From 3b005e9a39da0059d9b4f5a2ae1a2462dc050aba Mon Sep 17 00:00:00 2001
From: FIX94
Date: Fri, 16 Dec 2016 23:33:30 +0100
Subject: [PATCH] -added anti move/delete protection of the ds vc title when in CBHC CFW NOTE: this change (as well as the last update) do NOT AFFECT MOCHA CFW, they only affect my internal CBHC CFW which you can enable by just setting it to autoboot system menu which will give you full signature and region patching as well as this protection and re-applying patches on reloads; overall letting your wiiu and the menu run as they would normally
---
 dsrom/CBHC/Makefile | 10 +-
 .../source/{wupserver.c => getbins.c} | 11 ++
 dsrom/CBHC/arm_kernel/source/getbins.h | 17 +++
 dsrom/CBHC/arm_kernel/source/main.c | 122 ++++++++++--------
 dsrom/CBHC/arm_kernel/source/reload.c | 22 ++--
 dsrom/CBHC/arm_kernel/source/wupserver.h | 8 --
 dsrom/CBHC/main.c | 21 ++-
 dsrom/CBHC/titleprot/Makefile | 76 +++++++++++
 dsrom/CBHC/titleprot/ccd00.ld | 16 +++
 dsrom/CBHC/titleprot/ccd00.specs | 4 +
 dsrom/CBHC/titleprot/source/crt0.s | 23 ++++
 installer/src/main.c | 2 +-
 release/wiiu/apps/cbhc/meta.xml | 4 +-
 13 files changed, 257 insertions(+), 79 deletions(-)
 rename dsrom/CBHC/arm_kernel/source/{wupserver.c => getbins.c} (50%)
 create mode 100644 dsrom/CBHC/arm_kernel/source/getbins.h
 delete mode 100644 dsrom/CBHC/arm_kernel/source/wupserver.h
 create mode 100644 dsrom/CBHC/titleprot/Makefile
 create mode 100644 dsrom/CBHC/titleprot/ccd00.ld
 create mode 100644 dsrom/CBHC/titleprot/ccd00.specs
 create mode 100644 dsrom/CBHC/titleprot/source/crt0.s
diff --git a/dsrom/CBHC/Makefile b/dsrom/CBHC/Makefile
index 1d460f3..fbe0755 100644
--- a/dsrom/CBHC/Makefile
+++ b/dsrom/CBHC/Makefile
@@ -16,11 +16,16 @@ FIRMWARE = 550 all: clean setup main -$(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/wupserver_bin.h $(CURDIR)/payload/arm_user_bin.h +$(CURDIR)/payload/arm_kernel_bin.h: $(CURDIR)/payload/titleprot_bin.h $(CURDIR)/payload/wupserver_bin.h $(CURDIR)/payload/arm_user_bin.h @$(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile @-mkdir -p $(CURDIR)/payload @cp -p $(CURDIR)/arm_kernel/arm_kernel_bin.h $@ +$(CURDIR)/payload/titleprot_bin.h: + @$(MAKE) --no-print-directory -C $(CURDIR)/titleprot -f $(CURDIR)/titleprot/Makefile + @-mkdir -p $(CURDIR)/payload + @cp -p $(CURDIR)/titleprot/titleprot_bin.h $@ + $(CURDIR)/payload/wupserver_bin.h: @$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile @-mkdir -p $(CURDIR)/payload @@ -46,5 +51,6 @@ clean: rm -rf $(build) payload rm -rf CBHC.elf CBHC.map $(MAKE) --no-print-directory -C $(CURDIR)/arm_user -f $(CURDIR)/arm_user/Makefile clean - @$(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile clean + $(MAKE) --no-print-directory -C $(CURDIR)/titleprot -f $(CURDIR)/titleprot/Makefile clean + $(MAKE) --no-print-directory -C $(CURDIR)/../../wupserver -f $(CURDIR)/../../wupserver/Makefile clean $(MAKE) --no-print-directory -C $(CURDIR)/arm_kernel -f $(CURDIR)/arm_kernel/Makefile clean diff --git a/dsrom/CBHC/arm_kernel/source/wupserver.c b/dsrom/CBHC/arm_kernel/source/getbins.c similarity index 50% rename from dsrom/CBHC/arm_kernel/source/wupserver.c rename to dsrom/CBHC/arm_kernel/source/getbins.c index eb47efa..2e128b8 100644 --- a/dsrom/CBHC/arm_kernel/source/wupserver.c +++ b/dsrom/CBHC/arm_kernel/source/getbins.c 
@@ -1,5 +1,16 @@ +#include "../../payload/titleprot_bin.h" #include "../../payload/wupserver_bin.h" +const unsigned char *get_titleprot_bin() +{ + return titleprot_bin; +} + +unsigned int get_titleprot_bin_len() +{ + return titleprot_bin_len; +} + const unsigned char *get_wupserver_bin() { return wupserver_bin; diff --git a/dsrom/CBHC/arm_kernel/source/getbins.h b/dsrom/CBHC/arm_kernel/source/getbins.h new file mode 100644 index 0000000..5587642 --- /dev/null +++ b/dsrom/CBHC/arm_kernel/source/getbins.h @@ -0,0 +1,17 @@ + +#ifndef _GETBINS_H_ +#define _GETBINS_H_ + +#define titleprot_addr 0x0510D984 +#define wupserver_addr 0x0510E570 + +#define titleprot_phys (titleprot_addr - 0x05100000 + 0x13D80000) +#define wupserver_phys (wupserver_addr - 0x05100000 + 0x13D80000) + +const unsigned char *get_titleprot_bin(); +unsigned int get_titleprot_bin_len(); + +const unsigned char *get_wupserver_bin(); +unsigned int get_wupserver_bin_len(); + +#endif diff --git a/dsrom/CBHC/arm_kernel/source/main.c b/dsrom/CBHC/arm_kernel/source/main.c index 7431844..d3422e8 100644 --- a/dsrom/CBHC/arm_kernel/source/main.c +++ b/dsrom/CBHC/arm_kernel/source/main.c @@ -3,7 +3,7 @@ #include "reload.h" #include "elf_patcher.h" #include "../../payload/arm_user_bin.h" -#include "wupserver.h" +#include "getbins.h" static const char repairData_set_fault_behavior[] = { 0xE1,0x2F,0xFF,0x1E,0xE9,0x2D,0x40,0x30,0xE5,0x93,0x20,0x00,0xE1,0xA0,0x40,0x00, 0xE5,0x92,0x30,0x54,0xE1,0xA0,0x50,0x01,0xE3,0x53,0x00,0x01,0x0A,0x00,0x00,0x02, @@ -43,7 +43,10 @@ static const char os_launch_hook[] = { static const char sd_path[] = "/vol/sdcard"; -#define wupserver_phys (0x0510E570 - 0x05100000 + 0x13D80000) +#define LAUNCH_SYSMENU 0 +#define LAUNCH_HBL 1 +#define LAUNCH_MOCHA 2 +#define LAUNCH_CFW_IMG 3 int _main() { 
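Review bot: In getbins.h, `titleprot_addr` (0x0510D984) plus 4 has to equal the `ORIGIN = 0x0510D988` in titleprot/ccd00.ld, and the copied blob has to end before the wupserver stub at 0x0510E56C, but nothing in the header records either constraint. I would add a comment above the defines such as `/* titleprot_addr+4 must match ORIGIN in titleprot/ccd00.ld; blob must fit its LENGTH (0x134) */`. The getters are declared with empty parentheses, which is not a prototype in C; `get_titleprot_bin(void)` lets the compiler reject stray arguments. The guard name `_GETBINS_H_` also uses an identifier form reserved for the implementation.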
@@ -57,15 +60,18 @@ int _main() unsigned int control_register = disable_mmu(); + /* copy in ds vc title id to protect from moving/deleting */ + kernel_memcpy((void*)(get_titleprot_bin()+get_titleprot_bin_len()-8), (void*)0x01E70108, 4); + + /* get value CBHC used to boot up */ + unsigned int launchmode = *(volatile u32*)0x01E7010C; + /* Save the request handle so we can reply later */ *(volatile u32*)0x01E10000 = *(volatile u32*)0x1016AD18; /* Patch kernel_error_handler to BX LR immediately */ *(volatile u32*)0x08129A24 = 0xE12FFF1E; - /* apply IOS ELF launch hook (thanks dimok!) */ - *(volatile u32*)0x0812A120 = ARM_BL(0x0812A120, kernel_launch_ios); - void * pset_fault_behavior = (void*)0x081298BC; kernel_memcpy(pset_fault_behavior, (void*)repairData_set_fault_behavior, sizeof(repairData_set_fault_behavior)); 
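Review bot: The `kernel_memcpy` to `get_titleprot_bin()+get_titleprot_bin_len()-8` writes through a pointer the getter returns as `const unsigned char *`, and it finds the target word only by assuming the `ldr r0, =#0x00000000` literal in titleprot/source/crt0.s sits exactly eight bytes before the end of the blob. If the assembler reorders, merges or pads that literal pool, the title ID is patched into the wrong word with no diagnostic. A labelled `.word` in crt0.s at a documented offset, plus a guard such as `if (get_titleprot_bin_len() >= 8)` here, would make the dependency explicit; if the generated array really is `const`, the write also needs a non-const declaration or copy. `_main` begins and continues outside this hunk.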
@@ -79,61 +85,75 @@ int _main() void * pUserBinDest = (void*)0x101312D0; kernel_memcpy(pUserBinDest, (void*)pUserBinSource, sizeof(arm_user_bin)); - // overwrite mcp_d_r code with wupserver - *(unsigned int*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr - kernel_memcpy((void*)wupserver_phys, get_wupserver_bin(), get_wupserver_bin_len()); - invalidate_dcache((u32)wupserver_phys, get_wupserver_bin_len()); - invalidate_icache(); + if(launchmode != LAUNCH_MOCHA) + { + // nop out memcmp hash checks + *(volatile u32*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 - // replace ioctl 0x62 code with jump to wupserver - *(unsigned int*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc - *(unsigned int*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc] - *(unsigned int*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1 - *(unsigned int*)(0x05026BB4 - 0x05000000 + 0x081C0000) = 0x0510E570; // wupserver code + // patch OS launch sig check + *(volatile u32*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0 - // fix 10 minute timeout that crashes MCP after 10 minutes of booting - *(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // NEW_TIMEOUT + // patch MCP authentication check + *(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr - // patch cached cert check - *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0 - *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr + // fix 10 minute timeout that crashes MCP after 10 minutes of booting + *(volatile u32*)(0x05022474 - 0x05000000 + 0x081C0000) = 0xFFFFFFFF; // 
NEW_TIMEOUT - // patch cert verification - *(volatile u32*)(0x05052A90 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0 - *(volatile u32*)(0x05052A94 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr + // replace ioctl 0x62 code with jump to wupserver + *(volatile u32*)(0x05026BA8 - 0x05000000 + 0x081C0000) = 0x47780000; // bx pc + *(volatile u32*)(0x05026BAC - 0x05000000 + 0x081C0000) = 0xE59F1000; // ldr r1, [pc] + *(volatile u32*)(0x05026BB0 - 0x05000000 + 0x081C0000) = 0xE12FFF11; // bx r1 + *(volatile u32*)(0x05026BB4 - 0x05000000 + 0x081C0000) = wupserver_addr; // wupserver code - // patch MCP authentication check - *(volatile u32*)(0x05014CAC - 0x05000000 + 0x081C0000) = 0x20004770; // mov r0, #0; bx lr + // patch cert verification + *(volatile u32*)(0x05052A90 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0x05052A94 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr - // patch IOSC_VerifyPubkeySign to always succeed - *(volatile u32*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0 - *(volatile u32*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr + // patch IOSC_VerifyPubkeySign to always succeed + *(volatile u32*)(0x05052C44 - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0x05052C48 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr - // patch OS launch sig check - *(volatile u32*)(0x0500A818 - 0x05000000 + 0x081C0000) = 0x20002000; // mov r0, #0; mov r0, #0 + // patch cached cert check + *(volatile u32*)(0x05054D6C - 0x05000000 + 0x081C0000) = 0xE3A00000; // mov r0, 0 + *(volatile u32*)(0x05054D70 - 0x05000000 + 0x081C0000) = 0xE12FFF1E; // bx lr - // patch default title id - *(volatile u32*)(0x050B817C - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70100; - *(volatile u32*)(0x050B8180 - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70104; + // change system.xml to syshax.xml + *(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; // ysha + 
*(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm - // allow custom bootLogoTex and bootMovie.h264 - *(volatile u32*)(0xE0030D68 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0 - *(volatile u32*)(0xE0030D34 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; // ysha + *(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; // x.xm - // allow any region title launch - *(volatile u32*)(0xE0030498 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0 + // jump to titleprot code (titleprot_addr+4) + *(volatile u32*)(0x05107F70 - 0x05100000 + 0x13D80000) = 0xF005FD0A; //bl (titleprot_addr+4) + // overwrite mcp_d_r code with titleprot + *(volatile u32*)titleprot_phys = 0x20004770; // mov r0, #0; bx lr + kernel_memcpy((void*)(titleprot_phys+4), get_titleprot_bin(), get_titleprot_bin_len()); + invalidate_dcache((u32)(titleprot_phys+4), get_titleprot_bin_len()); + invalidate_icache(); - // force check USB storage on load - *(volatile u32*)(0xE012202C - 0xE0000000 + 0x12900000) = 0x00000001; // find USB flag + // overwrite mcp_d_r code with wupserver + *(volatile u32*)(0x0510E56C - 0x05100000 + 0x13D80000) = 0x47700000; //bx lr + kernel_memcpy((void*)wupserver_phys, get_wupserver_bin(), get_wupserver_bin_len()); + invalidate_dcache((u32)wupserver_phys, get_wupserver_bin_len()); + invalidate_icache(); - // nop out memcmp hash checks - *(volatile u32*)(0x040017E0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 - *(volatile u32*)(0x040019C4 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 - *(volatile u32*)(0x04001BB0 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 - *(volatile u32*)(0x04001D40 - 0x04000000 + 0x08280000) = 0xE3A00000; // mov r0, #0 + // apply IOS ELF launch hook (thanks dimok!) 
+ *(volatile u32*)0x0812A120 = ARM_BL(0x0812A120, kernel_launch_ios); + + // allow any region title launch + *(volatile u32*)(0xE0030498 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0 + + // allow custom bootLogoTex and bootMovie.h264 + *(volatile u32*)(0xE0030D68 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0 + *(volatile u32*)(0xE0030D34 - 0xE0000000 + 0x12900000) = 0xE3A00000; // mov r0, #0 + } //custom fw.img reboot - if(*(volatile u32*)0x01E70120 == 1) + if(launchmode == LAUNCH_CFW_IMG) { int i; for (i = 0; i < 32; i++) @@ -148,12 +168,12 @@ int _main() ((char*)(0x05059938 - 0x05000000 + 0x081C0000))[i] = os_launch_hook[i]; } - // change system.xml to syshax.xml - *(volatile u32*)(0x050600F0 - 0x05060000 + 0x08220000) = 0x79736861; //ysha - *(volatile u32*)(0x050600F4 - 0x05060000 + 0x08220000) = 0x782E786D; //x.xm + // patch default title id to system menu + *(volatile u32*)(0x050B817C - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70100; + *(volatile u32*)(0x050B8180 - 0x05074000 + 0x08234000) = *(volatile u32*)0x01E70104; - *(volatile u32*)(0x05060114 - 0x05060000 + 0x08220000) = 0x79736861; //ysha - *(volatile u32*)(0x05060118 - 0x05060000 + 0x08220000) = 0x782E786D; //x.xm + // force check USB storage on load + *(volatile u32*)(0xE012202C - 0xE0000000 + 0x12900000) = 0x00000001; // find USB flag *(volatile u32*)(0x1555500) = 0; diff --git a/dsrom/CBHC/arm_kernel/source/reload.c b/dsrom/CBHC/arm_kernel/source/reload.c index 22aa77b..5aff760 100644 --- a/dsrom/CBHC/arm_kernel/source/reload.c +++ b/dsrom/CBHC/arm_kernel/source/reload.c @@ -3,7 +3,7 @@ #include "utils.h" #include "reload.h" #include "elf_patcher.h" -#include "wupserver.h" +#include "getbins.h" extern char __file_start, __file_end; 
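Review bot: In the hunk at `@@ -79,61 +85,75 @@`, `if(launchmode != LAUNCH_MOCHA)` treats every value other than 2 as a request for the full patch set, so an unset or corrupted word at 0x01E7010C also switches off the hash, signature and certificate checks patched inside this block. Because `launchmode` is read raw from shared memory in the previous hunk, I would name the modes that should receive the patches, e.g. `if(launchmode == LAUNCH_SYSMENU || launchmode == LAUNCH_HBL || launchmode == LAUNCH_CFW_IMG)`, assuming those three are the intended set, so that an unexpected value leaves the checks in place. The body of `_main` starts before and runs past this hunk.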
@@ -40,7 +40,7 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) section_write_word(ios_elf_start, 0x05026BA8, 0x47780000); // bx pc section_write_word(ios_elf_start, 0x05026BAC, 0xE59F1000); // ldr r1, [pc] section_write_word(ios_elf_start, 0x05026BB0, 0xE12FFF11); // bx r1 - section_write_word(ios_elf_start, 0x05026BB4, 0x0510E570); // wupserver code + section_write_word(ios_elf_start, 0x05026BB4, wupserver_addr); // wupserver code // patch cert verification section_write_word(ios_elf_start, 0x05052A90, 0xE3A00000); // mov r0, #0 
@@ -55,15 +55,21 @@ void kernel_launch_ios(u32 launch_address, u32 L, u32 C, u32 H) section_write_word(ios_elf_start, 0x05054D70, 0xE12FFF1E); // bx lr // change system.xml to syshax.xml - section_write_word(ios_elf_start, 0x050600F0, 0x79736861); //ysha - section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); //x.xm + section_write_word(ios_elf_start, 0x050600F0, 0x79736861); // ysha + section_write_word(ios_elf_start, 0x050600F4, 0x782E786D); // x.xm - section_write_word(ios_elf_start, 0x05060114, 0x79736861); //ysha - section_write_word(ios_elf_start, 0x05060118, 0x782E786D); //x.xm + section_write_word(ios_elf_start, 0x05060114, 0x79736861); // ysha + section_write_word(ios_elf_start, 0x05060118, 0x782E786D); // x.xm + + // jump to titleprot code (titleprot_addr+4) + section_write_word(ios_elf_start, 0x05107F70, 0xF005FD0A); //bl (titleprot_addr+4) + // overwrite mcp_d_r code with titleprot + section_write_word(ios_elf_start, titleprot_addr, 0x20004770); // mov r0, #0; bx lr + section_write(ios_elf_start, titleprot_addr+4, get_titleprot_bin(), get_titleprot_bin_len()); // overwrite mcp_d_r code with wupserver - section_write_word(ios_elf_start, 0x0510E56C, 0x47700000); //bx lr - section_write(ios_elf_start, 0x0510E570, get_wupserver_bin(), get_wupserver_bin_len()); + section_write_word(ios_elf_start, 0x0510E56C, 0x47700000); // bx lr + section_write(ios_elf_start, wupserver_addr, get_wupserver_bin(), get_wupserver_bin_len()); // apply IOS ELF launch hook (thanks dimok!) section_write_word(ios_elf_start, 0x0812A120, ARM_BL(0x0812A120, kernel_launch_ios)); diff --git a/dsrom/CBHC/arm_kernel/source/wupserver.h b/dsrom/CBHC/arm_kernel/source/wupserver.h deleted file mode 100644 index a456229..0000000 --- a/dsrom/CBHC/arm_kernel/source/wupserver.h +++ /dev/null @@ -1,8 +0,0 @@ - -#ifndef _WUPSERVER_H_ -#define _WUPSERVER_H_ - -const unsigned char *get_wupserver_bin(); -unsigned int get_wupserver_bin_len(); - -#endif 
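Review bot: The word `0xF005FD0A` written at 0x05107F70 is a hand-assembled Thumb `bl` whose offset is tied to `titleprot_addr+4`, so changing `titleprot_addr` in getbins.h would leave a branch to the old location; the same literal is repeated in arm_kernel/source/main.c. This file already uses `ARM_BL(...)` for the ARM-mode hook, and a matching Thumb helper, or at least a comment such as `// bl 0x0510D988, recompute if titleprot_addr moves`, would keep the two in step. The `section_write` of the titleprot blob is not checked here against the 0x134-byte region declared in titleprot/ccd00.ld, so a length check before the write is worth adding. `kernel_launch_ios` starts and ends outside this hunk.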
diff --git a/dsrom/CBHC/main.c b/dsrom/CBHC/main.c index 460b21b..43d97ae 100644 --- a/dsrom/CBHC/main.c +++ b/dsrom/CBHC/main.c @@ -38,7 +38,7 @@ static unsigned int getButtonsDown(unsigned int padscore_handle, unsigned int vp #define SD_HBL_PATH "/vol/external01/wiiu/apps/homebrew_launcher/homebrew_launcher.elf" #define SD_MOCHA_PATH "/vol/external01/wiiu/apps/mocha/mocha.elf" -static const char *verChar = "CBHC v1.3 by FIX94"; +static const char *verChar = "CBHC v1.4 by FIX94"; #define DEFAULT_DISABLED 0 #define DEFAULT_SYSMENU 1 @@ -230,6 +230,13 @@ uint32_t __main(void) OSScreenSetBufferEx(1, (void*)(0xF4000000 + screen_buf0_size)); OSScreenEnable(1); + unsigned long long(*OSGetTitleID)(); + OSDynLoad_FindExport(coreinit_handle, 0, "OSGetTitleID", &OSGetTitleID); + unsigned int dsvcid = (unsigned int)(OSGetTitleID(0) & 0xFFFFFFFF); + + char verInfStr[64]; + __os_snprintf(verInfStr,64,"%s (DS Title %08X)", verChar, dsvcid); + unsigned int padscore_handle; OSDynLoad_Acquire("padscore.rpl", &padscore_handle); @@ -265,7 +272,7 @@ uint32_t __main(void) goto cbhc_menu; OSScreenClearBuffer(0); - OSScreenPutFont(0, 0, verChar); + OSScreenPutFont(0, 0, verInfStr); OSScreenPutFont(0, 1, "Autobooting..."); OSScreenFlipBuffers(); @@ -291,7 +298,7 @@ uint32_t __main(void) goto doIOSUexploit; OSScreenClearBuffer(0); - OSScreenPutFont(0, 0, verChar); + OSScreenPutFont(0, 0, verInfStr); OSScreenPutFont(0, 1, "Entering Menu..."); OSScreenFlipBuffers(); waitCnt = 30; @@ -365,8 +372,7 @@ cbhc_menu: ; if(redraw) { OSScreenClearBuffer(0); - OSScreenPutFont(0, 0, verChar); - + OSScreenPutFont(0, 0, verInfStr); char printStr[64]; __os_snprintf(printStr,64,"%c Boot System Menu", 0 == PosX ? '>' : ' '); OSScreenPutFont(0, 1, printStr); 
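Review bot: In the hunk at `@@ -230,6 +230,13 @@`, `OSGetTitleID` is an uninitialised function pointer that is called without checking whether `OSDynLoad_FindExport` succeeded, so a failed lookup jumps through an indeterminate address. Initialise and test it, e.g. `unsigned long long (*OSGetTitleID)(void) = 0;` followed by `unsigned int dsvcid = OSGetTitleID ? (unsigned int)(OSGetTitleID() & 0xFFFFFFFF) : 0;`. The call currently passes `0` to a pointer declared with empty parentheses, and `__os_snprintf(verInfStr,64,...)` would track the buffer better as `sizeof(verInfStr)`. `__main` continues outside the hunk.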
@@ -408,8 +414,9 @@ doIOSUexploit: OSScreenFlipBuffers(); memcpy((void*)0xF5E70100, &sysmenu, 8); - *(volatile unsigned int*)0xF5E70120 = (launchmode == LAUNCH_CFW_IMG); - DCStoreRange((void*)0xF5E70100, 0x40); + *(volatile unsigned int*)0xF5E70108 = dsvcid; + *(volatile unsigned int*)0xF5E7010C = launchmode; + DCStoreRange((void*)0xF5E70100, 0x20); int (*OSForceFullRelaunch)(void); OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch); diff --git a/dsrom/CBHC/titleprot/Makefile b/dsrom/CBHC/titleprot/Makefile new file mode 100644 index 0000000..78d3ea0 --- /dev/null +++ b/dsrom/CBHC/titleprot/Makefile 
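Review bot: The words stored at 0xF5E70108 and 0xF5E7010C form an undocumented contract with arm_kernel/source/main.c, which reads them back at 0x01E70108 and 0x01E7010C and interprets the second with its own `LAUNCH_*` defines. A shared header, or at least a comment here such as `/* +0x00 sysmenu title id (8 bytes), +0x08 DS VC title id low word, +0x0C launchmode (LAUNCH_*) */`, would keep the two sides from drifting apart. The `DCStoreRange` length drops from 0x40 to 0x20, which still covers the 0x10 bytes written in this hunk. `__main` continues outside the hunk.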
@@ -0,0 +1,76 @@ +ifeq ($(strip $(DEVKITARM)),) +$(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") +endif + +ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) +export PATH:=$(DEVKITARM)/bin:$(PATH) +endif + +CC = arm-none-eabi-gcc +# LINK = arm-none-eabi-gcc +LINK = arm-none-eabi-ld +AS = arm-none-eabi-as +OBJCOPY = arm-none-eabi-objcopy +CFLAGS += -Wall -mbig-endian -std=c99 -mcpu=arm926ej-s -Os -s -mthumb -I$(DEVKITPRO)/libnds/include +LDFLAGS += --script=ccd00.ld -EB -L"$(DEVKITARM)/arm-none-eabi/lib" + +CFILES = $(wildcard source/*.c) +BINFILES = $(wildcard data/*.*) +OFILES = $(CFILES:source/%.c=build/%.o) +DFILES = $(CFILES:source/%.c=build/%.d) +SFILES = $(wildcard source/*.s) +OFILES += $(SFILES:source/%.s=build/%.o) +OFILES += $(BINFILES:data/%=build/%.o) +PROJECTNAME = ${shell basename "$(CURDIR)"} +CWD = "$(CURDIR)"" + +#--------------------------------------------------------------------------------- +# canned command sequence for binary data, taken from devkitARM +#--------------------------------------------------------------------------------- +define bin2o + bin2s $< | $(AS) -o $(@) + echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( $@ + +$(PROJECTNAME).elf: $(OFILES) + $(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(sort $(filter-out build/crt0.o, $(OFILES))) + +clean: + @rm -f build/*.o build/*.d + @rmdir build 2>/nul; true + @rm -f $(PROJECTNAME).elf $(PROJECTNAME).bin $(PROJECTNAME)_bin.h + @echo "all cleaned up !" + +-include $(DFILES) + +build/%.o: source/%.c + $(CC) $(CFLAGS) -c $< -o $@ + @$(CC) -MM $< > build/$*.d + +build/%.o: source/%.s + $(CC) $(CFLAGS) -xassembler-with-cpp -c $< -o $@ + @$(CC) -MM $< > build/$*.d + +build/%.bin.o: data/%.bin + @echo $(notdir $<) + @$(bin2o) + +build/%.tga.o: data/%.tga + @echo $(notdir $<) + @$(bin2o) diff --git a/dsrom/CBHC/titleprot/ccd00.ld b/dsrom/CBHC/titleprot/ccd00.ld new file mode 100644 index 0000000..aacaae3 --- /dev/null 
+++ b/dsrom/CBHC/titleprot/ccd00.ld @@ -0,0 +1,16 @@ +OUTPUT_ARCH(arm) + +MEMORY +{ + RAMX (rx) : ORIGIN = 0x0510D988, LENGTH = 0x0000134 +} + +SECTIONS +{ + .text : { + build/crt0.o(.init) + *(.text) + *(.rodata) + } +} + diff --git a/dsrom/CBHC/titleprot/ccd00.specs b/dsrom/CBHC/titleprot/ccd00.specs new file mode 100644 index 0000000..ccff243 --- /dev/null +++ b/dsrom/CBHC/titleprot/ccd00.specs @@ -0,0 +1,4 @@ +%rename link old_link + +*link: +%(old_link) -T ./ccd00.ld%s diff --git a/dsrom/CBHC/titleprot/source/crt0.s b/dsrom/CBHC/titleprot/source/crt0.s new file mode 100644 index 0000000..8efde36 --- /dev/null +++ b/dsrom/CBHC/titleprot/source/crt0.s @@ -0,0 +1,23 @@ +.section ".init" +.thumb +.syntax unified + +.globl _start + +_start: + ldr r0, =#0x00050000 + cmp r0, r1 + bne nomatch + ldr r0, =#0x00000000 @will be written in by CBHC + cmp r0, r2 + beq match +nomatch: + @orignal code + movs r0, #0x9F + movs r3, #0x9F + bx lr +match: + @return delete error + movs r0, #0 + ldr r3, =#(0x05108236+1) + bx r3 diff --git a/installer/src/main.c b/installer/src/main.c index b03b94b..0ba1e11 100644 --- a/installer/src/main.c +++ b/installer/src/main.c @@ -125,7 +125,7 @@ int availSort(const void *c1, const void *c2) void printhdr_noflip() { #ifdef CB - println_noflip(0,"CBHC v1.3 by FIX94"); + println_noflip(0,"CBHC v1.4 by FIX94"); #else println_noflip(0,"Haxchi v2.3u1 by FIX94"); #endif diff --git a/release/wiiu/apps/cbhc/meta.xml b/release/wiiu/apps/cbhc/meta.xml index 08ae718..61ec169 100644 --- a/release/wiiu/apps/cbhc/meta.xml +++ b/release/wiiu/apps/cbhc/meta.xml @@ -2,9 +2,9 @@ CBHC FIX94 - 1.2 + 1.4 https://github.com/FIX94/haxchi - 20161213200000 + 20161216200000 Coldboot Haxchi Installer WARNING! This will install Coldboot Haxchi on your system. ONLY USE THIS IF YOU ARE WILLING TO TAKE A RISK OF BRICKING YOUR CONSOLE.
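Review bot: `_start` in titleprot/source/crt0.s has no comment saying what it expects in `r1` and `r2` or what the branch target `0x05108236` is, and the `ldr r0, =#0x00000000` literal is the word arm_kernel/source/main.c overwrites at runtime. I would add a header comment along the lines of `@ entered via bl from 0x05107F70; r1/r2 presumably hold the high/low title ID words (confirm)` and give the patched literal its own label so its offset is explicit. The two `movs` under `nomatch` are described only as original code (the comment is misspelled `orignal`); if they re-create instructions displaced by the `bl`, saying so would help the next reader.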