4dsdev
Reverse-engineering - Decompressed code.bin & 3DS Command Header?


Syphurith
Posted on 10-29-15 11:18 AM (rev. 2 of 10-29-15 03:00 PM) Link | #600
Sorry if I posted in the wrong section of this forum. What I faced may be a little noobish. So this is more like a discussion than released information.

I think all those Command Headers of services on 3dbrew should be legit; however, I had never found any part of a Header value in the decompressed code.bin of those system modules. Maybe the service module is placed when being initialized? There seems to be an initializer included at the very beginning of code.bin.

And now let me show you a little tool.
I've written a little tool to recognize those NCCHs from a provided section file. Mostly it was made for the section NATIVE_FIRM_ARM11_1FF00000 of the decrypted FIRM from 9.8.0J. With it I got the NCCHs of fs, loader, pm, pxi, sm. You could compile it with "gcc -O3" if you want. C Source of This tool URL
How to get the section? Well, you could still do it manually with a hex editor, following the offsets ctrtool tells you.
BTW I had never successfully loaded any NCCH just with ctr_ldr.py..
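Added example (not part of this thread, and not Syphurith's C tool or plutoo's extractor): a small Python scanner that does the job the post describes, finding NCCH containers in a raw FIRM section dump by their "NCCH" magic at offset 0x100 of the header and reading the content size, partition id and product code from the header layout documented on 3dbrew. The demo section it is run on is constructed test data built by the script itself, not a real module dump.

```python
import struct

NCCH_MAGIC = b"NCCH"      # magic at offset 0x100 of every NCCH header (per 3dbrew)
MEDIA_UNIT = 0x200        # NCCH sizes are stored in 0x200-byte media units
HEADER_LEN = 0x200        # signature + header fields occupy the first 0x200 bytes


def build_fake_ncch(partition_id, product_code, content_units):
    """Construct a minimal NCCH-shaped blob for demonstration only.

    The field offsets follow the 3dbrew NCCH header layout; the values are
    constructed test data, not a real system module."""
    hdr = bytearray(HEADER_LEN)
    hdr[0x100:0x104] = NCCH_MAGIC
    struct.pack_into("<I", hdr, 0x104, content_units)   # content size in media units
    struct.pack_into("<Q", hdr, 0x108, partition_id)    # partition id (title id)
    hdr[0x150:0x160] = product_code.encode("ascii").ljust(16, b"\0")
    body = b"\xAA" * (content_units * MEDIA_UNIT - HEADER_LEN)
    return bytes(hdr) + body


def scan_ncch(section):
    """Locate NCCH containers in a raw section dump by their magic.

    Returns a list of dicts (offset, size, partition_id, product_code) in
    file order. The scan deliberately does not trust the size field to skip
    ahead: FIRM NCCHs pad their segments differently from retail ones, so a
    mis-sized header must not hide the next container."""
    found = []
    pos = section.find(NCCH_MAGIC)
    while pos != -1:
        start = pos - 0x100                      # magic sits 0x100 into the header
        if start >= 0 and start + HEADER_LEN <= len(section):
            units, = struct.unpack_from("<I", section, start + 0x104)
            pid, = struct.unpack_from("<Q", section, start + 0x108)
            raw_code = section[start + 0x150:start + 0x160]
            code = raw_code.split(b"\0", 1)[0].decode("ascii", "replace")
            if units:                            # a zero content size is not a usable container
                found.append({"offset": start, "size": units * MEDIA_UNIT,
                              "partition_id": pid, "product_code": code})
        pos = section.find(NCCH_MAGIC, pos + len(NCCH_MAGIC))
    return found


if __name__ == "__main__":
    # constructed demo section: 0x400 bytes of zero padding, two fake NCCHs,
    # 0x100 bytes of 0xFF filler between them
    demo = (b"\0" * 0x400
            + build_fake_ncch(0x1111, "CTR-X-AAAA", 4)
            + b"\xFF" * 0x100
            + build_fake_ncch(0x2222, "CTR-X-BBBB", 2))
    for ncch in scan_ncch(demo):
        print("NCCH at 0x%X size 0x%X titleid %016X product %s"
              % (ncch["offset"], ncch["size"], ncch["partition_id"], ncch["product_code"]))
```

On a real dump you would pass the bytes of the carved 0x1FF00000 section; the offsets printed are relative to that section, so add the section's own offset (as reported by ctrtool) to get FIRM-relative positions.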

plutoo
Posted on 10-29-15 02:30 PM Link | #602
The NCCHs stored in the FIRM 0x1FF00000 section are not normal NCCHs; we call them FIRM NCCHs. They use a different padding scheme for the .code segment, and a lot of tools (ctrtool, etc.) will not play nice with them.

I use the following, which I made a while back, to extract them:
https://github.com/plutooo/ctr/commit/52d7df6b7cc7896c31dc1cf767fe47df1827ed7d

Syphurith
Posted on 10-29-15 02:59 PM (rev. 2 of 10-29-15 03:02 PM) Link | #604
Posted by plutoo
I use the following, which I made a while back, to extract them:
https://github.com/plutooo/ctr/commit/52d7df6b7cc7896c31dc1cf767fe47df1827ed7d

Thanks for that. However, I didn't know about it and had already made a tool to extract those NCCHs from the section....
Any thoughts about the command header? It's quite weird for me.

plutoo
Posted on 10-29-15 03:02 PM Link | #605
They were there last time I checked. Some modules are compiled to Thumb code instead of ARM, and those will not have the command-header values precalculated in the code. Instead they will call the unoptimized function to generate those dynamically.

Syphurith
Posted on 10-29-15 03:10 PM (rev. 3 of 10-29-15 03:13 PM) Link | #606
Posted by plutoo
They were there last time I checked. Some modules are compiled to Thumb code instead of ARM, and those will not have the command-header values precalculated in the code. Instead they will call the unoptimized function to generate those dynamically.

Then would there be some precalculated ones in other modules? I've tried cfg from 9.8 just minutes ago, and no such command header was found.. Maybe I'm silly?
Whatever, thanks for your patience answering my question. I would try using a decrypted cfg from 4.1..

plutoo
Posted on 10-29-15 03:11 PM Link | #607
Yeah, and if there are no marshalled parameters by the kernel, the command header is not checked at all (that would be a useless check anyway, from a security pov).

Syphurith
Posted on 10-29-15 03:33 PM Link | #608
Posted by plutoo
Yeah, and if there are no marshalled parameters by the kernel, the command header is not checked at all (that would be a useless check anyway, from a security pov).

Would you mind telling me which system version of those system titles was checked, where those command headers could be found? I checked 4.1 cfg minutes ago, and I seem to have loaded it wrongly. A hex search produced no result for 0x00010082 inside its code.bin.
However, when checking 9.8 cfg there is quite a bulk of Thumb at its beginning.. Maybe I've searched the wrong module..
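Added example, not from this thread: plutoo's point that ARM-compiled modules carry the command header as a precalculated constant while Thumb-compiled ones build it at runtime, and Syphurith's hex search for 0x00010082, both come down to the same header word. The script below builds and parses that word using the IPC command header layout documented on 3dbrew (command id in the top 16 bits, normal-parameter word count in bits 6..11, translate-parameter word count in bits 0..5), and scans a code.bin image for precalculated headers. The SAMPLE_CODE bytes are a constructed stand-in (ARM NOPs and BX LR around two literal words), not a real module.

```python
import struct

# 3DS IPC command header layout (documented on 3dbrew):
#   bits 16..31  command id
#   bits  6..11  number of normal parameter words
#   bits  0..5   number of translate parameter words
def make_header(command_id, normal_params, translate_params):
    """Build a command header word; this is what a Thumb module computes at
    runtime and what an ARM module usually carries as a precalculated literal."""
    if not (0 <= command_id <= 0xFFFF and 0 <= normal_params <= 0x3F
            and 0 <= translate_params <= 0x3F):
        raise ValueError("header field out of range")
    return (command_id << 16) | (normal_params << 6) | translate_params


def parse_header(word):
    """Split a header word back into its three fields."""
    return {"command_id": word >> 16,
            "normal_params": (word >> 6) & 0x3F,
            "translate_params": word & 0x3F}


def find_precalculated_headers(code, expected):
    """Scan a code.bin image for little-endian words equal to any expected header.

    Returns {header: [offsets]}. Every byte offset is checked, not just
    word-aligned ones, so a literal pool shifted by a mis-carved dump is
    still found. A module compiled to Thumb that builds the header at
    runtime (as plutoo describes) yields no hits here, so an empty result
    does not prove the command is absent from the module."""
    hits = {h: [] for h in expected}
    for off in range(len(code) - 3):
        word, = struct.unpack_from("<I", code, off)
        if word in hits:
            hits[word].append(off)
    return hits


# Constructed stand-in for a code.bin: ARM NOPs (MOV r0, r0), a literal holding
# the header from the thread (0x00010082), four BX LR, then a second literal.
SAMPLE_CODE = (b"\x00\x00\xA0\xE1" * 8
               + struct.pack("<I", 0x00010082)
               + b"\x1E\xFF\x2F\xE1" * 4
               + struct.pack("<I", make_header(2, 1, 0)))


if __name__ == "__main__":
    print("0x00010082 ->", parse_header(0x00010082))
    wanted = [make_header(1, 2, 2), make_header(2, 1, 0), make_header(3, 0, 0)]
    for header, offsets in find_precalculated_headers(SAMPLE_CODE, wanted).items():
        print("header 0x%08X found at %s" % (header, [hex(o) for o in offsets] or "nowhere"))
```

0x00010082 decodes as command 1 with two normal and two translate parameter words, which is why a plain hex search for it only works on modules whose compiler emitted the constant; for a Thumb module you would instead look for the shift-and-or sequence that assembles it.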

plutoo
Posted on 10-29-15 03:36 PM Link | #609
Yeah, probably. Most of them are actually ARM, shouldn't be too difficult to find one..

Syphurith
Posted on 10-29-15 03:42 PM Link | #610
Posted by plutoo
Yeah, probably. Most of them are actually ARM, shouldn't be too difficult to find one..

Then I will forget about checking those inside Thumb modules.
Oh, so I would still have to use the outdated sig file or read it myself.
My question is totally solved, many thanks. Have a good day.

Syphurith
Posted on 10-30-15 04:05 PM (rev. 2 of 10-30-15 04:12 PM) Link | #623
Posted by plutoo
==Snip==

Sorry to disturb you again, but .... I've found a title hidden in FIRM, which is called PROCESS9, Title ID 0004013000003000.
This is found in the SAFE_MODE FIRM; also 5 modules of their SAFE_MODE edition are found.
Now this is the new link to the tool.. Here it goes, if you'd like to play with it..
Eh.. Sorry, this might already be known to you all, since Process9 is described on the "FIRM" page on 3dbrew.
