Hacking [WIP] open source Kernel access on 3DS

[173210]

good job! if arm9 becames a success, do you plan on an open source cfw?

Why do you have to ask that? OSKA is already open source.

 

[lpchaim]

Why do you have to ask that? OSKA is already open source.

Well, it might be because kernel access and CFW aren't necessarily linked in most people's minds. I think that line of thinking bleeds from the PSP or, to a lesser extent, PS3 scenes.
If I remember correctly from the KARL thread, granting access needs reboot-persistant patches that technically makes a patched OS CFW, even if not permanent, right?

 

[Monado_III]

How is this going to be different from KARL3DS? (outside of the fact this is open source, yay!)

 

[MrJason005]

How is this going to be different from KARL3DS? (outside of the fact this is open source, yay!)

it allows da pirattteezz

 

[Suiginou]

Uh, I think that's wrong past 0x4000. The add counter resets every 0x4000 bytes.

Here is a slight enhancement of ernie's program that decrypts each firmware region properly and to separate files.

...

Applying this to the GW 3.0 Launcher.dat yields a number of files (namely, offset_0x0A000.bin, offset_0x0E000.bin, offset_0x12000.bin, offset_0x16000.bin and offset_0x1A000.bin), but apparently none of them contain strings as one would expect (e.g. no instance of "save", case in-sensitive in either UTF8 or UTF16{L,B}E). Is there more obfuscation down the road or am I doing something wrong?

 

[apoptygma]

Name suggestion for this project - LENNY3DS

 

[omegart]

Name suggestion for this project - LENNY3DS

https://gbatemp.net/threads/wip-open-source-kernel-access-on-3ds.383534/page-4#post-5391390

 

[flipy]

Applying this to the GW 3.0 Launcher.dat yields a number of files (namely, offset_0x0A000.bin, offset_0x0E000.bin, offset_0x12000.bin, offset_0x16000.bin and offset_0x1A000.bin), but apparently none of them contain strings as one would expect (e.g. no instance of "save", case in-sensitive in either UTF8 or UTF16{L,B}E). Is there more obfuscation down the road or am I doing something wrong?

Same here, output is not useful, so I might be missing something or done something wrong.

 

[173210]

it allows da pirattteezz

SHUT UP unless you can write alternative codes of my source codes.
I know where pepole who make software for piracy for Nintendo in Japan will go.

 

[MrJason005]

SHUT UP unless you can write alternative codes of my source codes.
I know where pepole who make software for piracy for Nintendo in Japan will go.

My post was never meant to be taken seriously. The way I emphasized my sentence, my effort into making seem like a stereotype, and how crude it was written back that up. It was meant to be a joke, and it could interparted by some that it is in complete contrast with KARL.
I never meant to cause any harm to anyone involved, and if I indeed did I would like to give my sincerest apologies.

 

[PKNess]

Lets just say It's a open source CFW, we know can be done with it, but it no need to say it. Also, great work you guys, I am waiting to see al the job done.

 

[173210]

My post was never meant to be taken seriously. The way I emphasized my sentence, my effort into making seem like a stereotype, and how crude it was written back that up. It was meant to be a joke, and it could interparted by some that it is in complete contrast with KARL.
I never meant to cause any harm to anyone involved.

Anyway, please don't say anymore such a thing.

 

[173210]

Lets just say It's a open source CFW, we know can be done with it, but it no need to say it. Also, great work you guys, I am waiting to see al the job done.

Thank you for understanding. I'm working on the development...

 

[PKNess]

Thank you for understanding. I'm working on the development...

Thank to you guys to make such a thing, you people are the ones who makes all this scene keep going on!

 

[dubbz82]

How is this going to be different from KARL3DS? (outside of the fact this is open source, yay!)

This will allow for outside developers to grab the source code and improve upon it, making enhancements on it, updating it, and modifying it to their need. KARL3DS, you'll be at the whim of whatever the developers want to do (or not) with it. If there's bugs in the software, tough luck until if/when they fix it...

 

[shinyquagsire23]

This will allow for outside developers to grab the source code and improve upon it, making enhancements on it, updating it, and modifying it to their need. KARL3DS, you'll be at the whim of whatever the developers want to do (or not) with it. If there's bugs in the software, tough luck until if/when they fix it...

We have plans to open source pieces of our code as we go along. At the time however we realized that keeping ARM9 open was not a good idea (for several reasons), so we kept it closed for the time being. We would just prefer that our code not directly lead to the result of a warez loader, however there's still no point in keeping it closed if an exact equivalent is remaining open.

 

[173210]

We have plans to open source pieces of our code as we go along. At the time however we realized that keeping ARM9 open was not a good idea (for several reasons), so we kept it closed for the time being. We would just prefer that our code not directly lead to the result of a warez loader, however there's still no point in keeping it closed if an exact equivalent is remaining open.

I'm developing on my policy; I consider softwares should be as "free" as possible. It's the difference from piracy.

 

[flipy]

Thank you for understanding. I'm working on the development...

Thanks for your work, and thanks for your code, easy to follow using Yifan Lu explanations!
Not a ASM-guru, but at least can understand how the exploits work, and what is still missing.

We have plans to open source pieces of our code as we go along. At the time however we realized that keeping ARM9 open was not a good idea (for several reasons), so we kept it closed for the time being. We would just prefer that our code not directly lead to the result of a warez loader, however there's still no point in keeping it closed if an exact equivalent is remaining open.

Understandable, but let's keep the discussion off the thread if possible (your thread has been several times hijacked for the same reason).

 

[173210]

Can anyone dump 0xEFFF497C and 0xEFFF4980?

diff --git a/oska.c b/oska.c
index fbfbb87..a1e992e 100644
--- a/oska.c
+++ b/oska.c
@@ -284,6 +284,9 @@ int exploit()
 
        HB_ReprotectMemory(nopSlide, 4, 7, &result);
 
+      printf("0xEFFF497C: 0x%08" PRIx32 " 0x%08" PRIx32 "\n",
+              *(int32_t *)0xEFFF497C, *(int32_t *)0xEFFF4980);
+
        for (i = 0; i < sizeof(nopSlide) / sizeof(int32_t); i++)
                nopSlide[i] = 0xE1A00000; // ARM NOP instruction
        nopSlide[i-1] = 0xE12FFF1E; // ARM BX LR instruction

 

[flipy]

Can anyone dump 0xEFFF497C and 0xEFFF4980?

diff --git a/oska.c b/oska.c
index fbfbb87..a1e992e 100644
--- a/oska.c
+++ b/oska.c
@@ -284,6 +284,9 @@ int exploit()
 
        HB_ReprotectMemory(nopSlide, 4, 7, &result);
 
+      printf("0xEFFF497C: 0x%08" PRIx32 " 0x%08" PRIx32 "\n",
+              *(int32_t *)0xEFFF497C, *(int32_t *)0xEFFF4980);
+
        for (i = 0; i < sizeof(nopSlide) / sizeof(int32_t); i++)
                nopSlide[i] = 0xE1A00000; // ARM NOP instruction
        nopSlide[i-1] = 0xE12FFF1E; // ARM BX LR instruction

Crashes and causes a soft-reboot on 4.5.0-8E without printing anything on the screen.