Toggle sidebar

Homebrew Homebrew Development

  • Thread starter Thread starter aliak11
  • Start date Start date
  • Views Views 1,478,226
  • Replies Replies 6,048
  • Likes Likes 54
Slashmolder said:
Has anyone been running into stability problems for payloads >=16KB?
My code will only work about 1/2 the time if it's larger than 16KB.
Click to expand...


Yeah thats a problem, the best way is to load a binary into memory during the rop chain and simply run that.
I have an example in the archive i posted, that includes a whole mini filesystem but changing that should be easy :)
 
@seagal112 Good Work, i compile your emulator with Pokémon Red, and *TAN DAN*

10299403_502586173197732_50584110_n.jpg

Yeap, working fine(an bit of delay, but work) :]
 
  • Like
Reactions: Celice and emo kid 68
Let me try and have another shot at my response. I was going to ignore the following post
williamcesar2 said:
Why the mystery ? show him the way
Click to expand...
but seagal112 right after that (the very next post) confused me.
I thought I had been clear-ish.
seagal112 said:
sorry, I have no idea :wacko:
Click to expand...
originally,
jocopoco said:
Just a question on code, im debugging your launcher.dat with my emu and I find the swi 0x7b, what does it do?
Click to expand...

My re-edited response with Kane49 's comment
Bug_Checker_ said:
Here is a NOT SO SUBTLE clue
undocumented on 3dbrew ( by the_powers_that_be )

http://3dbrew.org/wiki/SVC

static inline void sudo(void *addr)
{
register void *_r0 asm ("r0") = addr;
asm volatile ( "SVC 0x7B" : : "r"(_r0) );
}

http://lmgtfy.com/?q="swi"+"svc"+"arm"
Click to expand...
Kane49 said:
Mystery ? i called the friggin function sudo, everyone and their mother should know what it does.
Click to expand...
I would like to say publicly that Kane49 was the source of the code but since I wasn't sure if he was the original author and didn't know if he would want the attribution(or perhaps unwanted attention) and I didn't credit him like I should have.

btw Kane49 did you ever have a chance to examine the code tied to SVC 0x7A ?
DisableExecuteNever(unsigned int Addr, unsigned int Size) (Stubbed for regular kernel beginning with 2.0.0-2)
It looks like it might be interesting but I don't know - never seen it.
 
Kane49 said:
Mystery ? i called the friggin function sudo, everyone and their mother should know what it does.
Click to expand...

No actually, everyone is left guessing. Does the 3DS has a superuser and and an environment with user privileges? Is there a subset of sys calls that require elevated privileges? The function name only vaguely alludes to something, doesn't actually explain anything.
 
Bug_Checker_ said:
Let me try and have another shot at my response. I was going to ignore the following post
but seagal112 right after that (the very next post) confused me.
I thought I had been clear-ish.
originally,


My re-edited response with Kane49 's comment
[/spoiler]
I would like to say publicly that Kane49 was the source of the code but since I wasn't sure if he was the original author and didn't know if he would want the attribution(or perhaps unwanted attention) and I didn't credit him like I should have.

btw Kane49 did you ever have a chance to examine the code tied to SVC 0x7A ?
DisableExecuteNever(unsigned int Addr, unsigned int Size) (Stubbed for regular kernel beginning with 2.0.0-2)
It looks like it might be interesting but I don't know - never seen it.
Click to expand...


supervisor call 0x7A does nothing but return a fatal error, not implemented, not supported result code.
 
Bond697 said:
supervisor call 0x7A does nothing but return a fatal error, not implemented, not supported result code.
Click to expand...
Could one not extract the original code, pre-stub, and replace the stub in a new firmware loaded through NAND redirection to test this function's actual intended result?
 
Bond697 said:
supervisor call 0x7A does nothing but return a fatal error, not implemented, not supported result code.
Click to expand...


Yes, I understand it doesn't work now( since 2.0.0-2+ ) but similar to what Gadorach said.
Gadorach said:
Could one not extract the original code, pre-stub, and replace the stub in a new firmware loaded through NAND redirection to test this function's actual intended result?
Click to expand...

But not even re-implementing the SVC 0x7A but analyzing what the original code looked like in 1.0.0-0 and 1.1.0-1 that was called by 0x7A .

And out of curiosity, has anyone tried NAND redirection to an older firmware? And does it work?
 
TheCruel said:
btw Kane49 did you ever have a chance to examine the code tied to SVC 0x7A ?
DisableExecuteNever(unsigned int Addr, unsigned int Size) (Stubbed for regular kernel beginning with 2.0.0-2)
It looks like it might be interesting but I don't know - never seen it.
Click to expand...


Did you really get that from my source ? because its not 0x7A but 0x7B


TheCruel said:
No actually, everyone is left guessing. Does the 3DS has a superuser and and an environment with user privileges? Is there a subset of sys calls that require elevated privileges? The function name only vaguely alludes to something, doesn't actually explain anything.
Click to expand...
If you dont know the question its unlikely the answer will help you
 
If anybody is tired of having to switch between the gateway profile installer and the homebrew profile installer to run hombrew, then you can use this little tool I made to convert it to a gateway compatible Launcher.dat.

http://filetrip.net/3ds-downloads/utilities/download-hbconverter-1-0-f32815.html

Just put the Launcher.dat in the same directory and run the exe and enter e for encrypt - That's all, you will then have a GW compatible hb file. The only small issue is that the rare hb's less than 0x9000 (about 36Kb) need to have file sizes in multiples of 16 bytes in order for the AES library to convert them. But its a simple thing to fix with a hex editor and a little padding.
 
  • Like
Reactions: Ericthegreat, redact, Flame and 1 other person
seagal112 said:
Hi!

Its time for another little demo of gb emulation.

This time I'm using heig-boy code instead of giibii, the result is a more faster emulator , and 512 ks roms working :)

Tried zelda and works ok, but of course: no saving, no fun.

Here is an example for download, with free game : Hungry are the dead. It really worth the play, but better on a real gbc or a gbc color emu :P

https://dl.dropboxusercontent.com/u/72398546/3dsgbemu_hungryarethedead.rar

And this is the game included ;)

http://pdroms.de/files/gameboy/hungry-are-the-dead-31-10-2000

Enjoy!
Click to expand...
Really amazing! Will you share the source code?

Btw, has anyone of you guys tryed to play with the CSND register, in order to have sounds in these homebrews?
 
Kane49 said:
Yeah thats a problem, the best way is to load a binary into memory during the rop chain and simply run that.
I have an example in the archive i posted, that includes a whole mini filesystem but changing that should be easy :)
Click to expand...

Though it works loading a binary into FCRAM and running it with the ARM9 processor is incredibly slow. I have a feeling the instruction cache wasn't designed to work when loading from FCRAM.
For now just using the internal fopen/fread I'm loading a larger ARM9 payload. 8090000-080FF000 should be a pretty safe region to use for what I'm doing.

Bug_Checker_ said:
But not even re-implementing the SVC 0x7A but analyzing what the original code looked like in 1.0.0-0 and 1.1.0-1 that was called by 0x7A .

And out of curiosity, has anyone tried NAND redirection to an older firmware? And does it work?
Click to expand...


SVC 0x7A was stubed starting with 2.0.0-2. Since this is a 4.X exploit we don't easily have dumps for older firmware data. It's possible to get them but there's not too much motivation to look at older code.

Firmware redirection to older firmwares should be possible but the hard part would be getting the old firmware in the first place setup correctly. I'm not sure why you'd want that though.
 
  • Like
Reactions: st4rk
Slashmolder said:
Though it works loading a binary into FCRAM and running it with the ARM9 processor is incredibly slow. I have a feeling the instruction cache wasn't designed to work when loading from FCRAM.
For now just using the internal fopen/fread I'm loading a larger ARM9 payload. 8090000-080FF000 should be a pretty safe region to use for what I'm doing.




SVC 0x7A was stubed starting with 2.0.0-2. Since this is a 4.X exploit we don't easily have dumps for older firmware data. It's possible to get them but there's not too much motivation to look at older code.

Firmware redirection to older firmwares should be possible but the hard part would be getting the old firmware in the first place setup correctly. I'm not sure why you'd want that though.
Click to expand...


experience !!!
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Hardware  2 Broken 3DSes, need help

Website for finding alternative games for 3DS

Gaming  any good rpgs on 3ds?

Hacking  Modding Reassurance

GodMode9 wont launch, holding START just goes to home screen