Gateway 3DS payload exploit code - enjoy!

a guest
Nov 2nd, 2014
  1. /* ************************************************************** */
  2.  
  3. void gw_entry2 (void)
  4. {
// ARM9-side entry of the payload as reconstructed on this page: zero the
// payload's scratch area, set the CPU mode and stack, reconfigure the CP15
// protection regions and caches, park the ARM9 exception vectors, then call
// sub_80F0B04 (var_80F0004). Control never comes back through this function.
  5.  
  6. // The payload keeps a 0x0420-byte data area at 0x080f7250; zero it first
  7. memset (0x080f7250, 0, 0x0420);
  8.  
  9. // CPSR = 0xdf: system mode with IRQ/FIQ disabled; stack pointer set to 0x080f0000
  10. set_cpsr (0xdf);
  11. sp = 0x080f0000;
  12.  
  13. // Define protection region 3 (c6,c3) as 0x10000000-0x18000000, the I/O space (per the original note)
  14. mcr (c6, c3, 0, 0x10000035);
  15.  
  16. // Enable region 4 (bit 0x10) in the data/instruction cacheable and write-buffer
// registers and give it read/write permission for everyone (bits 16-19 cleared, then 0b11 set)
  17. r0 = mrc (c2, c0, 0); // data cacheable bits
  18. r12 = mrc (c2, c0, 1); // instruction cacheable bits
  19. r1 = mrc (c3, c0, 0); // data write-buffer bits
  20. r2 = mrc (c5, c0, 2); // data access permissions
  21. r3 = mrc (c5, c0, 3); // instruction access permissions
  22. r2 & = 0xfff0ffff; // clear region 4 permission field
  23. r3 & = 0xfff0ffff; // clear region 4 permission field
  24. r2 | = 0x00030000; // region 4: all rw
  25. r3 | = 0x00030000; // region 4: all rw
  26. r0 | = 0x00000010; // region 4 data cacheable
  27. r12 | = 0x00000010; // region 4 instruction cacheable
  28. r1 | = 0x00000010; // region 4 write-bufferable
  29. mcr (c2, c0, 0, r0);
  30. mcr (c2, c0, 1, r12);
  31. mcr (c3, c0, 0, r1);
  32. mcr (c5, c0, 2, r2);
  33. mcr (c5, c0, 3, r3);
  34. // Define protection region 4 (c6,c4) as 0x18000000-0x20000000, the AXI space shared with the ARM11 kernel per the original note (that note called it "area 3", but the register written is c4)
  35. mcr (c6, c4, 0, 0x18000035); // 0x18000000-0x20000000
  36.  
  37.  
  38. // Enable cache and write buffer for region 5 (bit 0x20)
  39. r0 = mrc (c2, c0, 0);
  40. r1 = mrc (c2, c0, 1);
  41. r2 = mrc (c3, c0, 0);
  42. r0 | = 0x20;
  43. r1 | = 0x20;
  44. r2 | = 0x20;
  45. mcr (c2, c0, 0, r0);
  46. mcr (c2, c0, 1, r1);
  47. mcr (c3, c0, 0, r2);
  48.  
  49. // Point the ARM9 exception vectors at 0x080f03f8 (described as a spin loop in the original note);
// the trailing comments give the handler addresses that were there before
  50. * (U32 *) (0x08000004) = 0x080f03f8; // 08007b1c IRQ
  51. * (U32 *) (0x08000014) = 0x080f03f8; // 08007cdc SVC
  52. * (U32 *) (0x0800001c) = 0x080f03f8; // 08007fbc
  53. * (U32 *) (0x08000024) = 0x080f03f8; // 08007b18
  54. * (U32 *) (0x0800002c) = 0x080f03f8; // 08007b14
  55.  
  56. // Jump to the main routine; the argument is the page's var_80F0004
  57. sub_80F0B04 (var_80F0004);
  58.  
  59. }
  60.  
  61.  
  62. // The code running on arm11
  63. //
  64. / Void sub_80F04B8 (void)
  65. {
// Runs on each ARM11 core once the IRQ vector has been redirected by the ARM9
// (see sub_80F0B04). Each core publishes its own slot; when the other core has
// already done so, this core writes a completion marker and parks in a polling
// loop that calls whatever address the ARM9 later stores into the slot.
// Otherwise it returns to the original IRQ handler. (The paste garbles the
// function header; it reads as "void sub_80F04B8(void)".)
  66. CLREX (); // drop any exclusive-monitor reservation
  67. CPS (0x13); // enter SVC mode
  68.  
  69. r0 = mrc (c0, c0, 5);
  70. // Per the original note: cpu0 slot = fff3fb00
  71. // cpu1 slot = fff3fb80
  72. // r0 = this core's slot
  73. // r2 = the other core's slot
// (garbled ternary in the paste; reads as r0 = (r0 & 3) ? 0xfff3fb80 : 0xfff3fb00)
  74. r0 = (r0 & 3) 0xfff3fb80: 0xfff3fb00;?
  75. r2 = r0 ^ 0x80;
  76.  
  77. // Publish this core's slot address in its own slot and bump the counter at +4 so the other core can see it
  78. [R0] = r0;
  79. [R0 + 4] + = 1;
  80.  
  81. r1 = 0;
  82. mcr (c7, c14, 0); // clean and invalidate data cache
  83. mcr (c7, c10, 4); // data synchronization barrier
  84.  
  85. r3 = [r2];
  86. // If the other core has already published its slot address, or its completion marker
  87. if (r3 == r2 || r3 == 0xaabbccdd){
  88. [R0] = 0xaabbccdd; // publish this core's completion marker
  89. while (1) {
  90. // fffeff00 is the IRQ controller (per the original note)
  91. [0xfffeff00] = 0x000f0008;
  92. mcr (c7, c14, 0); // clean and invalidate data cache
  93. mcr (c7, c10, 4); // data synchronization barrier
  94. // Poll this core's slot: while it still holds the marker keep waiting; once the ARM9
// replaces it with a code address (sub_80F0B04 writes 0xfff82840), call that address
  95. r3 = [r0];
  96. if (r3! = 0xaabbccdd){
  97. (* R3) ();
  98. }
  99. }
  100. }
  101.  
  102. // Otherwise the other core has not reached this point yet:
  103. // switch to IRQ mode and hand off to the original IRQ handler
  104. CPS (0x12);
  105. _exc_irq_fff6263c ();
  106. }
  107.  
  108.  
  109. void sub_80F0B04 (u8 * param)
  110. {
// ARM9 main routine of the payload as reconstructed on this page. param points
// at a parameter block: [+0] the data offset into LAUNCHER.DAT, [+4] the first
// argument handed to the AES routine (presumably key material; the page does
// not say), and from +0x14 three 264-byte piece descriptors with [+0] load
// address, [+4] size and [+8] what the page calls the signature (0x100 bytes).
// Steps: redirect the ARM11 IRQ vector, wait for both ARM11 cores to park,
// quiesce DMA, mount the SD card, PXI handshake, load/verify/decrypt three
// pieces of LAUNCHER.DAT, then start the ARM11 and ARM9 FIRM entries.
// Does not return; every failure path spins forever or restarts from _try_again.
  111. var_10c = param;
  112. memset (var_5c, 0, 16);
  113. var_18 = 0;
  114.  
  115. _try_again:
  116.  
  117. // Copy the function sub_80F0498 (0xd0 bytes) to 0x1FFF4B40, which the ARM11
  118. // sees at virtual address ffff4b40 (the ARM11 routine shown above, sub_80F04B8, appears to be that code; unconfirmed)
  119. sub_80F6EE0 ();
  120. _flush_dcache_80F6ED0 ();
  121. // 0x1FFF4018 holds EA0002CE (a branch); patch it to jump to 0x1FFF4B40.
  122. // On the ARM11 this is virtual address ffff0018, the IRQ vector, so the
  123. // next IRQ on either core lands in the copied code.
  124. sub_80F6F04 ();
  125. _flush_dcache_80F6ED0 ();
  126.  
  127.  
  128. // Spin until both ARM11 cores have written the completion marker 0xaabbccdd into their slots
  129. while (1) {
  130. // 1ffdfb00 (ARM9 view) -> fff3fb00 (ARM11 view)
  131. // 1ffdfb80 -> fff3fb80
  132. _flush_dcache_single (0x1ffdfb00, 0x100);
  133. var_1c = * (u32 *) (0x1ffdfb00);
  134. var_20 = * (u32 *) (0x1ffdfb80);
  135. if (var_1c == 0xaabbccdd && var_20 == 0xaabbccdd)
  136. break;
  137. }
  138. // Both ARM11 cores are now parked in the polling loop of the copied code
  139.  
  140.  
  141. // Unknown PDN register (per the original note); written 0x02 then 0x03 with a delay between
  142. * (U8 *) (0x10141230) = 0x02;
  143. delay_80F0AB8 (10);
  144. * (U8 *) (0x10141230) = 0x03;
  145. delay_80F0AB8 (10);
  146.  
  147. // "Disable NDMA?" (original note): clear bit 31 of each of 8 registers at 0x1000201c + i*28
  148. var_14 = 0;
  149. while (var_14 <8) {
  150. r2 = var_14;
  151. r3 = r2;
  152. r3 << = 3; // r2 * 8
  153. r3 - = r2; // r2 * 7
  154. r3 << = 2; // r3 = var_14 * 28
  155.  
  156. r3 = 0x1000201c + var_14 * 28; // NDMA?
  157. r2 = r3;
  158. r3 = 0x1000201c + var_14 * 28;
  159. r3 = [r3];
  160. r3 & = 0x7fffffff;
// NOTE(review): as written this stores through the masked value rather than through r2
// (the register address saved above); likely a decompilation artifact, the intent reads as [r2] = r3
  161. [R3] = r3;
  162.  
  163. var_14 + = 1;
  164. }
  165.  
  166. // XDMA registers (per the original note)
  167. * (U32 *) (0x1000c020) = 0;
  168. * (U32 *) (0x1000c02c) = 0xffffffff;
  169.  
  170. // Hand both ARM11 cores a code address (0xfff82840): their polling loop calls
// whatever replaces the 0xaabbccdd marker in the slot
  171. * (U32 *) (0x1ffdfb00) = 0xfff82840;
  172. * (U32 *) (0x1ffdfb80) = 0xfff82840;
  173. _flush_dcache_80F6ED0 ();
  174.  
  175. // Initialize the SD card and FAT file system with IRQs off; if FAT init fails
// the whole sequence restarts from _try_again (with IRQs still disabled)
  176. var_18 = disable_irq_80F6EC8 ();
  177. _sdmmc_hw_init_80F24F4 ();
  178. _sdmmc_card_init_80F2644 ();
  179. r3 = _fatfs_init (& var_104);
  180. if (r3)
  181. goto _try_again;
  182.  
  183. // Restore the CPSR saved by disable_irq (re-enables interrupts)
  184. set_cpsr (var_18);
  185.  
  186. // PXI handshake with the ARM11; the protocol constants are not explained on this page.
// Receiving 0x00348e43 is treated as fatal (spin forever).
  187. while (1) {
  188. r0 = _pxi_recv_80F6B58 ();
  189. if (r0 == 0x00044836)
  190. break;
  191.  
  192. r0 = _pxi_recv_80F6B58 ();
  193. if (r0 == 0x00348e43)
  194. while (1);
  195. }
  196.  
  197. _pxi_send_80F6B68 (0x00964536);
  198. while (1) {
  199. r0 = _pxi_recv_80F6B58 ();
  200. if (r0 == 0x00044837)
  201. break;
  202. }
  203.  
  204. _pxi_recv_80F6B58 (); // two replies are read and discarded
  205. _pxi_recv_80F6B58 ();
  206.  
  207. while (1) {
  208. r0 = _pxi_recv_80F6B58 ();
  209. if (r0 == 0x00044846)
  210. break;
  211. }
  212.  
  213. // Open LAUNCHER.DAT and seek to the data offset stored at param[+0]
  214. var_24 = _fat_open_80F189C ("LAUNCHER.DAT");
  215.  
  216. r3 = var_10c;
  217. r3 = [r3]; // data offset
  218. var_28 = _fat_seek_80F1B34 (r3);
  219.  
  220. Loop // read the file
  221. // Starting at offset 0xE680 of LAUNCHER.DAT, three pieces of data (per the original note):
  222. // Load address 1: 0x1ff00000 length 0x00037a00
  223. // Load address 2: 0x1ff80000 length 0x0002f000
  224. // Load address 3: 0x08006800 length 0x00087a00
  225. // The original note says "AES decrypt first, then RSA-SHA256 check", but the code below
// hashes and signature-checks each piece as loaded and only then AES-decrypts it in place.
  226. var_c = 0;
  227. while (var_c <3) {
  228. r3 = var_C * 264 + 0x14; // descriptor i: 264 bytes each, starting at param+0x14
  229. r3 + = var_10c;
  230. var_2c = r3; // descriptor: [+0] dest, [+4] size, [+8] signature
  231.  
  232. var_60 = 0;
  233. var_10 = 0;
// Read into dest in chunks of at most 0x4000 bytes. Note that a read returning 0 bytes
// never advances var_10, so a truncated file leaves this loop spinning.
  234. while ([var_2c + 4]> var_10) {
  235. r2 = [var_2c + 0]; // dest
  236. r1 = var_10 + r2;
  237. r2 = [var_2c + 4]; // size
  238. r3 = r2-var_10;
  239. if (r3> 0x4000)
  240. r3 = 0x4000;
  241. r2 = r3 & 0xffff;
  242.  
  243. // Fat_read (u8 * buf, int size, int * read_size);
  244. _fat_read_80F1970 (r1, r2, & var_60);
  245. var_10 + = var_60;
  246. }
  247.  
  248. if ([var_2c + 4]! = var_10) // total read does not match the declared size: spin forever
  249. while (1);
  250.  
  251. // SHA-256 over the piece exactly as loaded (before the in-place AES step below)
  252. _sha256_init_80F29B4 (& var_c8);
  253. r2 = [var_2c + 0]; // dest
  254. r3 = [var_2c + 4]; // size
  255. _sha256_update (& var_c8, r2, r3);
  256. _sha256_final (& var_c8, & var_4c);
  257.  
  258. // Verify the 0x100-byte signature at descriptor+8 against the digest; a zero result spins forever
  259. r0 = sub_80F2174 (var_2c + 8, 0x100, & var_4c);
  260. if (r0 == 0)
  261. while (1);
  262.  
  263. _memset_80F6E1C (var_D8, 0, 0x10); // zero a 16-byte buffer (its role is not stated on the page)
  264. _memset_80F6E1C (var_5C, 0, 0x10); // zero the 16-byte buffer passed to the AES routine (presumably an IV/counter; unconfirmed)
  265.  
// In place: source and destination are both the piece's load address
  266. _aes_decrypt_80F0AD4 (var_10c + 4, & var_5c, [var_2c + 0], [var_2c + 0], [var_2c + 4]);
  267.  
  268. var_c + = 1;
  269. }
  270.  
  271.  
  272. // ARM11 FIRM entry (per the original note)
  273. [0x1ffffffc] = 0x1ffab034;
  274.  
  275. _flush_dcache_80F6ED0 ();
  276. _flush_icache_80F6EFC ();
  277. sub_80F6EB8 ();
  278.  
  279. // IRQ controller registers (per the original note)
  280. [0x10001000] = 0;
  281. [0x10001004] = 0xffffffff;
  282. // CONFIG
  283. [0x10000010] .b = 0x0c;
  284. // NTRCARD
  285. [0x10164000] .h = 0;
  286. [0x10164004] = 0;
  287. // CTRCARD
  288. [0x10004000] = 0;
  289. [0x10005000] = 0;
  290. // IRQ
  291. [0x10001004] = 0xffffffff;
  292.  
  293. // Unknown PDN register (per the original note); written 0x0001007e then 0x0001007f with a delay between
  294. [0x10141200] = 0x0001007e;
  295. _delay_80F0AB8 (10);
  296. [0x10141200] = 0x0001007f;
  297. _delay_80F0AB8 (10);
  298.  
  299. // Finally, jump to the ARM9 FIRM entry (original note: "final gw jump to your code")
  300. // ARM9 FIRM entry
  301. (* 0x0801b01c) ();
  302. }