Hacking Official Corbenik - Another CFW for advanced users (with bytecode patches!)

  • Thread starter: chaoskagami
  • Views: 286,885
  • Replies: 2,153
  • Likes: 60
It redirects mystery gift in Pokemon X/Y/OR/AS to SALT's clone servers. They archive previous mystery gifts. See here and here: https://mys.salthax.org/ , https://gbatemp.net/threads/pokemon-xyoras-mystery-machine-mystery-gift-spoofer.422613/

It performs the same functionality as the official patcher shinyquagsire23 has. You can punch in any number listed on the salthax page to get previous mystery gifts.
I will take a look at that tomorrow since I am off work tomorrow and have to dick around with stuff.
BTW, I am still trying to break your CFW. I've been fucking around with reboot patches pretty hard and giving them a very serious run for their money. Thus far, nothing special has happened. This includes running an out-of-region game (EU version of Smash) with the reboot patches; it still reboots like normal. Starting a memory-heavy game before everything loads (MH4) and then quickly closing the game, which actually caused me a soft lock on several other CFWs (can't replicate, as it seems to have been fixed in all of them, but basically it just left me with a black screen and I would have to hard reset), I wasn't able to get a soft lock, which is good.
I would also like to mention that your CFW does load on ShadowNAND's A9LH.


@chaoskagami
Am I able to brick if it goes wrong?
Your system is safe, trust me, I've been testing the shit out of this CFW for old3DS.
 
Last edited by The Catboy,
Sorry, I quoted the wrong post. I meant: would I brick if the Brahma thing bricks?

Brahma outright doesn't work. You'll just blackscreen. When I was a9lh'ing my other 3DS, I tested it.





The 'safe' bit is up for debate until I test FIRM Protection. There's theoretically nothing wrong with it, though.
 
Last edited by chaoskagami,
Do you mean that high memory mode might not have FIRM protection? I am a little confused.
My confusion aside, I am still not able to break your code no matter what stupid thing I throw at it.
 
Last edited by The Catboy,

No system update has hit yet, so FIRM protection hasn't received the proper testing to ensure it really does work. I'm probably going to do some testing with a downgraded emuNAND to make sure it does what it's supposed to. It should, since it's literally the same fix as Luma, but it doesn't change that I haven't actually run an update with it on.
 
Last edited by chaoskagami,
If it's the same fix as Luma3DS, then I am 90% sure it should work, since I know SaltFW uses the same patches and I was able to update all of my systems running SaltFW.
Still, testing would be the best bet. I would test it myself, but I lack any system with an emuNAND. I might give it a test myself tomorrow.
 

Despite being a reimplementation in bytecode, it's the same fix. Assuming nothing is wrong with the VM, it should work.
 
Well, the mystery machine part isn't working :/
Unless I forgot something?

Boot into Corbenik and start Pokémon Omega Ruby (or any other compatible Pokémon game), then use any code from the salthax page; it always gives me an incorrect code.

My current config to test it with:

Setup:
- O3DS - SysNAND 9.2 / EmuNAND 11.0
- Corbenik//r184: 6b9f56df
- Firmware: 11.0.0 (00000052)
- GBA Firmware (AGB): 6.0.0 (0000000b)
- DSi Firmware (TWL): 6.2.0 (00000016)

Options:
General Options
- [x] svcBackdoor Fixup
- [x] Reboot Hook
- [x] Use EmuNAND
- [0] Index
- [x] Autoboot
- [ ] Silent mode

Loader Options
- [x] Use Loader Replacement
- [ ] Language Emulation
- [ ] Load Code Sections
- [ ] Dump Title Code Sections
- [ ] + System Titles

Developer Options
- [ ] Step Through
- [ ] Verbose
- [ ] Logging

Patches:
- [x] Title Downgrade Fix (11.0 NFIRM)
- [x] AGB Bootscreen
- [x] AGB Signature fix
- [x] Block Cart Updates (Loader)
- [x] Block eShop Updates (Loader)
- [x] Block NIM updates (Loader)
- [x] ErrDisp devmode (Loader)
- [ ] Fake Friends module version (Loader)
- [ ] ARM11 XN Disable
- [x] MSET Version (Loader)
- [ ] Force Testmenu (Loader)
- [x] FIRM Protect
- [x] Region free HOME (Loader)
- [x] RO signature fix (Loader)
- [ ] SecureInfo_A Signature Fix (Loader)
- [x] Signature Fix
- [x] TWL Patches
- [ ] Developer UNITINFO
- [x] MysteryMachine Patcher (Loader)
 
Last edited by DjoeN,
It should work... unless the copy you're testing on has a different titleID than the legitimate copies that I'm testing for. Enable 'Logging' and 'Verbose', save the config, then boot the console and launch Pokemon. Then upload the 'loader.log' here. Pokemon is a global release, meaning all regions have the same TID.

Oh, and for some unknown reason, entering a code sometimes screws up. I'm not sure why. In this case hitting 'Internet' will randomly hand out gifts you don't yet have as registered. I've tested this mostly with Omega and X.


EDIT: BTW, people building git will now need to check out submodules and have a native host gcc. You'll notice that the UI looks a little different now. ;P
 
Last edited by chaoskagami,
The current way Corbenik functions is meant as a tool. It's not meant as a one-click noob-friendly thing, nor will it ever be. This is a strength, not a weakness. It's a conscious design decision, and mostly my philosophy on how things should work.

I have different design goals than other CFWs that I believe are mutually incompatible with a noob-friendly approach. This means that I expose more unsafe toggles and give more control over what it does and how it does so. I'm catering to a different (and much smaller) userbase, and I don't intend to change this.
I get the feeling that Corbenik will be used for a lot of experiments which other CFW authors may import into their firmwares once they've been tested, polished and made noob-proof. A win/win. Any thoughts on that?
 

Hey, it's GPLv3. I don't care.
 
Seeing how noob-proof CFWs are self-contained, I doubt their authors will want to include hardcoded patches to the main binary. This is an advantage of the patching system, which is also implemented in ReiNAND (although not even close to how Corbenik does it).
 
Oh, I don't mean directly copying stuff. It just seems to me that the bytecode technique allows for much quicker and easier (and more dangerous) tests & experiments which would be out of scope for other CFWs but could still provide them with valuable information.
 
ReiNAND allows changing the search patterns and replacements, basically.

I'm pretty sure it's probably not worth the effort to import my code, honestly. I do a lot differently than pretty much everything and importing would imply importing ~80% of the code. The other thing that somewhat makes this infeasible is Corbenik is really NOT meant to be used in a self-contained manner in any way.

So, the "1100"-version in MSET is intentional?

Btw, love this CFW. Alternating between this and Luma. ;)

I omitted the dots to make a reference. Otherwise, it's the same data as the official version, just a different format. The official format is 'Ver. %d.%d.%d-%d%lu'. I set it to '.hack//%d%d%d:%d%lu'
 

Ok, great. Nothing breaks if I change it myself?
 
If you're planning on making a custom version string - just make sure not to exceed the current size (it's a hard limit)
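The two constraints in the reply above (the replacement must not exceed the original string's size, and, since it is a printf-style format, it must still consume the same arguments) can be checked mechanically before a custom MSET string is written. The following is an added example, not Corbenik's code; the slot contents, sample version values and the `version_fmt_is_safe`/`patch_version_fmt` names are constructed for illustration, with the two format strings taken from the thread.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CONV 8
/* Collect the printf conversions in fmt ("d", "lu", ...) into out[]; return the count,
 * or -1 if the format is malformed. Length modifiers stay attached to the letter. */
static int conversions(const char *fmt, char out[MAX_CONV][4])
{
    int n = 0; const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }                 /* literal "%%" */
        while (*p && strchr("-+ #0123456789.", *p)) p++;  /* flags, width, precision */
        if (n >= MAX_CONV) return -1;
        int k = 0;
        while (*p && strchr("hlz", *p) && k < 2) out[n][k++] = *p++;
        if (!*p) return -1;                               /* spec cut off by NUL */
        out[n][k++] = *p++;
        out[n][k] = '\0';
        n++;
    }
    return n;
}
/* 1 if custom may replace official in place: it fits the slot (NUL included) and
 * consumes the identical argument list, so the caller's varargs still match. */
int version_fmt_is_safe(const char *official, const char *custom)
{
    char a[MAX_CONV][4], b[MAX_CONV][4];
    if (strlen(custom) > strlen(official)) return 0;      /* the hard size limit */
    int na = conversions(official, a), nb = conversions(custom, b);
    if (na < 0 || na != nb) return 0;
    for (int i = 0; i < na; i++)
        if (strcmp(a[i], b[i]) != 0) return 0;
    return 1;
}
/* Overwrite the string in slot (slot_len bytes) only if the checks pass. */
int patch_version_fmt(char *slot, size_t slot_len, const char *custom)
{
    if (strlen(slot) >= slot_len || !version_fmt_is_safe(slot, custom)) return 0;
    memset(slot, 0, slot_len);                            /* leave no stale tail */
    memcpy(slot, custom, strlen(custom));
    return 1;
}
int main(void)
{
    char slot[] = "Ver. %d.%d.%d-%d%lu";   /* constructed slot holding the official string */
    char out[64];
    printf("%d\n", patch_version_fmt(slot, sizeof slot, ".hack//%d%d%d:%d%lu"));     /* 1 */
    printf("%d\n", patch_version_fmt(slot, sizeof slot, "Corbenik %d.%d.%d-%d%lu")); /* 0: too long */
    snprintf(out, sizeof out, slot, 11, 0, 0, 33, 52UL);  /* constructed sample values */
    puts(out);
    return 0;
}
```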
 