c6,c0, 0 - MCR p15, 0, R1,c6,c1, 0 - MCR p15, 0, R2,c6,c2, 0 - MCR p15, 0, R3,c6,c3, 0 - MCR p15, 0, R4,c6,c4, 0 - MCR p15, 0, R5,c6,c5, 0 - MCR p15, 0, R6,c6,c6, 0 - MCR p15, 0, R7,c6,c7, 0 - MCR p15, 0, R8,c5,c0, 2 - MCR p15, 0, R9,c5,c0, 3 - MCR p15, 0, R10,c3,c0, 0 - MCR p15, 0, R11,c2,c0, 0 - MCR p15, 0, R12,c2,c0, 1 - LDR R0, =0x2800800C - MCR p15, 0, R0,c9,c1, 0 - MOV R0, #0x1E - MCR p15, 0, R0,c9,c1, 1 - - MOV R12, #0 - loc_9D3D54: - MOV R0, #0 - MOV R2, R12,LSL#30 - loc_9D3D5C: - ORR R1, R2, R0,LSL#5 - MCR p15, 0, R1,c7,c14, 2 - ADD R0, R0, #1 - CMP R0, #0x20 - BCC loc_9D3D5C - ADD R12, R12, #1 - CMP R12, #4 - BCC loc_9D3D54 - MOV R0, #0 - MCR p15, 0, R0,c7,c10, 4 - - MOV R0, #0 - MCR p15, 0, R0,c7,c5, 0 - - LDR R0, =0x5307D - MCR p15, 0, R0,c1,c0, 0 - - ldr r3, =main; - blx r3 - -InfiniteLoop: - b InfiniteLoop -.pool diff --git a/ninjhax/data/payload/stub.ld b/ninjhax/data/payload/stub.ld deleted file mode 100644 index f96e346..0000000 --- a/ninjhax/data/payload/stub.ld +++ /dev/null 
@@ -1,164 +0,0 @@ -OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm", "elf32-littlearm") -OUTPUT_ARCH(arm) -ENTRY(_start) - -MEMORY - { - ram : ORIGIN = 0x23F00000, LENGTH = 128K - } - -SECTIONS -{ - .init : - { - __text_start = . ; - KEEP (*(.init)) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - .plt : { *(.plt) } >ram = 0xff - - .text : /* ALIGN (4): */ - { - *(.text .stub .text.* .gnu.linkonce.t.*) - KEEP (*(.text.*personality*)) - /* .gnu.warning sections are handled specially by elf32.em. */ - *(.gnu.warning) - *(.glue_7t) *(.glue_7) *(.vfp11_veneer) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - - .fini : - { - KEEP (*(.fini)) - } >ram =0xff - - __text_end = . ; - - .rodata : - { - *(.rodata) - *all.rodata*(*) - *(.roda) - *(.rodata.*) - *(.gnu.linkonce.r*) - SORT(CONSTRUCTORS) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - - .ARM.extab : { *(.ARM.extab* .gnu.linkonce.armextab.*) } >ram - __exidx_start = .; - .ARM.exidx : { *(.ARM.exidx* .gnu.linkonce.armexidx.*) } >ram - __exidx_end = .; - -/* Ensure the __preinit_array_start label is properly aligned. We - could instead move the label definition inside the section, but - the linker would then create the section even if it turns out to - be empty, which isn't pretty. */ - . = ALIGN(32 / 8); - PROVIDE (__preinit_array_start = .); - .preinit_array : { KEEP (*(.preinit_array)) } >ram = 0xff - PROVIDE (__preinit_array_end = .); - PROVIDE (__init_array_start = .); - .init_array : { KEEP (*(.init_array)) } >ram = 0xff - PROVIDE (__init_array_end = .); - PROVIDE (__fini_array_start = .); - .fini_array : { KEEP (*(.fini_array)) } >ram = 0xff - PROVIDE (__fini_array_end = .); - - .ctors : - { - /* gcc uses crtbegin.o to find the start of the constructors, so - we make sure it is first. 
Because this is a wildcard, it - doesn't matter if the user does not actually link against - crtbegin.o; the linker won't look for a file to match a - wildcard. The wildcard also means that it doesn't matter which - directory crtbegin.o is in. */ - KEEP (*crtbegin.o(.ctors)) - KEEP (*(EXCLUDE_FILE (*crtend.o) .ctors)) - KEEP (*(SORT(.ctors.*))) - KEEP (*(.ctors)) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - - .dtors : - { - KEEP (*crtbegin.o(.dtors)) - KEEP (*(EXCLUDE_FILE (*crtend.o) .dtors)) - KEEP (*(SORT(.dtors.*))) - KEEP (*(.dtors)) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - - .eh_frame : - { - KEEP (*(.eh_frame)) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - - .gcc_except_table : - { - *(.gcc_except_table) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - } >ram = 0xff - .jcr : { KEEP (*(.jcr)) } >ram = 0 - .got : { *(.got.plt) *(.got) } >ram = 0 - - .data ALIGN(4) : { - __data_start = ABSOLUTE(.); - *(.data) - *(.data.*) - *(.gnu.linkonce.d*) - CONSTRUCTORS - . = ALIGN(4); - __data_end = ABSOLUTE(.) ; - } >ram = 0xff - - .bss ALIGN(4) : - { - __bss_start = ABSOLUTE(.); - __bss_start__ = ABSOLUTE(.); - *(.dynbss) - *(.gnu.linkonce.b*) - *(.bss*) - *(COMMON) - . = ALIGN(4); /* REQUIRED. LD is flaky without it. */ - __bss_end__ = ABSOLUTE(.); - __end__ = ABSOLUTE(.); - } >ram - - /* Stabs debugging sections. */ - .stab 0 : { *(.stab) } - .stabstr 0 : { *(.stabstr) } - .stab.excl 0 : { *(.stab.excl) } - .stab.exclstr 0 : { *(.stab.exclstr) } - .stab.index 0 : { *(.stab.index) } - .stab.indexstr 0 : { *(.stab.indexstr) } - .comment 0 : { *(.comment) } - /* DWARF debug sections. - Symbols in the DWARF debugging sections are relative to the beginning - of the section so we begin them at 0. 
*/ - /* DWARF 1 */ - .debug 0 : { *(.debug) } - .line 0 : { *(.line) } - /* GNU DWARF 1 extensions */ - .debug_srcinfo 0 : { *(.debug_srcinfo) } - .debug_sfnames 0 : { *(.debug_sfnames) } - /* DWARF 1.1 and DWARF 2 */ - .debug_aranges 0 : { *(.debug_aranges) } - .debug_pubnames 0 : { *(.debug_pubnames) } - /* DWARF 2 */ - .debug_info 0 : { *(.debug_info) } - .debug_abbrev 0 : { *(.debug_abbrev) } - .debug_line 0 : { *(.debug_line) } - .debug_frame 0 : { *(.debug_frame) } - .debug_str 0 : { *(.debug_str) } - .debug_loc 0 : { *(.debug_loc) } - .debug_macinfo 0 : { *(.debug_macinfo) } - /* SGI/MIPS DWARF 2 extensions */ - .debug_weaknames 0 : { *(.debug_weaknames) } - .debug_funcnames 0 : { *(.debug_funcnames) } - .debug_typenames 0 : { *(.debug_typenames) } - .debug_varnames 0 : { *(.debug_varnames) } - .stack 0x80000 : { _stack = .; *(.stack) } - /* These must appear regardless of . */ -} diff --git a/ninjhax/data/payload/stub.specs b/ninjhax/data/payload/stub.specs deleted file mode 100644 index b6c2098..0000000 --- a/ninjhax/data/payload/stub.specs +++ /dev/null @@ -1,5 +0,0 @@ -%rename link old_link - -*link: -%(old_link) -T ../stub.ld%s - diff --git a/ninjhax/data/payload/tools/Launcher.dat b/ninjhax/data/payload/tools/Launcher.dat deleted file mode 100644 index c00994d..0000000 Binary files a/ninjhax/data/payload/tools/Launcher.dat and /dev/null differ diff --git a/ninjhax/data/payload/tools/LauncherTemplate.dat b/ninjhax/data/payload/tools/LauncherTemplate.dat deleted file mode 100644 index 3bb3d1c..0000000 Binary files a/ninjhax/data/payload/tools/LauncherTemplate.dat and /dev/null differ diff --git a/ninjhax/data/payload/tools/fill_with_zero.exe b/ninjhax/data/payload/tools/fill_with_zero.exe deleted file mode 100644 index d45cda1..0000000 Binary files a/ninjhax/data/payload/tools/fill_with_zero.exe and /dev/null differ diff --git a/ninjhax/data/payload/tools/insert.py b/ninjhax/data/payload/tools/insert.py deleted file mode 100644 index 461ff75..0000000 
--- a/ninjhax/data/payload/tools/insert.py +++ /dev/null @@ -1,16 +0,0 @@ -import sys; -import os - -f1 = 0 -f2 = 0 -f3 = 0 - -f1size = 0 - -with open(sys.argv[1], "rb+") as file1: - with open(sys.argv[2], "rb") as file2: - f1 = file1.read() - f2 = file2.read() - file1.seek(int(sys.argv[3], 16), os.SEEK_SET) - file1.write(f2); - \ No newline at end of file diff --git a/ninjhax/include/menus.h b/ninjhax/include/menus.h deleted file mode 100644 index 46a2efc..0000000 --- a/ninjhax/include/menus.h +++ /dev/null @@ -1,42 +0,0 @@ -#pragma once - -#include "textmenu.h" - -#define BRAHMADIR "/brahma/" - -s32 print_menu (s32 idx, struct menu_t *menu); -s32 print_file_list (s32 idx, struct menu_t *menu); -s32 print_main_menu (s32 idx, struct menu_t *menu); - -s32 get_filename (s32 idx, char *buf, u32 size); - -s32 menu_cb_load (s32 idx, void *param); -s32 menu_cb_choose_file (s32 idx, void *param); -s32 menu_cb_run (s32 idx, void *param); -s32 menu_cb_recv (s32 idx, void *param); -s32 menu_cb_patch_svc (s32 idx, void *param); - -static const struct menu_t g_main_menu = { - 3, - { - {"Load ARM9 payload", &menu_cb_choose_file}, - {"Receive ARM9 payload", &menu_cb_recv}, - {"Run ARM9 payload", &menu_cb_run} - } -}; - -static const struct menu_t g_file_list = { - 10, - { - {"Slot 0", &menu_cb_load}, - {"Slot 1", &menu_cb_load}, - {"Slot 2", &menu_cb_load}, - {"Slot 3", &menu_cb_load}, - {"Slot 4", &menu_cb_load}, - {"Slot 5", &menu_cb_load}, - {"Slot 6", &menu_cb_load}, - {"Slot 7", &menu_cb_load}, - {"Slot 8", &menu_cb_load}, - {"Slot 9", &menu_cb_load} - } -}; diff --git a/ninjhax/include/sochlp.h b/ninjhax/include/sochlp.h deleted file mode 100644 index 34939ad..0000000 --- a/ninjhax/include/sochlp.h +++ /dev/null @@ -1,9 +0,0 @@ -#pragma once - -#define SOC_ALIGN 0x1000 -#define SOC_BUFFERSIZE 0x100000 - -u32 soc_init (void); -u32 soc_exit (void); - -static u32 *SOC_buffer = 0; 
diff --git a/ninjhax/include/textmenu.h b/ninjhax/include/textmenu.h deleted file mode 100644 index fa6f018..0000000 --- a/ninjhax/include/textmenu.h +++ /dev/null @@ -1,20 +0,0 @@ -#pragma once - -typedef int menu_func_t (s32, void *); - -typedef struct menu_elem_t { - const char *name; - menu_func_t *func; -} _menu_elem_t; - -typedef struct menu_t { - s32 element_count; - struct menu_elem_t element[]; -} _menu_t; - -s32 menu_get_element_count (struct menu_t *menu); -s32 menu_is_valid_index (s32 idx, struct menu_t *menu); -s32 menu_update_index (s32 idx, struct menu_t *menu); -const char *menu_get_element_name (s32 idx, struct menu_t *menu); -menu_func_t *menu_get_element_function (s32 idx, struct menu_t *menu); -s32 menu_execute_function (s32 idx, struct menu_t *menu, void *param); diff --git a/ninjhax/source/arm11.s b/ninjhax/source/arm11.s index 72c9a97..69d19b6 100644 --- a/ninjhax/source/arm11.s +++ b/ninjhax/source/arm11.s @@ -96,7 +96,7 @@ wait_arm11_loop: BX R1 pa_hijack_arm9_dst: .long 0x1FFFFC00 - pa_arm11_code: .long 0x1FFFFFF8 + pa_arm11_code: .long 0x1FFFFFFC pa_pxi_regs: .long 0x10163000 some_pxi_cmd: .long 0x44846 pa_firm_header: .long 0x24000000 diff --git a/ninjhax/source/arm9.s b/ninjhax/source/arm9.s deleted file mode 100644 index e4b0b1d..0000000 --- a/ninjhax/source/arm9.s +++ /dev/null @@ -1,24 +0,0 @@ -.arm -.align 4 -.code 32 -.text - -@ default ARM9 payload, simply launches FIRM (reboots without clearing mem) -.global arm9_start -arm9_start: - B skipvars - - @ offs 4, will contain backup copy of FIRM ARM9 - @ entry point so execution can be returned to FIRM - pa_arm9_entrypoint_backup: .long 0xFFFF0000 - -skipvars: - STMFD SP!, {R0-R12,LR} - - @ insert your funky stuff here - LDMFD SP!, {R0-R12,LR} - - LDR PC, pa_arm9_entrypoint_backup - -.global arm9_end -arm9_end: diff --git a/ninjhax/source/brahma.c b/ninjhax/source/brahma.c index 6a356f8..d745d36 100644 --- a/ninjhax/source/brahma.c +++ b/ninjhax/source/brahma.c 
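Review bot: `pa_arm11_code: .long 0x1FFFFFFC` in the arm11.s hunk moves a hard-coded physical address by four bytes with no comment, and nothing else in this commit says what it must line up with. A one-line annotation on the constant, e.g. `pa_arm11_code: .long 0x1FFFFFFC @ TODO(review): state why this moved from 0x1FFFFFF8 and which consumer must match it`, would keep the next edit from guessing; the neighbouring `pa_hijack_arm9_dst` and `pa_pxi_regs` constants are equally undocumented. The `wait_arm11_loop` code that reads these words starts outside the hunk.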
@@ -10,7 +10,9 @@
 #include
 #include "brahma.h"
 #include "exploitdata.h"
+#include "utils.h"
+GSP_FramebufferInfo topFramebufferInfo, bottomFramebufferInfo;
 /* should be the very first call. allocates heap buffer for ARM9 payload */
@@ -318,9 +320,7 @@ s32 map_arm9_payload (void) {
 dst = (void *)(g_expdata.va_fcram_base + OFFS_FCRAM_ARM9_PAYLOAD);
 if (!g_ext_arm9_loaded) {
- // defaul ARM9 payload
- src = &arm9_start;
- size = (u8 *)&arm9_end - (u8 *)&arm9_start;
+ return 0;
 } else {
 // external ARM9 payload
@@ -426,6 +426,18 @@ priv_firm_reboot (void) {
 asm volatile ("add sp, sp, #8\t\n");
 repair_svcCreateThread();
+
+ // Save the framebuffers for arm9,
+ u32 *save = (u32 *)(g_expdata.va_fcram_base + 0x3FFFE00);
+ save[0] = topFramebufferInfo.framebuf0_vaddr;
+ save[1] = topFramebufferInfo.framebuf1_vaddr;
+ save[2] = bottomFramebufferInfo.framebuf0_vaddr;
+
+ // Working around a GCC bug to translate the va address to pa...
+ save[0] += 0xC000000; // (pa FCRAM address - va FCRAM address)
+ save[1] += 0xC000000;
+ save[2] += 0xC000000;
+
 exploit_arm9_race_condition();
 asm volatile ("movs r0, #0\t\n"
diff --git a/ninjhax/source/main.c b/ninjhax/source/main.c
index 887ad2c..7387951 100644
--- a/ninjhax/source/main.c
+++ b/ninjhax/source/main.c
@@ -1,19 +1,7 @@
 #include <3ds.h>
-#include
 #include
-#include
-#include
 #include "brahma.h"
 #include "hid.h"
-#include "menus.h"
-#include "sochlp.h"
-#include "payload_bin.h"
-
-s32 quick_boot_firm (s32 load_from_disk) {
- if (load_from_disk)
- load_arm9_payload_from_mem(payload_bin, payload_bin_size);
- firm_reboot();
-}
 s32 main (void) {
 // Initialize services
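Review bot: The framebuffer save block in the third brahma.c hunk hard-codes two magic numbers, `0x3FFFE00` for the save slot and `0xC000000` for the VA-to-PA delta, while the second hunk's `OFFS_FCRAM_ARM9_PAYLOAD` shows the file already names such offsets; define them next to that macro (e.g. `OFFS_FCRAM_FB_SAVE`, `FCRAM_VA_TO_PA`) and write each store once as `save[0] = topFramebufferInfo.framebuf0_vaddr + FCRAM_VA_TO_PA;` so the layout is not spelled twice. The comment `// Working around a GCC bug to translate the va address to pa...` does not describe what the code does, which is a plain constant offset add, and should say so. Nothing in this diff assigns `topFramebufferInfo` or `bottomFramebufferInfo` (the first hunk defines them as file-scope globals, so they are zero until written); if they are filled in elsewhere that is fine, otherwise the saved words are just the delta. In the second hunk `return 0;` replaces the built-in payload with an early return and deserves the one-line explanation the removed `// defaul ARM9 payload` comment gave, e.g. `// no built-in ARM9 payload: a payload must be loaded first`. `map_arm9_payload` and `priv_firm_reboot` both start and end outside their hunks.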
@@ -25,27 +13,27 @@ s32 main (void) {
 sdmcInit();
 hbInit();
 qtmInit();
-
- Handle fileHandle;
- u32 bytesRead;
- FS_archive sdmcArchive=(FS_archive){ARCH_SDMC, (FS_path){PATH_EMPTY, 1, (u8*)""}};
- FS_path filePath=FS_makePath(PATH_CHAR, "/reiNand.dat");
- Result ret=FSUSER_OpenFileDirectly(NULL, &fileHandle, sdmcArchive, filePath, FS_OPEN_READ, FS_ATTRIBUTE_NONE);
- if(ret) goto EXIT;
- FSFILE_Read(fileHandle, &bytesRead, 0x20000, 0x14400000, 320*1024);
- FSFILE_Close(fileHandle);
-
- consoleInit(GFX_BOTTOM, NULL);
- if (brahma_init()) {
- quick_boot_firm(1);
- printf("[!] Quickload failed\n");
- brahma_exit();
+
+ gfxSwapBuffers();
+
+ u32 payload_size = 0x10000;
+ void *payload = malloc(payload_size);
+
+ FILE *fp = fopen("/reiNand.dat", "r");
+ if (!fp) goto exit;
+ fseek(fp, 0x20000, SEEK_SET);
+ fread(payload, payload_size, 1, fp);
+ fclose(fp);
+
+ if (brahma_init()) {
+ load_arm9_payload_from_mem(payload, payload_size);
+ firm_reboot();
+ brahma_exit();
+ }
+
+exit:
+ if (payload) free(payload);
- } else {
- printf("* BRAHMA *\n\n[!]Not enough memory\n");
- wait_any_key();
- }
- EXIT:
 hbExit();
 sdmcExit();
 fsExit();
@@ -53,6 +41,5 @@ s32 main (void) {
 hidExit();
 aptExit();
 srvExit();
- // Return to hbmenu
- return 0;
+ return 0;
 }
diff --git a/ninjhax/source/menus.c b/ninjhax/source/menus.c
deleted file mode 100644
index 4bc8f89..0000000
--- a/ninjhax/source/menus.c
+++ /dev/null
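Review bot: In the new `main` body neither `malloc` nor `fread` is checked: a failed allocation passes NULL to `fread`, and a short read (file shorter than `0x20000 + payload_size`, or `fseek` failing) leaves the tail of `payload` as uninitialised heap that `load_arm9_payload_from_mem` then hands to `firm_reboot`. Guard both before the `brahma_init()` block and only proceed on a full read, and open with `"rb"` so the binary intent is explicit. The preceding include hunk removed several `#include` lines whose names the rendering stripped; `FILE`, `fopen`, `SEEK_SET`, `malloc` and `free` need `<stdio.h>` and `<stdlib.h>` to still be present, which is worth confirming. `main` continues past this hunk and the trailing `return 0;` hunk is trivial.
```c
    u32 payload_size = 0x10000;
    void *payload = malloc(payload_size);
    if (!payload) goto exit;

    FILE *fp = fopen("/reiNand.dat", "rb");
    if (!fp) goto exit;
    // Only hand the buffer to brahma if every byte was read; a short read
    // would otherwise leave uninitialised heap inside the payload.
    int ok = fseek(fp, 0x20000, SEEK_SET) == 0 &&
             fread(payload, 1, payload_size, fp) == payload_size;
    fclose(fp);
    if (!ok) goto exit;

    // … unchanged: brahma_init / load_arm9_payload_from_mem / firm_reboot …
```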
@@ -1,171 +0,0 @@ -#include -#include <3ds.h> -#include "menus.h" - -s32 print_menu (s32 idx, struct menu_t *menu) { - s32 i; - s32 newidx; - s32 count = menu_get_element_count(menu); - - newidx = menu_update_index(idx, menu); - for (i=0; id_name; - } - else { - filename = "---"; - } - if (newidx == i) - printf("[ %s ] %s\n", menu_get_element_name(i, menu), filename); - else - printf(" %s %s\n", menu_get_element_name(i, menu), filename); - } - closedir(dp); - } - else { - printf("[!] Could not open '%s'\n", BRAHMADIR); - } - - printf("===========================\n\n"); - printf("A: Confirm\n"); - printf("B: Back\n"); - - return newidx; -} - -s32 print_main_menu (s32 idx, struct menu_t *menu) { - s32 newidx = 0; - consoleClear(); - - printf("\n* BRAHMA *\n\n\n"); - printf("===========================\n"); - newidx = print_menu(idx, menu); - printf("===========================\n\n"); - printf("A: Confirm\n"); - printf("B: Exit\n"); - - return newidx; -} - -s32 get_filename (s32 idx, char *buf, u32 size) { - DIR *dp; - struct dirent *entry; - s32 result = 0; - s32 numfiles = 0; - - if((dp = opendir(BRAHMADIR)) && buf && size) { - while((entry = readdir(dp)) != NULL) { - if (numfiles == idx) { - snprintf(buf, size-1, "%s%s", BRAHMADIR, entry->d_name); - result = 1; - break; - } - numfiles++; - } - closedir(dp); - } - return result; -} - -s32 menu_cb_recv (s32 idx, void *param) { - return recv_arm9_payload(); -} - -s32 menu_cb_load(s32 idx, void *param) { - char filename[256]; - s32 result = 0; - - if (param) { - if (get_filename(*(u32 *)param, &filename, sizeof(filename))) { - printf("[+] Loading %s\n", filename); - result = load_arm9_payload(filename); - } - } - return result; -} - -s32 menu_cb_choose_file (s32 idx, void *param) { - s32 curidx = idx; - s32 loaded = 0; - - while (aptMainLoop()) { - gspWaitForVBlank(); - - curidx = print_file_list(curidx, &g_file_list); - u32 kDown = wait_key(); - - if (kDown & KEY_B) { - break; - } - else if (kDown & KEY_A) { - 
consoleClear(); - loaded = menu_execute_function(curidx, &g_file_list, &curidx); - printf("%s\n", loaded? "[+] Success":"[!] Failure"); - wait_any_key(); - if (loaded) - break; - } - else if (kDown & KEY_UP) { - curidx--; - } - else if (kDown & KEY_DOWN) { - curidx++; - } - gfxFlushBuffers(); - gfxSwapBuffers(); - } - return 0; -} - -s32 menu_cb_run (s32 idx, void *param) { - s32 fail_stage; - - /* we're kinda screwed if the exploit fails - and soc has been deinitialized. not sure - whether cleaning up here improves existing - problems with using sockets either */ - soc_exit(); - printf("[+] Running ARM9 payload\n"); - fail_stage = firm_reboot(); - - char *msg; - switch (fail_stage) { - case 1: - msg = "[!] ARM11 exploit failed"; - break; - case 2: - msg = "[!] ARM9 exploit failed"; - break; - default: - msg = "[!] Unexpected error"; - } - printf("%s\n", msg); - return 1; -} diff --git a/ninjhax/source/sochlp.c b/ninjhax/source/sochlp.c deleted file mode 100644 index 29a3913..0000000 --- a/ninjhax/source/sochlp.c +++ /dev/null @@ -1,27 +0,0 @@ -#include <3ds.h> -#include "sochlp.h" - -u32 soc_init (void) { - Result ret; - u32 result = 0; - - SOC_buffer = (u32*)memalign(SOC_ALIGN, SOC_BUFFERSIZE); - if (SOC_buffer != 0) { - ret = SOC_Initialize(SOC_buffer, SOC_BUFFERSIZE); - if (ret == 0) { - result = 1; - } else { - free(SOC_buffer); - } - } - return result; -} - -u32 soc_exit (void) { - if (SOC_buffer) { - SOC_Shutdown(); - free(SOC_buffer); - SOC_buffer = 0; - } - return 0; -} diff --git a/ninjhax/source/textmenu.c b/ninjhax/source/textmenu.c deleted file mode 100644 index 29c99fd..0000000 --- a/ninjhax/source/textmenu.c +++ /dev/null 
@@ -1,45 +0,0 @@ -#include <3ds.h> -#include "textmenu.h" - -s32 menu_get_element_count (struct menu_t *menu) { - s32 i = 0; - - if (menu) { - i = menu->element_count; - } - return i; -} - -s32 menu_is_valid_index (s32 idx, struct menu_t *menu) { - return (menu != 0 && (idx >= 0 && idx < menu_get_element_count(menu))); -} - -s32 menu_update_index (s32 idx, struct menu_t *menu) { - s32 newidx = 0; - s32 count = menu_get_element_count(menu); - - newidx = idx < 0 ? count - 1 : idx >= count ? 0 : idx; - - return newidx; -} - -const char *menu_get_element_name (s32 idx, struct menu_t *menu) { - return menu_is_valid_index(idx, menu) ? menu->element[idx].name : 0; -} - -menu_func_t *menu_get_element_function (s32 idx, struct menu_t *menu) { - return menu_is_valid_index(idx, menu) ? menu->element[idx].func : 0; -} - -s32 menu_execute_function (s32 idx, struct menu_t *menu, void *param) { - s32 result = 0; - menu_func_t *f; - - if (menu_is_valid_index(idx, menu)) { - f = menu_get_element_function(idx, menu); - if (f) - result = f(idx, param); - } - - return result; -}