Hacking Pasta CFW - A CFW that allows unsigned CIA to be installed on Old and New 3DS! (required ninjhax)

  • Thread starter: capito27
As for Smealum's quote, that is obviously easier said than done. It will require a lot of picking.

Yeah. Anyway, they are the same steps to finish SpiderNinja. SpiderNinja would be better than a spider port of Pasta, because the team will not lose time porting the changes to every entrypoint, and will focus on the main version.

But yeah, it's easy, but only for yifan_lu or smealum.
 
Yeah. Anyway, they are the same steps to finish SpiderNinja. SpiderNinja would be better than a spider port of Pasta, because the team will not lose time porting the changes to every entrypoint.
Have you the skill to accomplish that? It is certainly something the community as a whole could use very much, let alone this project. I am not even near qualified enough to conquer that, admittedly. I'll stick to tiny things.
 
Yeah. Anyway, they are the same steps to finish SpiderNinja. SpiderNinja would be better than a spider port of Pasta, because the team will not lose time porting the changes to every entrypoint.
It is fun when, in a console hacking scene, we begin to give names based on others, to finally have some funny names such as pasta, ninja, FBI, Karl oska^^
 
Have you the skill to accomplish that? It is certainly something the community as a whole could use very much, let alone this project. I am not even near qualified enough to conquer that, admittedly. I'll stick to tiny things.

Sadly no. I'm a programmer, but I don't know a lot about low-level programming languages (ASM for example), needed to kill threads and close handles :(.
 
Since Regionthree uses ns:s for the cart trick, is it safe to say the bold code could be snipped and replaced, allowing him to have done most of the work?
.nds
.create "spider_rop.bin",0x0
;define constants
DLPLAY_CODE_LOC_VA equ 0x00192800
DLPLAY_CODE_LOC equ (DLPLAY_CODE_LOC_VA-0x00100000+0x03F50000+0x14000000)
DLPLAY_HOOK_LOC equ (0x03FF3500+0x14000000)
DLPLAY_NSSHANDLE_LOC_VA equ 0x001A5200
SPIDER_GSPHEAPBUF equ 0x18370000
SPIDER_ROP_LOC equ 0x08F01000
spiderRop:
;copy code to dlplay
;copy patch
.word 0x0010b5b4 ; pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF ; r0 (dst)
.word SPIDER_ROP_LOC+dlplayCode ; r1 (src)
.word dlplayCode_end-dlplayCode ; r2 (size)
.word 0xDEADC0DE ; r3 (garbage)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x00240B54 ; memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE ; r4 (garbage)
.word 0xDEADC0DE ; r5 (garbage)
.word 0xDEADC0DE ; r6 (garbage)
.word 0xDEADC0DE ; r7 (garbage)
.word 0xDEADC0DE ; r8 (garbage)
.word 0xDEADC0DE ; r9 (garbage)
.word 0xDEADC0DE ; r10 (garbage)
;flush data cache
.word 0x0010b5b4 ; pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C ; r0 (handle ptr)
.word 0xFFFF8001 ; r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF ; r2 (address)
.word 0x00000200 ; r3 (size)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x0012c1e0 ; GSPGPU_FlushDataCache
;send GX command
.word 0x0010c2fc ; pop {r0, pc}
.word 0x3D7C40+0x58 ; r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 ; pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand ; r1 (cmd addr)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x0012BF04 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
;sleep for a bit
.word 0x0010c2fc ; pop {r0, pc}
.word 500000000 ; r0 (half second)
.word 0x00228af4 ; pop {r1, pc}
.word 0x00000000 ; r1 (nothing)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x001041f8 ; svc 0xa | bx lr
;copy gsp interrupt handler table to linear heap
;flush data cache
.word 0x0010b5b4 ; pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C ; r0 (handle ptr)
.word 0xFFFF8001 ; r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF ; r2 (address)
.word 0x00000200 ; r3 (size)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x0012c1e0 ; GSPGPU_FlushDataCache
;send GX command
.word 0x0010c2fc ; pop {r0, pc}
.word 0x3D7C40+0x58 ; r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 ; pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand2 ; r1 (cmd addr)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x0012BF04 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
;sleep for a bit
.word 0x0010c2fc ; pop {r0, pc}
.word 500000000 ; r0 (half second)
.word 0x00228af4 ; pop {r1, pc}
.word 0x00000000 ; r1 (nothing)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x001041f8 ; svc 0xa | bx lr
;copy gsp interrupt handler table back to dlplay after patching it
;patch table
.word 0x0010b5b4 ; pop {r0, r1, r2, r3, r4, pc}
.word SPIDER_GSPHEAPBUF+0x90 ; r0 (dst)
.word SPIDER_ROP_LOC+dlplayHook ; r1 (src)
.word dlplayHook_end-dlplayHook ; r2 (size)
.word 0xDEADC0DE ; r3 (garbage)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x00240B54 ; memcpy (ends in LDMFD SP!, {R4-R10,LR})
.word 0xDEADC0DE ; r4 (garbage)
.word 0xDEADC0DE ; r5 (garbage)
.word 0xDEADC0DE ; r6 (garbage)
.word 0xDEADC0DE ; r7 (garbage)
.word 0xDEADC0DE ; r8 (garbage)
.word 0xDEADC0DE ; r9 (garbage)
.word 0xDEADC0DE ; r10 (garbage)
;flush data cache
.word 0x0010b5b4 ; pop {r0, r1, r2, r3, r4, pc}
.word 0x003DA72C ; r0 (handle ptr)
.word 0xFFFF8001 ; r1 (kprocess handle)
.word SPIDER_GSPHEAPBUF ; r2 (address)
.word 0x00000200 ; r3 (size)
.word 0xDEADC0DE ; r4 (garbage)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x0012c1e0 ; GSPGPU_FlushDataCache
;send GX command
.word 0x0010c2fc ; pop {r0, pc}
.word 0x3D7C40+0x58 ; r0 (nn__gxlow__CTR__detail__GetInterruptReceiver)
.word 0x00228af4 ; pop {r1, pc}
.word SPIDER_ROP_LOC+gxCommand3 ; r1 (cmd addr)
.word 0x0013035C ; pop {lr, pc}
.word 0x001057c4 ; lr (pop {pc})
.word 0x0012BF04 ; nn__gxlow__CTR__CmdReqQueueTx__TryEnqueue
;trigger spider crash to return to menu
.word 0xFFFFFFFF
; copy code stub to end of dlplay .text
.align 0x4
gxCommand:
.word 0x00000004 ;command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF ;source address
.word DLPLAY_CODE_LOC ;destination address
.word 0x200 ;size
.word 0xFFFFFFFF ; dim in
.word 0xFFFFFFFF ; dim out
.word 0x00000008 ; flags
.word 0x00000000 ; unused
; copy gsp interrupt handler ptr table to spider linear heap
.align 0x4
gxCommand2:
.word 0x00000004 ;command header (SetTextureCopy)
.word DLPLAY_HOOK_LOC ;source address
.word SPIDER_GSPHEAPBUF ;destination address
.word 0x200 ;size
.word 0xFFFFFFFF ; dim in
.word 0xFFFFFFFF ; dim out
.word 0x00000008 ; flags
.word 0x00000000 ; unused
; copy gsp interrupt handler ptr table back to dlplay for spider linear heap
.align 0x4
gxCommand3:
.word 0x00000004 ;command header (SetTextureCopy)
.word SPIDER_GSPHEAPBUF ;source address
.word DLPLAY_HOOK_LOC ;destination address
.word 0x200 ;size
.word 0xFFFFFFFF ; dim in
.word 0xFFFFFFFF ; dim out
.word 0x00000008 ; flags
.word 0x00000000 ; unused
.align 0x4
dlplayCode:
ldr r0, =DLPLAY_NSSHANDLE_LOC_VA ; ns:s handle location
ldr r0, [r0]
mrc p15, 0, r1, c13, c0, 3
add r1, 0x80
ldr r2, =0x00100180 ; NSS:RebootSystem
str r2, [r1], #4
ldr r2, =0x00000001 ; flag
str r2, [r1], #4
ldr r2, =0x00000000 ; lower word PID (0 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 ; upper word PID
str r2, [r1], #4
ldr r2, =0x00000002 ; mediatype (2 for gamecard)
str r2, [r1], #4
ldr r2, =0x00000000 ; reserved
str r2, [r1], #4
ldr r2, =0x00000000 ; flag
str r2, [r1], #4

.word 0xef000032 ; svc 0x32 (sendsyncrequest)
;sleep forever and ever...
ldr r0, =0xFFFFFFFF
ldr r1, =0x0FFFFFFF
.word 0xef00000a ; svc 0xa (sleep)
.pool
dlplayCode_end:
.align 0x4
dlplayHook:
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
.word DLPLAY_CODE_LOC_VA, DLPLAY_CODE_LOC_VA
dlplayHook_end:
.Close
Sadly no. I'm a programmer, but I don't know a lot about low-level programming languages (ASM for example), needed to kill threads and close handles :(.
I know. Assembly makes my mind go fuzzy.

Edit: Logging off for the night. Won't see any responses until morning.
 
if (!know) {
    skill.learn();
} else {
    skill.practice();
}

Yeah, good algorithm anyway.

Anyway: @Slushie3DS Did you see the source code of decrypt9? It is launched by spider and has access to ARM9. I was able to run some custom code through SPIDER, but not in ARM9 :(
 
Last edited by Intronaut,
I'm gonna ask you a question: why is .cia the only method to run 3DS games for free? Is there any future for a CFW able to run .3ds or .3dz games, like the flashcarts for the DS with .nds?

CIA is a Nintendo package for ARM11 code that is easy to install with the standard 3DS services. That's all.

3DS files are cartridge dumps (but you can package homebrews in this format too). They are meant to be used with flash carts.

Writing a loader would be possible, but someone has to do it. I will not try to do it, because I'm not so interested in making games playable.

Loading the 3DSX format is more interesting, and the code is already available in the HB loader sources. The one thing missing in the code is a way to make memory executable after writing the code into memory (smealum uses his custom HB service installed by ninjhax). We only need someone that wants to work on this.

I can't name anything he has written offhand, but I do know he is knowledgeable.

Smea is one dev I don't really feel is bad. He views differently than us, makes jokes, but I have spoken with him slightly and had a good time. I'm far from a great dev, mediocre is still generous, and he wasn't a dick to me.

I have a great admiration for smea's work, the same for the other highly skilled devs of the scene.

I only don't like some of their behaviours, like pontificating on morals or releasing protected code to disincentivize newbies from researching potentially pirating solutions.

IMHO, if they want to release something, the community will thank them. If not, it's ok. That's all.
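The post above describes CIA as Nintendo's installable package for ARM11 code. As an added illustration (not code from this thread, from the Pasta team, or from any installer mentioned here), below is a small Python parser for the CIA container header that computes where each section sits in the file and refuses a file whose declared sizes run past its end, which is the sanity check any installer has to make before trusting a section. The field offsets and the 64-byte section alignment are taken from the publicly documented CIA layout, not from the post, and should be read as assumptions; the sizes used in the sample file are constructed.

```python
import struct

CIA_HEADER_SIZE = 0x2020   # 0x20 bytes of fields + 0x2000-byte content index
CIA_ALIGN = 0x40           # each section after the header starts on a 64-byte boundary
CONTENT_INDEX_OFF = 0x20
CONTENT_INDEX_LEN = 0x2000


def align64(n):
    """Round n up to the next multiple of 64."""
    return (n + CIA_ALIGN - 1) & ~(CIA_ALIGN - 1)


def parse_cia_layout(data):
    """Return {section: (offset, size)} for a CIA container held in `data`.

    Header fields (little-endian), per the documented layout assumed here:
      0x00 u32 header size   0x04 u16 type    0x06 u16 version
      0x08 u32 cert chain    0x0C u32 ticket  0x10 u32 TMD
      0x14 u32 meta          0x18 u64 content 0x20 content index (0x2000 bytes)
    Sections follow in the order cert chain, ticket, TMD, content, meta.
    Raises ValueError when a declared size points past the end of the file.
    """
    if len(data) < CIA_HEADER_SIZE:
        raise ValueError("file shorter than the CIA header")
    hdr_size, _type, _version, cert, ticket, tmd, meta, content = struct.unpack_from(
        "<IHHIIIIQ", data, 0)
    if hdr_size != CIA_HEADER_SIZE:
        raise ValueError("unexpected header size 0x%x" % hdr_size)
    layout = {}
    off = align64(hdr_size)
    for name, size in (("cert_chain", cert), ("ticket", ticket), ("tmd", tmd),
                       ("content", content), ("meta", meta)):
        # Untrusted length: never index the file by it before this check.
        if off + size > len(data):
            raise ValueError("section %s (0x%x bytes at 0x%x) runs past end of file"
                             % (name, size, off))
        layout[name] = (off, size)
        off = align64(off + size)
    return layout


def is_well_formed(data):
    """True when the header parses and every declared section fits in the file."""
    try:
        parse_cia_layout(data)
        return True
    except ValueError:
        return False


def present_contents(data):
    """List the content indices flagged in the header's content-index bitmap.
    The bitmap is big-endian within each byte: bit 7 of byte 0 is content 0."""
    index = data[CONTENT_INDEX_OFF:CONTENT_INDEX_OFF + CONTENT_INDEX_LEN]
    return [byte_no * 8 + bit
            for byte_no, b in enumerate(index)
            for bit in range(8) if b & (0x80 >> bit)]


def build_sample_cia(cert=0x0A00, ticket=0x0350, tmd=0x0B34, content=0x4000, meta=0,
                     contents=(0,)):
    """Construct a sample CIA whose section sizes are made up and whose section
    bodies are zero-filled, so the parser can be exercised offline."""
    index = bytearray(CONTENT_INDEX_LEN)
    for cid in contents:
        index[cid // 8] |= 0x80 >> (cid % 8)
    header = struct.pack("<IHHIIIIQ", CIA_HEADER_SIZE, 0, 0, cert, ticket, tmd, meta, content)
    total = align64(CIA_HEADER_SIZE)
    for size in (cert, ticket, tmd, content, meta):
        total = align64(total + size)
    return bytes(header) + bytes(index) + b"\0" * (total - CIA_HEADER_SIZE)


if __name__ == "__main__":
    sample = build_sample_cia()
    for name, (off, size) in parse_cia_layout(sample).items():
        print("%-10s offset 0x%05x size 0x%05x" % (name, off, size))
    print("contents present:", present_contents(sample))
    print("truncated file accepted:", is_well_formed(sample[:-1]))
```

The parser only walks the container; it does not verify the certificate chain, ticket or TMD signatures, which is exactly the step a CFW such as the one in this thread bypasses.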
 
CIA is a Nintendo package for ARM11 code that is easy to install with the standard 3DS services. That's all.

3DS files are cartridge dumps (but you can package homebrews in this format too). They are meant to be used with flash carts.

Writing a loader would be possible, but someone has to do it. I will not try to do it, because I'm not so interested in making games playable.

Loading the 3DSX format is more interesting, and the code is already available in the HB loader sources. The one thing missing in the code is a way to make memory executable after writing the code into memory (smealum uses his custom HB service installed by ninjhax). We only need someone that wants to work on this.



I have a great admiration for smea's work, the same for the other highly skilled devs of the scene.

I only don't like some of their behaviours, like pontificating on morals or releasing protected code to disincentivize newbies from researching potentially pirating solutions.

IMHO, if they want to release something, the community will thank them. If not, it's ok. That's all.

Sorry for asking, but what is the update on spiderpasta?
 
Sorry for asking, but what is the update on spiderpasta?

SpiderPasta for 4.X is completed and is now in debugging (it still crashes somewhere and I have to find where). I'm working alone, but now I'm going to ask the other PASTA devs for some help to complete this step.

After this I plan to do the port to 9.X and then return to working on the MSET entry point.
 
SpiderPasta for 4.X is completed and is now in debugging (it still crashes somewhere and I have to find where). I'm working alone, but now I'm going to ask the other PASTA devs for some help to complete this step.
After this I plan to do the port to 9.X and then return to working on the MSET entry point.
Good luck, hope you can find it soon. Static checks go first. Debugging is never an easy job.
Still there isn't a repo for those (<- forget that, I'm not asking for source). Hope I haven't annoyed you with an issue days ago.
 
Good luck, hope you can find it soon. Static checks go first. Debugging is never an easy job.
Still there isn't a repo for those (<- forget that, I'm not asking for source). Hope I haven't annoyed you with an issue days ago.
Even more so when each debugging cycle takes like a minute (remove SD from 3DS, insert SD in computer, stare the code down and try to fix it, recompile, remove SD from computer, insert SD in 3DS, launch spider, repeat).
 
Ego is always a bad thing. Helping other people is an exercise of ego suppression.

Let's put this sentence into a picture frame and save it. I truly agree with this.

Also, wtf, why should I or others accept the "piracy is bad" thing as if it were set in stone and a real truth?! As if it was a religious thing?! Piracy, understood in one or more contexts, can be a good thing, and a balancing thing for some companies vs populations, and I am not a "communist" kind of guy, on the contrary, but I think a lot of people don't think for themselves and just copy what the "good guys" say about piracy. I wonder how many of those truly believe in what they say and how many are just going for the politically correct thing.

Sad, very.
 
Hello friends, I just have one question to ask before going to do this CFW.

I own the old 3DS that runs 4.x Palantine CFW for now; as you guys know, it doesn't support any CIA game encrypted with 7.x or higher, and I will own Cubic Ninja soon.

And I saw that this Pasta CFW relies on what sysNAND you are running, which means if I'm still using 4.x and upgrade to Pasta CFW

there could be no point, right? It still cannot run games with 7.x or higher, right? Not sure, just from my understanding.

But if I want to run games with 7.x or higher, does that mean I have to upgrade my 3DS's sysNAND to 8-9.2?

And what is the way I can do this? Hope you guys can help.
 
You get much more reliable booting with MSET Pasta 4.x, but the compatibility will be the same.

You need cubic ninja currently to enjoy higher firmware pasta.
 
Last edited by zoogie,
Hello friends, I just have one question to ask before going to do this CFW.

I own the old 3DS that runs 4.x Palantine CFW for now; as you guys know, it doesn't support any CIA game encrypted with 7.x or higher, and I will own Cubic Ninja soon.

And I saw that this Pasta CFW relies on what sysNAND you are running, which means if I'm still using 4.x and upgrade to Pasta CFW

there could be no point, right? It still cannot run games with 7.x or higher, right? Not sure, just from my understanding.

But if I want to run games with 7.x or higher, does that mean I have to upgrade my 3DS's sysNAND to 8-9.2?

And what is the way I can do this? Hope you guys can help.
You're getting a copy of Cubic Ninja anyway, just update to 9.2 when it gets there and enjoy PastaCFW.
 
That's a good point mate, but I just need to play the latest games that 4.x firmware cannot run.

From my guess: get updated by Super Smash Bros to 8, then install Pasta with Cubic Ninja, and all 7.x games could be run by this device, right?

Am I right?

--------------------- MERGED ---------------------------

You're getting a copy of Cubic Ninja anyway, just update to 9.2 when it gets there and enjoy PastaCFW.

Sure man, but how do I get my machine to that version? If I just want to play Stella Glow, which requires 7.x or higher, that means a sysNAND with 8.x is enough for running this game, right?
 