[Released] Some developer tools for the privileged among us

Discussion in '3DS - Homebrew Development and Emulators' started by Archshift, Apr 3, 2015.

  1. Archshift
    By privileged, I obviously mean those of us who use libkhax! I've made a few tools that can take advantage of bootstrap's kernel access.

    First is service-patch. This tool, as the name suggests, is able to patch services in two ways.
    First of all, it patches the currently-running homebrew to have full service access, without ninjhax limitations. It does this by patching the PID of Cubic Ninja to zero, and all PIDs below five have automatic full access to all services.
    The tool also provides infrastructure to patch the code of any currently-running process. If you tried to do this with the debug SVCs, the process would crash on execution of whatever code you patched, but service-patch queries the location of the code under the kernel addressing-mode, and patches the code by directly accessing the memory.

    The next tool is i2c. As its name suggests as well, the program is able to access the I2C registers. This can be neat especially for ARM9 homebrew developers (rxTools comes to mind), as you can do such things as querying the current battery level from I2C. Check 3DBrew for all currently-known I2C functions.
    NOTE: ALWAYS BE CAREFUL MESSING AROUND WITH I2C AND BE SURE OF WHAT YOU'RE DOING. DEVELOPERS HAVE BRICKED THEIR 3DS DOING THINGS AS SIMPLE AS MESSING WITH THE LED REGISTERS.

    There's also dump-kernelmem. This dumps the kernel memory.

    I'd also like to give a quick mention to the bootstrap branch of Decrypt9. This has existed for quite a while already, but it's apparently been undiscovered so far! To run Decrypt9 from bootstrap, compile Decrypt9, then replace the payload.bin in bootstrap with Decrypt9.bin (renamed, of course, to payload.bin). It even supports the N3DS!

    Have fun developing!
     


  2. ChrisX930

    Thank you very much for this!
    I hope it works like I want :)
     
  3. yifan_lu

    Thank you! "The tool also provides infrastructure to patch the code of any currently-running process." Does this allow you to patch a process and return to home menu/launch another title? Because it would be nice to be able to, for example, patch NIM to bypass update checks and then open eshop.
     
  4. Archshift
    Unfortunately all the tool can do is patch code, it doesn't do anything special to allow returning to home menu.

    From what I've been told on #3dsdev, it's not even feasible to return to home menu from Ninjhax because the RO exploit has so much fallout.
     
  5. Shadowtrance

    When attempting to build service-patch. Nothing changed, just default source.
    I'm not much of a coder, just a tinkerer. Thought I'd point that out in case it's an error on your part or maybe me just being a noob. haha
     
  6. Archshift
    Oh, oops, I forgot that I had changed ctrulib to include svcBackdoor. I'll PR that change now.

    EDIT: Submitted a PR (https://github.com/smealum/ctrulib/pull/113), pull that version of ctrulib once it's merged or just merge my changes into your local ctrulib if you want.
     
  7. dubbz82

    Spiffy, I'm going to stay the heck away though, until someone inevitably makes something with this. Very nice though
     
  8. yifan_lu

    Yeah, I've been trying to get process patching to work with spider, but turns out that saving/restoring heap and restoring SVC 8 code is not enough because although it allows you to return from kernel, it crashes some service or something because closing spider gives you a black screen with the error message.
     
  9. josamilu

    Awesome release. I modified service-patch a bit and tried to compile it but got this error:
    Code:
    d:/devkitPro/ctrulib/service-patch-master/source/main.cpp: In function 'int main(int, char**)':
    d:/devkitPro/ctrulib/service-patch-master/source/main.cpp:105:38: error: 'svcBackdoor' was not declared in this scope
        svcBackdoor(patch_process_wrapper);
                                          ^
    How can I fix this?
     
  10. dubbz82



    Check 3 posts above yours.
     
  11. josamilu

    whoops xD I cross my heart that it wasn't there when I posted it :D thanks
     
  12. Suiginou

    Excellent news. Thank you very much, archshift.
     
  13. dela

    Damn interesting release. It has already been a while that I've been studying, at the suggestion of another dev, how decrypt9 works, and now with this and your other release I'm literally amazed.
     
  14. Archshift
    Oh, I also forgot to mention the existence of dump-kernelmem (which dumps kernelmem). This should work on recent versions of both O3DS and N3DS firmwares.

    Also, we now have a new method of gaining kernel access, libkhax, which is supposed to be very reliable!
     
  15. sanni

    Soooo can we combine this service patch with the 3dsx version of FBI and install a newer browser version? Or other correctly signed CIAs like system updates?
     
  16. Archshift
    Yes, you can, although I take no responsibility for what FBI does to your 3DS ;)
     
  17. dela

    Before, I was only giving it a look from my smartphone; I did not understand whether it can enable svc "0x7c" [KernelSetState(unsigned int Type, unsigned int Param0, unsigned int Param1, unsigned int Param2)].
     
  18. MemoryController

    It patches the SVC ACL checks with NOPs so you can call any syscall.
     
  19. urherenow

    Slightly off topic, but can somebody pretty please do this and release a .3ds version of decrypt9 that will run on N3DS? Or really any way of running Decrypt9 on N3DS. Also, can this be used somehow to make rxtools work on N3DS?
     
  20. Oishikatta

    You quoted his link to his bootstrap branch of Decrypt9, which compiles to .3dsx and runs on the N3DS via ninjhax.