From fc0b05ab9d339f28adcc90eb665a66ca910b4557 Mon Sep 17 00:00:00 2001
From: orboditilt <45944072+orboditilt@users.noreply.github.com>
Date: Thu, 24 Jan 2019 17:22:30 +0100
Subject: [PATCH] Switch to Mii Maker after calling the payload.
---
 coreinit.s | 3 +++
 haxchi_rop.s | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/coreinit.s b/coreinit.s
index 865304b..b56708a 100644
--- a/coreinit.s
+++ b/coreinit.s
@@ -1,6 +1,7 @@
 ; constants for position calcs
 COREINIT_OFFSET equ (- 0xFE3C00)
+SYSAPP_OFFSET equ (0x01B75D00)
 ; coreinit gadgets
 MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
@@ -17,3 +18,5 @@ IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
 OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET)
 OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET)
 OSFATAL equ (0x02015218 + COREINIT_OFFSET)
+_EXIT equ (0x02000980 + COREINIT_OFFSET)
+_SYSLaunchMiiStudio equ (0x020019D4 + SYSAPP_OFFSET)
diff --git a/haxchi_rop.s b/haxchi_rop.s
index c9b99ed..78bb9e3 100644
--- a/haxchi_rop.s
+++ b/haxchi_rop.s
@@ -118,10 +118,8 @@ rop_hook_start:
 .arm.big
 rop_start:
- ; do hachihachi cleanups so we can use everything safely
- call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
+ ; quit out of GX2 so we can re-use it in core 0
 call_func NERD_FASTWIIU_SHUTDOWN, 0, 0, 0, 0
- call_func CORE_SHUTDOWN, 0, 0, 0, 0
 ; set up hbl_loader in core 0
 call_func_6args NERD_CREATETHREAD, NERD_THREAD0OBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread0_param, 0x0, 0x0
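Review bot: `SYSAPP_OFFSET equ (0x01B75D00)` is added under the "constants for position calcs" header without saying what it rebases, while the file's existing convention is that an `_OFFSET` is the delta applied to one module's link-time addresses (`COREINIT_OFFSET` for the coreinit gadgets). A one-line comment would keep the two symmetric, e.g. `SYSAPP_OFFSET equ (0x01B75D00) ; sysapp module delta, presumably for the same system version as COREINIT_OFFSET`. The same applies to the second hunk of coreinit.s, where `_SYSLaunchMiiStudio` is placed under the "; coreinit gadgets" heading although it resolves against `SYSAPP_OFFSET`, not `COREINIT_OFFSET`; a separate `; sysapp imports` heading or a trailing comment would prevent a reader from applying the wrong base. Because every address in this file is valid for exactly one system version, that version should be named once near the top of the file instead of being left implicit in the payload file name.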
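Review bot: The removed comment justified running the hachihachi teardown first "so we can use everything safely"; with `HACHI_APPLICATION_SHUTDOWNANDDESTROY` and `CORE_SHUTDOWN` now deferred until after the core-0 thread is joined (see the next hunk in this file), the loader thread appears to run while that application state is still live, and the replacement comment only explains the GX2 shutdown. Record why the deferral is safe, or what the payload must not touch in the meantime, e.g. `; quit out of GX2 so we can re-use it in core 0; hachihachi itself is torn down after the loader thread is joined (below)`. rop_start continues past the end of this hunk.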
@@ -200,6 +198,13 @@ rop_start:
 call_func NERD_STARTTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 call_func NERD_JOINTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
+ ; clean up the rest of hachihachi
+ call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
+ call_func CORE_SHUTDOWN, 0, 0, 0, 0
+
+ ; on exit we want to go into mii studio directly
+ call_func _SYSLaunchMiiStudio, 0x0, 0x0, 0x0, 0x0
+
 ; prepare system for foreground release
 call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
@@ -214,7 +219,7 @@ rop_start:
 call_func OSRELEASEFOREGROUND, 0, 0, 0, 0
 ; launch mii studio app
- .word _START_EXIT
+ .word _EXIT
 core0rop:
 ; switch codegen to RW
@@ -257,7 +262,7 @@ rop_start:
 .halfword 0x0004 ; thread affinity (core2)
 hbl_loader:
- .incbin "hbl_loader.bin"
+ .incbin "code550.bin"
 hbl_loader_end:
 .Close
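Review bot: The new comment `; on exit we want to go into mii studio directly` above `call_func _SYSLaunchMiiStudio` and the untouched `; launch mii studio app` above the new `.word _EXIT` in the following hunk now describe the same outcome at two places, and neither says which call actually performs the switch. If, as the ordering suggests, `_SYSLaunchMiiStudio` only queues the next title and the transition happens when `_EXIT` runs after `OSRELEASEFOREGROUND`, say so: `; queue Mii Studio as the next title; the switch happens at _EXIT after foreground release` here, and `; exit - the queued Mii Studio launch takes over` above the `.word`. A ROP chain cannot observe a rejected launch request, so the comment should also state what the exit path does when no launch was queued — worth confirming on hardware rather than inferring. rop_start continues outside both hunks.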
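Review bot: `.incbin "code550.bin"` swaps the embedded payload for a prebuilt blob that the commit message does not mention, and nothing visible records where it comes from or how it is rebuilt. Add a comment naming its source and the system version it targets (the `550` presumably means 5.5.0 — confirm), e.g. `; code550.bin: built from <PAYLOAD_SOURCE_DIR placeholder>, valid for one system version only`, and consider recording its expected size or hash alongside so a stale or altered binary fails the build instead of being embedded. The `hbl_loader`/`hbl_loader_end` labels still carry the old name, which misleads if the blob is no longer the HBL loader.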