Homebrew Homebrew Development

[DarkRaider8702]

I believe I have an idea on an exploit for the 3DS XL (old). Does anybody know about the Pokemon ORAS hacked pokemon deal? What you do is place files on your SD card and once in-game, you execute it by going into the browser and putting in a URL. I believe that this could load a bug into the game and could launch homebrew. Does anybody think this as a possible exploit?

 

[nop90]

I need some help in interpreting a piece of asm code that when ported in C, give me some problems:

push {r0, r1, r4, lr}
...
mov r2, #68 ; 0x44
ldr r1, [sp]
ldr r0, [pc, #20] # loads the value  0xffff8001 -> process handle
svc 0x00000054 # FlushProcessDataCache(Handle process, void const* addr, u32 size)

the value loaded in r1 from the top of the stack should be the value in r0 (first param of the function) pushed on the stack at the beginning. Is this correct?

 

[habababa]

I need some help in interpreting a piece of asm code that when ported in C, give me some problems:

push {r0, r1, r4, lr}
...
mov r2, #68 ; 0x44
ldr r1, [sp]
ldr r0, [pc, #20] # loads the value  0xffff8001 -> process handle
svc 0x00000054 # FlushProcessDataCache(Handle process, void const* addr, u32 size)

the value loaded in r1 from the top of the stack should be the value in r0 (first param of the function) pushed on the stack at the beginning. Is this correct?

yes, it should if sp wasnt modified in between the push and the ldr.
edit:
it could change if itheres a subroutine call inside the ... using the value of sp as one of its arguments like

mov  r0, sp
bl  impureFunc

 

[nop90]

Thanks, the SP register is unchanged betwhen the two instrunction.

There must be some other mistakes somewhere.

 

[Rinnegatamante]

Does 3DS Homebrew List on GBAtemp wiki won't be updated anymore?
I seen it lacks of latest homebrew releases/updates.

 

[Coto]

I need some help in interpreting a piece of asm code that when ported in C, give me some problems:

push {r0, r1, r4, lr}
...
mov r2, #68 ; 0x44
ldr r1, [sp]
ldr r0, [pc, #20] # loads the value  0xffff8001 -> process handle
svc 0x00000054 # FlushProcessDataCache(Handle process, void const* addr, u32 size)

the value loaded in r1 from the top of the stack should be the value in r0 (first param of the function) pushed on the stack at the beginning. Is this correct?

yes it should work, but make sure both r13 for [ push {r0, r1, r4, lr} ] is the same (CPSR & 0x1f) (processor mode bits) at the time [ ldr r1, [sp] fetch data ], or at least SP address must be the same.

http://www.heyrick.co.uk/armwiki/The_Status_register

-
Or.. are you sure there isn't STMxx Rn!,{...} or LDMxx Rn!,{...} between push & ldr ldr r1, [sp] as it may update the stack pointer.

-
Or..

For example THUMB code writeback the base address always for LDMIA/STMIA/PUSH/POP, so :

push r0,r1,r2 @sp=sp - ((4*3)-4) means sp[0] <= sp[2]

//considering the SP is not modified here

ldr r1, [sp] @ means *(sp[2])

@ and you want *(sp[0])

@so it would be:

ldr r1, [sp,#-((4*3)-4)] @ means *(sp[0])

 

[nop90]

yes it should work, but make sure both r13 for [ push {r0, r1, r4, lr} ] is the same (CPSR & 0x1f) (processor mode bits) at the time [ ldr r1, [sp] fetch data ], or at least SP address must be the same.

http://www.heyrick.co.uk/armwiki/The_Status_register

-
Or.. are you sure there isn't STMxx Rn!,{...} or LDMxx Rn!,{...} between push & ldr ldr r1, [sp] as it may update the stack pointer.

-
Or..

For example THUMB code writeback the base address always for LDMIA/STMIA/PUSH/POP, so :

push r0,r1,r2 @sp=sp - ((4*3)-4) means sp[0] <= sp[2]

//considering the SP is not modified here

ldr r1, [sp] @ means *(sp[2])

@ and you want *(sp[0])

@so it would be:

ldr r1, [sp,#-((4*3)-4)] @ means *(sp[0])

Thank you for your useful explaination. The missing part of the code only loads r2 and r3, tha writes r2 in the memory location pointed by r3.

BTW i'm not writing asm, i'm RE some code and writing it in c. And I already found my bug, it was a simply typo in the comments i wrote next the asm code. Reading data in little endian I swapped also the two ciphers in a byte

 

[Coto]

Thank you for your useful explaination. The missing part of the code only loads r2 and r3, tha writes r2 in the memory location pointed by r3.

BTW i'm not writing asm, i'm RE some code and writing it in c. And I already found my bug, it was a simply typo in the comments i wrote next the asm code. Reading data in little endian I swapped also the two ciphers in a byte

no problemo

 

[Technicmaster0]

Does 3DS Homebrew List on GBAtemp wiki won't be updated anymore?
I seen it lacks of latest homebrew releases/updates.

It's open for everyone to update it.

 

[Cyan]

Does 3DS Homebrew List on GBAtemp wiki won't be updated anymore?
I seen it lacks of latest homebrew releases/updates.

When I have time as it seems tj_cool and me are the only one working on it.
If developers added their own homebrew that would help. even just listing it with a link to the thread or git is enough. we can create the homebrew page later.

I don't crawl the existing homebrew threads to see if there are new version every days.
There are probably new blarg or 3Dnes?

 

[Rinnegatamante]

When I have time as it seems tj_cool and me are the only one working on it.
If developers added their own homebrew that would help. even just listing it with a link to the thread or git is enough. we can create the homebrew page later.

I don't crawl the existing homebrew threads to see if there are new version every days.
There are probably new blarg or 3Dnes?

Today i updated it a bit with some updates/releases but probably i missed something.

 

[MeisterFenster]

I have found an interesting "feature"

...
aptOpenSession();
//srvGetServiceHandle(&aptuHandle, "APT:U");
APT_PrepareToDoAppJump(NULL, 2, 0, mediatype_GAMECARD);
APT_DoAppJump(NULL,0,0,2,0);
//APT_HardwareResetAsync(NULL);
svcCloseHandle(aptuHandle);
aptCloseSession();
...

Please note: I am learning with try and error, and I have not really an idea why this is happening. It should in theory launch something (I am learning^^)

When I launch that in Ninjhax nothing happens for around 30sec or so, but after that cubic ninja crashes and I get the error "something... the system has to restart" BUT it does not restart. Instead you can just click ok and nothing happens and I am back in home menu.
But now all the buttons (including the home button) are disabled in games (tested CubicNinja, FlipNote Studio 3D and MiiPlaza) you have to restart your System to get them back to work. The touchscreen is also not working in game. The small Apps like the Browser are not affected by this, I tested this on a JP N3DS with 9.2.
And DownloadPlay crashes and restarts the System.

Maybe someone can explain me what is happening there.

 

[Tjessx]

I have found an interesting "feature"

...
aptOpenSession();
//srvGetServiceHandle(&aptuHandle, "APT:U");
APT_PrepareToDoAppJump(NULL, 2, 0, mediatype_GAMECARD);
APT_DoAppJump(NULL,0,0,2,0);
//APT_HardwareResetAsync(NULL);
svcCloseHandle(aptuHandle);
aptCloseSession();
...

Please note: I am learning with try and error, and I have not really an idea why this is happening. It should in theory launch something (I am learning^^)

When I launch that in Ninjhax nothing happens for around 30sec or so, but after that cubic ninja crashes and I get the error "something... the system has to restart" BUT it does not restart. Instead you can just click ok and nothing happens and I am back in home menu.
But now all the buttons (including the home button) are disabled in games (tested CubicNinja, FlipNote Studio 3D and MiiPlaza) you have to restart your System to get them back to work. The touchscreen is also not working in game. The small Apps like the Browser are not affected by this, I tested this on a JP N3DS with 9.2.
And DownloadPlay crashes and restarts the System.

Maybe someone can explain me what is happening there.

I'm not entirely sure, but i don't think you can do this in ninjrhax

 

[Rinnegatamante]

Why not? APT:U is a usermode wrapper for kernelmode ns service and is accessible through Ninjhax.

 

[Tjessx]

Why not? APT:U is a usermode wrapper for kernelmode ns service and is accessible through Ninjhax.

Jump from a game card to a game card?

 

[Tjessx]

Jump from a game card to a game card?

Unless you got it as a CIA of course

 

[Rinnegatamante]

Jump from a game card to a game card?

You cannot eject Cubic Ninja card while you are in ninjhax but technically, what he wrote can be executed through ninjhax.

 

[Apache Thunder]

I could see that being of use in the spiderhax version of Ninjhax (whenever that finally gets finished.... ). But I'm pretty sure you can't use it to launch unsigned CIAs. Perhaps an alternate method of region free maybe? Don't see much other use for this.

 

[Rinnegatamante]

Regionthree reboots console to start cartridges, so you lose emuNand (and so CIA imported support).
Maybe using LaunchTitle from ns:s service could prevent this.

 

[MeisterFenster]

An alternative method for regionthree is my goal. Smealum said that it would be possible somehow. It should be possible to launch a cartridge with ninjhax (even if it is cubic ninja, that would be a step forward).
This code also does something, but I dont know why. It crashes the games after ca. 25sec and the error "an error has occurred the system has to restart" appears but you can just click ok and the system does not restart. It will stay in home menu but when you start a game or for example System Settings all the button and the touchscreen are dead.