4dsdev
Views: 1,610,090 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 11-23-24 11:41 AM
Guest:

0 users reading Staplehax -- Ninjhax with kernel access | 1 bot

Main - Homebrew projects - Staplehax -- Ninjhax with kernel access Hide post layouts | New reply

Pages: 1 2
StapleButter
Posted on 05-21-15 06:53 PM (rev. 2 of 05-21-15 06:55 PM) Link | #130
Staplehax basically mixes Ninjhax and libkhax together to provide more capabilities to homebrew, as well as a saner environment.


https://github.com/StapleButter/Staplehax


It can load homebrew, but it's still far from done.



Original GBAtemp post:
The idea popped up somewhere in the blargSNES thread, when someone pointed me to Myria's libkhax. A library for gaining ARM11 kernel access from userland, and getting access to all the services. And all without too much side effects on the system. Pretty cool shit.


People have been embedding it in their homebrews to gain CSND access or other fun things. It's nice, but we're doing it wrong. Exploits are the homebrew loader's job. Homebrew apps should be built to run in all the possible scenarios. Not to mention the issues there are with that.


The base idea here is to combine Ninjhax and libkhax to provide such an environment. Hence the name of the project-- I'm not doing anything awesome really, I'm merely playing Lego with existing code. smealum and Myria deserve most of the credit.


How will it work?

We first use Ninjhax's first two stages -- CubicNinja exploit and gspwn -- to load the secondary payload.
Secondary payload uses libkhax to gain all the needed access. Loads a process that will basically be an adapted implementation of the HB service (service responsible for loading .3dsx files, among other fun things). Then uses it to launch the Homebrew Launcher, and kills the CubicNinja process.

Details may vary depending on potential roadblocks I'd encounter, but this is the basic process.


What changes over Ninjhax?

More possibilities, since you aren't tied to the browser's permissions. Also, a saner homebrew environment, free of some of Ninjhax's side effects (like breaking most of APT).

Other than that, most things will remain the same. Legohax will run on the same firmwares as Ninjhax, that is, no hax for 9.3 and up. (the exploit used by libkhax was fixed in this firmware version)

You will just be getting the QR codes from a different place. Oh also, it should also be possible to provide little apps for switching to Legohax or to Ninjhax if you already have one of them installed. The initial payload will remain mostly the same.


What are the possibilities exactly?

Access to all the SVCs. Including SVC 0x7B (kernel-mode backdoor) if you want to get fancy, and the oh-so-useful SVC 0x74.

Maybe access to all the services, if that is stable (it involves patching the process's PID to zero-- not sure how it'd work with multiple processes having the same PID). Otherwise, we will compile a satisfying service list (think https://github.com/StapleButter/blargSnes/blob/master/cci/cia.rsf#L168 plus New3DS services).

Hopefully working APT shit!

Oh, and some other funny shit we could do:

* ranged cache invalidate/flush, could be useful for the dynarec-powered emulators out there (probably faster than trashing the whole caches)
* patching the DSP service to allow loading unsigned binaries (not useful until one is made, though)
* rainbow ponies


when do you release azgafsgaefgaefgs

When it's done.


I will let you guys know.


____________________
blargSNES -- SNES emu for 3DS
More cool stuff

VinsCool
Posted on 05-21-15 07:50 PM Link | #131
Hi. Great work, I can't wait to see more :)

As of now, is it usable in its current form? Or is it unfinished to actually be usable now?

____________________
~ I like to read people's bullshit, always funny.
Anti-piracy, homebrew and legal stuff only.

Knows some C, but very ignorant to real hacking stuff.
Awaiting KARL3DS

StapleButter
Posted on 05-21-15 07:52 PM Link | #132
Kinda usable, considering it can load some homebrew. But couldn't run the homebrew launcher. And there are still other issues with it.

____________________
blargSNES -- SNES emu for 3DS
More cool stuff

VinsCool
Posted on 05-21-15 07:52 PM Link | #133
Keep up the good work! :)

____________________
~ I like to read people's bullshit, always funny.
Anti-piracy, homebrew and legal stuff only.

Knows some C, but very ignorant to real hacking stuff.
Awaiting KARL3DS

StapleButter
Posted on 05-21-15 07:55 PM Link | #134
I'm not even sure I want to continue tbh.

____________________
blargSNES -- SNES emu for 3DS
More cool stuff

profi200
Posted on 05-21-15 08:01 PM Link | #135
I just registered. As long as this place doesn't get flooded by GBAfail trolls i will stay.

And on topic: Nice work :)

VinsCool
Posted on 05-21-15 08:03 PM Link | #136
Posted by StapleButter
I'm not even sure I want to continue tbh.

Well, it is opensource, so this is a good start :D

____________________
~ I like to read people's bullshit, always funny.
Anti-piracy, homebrew and legal stuff only.

Knows some C, but very ignorant to real hacking stuff.
Awaiting KARL3DS

filfat
Posted on 05-21-15 09:10 PM Link | #137

Posted by profi200
I just registered. As long as this place doesn't get flooded by GBAfail trolls i will stay.

And on topic: Nice work :)

This forum needs a like button!


On topic: Awesome! :)

____________________
CEO @ filfat Studios AB
https://www.filfatstudios.com

Margen67
(post deleted) #144

WhoAmI?
Posted on 05-25-15 12:24 AM Link | #155
AAAwww. I hope this project does get somewhere. I think the dev is doing a great job! I do understand that this isn't easy stuff to be working with...

Would be cool if there was a "release" branch on Github... I can't compile this for 9.2.0-20E, since I don't have the right development tools.

coto
Posted on 05-25-15 12:35 AM Link | #157
Posted by profi200
I just registered. As long as this place doesn't get flooded by GBAfail trolls i will stay.

And on topic: Nice work :)


I just read this, can't be more 100% agreed.

Let's hope the staplepowers vanquish most useless trolls / crap posts ever born. There is way too much talent around to let it go because of children.

-

To do not derail this topic I would like to add something:

besides the rainbow ponies I want to know if the 3DS has mirrored FCRAM addresses , (NDS does with MPU and cached areas) because that speed ups most emulators. Like from 2% to 80%. I mean the physical linear memory the MMU takes to create protected pages of virtual addresses.

profi200
Posted on 05-25-15 10:14 AM Link | #158
Iirc there are no mirrors but i think you can setup mirrors if you have enough permissions. With such large mem compared to the DS however i don't know if that would be useful.

pseudov
Posted on 05-27-15 04:50 PM Link | #159
Bonjour! Hopefully, this project is continued. So far, this is the only homebrew solution for browserless systems on 5.0 - 9.2

It compiles successfully, but without the proper blowfish_processed.bin, the generated files are unusable. Have tried going through both a ramdump and code.bin from exefs, but all I've come up with are the default arrays for blowfish. Any hints for calculating/extracting the blowfish stuff are greatly appreciated.

StapleButter
Posted on 05-27-15 05:18 PM Link | #160
There are the Blowfish init arrays, and the raw key (0x48 bytes). You need to run the Blowfish init on that to get the processed key data (0x1048 bytes).

____________________
blargSNES -- SNES emu for 3DS
More cool stuff

pseudov
Posted on 05-27-15 05:38 PM Link | #161
Thanks for the quick reply, StapleButter :)

Hope I can figure that out when I get home from work.

pseudov
Posted on 05-28-15 06:10 AM Link | #162
Aaaand I still haven't figured it out. XORed the blowfish init arrays with what I assume the raw key is. Tried a lot of different possible keys, but still failed.

Is that 0x48 bytes from a ramdump or from code.bin?

StapleButter
Posted on 05-28-15 02:39 PM Link | #163
The original 0x48 bytes can be found in the original code.bin.


However, if you have a ramdump, you can get the processed keydata directly, that'll save you a whole lotta time.



Oh and Staplehax is probably not very useful under its current form. It's hardcoded to fetch shit from my computer over the local network, so eh.

____________________
blargSNES -- SNES emu for 3DS
More cool stuff

pseudov
Posted on 05-29-15 06:17 AM Link | #164
Oh man, still nothing after two long nights. ARM assembly is definitely not my thing. Is there supposed to be something useful at 0x1048 bytes? Or should I concentrate on the key at 0x48 bytes?

Even if it's hardcoded to your local network, I figured I might still be able to use it by manually transferring the payload files through Savedatafiler (I have access to another 3DS). That is, once I get this darn blowfish_processed.bin :)

pseudov
Posted on 06-04-15 04:57 AM Link | #169
I feel like an idiot now. I thought the 0x48 and 0x1028 bytes you mentioned were offsets, not sizes. Nonetheless, any other hints are very much appreciated.

pseudov
Posted on 06-10-15 09:57 PM (rev. 2 of 06-10-15 09:59 PM) Link | #202
Managed to compile Staplehax with the correct blowfish_processed.bin, but it freezes at the loading screen. It hangs at
hax = khaxInit();
and doesn't return an error code, which makes debugging hard (for me, at least)

This is on an old 9.2.0-20U
Pages: 1 2

Main - Homebrew projects - Staplehax -- Ninjhax with kernel access Hide post layouts | New reply

Page rendered in 0.022 seconds. (2048KB of memory used)
MySQL - queries: 28, rows: 103/103, time: 0.006 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2018-07-20)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.