Hacking Firmware Reverse Engineering (Info Dump)

[ryuutseku85]

When you mean 0x0 to 0x1 do you mean 0x0 to 0xFFF or something else ?

Thanks for this

 

[NWPlayer123]

Would it help to write something explaining how instructions work in each function eg how parameters are passed in and what all the registers are for, you can mostly rely on yagcd and examples

When you mean 0x0 to 0x1 do you mean 0x0 to 0xFFF or something else ?

Thanks for this

see above, it's the full memory range from 0x00000000 to 0xFFFFFFFF, 0x0 to 0xF is the very first digit, splits it up into 16 chunks

 

[NWPlayer123]

Question, what would one call the per-core kernel memory areas at 0xFFE04000, 0xFFE44000, 0xFFE84000, coreX_kernmem? It's per core so it's not really shared
get_core_kernarea is at FFF09658 on 5.5, just clears all but last 2 bits (to allow for 0, 1, and 2), then shifts left 18 bits (getting 0x00000, 0x40000, or 0x80000), then adds 0xFFE04000 to it which is the start of core0 (which will shift depending on the core number from pir)
the function right below it at FFF09668 is same thing but includes the move from pir to r12

 

[Datalogger]

"The quick brown fox jumps over 13 lazy dogs" ..Not sure what relevance it has yet.

The quote is commonly used in writing because it utilizes every letter in the alphabet. On wikapedia I found this info on the saying.

"""In the age of computers, this pangram is commonly used to display font samples and for testing computer keyboards. In cryptography, it is commonly used as a test vector for hash and encryption algorithms to verify their implementation, as well as to ensure alphabetic character set compatibility. Microsoft Word has a command to auto-type the sentence, in versions up to Word 2003, using the command =rand(), and in Microsoft Office Word 2007 and later using the command =rand.old().[10]"""

Like I revealed earlier. That text is found in the system font files without the 13.

That is NOT what the message says.
Someone made a mistake in decoding it and thought it said "The quick brown...."
They were mistaken and have since recanted that decoding of it.

 

[BurningDesire]

Hey @NWPlayer123 . I know this is a bump but the curiosity hasn't killed the cat yet and I tried downloading the 5.5.1 kernel with your nus grabber and this happened.

Starting NUS Download. Please be patient!
Downloading Title 00050010-1000400 v15702...
[=] Storing Encrypted Content...
- Downloading TMD...
+ Downloading TMD Failed...
Download failed: "Downloading TMD Failed:
The remote server returned an error: (401) Unauthorized. ):"
NUS Download Finished.

Do you think nintendo updated their servers?

 

[ryuutseku85]

Hey @NWPlayer123 . I know this is a bump but the curiosity hasn't killed the cat yet and I tried downloading the 5.5.1 kernel with your nus grabber and this happened.



Do you think nintendo updated their servers?

Try unwizard I test it last night and it work

 

[BurningDesire]

Try unwizard I test it last night and it work

Same error

tarting NUS Download. Please be patient!
Downloading Title 00050010-1000400 v15702...
[=] Storing Encrypted Content...
- Downloading TMD...
+ Downloading TMD Failed...
Download failed: "Downloading TMD Failed:
The remote server returned an error: (401) Unauthorized."

Edit: I also including the keys for decrypting

 

[RealityNinja]

Same error

tarting NUS Download. Please be patient!
Downloading Title 00050010-1000400 v15702...
[=] Storing Encrypted Content...
- Downloading TMD...
+ Downloading TMD Failed...
Download failed: "Downloading TMD Failed:
The remote server returned an error: (401) Unauthorized."

Edit: I also including the keys for decrypting

https://gbatemp.net/threads/nusgrabber-stopped-working.422286/#post-6247940
Maybe?

 

[BurningDesire]

https://gbatemp.net/threads/nusgrabber-stopped-working.422286/#post-6247940

I guess we know what that maintenance update was

 

[RealityNinja]

I guess we know what that maintenance update was

And it was already fixed.

 

[ryuutseku85]

Same error

tarting NUS Download. Please be patient!
Downloading Title 00050010-1000400 v15702...
[=] Storing Encrypted Content...
- Downloading TMD...
+ Downloading TMD Failed...
Download failed: "Downloading TMD Failed:
The remote server returned an error: (401) Unauthorized."

Edit: I also including the keys for decrypting

Get rid of the "-" and add a A ( from head ) at the end

 

[BurningDesire]

Get rid of the "-" and add a A ( from head ) at the end

You are amazing!

 

[ryuutseku85]

You are amazing!

Lol thanks but I am not , the person who create the program and explain how to use it are.

Attention look out to take your version

 

[BurningDesire]

Lol thanks but I am not , the person who create the program and explain are

In all legitness though thanks. I am now up to speed!

 

[BurningDesire]

So I have another question in IDA view every seg000: 00007804 spits out a dd and a bunch of crap after that ... How if I can convert those to strings?

 

[NWPlayer123]

So I have another question in IDA view every seg000: 00007804 spits out a dd and a bunch of crap after that ... How if I can convert those to strings?

Basic usage: press D to convert to data (there's a "carousel" rotate thing between different data types, first byte then short then word, can change it in options), you can select a number of bytes and hit A to make a string (I usually exclude the 00 null byte at the end and either convert it to byte short or word or if it's 3 bytes, select and hit A to turn it into one line), C lets you turn data into code (all instructions are 4 bytes so if the addr is not 0, 4, 8, C it's probably gonna complain), Q if you left stack pointer stuff on when compiling will turn the +var_8 to just the normal number.

 

[Sammi Husky]

Basic usage: press D to convert to data (there's a "carousel" rotate thing between different data types, first byte then short then word, can change it in options), you can select a number of bytes and hit A to make a string (I usually exclude the 00 null byte at the end and either convert it to byte short or word or if it's 3 bytes, select and hit A to turn it into one line), C lets you turn data into code (all instructions are 4 bytes so if the addr is not 0, 4, 8, C it's probably gonna complain), Q if you left stack pointer stuff on when compiling will turn the +var_8 to just the normal number.

So I have another question in IDA view every seg000: 00007804 spits out a dd and a bunch of crap after that ... How if I can convert those to strings?

To add to this, q will automatically turn 4 bytes at the cursor into a word. ctrl-o will attempt to convert into an offset (you can select a whole range of words and it'll attempt to turn as many as possible into offsets). You can also change words into floats as well, but you may need to go setup the data types in the database settings. Then float will be added to the cycle when you press D. (or just press q, then D). And iirc L is an alignment directive. (especially useful in the kernel.img since the functions are seperated by null bytes, alignment's will clean it right up). Alt-q will bring up a dialog to convert to any structures you define (like the memory table entries for example). Lastly, you can press P in a code location to attempt to convert it to a function, which will also run auto-analysis on it.

As far as strings go, there are more than one kind of string you can convert to. Sometimes you may need to convert to unicode and such. You can either change the default string type in settings, or you can use edit->strings->[option].

 

[BurningDesire]

To add to this, q will automatically turn 4 bytes at the cursor into a word. ctrl-o will attempt to convert into an offset (you can select a whole range of words and it'll attempt to turn as many as possible into offsets). You can also change words into floats as well, but you may need to go setup the data types in the database settings. Then float will be added to the cycle when you press D. (or just press q, then D). And iirc L is an alignment directive. (especially useful in the kernel.img since the functions are seperated by null bytes, alignment's will clean it right up). Alt-q will bring up a dialog to convert to any structures you define (like the memory table entries for example). Lastly, you can press P in a code location to attempt to convert it to a function, which will also run auto-analysis on it.

As far as strings go, there are more than one kind of string you can convert to. Sometimes you may need to convert to unicode and such. You can either change the default string type in settings, or you can use edit->strings->[option].

I'll say this. Even though the lack of kernel on 5.5.1 has left me uninspired to develop my game it has left me inspired to learn more then I ever could from just making a game. So while others are bitching about not having kernel I have learned that when you want to fight to get something and do it yourself you learn a whole lot more then just saying I'm entitled give it to me. So guys. If you want the exploit yourself make it. Or at least attempt to. If you fail you can still say to your friends. Yeah I worked on reverse engineering the espresso kernel. Did I succeed no. However I still learned much more then I ever would instead of just waiting and complaining so all I can say is

Thank you, thank you for making us wait. This has and still is a wonderful experience for knowledge. Guys quit complaining and start doing things your self.

Thank you to the guy above and @NWPlayer123 for responding to my question as well.

 

[NWPlayer123]

To add to this, q will automatically turn 4 bytes at the cursor into a word. ctrl-o will attempt to convert into an offset (you can select a whole range of words and it'll attempt to turn as many as possible into offsets). You can also change words into floats as well, but you may need to go setup the data types in the database settings. Then float will be added to the cycle when you press D. (or just press q, then D). And iirc L is an alignment directive. (especially useful in the kernel.img since the functions are seperated by null bytes, alignment's will clean it right up). Alt-q will bring up a dialog to convert to any structures you define (like the memory table entries for example). Lastly, you can press P in a code location to attempt to convert it to a function, which will also run auto-analysis on it.

As far as strings go, there are more than one kind of string you can convert to. Sometimes you may need to convert to unicode and such. You can either change the default string type in settings, or you can use edit->strings->[option].

Tru, I've rarely seen Unicode strings tho, either it's 1-byte ASCII or if it's a first party Nintendo game it'll probably have Japanese comments in Shift-JIS (you'll need to go to Options -> ASCII String Style -> Change encoding or set default encoding, right click and Insert then type in Shift-JIS [as spelled]) which you can tell when it ends cause each char takes up two bytes and you scroll down till you hit a null byte like usual. Also, wh, I never knew that alignment thing existed, how would I combine more than 4 bytes in .bss to eg a .space 0x30 cause I never figured it out and IDA gets some stuff wrong in disassembly

 

[troylly]

Since the exploit is patched,it wont be long before the release.I hope