That's fine, do you have any idea how to do it?
I know, I just don't understand how to actually pull it off. If anyone can write an "easy to follow" guide, it would be much appreciated!
"It's pretty easy actually. Compile your ARM11 userland code (make sure it starts with a NOP), encrypt it with the shitty stream cipher described in my first post (along with the original part 2). Find the offset to the encrypted payload for your FW version (diff my annotated ROP payload with the go hax for your FW version, the gadgets are the same) and replace it with part 2 + your custom ARM code. and it will run.
Or what I did was replace two words in the first stage to skip the decryption. Then you don't have to bother encrypting/decrypting each time you make a change."
^^ How EXACTLY would I do this process?
Well, I understand what they're saying, it's just:
1. Where is the payload for a specific firmware (as in, what are the offsets for 4.5, etc.)?
2. How would I encrypt the program with the "stream cipher"?
P.S: No offense taken!
This means your system crashed and nothing else, you did something wrong and it's impossible to guess what the cause was.
Well, it's "partially" working now. It begins to load, but when the white screen slides in, it freezes, and I have to reset the system. This is farther than before, and if anyone knows what may be going on, please let me know!
Ok, one last question: How do I get the "decrypted stage2", and what do I do if the homebrew is larger than that size?
- compile ARM11 code with armips or just write it in plain assembler (if you know what you do), load address is 0x009D2000
- copy decrypted stage2 in front of your arm11 code to forge a payload
- add padding to make it 0x4000 byte
this means
0x0 - 0x1B8F = original rop code or your own
0x1B90 - 0x3FFF = your arm11 code + padding
- then encrypt it with the pseudo-rng encryption
- finally copy it to the launcher.dat offset, based on your firmware, example: 7.1 - 9.4 is 0x1A000
Note: you get arm11 code execution, but this is not enough to do anything other than what is possible with ninjhax
to 1: 0x12000
to 2: write some code in vb/c/c++/c#/python/java/whatever...
I understood all of that but I am having problems with decrypting it on PC. I tried writing a program in C# and then in C++ to read 4 bytes and add the addcipher to it, but I get a lot of gibberish with both of the programs in the output file instead of ASM.
Could you post the source (or solution, if you are using C#) of your program?
We might find the 'gibberish' problem.
I am not an expert in working with files in c++ so my code is very ugly http://pastebin.com/RDSQcUj8
key += 0xD5828281;
fread(&buffer, sizeof(int), 1, input);
buffer += key;
fwrite(&buffer, sizeof(int), 1, output);
key += 0xD5828281;
buffer += key;
fread(&buffer, sizeof(int), 1, input);
fwrite(&buffer, sizeof(int), 1, output);
should be
Why ? I first have to read the 4 bytes from the file then add the cipher.
uses a buffer of 0 in the original src
fread(&buffer, sizeof(int), 1, input);
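The following is an added example, not code from the thread or from any of its posters. It puts the payload layout from the step list above (decrypted stage2 at 0x0 - 0x1B8F, ARM11 code from 0x1B90, zero padding to 0x4000) and the word-wise additive keystream from the posted loop (key += 0xD5828281, then word += key) into one PC-side script, with an encrypt/decrypt pair so the tool can be checked by round trip before anything is written into launcher.dat. Things the thread does not settle are assumptions here: the key starts at 0, the file is treated as little-endian 32-bit words, and the "add the key" loop is the encryption direction, so decryption subtracts the same keystream. The stage2 and ARM11 bytes used in the usage block are constructed sample data.

```python
# Added example, not code from the thread. It assembles the 0x4000-byte payload
# layout given in the thread (decrypted stage2, then ARM11 code, then padding)
# and applies the word-wise additive keystream from the posted loop in both
# directions so a PC-side round trip can be checked.
# Assumptions not stated on the page: the key starts at 0, the file is handled
# as little-endian 32-bit words, and the posted "add the key" loop is the
# encryption direction (so decryption subtracts the same keystream).
import struct

KEY_STEP = 0xD5828281         # constant from the posted loop
MASK32 = 0xFFFFFFFF
STAGE2_LEN = 0x1B90           # 0x0 - 0x1B8F holds the ROP code (from the thread)
PAYLOAD_LEN = 0x4000          # padded payload size (from the thread)
ARM11_LOAD_ADDR = 0x009D2000  # load address of the ARM11 code (from the thread)
# Two little-endian encodings of an ARM NOP: "mov r0, r0" and the ARMv6K NOP hint.
ARM_NOPS = (b"\x00\x00\xa0\xe1", b"\x00\xf0\x20\xe3")


def keystream(n_words, key=0):
    """Yield n_words keystream values; the key is advanced before each word,
    matching 'key += 0xD5828281' preceding 'buffer += key' in the thread."""
    for _ in range(n_words):
        key = (key + KEY_STEP) & MASK32
        yield key


def _apply(data, key, sign):
    if len(data) % 4:
        raise ValueError("data length must be a multiple of 4 bytes")
    n = len(data) // 4
    words = struct.unpack("<%dI" % n, data)
    out = [(w + sign * k) & MASK32 for w, k in zip(words, keystream(n, key))]
    return struct.pack("<%dI" % n, *out)


def encrypt(data, key=0):
    """Add the keystream word by word (the posted loop)."""
    return _apply(data, key, +1)


def decrypt(data, key=0):
    """Subtract the keystream; inverse of encrypt() with the same start key."""
    return _apply(data, key, -1)


def build_payload(stage2, arm11_code):
    """Return stage2 + arm11_code, zero-padded to PAYLOAD_LEN."""
    if len(stage2) != STAGE2_LEN:
        raise ValueError("decrypted stage2 must be exactly 0x%X bytes" % STAGE2_LEN)
    if arm11_code[:4] not in ARM_NOPS:
        raise ValueError("ARM11 code must start with a NOP")
    body = stage2 + arm11_code
    if len(body) > PAYLOAD_LEN:
        raise ValueError("ARM11 code too large: only %d bytes fit at offset 0x%X"
                         % (PAYLOAD_LEN - STAGE2_LEN, STAGE2_LEN))
    return body + b"\x00" * (PAYLOAD_LEN - len(body))


def roundtrip_ok(payload, key=0):
    """Sanity check for the PC-side tool: decrypt(encrypt(x)) must equal x."""
    return decrypt(encrypt(payload, key), key) == payload


if __name__ == "__main__":
    # Constructed sample inputs, not real stage2 or homebrew bytes.
    stage2 = b"\x01" * STAGE2_LEN
    code = ARM_NOPS[0] + b"\x02" * 12
    payload = build_payload(stage2, code)
    print("payload size 0x%X, round trip ok: %s"
          % (len(payload), roundtrip_ok(payload)))
```

If a decryption on the PC side produces gibberish, the round-trip check separates the two likely causes: a key that does not start where the device's does, and a loop that adds where it should subtract (or advances the key at the wrong point). The size check also answers the "what if the homebrew is larger" question from the thread: with stage2 fixed at 0x1B90 bytes, the ARM11 code has 0x2470 bytes of room before the payload exceeds 0x4000.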