Hacking BootNTR New Version Research

[Favna]

Just to update the info on the thread: requested dumps given to Astro over discord

 

[astronautlevel]

The loader module was changed in the new update (so I wasn't completely correct on Arm11 not being changed in 11.2. it was). This change means PASLR will be enabled for all future games using the 11.x SDK.

But CFW replaces the loader entirely and disables PASLR stuff entirely as a result, so this effectively means no change at all if you are using a CFW like Luma 3DS.

Stuff other than the loader was changed.

From 3dbrew:

ARM11-kernel
3 functions were updated.

The first one is the actual handler function for svcWaitSynchronizationN.

After incrementing the counter with ldrex/strex, the last two functions now load the counter with plain ldr and executes kernelpanic() when it's zero.

Other than meaning NTR will need an update, it also means that slowhax is rip.

 

[jesus.cocano]

Other than meaning NTR will need an update, it also means that slowhax is rip.

It means that there is no solution for the moment?

 

[Noroxus]

The loader module was changed in the new update (so I wasn't completely correct on Arm11 not being changed in 11.2. it was). This change means PASLR will be enabled for all future games using the 11.x SDK.

But CFW replaces the loader entirely and disables PASLR stuff entirely as a result, so this effectively means no change at all if you are using a CFW like Luma 3DS.

PASLR on every future game.... dear god. RIP entrypoints

 

[runetoonxx2]

help ntr freezing on new3ds on patching svc check 0-0 plz

 

[nl255]

PASLR on every future game.... dear god. RIP entrypoints

Don't worry, smea has already said he is going to work on it.

 

[Favna]

help ntr freezing on new3ds on patching svc check 0-0 plz

read the last couple of pages. it needs to be updated. be patient.

 

[Noroxus]

Don't worry, smea has already said he is going to work on it.

Yeah, I know.
Kinda annoying to deal with though.... *sigh* Nintendo should just give up already.

 

[Txustra]

What is PASLR?

 

[Noroxus]

What is PASLR?

Pseudo Address Space Layout Randomization

 

[runetoonxx2]

where can i get an 11.0 firmware.bin?

 

[Dracari]

where can i get an 11.0 firmware.bin?

search "That Iso site" its against GABTemp Rules to hand out links to it.

 

[Posghetti]

where can i get an 11.0 firmware.bin?

that iso site

 

[runetoonxx2]

kk thx

 

[astronautlevel]

Thanks @Aurora Wright for being awesome as always, credit to her for finding the new offsets for the debug cache.

New release, should actually support 11.2 without freezing this time: https://github.com/astronautlevel2/BootNTR/releases/tag/3.4.2

 

[Nanquitas]

Awesome !

Thanks @Aurora Wright !

 

[astronautlevel]

Okay, I'm actually going to seriously begin work on a program to find the offsets automatically provided an axiwram dump. This should make updating NTR much easier for future NFIRM updates.

 

[Nanquitas]

Yep, I don't mind helping.

And the automatic patcher should be merged into BootNTR when it'll be working.

 

[Aurora Wright]

To update the offsets you take an axiwram dump of the already supported FIRM and one of the new FIRM (use BootNTR to make them, you need to use a version which doesn't support both FIRMs).
Then take the offsets in main.c and use this https://www.3dbrew.org/wiki/Virtual_address_mapping_New3DS_v11.1 (on Old 3DS 0xFFF20000 virt -> 0x1FFDD000 physical - thanks to TuxSH for this). axiwram starts at 0x1FF80000, so in the dump consider offsets as relative to that. Having found the location of the patches, copy some bytes and find them in the new FIRM axiwram, then reverse the calculation (phys -> virt).

 

[Nanquitas]

A huge thank you for the explanation !!