diff --git a/Makefile b/Makefile index 079c95f..fde8a81 100644 --- a/Makefile +++ b/Makefile @@ -6,14 +6,20 @@ else ZIP = zip endif -all: setup brainage kirby yoshids brainage.zip kirby.zip yoshids.zip +all: setup brainage kirby mariokartds sfcommand yoshids zeldaph brainage.zip kirby.zip mariokartds.zip sfcommand.zip yoshids.zip zeldaph.zip brainage: setup_brainage brainage.nds -kirby: setup_kirby kirby.nds +kirby: setup_kirby kirby.nds + +mariokartds: setup_mariokartds mariokartds.nds + +sfcommand: setup_sfcommand sfcommand.nds yoshids: setup_yoshids yoshids.nds +zeldaph: setup_zeldaph zeldaph.nds + setup: @cd option_select && make && cd .. @cd hbl_loader && make && cd .. @@ -27,10 +33,22 @@ setup_kirby: @rm -f defines.s haxchi_rop.bin haxchi_rop_hook.bin @cp -f kirby_defs.s defines.s +setup_mariokartds: + @rm -f defines.s haxchi_rop.bin haxchi_rop_hook.bin + @cp -f mariokartds_defs.s defines.s + +setup_sfcommand: + @rm -f defines.s haxchi_rop.bin haxchi_rop_hook.bin + @cp -f sfcommand_defs.s defines.s + setup_yoshids: @rm -f defines.s haxchi_rop.bin haxchi_rop_hook.bin @cp -f yoshids_defs.s defines.s +setup_zeldaph: + @rm -f defines.s haxchi_rop.bin haxchi_rop_hook.bin + @cp -f zeldaph_defs.s defines.s + brainage.nds: @armips haxchi_rop.s @armips haxchi.s 
@@ -41,27 +59,27 @@ kirby.nds: @armips haxchi.s @mv rom.nds kirby.nds +mariokartds.nds: + @armips haxchi_rop.s + @armips haxchi.s + @mv rom.nds mariokartds.nds + @cp mariokartds.nds newsmb.nds + +sfcommand.nds: + @armips haxchi_rop.s + @armips haxchi.s + @mv rom.nds sfcommand.nds + yoshids.nds: @armips haxchi_rop.s @armips haxchi.s @mv rom.nds yoshids.nds @cp yoshids.nds wwtouched.nds -brainage_cfw.nds: +zeldaph.nds: @armips haxchi_rop.s @armips haxchi.s - @mv rom.nds brainage_cfw.nds - -kirby_cfw.nds: - @armips haxchi_rop.s - @armips haxchi.s - @mv rom.nds kirby_cfw.nds - -yoshids_cfw.nds: - @armips haxchi_rop.s - @armips haxchi.s - @mv rom.nds yoshids_cfw.nds - @cp yoshids_cfw.nds wwtouched_cfw.nds + @mv rom.nds zeldaph.nds brainage.zip: $(ZIP) -JXjq9 brainage.zip brainage.nds @@ -69,12 +87,23 @@ brainage.zip: kirby.zip: $(ZIP) -JXjq9 kirby.zip kirby.nds +mariokartds.zip: + $(ZIP) -JXjq9 mariokartds.zip mariokartds.nds + $(ZIP) -JXjq9 newsmb.zip newsmb.nds + +sfcommand.zip: + $(ZIP) -JXjq9 sfcommand.zip sfcommand.nds + yoshids.zip: $(ZIP) -JXjq9 yoshids.zip yoshids.nds $(ZIP) -JXjq9 wwtouched.zip wwtouched.nds +zeldaph.zip: + $(ZIP) -JXjq9 zeldaph.zip zeldaph.nds + clean: - @rm -f *.bin defines.s brainage.nds brainage.zip kirby.nds kirby.zip wwtouched.nds wwtouched.zip yoshids.nds yoshids.zip + @rm -f *.bin defines.s brainage.nds brainage.zip kirby.nds kirby.zip mariokartds.nds mariokartds.zip \ + newsmb.nds newsmb.zip sfcommand.nds sfcommand.zip wwtouched.nds wwtouched.zip yoshids.nds yoshids.zip zeldaph.nds zeldaph.zip @cd option_select && make clean && cd .. @cd hbl_loader && make clean && cd .. @cd cfw_booter && make clean && cd .. diff --git a/README.md b/README.md index b3683e4..d66e08c 100644 --- a/README.md +++ b/README.md 
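Review bot: The new `mariokartds.nds`, `sfcommand.nds` and `zeldaph.nds` rules have no prerequisite on their `setup_*` rule, so the `defines.s` they assemble against is simply whatever the most recent `setup_*` copied; the ordering only holds because the aggregate targets in the first hunk list `setup_X` before `X.nds` and make runs them serially, and it breaks for `make mariokartds.nds` on its own. Declaring the order explicitly, e.g. `mariokartds.nds: setup_mariokartds` (and likewise for the other five titles), plus a `.PHONY: setup setup_brainage setup_kirby setup_mariokartds setup_sfcommand setup_yoshids setup_zeldaph clean` line, makes the intent visible and keeps the setup rules from being skipped should a file of that name ever exist. Even with that, `make -j all` still has every `.nds` rule sharing the single `defines.s` and the `rom.nds` written by `armips haxchi.s`, so a comment on `all:` saying the build is serial-only would save the next person a confusing failure.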
@@ -29,6 +29,12 @@ make sure to replace YOUR_GAME_TITLE_ID with one of the following: 10179A00 - JPN Brain Age 10179B00 - US Brain Age 10179C00 - PAL Brain Training +10195600 - JPN Mario Kart DS +10195700 - US Mario Kart DS +10195800 - PAL Mario Kart DS +10195900 - JPN New Super Mario Bros +10195A00 - US New Super Mario Bros +10195B00 - PAL New Super Mario Bros 10198800 - JPN Yoshi's Island DS 10198900 - US Yoshi's Island DS 10198A00 - PAL Yoshi's Island DS @@ -38,6 +44,12 @@ make sure to replace YOUR_GAME_TITLE_ID with one of the following: 101A5500 - JPN Kirby Squeak Squad 101A5600 - US Kirby Squeak Squad 101A5700 - PAL Kirby Mouse Attack +101AC000 - JPN Star Fox Command +101AC100 - US Star Fox Command +101AC200 - PAL Star Fox Command +101C3600 - JPN Zelda Phantom Hourglass +101C3700 - US Zelda Phantom Hourglass +101C3800 - PAL Zelda Phantom Hourglass a config.txt can look like this for example: ``` diff --git a/brainage_defs.s b/brainage_defs.s index 714a650..b72cf80 100644 --- a/brainage_defs.s +++ b/brainage_defs.s @@ -1,14 +1,14 @@ ; game stack return address HAX_TARGET_ADDRESS equ (0x1076FAA4) - +; application memory pointer HACHI_APPLICATION_PTR equ (0x10A6E038) - +; arm9 rom location address ARM9_ROM_LOCATION equ (0x16220400) -ARM7_ROM_MEM2_START equ (0xEBDDFC00) ; constants for position calcs RPX_OFFSET equ (0x01800000) +ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000) ; rop-gadgets part 1 (used for all sorts of different things) LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C) diff --git a/hbl_loader/sd_loader/src/crt0.S b/hbl_loader/sd_loader/src/crt0.S new file mode 100644 index 0000000..c803619 --- /dev/null +++ b/hbl_loader/sd_loader/src/crt0.S 
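Review bot: `ARM7_ROM_MEM2_START` is now computed as `0xF0000000 - ARM9_ROM_LOCATION + 0x12000000` and the two new literals are unexplained; the expression evaluates to the old hard-coded value here (0xEBDDFC00) and also in the `kirby_defs.s` and `yoshids_defs.s` hunks, so the change is behaviour-preserving, but nothing says what 0xF0000000 and 0x12000000 denote or why the relation holds for every title. A comment above the line, e.g. `; derived from ARM9_ROM_LOCATION; equals the previous per-title literal (0xEBDDFC00)`, plus a one-time explanation of the two constants in whichever file owns the formula, would let the next title's value be reviewed without recomputing it by hand. The same note applies to the kirby and yoshids hunks.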
@@ -0,0 +1,20 @@
+
+ .extern _main
+ .globl _start
+
+_start:
+ mflr 0
+ stwu 1,-0x18(1)
+ stw 0,0x1C(1)
+ stw 3,8(1)
+ stw 4,0xC(1)
+ # jump to our main
+ bl _main
+ # launch original title
+ mtctr 3
+ lwz 3,8(1)
+ lwz 4,0xC(1)
+ lwz 0,0x1C(1)
+ mtlr 0
+ addi 1,1,0x18
+ bctr
diff --git a/hbl_loader/sd_loader/src/entry.c b/hbl_loader/sd_loader/src/entry.c
index 6c81f98..ccfa427 100644
--- a/hbl_loader/sd_loader/src/entry.c
+++ b/hbl_loader/sd_loader/src/entry.c
@@ -272,8 +272,10 @@ static int LiWaitOneChunk(unsigned int * iRemainingBytes, const char *filename, if((mapOffset + blockSize) >= mem_area->size) { blockSize = mem_area->size - mapOffset; + //! this value is incremented later by blockSize, so set it to -blockSize for it to be 0 after copy + //! it makes smaller code then if(mapOffset == mem_area->size) after copy + mapOffset = -blockSize; mem_area = mem_area->next; - mapOffset = 0; } SC0x25_KernelCopyData(load_addressPhys + rpxBlockPos, address, blockSize);
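Review bot: The contract between this stub and `_main` is only implied by the instruction sequence: `bl _main` is followed by `mtctr 3` and `bctr`, so whatever `_main` returns in r3 is branched to unconditionally with no check for a zero or failed result, and the entry r3/r4 saved at `8(1)`/`0xC(1)` are restored before the branch. A short header comment stating that — `_main` must return the address to continue at, and the original r3/r4 are handed back to that address untouched — would make the dependency on `entry.c` explicit. The LR store at `0x1C(1)` lands above the 0x18-byte frame this stub allocates, i.e. in the caller's frame, which as far as I can tell is the conventional link-register slot, but that is exactly the detail a one-line comment on `stwu 1,-0x18(1)` should state.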
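Review bot: `mapOffset = -blockSize;` leaves `mapOffset` holding a value that is not a valid offset until the later `+= blockSize` the comment refers to; that increment is not in this hunk and LiWaitOneChunk continues outside it, so the invariant is invisible at the point it must hold, and any future read of `mapOffset` between the two statements (the visible lines only read `mem_area` and `blockSize`) would silently misbehave. Whether `mapOffset` is signed or unsigned is not visible here; the round trip is well defined either way, but the comment should spell out the dependency, e.g. `//! leaves mapOffset at -blockSize on purpose: the += blockSize after the copy brings it back to 0; do not read it before then`. The second comment line should also read `smaller code than` rather than `then`.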
@@ -445,6 +447,26 @@ static int LoadFileToMem(private_data_t *private_data, const char *filepath, uns
 return success;
 }
 
+static void setup_patches(private_data_t *private_data)
+{
+ //! setup necessary syscalls and hooks for HBL
+ kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl1 + (0x25 * 4)), (unsigned int)KernelCopyData);
+ kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl2 + (0x25 * 4)), (unsigned int)KernelCopyData);
+ kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl3 + (0x25 * 4)), (unsigned int)KernelCopyData);
+ kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl4 + (0x25 * 4)), (unsigned int)KernelCopyData);
+ kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl5 + (0x25 * 4)), (unsigned int)KernelCopyData);
+
+ //! store physical address for later use
+ addrphys_LiWaitOneChunk = private_data->OSEffectiveToPhysical((void*)OS_SPECIFICS->addr_LiWaitOneChunk);
+
+ u32 addr_my_PrepareTitle_hook = ((u32)my_PrepareTitle_hook) | 0x48000003;
+ DCFlushRange(&addr_my_PrepareTitle_hook, 4);
+
+ //! create our copy syscall
+ SC0x25_KernelCopyData(OS_SPECIFICS->addr_PrepareTitle_hook, private_data->OSEffectiveToPhysical(&addr_my_PrepareTitle_hook), 4);
+
+}
+
 static unsigned int load_elf_image (private_data_t *private_data, unsigned char *elfstart)
 {
 Elf32_Ehdr *ehdr;
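Review bot: The comment `//! create our copy syscall` sits above the `SC0x25_KernelCopyData` call that *uses* the syscall to write `addr_my_PrepareTitle_hook` to `addr_PrepareTitle_hook`; the syscall itself is created by the five `kern_write` calls at the top of the function, so the comment belongs there and this line should read `//! write the PrepareTitle hook word via our copy syscall`. `setup_patches` also has no header comment stating when it must run; the only statement of that is the call-site comment in `_main` (`before launching it`), outside this hunk, and a two-line comment above the function saying it must precede the HBL launch path and that later code relies on the syscall being present keeps that knowledge with the function. The literal `0x25 * 4` is repeated five times; a single named index next to the `SC0x25_KernelCopyData` declaration it mirrors, e.g. `#define KERN_SYSCALL_IDX_COPYDATA 0x25`, would keep the table writes and the wrapper in sync. The blank line before the closing `}` is a style nit.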
@@ -500,22 +522,6 @@ static unsigned int load_elf_image (private_data_t *private_data, unsigned char } } - //! setup hooks - kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl1 + (0x25 * 4)), (unsigned int)KernelCopyData); - kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl2 + (0x25 * 4)), (unsigned int)KernelCopyData); - kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl3 + (0x25 * 4)), (unsigned int)KernelCopyData); - kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl4 + (0x25 * 4)), (unsigned int)KernelCopyData); - kern_write((void*)(OS_SPECIFICS->addr_KernSyscallTbl5 + (0x25 * 4)), (unsigned int)KernelCopyData); - - //! store physical address for later use - addrphys_LiWaitOneChunk = private_data->OSEffectiveToPhysical((void*)OS_SPECIFICS->addr_LiWaitOneChunk); - - u32 addr_my_PrepareTitle_hook = ((u32)my_PrepareTitle_hook) | 0x48000003; - DCFlushRange(&addr_my_PrepareTitle_hook, 4); - - //! create our copy syscall - SC0x25_KernelCopyData(OS_SPECIFICS->addr_PrepareTitle_hook, private_data->OSEffectiveToPhysical(&addr_my_PrepareTitle_hook), 4); - return ehdr->e_entry; } @@ -568,7 +574,7 @@ static const char *HBL_ELF_PATH = "/vol/external01/wiiu/apps/homebrew_launcher/h unsigned int _main(int argc, char **argv) { - private_data_t private_data; + private_data_t private_data; if(MAIN_ENTRY_ADDR != 0xC001C0DE) { @@ -593,6 +599,9 @@ unsigned int _main(int argc, char **argv) if(MAIN_ENTRY_ADDR == 0xDEADC0DE || MAIN_ENTRY_ADDR == 0) { + //! setup necessary syscalls and hooks for HBL before launching it + setup_patches(&private_data); + if(HBL_CHANNEL) { break; @@ -644,6 +653,7 @@ unsigned int _main(int argc, char **argv) } unsigned int entry = *(unsigned int*)OS_SPECIFICS->addr_OSTitle_main_entry; + //! if an application was an RPX launch then launch HBL again after return /*if(MAIN_ENTRY_ADDR == 0xC001C0DE) { diff --git a/kirby_defs.s b/kirby_defs.s index f1568fe..81df742 100644 --- a/kirby_defs.s +++ b/kirby_defs.s 
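Review bot: The comment added in the last hunk, `//! if an application was an RPX launch then launch HBL again after return`, is placed directly above a block that is commented out (`/*if(MAIN_ENTRY_ADDR == 0xC001C0DE) {`), so it now documents behaviour the code does not perform; either mark it as describing disabled code or delete the dead block instead of annotating it. In the third hunk `setup_patches(&private_data)` becomes the only place the syscall patches are installed (the first hunk removes them from `load_elf_image`), and it runs only on the `MAIN_ENTRY_ADDR == 0xDEADC0DE || MAIN_ENTRY_ADDR == 0` path; `_main` starts and ends outside the hunk, so I cannot see whether the `HBL_CHANNEL` `break` that follows still leads to code expecting the patches, and a comment at the call site naming which later steps depend on them would settle that. The second hunk is whitespace only.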
@@ -5,7 +5,7 @@ HAX_TARGET_ADDRESS equ (0x107968AC) HACHI_APPLICATION_PTR equ (0x10c8c938) ARM9_ROM_LOCATION equ (0x1643F200) -ARM7_ROM_MEM2_START equ (0xEBBC0E00) +ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000) ; constants for position calcs RPX_OFFSET equ (0x01800000) diff --git a/mariokartds_defs.s b/mariokartds_defs.s new file mode 100644 index 0000000..ad32780 --- /dev/null +++ b/mariokartds_defs.s 
@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1077865C)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10A77038)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16229400)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x022031F8)
+BCTRL equ (RPX_OFFSET + 0x02203130)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A04C8)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A00A0)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02005AB8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02175AE8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x022740A8)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02017F88)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AB88C)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200EB28)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x020809E4)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02054DCC)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018010)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02145D64)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023700)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x0221E0B8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0221E4D4)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0221DF64)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006944)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F138)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x0221D434)
+_START_EXIT equ (RPX_OFFSET + 0x02025F48)
diff --git a/option_select/main.c b/option_select/main.c
index 6d4baad..2cd0109 100644
--- a/option_select/main.c
+++ b/option_select/main.c
@@ -249,9 +249,8 @@ fileEnd: } if(pBuffer) MEMFreeToDefaultHeap(pBuffer); - if(hbl) - *(int*)0xF5E700FC = 0; //set SD_LOADER_FORCE_HBL to 0 - DCStoreRange((void*)0xF5E70000,0xA0); + + DCStoreRange((void*)0xF5E70000,0x100); uint32_t entry = (hbl ? 0x01800000 : 0x0180C000); return entry; }
diff --git a/sfcommand_defs.s b/sfcommand_defs.s
new file mode 100644
index 0000000..e1efdd4
--- /dev/null
+++ b/sfcommand_defs.s
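Review bot: The preamble of this file — `RPX_OFFSET`, the `ARM7_ROM_MEM2_START` formula and the three section comments — is repeated verbatim in the new `sfcommand_defs.s` and `zeldaph_defs.s` and in the three edited existing defs files; only the per-title addresses differ. Moving the shared lines into one file that each per-title file pulls in with armips' `.include` directive would leave each `*_defs.s` holding only the values that genuinely vary, so the next change to the formula is made once instead of in six places as this commit had to do. A one-line comment at the top of each per-title file naming the game build the addresses were taken from would also make it clear which binary a future update must be checked against.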
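Review bot: Dropping `if(hbl) *(int*)0xF5E700FC = 0;` means the word the old comment named `SD_LOADER_FORCE_HBL` is no longer cleared on this path, while the `DCStoreRange` length grows from 0xA0 to 0x100 so the flush now covers that word; nothing in the hunk says who clears or consumes it now, and the removed comment was the only documentation of that field. A one-line comment at the new `DCStoreRange`, e.g. `//! 0x100 covers the whole shared block, including SD_LOADER_FORCE_HBL at +0xFC, which <TODO: new owner> now resets`, would preserve that knowledge. The base `0xF5E70000` and the lengths 0xA0/0x100 are bare literals; a named block size shared with the reader on the loader side (presumably the sd_loader, given the field's name) would make the coupling checkable. `fileEnd:` is a label inside the enclosing function, which starts outside the hunk.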
@@ -0,0 +1,39 @@
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x107968AC)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8C938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x1643F200)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02063D3C)
+BCTRL equ (RPX_OFFSET + 0x02004158)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3670)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3248)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0200106C)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x021791C8)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277BA4)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEAB0)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082E20)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x020578EC)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x02149304)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02221A48)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E64)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022218F4)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220DAC)
+_START_EXIT equ (RPX_OFFSET + 0x0202699C)
diff --git a/yoshids_defs.s b/yoshids_defs.s
index 71cdb14..0987576 100644
--- a/yoshids_defs.s
+++ b/yoshids_defs.s
@@ -1,14 +1,14 @@ ; game stack return address HAX_TARGET_ADDRESS equ (0x1079B52C) - +; application memory pointer HACHI_APPLICATION_PTR equ (0x10C91938) - +; arm9 rom location address ARM9_ROM_LOCATION equ (0x16444200) -ARM7_ROM_MEM2_START equ (0xEBBBBE00) ; constants for position calcs RPX_OFFSET equ (0x01800000) +ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000) ; rop-gadgets part 1 (used for all sorts of different things) LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02206F7C)
diff --git a/zeldaph_defs.s b/zeldaph_defs.s
new file mode 100644
index 0000000..6239de0
--- /dev/null
+++ b/zeldaph_defs.s
@@ -0,0 +1,39 @@
+
+; game stack return address (note: not ideal here)
+HAX_TARGET_ADDRESS equ (0x10799CBC)
+; application memory pointer
+HACHI_APPLICATION_PTR equ (0x10C8F938)
+; arm9 rom location address
+ARM9_ROM_LOCATION equ (0x16443400)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+ARM7_ROM_MEM2_START equ (0xF0000000 - ARM9_ROM_LOCATION + 0x12000000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x0204AB1C)
+BCTRL equ (RPX_OFFSET + 0x02003CF0)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A9E30)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A9A08)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02000BA8)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0217F988)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x0227E524)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018548)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020B5270)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F0BC)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02088050)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205C438)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x020185D0)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214FAC4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02023F14)
+
+; functions used from game
+NERD_CREATETHREAD equ 
(RPX_OFFSET + 0x0222832C)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02228748)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x022281D8)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x020068C4)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201F97C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x022278FC)
+_START_EXIT equ (RPX_OFFSET + 0x02025FB0)