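#ifndef KEXPLOIT_H
#define KEXPLOIT_H

/* Fixed-width types (uint32_t) used throughout the prototypes below. */
#include <stdint.h>
/* NOTE(review): the original header carried two further #include lines whose
 * targets were lost in extraction (they appeared as bare "#include").
 * Restore them from the upstream source; <PLACEHOLDER: two missing includes>. */

/* Wait times for CPU0 and CPU2 */
#define CPU0_WAIT_TIME 80
#define CPU2_WAIT_TIME 92

/* Gadget finding addresses */
#define JIT_ADDRESS        0x01800000
#define CODE_ADDRESS_START 0x0D800000
#define CODE_ADDRESS_END   0x0F848A0C

/* Kernel addresses, stolen from Chadderz
 *
 * All of these are hard-coded for one particular firmware/title layout; the
 * per-table comments record which process each syscall table was observed
 * to work with.  Nothing below validates them at runtime, so a mismatch
 * between these constants and the running system is not detected here. */
#define KERN_HEAP          0xFF200000
#define KERN_HEAP_PHYS     0x1B800000
#define KERN_SYSCALL_TBL_1 0xFFE84C70 // unknown
#define KERN_SYSCALL_TBL_2 0xFFE85070 // works with games
#define KERN_SYSCALL_TBL_3 0xFFE85470 // works with loader
#define KERN_SYSCALL_TBL_4 0xFFEAAA60 // works with home menu
#define KERN_SYSCALL_TBL_5 0xFFEAAE60 // works with browser (previously KERN_SYSCALL_TBL)
#define KERN_CODE_READ     0xFFF023D4
#define KERN_CODE_WRITE    0xFFF023F4
#define KERN_ADDRESS_TBL   0xFFEAB7A0
/* Derived from KERN_ADDRESS_TBL; fully parenthesised so it is safe in expressions. */
#define KERN_DRVPTR        (KERN_ADDRESS_TBL - 0x270)

/* Browser PFID */
#define PFID_BROWSER 8

/* Kernel heap constants */
#define STARTID_OFFSET  0x08
#define METADATA_OFFSET 0x14
#define METADATA_SIZE   0x10

/* Size of a Cafe OS thread */
#define OSTHREAD_SIZE 0x1000

/*
 * Entry point of the exploit sequence.
 * @param coreinit_handle  handle to the coreinit module, passed through to the
 *                         Kernel* helpers below.
 */
void run_kexploit(uint32_t coreinit_handle);

/*
 * Kernel-side write helpers.  By their signatures, each takes a kernel-space
 * destination address plus the coreinit module handle; the exact mechanism
 * (which syscall table entry is used, what "FixedAddr" changes) is defined in
 * the implementation file, not here -- confirm there before relying on it.
 *
 * @param addr    destination address in kernel space
 * @param data    source bytes (KernelWrite only); caller retains ownership
 * @param length  number of bytes to copy (KernelWrite only)
 * @param value   32-bit word to store (KernelWriteU32 / KernelWriteU32FixedAddr)
 */
void KernelWrite(uint32_t addr, const void *data, uint32_t length, uint32_t coreinit_handle);
void KernelWriteU32(uint32_t addr, uint32_t value, uint32_t coreinit_handle);
void KernelWriteU32FixedAddr(uint32_t addr, uint32_t value, uint32_t coreinit_handle);

/*
 * Syscall stub implemented elsewhere (assembly or another translation unit):
 * copies `len` bytes from `src` to `dst`.  No bounds or address validation is
 * implied by the prototype; callers are responsible for `len`.
 */
extern void SC_KernelCopyData(uint32_t dst, uint32_t src, uint32_t len);

/*
 * Search for an instruction sequence.
 * @param code           instruction words to look for
 * @param length         number of words in `code`
 * @param gadgets_start  address at which the search begins
 * @return pointer to the match, or (presumably) NULL if none -- the failure
 *         value is not stated in this header; check the definition.
 */
void *find_gadget(uint32_t code[], uint32_t length, uint32_t gadgets_start);

/* Arbitrary read and write syscalls
 *
 * Both are marked noinline so each remains a distinct call site. */
uint32_t __attribute__ ((noinline)) kern_read(const void *addr);
void __attribute__ ((noinline)) kern_write(void *addr, uint32_t value);

#endif /* KEXPLOIT_H */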