Change how arguments are sent to the start method

reswitched · Dec 7, 2017 · 44c5637 · 44c5637
1 parent b8d1dc9
commit 44c5637
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/exploit/runNro.js b/exploit/runNro.js
@@ -103,7 +103,8 @@ module.exports = (res, args) => {
 			utils.log("closing sm and jumping...");
 			sc.svcCloseHandle(sc.smHandle).assertOk();
 			sc.smHandle = undefined;
-			utils.log("returned " + utils.paddr(sc.call(utils.add2(sc.svcNroBase, 0x80), [libtransistorContext])));
+			var handle = sc.svcGetThreadId().assertOk();
+			utils.log("returned " + utils.paddr(sc.call(utils.add2(sc.svcNroBase, 0x80), [0, handle, libtransistorContext])));
 
 			var logBufferAddr = [libtransistorContext[6], libtransistorContext[7]];
 			var logLengthAddr = [libtransistorContext[8], libtransistorContext[9]];

diff --git a/exploit/svc.js b/exploit/svc.js
@@ -103,6 +103,23 @@ svcMixin.svcCreateSharedMemory = function (size, permission1, permission2) {
 	return this.svcWithResult(0x50, [handleBuffer, size, permission1, permission2]).replaceValue(handleBuffer[0]);
 };
 
+/*
+  Usages:
+  svcGetThreadId()
+  svcGetThreadId(tid)
+*/
+svcMixin.svcGetThreadId = function (tid) {
+	if (tid === undefined) {
+		tid = 0xffff8000;
+	}
+
+	if (typeof (tid) === 'number') { tid = [tid, 0]; }
+	if (!Array.isArray(tid)) { throw new Error('invalid tid type'); }
+
+	var handleBuffer = new Uint32Array(2);
+	return this.svcWithResult(0x25, [handleBuffer, tid]).replaceValue([handleBuffer[0], handleBuffer[1]]);
+};
+
 /*
   Usages:
   svcMapSharedMemory(handle, size)