diff --git a/README.md b/README.md index 1a48bbe..56a416a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Summary When Home Menu is starting up, it can load theme-data from the home-menu theme SD extdata. The flaw can be triggered from here. The ROP starts running at roughly the same time the LCD backlight gets turned on. -Although this triggers during Home Menu boot, this can't cause any true bricks: just remove the *SD card if any booting issues ever occur(or delete/rename the theme-cache extdata directory). Note that this also applies when the ROP causes a crash, like when the ROP is for a different version of Home Menu(this can also happen if you boot into a nandimage which has a different Home Menu version, but still uses the exact same SD data). +Although this triggers during Home Menu boot, this can't cause any true bricks: just remove the *SD card if any booting issues ever occur(or delete/rename the theme-cache extdata directory). Note that this also applies when the ROP causes a crash, like when the ROP is for a different version of Home Menu(this can also happen if you boot into a nandimage which has a different Home Menu version, but still uses the exact same SD data). However, it seems that normally(?) Home Menu crashes with this just result in Home Menu displaying the usual error dialog for system-applet crashes. Since this is a theme exploit, a normal theme can't be used unless you build with the THEMEDATA_PATH option below(the ROP runs a good while after the theme is loaded). Due to how this hax works, the theme is really only usable for BGM(as described below). 
@@ -44,7 +44,7 @@ Build options: * "USE_PADCHECK=val" When set, at the very start of the menu ROP it will check if the current HID PAD state is set to the specified value. When they match, it continues the ROP, otherwise it returns to the homemenu code. This is done before writing to the framebuffers. * "GAMECARD_PADCHECK=val" Similar to USE_PADCHECK except for BOOTGAMECARD: the BOOTGAMECARD ROP only gets executed when the specified HID PAD state matches the current one. After writing to framebufs the ROP will delay 3 seconds, then run this PADCHECK ROP. * "EXITMENU=1" Terminate homemenu X seconds(see source) after getting code exec under the launched process. -* "ENABLE_LOADROPBIN=1" Load a homemenu ropbin then stack-pivot to it, see the Makefile HEAPBUF_ROPBIN_* values for the load-address. When LOADSDPAYLOAD isn't used, the binary is the one specified by CODEBINPAYLOAD, otherwise it's loaded from "sd:/menuhax_ropbinpayload.bin". The binary size should be <=0x8000-bytes. +* "ENABLE_LOADROPBIN=1" Load a homemenu ropbin then stack-pivot to it, see the Makefile HEAPBUF_ROPBIN_* values for the load-address. When LOADSDPAYLOAD isn't used, the binary is the one specified by CODEBINPAYLOAD, otherwise it's loaded from "sd:/menuhax_ropbinpayload.bin". The binary size should be <=0x10000-bytes. * "ENABLE_HBLAUNCHER=1" When used with ENABLE_LOADROPBIN, setup the additional data needed by the hblauncher payload. * "MENUROP_PATH={path}" Use the specified path for the "menurop" directory, instead of the default one which requires running generate_menurop_addrs.sh. To use the prebuilt menurop headers included with this repo, the following can be used: "MENUROP_PATH=menurop_prebuilt". * "THEMEDATA_PATH={*decompressed* regular theme body_LZ filepath}" Build hax with the specified theme, instead of using the "default theme" one. When Home Menu starts the actual rendering however, the gfx for the theme doesn't display properly due to the hax. 
BGM works fine, therefore this should only used for BGM-only themes(where the themedata header is all-zero except for the version and BGM fields). Also note that compression during building takes a *lot* longer with this. @@ -58,8 +58,6 @@ When built with ENABLE_LOADROPBIN=1, this can boot into the homebrew-launcher if With the release archive, you have to hold down the L button while Home Menu is booting(at the time the ROP checks for it), in order to boot into the hblauncher payload. Otherwise, Home Menu will boot like normal. -Even with the latest git builds, hblauncher still doesn't work quite right when the app requires booting into another process. It works fine when booting into a different process isn't needed however. - # Installation To install the exploit for booting hblauncher, you *must* use the themehax_installer app. You must already have a way to boot into the hblauncher payload for running this app(which can include themehax if it's already setup): http://3dbrew.org/wiki/Homebrew_Exploits The app requires an Internet connection for setting up the hblauncher payload. Once the app is booted, all you have to do is confirm that you want to install, the app will then auto detect + install everything. diff --git a/themedata_payload.s b/themedata_payload.s index 683e6e0..fe833a2 100644 --- a/themedata_payload.s +++ b/themedata_payload.s @@ -345,7 +345,7 @@ COND_THROWFATALERR CALLFUNC_NOSP IFile_Open, (HEAPBUF + (IFile_ctx - _start)), (HEAPBUF + (sdfile_ropbin_path - _start)), 1, 0 COND_THROWFATALERR -CALLFUNC_NOSP IFile_Read, (HEAPBUF + (IFile_ctx - _start)), (HEAPBUF + (tmp_scratchdata - _start)), ROPBIN_BUFADR, 0x8000 +CALLFUNC_NOSP IFile_Read, (HEAPBUF + (IFile_ctx - _start)), (HEAPBUF + (tmp_scratchdata - _start)), ROPBIN_BUFADR, 0x10000 COND_THROWFATALERR ROP_SETLR ROP_POPPC 
@@ -359,7 +359,6 @@ ROP_SETLR ROP_POPPC #endif #ifdef ENABLE_HBLAUNCHER -CALLFUNC_NOSP MEMCPY, ROPBIN_BUFADR+0x8000, ROPBIN_BUFADR, 0x8000, 0 @ ropbin backup CALLFUNC_NOSP MEMSET32_OTHER, ROPBIN_BUFADR - (0x800*2), 0x800, 0, 0 @ paramblk CALLFUNC_NOSP GSPGPU_FlushDataCache, ROPBIN_BUFADR - (0x800*2), 0x11000, 0, 0 diff --git a/themehax_installer/Makefile b/themehax_installer/Makefile index e7ba6f9..13989be 100644 --- a/themehax_installer/Makefile +++ b/themehax_installer/Makefile @@ -32,7 +32,7 @@ SOURCES := source DATA := data INCLUDES := include -APP_TITLE := themehax_installer v1.1 +APP_TITLE := themehax_installer v1.2 APP_DESCRIPTION := Tool for installing Home Menu themehax, requires an Internet connection. APP_AUTHOR := yellows8 diff --git a/themehax_installer/source/themehax_installer.c b/themehax_installer/source/themehax_installer.c index a569933..5234409 100644 --- a/themehax_installer/source/themehax_installer.c +++ b/themehax_installer/source/themehax_installer.c @@ -240,7 +240,7 @@ Result http_getactual_payloadurl(char *requrl, char *outurl, u32 outurl_maxsize) ret = httpcOpenContext(&context, requrl, 0); if(ret!=0)return ret; - ret = httpcAddRequestHeaderField(&context, "User-Agent", "themehax_installer/v1.1"); + ret = httpcAddRequestHeaderField(&context, "User-Agent", "themehax_installer/v1.2"); if(ret!=0) { httpcCloseContext(&context); @@ -271,7 +271,7 @@ Result http_download_payload(char *url) ret = httpcOpenContext(&context, url, 0); if(ret!=0)return ret; - ret = httpcAddRequestHeaderField(&context, "User-Agent", "themehax_installer/v1.0"); + ret = httpcAddRequestHeaderField(&context, "User-Agent", "themehax_installer/v1.2"); if(ret!=0) { httpcCloseContext(&context); @@ -471,7 +471,7 @@ Result install_themehax() return ret; } - memset(filebuffer, 0, 0xa000); + memset(filebuffer, 0, 0x1a000); printf("Downloading the actual payload with HTTP...\n"); ret = http_download_payload(payloadurl); if(ret!=0) 
@@ -488,8 +488,11 @@ Result install_themehax() return ret; } + memcpy(&filebuffer[0xa000], &filebuffer[payloadinfo[0]], payloadinfo[1]); + memcpy(&filebuffer[0xa000+0x8000], &filebuffer[0xa000], payloadinfo[1]); + printf("Patching the menuropbin...\n"); - ret = patchPayload((u32*)&filebuffer[payloadinfo[0]], 0x1, (u32)new3dsflag); + ret = patchPayload((u32*)&filebuffer[0xa000], 0x1, (u32)new3dsflag); if(ret!=0) { printf("Patching failed: 0x%08x.\n", (unsigned int)ret); @@ -498,14 +501,14 @@ Result install_themehax() printf("Writing the menuropbin to SD...\n"); unlink("sdmc:/menuhax_ropbinpayload.bin"); - ret = archive_writefile(SDArchive, "/menuhax_ropbinpayload.bin", &filebuffer[payloadinfo[0]], payloadinfo[1]); + ret = archive_writefile(SDArchive, "/menuhax_ropbinpayload.bin", &filebuffer[0xa000], 0x10000); if(ret!=0) { printf("Failed to write the menurop to the SD file: 0x%08x.\n", (unsigned int)ret); return ret; } - memset(filebuffer, 0, 0xa000); + memset(filebuffer, 0, 0x1a000); printf("Enabling persistent themecache...\n"); ret = menu_enablethemecache_persistent();
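Review bot: the added sentence in the README @@ -1,7 hunk ("it seems that normally(?) Home Menu crashes with this just result in...") leaves the behaviour hedged with a "(?)", which reads as an unresolved question in user-facing docs; either state what was observed ("in testing, a crash here produced the usual system-applet error dialog") or drop the sentence until it is confirmed. Also add the missing space before "(?)" and "(or delete/rename" to match the rest of the file.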
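Review bot: the README @@ -44,7 hunk raises the documented ropbin limit to 0x10000 bytes, but nothing in the ENABLE_LOADROPBIN or ENABLE_HBLAUNCHER bullets says how that space is laid out, while the installer hunks now write the payload at +0 and an identical copy at +0x8000 (the backup the ROP used to make itself). Document that layout here, e.g. "The file is 0x10000 bytes: the ropbin (<=0x8000) followed by a copy of it at +0x8000, used by ENABLE_HBLAUNCHER", so anyone producing a ropbin by hand instead of with themehax_installer knows the second half is required.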
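Review bot: in the themedata_payload.s @@ -345,7 hunk the IFile_Read size grows to 0x10000 at the same time the @@ -359,7 hunk drops the `MEMCPY, ROPBIN_BUFADR+0x8000, ROPBIN_BUFADR, 0x8000` backup, so the upper half of the buffer is now expected to arrive from "sd:/menuhax_ropbinpayload.bin" itself. An SD file written by the previous installer is only payloadinfo[1] bytes (at most 0x8000 under the old README limit), so on such a system the ENABLE_HBLAUNCHER path would run with whatever happened to be at ROPBIN_BUFADR+0x8000 unless COND_THROWFATALERR also rejects a short read, which the hunk does not show. Either keep a check on the returned read size or state in the README "Installation" section that installs made with v1.1 must be redone with the v1.2 installer.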
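Review bot: the themehax_installer.c @@ -271,7 hunk shows the User-Agent in http_download_payload had drifted to "v1.0" while http_getactual_payloadurl (@@ -240,7) said "v1.1", and the Makefile carries the version a third time in APP_TITLE. Define the string once, e.g. `#define THEMEHAX_UA "themehax_installer/v1.2"` near the top of the file (or pass a version macro from the Makefile through CFLAGS), and use it in both httpcAddRequestHeaderField calls so the next bump cannot miss one.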
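Review bot: the @@ -471,7 hunk changes `memset(filebuffer, 0, 0xa000)` to `memset(filebuffer, 0, 0x1a000)`, but the allocation of filebuffer is outside this diff. Confirm the buffer was actually grown to at least 0x1a000 bytes in the same change; as shown, the memset, the copies to 0xa000+0x8000 and the 0x10000-byte write all assume it, and a buffer still sized for the old 0xa000 clear would be overrun here before any download even starts.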
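Review bot: the two memcpy calls added in the @@ -488,8 hunk take payloadinfo[0] as an offset and payloadinfo[1] as a length with no bound visible in the hunk, while the destination layout only holds if payloadinfo[1] <= 0x8000 (otherwise the second copy at 0xa000+0x8000 overwrites the tail of the first and runs past the region the later write covers) and if payloadinfo[0] + payloadinfo[1] <= 0xa000 (otherwise source and destination overlap, which is undefined for memcpy). Unless these values are checked where payloadinfo is filled in, add before the copies something like `if(payloadinfo[1] > 0x8000 || payloadinfo[0] + payloadinfo[1] > 0xa000) { printf("Invalid payload offset/size.\n"); return -1; }`, and consider memmove for the first copy if the source region is not guaranteed to sit below 0xa000.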
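Review bot: in the @@ -498,14 hunk archive_writefile now writes a fixed 0x10000 bytes from &filebuffer[0xa000] instead of payloadinfo[1], which is what makes the zero padding and the duplicate at +0x8000 reach the SD file; add a short comment stating that the size deliberately matches the 0x10000 IFile_Read in themedata_payload.s and that the second half is the hblauncher backup copy, since a reader of this function alone would otherwise take the constant for a bug. The trailing `memset(filebuffer, 0, 0x1a000)` is then only needed to scrub the buffer before menu_enablethemecache_persistent(); say so in the same comment.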