@SciresM
SciresM / Loader_1_0_0.idc
Created April 25, 2018 23:18
IDCs for the Nintendo Switch's "Loader" sysmodule.
#define UNLOADED_FILE 1
#include <idc.idc>
static main(void)
{
    // set 'loading idc file' mode
    set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
    GenInfo(); // various settings
    Segments(); // segmentation
    Enums(); // enumerations
There'll be two stages in the core fusee payload, loading configuration from a shared ini file (https://en.wikipedia.org/wiki/INI_file).
- Stage 1 will be the actual exploit payload, and it will be fairly minimal:
  - It will initialize DRAM, and initialize the display.
  - It will load a filename and address for stage 2, loading stage 2 into DRAM and jumping to it.
- Stage 2 will be a "loader" -- it will be responsible for loading everything else into place prior to boot.
  - Stage 2 will be able to load arbitrarily many files to arbitrary load addresses off of the SD card.
  - Stage 2 will get a list of files to load from a "loadlist" key, with loadables delimited by "|" in the value.
  - For each loadable, a _path and _addr key will be used to identify a filename and where to load it to.
{
    "name" : "boot2.ProdBoot",
    "title_id" : "0x0100000000000008",
    "title_id_range_min" : "0x0100000000000008",
    "title_id_range_max" : "0x0100000000000008",
    "main_thread_stack_size" : "0x4000",
    "main_thread_priority" : 48,
    "default_cpu_id" : 3,
    "process_category" : 0,
    "pool_partition" : 2,
@SciresM
SciresM / quest_enc_set.py
Created May 30, 2018 04:52
Encounter Set printer for Pokemon Quest
def print_set(p):
    ind_lvl = 0
    def printf(s, lvl = ind_lvl):
        s = '%s%s' % (' ' * ind_lvl, s)
        print s
        try:
            outf.write('%s\n' % s)
        except:
            pass
    printf('Pack: %s' % p)
0xbc100: ; save start
    mov x19, x0
    mov x0, #0xC0000000
    adrp x1, #0x15000
    ldr x1, [x1, #0x730]
    ldr x1, [x1]
    add x0, x1, x0
    adrp x1, #0x15000
    ldr x1, [x1, #0x668]
    ldr x1, [x1]
#include <string.h>
#include <stdio.h>
#include <switch.h>
static Handle g_port;
static uint64_t g_procID;
#define MODULE_HBL 111
@SciresM
SciresM / nisasyst.py
Last active February 23, 2019 02:29
Script for decrypting Splatoon 2 resources.
import sys, os, struct, zlib
from Crypto.Cipher import AES
def u32(x):
    return (x & 0xFFFFFFFF)
KEY_MATERIAL = 'e413645fa69cafe34a76192843e48cbd691d1f9fba87e8a23d40e02ce13b0d534d10301576f31bc70b763a60cf07149cfca50e2a6b3955b98f26ca84a5844a8aeca7318f8d7dba406af4e45c4806fa4d7b736d51cceaaf0e96f657bb3a8af9b175d51b9bddc1ed475677260f33c41ddbc1ee30b46c4df1b24a25cf7cb6019794'
class sead_rand:
    '''Implements Splatoon 2's mersenne random generator.'''
@SciresM
SciresM / CMAC.py
Last active September 9, 2022 04:55
Script to decrypt/re-encrypt (resign) Splatoon 2 save files.
# -*- coding: utf-8 -*-
#
# Hash/CMAC.py - Implements the CMAC algorithm
#
# ===================================================================
# The contents of this file are dedicated to the public domain. To
# the extent that dedication to the public domain is not available,
# everyone is granted a worldwide, perpetual, royalty-free,
# non-exclusive license to exercise all rights associated with the
# contents of this file for any purpose whatsoever.
from struct import unpack as up
import sys, os, hashlib
import zstandard as zstd
dirs, files = None, None
def read_at(fp, off, len):
    fp.seek(off)
    return fp.read(len)
@SciresM
SciresM / nx_bootloader_uncompress.c
Last active December 27, 2019 10:43
Quick and dirty NX bootloader uncompression code for 6.2.0+
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
typedef uint32_t u32;
typedef uint8_t u8;