Thread Status:
Not open for further replies.
  1. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy
    Member

    Joined:
    Nov 18, 2012
    Messages:
    1,970
    Country:
    United States
    They're plenty viable, they work and they work well, and the ROP itself cannot be patched regardless on either one (although OoT can be patched via eShop, but you can easily remove the update).
     
    Margen67 likes this.
  2. 173210

    173210 GBAtemp Regular
    Member

    Joined:
    Jan 22, 2014
    Messages:
    245
    Country:
We are trying to hook functions, but I think we should confirm that the code is correct.
To confirm that, we should write the addresses of the original functions instead of the address of jump_table.

    https://github.com/Aliak/OSKA/blob/master/oska.c#L260
Code:
#include <stdio.h>
#include <stdint.h>

/* Cache maintenance routines provided elsewhere in OSKA. */
void CleanEntireDataCache(void);
void InvalidateEntireInstructionCache(void);

void doArm9Hax(void)
{
#ifdef DEBUG_PROCESS
    printf("Setting up Arm9\n");
#endif

    /* ARM11 reboot routine; an integer needs an explicit cast to a function pointer in C */
    int (*reboot)(int, int, int, int) = (int (*)(int, int, int, int))0xFFF748C4;

    __asm__ ("clrex"); // clear any pending exclusive-monitor state

    CleanEntireDataCache();
    InvalidateEntireInstructionCache();

    // ARM9 code copied to FCRAM 0x23F00000
    //memcpy(0xF3F00000, ARM9_PAYLOAD, ARM9_PAYLOAD_LEN);
    // write function hook at 0xFFFF0C80
    //memcpy(0xEFFF4C80, 0x9D23AC, 0x9D2580);

    // write FW specific offsets to copied code buffer
    // (volatile so the compiler cannot reorder or drop these stores)
    *(volatile uint32_t *)(0xEFFF4C80 + 0x60) = 0xFFFD0000; // PDN regs
    *(volatile uint32_t *)(0xEFFF4C80 + 0x64) = 0xFFFD2000; // PXI regs
    *(volatile uint32_t *)(0xEFFF4C80 + 0x68) = 0xFFF84DDC; // where to return to from hook

    // patch function 0xFFF84D90 to jump to our hook
    *(volatile uint32_t *)(0xFFF84DD4 + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
    *(volatile uint32_t *)(0xFFF84DD4 + 4) = 0xFFFF0C80; // jump_table + 0
    // patch reboot start function to jump to our hook
    *(volatile uint32_t *)(0xFFFF097C + 0) = 0xE51FF004; // ldr pc, [pc, #-4]
    *(volatile uint32_t *)(0xFFFF097C + 4) = 0x8F028C4; // jump_table + 4

    InvalidateEntireInstructionCache();

    printf("test1\n");

    reboot(0, 0, 2, 0); // trigger reboot
}
     
    Margen67 likes this.
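As an added example (not OSKA's code and not from the post above), here is the two-word "ldr pc, [pc, #-4]" trampoline that doArm9Hax() writes, reproduced on a simulated memory window so it can be run on a PC, together with the read-back step that confirms what was written. The fake_mem_t buffer, its base address and the 0xAA filler are assumptions made for the demo; the patch site 0xFFF84DD4 and the hook target 0xFFFF0C80 are the post's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARM encoding of "ldr pc, [pc, #-4]". In ARM state pc reads as the
 * current instruction + 8, so the load fetches the word right after the
 * instruction (site + 4) and branches to it. */
#define LDR_PC_PC_M4 0xE51FF004u

/* Assumed stand-in for the ARM9 kernel region being patched:
 * a small backing buffer mapped at a chosen base address. */
typedef struct {
    uint32_t base;
    uint8_t  mem[0x80];
} fake_mem_t;

/* Translate an address to a buffer offset, refusing anything outside. */
static int fm_off(const fake_mem_t *m, uint32_t addr, uint32_t *off)
{
    if (addr < m->base || addr - m->base > sizeof m->mem - 4) return -1;
    *off = addr - m->base;
    return 0;
}

/* Little-endian word access, as on the ARM target. */
static int fm_write32(fake_mem_t *m, uint32_t addr, uint32_t v)
{
    uint32_t o;
    if (fm_off(m, addr, &o)) return -1;
    m->mem[o] = (uint8_t)v;           m->mem[o + 1] = (uint8_t)(v >> 8);
    m->mem[o + 2] = (uint8_t)(v >> 16); m->mem[o + 3] = (uint8_t)(v >> 24);
    return 0;
}

static int fm_read32(const fake_mem_t *m, uint32_t addr, uint32_t *v)
{
    uint32_t o;
    if (fm_off(m, addr, &o)) return -1;
    *v = (uint32_t)m->mem[o] | (uint32_t)m->mem[o + 1] << 8 |
         (uint32_t)m->mem[o + 2] << 16 | (uint32_t)m->mem[o + 3] << 24;
    return 0;
}

/* Install the trampoline the post writes at 0xFFF84DD4 and 0xFFFF097C:
 *   site + 0: ldr pc, [pc, #-4]
 *   site + 4: target (literal pool entry) */
int install_ldr_pc_hook(fake_mem_t *m, uint32_t site, uint32_t target)
{
    if (fm_write32(m, site, LDR_PC_PC_M4) || fm_write32(m, site + 4, target))
        return -1;
    return 0;
}

/* Read a site back: the hook target if the trampoline is present, else 0.
 * This is the "confirm the code is correct" step: compare the result with
 * the address you meant to jump to before anything is executed. */
uint32_t decode_ldr_pc_hook(const fake_mem_t *m, uint32_t site)
{
    uint32_t insn, lit;
    if (fm_read32(m, site, &insn) || fm_read32(m, site + 4, &lit)) return 0;
    return insn == LDR_PC_PC_M4 ? lit : 0;
}

/* Put the two original words back (the unhook path). */
int restore_site(fake_mem_t *m, uint32_t site, const uint32_t saved[2])
{
    if (fm_write32(m, site, saved[0]) || fm_write32(m, site + 4, saved[1]))
        return -1;
    return 0;
}

/* Full round trip on a window around the post's first patch site.
 * Returns 0 on success or the number of the step that failed. */
int demo_hook_roundtrip(void)
{
    fake_mem_t arm9 = { .base = 0xFFF84D80 };          /* assumed window */
    const uint32_t site = 0xFFF84DD4, hook = 0xFFFF0C80; /* jump_table + 0 */
    uint32_t saved[2];

    memset(arm9.mem, 0xAA, sizeof arm9.mem); /* constructed filler "code" */

    if (decode_ldr_pc_hook(&arm9, site) != 0) return 1;  /* not hooked yet */
    if (fm_read32(&arm9, site, &saved[0]) ||
        fm_read32(&arm9, site + 4, &saved[1])) return 2; /* save originals */
    if (install_ldr_pc_hook(&arm9, site, hook)) return 3;
    if (decode_ldr_pc_hook(&arm9, site) != hook) return 4; /* read-back check */
    if (restore_site(&arm9, site, saved)) return 5;
    if (decode_ldr_pc_hook(&arm9, site) != 0) return 6;   /* back to original */
    if (install_ldr_pc_hook(&arm9, arm9.base + sizeof arm9.mem, hook) == 0)
        return 7; /* a write outside the window must be refused */
    return 0;
}

int main(void)
{
    int rc = demo_hook_roundtrip();
    printf("hook round trip: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The read-back step is the part worth carrying over to the real thing: applied to the post's second site, the literal 0x8F028C4 and the comment "jump_table + 4" (which would be 0xFFFF0C84) disagree, and a decode-and-compare before reboot(0, 0, 2, 0) is what surfaces that kind of mismatch while it is still cheap to fix.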
  3. 173210

    173210 GBAtemp Regular
    Member

    Joined:
    Jan 22, 2014
    Messages:
    245
    Country:
    Does OSKA work fine?
     
    Margen67 likes this.
  4. aliak11

    OP aliak11 Pokemon Master
    Member

    Joined:
    Dec 5, 2010
    Messages:
    195
    Country:
    United States
    Yes, it detects my kernel fine now.
     
    Margen67, w0dash and Lord Prime like this.
  5. gudenau

    gudenau Largely ignored
    Member

    Joined:
    Jul 7, 2010
    Messages:
    3,651
    Country:
    United States
    Doesn't the Arm9hax need to be in arm11 kernel mode?
     
  6. williamcesar2

    williamcesar2 GBAtemp Advanced Fan
    Member

    Joined:
    Jun 21, 2013
    Messages:
    669
    Country:
    United States
keep up the great work! open... > closed...
     
    Cyberdrive and Margen67 like this.
  7. shawnanastasio

    shawnanastasio Advanced Member
    Newcomer

    Joined:
    May 15, 2011
    Messages:
    98
    Country:
    United States
    Just curious; would it be potentially possible to launch Gateway's Launcher.dat through Cubic Ninja through this as opposed to the OoT exploit?
     
    Margen67 likes this.
  8. zuxicovp

    zuxicovp Advanced Member
    Newcomer

    Joined:
    Jan 25, 2015
    Messages:
    82
    Country:
    United States
    Yes, this is what the Gateway team said they are working on
     
    Margen67 likes this.
  9. Axido

    Axido GBAtemp Maniac
    Member

    Joined:
    Feb 12, 2014
    Messages:
    1,043
    Country:
    Germany
I wouldn't mind someone working on it separately, so we might get it "sooner".
But I'm sure no capable dev would like to do GW's work and not get paid for that.
     
  10. 173210

    173210 GBAtemp Regular
    Member

    Joined:
    Jan 22, 2014
    Messages:
    245
    Country:
    I guess so.
     
  11. froggestspirit

    froggestspirit D/P/Pt Demix Guy
    Member

    Joined:
    Jul 28, 2011
    Messages:
    1,268
    Country:
    United States
    Can any of this be used to port downgrading to 9.3?
     
    Margen67 likes this.
  12. josamilu

    josamilu GBAtemp Fan
    Member

    Joined:
    Feb 1, 2015
    Messages:
    383
    Country:
    Gambia, The
This uses Ninjhax, which doesn't work on 9.3, because one of the needed exploits was fixed.
     
  13. froggestspirit

    froggestspirit D/P/Pt Demix Guy
    Member

    Joined:
    Jul 28, 2011
    Messages:
    1,268
    Country:
    United States
    I'm not sure how it works, but I know that firmlaunch hax is still in 9.3, has anyone tried using that?
     
    Margen67 likes this.
  14. gudenau

    gudenau Largely ignored
    Member

    Joined:
    Jul 7, 2010
    Messages:
    3,651
    Country:
    United States
    I was going to do that, then they said they are. :-P
     
  15. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy
    Member

    Joined:
    Nov 18, 2012
    Messages:
    1,970
    Country:
    United States
    memchunkhax isn't though, and ARM11 kernel is required to use firmlaunch hax, so in reality everything is still 9.2 or below, no open source/closed source exploit recreation changes that.
     
  16. minipablo

    minipablo Member
    Newcomer

    Joined:
    Aug 3, 2014
    Messages:
    41
    Country:
So I deduce that OSKA is working properly now?
     
    Margen67 likes this.
  17. 173210

    173210 GBAtemp Regular
    Member

    Joined:
    Jan 22, 2014
    Messages:
    245
    Country:
    ARM9 Exploit won't work now.
     
  18. johovahs

    johovahs Advanced Member
    Newcomer

    Joined:
    Feb 5, 2015
    Messages:
    76
    Country:
    United States
    I don't really see the point in having someone waste their time on something that gateway is already reporting trying to do.
     
  19. 173210

    173210 GBAtemp Regular
    Member

    Joined:
    Jan 22, 2014
    Messages:
    245
    Country:
    I suggest we have milestones. My plan:
    1. Get ARM11 kernel access -> Achieved
    2. Release all ARM11 SVC -> Achieved
    3. Hook ARM11 functions to gain ARM9 access -> Not confirmed
    4. Get ARM9 access
    5. Enable to reboot
    6. Add patches
    7. Add configurations
    8. Add UI
     
  20. mordorer

    mordorer Advanced Member
    Newcomer

    Joined:
    Jan 17, 2015
    Messages:
    83
    Country:
    Italy
good job! if ARM9 becomes a success, do you plan on an open source CFW?
     