Homebrew [Released] Some developer tools for the privileged among us

Archshift

By privileged, I obviously mean those of us who use libkhax! I've made a few tools that can take advantage of bootstrap's kernel access.

First is service-patch. This tool, as the name suggests, is able to patch services in two ways.
First of all, it patches the currently-running homebrew to have full service access, without ninjhax limitations. It does this by patching the PID of Cubic Ninja to zero, and all PIDs below five have automatic full access to all services.
The tool also provides infrastructure to patch the code of any currently-running process. If you tried to do this with the debug SVCs, the process would crash on execution of whatever code you patched, but service-patch queries the location of the code under the kernel addressing-mode, and patches the code by directly accessing the memory.

The next tool is i2c. As its name suggests as well, the program is able to access the I2C registers. This can be neat especially for ARM9 homebrew developers (rxTools comes to mind), as you can do such things as querying the current battery level from I2C. Check 3DBrew for all currently-known I2C functions.
NOTE: ALWAYS BE CAREFUL MESSING AROUND WITH I2C AND BE SURE OF WHAT YOU'RE DOING. DEVELOPERS HAVE BRICKED THEIR 3DS DOING THINGS AS SIMPLE AS MESSING WITH THE LED REGISTERS.

There's also dump-kernelmem. This dumps the kernel memory.

I'd also like to give a quick mention to the bootstrap branch of Decrypt9. This has existed for quite a while already, but it's apparently been undiscovered so far! To run Decrypt9 from bootstrap, compile Decrypt9, then replace the payload.bin in bootstrap with Decrypt9.bin (renamed, of course, to payload.bin). It even supports the N3DS!

Have fun developing!
 

yifan_lu

Thank you! "The tool also provides infrastructure to patch the code of any currently-running process." Does this allow you to patch a process and return to home menu/launch another title? Because it would be nice to be able to, for example, patch NIM to bypass update checks and then open eshop.
 

Archshift

Unfortunately all the tool can do is patch code, it doesn't do anything special to allow returning to home menu.

From what I've been told on #3dsdev, it's not even feasible to return to home menu from Ninjhax because the RO exploit has so much fallout.
 

Shadowtrance

c:/Users/teron_000/Desktop/GIT-REPOS/service-patch/source/main.cpp:17:38: error: 'svcBackdoor' was not declared in this scope
svcBackdoor(patch_process_wrapper);
When attempting to build service-patch. Nothing changed, just default source.
I'm not much of a coder, just a tinkerer. Thought I'd point that out in case it's an error on your part or maybe me just being a noob. haha
 

dubbz82

Spiffy, I'm going to stay the heck away though, until someone inevitably makes something with this. Very nice though
 

yifan_lu

> Unfortunately all the tool can do is patch code, it doesn't do anything special to allow returning to home menu.
>
> From what I've been told on #3dsdev, it's not even feasible to return to home menu from Ninjhax because the RO exploit has so much fallout.

Yeah, I've been trying to get process patching to work with spider, but turns out that saving/restoring heap and restoring SVC 8 code is not enough because although it allows you to return from kernel, it crashes some service or something because closing spider gives you a black screen with the error message.
 

josamilu

Awesome release. I modified service-patch a bit and tried to compile it but got this error:
Code:
d:/devkitPro/ctrulib/service-patch-master/source/main.cpp: In function 'int main(int, char**)':
d:/devkitPro/ctrulib/service-patch-master/source/main.cpp:105:38: error: 'svcBackdoor' was not declared in this scope
    svcBackdoor(patch_process_wrapper);
                                      ^
How can I fix this?
 

dubbz82

> Awesome release. I modified service-patch a bit and tried to compile it but got this error:
> Code:
> d:/devkitPro/ctrulib/service-patch-master/source/main.cpp: In function 'int main(int, char**)':
> d:/devkitPro/ctrulib/service-patch-master/source/main.cpp:105:38: error: 'svcBackdoor' was not declared in this scope
>     svcBackdoor(patch_process_wrapper);
>                                       ^
> How can I fix this?

Check 3 posts above yours.
 

dela

Damn interesting release. For a while now, at the suggestion of another dev, I've been studying how decrypt9 works, and now with this and your other release I'm literally amazed.
 

sanni

Soooo can we combine this service patch with the 3dsx version of FBI and install a newer browser version? Or other correctly signed cia's like system updates?
 

dela

Earlier I was having a look at your sources from my smartphone, and I did not understand if it can enable svc "0x7c" in unsigned [KernelSetState(unsigned int Type, unsigned int Param0, unsigned int Param1, unsigned int Param2)].
 

urherenow

> I'd also like to give a quick mention to the bootstrap branch of Decrypt9. This has existed for quite a while already, but it's apparently been undiscovered so far! To run Decrypt9 from bootstrap, compile Decrypt9, then replace the payload.bin in bootstrap with Decrypt9.bin (renamed, of course, to payload.bin). It even supports the N3DS!

Slightly off topic- but can somebody pretty please do this and release a .3ds version of decrypt9 that will run on N3DS? Or really any way of running Decrypt9 on N3DS. Also, can this be used somehow to make rxtools work on N3DS?
 

Oishikatta

> Slightly off topic- but can somebody pretty please do this and release a .3ds version of decrypt9 that will run on N3DS? Or really any way of running Decrypt9 on N3DS. Also, can this be used somehow to make rxtools work on N3DS?

You quoted his link to his bootstrap branch of Decrypt9 that compiles to .3dsx and runs on the N3DS via ninjhax.
 
