Hacking Add menu to yifanlu 3ds injector?

[ely42]

Hello guys!

I'm currently trying (i'm newbie to programming...) to add a menu feature to yifanlu (the Reisyukaku fork)
modified sysmodule "loader". I want to add a menu that show up when launching the notifications applet (or anything else) while pressing a given key. But here is my problem, while compiling the loader module with the ctrulib hid functions loader become bigger than it would be to be injected. And I don't succeed to write to frammebuffer...

So I want to know three things:
- firstly is there a way to read the hid register (I tried with pointers but didn't work...) without using the hid shared memory with libctru's functions ?

- secondly, if I have to use all the code provided by ctrulib, is there a way to load some code from sdmmc and then execute it? This way, loader could be of the right size and my menu code could be as big as a normal homebrew.

- thirdly, why can't I write to framebuffer? I think it's the right address...

Thank you in advance guys !

PS: English is not my first language, sorry if there is mistakes.

The code that I added in the patch_code() function (except the "#define" parts, that is where it had to be):

#define BUTTON_A      (1 << 0)
#define BUTTON_L     (1 << 9)
#define BUTTON_B      (1 << 1)
#define HID (~*(u32 *)0x10146000)


//want to run that code only if A and L are pressed
//u8 key = (HID & 0xFFF) == ((BUTTON_A | BUTTON_L) & 0xFFF) ? 1 : 0;
if((progid == 0x000400300000A002) /*&& key == 1*/) { //EUR notifications applet
    int cnt;
    u8 *framebuffer = ((u32 *)0x18000000 + 0x48F000); //vram addr for bottom framebuffer
    while(1) {
        //want to break and launch title when B is pressed
        //key = (HID & 0xFFF) == ((BUTTON_A | BUTTON_L) & 0xFFF) ? 1 : 0;
        for(cnt = 0; cnt < 0x38400; cnt++) {
            framebuffer[cnt] = 0xFF;
        }
    }
}

 

[Swiftloke]

Huh. A useful thread! Congrats!
To me it looks more like code was your first language I can't make heads or tails of this lmao

 

[ely42]

Sorry man, like I said, I'm newbie
Basically if the launched program is the notifications applet then it write black pixels to the bottom framebuffer. But that don't work, so it only show the normals two white screens forever...

 

[yifan_lu]

I don't think you can use most of ctrulib in injector. I don't think you can get framebuffer access either. What you need to do is reverse home menu, find out where the right places to patch are, and then write the patch in assembly and inject it.

 

[ely42]

Outch, I'm not cell9 :/ But I will try it, I want to do computer studies afterall...
Thank you yifanlu

 

[Billy Acuña]

Wow, amazing!!!!
Don't give up dude.
Hope this gets to be a NTR alternative.

 

[Deleted User]

 

[ely42]

Wow, amazing!!!!
Don't give up dude.
Hope this gets to be a NTR alternative.

I'm a beginner you know, I will try to do something but it will not be any sort of a cfw But it I'll learn a lot

 

[Swiftloke]

Sorry man, like I said, I'm newbie
Basically if the launched program is the notifications applet then it write black pixels to the bottom framebuffer. But that don't work, so it only show the normals two white screens forever...

Oh no no no! What meant was I can't code for shit and that your code seemed really good but I didn't know, it was supposed to be a compliment D:

--------------------- MERGED ---------------------------

This

 

[ely42]

Oh no no no! What meant was I can't code for shit and that your code seemed really good but I didn't know, it was supposed to be a compliment D:

--------------------- MERGED ---------------------------


This

Oh, sorry I didn't understood My bad :/

 

[fuyukaidesu]

You can't cram everything into loader, there's a ~50kB limit.
I think the best way to do that would be to do it a bit like NTR, inject your code into HomeMenu, so you can open processes when they are launched.
I don't know much more, there are still things that can go wrong with injecting.
Currently, I'm toying around with yifan_lu's loader with Luma3DS, I can load and run binary patches for any title from SD, but a problem I have is that patching a simple string works one out of two times, and having a bit more complicated patch cause the 3DS to hang when loading a title.

 

[chaoskagami]

You can't cram everything into loader, there's a ~50kB limit.

Technically, you CAN expand the sysmodule section.

I don't think you can use most of ctrulib in injector. I don't think you can get framebuffer access either. What you need to do is reverse home menu, find out where the right places to patch are, and then write the patch in assembly and inject it.

^ From the horse's mouth. In sysmodules, and especially loader, you have access to near nothing aside from svc calls, basic startup code, and some of string.h/memory.h.

 

[shinyquagsire23]

Technically, you CAN expand the sysmodule section.



^ From the horse's mouth. In sysmodules, and especially loader, you have access to near nothing aside from svc calls, basic startup code, and some of string.h/memory.h.

You have access to every service and granting yourself access to SVC 0x7B (and anything else from that) really isn't that hard...

 

[chaoskagami]

You have access to every service and granting yourself access to SVC 0x7B (and anything else from that) really isn't that hard...

Process injection is a joke from loader. As in, very easy. And access to all the svc calls kind of helps.

While you're here, would you happen to know if there's a way to use svcControlMemory to get a decent amount of scratch space for loader? The docs on 3dbrew are near incoherent on how it works, and reading through the initial heap code in ctrulib isn't helping me since it's in the application region, not base like loader (and evidently I'm already loading an application there.)

 

[Billy Acuña]

Just a quiestion
Does cell9 the only one who reversed the home menu or another one (with less extremist mind) find out?

 

[chaoskagami]

Just a quiestion
Does cell9 the only one who reversed the home menu or another one (with less extremist mind) find out?

The injection offsets are pretty much public due to BootNTR being open source, fyi. NTR doesn't do fancy memory searches. I mean, that's just the offsets though. Plus, I'm pretty sure all the documentation on the HOME menu wouldn't exist on 3dbrew if it hadn't been done.

I personally think decompiling altmenu is more interesting.

 

[Billy Acuña]

The injection offsets are pretty much public due to BootNTR being open source, fyi. NTR doesn't do fancy memory searches.

What? Is NTR's code now public? But cell9 said that he never was to public his code cause of pro/neutral-piracy devs.
That's very inusual :/

 

[chaoskagami]

What? Is NTR's code now public? But cell9 said that he never was to public his code cause of pro/neutral-piracy devs.
That's very inusual :/

No, just BootNTR. The thing that loads NTR. It sets up the offsets for NTR.bin and that's it. NTR is closed as always.

https://github.com/44670/BootNTR

 

[Billy Acuña]

No, just BootNTR. The thing that loads NTR. It sets up the offsets for NTR.bin and that's it. NTR is closed as always.

https://github.com/44670/BootNTR

Ohh, in fact we still need to reverse some fuctions of home menu to get a NTR open source alternative...

 

[chaoskagami]

Ohh, in fact we still need to reverse some fuctions of home menu to get a NTR open source alternative...

There's other ways to achieve NTR-like functionality than copying NTR. NTR has some design flaws anyways, IMO.