Switch to Mii Maker after calling the payload.

coreinit.s

@@ -1,6 +1,7 @@
 
 ; constants for position calcs
 COREINIT_OFFSET equ (- 0xFE3C00)
+SYSAPP_OFFSET equ (0x01B75D00)
 
 ; coreinit gadgets
 MTCTR_R30_MR_R8R21_R7R29_R6R28_R5R27_R4R25_R3R24_BCTRL equ (COREINIT_OFFSET + 0x02002968)
@@ -17,3 +18,5 @@ IC_INVALIDATERANGE equ (0x02007CB0 + COREINIT_OFFSET)
 OSSAVESDONE_READYTORELEASE equ (0x0201D5B8 + COREINIT_OFFSET)
 OSRELEASEFOREGROUND equ (0x0201D5BC + COREINIT_OFFSET)
 OSFATAL equ (0x02015218 + COREINIT_OFFSET)
+_EXIT equ (0x02000980 + COREINIT_OFFSET)
+_SYSLaunchMiiStudio equ (0x020019D4 + SYSAPP_OFFSET)

haxchi_rop.s

@@ -118,10 +118,8 @@ rop_hook_start:
 .arm.big
 
 rop_start:
-	; do hachihachi cleanups so we can use everything safely
-	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
+	; quit out of GX2 so we can re-use it in core 0
 	call_func NERD_FASTWIIU_SHUTDOWN, 0, 0, 0, 0
-	call_func CORE_SHUTDOWN, 0, 0, 0, 0
 
 	; set up hbl_loader in core 0
 	call_func_6args NERD_CREATETHREAD, NERD_THREAD0OBJECT, LWZ_R0xAFC_MTLR_R0_ADDI_R1xAF8_BLR, 0x1007E7A8, thread0_param, 0x0, 0x0
@@ -200,6 +198,13 @@ rop_start:
 	call_func NERD_STARTTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 	call_func NERD_JOINTHREAD, NERD_THREAD0OBJECT, 0x0, 0x0, 0x0
 
+	; clean up the rest of hachihachi
+	call_func HACHI_APPLICATION_SHUTDOWNANDDESTROY, HACHI_APPLICATION_PTR, 0, 0, 0
+	call_func CORE_SHUTDOWN, 0, 0, 0, 0
+
+	; on exit we want to go into mii studio directly
+	call_func _SYSLaunchMiiStudio, 0x0, 0x0, 0x0, 0x0
+
 	; prepare system for foreground release
 	call_func OSSAVESDONE_READYTORELEASE, 0, 0, 0, 0
 
@@ -214,7 +219,7 @@ rop_start:
 	call_func OSRELEASEFOREGROUND, 0, 0, 0, 0
 
 	; launch mii studio app
-	.word _START_EXIT
+	.word _EXIT
 
 	core0rop:
 		; switch codegen to RW
@@ -257,7 +262,7 @@ rop_start:
 		.halfword 0x0004 ; thread affinity (core2)
 
 	hbl_loader:
-		.incbin "hbl_loader.bin"
+		.incbin "code550.bin"
 	hbl_loader_end:
 
 .Close