@hax0kartik
Last active April 7, 2018 03:05
Code to get the pointers required for firmlaunchhax
#include <3ds.h>
#include <stdio.h>
#include "csvc.h"
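/*
 * Build the pointer this file uses to read the word at physical address
 * `addr`: the address value with bit 31 set.  The shift uses `1u` because
 * `1 << 31` does not fit in a 32-bit int and is undefined behaviour in C;
 * the resulting value is identical on the target.
 */
#define PA_PTR(addr) ((void *)((u32)(addr) | (1u << 31)))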
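/* Physical range walked by the KEY_B dump and the KEY_X pattern search (author's bounds). */
#define AXIWRAM_DUMP_START 0x1ff80000u
#define AXIWRAM_DUMP_END   0x20000004u

/*
 * Physical addresses the KEY_A scan compares translations against, and the
 * entries the KEY_X search overwrites.  Initial values and names are the
 * author's constants; nothing here is derived at build time.
 */
struct pa_targets {
    u32 fcram_pa;
    u32 hook1_pa;
    u32 hook2_pa;
    u32 pdn_regs_pa;
    u32 pxi_regs_pa;
    u32 return_pa;
    u32 exception_base;
    u32 kernel_set_state;
};

/*
 * Translate every 4-byte-aligned virtual address from `base` to the end of
 * the 32-bit address space with svcConvertVAToPA and print the VA at which
 * each target physical address in `t` is found.  Comparison order matches
 * the original chain, so a PA matching several targets reports the first.
 */
static void scan_kernel_va(u32 base, const struct pa_targets *t)
{
    printf("Started\n");
    u32 va = base;
    do {
        u32 phys = (u32)svcConvertVAToPA((void *)va, false);
        if (phys == t->fcram_pa) {
            printf("FCRAM found at VA %lX\n", va);
        } else if (phys == t->hook1_pa) {
            printf("Hook1 found at VA %lX\n", va);
        } else if (phys == t->hook2_pa) {
            printf("Hook2 found at VA %lX\n", va);
        } else if (phys == t->pdn_regs_pa) {
            printf("PDN_REGS_BASE found at VA %lX\n", va);
        } else if (phys == t->pxi_regs_pa) {
            printf("PXI_REGS_BASE found at VA %lX\n", va);
        } else if (phys == t->kernel_set_state) {
            printf("kernel_set_state found at VA %lX\n", va);
        } else if (phys == t->return_pa) {
            printf("Return PA found at VA %lX\n", va);
        } else if (phys == t->exception_base) {
            printf("Exception base found at VA %lX\n", va);
        }
        va += 4;
    } while (va != 0);  /* u32 wraps to 0 past 0xFFFFFFFC: end of address space */
    printf("done\n");
}

/*
 * Write the words at physical addresses [AXIWRAM_DUMP_START, AXIWRAM_DUMP_END)
 * to `path`.  Returns 0 on success, -1 if the file could not be opened,
 * fully written or closed; a message is printed in each failure case so the
 * dump is never silently truncated.
 */
static int dump_axiwram(const char *path)
{
    FILE *file = fopen(path, "wb+");
    if (file == NULL) {
        printf("failed to open %s\n", path);
        return -1;
    }
    int rc = 0;
    for (u32 pa = AXIWRAM_DUMP_START; pa != AXIWRAM_DUMP_END; pa += 4) {
        const u32 *word = PA_PTR(pa);
        if (fwrite(word, sizeof *word, 1, file) != 1) {
            printf("short write at PA %lX\n", pa);
            rc = -1;
            break;
        }
    }
    /* fclose flushes buffered data; a failure here means the file is incomplete. */
    if (fclose(file) != 0) {
        printf("failed to close %s\n", path);
        rc = -1;
    }
    return rc;
}

/*
 * Search the same physical range for the instruction-word sequences the
 * author identified and update the hook1/hook2/return/kernel_set_state
 * entries of `t`; exception_base is taken from translating VA 0xFFFF0000.
 * The resulting addresses are printed afterwards.
 */
static void find_hooks(struct pa_targets *t)
{
    printf("started\n");
    for (u32 pa = AXIWRAM_DUMP_START; pa != AXIWRAM_DUMP_END; pa += 4) {
        const u32 *w = PA_PTR(pa);
        /* NOTE(review): on the final iteration (pa == 0x20000000) w[0] — and
         * w[1..3] when the first word matches — lie past 0x1fffffff; confirm
         * that range is mapped before relying on it. */
        if (w[0] == 0xE28F0010) {
            t->hook2_pa = pa;
        }
        if (w[0] == 0xE3A00080 && w[1] == 0xE5810000 && w[3] == 0xE5901000) {
            t->hook1_pa = pa - 16;
            t->return_pa = pa - 8;
        }
        if (w[0] == 0xE1A00000 && w[2] == 0xE24DD014) {
            t->kernel_set_state = pa + 8;
        }
    }
    printf("hook1_pa : %lX\n", t->hook1_pa);
    printf("hook2_pa : %lX\n", t->hook2_pa);
    printf("hook1 return : %lX\n", t->return_pa);
    printf("svcKernelSetState : %lX\n", t->kernel_set_state);
    t->exception_base = (u32)svcConvertVAToPA((void *)0xFFFF0000, false);
    printf("Exception base: %lX\n", t->exception_base);
}

/*
 * Entry point.  Sets up the console, then loops on input:
 *   A     - scan kernel VAs for the target physical addresses
 *   B     - dump the physical range to "axiwram.dmp"
 *   X     - pattern-search the same range and print the addresses found
 *   START - exit
 * Earlier revisions also translated a fixed list of kernel VAs (0xE0000000,
 * 0xDFFE7A50, 0xDFFF4994, 0xFFFBE000, 0xFFF28A58, 0xDFFF4000, 0xFFFF0000)
 * one by one; all of them fall inside the range the KEY_A scan covers.
 */
int main(void)
{
    gfxInitDefault();
    consoleInit(GFX_TOP, NULL);
    printf("press A to search for offsets. Press B to dump axiwram\n");

    /* Sanity probe: translate one fixed VA and show its PA. */
    const u32 probe_va = 0x002F5d00;
    u32 *pa = svcConvertVAToPA((void *)probe_va, false);
    printf("VA %lx -> PA %p\n", probe_va, pa);

    struct pa_targets targets = {
        .fcram_pa = 0x20000000,
        .hook1_pa = 0x1ffe7a50,
        .hook2_pa = 0x1fff4994,
        .pdn_regs_pa = 0x10141000,
        .pxi_regs_pa = 0x10163000,
        .return_pa = 0x1ffe7a58,
        .exception_base = 0x1fff4000,
        .kernel_set_state = 0x1ff958f8,
    };
    const u32 base = 0xDFF00000;
    /* Newline added so the next message does not run onto this line. */
    printf("Running kernel: %lX\n", osGetFirmVersion());

    while (aptMainLoop()) {
        hidScanInput();
        if (keysDown() & KEY_A) {
            scan_kernel_va(base, &targets);
        }
        if (keysDown() & KEY_B) {
            printf("started\n");
            if (dump_axiwram("axiwram.dmp") == 0) {
                printf("done\n");
            }
        }
        if (keysDown() & KEY_X) {
            find_hooks(&targets);
        }
        if (keysDown() & KEY_START) {
            break;
        }
    }
    gfxExit();
    return 0;
}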