Toggle sidebar

Homebrew Homebrew Development

  • Thread starter Thread starter aliak11
  • Start date Start date
  • Views Views 1,474,975
  • Replies Replies 6,048
  • Likes Likes 54
I believe I have an idea on an exploit for the 3DS XL (old). Does anybody know about the Pokemon ORAS hacked pokemon deal? What you do is place files on your SD card and once in-game, you execute it by going into the browser and putting in a URL. I believe that this could load a bug into the game and could launch homebrew. Does anybody think this as a possible exploit?
 
I need some help in interpreting a piece of asm code that when ported in C, give me some problems:

Code: 
push {r0, r1, r4, lr}
...
mov r2, #68 ; 0x44
ldr r1, [sp]
ldr r0, [pc, #20] # loads the value  0xffff8001 -> process handle
svc 0x00000054 # FlushProcessDataCache(Handle process, void const* addr, u32 size)

the value loaded in r1 from the top of the stack should be the value in r0 (first param of the function) pushed on the stack at the beginning. Is this correct?
 
nop90 said:
I need some help in interpreting a piece of asm code that when ported in C, give me some problems:

Code: 
push {r0, r1, r4, lr}
...
mov r2, #68 ; 0x44
ldr r1, [sp]
ldr r0, [pc, #20] # loads the value  0xffff8001 -> process handle
svc 0x00000054 # FlushProcessDataCache(Handle process, void const* addr, u32 size)

the value loaded in r1 from the top of the stack should be the value in r0 (first param of the function) pushed on the stack at the beginning. Is this correct?
Click to expand...
yes, it should if sp wasnt modified in between the push and the ldr.
edit:
it could change if itheres a subroutine call inside the ... using the value of sp as one of its arguments like
Code: 
mov  r0, sp
bl  impureFunc
 
Thanks, the SP register is unchanged betwhen the two instrunction.

There must be some other mistakes somewhere.
 
nop90 said:
I need some help in interpreting a piece of asm code that when ported in C, give me some problems:

Code: 
push {r0, r1, r4, lr}
...
mov r2, #68 ; 0x44
ldr r1, [sp]
ldr r0, [pc, #20] # loads the value  0xffff8001 -> process handle
svc 0x00000054 # FlushProcessDataCache(Handle process, void const* addr, u32 size)

the value loaded in r1 from the top of the stack should be the value in r0 (first param of the function) pushed on the stack at the beginning. Is this correct?
Click to expand...


yes it should work, but make sure both r13 for [ push {r0, r1, r4, lr} ] is the same (CPSR & 0x1f) (processor mode bits) at the time [ ldr r1, [sp] fetch data ], or at least SP address must be the same.

http://www.heyrick.co.uk/armwiki/The_Status_register

-
Or.. are you sure there isn't STMxx Rn!,{...} or LDMxx Rn!,{...} between push & ldr ldr r1, [sp] as it may update the stack pointer.

-
Or..

For example THUMB code writeback the base address always for LDMIA/STMIA/PUSH/POP, so :

push r0,r1,r2 @sp=sp - ((4*3)-4) means sp[0] <= sp[2]

//considering the SP is not modified here

ldr r1, [sp] @ means *(sp[2])

@ and you want *(sp[0])

@so it would be:

ldr r1, [sp,#-((4*3)-4)] @ means *(sp[0])
 
Coto said:
yes it should work, but make sure both r13 for [ push {r0, r1, r4, lr} ] is the same (CPSR & 0x1f) (processor mode bits) at the time [ ldr r1, [sp] fetch data ], or at least SP address must be the same.

http://www.heyrick.co.uk/armwiki/The_Status_register

-
Or.. are you sure there isn't STMxx Rn!,{...} or LDMxx Rn!,{...} between push & ldr ldr r1, [sp] as it may update the stack pointer.

-
Or..

For example THUMB code writeback the base address always for LDMIA/STMIA/PUSH/POP, so :

push r0,r1,r2 @sp=sp - ((4*3)-4) means sp[0] <= sp[2]

//considering the SP is not modified here

ldr r1, [sp] @ means *(sp[2])

@ and you want *(sp[0])

@so it would be:

ldr r1, [sp,#-((4*3)-4)] @ means *(sp[0])
Click to expand...

Thank you for your useful explaination. The missing part of the code only loads r2 and r3, tha writes r2 in the memory location pointed by r3.

BTW i'm not writing asm, i'm RE some code and writing it in c. And I already found my bug, it was a simply typo in the comments i wrote next the asm code. Reading data in little endian I swapped also the two ciphers in a byte :ha:
 
nop90 said:
Thank you for your useful explaination. The missing part of the code only loads r2 and r3, tha writes r2 in the memory location pointed by r3.

BTW i'm not writing asm, i'm RE some code and writing it in c. And I already found my bug, it was a simply typo in the comments i wrote next the asm code. Reading data in little endian I swapped also the two ciphers in a byte :ha:
Click to expand...


no problemo ^_^
 
Rinnegatamante said:
Does 3DS Homebrew List on GBAtemp wiki won't be updated anymore?
I seen it lacks of latest homebrew releases/updates.
Click to expand...
When I have time as it seems tj_cool and me are the only one working on it.
If developers added their own homebrew that would help. even just listing it with a link to the thread or git is enough. we can create the homebrew page later.

I don't crawl the existing homebrew threads to see if there are new version every days.
There are probably new blarg or 3Dnes?
 
Cyan said:
When I have time as it seems tj_cool and me are the only one working on it.
If developers added their own homebrew that would help. even just listing it with a link to the thread or git is enough. we can create the homebrew page later.

I don't crawl the existing homebrew threads to see if there are new version every days.
There are probably new blarg or 3Dnes?
Click to expand...

Today i updated it a bit with some updates/releases but probably i missed something.
 
  • Like
Reactions: SLiV3R and Cyan
I have found an interesting "feature"

Code: 
...
aptOpenSession();
//srvGetServiceHandle(&aptuHandle, "APT:U");
APT_PrepareToDoAppJump(NULL, 2, 0, mediatype_GAMECARD);
APT_DoAppJump(NULL,0,0,2,0);
//APT_HardwareResetAsync(NULL);
svcCloseHandle(aptuHandle);
aptCloseSession();
...

Please note: I am learning with try and error, and I have not really an idea why this is happening. It should in theory launch something (I am learning^^)

When I launch that in Ninjhax nothing happens for around 30sec or so, but after that cubic ninja crashes and I get the error "something... the system has to restart" BUT it does not restart. Instead you can just click ok and nothing happens and I am back in home menu.
But now all the buttons (including the home button) are disabled in games (tested CubicNinja, FlipNote Studio 3D and MiiPlaza) you have to restart your System to get them back to work. The touchscreen is also not working in game. The small Apps like the Browser are not affected by this, I tested this on a JP N3DS with 9.2.
And DownloadPlay crashes and restarts the System.

Maybe someone can explain me what is happening there.
 
MeisterFenster said:
I have found an interesting "feature"

Code: 
...
aptOpenSession();
//srvGetServiceHandle(&aptuHandle, "APT:U");
APT_PrepareToDoAppJump(NULL, 2, 0, mediatype_GAMECARD);
APT_DoAppJump(NULL,0,0,2,0);
//APT_HardwareResetAsync(NULL);
svcCloseHandle(aptuHandle);
aptCloseSession();
...

Please note: I am learning with try and error, and I have not really an idea why this is happening. It should in theory launch something (I am learning^^)

When I launch that in Ninjhax nothing happens for around 30sec or so, but after that cubic ninja crashes and I get the error "something... the system has to restart" BUT it does not restart. Instead you can just click ok and nothing happens and I am back in home menu.
But now all the buttons (including the home button) are disabled in games (tested CubicNinja, FlipNote Studio 3D and MiiPlaza) you have to restart your System to get them back to work. The touchscreen is also not working in game. The small Apps like the Browser are not affected by this, I tested this on a JP N3DS with 9.2.
And DownloadPlay crashes and restarts the System.

Maybe someone can explain me what is happening there.
Click to expand...

I'm not entirely sure, but i don't think you can do this in ninjrhax
 
I could see that being of use in the spiderhax version of Ninjhax (whenever that finally gets finished.... ). But I'm pretty sure you can't use it to launch unsigned CIAs. Perhaps an alternate method of region free maybe? Don't see much other use for this. :P
 
An alternative method for regionthree is my goal. Smealum said that it would be possible somehow. It should be possible to launch a cartridge with ninjhax (even if it is cubic ninja, that would be a step forward).
This code also does something, but I dont know why. It crashes the games after ca. 25sec and the error "an error has occurred the system has to restart" appears but you can just click ok and the system does not restart. It will stay in home menu but when you start a game or for example System Settings all the button and the touchscreen are dead.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

[WIP] SMW 3DS Port - Early Playable Demo by ZalgonEn

Problems getting Homebrew to appear outside of the Homebrew Launcher (homebrew won't appear on the HOME menu)

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Website for finding alternative games for 3DS

Homebrew  [Progress update] LCE Minecraft 3ds

Gaming  any good rpgs on 3ds?