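#pragma once

/*
 * Per-firmware address table shared between the ARM11 and ARM9 sides.
 *
 * NOTE: this header has no includes of its own and uses the project's `u32`
 * typedef; it must be included after whatever header defines `u32`.
 *
 * The globals below are `static`, so every translation unit that includes
 * this header gets its own instance (`#pragma once` only prevents a double
 * include within one translation unit) — confirm that only a single .c file
 * is meant to own g_expdata / g_arm11shared.
 */

/* Console model flags. `exploit_data.sys_model` is a bit mask of these. */
#define SYS_MODEL_NONE    0
#define SYS_MODEL_OLD_3DS 1
#define SYS_MODEL_NEW_3DS 2

/* Physical addresses. */
#define PA_EXC_HANDLER_BASE 0x1FFF4000
#define PA_FCRAM_BASE       0x20000000

/* Offsets relative to PA_FCRAM_BASE / PA_EXC_HANDLER_BASE. */
#define OFFS_FCRAM_MAPPED_FIRM  0x04000000
#define OFFS_FCRAM_ARM9_PAYLOAD 0x03F00000
#define OFFS_EXC_HANDLER_UNUSED 0xC80

/* The payload region must end before the mapped FIRM region begins. */
#if OFFS_FCRAM_ARM9_PAYLOAD >= OFFS_FCRAM_MAPPED_FIRM
#error ERROR: Invalid ARM9 payload offset
#endif

/* Largest payload that fits between the payload offset and the mapped FIRM. */
#define ARM9_PAYLOAD_MAX_SIZE (OFFS_FCRAM_MAPPED_FIRM - OFFS_FCRAM_ARM9_PAYLOAD)

/*
 * Data handed to the ARM11 side.
 *
 * Any change to this structure (field order, size, or type) must also be
 * applied to the data structure following the 'arm11_globals_start' label of
 * arm11.s, which mirrors the layout by hand.
 *
 * Declared as a plain struct: the original `typedef struct ... ;` form carried
 * no typedef name, so only the struct tag was ever usable.
 */
struct arm11_shared_data {
    u32 va_pdn_regs;   // VA of the PDN registers
    u32 va_pxi_regs;   // VA of the PXI registers
    u32 va_hook1_ret;  // VA of the return address from the 1st hook
};

/*
 * One row of the supported_systems table: the virtual addresses that are
 * specific to a given FIRM version / console model combination.
 *
 * firm_version is NOT unique on its own (0x022E0000 and 0x022C0600 each
 * appear twice, once per model), so a lookup must match both firm_version
 * and the running model against the sys_model mask.
 */
struct exploit_data {
    u32 firm_version;           // FIRM version this row applies to
    u32 sys_model;              // mask of SYS_MODEL_* flags
    u32 va_patch_createthread;  // VA of CreateThread code to corrupt
    u32 va_patch_hook1;         // VA of 1st hook for firmlaunch
    u32 va_patch_hook2;         // VA of 2nd hook for firmlaunch
    u32 va_hook1_ret;           // VA of return address from 1st hook
    u32 va_fcram_base;          // VA of FCRAM
    u32 va_exc_handler_base_W;  // VA of lower mapped exception handler base
    u32 va_exc_handler_base_X;  // VA of upper mapped exception handler base
    u32 va_kernelsetstate;      // VA of the KernelSetState syscall (upper mirror)
    u32 va_pdn_regs;            // VA of the PDN registers
    u32 va_pxi_regs;            // VA of the PXI registers
};

/* Row selected for the running system (filled in elsewhere). */
static struct exploit_data g_expdata;

/* Values exported to the ARM11 side (filled in elsewhere). */
static struct arm11_shared_data g_arm11shared;

/*
 * Add all vulnerable systems below.
 *
 * Designated initializers are used so that a row cannot silently assign an
 * address to the wrong field if the struct is ever reordered or extended.
 */
static const struct exploit_data supported_systems[] = {
    {
        .firm_version          = 0x022E0000,
        .sys_model             = SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xDFF83837,
        .va_patch_hook1        = 0xDFFE7A50,
        .va_patch_hook2        = 0xDFFF4994,
        .va_hook1_ret          = 0xFFF28A58,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF158F8,
        .va_pdn_regs           = 0xFFFBE000,
        .va_pxi_regs           = 0xFFFC0000
    },
    {
        .firm_version          = 0x022C0600,
        .sys_model             = SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xDFF83837,
        .va_patch_hook1        = 0xDFFE7A50,
        .va_patch_hook2        = 0xDFFF4994,
        .va_hook1_ret          = 0xFFF28A58,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF158F8,
        .va_pdn_regs           = 0xFFFBE000,
        .va_pxi_regs           = 0xFFFC0000
    },
    {
        .firm_version          = 0x02220000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83C9F,
        .va_patch_hook1        = 0xEFFE4DD4,
        .va_patch_hook2        = 0xEFFF497C,
        .va_hook1_ret          = 0xFFF84DDC,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF748C4,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    },
    {
        .firm_version          = 0x02230600,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83737,
        .va_patch_hook1        = 0xEFFE55BC,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF765C4,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64B94,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    },
    {
        .firm_version          = 0x022E0000,
        .sys_model             = SYS_MODEL_OLD_3DS,
        .va_patch_createthread = 0xDFF8383F,
        .va_patch_hook1        = 0xDFFE59D0,
        .va_patch_hook2        = 0xDFFF4974,
        .va_hook1_ret          = 0xFFF279D8,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF151C0,
        .va_pdn_regs           = 0xFFFC2000,
        .va_pxi_regs           = 0xFFFC4000
    },
    {
        .firm_version          = 0x022C0600,
        .sys_model             = SYS_MODEL_OLD_3DS,
        .va_patch_createthread = 0xDFF8376F,
        .va_patch_hook1        = 0xDFFE4F28,
        .va_patch_hook2        = 0xDFFF4974,
        .va_hook1_ret          = 0xFFF66F30,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF54BAC,
        .va_pdn_regs           = 0xFFFBE000,
        .va_pxi_regs           = 0xFFFC0000
    },
    {
        .firm_version          = 0x02280000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE5B30,
        .va_patch_hook2        = 0xEFFF4974,
        .va_hook1_ret          = 0xFFF76B38,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF54BAC,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    },
    {
        .firm_version          = 0x02270400,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83737,
        .va_patch_hook1        = 0xEFFE5B34,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF76B3C,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64AB0,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    },
    {
        .firm_version          = 0x02250000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE5AE8,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF76AF0,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64A78,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    },
    {
        .firm_version          = 0x02260000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE5AE8,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF76AF0,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64A78,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    },
    {
        .firm_version          = 0x02240000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE55B8,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF765C0,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64B90,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000
    }
};

/* Number of rows in supported_systems; use this as the bound when iterating. */
#define SUPPORTED_SYSTEMS_COUNT (sizeof(supported_systems) / sizeof(supported_systems[0]))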