Hacking Official Corbenik - Another CFW for advanced users (with bytecode patches!)

[The Catboy]

Title downgrade fix is broken, firmlaunch hook appears broken on n3ds. Disabling firmlaunch hooks seemed to solve it. (http://nus.cdn.c.shop.nintendowifi.net/ccs/download/0004013820000002/0000002d for n3ds)

Delete native.dec if you haven't.

How do you get the URL, exactly?

I didn't do these steps at first, but once I distabled to reboot hook and deleted the native.dec, I was able to boot into corbenik again

--------------------- MERGED ---------------------------

I hate to double post, but this fix is really a bandage for the issue. Without the hook, DSi/GBA games will not work, even on your new3DS. But it still does basically let you boot into Corbenik, even if you end up loosing some features

 

[Svaethier]

So we need the 11.3 nfirm for o3ds and n3ds? Can someone link the URL to download these or pm me it?

 

[The Catboy]

So we need the 11.3 nfirm for o3ds and n3ds? Can someone link the URL to download these or pm me it?

I really won't suggest updating your OFW until Corbenik updates. We did find a workaround, but by doing so, we've disabled reboot patches. Which means High memory games/DSi/GBA games won't work on the old3DS and GBA/DSi won't work on the new3DS.

 

[chaoskagami]

Nintendo broke shit. =_=;

And there's more than just that wrong here; for some reason, it's now incapable of retrieving the titlekey from the CETK as on CDN right now.

My humble recommendation; hold off on the update. I'm currently rendered unbootable until I fix this mess.

 

[The Catboy]

Nintendo broke shit. =_=;

And there's more than just that wrong here; for some reason, it's now incapable of retrieving the titlekey from the CETK as on CDN right now.

My humble recommendation; hold off on the update. I'm currently rendered unbootable until I fix this mess.

We did posted a workaround on the previous page. You have to disable the reboot patches and delete the native.dec

 

[chaoskagami]

We did posted a workaround on the previous page. You have to disable the reboot patches and delete the native.dec

That relies on native.key existing from a previous successful setup. It fails to extract the correct decTitleKey now from the cetk.

 

[The Catboy]

That relies on native.key existing from a previous successful setup. It fails to extract the correct decTitleKey now from the cetk.

Oh, gg. Do you have a NAND backup?

 

[ih8ih8sn0w]

If it's of any use, logs of firmlaunch hook crashing with 11.3 nfirm.

Spoiler: cba to upload it elsewhere, I only enabled verbose logging, emunand, and firmlaunch hook

arena: 1762616
ordblks: 4
uordblks: 1758768
fordblks: 3848
reboot: proc9 mem @ 08028000
reboot: firmlaunch @ fffffff0
Data abort.
cpsr:600000df sp:27efff30 pc:23f03134
r0:23f0313c r1:00000001 r2:00000000 r3:0000008e
r4:00000000 r5:fffffff0 r6:24150c50 r7:00000000
r8:23f0ea0c r9:00000000 r10:23f0e948 r11:23f0e930
r12:23f227a0
Cannot continue. Halting.

 

[The Catboy]

If it's of any use, logs of firmlaunch hook crashing with 11.3 nfirm.

Spoiler: cba to upload it elsewhere, I only enabled verbose logging, emunand, and firmlaunch hook

arena: 1762616
ordblks: 4
uordblks: 1758768
fordblks: 3848
reboot: proc9 mem @ 08028000
reboot: firmlaunch @ fffffff0
Data abort.
cpsr:600000df sp:27efff30 pc:23f03134
r0:23f0313c r1:00000001 r2:00000000 r3:0000008e
r4:00000000 r5:fffffff0 r6:24150c50 r7:00000000
r8:23f0ea0c r9:00000000 r10:23f0e948 r11:23f0e930
r12:23f227a0
Cannot continue. Halting.

Corbenik actually uses an older reboot hook from Luma3DS (a heavily modified one, but still based on it.) Somewhere along the line Luma3ds updated their hook, but no one else followed because there was no reason to at the time. It seems that update is what kept Luma3DS safe, but everyone using the older code suffered. This is also what happened to SaltFW, but a quick update of the code fixed it.

 

[Arck]

I just love this CFW, but I have a question:
Is it possible to boot without external firm files ?

 

[metroid maniac]

Corbenik actually uses an older reboot hook from Luma3DS (a heavily modified one, but still based on it.) Somewhere along the line Luma3ds updated their hook, but no one else followed because there was no reason to at the time. It seems that update is what kept Luma3DS safe, but everyone using the older code suffered. This is also what happened to SaltFW, but a quick update of the code fixed it.

I hope that means it's a simple fix, to pull the updated reboot hook from Luma again.

 

[The Catboy]

I hope that means it's a simple fix, to pull the updated reboot hook from Luma again.

It's half the issue, the other half is still the Native_firm update. Really I don't know how hard these are to fix

 

[chaoskagami]

Corbenik actually uses an older reboot hook from Luma3DS (a heavily modified one, but still based on it.) Somewhere along the line Luma3ds updated their hook, but no one else followed because there was no reason to at the time. It seems that update is what kept Luma3DS safe, but everyone using the older code suffered. This is also what happened to SaltFW, but a quick update of the code fixed it.

I hope that means it's a simple fix, to pull the updated reboot hook from Luma again.

Half correct. Corbenik uses the offset seeking of Luma, but the reboot assembly code is pretty much Cakes converted to gas syntax (rather than armips; I hate armips.)

If it were that simple, I'd have already pushed. Putting the fix into place seems to get the correct offsets, but results in a black screen on firmlaunch. So, there's something else wrong and I can't in good faith push something utterly broken.

I just love this CFW, but I have a question:
Is it possible to boot without external firm files ?

https://gbatemp.net/threads/corbeni...-bytecode-patches.429612/page-90#post-7027477

 

[DestructiveSword]

Can I use Corbenik on 11.3?

 

[The Catboy]

Can I use Corbenik on 11.3?

http://gbatemp.net/threads/corbenik...-bytecode-patches.429612/page-93#post-7074625
Reboot patches are being worked on
Just hold off on the update and wait until Corbenik is updated

 

[GravitySuitCollector]

I hope things are going ok with figuring out the reboot hook + 11.3. This update sounds like quite the headache for several cfws, especially those without firm protection. I went ahead and checked out the 11.3 update, and now I'm restoring an 11.2 backup. It was more of a brief test than anything else (wanted to see if the Kecleon Luma patch booted ok, since I have that on CTR NAND as a backup).

Also, is there a database of patches people have made for corbenik/skeith anywhere? I'd like to check them out if possible, and see what's available.

 

[chaoskagami]

I hope things are going ok with figuring out the reboot hook + 11.3. This update sounds like quite the headache for several cfws, especially those without firm protection. I went ahead and checked out the 11.3 update, and now I'm restoring an 11.2 backup. It was more of a brief test than anything else (wanted to see if the Kecleon Luma patch booted ok, since I have that on CTR NAND as a backup).

Also, is there a database of patches people have made for corbenik/skeith anywhere? I'd like to check them out if possible, and see what's available.

It's going fine-ish. At this point it's less fixing the hook, more refactoring since I'm switching the method to be reentrant like Luma. I'm not comfortable with pushing it to master until I'm finished, but I *should* probably push to a branch.

tl;dr I already fixed the hook, but I'm changing things around so it's going to take a tad longer (and until I finish, it still won't "work" to actually boot GBA/DS games)

All the patches are mostly in the release; there's not much besides what's provided.

 

[Gray_Jack]

It's going fine-ish. At this point it's less fixing the hook, more refactoring since I'm switching the method to be reentrant like Luma. I'm not comfortable with pushing it to master until I'm finished, but I *should* probably push to a branch.

tl;dr I already fixed the hook, but I'm changing things around so it's going to take a tad longer (and until I finish, it still won't "work" to actually boot GBA/DS games)

After completed, do you intend to patch svc 0x59?

 

[Wolfvak]

After completed, do you intend to patch svc 0x59?

That should be pretty easy to do if svc 0x59 doesnt return any value, and it still might be doable even if it does.

The instruction svc 0x59 encodes to 590000ef (according to radare2 -aarm 'svc 0x59') so all you have to do is look for that pattern in the GSP module and replace it with a NOP (preferably one which has the conditional bits set to never execute). If svc 0x59 sets r0 to some return value, you'll have to replace it with mov r0, #<insert return value here>.

(The above statement assumes it's running in ARM mode. If it's Thumb code, you'll want to look for another pattern but the main idea is the same)

That's one way to do it, but if any other application/sysmodule attempts to use it it'll have to be disabled straight from the source: the ARM11 kernel. That's a bit more complicated to do definitely not impossible.

 

[Gray_Jack]

That should be pretty easy to do if svc 0x59 doesnt return any value, and it still might be doable even if it does.

The instruction svc 0x59 encodes to 590000ef (according to radare2 -aarm 'svc 0x59') so all you have to do is look for that pattern in the GSP module and replace it with a NOP (preferably one which has the conditional bits set to never execute). If svc 0x59 sets r0 to some return value, you'll have to replace it with mov r0, #<insert return value here>.

(The above statement assumes it's running in ARM mode. If it's Thumb code, you'll want to look for another pattern but the main idea is the same)

That's one way to do it, but if any other application/sysmodule attempts to use it it'll have to be disabled straight from the source: the ARM11 kernel. That's a bit more complicated to do definitely not impossible.

I would prefer a universal patch, so your second option would be the best option, thought more complicated.

And thanks for the info, I just did a patch for the GSP module and it works just fine :3