Booting CFW successfully

miamore

I don't know where I read the thread, but I'm pretty sure, from what I can remember, that there was a thread where someone (a forum member) fixed the Govanify CFW files, I don't know if boot.bin or Launcher.dat, so that you get a successful CFW boot without having to press the Nintendo DS profile randomly within a limited number of seconds. Can someone link me? I can't seem to find it. Thanks :)
 

bannana2

I don't know where I read the thread, but I'm pretty sure, from what I can remember, that there was a thread where someone (a forum member) fixed the Govanify CFW files, I don't know if boot.bin or Launcher.dat, so that you get a successful CFW boot without having to press the Nintendo DS profile randomly within a limited number of seconds. Can someone link me? I can't seem to find it. Thanks :)
I can help you with that, but you'll need to PM me for details. I don't want it released yet.
 

nop90

http://gbatemp.net/threads/release-pbt-cfw-import-cias-on-your-sysnand.383242/

I didn't test it very much as I have a Gateway, but I found it was less unstable, but maybe it's just me...

It's the same. Maybe a little more stable when in CTRServer mode, which is much more unstable than normal use.

The problems during the boot, based on what I understood from reversing the code, depend on the way the cache is invalidated before hacking the interrupt vector to get ARM11 user mode code execution.

Code:
bl func_00000a70 @ ClearScreen(Black)
bl func_00001a1c @ ARM11_Exploit -> this always works (cyan screen). If it failed, the top screen would be red.
bl func_00000b9c @ Clear and invalidate cache. Here is where it hangs
movs r0, #255    @ 0xff = white
bl func_00000a70 @ ClearScreen(white) -> It worked :-)

The function that clears and invalidates the data cache isn't the problem; it's called several times before. So I think that it's how the interrupt hack is performed.

If you have other information, it is welcome. Otherwise please stop arguing about things you don't understand.
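For readers who want to compare the hanging "clean and invalidate cache" step against a known-good reference, the following is an added example, not code from this thread, from Launcher.dat or from any of the CFW projects named above. It is the generic ARM946E-S cache-maintenance sequence built only from the CP15 c7 operations documented for that core: clean and invalidate every data-cache line by way/set index, drain the write buffer, then invalidate the whole instruction cache, in that order, before any patched vector or handler is installed. The data-cache geometry (4 KB, 4-way, 32-byte lines, so 32 sets with the set index in bits 5..9 and the way in bits 31..30) and the routine names are assumptions made here, not values taken from the thread; adjust DCACHE_SIZE and LINE_SIZE if the target differs.

```arm
@ Added example (not from the thread or from Launcher.dat): generic ARM946E-S
@ cache sync before hijacking a vector. ASSUMPTION: 4 KB, 4-way, 32-byte-line
@ data cache (32 sets) -> set index in bits 9..5, way in bits 31..30.
.cpu arm946e-s
.arch armv5te
.arm

.set LINE_SIZE,   32
.set DCACHE_SIZE, 4096
.set DCACHE_WAYS, 4
.set SET_BYTES,   DCACHE_SIZE / DCACHE_WAYS   @ 1024 bytes indexed per way
.set WAY_STEP,    0x40000000                   @ way number lives in bits 31..30

.global dc_clean_invalidate_all
.global ic_invalidate_all
.global cache_sync_before_hijack

@ Clean (write back) and invalidate every data-cache line, walking each
@ way/set pair. The Rd operand for c7,c14,2 is: way<<30 | set<<5.
dc_clean_invalidate_all:
    mov     r1, #0                  @ way selector (bits 31..30)
1:  mov     r0, #0                  @ set selector (bits 9..5)
2:  orr     r2, r1, r0
    mcr     p15, 0, r2, c7, c14, 2  @ clean + flush DCache line by index/way
    add     r0, r0, #LINE_SIZE
    cmp     r0, #SET_BYTES
    bne     2b
    adds    r1, r1, #WAY_STEP       @ next way; wraps to 0 (Z set) after way 3
    bne     1b
    mov     r0, #0
    mcr     p15, 0, r0, c7, c10, 4  @ drain write buffer so RAM holds the data
    bx      lr

@ Invalidate the whole instruction cache so newly written code (for example a
@ patched interrupt vector or handler) is fetched from memory, not stale lines.
ic_invalidate_all:
    mov     r0, #0
    mcr     p15, 0, r0, c7, c5, 0   @ flush entire ICache
    bx      lr

@ Order matters: write back data first, drain, then drop stale instruction
@ lines, and only then let the caller install the hijacked vector. Skipping
@ the drain or swapping the steps is a classic cause of intermittent boots.
cache_sync_before_hijack:
    push    {lr}
    bl      dc_clean_invalidate_all
    bl      ic_invalidate_all
    pop     {pc}
```

When diffing against the real func_00000b9c, the things to check are whether the loop covers every way (the high two bits) and every set, whether the write buffer is drained before the instruction cache is touched, and whether interrupts are still enabled while the vector is being rewritten; a cache routine that is correct on its own can still hang if an interrupt fires between the invalidate and the vector write.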
 

johovahs

What do you mean? Do you want to change the left trigger to the right trigger? And you do know that holding down the trigger to enter CFW is not needed once BBM is installed.
 

pastaconsumer

What do you mean? Do you want to change the left trigger to the right trigger? And you do know that holding down the trigger to enter CFW is not needed once BBM is installed.

I changed a value in boot.bin to use the R button instead of the L... I actually didn't know that after a CIA manager was installed I could just tap DS Profile Settings. I have not had much luck.
 

johovahs

Using a class 10 card really helps with boot success. I tested with a class 4 card and it took about 6 or 7 tries to boot into it. But with the class 10 it takes about 1 to 3 tries. So possibly check that first if you don't have a class 10.
 

bannana2

Code:
.cpu arm946e-s
.arch armv5te
.arm
.section .text.start
.global _start
_start:
    nop
    nop
    nop                         @ different/added
    blx MainCode
    ldr r0, =0x1FF8000          @ Instruction TCM
    bx r0
    mov r0, #255

    ldr r4, =0x04               @ different
    adr r0, boot_bin            @ very different

fail_junk2:
    ldr r0, =0xDEADBEEF
    beq end_cond                @ different
    beq set_byte                @ different

MainCode:
    push {r4, lr}
    sub sp, sp, #0xA8
    mov r4, #0
    add r1, sp, #0xB0-0xA8      @ different
    adr r0, boot_bin
    mov r2, #0x0F               @ different
    str r4, [sp, #0xB0-0xB0]    @ different
    str r4, [sp, #0xB0-0xAC]    @ different
    bl CopyStringToMemory
Carefully look at the differences between this code and the original. The one st4rk has is on GitHub; I'm working based on that. Thus far, this method has a bigger success rate than the changes I have made previously.
 

bannana2

It's the same. Maybe a little more stable when in CTRServer mode, which is much more unstable than normal use.

The problems during the boot, based on what I understood from reversing the code, depend on the way the cache is invalidated before hacking the interrupt vector to get ARM11 user mode code execution.

Code:
bl func_00000a70 @ ClearScreen(Black)
bl func_00001a1c @ ARM11_Exploit -> this always works (cyan screen). If it failed, the top screen would be red.
bl func_00000b9c @ Clear and invalidate cache. Here is where it hangs
movs r0, #255    @ 0xff = white
bl func_00000a70 @ ClearScreen(white) -> It worked :-)

The function that clears and invalidates the data cache isn't the problem; it's called several times before. So I think that it's how the interrupt hack is performed.

If you have other information, it is welcome. Otherwise please stop arguing about things you don't understand.
Oh, thank you sir. This helps me a lot.
 
