Hacking [WIP] open source Kernel access on 3DS

[shinyquagsire23]

Cubic Ninja and Zelda OOT, that makes 2 for the N3DS, and these are not what could be called viable.

And even if an entry point would work on 9.5, you'll still never be able to get ARM11 kernel access on this.

They're plenty viable, they work and they work well, and the ROP itself cannot be patched regardless on either one (although OoT can be patched via eShop, but you can easily remove the update).

 

[173210]

We are trying to hook functions, but I think we should confirm that the code is correct.
To confirm that, we should write addresses of the original functions instead of address of jump_table.

https://github.com/Aliak/OSKA/blob/master/oska.c#L260

void doArm9Hax(void)
{
#ifdef DEBUG_PROCESS
    printf("Setting up Arm9\n");
#endif
 
    int (*reboot)(int, int, int, int) = 0xFFF748C4;
 
    __asm__ ("clrex");
 
    CleanEntireDataCache();
    InvalidateEntireInstructionCache();
 
    // ARM9 code copied to FCRAM 0x23F00000
    //memcpy(0xF3F00000, ARM9_PAYLOAD, ARM9_PAYLOAD_LEN);
    // write function hook at 0xFFFF0C80
    //memcpy(0xEFFF4C80, 0x9D23AC, 0x9D2580);
 
    // write FW specific offsets to copied code buffer
    *(int *)(0xEFFF4C80 + 0x60) = 0xFFFD0000; // PDN regs
    *(int *)(0xEFFF4C80 + 0x64) = 0xFFFD2000; // PXI regs
    *(int *)(0xEFFF4C80 + 0x68) = 0xFFF84DDC; // where to return to from hook
 
    // patch function 0xFFF84D90 to jump to our hook
    *(int *)(0xFFF84DD4 + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
    *(int *)(0xFFF84DD4 + 4) = 0xFFFF0C80; // jump_table + 0
    // patch reboot start function to jump to our hook
    *(int *)(0xFFFF097C + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
    *(int *)(0xFFFF097C + 4) = 0x8F028C4; // jump_table + 4
 
    InvalidateEntireInstructionCache();
 
    printf("test1\n");
 
    reboot(0, 0, 2, 0); // trigger reboot
}

 

[173210]

Does OSKA work fine?

 

[aliak11]

Does OSKA work fine?

Yes, it detects my kernel fine now.

 

[gudenau]

Doesn't the Arm9hax need to be in arm11 kernel mode?

 

[williamcesar2]

keep up the great work ! open... > closed...

 

[shawnanastasio]

Just curious; would it be potentially possible to launch Gateway's Launcher.dat through Cubic Ninja through this as opposed to the OoT exploit?

 

[zuxicovp]

Just curious; would it be potentially possible to launch Gateway's Launcher.dat through Cubic Ninja through this as opposed to the OoT exploit?

Yes, this is what the Gateway team said they are working on

 

[Axido]

Yes, this is what the Gateway team said they are working on

I wouldn't mind someone being working on it separately, so we might get it "sooner".
But I'm sure no capable dev would like to do GWs work and not get paid for that.

 

[173210]

Doesn't the Arm9hax need to be in arm11 kernel mode?

I guess so.

 

[froggestspirit]

Can any of this be used to port downgrading to 9.3?

 

[josamilu]

Can any of this be used to port downgrading to 9.3?

This uses Ninjhax, which don't work on 9.3, because one of the needed exploits was fixed.

 

[froggestspirit]

I'm not sure how it works, but I know that firmlaunch hax is still in 9.3, has anyone tried using that?

 

[gudenau]

I wouldn't mind someone being working on it separately, so we might get it "sooner".
But I'm sure no capable dev would like to do GWs work and not get paid for that.

I was going to do that, then they said they are. :-P

 

[shinyquagsire23]

I'm not sure how it works, but I know that firmlaunch hax is still in 9.3, has anyone tried using that?

memchunkhax isn't though, and ARM11 kernel is required to use firmlaunch hax, so in reality everything is still 9.2 or below, no open source/closed source exploit recreation changes that.

 

[minipablo]

Yes, it detects my kernel fine now.

So i deduce that oska is working properly now?

 

[173210]

So i deduce that oska is working properly now?

ARM9 Exploit won't work now.

 

[johovahs]

I wouldn't mind someone being working on it separately, so we might get it "sooner".
But I'm sure no capable dev would like to do GWs work and not get paid for that.

I don't really see the point in having someone waste their time on something that gateway is already reporting trying to do.

 

[173210]

I suggest we have milestones. My plan:
1. Get ARM11 kernel access -> Achieved
2. Release all ARM11 SVC -> Achieved
3. Hook ARM11 functions to gain ARM9 access -> Not confirmed
4. Get ARM9 access
5. Enable to reboot
6. Add patches
7. Add configurations
8. Add UI

 

[mordorer]

good job! if arm9 becames a success, do you plan on an open source cfw?