Homebrew Homebrew Development

CalebW

CalebW

Fellow Temper
Member
Level 4
Joined
Jun 29, 2012
Messages
638
Trophies
0
Location
Texas
XP
525
Country
United States
nop90 said:
Me not yet. I scanned some parts of IO register memory, but at the moment I found only the 3D slider state register at 0x1014470C.

Still trying to figure out what are the other non zero values i found, in the hope to be able to swap framebuffers.

In the range I scanned (0x1012DFA0 - 0x10146BD6) nothing has values changing upon CPAD or touchscreen state.
Click to expand...
I know smea read the C-Pad state in his ctr HID.h, perhaps you could take a look at it...
 
K

Kane49

Well-Known Member
Member
Level 3
Joined
Nov 4, 2013
Messages
446
Trophies
0
Age
34
XP
343
Country
Gambia, The
The best thing right now would actually be to find out which sections of memory we are able to access :)
I mean we know we can access things around:

0x10000000-0x11500000 (or so)
0x20000000-0x28000000

But i suspect we have access to even more regions we just don't know about yet ^^
Too bad it immediately crashes once try to access non accessible memory :/
 
nop90

nop90

Well-Known Member
Member
Level 12
Joined
Jan 11, 2014
Messages
1,556
Trophies
0
Location
Rome
XP
2,983
Country
Italy
CalebW said:
I know smea read the C-Pad state in his ctr HID.h, perhaps you could take a look at it...
Click to expand...

Smea in his HID.c module get the HID registers addresses, maps it to 0x1000000 and then initialize the HID. With the mapped handle he does exactly the same we do with the HID phisical address to check keys pressed.

In his code the CPAD is at 0x10000034 (i.e. Mapped HID address + 0xD*4) and Touchpad is at 0x100000C8 (i.e. Mapped HID address + 0x32 *4). Interesting but not usefull as long as we can't replicate his system calls. I'm making some experiment to make it work (yes I know: smea said it won't work, and Kane said it too - I'm stubborn as a mule) but I have very few time and can't go any faster.
 
K

Kane49

Well-Known Member
Member
Level 3
Joined
Nov 4, 2013
Messages
446
Trophies
0
Age
34
XP
343
Country
Gambia, The
nop90 said:
Smea in his HID.c module get the HID registers addresses, maps it to 0x1000000 and then initialize the HID. With the mapped handle he does exactly the same we do with the HID phisical address to check keys pressed.

In his code the CPAD is at 0x10000034 (i.e. Mapped HID address + 0xD*4) and Touchpad is at 0x100000C8 (i.e. Mapped HID address + 0x32 *4). Interesting but not usefull as long as we can't replicate his system calls. I'm making some experiment to make it work (yes I know: smea said it won't work, and Kane said it too - I'm stubborn as a mule) but I have very few time and can't go any faster.
Click to expand...


Thats why we need to find more accessible memory regions, there have to be some hints in there somewhere :)
 
kyogre123

kyogre123

Mexican Pride
Member
Level 8
Joined
Sep 23, 2013
Messages
2,920
Trophies
0
Age
32
XP
1,327
Country
Mexico
Hi. I was wondering if there's a launcher that is able to dump the whole 128MB of RAM or if it is even possible via software.
 
Huntereb

Huntereb

Well-Known Member
Member
Level 11
Joined
Sep 1, 2013
Messages
3,235
Trophies
0
Website
lewd.pics
XP
2,421
Country
United States
PewnyPL said:
Well, with emuNAND and redNAND it could be possible to find an exploit for newer firmwares. Maybe...
Click to expand...


True, this would be a great tool if anyone has the smarts to make one. Oh, and better yet, make a launcher that lets you replace specific lines of the RAM with your own modifications. ;)
 
PewnyPL

PewnyPL

Well-Known Member
Member
Level 9
Joined
Feb 2, 2014
Messages
745
Trophies
0
XP
1,786
Country
Poland
bkifft said:
so you've already mapped out the good and bad memory regions? or have you found a way to catch the illegal memory access interrupt?
Click to expand...

Smealum found a way to modify other processes RAM (to modify list of channels and such), so if it's possible to write to RAM, using a similair method it should be possible to read it too. Unless the HOME screen's RAM region is not protected (which is doubtful)
 
K

Kane49

Well-Known Member
Member
Level 3
Joined
Nov 4, 2013
Messages
446
Trophies
0
Age
34
XP
343
Country
Gambia, The
The
bkifft said:
so you've already mapped out the good and bad memory regions? or have you found a way to catch the illegal memory access interrupt?
Click to expand...

The 128mb of fcram isn't protected at all ^^
But yeah I found out they are all bad except the few mentioned ones
 
bkifft

bkifft

avowed Cuthwaldian
Member
Level 5
Joined
Jun 10, 2010
Messages
613
Trophies
0
XP
624
Country
Gambia, The
Kane49 said:
The

The 128mb of fcram isn't protected at all ^^
Click to expand...
yeah, but i was under the impression that it wasn't addressed as a continuous block in physical address space but segmented.

if that's not the case after all: yay!


edit: i could/should have RTFM and checked the wiki *innocent whistle*
 
kalimero

kalimero

Uncle Rupee
Member
Level 3
Joined
Jun 28, 2006
Messages
211
Trophies
0
XP
334
Country
Gambia, The
General chit-chat
Help Users
  • No one is chatting at the moment.
    KenniesNewName @ KenniesNewName: https://youtube.com/shorts/mSSVwQ9i-UU?feature=share