#pragma once
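/*
 * Console model bits.  exploit_data.sys_model is a mask built from these
 * (entries in supported_systems[] OR them together), so the two real models
 * must be distinct single bits.  SYS_MODEL_NONE has no bit set and therefore
 * can never satisfy a bitwise-AND test against any mask.
 */
#define SYS_MODEL_NONE    0
#define SYS_MODEL_OLD_3DS 1
#define SYS_MODEL_NEW_3DS 2

#if (SYS_MODEL_OLD_3DS & SYS_MODEL_NEW_3DS) != 0
#error ERROR: SYS_MODEL_OLD_3DS and SYS_MODEL_NEW_3DS must be distinct bits
#endif

/*
 * Physical addresses.  The exception-handler page lies 0xC000 below FCRAM,
 * and every supported_systems[] entry keeps that same distance between its
 * va_exc_handler_base_W and va_fcram_base.
 */
#define PA_EXC_HANDLER_BASE 0x1FFF4000 /* exception-handler base, physical */
#define PA_FCRAM_BASE       0x20000000 /* FCRAM start, physical */

/*
 * Offsets relative to the start of FCRAM (PA_FCRAM_BASE physically, or the
 * per-system exploit_data.va_fcram_base once mapped).
 */
#define OFFS_FCRAM_MAPPED_FIRM  0x04000000 /* where the FIRM image is mapped */
#define OFFS_FCRAM_ARM9_PAYLOAD 0x03F00000 /* where the ARM9 payload is placed */

/*
 * Offset inside the exception-handler page that, per its name, the handlers
 * leave unused.  NOTE(review): how this slot is used is decided by the
 * consumer of this header and is not visible here -- confirm there before
 * changing it.
 */
#define OFFS_EXC_HANDLER_UNUSED 0xC80

/*
 * The ARM9 payload region ends exactly where the mapped FIRM begins, so the
 * payload must start below the FIRM region and the gap between the two is the
 * most a payload may occupy.  Any copy of a payload into FCRAM must be bounded
 * by ARM9_PAYLOAD_MAX_SIZE, or it overwrites the mapped FIRM.
 */
#if OFFS_FCRAM_ARM9_PAYLOAD >= OFFS_FCRAM_MAPPED_FIRM
#error ERROR: Invalid ARM9 payload offset
#endif
#define ARM9_PAYLOAD_MAX_SIZE (OFFS_FCRAM_MAPPED_FIRM - OFFS_FCRAM_ARM9_PAYLOAD)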
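/*
 * Data shared with the ARM11 side.
 *
 * Any change to this structure must also be applied to the data structure
 * following the 'arm11_globals_start' label of arm11.s: that assembly reaches
 * the fields by fixed offset, so field order and the 32-bit width of each
 * field are part of the ABI.
 *
 * The three fields carry the same names as fields of struct exploit_data;
 * presumably they are copied over from the selected supported_systems[] entry
 * (NOTE(review): confirm in the consumer).
 *
 * The original declaration carried a 'typedef' with no declarator, which
 * declares no type name and only draws a compiler warning; only the struct
 * tag was ever usable, so the keyword is dropped.
 */
struct arm11_shared_data {
    u32 va_pdn_regs;  /* VA of the PDN registers */
    u32 va_pxi_regs;  /* VA of the PXI registers */
    u32 va_hook1_ret; /* VA of the return address from the 1st firmlaunch hook */
};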
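/*
 * One supported FIRM/model combination and the kernel virtual addresses the
 * exploit needs on it.  Every address is hard-coded for exactly that FIRM
 * build; applying an entry to any other build patches the wrong kernel
 * addresses, so a lookup must match the build precisely (see firm_version).
 *
 * Field order matters to any positional initializer of this struct.
 *
 * The original declaration carried a 'typedef' with no declarator, which
 * declares no type name and only draws a compiler warning; the file uses the
 * struct tag throughout, so the keyword is dropped.
 */
struct exploit_data {
    /*
     * FIRM version this entry is for.  The same version can be listed more
     * than once with different sys_model bits (0x022E0000 and 0x022C0600 each
     * have a New 3DS and an Old 3DS entry in supported_systems[]), so a lookup
     * must test both firm_version and the model bit, never the version alone.
     */
    u32 firm_version;
    /* Mask of SYS_MODEL_* bits: the models this entry applies to. */
    u32 sys_model;

    u32 va_patch_createthread; /* VA of the CreateThread code to corrupt */
    u32 va_patch_hook1;        /* VA of the 1st hook for firmlaunch */
    u32 va_patch_hook2;        /* VA of the 2nd hook for firmlaunch */
    u32 va_hook1_ret;          /* VA of the return address from the 1st hook */

    u32 va_fcram_base;         /* VA of FCRAM (the mapping of PA_FCRAM_BASE) */
    /*
     * Lower and upper mappings of the exception-handler base.  The W/X suffix
     * presumably distinguishes the writable from the executable mapping --
     * NOTE(review): confirm in the consumer.
     */
    u32 va_exc_handler_base_W; /* VA of the lower mapped exception handler base */
    u32 va_exc_handler_base_X; /* VA of the upper mapped exception handler base */
    u32 va_kernelsetstate;     /* VA of the KernelSetState syscall (upper mirror) */

    u32 va_pdn_regs;           /* VA of the PDN registers */
    u32 va_pxi_regs;           /* VA of the PXI registers */
};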
/*
 * Exploit data for the running system (presumably filled from the matching
 * supported_systems[] entry) and the subset handed to the ARM11 code.
 *
 * NOTE(review): both are 'static' in a header, so every translation unit that
 * includes this file gets its own private, zero-initialized copy.  That is
 * only correct if a single .c includes this header -- confirm; otherwise the
 * values written in one unit are invisible in the others.
 */
static struct exploit_data g_expdata;
static struct arm11_shared_data g_arm11shared;
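/*
 * Table of the systems this exploit knows how to patch: one entry per FIRM
 * build, and per model where the kernel layout differs between Old and New
 * 3DS.  Add all vulnerable systems below.
 *
 * Designated initializers tie each address to the field it belongs to rather
 * than to its position in struct exploit_data, so a reordered field cannot
 * silently shift every address into the wrong slot, and every entry is
 * self-describing (the original commented only the first two).
 *
 * Properties of the current table a maintainer should keep true:
 *  - a FIRM version may appear twice with disjoint sys_model masks
 *    (0x022E0000 and 0x022C0600 each have a New 3DS and an Old 3DS entry),
 *    so a lookup has to match firm_version AND the model bit;
 *  - in every entry va_exc_handler_base_W == va_fcram_base - 0xC000, the
 *    same distance that separates PA_EXC_HANDLER_BASE from PA_FCRAM_BASE;
 *  - va_exc_handler_base_X is 0xFFFF0000 in every entry.
 *
 * NOTE(review): the Old 3DS 0x022C0600 entry and the 0x02280000 entry share
 * va_kernelsetstate = 0xFFF54BAC while differing in all other
 * kernel-specific addresses; worth confirming against both kernels that
 * this is not a copy-paste slip.
 */
static const struct exploit_data supported_systems[] = {
    { /* 0x022E0000, New 3DS */
        .firm_version          = 0x022E0000,
        .sys_model             = SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xDFF83837,
        .va_patch_hook1        = 0xDFFE7A50,
        .va_patch_hook2        = 0xDFFF4994,
        .va_hook1_ret          = 0xFFF28A58,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF158F8,
        .va_pdn_regs           = 0xFFFBE000,
        .va_pxi_regs           = 0xFFFC0000,
    },
    { /* 0x022C0600, New 3DS */
        .firm_version          = 0x022C0600,
        .sys_model             = SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xDFF83837,
        .va_patch_hook1        = 0xDFFE7A50,
        .va_patch_hook2        = 0xDFFF4994,
        .va_hook1_ret          = 0xFFF28A58,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF158F8,
        .va_pdn_regs           = 0xFFFBE000,
        .va_pxi_regs           = 0xFFFC0000,
    },
    { /* 0x02220000, Old and New 3DS */
        .firm_version          = 0x02220000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83C9F,
        .va_patch_hook1        = 0xEFFE4DD4,
        .va_patch_hook2        = 0xEFFF497C,
        .va_hook1_ret          = 0xFFF84DDC,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF748C4,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
    { /* 0x02230600, Old and New 3DS */
        .firm_version          = 0x02230600,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83737,
        .va_patch_hook1        = 0xEFFE55BC,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF765C4,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64B94,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
    { /* 0x022E0000, Old 3DS */
        .firm_version          = 0x022E0000,
        .sys_model             = SYS_MODEL_OLD_3DS,
        .va_patch_createthread = 0xDFF8383F,
        .va_patch_hook1        = 0xDFFE59D0,
        .va_patch_hook2        = 0xDFFF4974,
        .va_hook1_ret          = 0xFFF279D8,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF151C0,
        .va_pdn_regs           = 0xFFFC2000,
        .va_pxi_regs           = 0xFFFC4000,
    },
    { /* 0x022C0600, Old 3DS */
        .firm_version          = 0x022C0600,
        .sys_model             = SYS_MODEL_OLD_3DS,
        .va_patch_createthread = 0xDFF8376F,
        .va_patch_hook1        = 0xDFFE4F28,
        .va_patch_hook2        = 0xDFFF4974,
        .va_hook1_ret          = 0xFFF66F30,
        .va_fcram_base         = 0xE0000000,
        .va_exc_handler_base_W = 0xDFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF54BAC,
        .va_pdn_regs           = 0xFFFBE000,
        .va_pxi_regs           = 0xFFFC0000,
    },
    { /* 0x02280000, Old and New 3DS */
        .firm_version          = 0x02280000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE5B30,
        .va_patch_hook2        = 0xEFFF4974,
        .va_hook1_ret          = 0xFFF76B38,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF54BAC,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
    { /* 0x02270400, Old and New 3DS */
        .firm_version          = 0x02270400,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83737,
        .va_patch_hook1        = 0xEFFE5B34,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF76B3C,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64AB0,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
    { /* 0x02250000, Old and New 3DS */
        .firm_version          = 0x02250000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE5AE8,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF76AF0,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64A78,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
    { /* 0x02260000, Old and New 3DS (same addresses as 0x02250000) */
        .firm_version          = 0x02260000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE5AE8,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF76AF0,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64A78,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
    { /* 0x02240000, Old and New 3DS */
        .firm_version          = 0x02240000,
        .sys_model             = SYS_MODEL_OLD_3DS | SYS_MODEL_NEW_3DS,
        .va_patch_createthread = 0xEFF83733,
        .va_patch_hook1        = 0xEFFE55B8,
        .va_patch_hook2        = 0xEFFF4978,
        .va_hook1_ret          = 0xFFF765C0,
        .va_fcram_base         = 0xF0000000,
        .va_exc_handler_base_W = 0xEFFF4000,
        .va_exc_handler_base_X = 0xFFFF0000,
        .va_kernelsetstate     = 0xFFF64B90,
        .va_pdn_regs           = 0xFFFD0000,
        .va_pxi_regs           = 0xFFFD2000,
    },
};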