wait really? lol that was quick. maybe you could post it here or add it to /contrib/ until we get proper svc replacement routines
- Thread starter chaoskagami
- Start date
- Views 247,499
- Replies 2,153
- Likes 60
wait really? lol that was quick. maybe you could post it here or add it to /contrib/ until we get proper svc replacement routines
- Joined
- Mar 26, 2016
- Messages
- 1,365
- Trophies
- 1
- Location
- ↑↑↓↓←→←→BA
- Website
- github.com
- XP
- 2,287
- Country
Replacing it in the ARM11 kernel is easy, but due to the terrible VM implementation, this probably needs to be done from C-side for now in the same place as svcBackdoor. I was planning to do that once I fixed firmlaunch.
I'll probably revert to the old behaviour where svcs are stored in a directory and named by index at some point here. If nintendo keeps making these sorts of changes, I'm going to need to.
I'm hesitant to merge that @Gray_Jack, since it will likely lose it's use immediately after I merge it. Although I suppose it won't hurt anything, I feel it's better to target the issue at the source.
By the way, I've *mostly* finished the firmlaunch refactor and it does work now. It's contained in the usual wip branch. I'm going to do a bit more cleanup before I merge it to master, but if you checkout that branch and compile it it *will* work. There's a couple of big differences to keep in mind, however;
1) Corbenik is now at 0x24F00000
2) arm9loaderhax.bin is a stub that gets corbenik there
Turns out the arm11 issues I was having were due to the arm11 entrypoint being 0x1FFFFFFC under firmlaunch, e.g. not the same as brahma/arm9loaderhax
I'd still think it's better to do it from the VM. Doing the arithmetic from itself would be too slow though, I'd suggest having a new instruction called gotosvc which places the VM pointer right at the beginning of the svc routine (not sure how to handle it for ARM9 or ARM11, maybe have gotosvc9 and gotosvc11? idk)
why the new address though?
- Joined
- Mar 26, 2016
- Messages
- 1,365
- Trophies
- 1
- Location
- ↑↑↓↓←→←→BA
- Website
- github.com
- XP
- 2,287
- Country
Here's multiple food-for-thought things on this front:
1) Sometimes one would want to modify a svc's code. Sometimes we just want to replace the code completely. We'd have to handle both cases.
2) While such a instruction would place us at the svc itself, this isn't sufficient for svcs that don't exist.
3) Adding more instructions to the VM for specific use cases that could be resolved by adding proper arithmetic support seems like a waste. If we have to add instructions, I can, but that just seems like way too much functionality abstracted.
It allows me to avoid the pathchanging nonsense that comes with recalling a payload from firmlaunch. Then again, I also could have just made a copy of the payload in the prefix...
In retrospect, holy s**t did I overcomplicate things, actually. Maybe I'll just revert that bunch of changes and rebase.
EDIT: Reverted. Hard.
Last edited by chaoskagami,
1) That can be done with just a couple of instructions...
Code:
push lr
mov lr, pc
ldr pc, [pc]
pop pc
.word <address where your code to be executed is>2) That's true... you could reserve a bit of space for each svc in unused ARM9/AXI WRAM for these though.
3) It all depends on how well the arithmetic operations are implemented.
Good to see you've come back to your senses...
- Joined
- Mar 26, 2016
- Messages
- 1,365
- Trophies
- 1
- Location
- ↑↑↓↓←→←→BA
- Website
- github.com
- XP
- 2,287
- Country
From bytecode, you mean replacing the svc's code with something like that? Stub svc calls are two instructions long, you could end up trampling on other code, unless I'm misunderstanding what you're suggesting.
There's not a hell of a lot of AXIWRAM available out of actually used data contained in it. Plus, I'm not sure it's so easy to jump there from the way things are set up.
Ideally decent enough to decode a branch instruction.
I can only blame being half-asleep as per usual.
Last edited by chaoskagami,
No, I meant replacing *proper* svc calls (say, 0x59 for example) to divert somewhere else where there's more space. For stubbed ones... yeah, it'd be really annoying.
That's quite true xD
Me too, it was supposed to be a quick an temporary fix till you or someone did it a future-proof fix
- Joined
- Jul 13, 2014
- Messages
- 6,043
- Trophies
- 2
- Age
- 25
- Location
- https://gs2012.xyz
- Website
- gs2012.xyz
- XP
- 6,012
- Country
Make one. Edit: Sorry I posted that picture from my phone and didn't realize how massive it would be. inb4 that's what she said.
Attachments
Last edited by Navonod,
Thanks a lot for this. 
I'm glad to see it working on 11.3
I think I might have run into an interesting bug when running the latest skeith build on my o3ds, 11.3.0-3U a9lh'd with SysNAND only (commit hash dd3f41655202f291d2742430037d466ee4e8867c). Unfortunately, it doesn't seem to occur when I enabled logging, so no log, just my word. :x If nobody else can replicate it, then chalk it up to my 3ds.
First, my settings:
I also have a splash, if that means anything. A picture of it when glitched:
Basically, all I need to do is enter and exit the Configuration menu multiple times without booting firmware or rebooting. It then somehow enables Step-through, along with a glitched menu display. There might also be some errors of sorts on trying to boot firmware (doesn't succeed in booting, mentions emunand which I don't have o_o). Something about NAND image is invalid and it powers itself off. Here's an example of the text:
It's sort of interesting and a bit weird, but I don' t think it's a fatal flaw. I've attached my splash files in case they were the problem (idk why they would be, though); I made a zip of the skeith files/structure from my 3ds, but it's too big to attach to a post in gbatemp. I don't think it's necessary to, though, if it's just my system doing this.
I'm glad to see it working on 11.3I think I might have run into an interesting bug when running the latest skeith build on my o3ds, 11.3.0-3U a9lh'd with SysNAND only (commit hash dd3f41655202f291d2742430037d466ee4e8867c). Unfortunately, it doesn't seem to occur when I enabled logging, so no log, just my word. :x If nobody else can replicate it, then chalk it up to my 3ds.
First, my settings:
Options (enabled/values)
* System module inject
* svcBackdoor Fixup
* Firmlaunch Hook
* Autoboot
* Dim Background
7 Accent color
3 Brightness
Patches
* Signature Fix
* FIRM Protection
* Region Free HOME (Loader)
* Block Cart Update / Cart RF (Loader)
* Block eShop Updates (Loader)
* RO Signature Fix (Loader)
* Download Play Region Fix (Loader)
* Verbose ErrDisp (Loader)
* Settings Version String
* TWL Patches (2/2 - o3ds)
* TWL Patches ((1/2 - new3ds)
* AGB Signature Fix
* AGB BootscreenS
* System module inject
* svcBackdoor Fixup
* Firmlaunch Hook
* Autoboot
* Dim Background
7 Accent color
3 Brightness
Patches
* Signature Fix
* FIRM Protection
* Region Free HOME (Loader)
* Block Cart Update / Cart RF (Loader)
* Block eShop Updates (Loader)
* RO Signature Fix (Loader)
* Download Play Region Fix (Loader)
* Verbose ErrDisp (Loader)
* Settings Version String
* TWL Patches (2/2 - o3ds)
* TWL Patches ((1/2 - new3ds)
* AGB Signature Fix
* AGB BootscreenS
I also have a splash, if that means anything. A picture of it when glitched:
Basically, all I need to do is enter and exit the Configuration menu multiple times without booting firmware or rebooting. It then somehow enables Step-through, along with a glitched menu display. There might also be some errors of sorts on trying to boot firmware (doesn't succeed in booting, mentions emunand which I don't have o_o). Something about NAND image is invalid and it powers itself off. Here's an example of the text:
reboot: proc9 mem @ 08028000
reboot: proc9 off @ 24155000
reboot: firmlaunch @ 241b1b58
reboot: fopen @ 08059e35
emunand: free space @ 241527c0
emunand: size is 81600 bytes
emunand: read in emunand code
emunand: selected NAND image is not valid.
reboot: proc9 off @ 24155000
reboot: firmlaunch @ 241b1b58
reboot: fopen @ 08059e35
emunand: free space @ 241527c0
emunand: size is 81600 bytes
emunand: read in emunand code
emunand: selected NAND image is not valid.
Last edited by GravitySuitCollector,
- Joined
- Mar 26, 2016
- Messages
- 1,365
- Trophies
- 1
- Location
- ↑↑↓↓←→←→BA
- Website
- github.com
- XP
- 2,287
- Country
Thanks a lot for this.
I think I might have run into an interesting bug when running the latest skeith build on my o3ds, 11.3.0-3U a9lh'd with SysNAND only (commit hash dd3f41655202f291d2742430037d466ee4e8867c). Unfortunately, it doesn't seem to occur when I enabled logging, so no log, just my word. :x If nobody else can replicate it, then chalk it up to my 3ds.
First, my settings:
Options (enabled/values)
* System module inject
* svcBackdoor Fixup
* Firmlaunch Hook
* Autoboot
* Dim Background
7 Accent color
3 Brightness
Patches
* Signature Fix
* FIRM Protection
* Region Free HOME (Loader)
* Block Cart Update / Cart RF (Loader)
* Block eShop Updates (Loader)
* RO Signature Fix (Loader)
* Download Play Region Fix (Loader)
* Verbose ErrDisp (Loader)
* Settings Version String
* TWL Patches (2/2 - o3ds)
* TWL Patches ((1/2 - new3ds)
* AGB Signature Fix
* AGB BootscreenS
I also have a splash, if that means anything. A picture of it when glitched:
Basically, all I need to do is enter and exit the Configuration menu multiple times without booting firmware or rebooting. It then somehow enables Step-through, along with a glitched menu display. There might also be some errors of sorts on trying to boot firmware (doesn't succeed in booting, mentions emunand which I don't have o_o). Something about NAND image is invalid and it powers itself off. Here's an example of the text:
It's sort of interesting and a bit weird, but I don' t think it's a fatal flaw. I've attached my splash files in case they were the problem (idk why they would be, though); I made a zip of the skeith files/structure from my 3ds, but it's too big to attach to a post in gbatemp. I don't think it's necessary to, though, if it's just my system doing this.reboot: proc9 mem @ 08028000
reboot: proc9 off @ 24155000
reboot: firmlaunch @ 241b1b58
reboot: fopen @ 08059e35
emunand: free space @ 241527c0
emunand: size is 81600 bytes
emunand: read in emunand code
emunand: selected NAND image is not valid.
Yeah, that's not normal at all. How many times is "multiple times"? Three? Ten? Thirty?
I have no clue what could cause that, aside from some form of uncontrolled memory corruption (which ends up clobbering the configuration file.) The bigger question is how the menu is corrupted with that type of bug; that's within .data or .rodata, so it'd have to be clobbering the program too, never mind just malloc()'d memory after bss.
Can you test without both splashes (and with only one screen) and see if the issue occurs? The only thing I can think of is somehow there's an OOM condition.
Last edited by chaoskagami,
I can't seem to find any issue in the boot splashes.
But of course I did test other things. I tested to see if it will boot on 11.3 for both the old3DS and new3DS, which if did. Then tested to see if it worked with the reboot patches, which it did Then of course tested HMM games on the old3DS and DSi/GBA on both new and old3DS. Everything worked just fine!
But there is one error I am running into, which I logged to post
These errors only happen after the first boot. After rebooting the system, this error no longer happens and the system functions as normal.
But of course I did test other things. I tested to see if it will boot on 11.3 for both the old3DS and new3DS, which if did. Then tested to see if it worked with the reboot patches, which it did
Then of course tested HMM games on the old3DS and DSi/GBA on both new and old3DS. Everything worked just fine!But there is one error I am running into, which I logged to post
Code:
Cache: Title Downgrade Fix (11.0+ NFIRM)
Version: 10
cache: 0004013800000002
cache: 0004013820000002
Cache: Block NIM Updates (Loader)
Version: 10
cache: 0004013000002C02
Cache: Block eShop Updates (Loader)
Version: 10
cache: 0004013000002C02
Cache: TWL Patches (2/2 - o3ds)
Version: 10
cache: 0004013800000102
Cache: Fake Friends Version (Loader)
Version: 10
cache: 0004013000003202
Cache: SecureInfo_A Signature Fix (Loader)
Version: 10
cache: 0004013000001702
Cache: FIRM Protection
Version: 10
cache: 0004013800000002
cache: 0004013820000002
Cache: AGB Bootscreen
Version: 10
cache: 0004013800000202
cache: 0004013820000202
Cache: Settings Version String (Loader)
Version: 10
cache: 0004001000021000
cache: 0004001000020000
cache: 0004001000022000
cache: 0004001000026000
cache: 0004001000027000
cache: 0004001000028000
Cache: AGB Signature Fix
Version: 10
cache: 0004013800000202
cache: 0004013820000202
Cache: TWL Patches (1/2 - new3ds)
Version: 10
cache: 0004013820000102
Cache: Region Free HOME (Loader)
Version: 10
cache: 0004003000008F02
cache: 0004003000008202
cache: 0004003000009802
cache: 000400300000A102
cache: 000400300000A902
cache: 000400300000B102
Cache: Download Play Region Fix (Loader)
Version: 10
cache: 0004013000002802
Cache: Signature Fix
Version: 10
cache: 0004013800000002
cache: 0004013820000002
Cache: Block Cart Update / Cart RF (Loader)
Version: 10
cache: 0004013000008002
Cache: Disable SVC Permission Checks
Version: 1
cache: 0004013800000002
cache: 0004013820000002
Cache: FIRM Protection (2.x)
Version: 1
cache: 0004013800000002
cache: 0004013800000003
cache: 0004013820000003
Cache: Remove Outlines - Pokemon S/M (Loader)
Version: 1
cache: 0004000000164800
cache: 0004000000175E00
TWL Patches (2/2 - o3ds)
AGB Bootscreen
AGB Signature Fix
Title Downgrade Fix (11.0+ NFIRM)
FIRM Protection
Signature Fix
Disable SVC Permission Checks
FIRM Protection (2.x)
reboot: proc9 mem @ 08028000
reboot: proc9 off @ 27150590
reboot: firmlaunch @ 271ad0e8
reboot: fopen @ 08059e35
svc: 0x7B (backdoor) missing.
Svc: backdoor is 64 bytes
Svc: Read code to 271359b8
svc: Injected 0x7B.
Module: Grow 11 units
Data abort.
cpsr:200000df sp:27effb84 pc:098e46a0
r0:23f0d8f4 r1:270f8e90 r2:271be698 r3:12726000
r4:30000008 r5:00000000 r6:00000000 r7:00000000
r8:00000000 r9:00000854 r10:23f22218 r11:271be698
r12:23f2295c
Cannot continue. Halting.
Code:
Cache: Title Downgrade Fix (11.0+ NFIRM)
Version: 10
cache: 0004013800000002
cache: 0004013820000002
Cache: Block NIM Updates (Loader)
Version: 10
cache: 0004013000002C02
Cache: Block eShop Updates (Loader)
Version: 10
cache: 0004013000002C02
Cache: TWL Patches (2/2 - o3ds)
Version: 10
cache: 0004013800000102
Cache: Fake Friends Version (Loader)
Version: 10
cache: 0004013000003202
Cache: SecureInfo_A Signature Fix (Loader)
Version: 10
cache: 0004013000001702
Cache: FIRM Protection
Version: 10
cache: 0004013800000002
cache: 0004013820000002
Cache: AGB Bootscreen
Version: 10
cache: 0004013800000202
cache: 0004013820000202
Cache: Settings Version String (Loader)
Version: 10
cache: 0004001000021000
cache: 0004001000020000
cache: 0004001000022000
cache: 0004001000026000
cache: 0004001000027000
cache: 0004001000028000
Cache: AGB Signature Fix
Version: 10
cache: 0004013800000202
cache: 0004013820000202
Cache: TWL Patches (1/2 - new3ds)
Version: 10
cache: 0004013820000102
Cache: Region Free HOME (Loader)
Version: 10
cache: 0004003000008F02
cache: 0004003000008202
cache: 0004003000009802
cache: 000400300000A102
cache: 000400300000A902
cache: 000400300000B102
Cache: Download Play Region Fix (Loader)
Version: 10
cache: 0004013000002802
Cache: Signature Fix
Version: 10
cache: 0004013800000002
cache: 0004013820000002
Cache: Block Cart Update / Cart RF (Loader)
Version: 10
cache: 0004013000008002
Cache: RO Signature Fix (Loader)
Version: 10
cache: 0004013000003702
Cache: Disable SVC Permission Checks
Version: 1
cache: 0004013800000002
cache: 0004013820000002
Cache: FIRM Protection (2.x)
Version: 1
cache: 0004013800000002
cache: 0004013800000003
cache: 0004013820000003
Cache: Remove Outlines - Pokemon S/M (Loader)
Version: 1
cache: 0004000000164800
cache: 0004000000175E00
TWL Patches (1/2 - new3ds)
AGB Bootscreen
AGB Signature Fix
Title Downgrade Fix (11.0+ NFIRM)
FIRM Protection
Signature Fix
Disable SVC Permission Checks
reboot: proc9 mem @ 08028000
reboot: proc9 off @ 27153240
reboot: firmlaunch @ 271afd98
reboot: fopen @ 08059e31
svc: 0x7B (backdoor) missing.
Svc: backdoor is 64 bytes
Svc: Read code to 271371a8
svc: Injected 0x7B.
Module: Grow 11 units
Data abort.
cpsr:a00000df sp:27effb84 pc:9b1fe750
r0:23f0d8f4 r1:270f9340 r2:271c6b48 r3:a4037c00
r4:30000008 r5:030b0f0f r6:070b0f0e r7:0f0f0e0f
r8:4d0f8f0f r9:000008b4 r10:23f22218 r11:271c6b48
r12:23f2295c
Cannot continue. Halting.
Last edited by The Catboy,
Fourth time exiting out of Configuration is when it magically turns on step-through. Still did it with only top splash, and with no splash (doesn't with splash off and logging on, entered/exited config over 20 times).
Maybe if you find this does happen for other people, and it isn't just my skeith install that's borked, you could just set some sort of reboot variable thing (on config exit, sets CFW to load and reboots, once CFW's loaded, unset menu loading; separate from autoboot setting, sort of a run once thing). It would probably be a quick, hacky way to take care of the problem...? The bizarre part is the no logging. :c Maybe someone else can test it real quick, and see if other o3dses respond similarly (system starts up just fine after reboot, and it has the settings from before).
Maybe if you find this does happen for other people, and it isn't just my skeith install that's borked, you could just set some sort of reboot variable thing (on config exit, sets CFW to load and reboots, once CFW's loaded, unset menu loading; separate from autoboot setting, sort of a run once thing). It would probably be a quick, hacky way to take care of the problem...? The bizarre part is the no logging. :c Maybe someone else can test it real quick, and see if other o3dses respond similarly (system starts up just fine after reboot, and it has the settings from before).
Can someone help me with language emulation? I don't understand how to do it. I'm currently trying to translate Miitopia into English. I turned on the option to enable language emulation.
- Joined
- Dec 2, 2013
- Messages
- 1,303
- Trophies
- 0
- Age
- 30
- Location
- Sault Ste. Marie, Michigan
- Website
- s6.zetaboards.com
- XP
- 384
- Country
It doesn't work like that, language emulation just allows you to run games that aren't region free on your systems
