[Question] Possible to introduce an arm9 kernel exploit in >= 9.3 using a9lh?

Discussion in '3DS - Flashcards & Custom Firmwares' started by ksanislo, May 5, 2016.

  1. ksanislo
    OP

    ksanislo GBAtemp Fan

    The technical side of this is a bit beyond what I'm capable of even trying to attempt, but it seems like it could be possible between A9LH and 3ds_injector (the loader replacement) to introduce an arm9 entry point for CFW firmware versions above 9.2 if they were booted through A9LH.

    The point of this would be to allow things that need arm9 access from within an updated CFW, where you have all of the normal system still available, unlike a9lh alone where there's no network access and it can only be started from a reboot.

    Can anyone with deeper technical knowledge chime in on this?
     
  2. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    The real question is why should we? To make that arm9 exploit available we need to boot it through another arm9 exploit, cause it CAN'T be permanent.
     
  3. ksanislo
    OP

    ksanislo GBAtemp Fan

    The point was already explained in the original post: when you boot an updated firmware above 9.2, you lose access to the arm9 as soon as A9LH starts the normal OS up. This means things like Decrypt9 can /only/ be run from A9LH. If we can introduce an intentional arm9 exploit, we could have access to the hardware AES engine from within higher firmware versions than 9.2, instead of either needing to boot a 9.2 emuNAND or write apps that need extended access to run under A9LH itself, where there is no network or any of the higher level API available. If we made our own kernel exploit, patched in while booting the updated OS, it would eliminate this limitation.
     
  4. Supster131

    Supster131 (づ。◕‿‿◕。)づ *:・゚✧

    Yeah, it technically is.
    @Urbanshadow was working on an arm9 thread a while back, idk if he still is though.

    As @Filo97 stated, why? We can already boot arm9 apps through A9LH. This is why a lot of people ditched 9.2, because we don't need it anymore.
     
  5. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    OK, it is useful, but network isn't available with arm9 in general, not only a9lh.
     
  6. ksanislo
    OP

    ksanislo GBAtemp Fan

    Network would be available before switching execution into the arm9 though, and depending on how it was implemented since it would be an intentional exploit, it would probably even be possible to get access to run code or change AES keys on the A9 while still keeping the normal arm11 up and functional.
     
  7. zoogie

    zoogie simple pimp tool

  8. yifan_lu

    yifan_lu @yifanlu

    GBAtemp logic: we can't run arm9 code on an unhacked system without an exploit therefore we can't run arm9 code on a hacked system without an exploit.
     
  9. PaiiNSteven

    PaiiNSteven Newbie

    And throwback Thursday: what about NTRCardhax? Is that still being worked on? It's been silent for a little while now.
     
  10. Plailect

    Plailect GBAtemp Advanced Fan

    @Urbanshadow's fork of CakesFW can hook traditional arm9 calls and run 9.2-only applications on the latest firmware using arm9loaderhax.
     
  11. Urbanshadow

    Urbanshadow GBAtemp Maniac

    Heh I wish. Level of completion of arm9hook is certainly about 100% because you can really execute a bunch of arm9 instructions from a firm that was impossible to do before. Also from some time ago to right now, I added return status functionality, so now we can know from our arm11 cia how the execution went in arm9.

    But still the execution is very limited by space (13 KB is the maximum that ITCM will hold for us) and by context, as the whole home menu execution is paused when arm9 goes in and tries to resume afterwards, so any possible lock on data or hardware done by the system and messed up by any arm9 code could potentially crash the system immediately or when going back to arm11 execution. So you can't, for now, execute whatever code. It must be somewhat careful with the environment. For curious people, our code is handled like an assembler SVC call.

    The TODO, obviously, is to increase that space by using FCRAM instead of ITCM (favoring size over speed) and starting the investigation of what could be safely made, and what can't. It should be theoretically possible to do memory dumps from whatever memory region. It should also be possible to break some amount of things without an imminent crash and just simply reboot the system when done.

    It is nowhere near useful to the regular user right now.
     