Homebrew Homebrew Development

CalebW

Fellow Temper
Me not yet. I scanned some parts of IO register memory, but at the moment I have found only the 3D slider state register at 0x1014470C.

Still trying to figure out what the other non-zero values I found are, in the hope of being able to swap framebuffers.

In the range I scanned (0x1012DFA0 - 0x10146BD6) nothing has values changing upon CPAD or touchscreen state.
I know smea read the C-Pad state in his ctr HID.h, perhaps you could take a look at it...

Kane49

Well-Known Member
The best thing right now would actually be to find out which sections of memory we are able to access :)
I mean we know we can access things around:

0x10000000-0x11500000 (or so)
0x20000000-0x28000000

But I suspect we have access to even more regions we just don't know about yet ^^
Too bad it immediately crashes once you try to access non-accessible memory :/

nop90

Well-Known Member
I know smea read the C-Pad state in his ctr HID.h, perhaps you could take a look at it...

Smea, in his HID.c module, gets the HID register addresses, maps them to 0x1000000 and then initializes the HID. With the mapped handle he does exactly the same thing we do with the HID physical address to check which keys are pressed.

In his code the CPAD is at 0x10000034 (i.e. mapped HID address + 0xD*4) and the touchpad is at 0x100000C8 (i.e. mapped HID address + 0x32*4). Interesting, but not useful as long as we can't replicate his system calls. I'm making some experiments to make it work (yes I know: smea said it won't work, and Kane said it too - I'm stubborn as a mule) but I have very little time and can't go any faster.

Kane49

Well-Known Member
Smea, in his HID.c module, gets the HID register addresses, maps them to 0x1000000 and then initializes the HID. With the mapped handle he does exactly the same thing we do with the HID physical address to check which keys are pressed.

In his code the CPAD is at 0x10000034 (i.e. mapped HID address + 0xD*4) and the touchpad is at 0x100000C8 (i.e. mapped HID address + 0x32*4). Interesting, but not useful as long as we can't replicate his system calls. I'm making some experiments to make it work (yes I know: smea said it won't work, and Kane said it too - I'm stubborn as a mule) but I have very little time and can't go any faster.


That's why we need to find more accessible memory regions; there have to be some hints in there somewhere :)

kyogre123

Mexican Pride
Hi. I was wondering if there's a launcher that is able to dump the whole 128MB of RAM or if it is even possible via software.

Huntereb

Well-Known Member
Well, with emuNAND and redNAND it could be possible to find an exploit for newer firmwares. Maybe...


True, this would be a great tool if anyone has the smarts to make one. Oh, and better yet, make a launcher that lets you replace specific lines of the RAM with your own modifications. ;)

PewnyPL

Well-Known Member
So you've already mapped out the good and bad memory regions? Or have you found a way to catch the illegal memory access interrupt?

Smealum found a way to modify other processes' RAM (to modify the list of channels and such), so if it's possible to write to RAM, using a similar method it should be possible to read it too. Unless the HOME screen's RAM region is not protected (which is doubtful).

Kane49

Well-Known Member
So you've already mapped out the good and bad memory regions? Or have you found a way to catch the illegal memory access interrupt?

The 128 MB of FCRAM isn't protected at all ^^
But yeah, I found out they are all bad except the few mentioned ones.

bkifft

avowed Cuthwaldian
The 128 MB of FCRAM isn't protected at all ^^
Yeah, but I was under the impression that it wasn't addressed as a continuous block in physical address space but segmented.

If that's not the case after all: yay!


Edit: I could/should have RTFM and checked the wiki *innocent whistle*

kalimero

Uncle Rupee