Views: 1,611,504 | Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search | 12-02-24 07:59 PM |
Guest: |
0 users reading Decompressed code.bin & 3DS Command Header? | 1 bot |
Main - Reverse-engineering - Decompressed code.bin & 3DS Command Header? | Hide post layouts | New reply |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 2/59 EXP: 26133 Next: 3764 Since: 10-26-15 Last post: 3245 days ago Last view: 3195 days ago |
Sorry if I posted in a wrong section of this forum. What i faced may be a little noobish. So this is more like discussion than released information.
I think all those Command Headers of services in 3dbrew should be legit, however i had not ever found part of any Header value in those decompressed code.bin of those system modules. Maybe the service module is placed when being initialized? These seems to be an initializer included in very beginning of code.bin. And? let me show you a little tool. I've written a little tool to recognize those NCCHs from a section file provided. Mostly it was made for the section NATIVE_FIRM_ARM11_1FF00000 of decrypted FIRM from 9.8.0J. With it i got those NCCHs of fs, loader, pm, pxi, sm. You could compile it with "gcc -O3" if you want. C Source of This tool URL How to get the section? Well still you could do it manually.. with hex editors, following offsets ctrtool tells you. BTW i had not ever successfully loaded any NCCH just with the ctr_ldr.py.. |
plutoo |
| ||
Member Normal user Level: 11 Posts: 9/19 EXP: 4803 Next: 1182 Since: 09-17-15 Last post: 3283 days ago Last view: 3207 days ago |
The NCCH's stored in the FIRM 0x1FF00000 section are not normal NCCH's, we call them FIRM NCCH's. They use a different padding scheme for the .code segment, and a lot of tools (ctrtool, etc) will not play nice with them.
I use the following I made a while back to extract them: https://github.com/plutooo/ctr/commit/52d7df6b7cc7896c31dc1cf767fe47df1827ed7d |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 5/59 EXP: 26133 Next: 3764 Since: 10-26-15 Last post: 3245 days ago Last view: 3195 days ago |
Posted by plutoo Thanks for that. However i didn't know and already made a tool to extract those NCCHs from the section.... Any thoughts about the command header? It's quite weird for me. |
plutoo |
| ||
Member Normal user Level: 11 Posts: 10/19 EXP: 4803 Next: 1182 Since: 09-17-15 Last post: 3283 days ago Last view: 3207 days ago |
They were there last time I checked. Some modules are compiled to Thumb code instead of ARM, and those will not have the command-header values precalculated in the code. Instead they will call the unoptimized function to generate those dynamically. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 6/59 EXP: 26133 Next: 3764 Since: 10-26-15 Last post: 3245 days ago Last view: 3195 days ago |
Posted by plutoo Then would there be some precalculated ones in other modules? I've tried cfg from 9.8 just minutes ago, and no such command header is found.. Maybe I'm silly? Whatever thanks for your patience answering me the question.Would try use a decrypted cfg from 4.1.. |
plutoo |
| ||
Member Normal user Level: 11 Posts: 11/19 EXP: 4803 Next: 1182 Since: 09-17-15 Last post: 3283 days ago Last view: 3207 days ago |
Yeah, and if there are no marshalled parameters by the kernel, the command header is not checked at all (that would be a useless check anyway, from a security pov). |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 7/59 EXP: 26133 Next: 3764 Since: 10-26-15 Last post: 3245 days ago Last view: 3195 days ago |
Posted by plutoo Mind you tell me which system version of those system titles was checked, when those command header could be found? I've checked 4.1 cfg minutes ago, and I seemed to load it wrongly. Hex search produced no result of 0x00010082 inside its code.bin. However when checking 9.8 cfg there is quite a bulk of Thumb in its beginning.. Maybe I've searched a wrong module.. |
plutoo |
| ||
Member Normal user Level: 11 Posts: 12/19 EXP: 4803 Next: 1182 Since: 09-17-15 Last post: 3283 days ago Last view: 3207 days ago |
Yeah, probably. Most of them are actually ARM, shouldn't be too difficult to find one.. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 8/59 EXP: 26133 Next: 3764 Since: 10-26-15 Last post: 3245 days ago Last view: 3195 days ago |
Posted by plutoo Then I would forget checking those inside Thumb modules. Oh so still i would have to use the outdated sig file or read myself. My question is solved totally, much thanks. Have a good day. |
Syphurith |
| ||
Member Normal user Level: 18 Posts: 14/59 EXP: 26133 Next: 3764 Since: 10-26-15 Last post: 3245 days ago Last view: 3195 days ago |
Posted by plutoo Sorry to disturb you again, but .... I've found a title hidden in FIRM, which is called PROCESS9, Titleid 0004013000003000. This is found in the SAFE_MODE FIRM, also 5 modules of their SAFE_MODE edition is found. Now this is the new link of the tool.. Here it goes If you'd like to play with it.. Eh.. Sorry this might already be known to you all, since Process9 is described on Page "FIRM" on 3dbrew. |
Main - Reverse-engineering - Decompressed code.bin & 3DS Command Header? | Hide post layouts | New reply |
Page rendered in 0.012 seconds. (2048KB of memory used) MySQL - queries: 28, rows: 83/83, time: 0.005 seconds. Acmlmboard 2.064 (2018-07-20) © 2005-2008 Acmlm, Xkeeper, blackhole89 et al. |