Jamais Vu is a warmboot exploit for Switch consoles on firmware 1.0.0. The technique is public, but a working implementation has yet to be written.
@SciresM released a write-up on how to achieve it (linked here), and @TuxSH released sample code that takes over the BPMP (the Tegra's boot/power-management coprocessor -- the "COP" in the flow-controller register name below).
Because the developers are busy with Atmosphère, this isn't a priority at the moment -- but is anyone out there with the necessary knowledge interested in trying it?
@SciresM released a write-up on how to achieve it (linked here), and @TuxSH released sample code that takes over the BPMP (the Tegra's boot/power-management coprocessor -- the "COP" in the flow-controller register name below).
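#define IRAM_BASE_PA 0x40000000 /* physical base of IRAM; fetchIoRegs() queries exactly this window */
#define IRAM_SIZE 0x40000 /* size of the IRAM window queried in fetchIoRegs() (256 KiB) */
/* Translate an IRAM physical address into a pointer inside the mapping obtained by
 * fetchIoRegs(). Only valid after fetchIoRegs() succeeded (iramBaseVa set). */
#define IRAM(a) ((void *)((a)-IRAM_BASE_PA+iramBaseVa))
/* BPMP (COP) reset vector, in the exception-vector block mapped at vectorsBaseVa. */
#define BPMP_VECTOR_RESET (*(vu32 *)(vectorsBaseVa + 0x200))
/* Clock/reset controller: set / clear bits of the RST_DEV_L reset register. */
#define CLK_RST_CONTROLLER_RST_DEV_L_SET_0 (*(vu32 *)(clockResetBaseVa + 0x300))
#define CLK_RST_CONTROLLER_RST_DEV_L_CLR_0 (*(vu32 *)(clockResetBaseVa + 0x304))
/* Flow controller: halt events for the COP (the BPMP). */
#define FLOW_CTLR_HALT_COP_EVENTS_0 (*(vu32 *)(flowControllerBaseVa + 4))
#define IRAM_PAYLOAD_ADDRESS 0x40030000 /* address to copy the payload to; arbitrary -- as long as TZ doesn't overwrite it */
/* The payload address is "arbitrary", but it must still fall inside the IRAM window
 * fetchIoRegs() maps, otherwise IRAM() yields a pointer past the mapping. Catch a
 * bad choice at compile time rather than with a stray write at run time. */
#if IRAM_PAYLOAD_ADDRESS < IRAM_BASE_PA || IRAM_PAYLOAD_ADDRESS >= IRAM_BASE_PA + IRAM_SIZE
#error "IRAM_PAYLOAD_ADDRESS must lie inside the IRAM window mapped by fetchIoRegs()"
#endif
/* Virtual bases of the four I/O windows, filled in by fetchIoRegs(); zero until then. */
u64 iramBaseVa, vectorsBaseVa, clockResetBaseVa, flowControllerBaseVa;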
/* Look up this process's virtual mappings of the I/O windows the rest of the code
 * pokes (IRAM plus the exception-vector, clock/reset and flow-controller register
 * blocks) and cache them in the *BaseVa globals.
 * Returns the Result of the first svcQueryIoMapping that fails -- the remaining
 * globals are then left untouched -- or the last call's Result (success) otherwise.
 * NOTE: you need to edit the NPDM for this function to work! (presumably the
 * kernel-capability grants that let this process query I/O mappings live there). */
static Result fetchIoRegs(void) {
    const struct {
        u64 *dest;      /* global that receives the virtual base */
        u64 physAddr;   /* physical base of the window */
        u64 size;       /* size of the window in bytes */
    } windows[] = {
        { &iramBaseVa,           0x40000000, 0x40000 }, /* IRAM, 256 KiB */
        { &vectorsBaseVa,        0x6000F000, 0x1000  }, /* exception vectors */
        { &clockResetBaseVa,     0x60006000, 0x1000  }, /* clock/reset controller */
        { &flowControllerBaseVa, 0x60007000, 0x1000  }, /* flow controller */
    };
    Result rc = 0;
    for (unsigned i = 0; i < sizeof windows / sizeof windows[0]; i++) {
        rc = svcQueryIoMapping(windows[i].dest, windows[i].physAddr, windows[i].size);
        if (R_FAILED(rc)) {
            break; /* stop at the first failure, same as the early-return chain */
        }
    }
    return rc;
}
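#ifndef IRAM_BASE_PA
#define IRAM_BASE_PA 0x40000000 /* physical base of the IRAM window queried in fetchIoRegs() */
#endif
#ifndef IRAM_SIZE
#define IRAM_SIZE 0x40000 /* size of that window in bytes */
#endif
/* Copy the BPMP payload (bpmp_bin, bpmp_bin_size bytes) into IRAM at
 * IRAM_PAYLOAD_ADDRESS through the mapping obtained by fetchIoRegs().
 * Returns 0 on success and -1 without copying anything if fetchIoRegs() has not
 * populated iramBaseVa yet, or if the payload would run past the end of the mapped
 * IRAM window (the original copied unconditionally, so an oversized payload wrote
 * beyond the mapping). The return value is additive; existing callers that ignore
 * it still compile. */
int writePayload(void) {
    /* Bytes available from the payload address to the end of the IRAM mapping. */
    const u64 avail = IRAM_BASE_PA + IRAM_SIZE - IRAM_PAYLOAD_ADDRESS;
    /* iramBaseVa is zero until fetchIoRegs() succeeds (file-scope globals start at 0). */
    if (iramBaseVa == 0 || bpmp_bin_size > avail) {
        return -1;
    }
    memcpy(IRAM(IRAM_PAYLOAD_ADDRESS), bpmp_bin, bpmp_bin_size);
    return 0;
}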
/* Start the BPMP on the payload placed in IRAM by writePayload(): program its
 * reset vector, pulse its reset line and release it from halt.
 * Expects fetchIoRegs() to have succeeded first -- the register macros below
 * dereference vectorsBaseVa, clockResetBaseVa and flowControllerBaseVa.
 * The statement order is the protocol; do not reorder these writes. */
void resetBpmpExecutePayload(void) {
    /* Reset vector first, so the BPMP fetches the payload once reset is released. */
    BPMP_VECTOR_RESET = IRAM_PAYLOAD_ADDRESS;
    CLK_RST_CONTROLLER_RST_DEV_L_SET_0 = BIT(1); /* Assert BPMP reset */
    /* Hold reset briefly. The delays were copied from the 1.0 AM module; the unit is
     * whatever svcSleepThread takes (presumably nanoseconds -- confirm). */
    svcSleepThread(2000); /* Values from 1.0 AM */
    CLK_RST_CONTROLLER_RST_DEV_L_CLR_0 = BIT(1); /* Deassert BPMP reset */
    /* Clear the COP halt events so the BPMP runs instead of staying halted
     * (going by the register name; verify against the flow-controller documentation). */
    FLOW_CTLR_HALT_COP_EVENTS_0 = 0;
    /* Give the payload time to execute before the caller continues. */
    svcSleepThread(1000 * 1000);
    /* NOTE(review): these are volatile stores to three separate I/O windows with no
     * explicit barrier between them; whether the vector write is guaranteed to land
     * before the reset release depends on how the kernel maps these regions -- confirm. */
}
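#ifndef IRAM_BASE_PA
#define IRAM_BASE_PA 0x40000000 /* physical base of IRAM; fetchIoRegs() queries exactly this window */
#endif
#ifndef IRAM_SIZE
#define IRAM_SIZE 0x40000 /* size of the IRAM window queried in fetchIoRegs() (256 KiB) */
#endif
#ifndef IRAM
/* Translate an IRAM physical address into a pointer inside the mapping obtained by
 * fetchIoRegs(); writePayload() below relies on it, but this copy of the listing
 * omitted the definition. Only valid after fetchIoRegs() succeeded. */
#define IRAM(a) ((void *)((a)-IRAM_BASE_PA+iramBaseVa))
#endif
/* BPMP (COP) reset vector, in the exception-vector block mapped at vectorsBaseVa. */
#define BPMP_VECTOR_RESET (*(vu32 *)(vectorsBaseVa + 0x200))
/* Clock/reset controller: set / clear bits of the RST_DEV_L reset register. */
#define CLK_RST_CONTROLLER_RST_DEV_L_SET_0 (*(vu32 *)(clockResetBaseVa + 0x300))
#define CLK_RST_CONTROLLER_RST_DEV_L_CLR_0 (*(vu32 *)(clockResetBaseVa + 0x304))
/* Flow controller: halt events for the COP (the BPMP). */
#define FLOW_CTLR_HALT_COP_EVENTS_0 (*(vu32 *)(flowControllerBaseVa + 4))
#define IRAM_PAYLOAD_ADDRESS 0x40030000 /* address to copy the payload to; arbitrary -- as long as TZ doesn't overwrite it */
/* The payload address is "arbitrary", but it must still fall inside the IRAM window
 * fetchIoRegs() maps, otherwise IRAM() yields a pointer past the mapping. Catch a
 * bad choice at compile time rather than with a stray write at run time. */
#if IRAM_PAYLOAD_ADDRESS < IRAM_BASE_PA || IRAM_PAYLOAD_ADDRESS >= IRAM_BASE_PA + IRAM_SIZE
#error "IRAM_PAYLOAD_ADDRESS must lie inside the IRAM window mapped by fetchIoRegs()"
#endif
/* Virtual bases of the four I/O windows, filled in by fetchIoRegs(); zero until then. */
u64 iramBaseVa, vectorsBaseVa, clockResetBaseVa, flowControllerBaseVa;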
/* Look up this process's virtual mappings of the I/O windows the rest of the code
 * pokes (IRAM plus the exception-vector, clock/reset and flow-controller register
 * blocks) and cache them in the *BaseVa globals.
 * Returns the Result of the first svcQueryIoMapping that fails -- the remaining
 * globals are then left untouched -- or the last call's Result (success) otherwise.
 * NOTE: you need to edit the NPDM for this function to work! (presumably the
 * kernel-capability grants that let this process query I/O mappings live there). */
static Result fetchIoRegs(void) {
    const struct {
        u64 *dest;      /* global that receives the virtual base */
        u64 physAddr;   /* physical base of the window */
        u64 size;       /* size of the window in bytes */
    } windows[] = {
        { &iramBaseVa,           0x40000000, 0x40000 }, /* IRAM, 256 KiB */
        { &vectorsBaseVa,        0x6000F000, 0x1000  }, /* exception vectors */
        { &clockResetBaseVa,     0x60006000, 0x1000  }, /* clock/reset controller */
        { &flowControllerBaseVa, 0x60007000, 0x1000  }, /* flow controller */
    };
    Result rc = 0;
    for (unsigned i = 0; i < sizeof windows / sizeof windows[0]; i++) {
        rc = svcQueryIoMapping(windows[i].dest, windows[i].physAddr, windows[i].size);
        if (R_FAILED(rc)) {
            break; /* stop at the first failure, same as the early-return chain */
        }
    }
    return rc;
}
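#ifndef IRAM_BASE_PA
#define IRAM_BASE_PA 0x40000000 /* physical base of the IRAM window queried in fetchIoRegs() */
#endif
#ifndef IRAM_SIZE
#define IRAM_SIZE 0x40000 /* size of that window in bytes */
#endif
/* Copy the BPMP payload (bpmp_bin, bpmp_bin_size bytes) into IRAM at
 * IRAM_PAYLOAD_ADDRESS through the mapping obtained by fetchIoRegs().
 * Returns 0 on success and -1 without copying anything if fetchIoRegs() has not
 * populated iramBaseVa yet, or if the payload would run past the end of the mapped
 * IRAM window (the original copied unconditionally, so an oversized payload wrote
 * beyond the mapping). The return value is additive; existing callers that ignore
 * it still compile. */
int writePayload(void) {
    /* Bytes available from the payload address to the end of the IRAM mapping. */
    const u64 avail = IRAM_BASE_PA + IRAM_SIZE - IRAM_PAYLOAD_ADDRESS;
    /* iramBaseVa is zero until fetchIoRegs() succeeds (file-scope globals start at 0). */
    if (iramBaseVa == 0 || bpmp_bin_size > avail) {
        return -1;
    }
    memcpy(IRAM(IRAM_PAYLOAD_ADDRESS), bpmp_bin, bpmp_bin_size);
    return 0;
}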
/* Start the BPMP on the payload placed in IRAM by writePayload(): program its
 * reset vector, pulse its reset line and release it from halt.
 * Expects fetchIoRegs() to have succeeded first -- the register macros below
 * dereference vectorsBaseVa, clockResetBaseVa and flowControllerBaseVa.
 * The statement order is the protocol; do not reorder these writes. */
void resetBpmpExecutePayload(void) {
    /* Reset vector first, so the BPMP fetches the payload once reset is released. */
    BPMP_VECTOR_RESET = IRAM_PAYLOAD_ADDRESS;
    CLK_RST_CONTROLLER_RST_DEV_L_SET_0 = BIT(1); /* Assert BPMP reset */
    /* Hold reset briefly. The delays were copied from the 1.0 AM module; the unit is
     * whatever svcSleepThread takes (presumably nanoseconds -- confirm). */
    svcSleepThread(2000); /* Values from 1.0 AM */
    CLK_RST_CONTROLLER_RST_DEV_L_CLR_0 = BIT(1); /* Deassert BPMP reset */
    /* Clear the COP halt events so the BPMP runs instead of staying halted
     * (going by the register name; verify against the flow-controller documentation). */
    FLOW_CTLR_HALT_COP_EVENTS_0 = 0;
    /* Give the payload time to execute before the caller continues. */
    svcSleepThread(1000 * 1000);
    /* NOTE(review): these are volatile stores to three separate I/O windows with no
     * explicit barrier between them; whether the vector write is guaranteed to land
     * before the reset release depends on how the kernel maps these regions -- confirm. */
}
Because the developers are busy with Atmosphère, this isn't a priority at the moment -- but is anyone out there with the necessary knowledge interested in trying it?