diff --git a/crt0.S b/crt0.S
index a51658b..4b91f25 100644
--- a/crt0.S
+++ b/crt0.S
@@ -1,8 +1,6 @@
-.extern __main
+ .extern __main
 .globl _start
+
 _start:
- # load proper stack
- lis r1, 0x1ab5
- ori r1, r1, 0xd138
 # jump to our main
- bl __main
+ b __main
diff --git a/gx2sploit b/gx2sploit
index 60a162a..43ff7b2 160000
--- a/gx2sploit
+++ b/gx2sploit
@@ -1 +1 @@
-Subproject commit 60a162a019da4090406a97a8d3f8e49353270d47
+Subproject commit 43ff7b2aaea900e21fd07a197ae7bf46f12e78e4
diff --git a/launcher.c b/launcher.c
index f791883..5db320e 100644
--- a/launcher.c
+++ b/launcher.c
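Review bot: With the stack load removed, `_start` now runs `__main` on whatever r1 the exploit chain left in place, and `b __main` instead of `bl` means lr is never set here, so if `__main` ever returns it goes back to whatever lr held when `_start` was entered rather than to this stub. The launcher.c side does end `__main` with `OSExitThread(0)`, but its `FORCE_SYSMENU` branch follows `OSExitThread(0)` with a `return`, so the never-returns invariant is only as strong as OSExitThread not returning. That invariant should be written down next to the branch, e.g. `# r1 is inherited from the exploit thread; __main must never return (it ends in OSExitThread)`. If the inherited stack is not guaranteed to hold `__main`'s locals (private_data_t, VPADData), that assumption deserves a comment as well.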
@@ -8,68 +8,69 @@ /* Install functions */ static void InstallMain(private_data_t *private_data); -void wait(unsigned int coreinit_handle, unsigned int t) { - void (*OSYieldThread)(void); - OSDynLoad_FindExport(coreinit_handle, 0, "OSYieldThread", &OSYieldThread); +#define FORCE_SYSMENU (VPAD_BUTTON_ZL | VPAD_BUTTON_ZR | VPAD_BUTTON_L | VPAD_BUTTON_R) - while(t--) { - OSYieldThread(); - } -} - -void doBrowserShutdown(unsigned int coreinit_handle) { - void*(*memset)(void *dest, uint32_t value, uint32_t bytes); - void*(*OSAllocFromSystem)(uint32_t size, int align); - void (*OSFreeToSystem)(void *ptr); - - int(*IM_SetDeviceState)(int fd, void *mem, int state, int a, int b); - int(*IM_Close)(int fd); - int(*IM_Open)(); - - OSDynLoad_FindExport(coreinit_handle, 0, "memset", &memset); - OSDynLoad_FindExport(coreinit_handle, 0, "OSAllocFromSystem", &OSAllocFromSystem); - OSDynLoad_FindExport(coreinit_handle, 0, "OSFreeToSystem", &OSFreeToSystem); - - OSDynLoad_FindExport(coreinit_handle, 0, "IM_SetDeviceState", &IM_SetDeviceState); - OSDynLoad_FindExport(coreinit_handle, 0, "IM_Close", &IM_Close); - OSDynLoad_FindExport(coreinit_handle, 0, "IM_Open", &IM_Open); - - //Restart system to get lib access - int fd = IM_Open(); - void *mem = OSAllocFromSystem(0x100, 64); - memset(mem, 0, 0x100); - //set restart flag to force quit browser - IM_SetDeviceState(fd, mem, 3, 0, 0); - IM_Close(fd); - OSFreeToSystem(mem); - //wait a bit for browser end - wait(coreinit_handle, 0x3FFFF*0x4); -} +void PrepareScreen(private_data_t *private_data); /* ****************************************************************** */ /* ENTRY POINT */ /* ****************************************************************** */ void __main(void) { + + /* coreinit functions */ unsigned int coreinit_handle; OSDynLoad_Acquire("coreinit.rpl", &coreinit_handle); + /* coreinit os functions*/ + int (*OSForceFullRelaunch)(void); + void (*OSSleepTicks)(unsigned long long ticks); + void (*OSExitThread)(int); + unsigned 
long long(*OSGetTitleID)(); + + OSDynLoad_FindExport(coreinit_handle, 0, "OSForceFullRelaunch", &OSForceFullRelaunch); + OSDynLoad_FindExport(coreinit_handle, 0, "OSSleepTicks", &OSSleepTicks); + OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread); + OSDynLoad_FindExport(coreinit_handle, 0, "OSGetTitleID", &OSGetTitleID); + + /* sysapp functions */ + unsigned int sysapp_handle; + OSDynLoad_Acquire("sysapp.rpl", &sysapp_handle); + + int(*_SYSLaunchTitleWithStdArgsInNoSplash)(unsigned long long tid, void *ptr); + unsigned long long(*_SYSGetSystemApplicationTitleId)(int sysApp); + + OSDynLoad_FindExport(sysapp_handle, 0, "_SYSLaunchTitleWithStdArgsInNoSplash", &_SYSLaunchTitleWithStdArgsInNoSplash); + OSDynLoad_FindExport(sysapp_handle, 0, "_SYSGetSystemApplicationTitleId", &_SYSGetSystemApplicationTitleId); + + /* vpad functions */ + unsigned int vpad_handle; + OSDynLoad_Acquire("vpad.rpl", &vpad_handle); + + int(*VPADRead)(int controller, VPADData *buffer, unsigned int num, int *error); + OSDynLoad_FindExport(vpad_handle, 0, "VPADRead", &VPADRead); + + unsigned long long sysmenu = _SYSGetSystemApplicationTitleId(0); + + /* pre-menu button combinations which can be held on gamepad */ + int vpadError = -1; + VPADData vpad; + VPADRead(0, &vpad, 1, &vpadError); + if(vpadError == 0) { + if(((vpad.btns_d|vpad.btns_h) & FORCE_SYSMENU) == FORCE_SYSMENU) { + // menu launch backup code + _SYSLaunchTitleWithStdArgsInNoSplash(sysmenu, 0); + OSExitThread(0); + return; + } + } + + /* Get our memory functions */ unsigned int* functionPointer; void* (*p_memset)(void * dest, unsigned int value, unsigned int bytes); void (*_Exit)(int); - void (*OSYieldThread)(void); - int32_t (*OSGetCoreId)(void); - bool (*OSCreateThread)(void *thread, void *entry, int32_t argc, void *args, uint32_t *stack, uint32_t stack_size, int32_t priority, uint16_t attr); - int32_t (*OSResumeThread)(void *thread); - int32_t (*OSIsThreadTerminated)(void * thread); - 
OSDynLoad_FindExport(coreinit_handle, 0, "memset", &p_memset); OSDynLoad_FindExport(coreinit_handle, 0, "_Exit", &_Exit); - OSDynLoad_FindExport(coreinit_handle, 0, "OSCreateThread", &OSCreateThread); - OSDynLoad_FindExport(coreinit_handle, 0, "OSResumeThread", &OSResumeThread); - OSDynLoad_FindExport(coreinit_handle, 0, "OSYieldThread", &OSYieldThread); - OSDynLoad_FindExport(coreinit_handle, 0, "OSIsThreadTerminated", &OSIsThreadTerminated); - OSDynLoad_FindExport(coreinit_handle, 0, "OSGetCoreId", &OSGetCoreId); private_data_t private_data; p_memset(&private_data, 0, sizeof(private_data_t)); @@ -90,38 +91,21 @@ void __main(void) { uint32_t gx2_handle = 0; OSDynLoad_Acquire("gx2.rpl", &gx2_handle); - + void (*GX2Shutdown)(void); void (*GX2Init)(void *arg); - int32_t (*GX2GetMainCoreId)(void); - OSDynLoad_FindExport(gx2_handle, 0, "GX2Init", &GX2Init); OSDynLoad_FindExport(gx2_handle, 0, "GX2Shutdown", &GX2Shutdown); - OSDynLoad_FindExport(gx2_handle, 0, "GX2GetMainCoreId", &GX2GetMainCoreId); - - - void * thread = private_data.MEMAllocFromDefaultHeapEx(0x1000, 0x100); - void * stack = private_data.MEMAllocFromDefaultHeapEx(0x1000, 0x100); - OSCreateThread(thread, GX2Shutdown, 0, NULL, stack + 0x1000, 0x1000, 0, (1 << GX2GetMainCoreId()) | 0x10); - OSResumeThread(thread); - - while(OSIsThreadTerminated(thread) == 0){ - OSYieldThread(); - } - - private_data.MEMFreeToDefaultHeap(thread); - private_data.MEMFreeToDefaultHeap(stack); - - doBrowserShutdown(coreinit_handle); - + GX2Init(NULL); - wait(coreinit_handle, 0x3FFFF); - - if(OSGetCoreId() != GX2GetMainCoreId()) OSFatal("GX Not switched!"); - run_kexploit(coreinit_handle); GX2Shutdown(); - + /* Do SYSLaunchMiiStudio to boot HBL */ + + void (*SYSLaunchMiiStudio)(void) = 0; + OSDynLoad_FindExport(sysapp_handle, 0, "SYSLaunchMiiStudio", &SYSLaunchMiiStudio); + SYSLaunchMiiStudio(); + InstallMain(&private_data); Elf32_Ehdr *ehdr = (Elf32_Ehdr *) private_data.data_elf; 
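Review bot: Every function pointer the new `__main` resolves is called without checking that `OSDynLoad_FindExport` actually filled it in; `SYSLaunchMiiStudio` is even initialised to 0 and then invoked unconditionally, so a missing export on a different firmware becomes a jump to address 0 instead of a diagnosable failure. The same applies to `VPADRead`, `_SYSGetSystemApplicationTitleId` and `_SYSLaunchTitleWithStdArgsInNoSplash`, and neither `OSDynLoad_Acquire` result is checked either; `OSForceFullRelaunch` and `OSSleepTicks` are resolved but not used anywhere in the visible lines. A minimal guard before the Mii Studio launch would be `if(!SYSLaunchMiiStudio) OSFatal("SYSLaunchMiiStudio not found");`, reusing the OSFatal the removed core-id check relied on. The hunk also drops the `OSGetCoreId() != GX2GetMainCoreId()` sanity check before `run_kexploit` with nothing in its place; if the exploit still presumes it runs on the GX2 main core, that should at least be stated in a comment. `__main` continues past the end of the hunk.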
@@ -160,8 +144,7 @@ void __main(void) { kern_write((void*)(KERN_SYSCALL_TBL_4 + (0x09 * 4)), (uint32_t) setIBAT0Addr); kern_write((void*)(KERN_SYSCALL_TBL_5 + (0x09 * 4)), (uint32_t) setIBAT0Addr); - void (*OSExitThread)(int); - OSDynLoad_FindExport(coreinit_handle, 0, "OSExitThread", &OSExitThread); + OSExitThread(0); } diff --git a/main_hook b/main_hook index c0db699..f4e393a 160000 --- a/main_hook +++ b/main_hook @@ -1 +1 @@ -Subproject commit c0db699b68763144496ae4111cf28a1be9c88743 +Subproject commit f4e393a885d2964dfa1e02efef53ece1ed68619d diff --git a/structs.h b/structs.h index b51e3ee..46e71b1 100644 --- a/structs.h +++ b/structs.h @@ -11,6 +11,7 @@ typedef struct { typedef struct { unsigned char *data_elf; unsigned int coreinit_handle; + unsigned long long sysmenuTitleID; /* function pointers */ void* (*memcpy)(void * dest, const void * src, int num); void* (*memset)(void * dest, unsigned int value, unsigned int bytes); 
@@ -27,7 +28,58 @@ typedef struct { int (*curl_easy_perform)(void *handle); void (*curl_easy_getinfo)(void *handle, unsigned int param, void *op); void (*curl_easy_cleanup)(void *handle); + + unsigned int (*OSScreenClearBufferEx)(unsigned int bufferNum, unsigned int temp); + unsigned int (*OSScreenFlipBuffersEx)(unsigned int bufferNum); + unsigned int (*OSScreenPutFontEx)(unsigned int bufferNum, unsigned int posX, unsigned int posY, const char * buffer); + } private_data_t; +typedef struct +{ + float x,y; +} Vec2D; + +typedef struct +{ + uint16_t x, y; /* Touch coordinates */ + uint16_t touched; /* 1 = Touched, 0 = Not touched */ + uint16_t invalid; /* 0 = All valid, 1 = X invalid, 2 = Y invalid, 3 = Both invalid? */ +} VPADTPData; + +typedef struct +{ + uint32_t btns_h; /* Held buttons */ + uint32_t btns_d; /* Buttons that are pressed at that instant */ + uint32_t btns_r; /* Released buttons */ + Vec2D lstick, rstick; /* Each contains 4-byte X and Y components */ + char unknown1c[0x52 - 0x1c]; /* Contains accelerometer and gyroscope data somewhere */ + VPADTPData tpdata; /* Normal touchscreen data */ + VPADTPData tpdata1; /* Modified touchscreen data 1 */ + VPADTPData tpdata2; /* Modified touchscreen data 2 */ + char unknown6a[0xa0 - 0x6a]; + uint8_t volume; + uint8_t battery; /* 0 to 6 */ + uint8_t unk_volume; /* One less than volume */ + char unknowna4[0xac - 0xa4]; +} VPADData; + +#define VPAD_BUTTON_A 0x8000 +#define VPAD_BUTTON_B 0x4000 +#define VPAD_BUTTON_X 0x2000 +#define VPAD_BUTTON_Y 0x1000 +#define VPAD_BUTTON_LEFT 0x0800 +#define VPAD_BUTTON_RIGHT 0x0400 +#define VPAD_BUTTON_UP 0x0200 +#define VPAD_BUTTON_DOWN 0x0100 +#define VPAD_BUTTON_ZL 0x0080 +#define VPAD_BUTTON_ZR 0x0040 +#define VPAD_BUTTON_L 0x0020 +#define VPAD_BUTTON_R 0x0010 +#define VPAD_BUTTON_PLUS 0x0008 +#define VPAD_BUTTON_MINUS 0x0004 +#define VPAD_BUTTON_HOME 0x0002 +#define VPAD_BUTTON_SYNC 0x0001 + #endif // STRUCTS_H
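Review bot: In the new `VPADData` layout the three `uint8_t` fields `volume`, `battery` and `unk_volume` occupy 0xa0–0xa2, so the trailing pad named `unknowna4` actually starts at 0xa3 and the struct only reaches 0xac through tail padding, which will mislead anyone who later adds a field "at 0xa4". Since launcher.c passes a stack-allocated `VPADData` to `VPADRead`, the size presumably has to match what the library writes, so it is worth pinning: rename the pad to `char unknowna3[0xac - 0xa3];` and add `_Static_assert(sizeof(VPADData) == 0xac, "VPADData layout");` after the typedef (if the toolchain is not built as C11, a negative-array-size check does the same job). The offsets before 0xa0 line up with the annotations as written.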