
@mitchellmebane
Last active May 8, 2016 22:55
<?php
/**
 * Config hook for URL-parameter handling.
 *
 * Assigns fixed values to the two selector globals. $ropchainparam (which
 * comes from the "rop" URL parameter) is bound here but not consulted; a site
 * may optionally branch on it when choosing the values.
 */
function browserhaxcfg_handle_urlparams()
{
    global $ropchainparam, $ropchainselect, $arm11code_loadfromsd;

    // Value 2: download webkithax_tmp.bin over http.
    $arm11code_loadfromsd = 2;
    $ropchainselect = 2;
}
/**
 * Main config init hook.
 *
 * As written it only binds the two selector globals and assigns nothing;
 * a site fills in $ropchainselect and $arm11code_loadfromsd here.
 */
function browserhaxcfg_handledefault()
{
global $ropchainselect, $arm11code_loadfromsd;
// Intentionally empty: initialize $ropchainselect and $arm11code_loadfromsd here if defaults are wanted.
}
/**
 * Value of the "getbin" URL parameter that maps to $getbinselect value 3.
 *
 * browserhaxcfg_parsebinparam() compares the request value against it, and
 * the ROP generation code in 3dsbrowserhax_common.php uses the same value when
 * building the arm11code payload URL ($arm11code_loadfromsd value 2).
 *
 * NOTE(review): this literal is published together with the config, so it
 * acts as a selector rather than a secret; do not rely on it for access
 * control.
 *
 * @return string
 */
function browserhaxcfg_getbinparam_type3()
{
    $getbinValue = "l792U0bD";
    return $getbinValue;
}
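/**
 * Map the "getbin" URL parameter onto $getbinselect.
 *
 * Reads the global $getbinparam and sets the global $getbinselect to 3 when
 * it equals the value returned by browserhaxcfg_getbinparam_type3(). Any
 * other value leaves $getbinselect untouched.
 */
function browserhaxcfg_parsebinparam()
{
    global $getbinparam, $getbinselect;

    // Strict comparison: the parameter is request-controlled, so PHP's loose
    // "==" type juggling (non-string values matching a string) is avoided.
    if ($getbinparam === browserhaxcfg_getbinparam_type3()) {
        $getbinselect = 3; // 3dsbrowserhax_common.php only uses $getbinselect value 3 currently.
    }
}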
/**
 * Path of the binary that 3dsbrowserhax_common.php loads itself when a file
 * is requested through the "getbin" URL parameter with $getbinselect set to 3
 * (see browserhaxcfg_parsebinparam).
 *
 * The path is fixed relative to this file's directory; nothing from the
 * request is part of it.
 *
 * @return string
 */
function browserhaxcfg_getbinpath_val3()
{
    $baseDir = realpath(dirname(__FILE__));
    $relative = "/payloads/webkithax_tmp.bin";
    return $baseDir . $relative;
}
/**
 * Path of the arm11code file that 3dsbrowserhax_common.php loads itself and
 * embeds in the ROP when $arm11code_loadfromsd == 0.
 *
 * The returned literal is a placeholder to be replaced by the site operator.
 *
 * @return string
 */
function browserhaxcfg_getbinpath_ropchain2()
{
    $placeholderPath = "<somefilepath>";
    return $placeholderPath;
}
?>
<?php
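// Entry point: translate the "version" request parameter into a payload file
// under payloads/ropbin/ and send it to the client as a download.

// Accept only a plain string; an array-valued parameter (version[]=...) would
// otherwise reach explode() inside splitVersionString().
$version = '';
if (isset($_REQUEST['version']) && is_string($_REQUEST['version']))
{
    $version = $_REQUEST['version'];
}

// Pad to the six fields the helpers index ($v[0]..$v[5]) so that a short or
// empty version string does not raise undefined-offset warnings, which can
// expose server paths when error display is enabled. A null field compares
// the same way a missing one did.
$v = array_pad(splitVersionString($version), 6, null);

// The file name is assembled only from fixed strings returned by
// getFirmVersion/getRegion/getMenuVersion/getMsetVersion, so request text
// never reaches the path or the Content-Disposition header verbatim.
$ropbinPayloadFileName = getFilenameFromVersion($v);
$path = realpath(dirname(__FILE__)) . '/payloads/ropbin/' . $ropbinPayloadFileName . '.bin';

// Check first so a missing file does not make file_get_contents() emit a
// warning that includes the absolute path.
$con = is_file($path) ? file_get_contents($path) : false;
if ($con === false)
{
    // Keep the absolute path in the server log only; the client gets a
    // generic message and a proper error status instead of a 200.
    error_log("get_ropbin_payload: cannot read $path");
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "Failed to open binary on the server.";
}
else
{
    header('Content-Disposition: attachment; filename="' . $ropbinPayloadFileName . '.bin"');
    header('Content-Type: application/octet-stream');
    echo $con;
}
exit;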
//////////////////////////////////////////////////////
/**
 * Translate the region field of a split version string into its one-letter code.
 *
 * @param array $v Fields of the version string; index 5 holds the region name.
 * @return string|null "U", "E" or "J" for USA, EUR or JPN; null for anything else.
 */
function getRegion($v)
{
    // switch compares loosely, exactly like the == chain it replaces.
    switch ($v[5]) {
        case "USA":
            return "U";
        case "EUR":
            return "E";
        case "JPN":
            return "J";
    }
    return null;
}
/**
 * Pick the firmware family label for a split version string.
 *
 * @param array $v Fields of the version string; index 0 is the console model,
 *                 index 1 the major system version.
 * @return string "N3DS" when the model field is "NEW"; otherwise "PRE5" for a
 *                major version below 5 and "POST5" for 5 and above.
 */
function getFirmVersion($v)
{
    if ($v[0] == "NEW") {
        return "N3DS";
    }
    return ($v[1] < 5) ? "PRE5" : "POST5";
}
/**
 * Look up the menu version label for a split version string.
 *
 * Only major versions 9 and 10 are handled. For 9.x the label depends on the
 * minor version (with one USA-specific entry for 9.9); for 10.x every minor
 * version has a USA label and a label for all other regions.
 *
 * @param array $v Fields of the version string; index 1 is the major version,
 *                 index 2 the minor version, index 5 the region name.
 * @return string|null The label, or null when no entry matches.
 */
function getMenuVersion($v)
{
    if ($v[1] == 9) {
        $minor = $v[2];
        // switch compares loosely, in order, like the original == chain.
        switch ($minor) {
            case 0:
            case 1:
                return "11272";
            case 2:
                return "12288";
            case 3:
                return "13330";
            case 4:
                return "14336";
            case 5:
                return "15360";
            case 6:
                return "16404";
            case 7:
                return "17415";
        }
        // The USA-only 9.9 entry must be tested before the generic >= 8 one.
        if ($minor == 9 && $v[5] == "USA") {
            return "20480_usa";
        }
        if ($minor >= 8) {
            return "19456";
        }
        return null;
    }

    if ($v[1] == 10) {
        $minor = $v[2];
        // Each entry is [label for USA, label for every other region].
        if ($minor == 0) {
            $labels = array("20480_usa", "19456");
        } elseif ($minor == 1) {
            $labels = array("21504_usa", "20480");
        } elseif ($minor == 2) {
            $labels = array("22528_usa", "21504");
        } elseif ($minor == 3) {
            $labels = array("23552_usa", "22528");
        } elseif ($minor == 4 || $minor == 5) {
            $labels = array("24578_usa", "23554");
        } elseif ($minor >= 6) {
            $labels = array("25600_usa", "24576");
        } else {
            return null;
        }
        // The region is read only once a minor version has matched.
        return ($v[5] == "USA") ? $labels[0] : $labels[1];
    }

    return null;
}
/**
 * Pick the mset version label for a split version string.
 *
 * @param array $v Fields of the version string; index 1 is the major version,
 *                 index 2 the minor version.
 * @return string "8203" for 9.x with a minor version below 6, "9221" otherwise.
 */
function getMsetVersion($v)
{
    $isEarlyNine = ($v[1] == 9 && $v[2] < 6);
    return $isEarlyNine ? "8203" : "9221";
}
/**
 * Build the payload base name (without extension) for a split version string.
 *
 * The four parts come from getFirmVersion, getRegion, getMenuVersion and
 * getMsetVersion, joined with underscores. A part for which its helper
 * returns null appears as an empty string.
 *
 * @param array $v Fields of the version string.
 * @return string
 */
function getFilenameFromVersion($v)
{
    return sprintf(
        '%s_%s_%s_%s',
        getFirmVersion($v),
        getRegion($v),
        getMenuVersion($v),
        getMsetVersion($v)
    );
}
/**
 * Split a dash-separated version string into its fields.
 *
 * @param string $version For example "NEW-9-9-0-26-USA".
 * @return array The fields in order; a string without dashes yields one element.
 */
function splitVersionString($version)
{
    return explode('-', $version);
}
?>
#!/bin/bash
# extglob enables the !(pattern) "everything except" globs that clean and
# download rely on; it has to be set before those functions are parsed.
shopt -s extglob
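# Delete everything in the current directory except the setup script, the two
# hand-maintained PHP files and conntest.
#
# The glob is relative to the current working directory, not to the script's
# location, so running the script from the wrong directory would wipe that
# directory instead. Refuse unless at least one of the preserved entries is
# present here.
# Returns 1 without deleting anything when none of them is found.
clean () {
    local keep found=0
    for keep in setup_browserhax_site.sh browserhax_cfg.php get_ropbin_payload.php conntest; do
        if [[ -e "./$keep" ]]; then
            found=1
        fi
    done
    if (( ! found )); then
        echo "clean: none of the preserved files exist in $PWD; refusing to delete" >&2
        return 1
    fi
    rm -rf ./!(setup_browserhax_site.sh|browserhax_cfg.php|get_ropbin_payload.php|conntest)
}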
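# Download the ropbin payload for one console version into ./payloads/ropbin/.
#
#   $1  version string, e.g. "OLD-9-2-0-20-USA"
#
# The remote script answers with a redirect; the last path component of the
# Location header becomes the local file name.
# Returns non-zero when no usable file name can be derived or the transfer fails.
#
# NOTE(review): the transfer is plain HTTP and nothing verifies the file
# afterwards (no checksum or signature), so the content is whatever the
# network path delivers. Compare against a known-good digest before serving it.
download_ropbin_payload () {
    local version="$1"
    local url location outname outpath

    echo -e "\nDownloading ropbin payload for $version"
    url="http://smea.mtheall.com/get_ropbin_payload.php?version=${version}"

    # Header names are case-insensitive, so match "location:" as well.
    location=$(curl -sI --url "$url" \
        | grep -i '^Location:' \
        | head -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//' \
        | tr -d '\r')

    # printf, not echo -e: the value is remote-controlled and must not have
    # its backslash sequences interpreted.
    printf ' Source: %s\n' "$location"

    # Keep only the last path component. The original pattern stripped just an
    # "http://.../" prefix, so any other Location form (https, relative, "../")
    # kept its slashes and could place the file outside payloads/ropbin.
    outname="${location##*/}"
    if [[ -z "$outname" || "$outname" == "." || "$outname" == ".." ]]; then
        echo "download_ropbin_payload: no usable file name in redirect for $version" >&2
        return 1
    fi

    outpath="./payloads/ropbin/${outname}"
    # --fail keeps an HTTP error page from being saved as if it were the payload.
    curl --fail -L -o "$outpath" --url "$url"
}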
# Fetch the site sources, flatten them into the current directory, build the
# webkithax payload and download the ropbin payloads.
download () {
    local repo version

    echo -e "Fetching browserhax code\n"
    # NOTE(review): each clone takes whatever the default branch holds at the
    # time; no commit or tag is pinned, so two runs can yield different code.
    for repo in browserhax_site browserhax_fright 3ds_browserhax_common 3ds_webkithax; do
        git clone "https://github.com/yellows8/${repo}.git"
        echo ""
    done

    # Copy the contents of every checkout into the current directory, leaving
    # each README.md behind.
    for repo in browserhax_site browserhax_fright 3ds_browserhax_common 3ds_webkithax; do
        cp "$repo"/!(README.md) ./
    done

    # Alternate entry-point names for the copied pages.
    ln -s 3dsbrowserhax.php 3dsbrowserhax_auto.php
    ln -s 3dsbrowserhax_webkit_r158724.php sliderhax.php
    ln -s 3dsbrowserhax_webkit_r106972.php spider28hax.php

    # Point browserhax_fright.php at the config file in this directory instead
    # of the upstream author's absolute path.
    sed -i -e 's|/home/yellows8/browserhax/browserhax_cfg.php|browserhax_cfg.php|' './browserhax_fright.php'

    mkdir ./payloads

    # Download webkithax
    # getbin param might change, needs to match val from browserhax_cfg.php
    # user agents from https://www.3dbrew.org/wiki/Internet_Browser - this one is from New 3DS 9.9.0-26
    #USER_AGENT="Mozilla/5.0 (New Nintendo 3DS like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.15 Mobile NintendoBrowser/1.3.10126.US"
    #curl -A "$USER_AGENT" -o ./payloads/webkithax_tmp.bin http://yls8.mtheall.com/browserhax_fright.php?getbin=l792U0bD
    # OR
    # Compile webkithax (requires devkitARM is installed)
    # NOTE(review): make presumably uses a Makefile copied in from the clones
    # above, i.e. build rules fetched moments earlier run with this user's
    # privileges.
    echo -e "\nCompiling webkit hax payload"
    OUTPATH=./payloads/webkithax_tmp.bin make
    echo ""

    # Download the ropbin payloads for the listed console versions.
    mkdir -p ./payloads/ropbin/
    for version in "OLD-9-2-0-20-USA" "OLD-9-9-0-26-USA" "NEW-9-2-0-20-USA" "NEW-9-9-0-26-USA"; do
        download_ropbin_payload "$version"
    done
}
# Command-line handling.
# With no arguments at all: wipe the directory and rebuild the site.
if [[ $# -eq 0 ]]; then
    clean
    download
fi

# Otherwise act on each argument in turn. An unrecognised option is reported
# and skipped; it does not stop the run.
for key in "$@"; do
    case "$key" in
        -c|--clean)
            clean
            ;;
        "")
            # An explicitly empty argument behaves like no argument.
            clean
            download
            ;;
        *)
            echo "Unknown option $key"
            ;;
    esac
done