Hacking [WIP] open source Kernel access on 3DS

[Kirbs]

Will this use cubic ninja to work?

 

[173210]

Crashes and causes a soft-reboot on 4.5.0-8E without printing anything on the screen.

Does it crash without my printf?

 

[173210]

Will this use cubic ninja to work?

Yes, of course.

 

[flipy]

Does it crash without my printf?

Right, no text is printed.

 

[173210]

Right, no text is printed.

Can you try OSKA without my printf code?

 

[flipy]

Can you try OSKA without my printf code?

OSKA boots fine without printf.
It hangs and returns to home with a warning followed by a soft-reboot.
Do you have a boot.3dsx that I can try? (to eliminate bad builds on my end)

Edit: tried printing a test string and it gets printed.
Edit2: tried printing both memory addresses separated, but it hanged on both

 

[173210]

OSKA boots fine without printf.
It hangs and returns to home with a warning followed by a soft-reboot.
Do you have a boot.3dsx that I can try? (to eliminate bad builds on my end)

Edit: tried printing a test string and it gets printed.
Edit2: tried printing both memory addresses separated, but it hanged on both

I think it crashes because it try to access kernel memory.
Write printf in arm11Kexec and try again.

diff --git a/oska.c b/oska.c
index fbfbb87..0877d80 100644
--- a/oska.c
+++ b/oska.c
@@ -257,6 +257,9 @@ static void __attribute__((naked)) arm11Kexec()
 
        __asm__("add sp, sp, #8\n");
 
+      printf("0xEFFF497C: 0x%08" PRIx32 ", 0x%08" PRIx32 "\n",
+              *(int *)0xEFFF497C, *(int *)0xEFFF4980);
+
        buf[0] = 0xF00FF00F;
 
        // Fix up memory

 

[flipy]

I think it crashes because it try to access kernel memory.
Write printf in arm11Kexec and try again.

diff --git a/oska.c b/oska.c
index fbfbb87..0877d80 100644
--- a/oska.c
+++ b/oska.c
@@ -257,6 +257,9 @@ static void __attribute__((naked)) arm11Kexec()
 
        __asm__("add sp, sp, #8\n");
 
+      printf("0xEFFF497C: 0x%08" PRIx32 ", 0x%08" PRIx32 "\n",
+              *(int *)0xEFFF497C, *(int *)0xEFFF4980);
+
        buf[0] = 0xF00FF00F;
 
        // Fix up memory

Now something is printed, but is garbage and can't be recognized.
Compiler complains about types being printed: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'int' [-Wformat=]

 

[173210]

Now something is printed, but is garbage and can't be recognized.
Compiler complains about types being printed: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'int' [-Wformat=]

I forgot int32_t. Anyway, printf may not work on supervisor mode.
If so, this code should work.

diff --git a/oska.c b/oska.c
index fbfbb87..d6f1c1e 100644
--- a/oska.c
+++ b/oska.c
@@ -14,6 +14,7 @@ static int32_t *buf;
static int32_t *createThreadPatchPtr;
static int32_t *svcPatchPtr;
static int svcIsPatched = 0;
+static int32_t dump[2];
 
// Uncomment to have progress printed w/ printf
#define DEBUG_PROCESS
@@ -271,7 +272,9 @@ static void __attribute__((naked)) arm11Kexec()
        InvalidateAllIcache();
        CleanAllDcache();
 
-      arm9Exploit();
+      // arm9Exploit();
+      dump[0] = *(int32_t *)0xEFFF497C;
+      dump[1] = *(int32_t *)0xEFFF4980;
 
        __asm__("movs r0, #0\n"
                "pop {pc}\n");
@@ -317,6 +320,8 @@ int exploit()
                :: "i"(arm11Kexec) : "r0");
#ifdef DEBUG_PROCESS
        if (svcIsPatched) {
+              printf("dump = { 0x%08" PRIx32 ", 0x%08" PRIx32 "\n",
+                      dump[0], dump[1]);
                printf("Testing SVC 0x7B\n");
                __asm__("ldr r0, =%0\n"
                        "svc #0x7B\n"

 

[flipy]

I forgot int32_t. Anyway, printf may not work on supervisor mode.
If so, this code should work.

diff --git a/oska.c b/oska.c
index fbfbb87..d6f1c1e 100644
--- a/oska.c
+++ b/oska.c
@@ -14,6 +14,7 @@ static int32_t *buf;
static int32_t *createThreadPatchPtr;
static int32_t *svcPatchPtr;
static int svcIsPatched = 0;
+static int32_t dump[2];
 
// Uncomment to have progress printed w/ printf
#define DEBUG_PROCESS
@@ -271,7 +272,9 @@ static void __attribute__((naked)) arm11Kexec()
        InvalidateAllIcache();
        CleanAllDcache();
 
-      arm9Exploit();
+      // arm9Exploit();
+      dump[0] = *(int32_t *)0xEFFF497C;
+      dump[1] = *(int32_t *)0xEFFF4980;
 
        __asm__("movs r0, #0\n"
                "pop {pc}\n");
@@ -317,6 +320,8 @@ int exploit()
                :: "i"(arm11Kexec) : "r0");
#ifdef DEBUG_PROCESS
        if (svcIsPatched) {
+              printf("dump = { 0x%08" PRIx32 ", 0x%08" PRIx32 "\n",
+                      dump[0], dump[1]);
                printf("Testing SVC 0x7B\n");
                __asm__("ldr r0, =%0\n"
                        "svc #0x7B\n"

Not always svcIsPatched returns true.
Result:

dump = { 0xe28f0010, 0xe28f1044 }

 

[173210]

Not always svcIsPatched returns true.
Result:

dump = { 0xe28f0010, 0xe28f1044 }

Thank you for your report.

 

[173210]

By the way, OSKA doesn't have license agreements.
To prevent others from using our code with closed softwares, we should license our code under copyleft license.
I often use GPLv3. If you agree to use GPLv3, please like this post. If you disagree, please write your opinion.

 

[Datalogger]

Two quick questions.

Does it help to have someone run this patch on a N3DSXL with 9.0.0-20U ?
If so, are any of the patches posted earlier left applied to what's on the GIT, or just the last one?

Using just this one patch I get
dump = { 0x00000000, 0x00000000

 

[gudenau]

Pro tip:
PXI/PDN is diffrent on >= 9.0.0 then on < 9.0.0.

 

[173210]

Two quick questions.

Does it help to have someone run this patch on a N3DSXL with 9.0.0-20U ?
If so, are any of the patches posted earlier left applied to what's on the GIT, or just the last one?

Using just this one patch I get
dump = { 0x00000000, 0x00000000

The patch has not been completed yet.
I'll tell you the progress of the development as soon as possible to get your report for OSKA's behavior and make our project more democratic.

 

[powersaver]

173210, please allow PM.

 

[Datalogger]

The patch has not been completed yet.
I'll tell you the progress of the development as soon as possible to get your report for OSKA's behavior and make our project more democratic.

OK, Thanks.
Just seeing if there's anything I can do to help out...
I've got plenty experience with DevkitPro from my wii days.

 

[173210]

173210, please allow PM.

Changed settings.

 

[ody81]

By the way, OSKA doesn't have license agreements.
To prevent others from using our code with closed softwares, we should license our code under copyleft license.
I often use GPLv3. If you agree to use GPLv3, please like this post. If you disagree, please write your opinion.

That's a great idea, the gpl is there for a reason so you should use it.

It doesn't detract from the project in any way.

By the way, good for you guys and good luck. I also think certain software should be free and open sourced for the masses

 

[Datalogger]

I just now finished reading what yifan.lu said about the ARM9 Kernel exploit.
Quite the interesting read...