Toggle sidebar

Homebrew [Custom Launcher] Spider3DSTools released

  • Thread starter Thread starter Lord Prime
  • Start date Start date
  • Views Views 156,562
  • Replies Replies 748
  • Likes Likes 17
Slushie3DS said:
Wouldn't the virtual console still be there if you are not? I don't see why it wouldn't. Are you having problems initializing? I'm a bit lost.
Click to expand...
It's still unknown how the 3ds tells the VC to initiate the gba mode due this you can't just inject a gba Rom
 
Ok, so I've ran into a issue. The roms, even for NES, seem to not be fitting into the ram. It just crashes the browser. I'm going to upload source right now, and see what everyone thinks.

Code: 
/*
* uvloader.c - Userland Vita Loader entry point
* Copyright 2012 Yifan Lu
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*    http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
 
#define START_SECTION __attribute__ ((section (".text.start"), naked))
 
// make sure code is PIE
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif
 
int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;
 
int uvl_entry();
 
/********************************************//**
*  \brief Starting point from exploit
*
*  Call this from your exploit to run UVLoader.
*  It will first cache all loaded modules and
*  attempt to resolve its own NIDs which
*  should only depend on sceLibKernel.
*  \returns Zero on success, otherwise error
***********************************************/
 
int START_SECTION
uvl_start ()
{
    __asm__ volatile (".word 0xE1A00000");
    uvl_entry();
    __asm__ volatile ("bx lr");
}
 
/********************************************//**
*  \brief Entry point of UVLoader
*
*  \returns Zero on success, otherwise error
***********************************************/
int
uvl_entry ()
{
 
        int rom[4097] = {
//SNIP! No roms for you!
};
 
        unsigned int addr;
    void *this = 0x08F10000;
    int *written = 0x08F01000;
    int *buf = 0x18410000;
 
    int i;
 
    //IFile_Open(this, L"dmc:/mem-0xFFFF0000.bin", 6);
    svcSleepThread (0x400000LL);
                addr = 0x168002AD;
                GSPGPU_FlushDataCache(addr, 0x10000);
                GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
                GSPGPU_FlushDataCache(buf, 0x10000);
                for(i = 0; i < 4095; i++){
                buf[(i)] = rom[i + 1];
                //flashes mostly black screen on the bottom screen for a few frames, this is so i know the program is running and not frozen
                GSPGPU_FlushDataCache(0x18000000, 0x00038400);
                GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
                svcSleepThread(0x400000LL);
                GSPGPU_FlushDataCache(0x18000000, 0x00038400);
                GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
                svcSleepThread(0x400000LL);
                }
                GSPGPU_FlushDataCache(buf, 0x10000);
                GX_SetTextureCopy(buf ,addr, 0x10000, 0, 0, 0, 0, 8);
                GSPGPU_FlushDataCache(addr, 0x10000);
                svcSleepThread(0x400000LL);
    return 0;
}
 
 
 
/********************************************//**
*  \brief Exiting point for loaded application
*
*  This hooks on to exit() call and cleans up
*  after the application is unloaded.
*  \returns Zero on success, otherwise error
***********************************************/
int
uvl_exit (int status)
{
    return 0;
}
 
shutterbug2000 said:
Ok, so I've ran into a issue. The roms, even for NES, seem to not be fitting into the ram. It just crashes the browser. I'm going to upload source right now, and see what everyone thinks.

Code: 
/*
* uvloader.c - Userland Vita Loader entry point
* Copyright 2012 Yifan Lu
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*    http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
 
#define START_SECTION __attribute__ ((section (".text.start"), naked))
 
// make sure code is PIE
#ifndef __PIE__
#error "Must compile with -fPIE"
#endif
 
int(*IFile_Open)(void *this, const short *path, int flags) = 0x0022FE08;
int(*IFile_Write)(void *this, unsigned int *written, void *src, unsigned int len) = 0x00168764;
int (*GX_SetTextureCopy)(void *input_buffer, void *output_buffer, unsigned int size, int in_x, int in_y, int out_x, int out_y, int flags) = 0x0011DD48;
int (*GSPGPU_FlushDataCache)(void *addr, unsigned int len) = 0x00191504;
int (*svcSleepThread)(unsigned long long nanoseconds) = 0x0023FFE8;
 
int uvl_entry();
 
/********************************************//**
*  \brief Starting point from exploit
*
*  Call this from your exploit to run UVLoader.
*  It will first cache all loaded modules and
*  attempt to resolve its own NIDs which
*  should only depend on sceLibKernel.
*  \returns Zero on success, otherwise error
***********************************************/
 
int START_SECTION
uvl_start ()
{
    __asm__ volatile (".word 0xE1A00000");
    uvl_entry();
    __asm__ volatile ("bx lr");
}
 
/********************************************//**
*  \brief Entry point of UVLoader
*
*  \returns Zero on success, otherwise error
***********************************************/
int
uvl_entry ()
{
 
        int rom[4097] = {
//SNIP! No roms for you!
};
 
        unsigned int addr;
    void *this = 0x08F10000;
    int *written = 0x08F01000;
    int *buf = 0x18410000;
 
    int i;
 
    //IFile_Open(this, L"dmc:/mem-0xFFFF0000.bin", 6);
    svcSleepThread (0x400000LL);
                addr = 0x168002AD;
                GSPGPU_FlushDataCache(addr, 0x10000);
                GX_SetTextureCopy(addr, buf, 0x10000, 0, 0, 0, 0, 8);
                GSPGPU_FlushDataCache(buf, 0x10000);
                for(i = 0; i < 4095; i++){
                buf[(i)] = rom[i + 1];
                //flashes mostly black screen on the bottom screen for a few frames, this is so i know the program is running and not frozen
                GSPGPU_FlushDataCache(0x18000000, 0x00038400);
                GX_SetTextureCopy(0x18000000, 0x1F48F000, 0x00038400, 0, 0, 0, 0, 8);
                svcSleepThread(0x400000LL);
                GSPGPU_FlushDataCache(0x18000000, 0x00038400);
                GX_SetTextureCopy(0x18000000, 0x1F4C7800, 0x00038400, 0, 0, 0, 0, 8);
                svcSleepThread(0x400000LL);
                }
                GSPGPU_FlushDataCache(buf, 0x10000);
                GX_SetTextureCopy(buf ,addr, 0x10000, 0, 0, 0, 0, 8);
                GSPGPU_FlushDataCache(addr, 0x10000);
                svcSleepThread(0x400000LL);
    return 0;
}
 
 
 
/********************************************//**
*  \brief Exiting point for loaded application
*
*  This hooks on to exit() call and cleans up
*  after the application is unloaded.
*  \returns Zero on success, otherwise error
***********************************************/
int
uvl_exit (int status)
{
    return 0;
}
Click to expand...
It may be helpful to point out whee you're injecting the ROM, seeing as how that is the problem. I can't help much, but I'm sure others can.
 
shutterbug2000 said:
Ok, so I've ran into a issue. The roms, even for NES, seem to not be fitting into the ram. It just crashes the browser. I'm going to upload source right now, and see what everyone thinks.
Click to expand...

"int rom[4097] ="
4096 * 4 = 16384, // 16 KB
A rom is bigger than 16384 bytes...
For example Zelda Link DX is 1 MB -> 0x100000.

And from my own Zelda dump, the "rom:/agb.bin" is loaded @ 0x168002B0, not 0x168002AD.

gudenaurock said:
How where the addresses for GX_SetTextureCopy GSPGPU_FlushDataCache and svcSleepThread found? I need to find a couple other methods.
Click to expand...
Make a ram dump from 0x100000 - 0x400000, this is the ram address where the spider ".code" is loaded and then search them...
 
Beware when using ifile_read and ifile_write of a) address of function isn't the same address used for ROP because of the stack saving instruction skips and b) it's not reading/writing junk data at the start of your buffer.
 
Falo said:
"int rom[4097] ="
4096 * 4 = 16384, // 16 KB
A rom is bigger than 16384 bytes...
For example Zelda Link DX is 1 MB -> 0x100000.

And from my own Zelda dump, the "rom:/agb.bin" is loaded @ 0x168002B0, not 0x168002AD.


Make a ram dump from 0x100000 - 0x400000, this is the ram address where the spider ".code" is loaded and then search them...
Click to expand...

It just has the names in plain text?
 
gudenaurock said:
It just has the names in plain text?
Click to expand...
No but if you know what to look for then you can find them, use IDA pro.

Example:
nn::gxlow::CTR::Gpu::FlushDataCache(nn::Handle, unsigned int, unsigned int)
has command header 0x80082, just search for it and then you will find:

Code: 
ROM:0012C1E0 ; nn::gxlow::CTR::Gpu::FlushDataCache(nn::Handle, unsigned int, unsigned int)
ROM:0012C1E0 _ZN2nn5gxlow3CTR3Gpu14FlushDataCacheENS_6HandleEjj ; CODE XREF: sub_191500+2Cp
ROM:0012C1E0                STMFD          SP!, {R4-R6,LR}
ROM:0012C1E4                MRC            p15, 0, R4,c13,c0, 3
ROM:0012C1E8                LDR            R5, =0x80082
ROM:0012C1EC                MOV            R12, #0
ROM:0012C1F0                STR            R5, [R4,#0x80]!
ROM:0012C1F4                ADD            R6, R4, #4
ROM:0012C1F8                STR            R1, [R4,#0x10]
ROM:0012C1FC                STMIA          R6, {R2,R3,R12}
ROM:0012C200                LDR            R0, [R0]
ROM:0012C204                BL              _ZN2nn3svc15SendSyncRequestENS_6HandleE ; nn::svc::SendSyncRequest(nn::Handle)
ROM:0012C208                AND            R1, R0, #0x80000000
ROM:0012C20C                CMP            R1, #0
ROM:0012C210                LDRGE          R0, [R4,#4]
ROM:0012C214                LDMFD          SP!, {R4-R6,PC}
ROM:0012C214 ; End of function nn::gxlow::CTR::Gpu::FlushDataCache(nn::Handle,uint,uint)

this function gets called from sub_191500, GSPGPU_FlushDataCache is @ 0x00191504 -> found!
 
Falo said:
No but if you know what to look for then you can find them, use IDA pro.

Example:
nn::gxlow::CTR::Gpu::FlushDataCache(nn::Handle, unsigned int, unsigned int)
has command header 0x80082, just search for it and then you will find:

Code: 
ROM:0012C1E0 ; nn::gxlow::CTR::Gpu::FlushDataCache(nn::Handle, unsigned int, unsigned int)
ROM:0012C1E0 _ZN2nn5gxlow3CTR3Gpu14FlushDataCacheENS_6HandleEjj ; CODE XREF: sub_191500+2Cp
ROM:0012C1E0                STMFD          SP!, {R4-R6,LR}
ROM:0012C1E4                MRC            p15, 0, R4,c13,c0, 3
ROM:0012C1E8                LDR            R5, =0x80082
ROM:0012C1EC                MOV            R12, #0
ROM:0012C1F0                STR            R5, [R4,#0x80]!
ROM:0012C1F4                ADD            R6, R4, #4
ROM:0012C1F8                STR            R1, [R4,#0x10]
ROM:0012C1FC                STMIA          R6, {R2,R3,R12}
ROM:0012C200                LDR            R0, [R0]
ROM:0012C204                BL              _ZN2nn3svc15SendSyncRequestENS_6HandleE ; nn::svc::SendSyncRequest(nn::Handle)
ROM:0012C208                AND            R1, R0, #0x80000000
ROM:0012C20C                CMP            R1, #0
ROM:0012C210                LDRGE          R0, [R4,#4]
ROM:0012C214                LDMFD          SP!, {R4-R6,PC}
ROM:0012C214 ; End of function nn::gxlow::CTR::Gpu::FlushDataCache(nn::Handle,uint,uint)

this function gets called from sub_191500, GSPGPU_FlushDataCache is @ 0x00191504 -> found!
Click to expand...

One more question, how are the command headers found?
 
I plan to write a PC box editor for Pokemon XY/ORAS. Please continually bother me (via alerts or PMs) until I've released it or have further news.

In the future, I'll be needing help from people with international copies and possibly on different firmware versions! Please stay in touch with me or check this thread at least every week or so.

EDIT: The code SciresM posted searches for the PC data in RAM, nullifying any regional or FW differences.
 
  • Like
Reactions: jamieyello
Well, not sure what to do. My "rom" array, when really big, just simply crashes the browser when trying to create.

Code: 
int rom[393232];

This line is the issue. Any ideas? I'm using IFile_Read to buf, and then to that rom array.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Problems getting Homebrew to appear outside of the Homebrew Launcher (homebrew won't appear on the HOME menu)

Website for finding alternative games for 3DS

Hardware  2 Broken 3DSes, need help

Gaming  any good rpgs on 3ds?

Hacking  Modding Reassurance