Add menu to yifanlu 3ds injector?

Discussion in '3DS - Flashcards & Custom Firmwares' started by ely42, Jun 5, 2016.

  1. ely42 (OP)

    Hello guys!

    I'm currently trying (I'm a newbie to programming...) to add a menu feature to yifanlu's (the Reisyukaku fork)
    modified sysmodule "loader". I want to add a menu that shows up when launching the notifications applet (or anything else) while pressing a given key. But here is my problem: while compiling the loader module with the ctrulib hid functions, loader becomes bigger than it can be to be injected. And I don't succeed in writing to the framebuffer...

    So I want to know three things:
    - firstly, is there a way to read the HID register (I tried with pointers but it didn't work...) without using the HID shared memory with libctru's functions?

    - secondly, if I have to use all the code provided by ctrulib, is there a way to load some code from sdmmc and then execute it? This way, loader could be the right size and my menu code could be as big as a normal homebrew.

    - thirdly, why can't I write to the framebuffer? I think it's the right address...

    Thank you in advance guys! :)

    PS: English is not my first language, sorry if there are mistakes.

    The code that I added in the patch_code() function (except the "#define" parts, which are where they had to be):
    Code:
    #define BUTTON_A      (1 << 0)
    #define BUTTON_B      (1 << 1)
    #define BUTTON_L      (1 << 9)
    // HID_PAD register: active-low (a cleared bit means the button is held),
    // inverted here so that a set bit means "pressed". 0x10146000 is the
    // physical MMIO address; a plain dereference only works if that page is
    // mapped into the process doing the read.
    #define HID (~*(volatile u32 *)0x10146000)

    //want to run that code only if A and L are pressed
    //u8 key = (HID & 0xFFF) == ((BUTTON_A | BUTTON_L) & 0xFFF) ? 1 : 0;
    if((progid == 0x000400300000A002) /*&& key == 1*/) { //EUR notifications applet
        int cnt;
        // bottom framebuffer in VRAM: 0x18000000 + 0x48F000 = 0x1848F000.
        // The offset has to be added in bytes; adding it to a u32 * would
        // scale it by sizeof(u32) and land far outside VRAM.
        u8 *framebuffer = (u8 *)(0x18000000 + 0x48F000);
        while(1) {
            //want to break and launch title when B is pressed
            //key = (HID & 0xFFF) == ((BUTTON_A | BUTTON_L) & 0xFFF) ? 1 : 0;
            // 320 x 240 pixels x 3 bytes (BGR8) = 0x38400 bytes; 0x00 = black
            for(cnt = 0; cnt < 0x38400; cnt++) {
                framebuffer[cnt] = 0x00;
            }
        }
    }


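An added example (not code from the thread, the loader fork or ctrulib) that works through two details of the posted snippet: decoding the active-low HID_PAD value into a "pressed" mask, and the bottom-framebuffer address, where the posted `(u32 *)0x18000000 + 0x48F000` scales the offset by four. The register values are constructed inputs rather than reads of 0x10146000, and `menu_loop_exit_index` is a hypothetical stand-in for the commented-out "break when B is pressed" logic.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint8_t  u8;
typedef uint32_t u32;

/* Button bits of the 3DS HID_PAD register, same layout as the OP's defines. */
#define BUTTON_A (1u << 0)
#define BUTTON_B (1u << 1)
#define BUTTON_L (1u << 9)
#define PAD_MASK 0xFFFu   /* the 12 button bits the OP compares against */

/* HID_PAD is active-low: a cleared bit means the button is held. The raw
 * value is a constructed parameter, not a hardware read, so the decode can
 * be exercised on any machine. Returns a "1 = held" mask. */
u32 hid_pressed_mask(u32 raw_pad)
{
    return (~raw_pad) & PAD_MASK;
}

/* A and L held, other buttons ignored (the usual combo test). */
int hid_a_and_l_held(u32 raw_pad)
{
    const u32 want = BUTTON_A | BUTTON_L;
    return (hid_pressed_mask(raw_pad) & want) == want;
}

/* The OP's stricter test: A and L held and nothing else. */
int hid_exactly_a_and_l(u32 raw_pad)
{
    return hid_pressed_mask(raw_pad) == (BUTTON_A | BUTTON_L);
}

/* Hypothetical helper for the commented-out "break when B is pressed":
 * walks constructed samples and returns the index where B is first held,
 * or -1 if it never is. */
int menu_loop_exit_index(const u32 *samples, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (hid_pressed_mask(samples[i]) & BUTTON_B) return (int)i;
    return -1;
}

/* Bottom screen: 320 x 240 pixels x 3 bytes (BGR8) = 0x38400 bytes, the
 * bound used by the OP's fill loop. */
#define BOTTOM_FB_BYTES (320u * 240u * 3u)
#define VRAM_BASE       0x18000000u
#define BOTTOM_FB_OFF   0x48F000u

/* ((u32 *)VRAM_BASE + BOTTOM_FB_OFF) advances a u32 pointer by BOTTOM_FB_OFF
 * elements, i.e. 4 * BOTTOM_FB_OFF bytes; the intended form adds bytes. */
uintptr_t fb_addr_as_posted(void) { return VRAM_BASE + BOTTOM_FB_OFF * sizeof(u32); }
uintptr_t fb_addr_intended(void)  { return VRAM_BASE + BOTTOM_FB_OFF; }
```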

  2. Swiftloke

    Huh. A useful thread! Congrats!
    To me it looks more like code was your first language; I can't make heads or tails of this lmao
     
  3. ely42 (OP)

    Sorry man, like I said, I'm a newbie :(
    Basically, if the launched program is the notifications applet then it writes black pixels to the bottom framebuffer. But that doesn't work, so it only shows the normal two white screens forever...
     
  4. yifan_lu (@yifanlu)

    I don't think you can use most of ctrulib in injector. I don't think you can get framebuffer access either. What you need to do is reverse home menu, find out where the right places to patch are, and then write the patch in assembly and inject it.
     
  5. ely42 (OP)

    Ouch, I'm not cell9 :/ But I will try it, I want to do computer studies after all... :)
    Thank you yifanlu :)
     
  6. Billy Acuña

    Wow, amazing!!!!
    Don't give up dude.
    Hope this gets to be a NTR alternative.
     
  7. Deck of Noobs

    3ds.guide
  8. ely42 (OP)

    I'm a beginner you know, I will try to do something but it will not be any sort of CFW :( But I'll learn a lot :)
     
  9. Swiftloke

    Oh no no no! What I meant was I can't code for shit and that your code seemed really good but I didn't know, it was supposed to be a compliment D:
    This
     
  10. ely42 (OP)

    Oh, sorry I didn't understand :wacko: My bad :/
     
  11. fuyukaidesu

    You can't cram everything into loader, there's a ~50kB limit.
    I think the best way to do that would be to do it a bit like NTR, inject your code into HomeMenu, so you can open processes when they are launched.
    I don't know much more, there are still things that can go wrong with injecting.
    Currently, I'm toying around with yifan_lu's loader with Luma3DS. I can load and run binary patches for any title from SD, but a problem I have is that patching a simple string works one out of two times, and having a bit more complicated patch causes the 3DS to hang when loading a title.
     
  12. chaoskagami

    Technically, you CAN expand the sysmodule section.

    ^ From the horse's mouth. In sysmodules, and especially loader, you have access to near nothing aside from svc calls, basic startup code, and some of string.h/memory.h.
     
  13. shinyquagsire23

    You have access to every service and granting yourself access to SVC 0x7B (and anything else from that) really isn't that hard...
     
  14. chaoskagami

    Process injection is a joke from loader. As in, very easy. And access to all the svc calls kind of helps.

    While you're here, would you happen to know if there's a way to use svcControlMemory to get a decent amount of scratch space for loader? The docs on 3dbrew are near incoherent on how it works, and reading through the initial heap code in ctrulib isn't helping me since it's in the application region, not base like loader (and evidently I'm already loading an application there.)
     
    Last edited by chaoskagami, Jun 8, 2016
  15. Billy Acuña

    Just a question
    Is cell9 the only one who reversed the home menu, or did someone else (with a less extremist mind) find out?
     
  16. chaoskagami

    The injection offsets are pretty much public due to BootNTR being open source, fyi. NTR doesn't do fancy memory searches. I mean, that's just the offsets though. Plus, I'm pretty sure all the documentation on the HOME menu wouldn't exist on 3dbrew if it hadn't been done.

    I personally think decompiling altmenu is more interesting.
     
    Last edited by chaoskagami, Jun 8, 2016
  17. Billy Acuña

    What? Is NTR's code now public? But cell9 said that he would never publish his code because of pro/neutral-piracy devs.
    That's very unusual :/
     
  18. chaoskagami

    No, just BootNTR. The thing that loads NTR. It sets up the offsets for NTR.bin and that's it. NTR is closed as always.

    https://github.com/44670/BootNTR
     
  19. Billy Acuña

    Ohh, in fact we still need to reverse some functions of home menu to get an NTR open source alternative... :(
     
  20. chaoskagami

    There's other ways to achieve NTR-like functionality than copying NTR. NTR has some design flaws anyways, IMO.
     