Hacking [WIP] open source Kernel access on 3DS

Status
Not open for further replies.

shinyquagsire23

SALT/Sm4sh Leak Guy
> Cubic Ninja and Zelda OOT, that makes 2 for the N3DS, and these are not what could be called viable.

> And even if an entry point would work on 9.5, you'll still never be able to get ARM11 kernel access on this.

They're plenty viable, they work and they work well, and the ROP itself cannot be patched regardless on either one (although OoT can be patched via eShop, but you can easily remove the update).

173210

Well-Known Member
We are trying to hook functions, but I think we should confirm that the code is correct.
To confirm that, we should write the addresses of the original functions instead of the address of jump_table.

https://github.com/Aliak/OSKA/blob/master/oska.c#L260
Code:
#include <stdio.h>

// Cache maintenance routines provided elsewhere in OSKA; their void(void)
// signatures are assumed from how they are called below.
void CleanEntireDataCache(void);
void InvalidateEntireInstructionCache(void);

void doArm9Hax(void)
{
#ifdef DEBUG_PROCESS
    printf("Setting up Arm9\n");
#endif
 
    // explicit cast: an integer address cannot be assigned to a function pointer directly
    int (*reboot)(int, int, int, int) = (int (*)(int, int, int, int))0xFFF748C4;
 
    __asm__ ("clrex");
 
    CleanEntireDataCache();
    InvalidateEntireInstructionCache();
 
    // ARM9 code copied to FCRAM 0x23F00000
    //memcpy(0xF3F00000, ARM9_PAYLOAD, ARM9_PAYLOAD_LEN);
    // write function hook at 0xFFFF0C80
    //memcpy(0xEFFF4C80, 0x9D23AC, 0x9D2580);
 
    // write FW specific offsets to copied code buffer
    *(int *)(0xEFFF4C80 + 0x60) = 0xFFFD0000; // PDN regs
    *(int *)(0xEFFF4C80 + 0x64) = 0xFFFD2000; // PXI regs
    *(int *)(0xEFFF4C80 + 0x68) = 0xFFF84DDC; // where to return to from hook
 
    // patch function 0xFFF84D90 to jump to our hook
    *(int *)(0xFFF84DD4 + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
    *(int *)(0xFFF84DD4 + 4) = 0xFFFF0C80; // jump_table + 0
    // patch reboot start function to jump to our hook
    *(int *)(0xFFFF097C + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
    *(int *)(0xFFFF097C + 4) = 0x8F028C4; // jump_table + 4
 
    // make the patched instructions visible to the instruction fetch path
    InvalidateEntireInstructionCache();
 
    printf("test1\n");
 
    reboot(0, 0, 2, 0); // trigger reboot
}
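Added example, not code from the thread or from the OSKA repository: a host-side C model of the two-word patch the post writes (`ldr pc, [pc, #-4]` followed by the target word). It shows why the literal has to sit immediately after the instruction (in ARM state the pc operand reads as the instruction's address plus 8, so `[pc, #-4]` is the next word) and implements the check 173210 suggests: point the hook at the original continuation address first, so the hook is a no-op, and confirm the patch resolves there before risking a reboot. The simulated memory buffer, the helper names and the use of the thread's addresses as sample values are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of a small slice of the ARM9 address space around the
 * patch site named in the thread (0xFFF84D90). This is a host-side buffer,
 * not real 3DS memory; it exists only so the patch can be checked offline.
 */
#define SIM_BASE 0xFFF84D90u
#define SIM_SIZE 0x100u
static uint8_t sim_mem[SIM_SIZE];

/* Little-endian 32-bit access, bounds-checked against the model. */
static int sim_write32(uint32_t addr, uint32_t val)
{
    if (addr < SIM_BASE || addr - SIM_BASE + 4 > SIM_SIZE) return -1;
    uint8_t *p = sim_mem + (addr - SIM_BASE);
    p[0] = (uint8_t)val;         p[1] = (uint8_t)(val >> 8);
    p[2] = (uint8_t)(val >> 16); p[3] = (uint8_t)(val >> 24);
    return 0;
}

static int sim_read32(uint32_t addr, uint32_t *out)
{
    if (addr < SIM_BASE || addr - SIM_BASE + 4 > SIM_SIZE) return -1;
    const uint8_t *p = sim_mem + (addr - SIM_BASE);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/*
 * Install the two-word trampoline from the thread:
 *     ldr pc, [pc, #-4]     ; 0xE51FF004
 *     .word target
 * In ARM state the pc operand reads as (address of this instruction + 8),
 * so [pc, #-4] is exactly the word stored right after the instruction.
 */
int install_trampoline(uint32_t site, uint32_t target)
{
    if (site & 3u) return -1;                  /* ARM instructions are word-aligned */
    if (sim_write32(site, 0xE51FF004u)) return -1;
    return sim_write32(site + 4, target);
}

/*
 * Decode an "ldr pc, [pc, #+/-imm12]" at `site` and resolve where the CPU
 * would branch. Returns 0 and sets *target; -1 on an out-of-model address;
 * -2 if the word at `site` is not that instruction form.
 * Encoding check: cond=AL, single data transfer, I=0 P=1 B=0 W=0 L=1,
 * Rn=pc, Rd=pc; the U bit (bit 23) and imm12 are left free by the mask.
 */
int resolve_ldr_pc_target(uint32_t site, uint32_t *target)
{
    uint32_t insn;
    if (sim_read32(site, &insn)) return -1;
    if ((insn & 0xFF7FF000u) != 0xE51FF000u) return -2;
    uint32_t imm  = insn & 0xFFFu;
    uint32_t up   = (insn >> 23) & 1u;
    uint32_t pc   = site + 8;                  /* ARM-state pc read-ahead */
    uint32_t slot = up ? pc + imm : pc - imm;
    return sim_read32(slot, target);
}

/*
 * 173210's sanity check: point the hook at the original continuation
 * address first (a no-op hook) and confirm the patch resolves there.
 * Returns 1 when the read-back target matches `expected`, else 0.
 */
int trampoline_roundtrip_ok(uint32_t site, uint32_t expected)
{
    uint32_t got;
    if (install_trampoline(site, expected)) return 0;
    if (resolve_ldr_pc_target(site, &got)) return 0;
    return got == expected;
}

int main(void)
{
    /* Sample values taken from the addresses quoted in the thread. */
    uint32_t site = 0xFFF84DD4u, cont = 0xFFF84DDCu, jt = 0xFFFF0C80u, t;
    printf("no-op hook resolves to continuation: %d\n",
           trampoline_roundtrip_ok(site, cont));
    install_trampoline(site, jt);
    if (resolve_ldr_pc_target(site, &t) == 0)
        printf("hook at %08X branches to %08X\n", site, t);
    return 0;
}
```

The decoder accepts both the `#-4` form used in the thread and the `U=1` (positive offset) form, so it can also check a literal placed further down a jump table; anything that is not an `ldr pc, [pc, #imm]` is reported rather than guessed at.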

shawnanastasio

Well-Known Member
Just curious; would it be potentially possible to launch Gateway's Launcher.dat through Cubic Ninja through this as opposed to the OoT exploit?

Axido

Maker of TRASLApp
Yes, this is what the Gateway team said they are working on.

I wouldn't mind someone working on it separately, so we might get it "sooner".
But I'm sure no capable dev would like to do GW's work and not get paid for that.
johovahs

Well-Known Member
> I wouldn't mind someone working on it separately, so we might get it "sooner".
> But I'm sure no capable dev would like to do GW's work and not get paid for that.

I don't really see the point in having someone waste their time on something that Gateway is already reporting trying to do.