Homebrew [Release] Custom ROP loader HTML

[duke_srg]

Since Spider3DSTools have been recently released by yifan_lu I believe this html will be handy while debugging.
It eliminates the need of frame.html and browserify convertion. Just place LoadROP.dat with index.html on the server. LoadROP.dat must be 768 long or less (it will be padded with zeroes in JavaScript to run the exploit).

It is possible to specify ROP file name with HTTP GET parameter, like
http://dukesrg.no-ip.org/3ds/rop?MemoryDump.dat

It is also possible to patch filename or binary data inside ROP data
http://dukesrg.no-ip.org/3ds/rop?MemoryDump.dat&memdump.bin
in this case dmc:/memody.bin will be changed to dmc:/memdump.bin
The patching parameter may be one one of the following:
1. HEX (string with only 0-9,a-f,A-F characters used) - patch data bytes at offset 0x220 with this data
2. string (not HEX) - patch first filename found by "dmc:/" prefix (original string in ROP must be aligned to 2 bytes to be found)
3. HEX=HEX same as 1. but offset is specified before "="
4. HEX=string - patch string data bytes at offset specified before "=" character (offset will be alignet to 2 bytes)

ROP files available at the server:

Spoiler: MemoryDump

MemoryDump.dat
2nd string parameter substitutes default memory.bin

Spoiler: LoadROP

LoadROP.dat - for 1.7567 browser (fw 7.1+) E/J/U (C/K/T?) regions
LoadROP5.dat - for 1.7552 browser (fw 5.0-7.0) E/J/U (C/K/T?) regions
LoadROP4.dat - for 1.7498 browser (fw 4.x) E/J/U (C/K/T?) regions
2nd parameter substitutes default ROP.dat

Spoiler: LoadCode

LoadCode.dat - for 1.7567 browser (fw 7.1+) E/J/U (C/K/T?) regions
LoadCode5.dat - for 1.7552 browser (fw 5.0-7.0) E/J/U (C/K/T?) regions
LoadCode4.dat - for 1.7498 browser (fw 4.x) E/J/U (C/K/T?) regions
2nd string parameter substitutes default code.bin

Spoiler: RegionThree

RegionThree.dat - for 1.7567 browser (fw 7.1+) E/J/U (C/K/T?) regions
RegionThree5.dat - for 1.7552 browser (fw 5.0-7.0) E/J/U (C/K/T?) regions
RegionThree4.dat - for 1.7498 browser (fw 4.x) E/J/U (C/K/T?) regions
No parameters required

Spoiler: Gateway Launcher

GW17567.dat - for 1.7567 browser (fw 7.1+) E/J/U regions
GW17567C.dat - for 1.7567 browser (fw 7.1+) C region
GW17567K.dat - for 1.7567 browser (fw 7.1+) K region
GW17567T.dat - for 1.7567 browser (fw 7.1+) T region
GW17552.dat - for 1.7552 browser (fw 5.0-7.0) E/J/U regions
GW17552C.dat - for 1.7552 browser (fw 5.0-7.0) C region
GW17552K.dat - for 1.7552 browser (fw 5.0-7.0) K region
GW17552T.dat - for 1.7552 browser (fw 5.0-7.0) T region
GW17538K.dat - for 1.7538 browser (fw 4.x) K region
GW17538T.dat - for 1.7538 browser (fw 4.x) T region
GW17498.dat - for 1.7498 browser (fw 4.x) E/J/U (C/K/T?) regions
GW17455.dat - for 1.7455 browser (fw 2.1) E/J/U (C/K/T?) regions
GW17412.dat - for 1.7455 browser (fw 2.0) E/J/U (C/K/T?) regions
GW17567O.dat - for 1.7567 browser (fw 7.1+) E/J/U regions (old version)
GW17552O.dat - for 1.7552 browser (fw 5.0-7.0) E/J/U regions (old version)
GW17498O.dat - for 1.7498 browser (fw 4.x) E/J/U (C/K/T?) regions (old version)
GW17455O.dat - for 1.7455 browser (fw 2.1) E/J/U (C/K/T?) regions (old version)
GW17412O.dat - for 1.7455 browser (fw 2.0) E/J/U (C/K/T?) regions (old version)
2nd string parameter substitutes default Launcher.dat

Spoiler: DownloadCode

DownloadCode.dat - for 1.7567 browser (fw 7.1+) E/J/U (C/K/T?) regions
DownloadCode5.dat - for 1.7552 browser (fw 5.0-7.0) E/J/U (C/K/T?) regions
DownloadCode4.dat - for 1.7498 browser (fw 4.x) E/J/U (C/K/T?) regions
Special LoadCode version that requires code.bin data to be added to the end of the file and downloaded as one file with this ROP. 2nd parameter patches all ROP witn code.bin part.

Spoiler: Virtual Console ROM injector

VC.dat
GBCRomSwap by KazoWAR. DownloadCode based, i.e. have code.bin integrated and requires only GB/GBC rom file at SD card. 2nd parameter substitutes default rom.gbc, max filename with extension=25

Spoiler: Action Replay cheat code engine

arcode.dat
Based on [USER]KazoWAR[/USER] [Spider] ARCode, AR code patch offset is 0xE00, first 32-bit word is AR code lines count, then AR code data, macimum length is 27 lines. DownloadCode based, i.e. have code.bin integrated and do not require any files at SD card. Ex.: http://dukesrg.no-ip.org/3ds/rop?arcode.dat&E00=0100000076543210FEDCBA98 equals to AR cheat 01234567 89ABCDEF. For the ease just use 3DS online tools that allows copy-paste cheat code in common format is and get link or QR code

Spoiler: FCRAM dumper

memdump.dat
By KazoWAR [Spider] ARCode. 2nd parameter substitutes default FCRAM.bin, max filename with extension=10. DownloadCode based, i.e. have code.bin integrated and do not require any files at SD card. Ex.: http://dukesrg.no-ip.org/3ds/rop?memdump.dat&memdump.bin

Spoiler: Animal Crossing: New Leaf RAM editor

acnldump.dat - dump
acnlinjc.dat - inject
Based on Animal Crossing: New Leaf RAM editor. 2nd parameter substitutes default acnlram.bin. DownloadCode based, i.e. have code integrated and do not require acnldump.bin/acnlinjc.bin files at SD card

Spoiler: Spoof firmware

spoof.dat
Based on Spoof firmware by motezazer, DownloadCode based, i.e. have code.bin integrated and do not require any files at SD card. No parameters required

All those ROP chains proved to work on firmware 9.0-9.4 (the latest for the moment) if version is not noticed, but several may partly or fully working on 3DS browser version 1.7567 (i.e. firmware 7.1 and above). Can be easily launched on 3DS from 3DS Online Tools.
ROP chain sources is available at Spider3DSTools fork: https://github.com/dukesrg/Spider3DSTools

To do:
- multiple parameters

 

[duke_srg]

Changed default ROP filename to LoadROP.dat to avoid confusion. Implemented filename parameter substitution feature and also published html with ROPs on my site. Happy debugging!

 

[0xFFFF]

From the end-user point of view, what does this allows?

 

[duke_srg]

From the end-user point of view, what does this allows?

This is mostly for developers. Nothing worthy for users, at least for now.

 

[liomajor]

It would be brillant if this can allow to create xorpads on 9.2.0

 

[duke_srg]

It would be brillant if this can allow to create xorpads on 9.2.0

This will launch it if one of 3DS devs will make it

 

[duke_srg]

Added precompiled RegionThree.dat ROP file to load RegionThree without any additional files on SD. All credits to yifan_lu

 

[duke_srg]

GB/GBC VC injector ROP added

 

[Broadway]

Page not found or the web server is currently unavailable. Please contact the website administrator for help.

 

[duke_srg]

Page not found or the web server is currently unavailable. Please contact the website administrator for help.

Oops, sorry, it supposed to be http but not https, just fixed

 

[ProNiteBite]

I'm just really glad that this kind of stuff is more public now (I could have possibly taken it earlier, but it's easier with the HTML file in your hands), because several projects in the past are no longer available because the website they were hosted on were very secretive and didn't share any of the code. I'm glad that if anything fails, there will always be someone with a backup!

 

[duke_srg]

Updated VC injector -eliminated the need of custom code.bin and SD card file parameter pass
Added RegionThree ROP for firmware 4.x, based on smealum and yifanlu works

 

[duke_srg]

Optimized RegionThree ROP payloads and native Gateway Ultra ROP payloads added

 

[duke_srg]

Added LoadCode and LoadROP converted for firmware 4.x and 5.x/6.x (browser versions 1.7492 and 1.7552).
ROP.dat and code.bin must be for the same version, compiled for 9.x won't work!

 

[duke_srg]

Added Spider3DSTools fork link

 

[Raugo]

Hello, I,m trying to load the spider_rop_5x_6x.bin with the LoadCode5 but doesn't work I get the "An error has occured" message. I have the firmware 6.1. Does it work with this version?

 

[duke_srg]

Hello, I,m trying to load the spider_rop_5x_6x.bin with the LoadCode5 but doesn't work I get the "An error has occured" message. I have the firmware 6.1. Does it work with this version?

First, spider_rop is a ROP code, so LoadROP must be used. LoadCode is for ARM code. Second, it is already transferred to RegionThree5.dat, so no need to use another loader. Though 5/6 version was not tested, I just converted smea's version.

 

[Raugo]

I also tried to load the RegionThree5.dat but not work, gives the same error. Also I tried with LoadRop but neither worked. Can there be a problem with my version of firmware?

 

[duke_srg]

I also tried to load the RegionThree5.dat but not work, gives the same error. Also I tried with LoadRop but neither worked. Can there be a problem with my version of firmware?

Not sure for what version the original version 5x/6x was made by smea

 

[marc_max]

I have coded a simple universal VC loader HTML code where the user can specify the ROM name, and it seems it's working flawlessly :-)

<input type="text" value="romname.gbc" id="customvc" /> <input type="button" value="Accept" onclick="window.location='roploader.html?VC.dat&gbc/'+document.getElementById('customvc').value"/>