arm11.s is not completed

[173210]

arm11.s includes hooks to enable to gain ARM9 access.

Yifan Lu reversed code is here. http://yifan.lu/2015/01/17/reversing-gateway-ultra-stage-3-owning-arm9-kernel/

// not called directly, offset determines jump
void jump_table(void)
{
  func_patch_hook();
  reboot_func();
}

void func_patch_hook(void)
{
  // data written from entry
  int pdn_regs;
  int pxi_regs;
  int (*func_hook_return)(void);

  // save context
  __asm__ ("stmfd sp!, {r0-r12,lr}")
  // TODO: Why is this needed?
  pxi_send(pxi_regs, 0);
  pxi_sync(pxi_regs);
  pxi_send(pxi_regs, 0x10000);
  pxi_recv(pxi_regs);
  pxi_recv(pxi_regs);
  pxi_recv(pxi_regs);
  // TODO: What does this do?
  *(char *)(pdn_regs + 0x230) = 2;
  for (i = 0; i < 16; i += 2); // busy spin
  *(char *)(pdn_regs + 0x230) = 0;
  for (i = 0; i < 16; i += 2); // busy spin
  // restore context and run the two instructions that were replaced
  __asm__ ("ldmfd sp!, {r0-r12,lr}\t\n"
           "ldr r0, =0x44836\t\n"
           "str r0, [r1]\t\n"
           "ldr pc, %0", func_hook_return);
}

// this is a patched version of function 0xFFFF097C
// stuff found in the original code are skipped
void reboot_func(void)
{
  ... // setup
  // disable all interrupts
  __asm__ ("mrs r0, cpsr\t\n"
           "orr r0, r0, #0x1C0\t\n"
           "msr cpsr_cx, r0" ::: "r0");
  while ( *(char *)0x10140000 & 1 ); // wait for powerup ready
  *(void **)0x2400000C = 0x23F00000; // our ARM9 payload
  ...
}

Reversed code of Gateway 3Ds is here.

    bf3c:   ea000000    b   0xbf44
    bf40:   ea000018    b   0xbfa8
    bf44:   e92d5fff    push    {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, sl, fp, ip, lr}
    bf48:   e3a00000    mov r0, #0
    bf4c:   eb00005e    bl  0xc0cc
    bf50:   eb000063    bl  0xc0e4
    bf54:   e3a00801    mov r0, #65536  ; 0x10000
    bf58:   eb00005b    bl  0xc0cc
    bf5c:   eb000065    bl  0xc0f8
    bf60:   eb000064    bl  0xc0f8
    bf64:   eb000063    bl  0xc0f8
    bf68:   e59f102c    ldr r1, [pc, #44]   ; 0xbf9c
    bf6c:   e3a00002    mov r0, #2
    bf70:   e5c10230    strb    r0, [r1, #560]  ; 0x230
    bf74:   e3a00010    mov r0, #16
    bf78:   eb00004f    bl  0xc0bc
    bf7c:   e3a00000    mov r0, #0
    bf80:   e5c10230    strb    r0, [r1, #560]  ; 0x230
    bf84:   e3a00010    mov r0, #16
    bf88:   eb00004b    bl  0xc0bc
    bf8c:   e8bd5fff    pop {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, sl, fp, ip, lr}
    bf90:   e59f0074    ldr r0, [pc, #116]  ; 0xc00c
    bf94:   e5810000    str r0, [r1]
    bf98:   e59ff004    ldr pc, [pc, #4]    ; 0xbfa4
    bf9c:   fffda008            ; <UNDEFINED> instruction: 0xfffda008
    bfa0:   fffcc48c            ; <UNDEFINED> instruction: 0xfffcc48c
    bfa4:   fff5045c            ; <UNDEFINED> instruction: 0xfff5045c
    bfa8:   e28f0064    add r0, pc, #100    ; 0xc014
    bfac:   e28f10c8    add r1, pc, #200    ; 0xc07c
    bfb0:   e59f2058    ldr r2, [pc, #88]   ; 0xc010
    bfb4:   e1a04002    mov r4, r2
    bfb8:   eb000000    bl  0xbfc0
    bfbc:   e12fff14    bx  r4
    bfc0:   e0413000    sub r3, r1, r0
    bfc4:   e1a01143    asr r1, r3, #2
    bfc8:   e3510000    cmp r1, #0
    bfcc:   da00000d    ble 0xc008
    bfd0:   e1b01e83    lsls    r1, r3, #29
    bfd4:   e2400004    sub r0, r0, #4
    bfd8:   e2421004    sub r1, r2, #4
    bfdc:   5a000001    bpl 0xbfe8
    bfe0:   e5b02004    ldr r2, [r0, #4]!
    bfe4:   e5a12004    str r2, [r1, #4]!
    bfe8:   e1b021c3    asrs    r2, r3, #3
    bfec:   0a000005    beq 0xc008
    bff0:   e5903004    ldr r3, [r0, #4]
    bff4:   e2522001    subs    r2, r2, #1
    bff8:   e5813004    str r3, [r1, #4]
    bffc:   e5b03008    ldr r3, [r0, #8]!
    c000:   e5a13008    str r3, [r1, #8]!
    c004:   1afffff9    bne 0xbff0
    c008:   e12fff1e    bx  lr
    c00c:   00044836    andeq   r4, r4, r6, lsr r8
    c010:   1ffffc00    svcne   0x00fffc00
    c014:   e3e0027e    mvn r0, #-536870905 ; 0xe0000007
    c018:   e3a01000    mov r1, #0
    c01c:   e5801000    str r1, [r0]
    c020:   e59f1040    ldr r1, [pc, #64]   ; 0xc068
    c024:   e59f2040    ldr r2, [pc, #64]   ; 0xc06c
    c028:   e5812000    str r2, [r1]
    c02c:   e59f803c    ldr r8, [pc, #60]   ; 0xc070
    c030:   e59fa03c    ldr sl, [pc, #60]   ; 0xc074
    c034:   e59f903c    ldr r9, [pc, #60]   ; 0xc078
    c038:   e10f0000    mrs r0, CPSR
    c03c:   e3800d07    orr r0, r0, #448    ; 0x1c0
    c040:   e123f000    msr CPSR_xc, r0
    c044:   e5d80000    ldrb    r0, [r8]
    c048:   e2100001    ands    r0, r0, #1
    c04c:   1afffffc    bne 0xc044
    c050:   e58a9000    str r9, [sl]
    c054:   e3e0027e    mvn r0, #-536870905 ; 0xe0000007
    c058:   e5901000    ldr r1, [r0]
    c05c:   e3510000    cmp r1, #0
    c060:   0afffffc    beq 0xc058
    c064:   e12fff11    bx  r1
    c068:   10163008    andsne  r3, r6, r8
    c06c:   00044846    andeq   r4, r4, r6, asr #16
    c070:   10140000    andsne  r0, r4, r0
    c074:   2400000c    strcs   r0, [r0], #-12
    c078:   23f00000    mvnscs  r0, #0
    c07c:   e3a00000    mov r0, #0
    c080:   ee080f15    mcr 15, 0, r0, cr8, cr5, {0}
    c084:   ee080f16    mcr 15, 0, r0, cr8, cr6, {0}
    c088:   ee080f17    mcr 15, 0, r0, cr8, cr7, {0}
    c08c:   ee070f9a    mcr 15, 0, r0, cr7, cr10, {4}
    c090:   e12fff1e    bx  lr
    c094:   e3a00000    mov r0, #0
    c098:   ee070f1e    mcr 15, 0, r0, cr7, cr14, {0}
    c09c:   ee070f9a    mcr 15, 0, r0, cr7, cr10, {4}
    c0a0:   e12fff1e    bx  lr
    c0a4:   e3a00000    mov r0, #0
    c0a8:   ee070f15    mcr 15, 0, r0, cr7, cr5, {0}
    c0ac:   ee070f95    mcr 15, 0, r0, cr7, cr5, {4}
    c0b0:   ee070fd5    mcr 15, 0, r0, cr7, cr5, {6}
    c0b4:   ee070f9a    mcr 15, 0, r0, cr7, cr10, {4}
    c0b8:   e12fff1e    bx  lr
    c0bc:   e2500002    subs    r0, r0, #2
    c0c0:   e1a00000    nop         ; (mov r0, r0)
    c0c4:   cafffffc    bgt 0xc0bc
    c0c8:   e12fff1e    bx  lr
    c0cc:   e51f1134    ldr r1, [pc, #-308] ; 0xbfa0
    c0d0:   e1d120b4    ldrh    r2, [r1, #4]
    c0d4:   e3120002    tst r2, #2
    c0d8:   1afffffc    bne 0xc0d0
    c0dc:   e5810008    str r0, [r1, #8]
    c0e0:   e12fff1e    bx  lr
    c0e4:   e51f014c    ldr r0, [pc, #-332] ; 0xbfa0
    c0e8:   e5d01003    ldrb    r1, [r0, #3]
    c0ec:   e3811040    orr r1, r1, #64 ; 0x40
    c0f0:   e5c01003    strb    r1, [r0, #3]
    c0f4:   e12fff1e    bx  lr
    c0f8:   e51f0160    ldr r0, [pc, #-352] ; 0xbfa0
    c0fc:   e1d010b4    ldrh    r1, [r0, #4]
    c100:   e3110c01    tst r1, #256    ; 0x100
    c104:   1afffffc    bne 0xc0fc
    c108:   e590000c    ldr r0, [r0, #12]
    c10c:   e12fff1e    bx  lr

[173210]

Thanks to Aliak and filpy, I got a dump of 0xFFFF097C which was hooked.

0xFFFF097C:   e28f0010        add     r0, pc, #16
0xFFFF0980:   e28f1044        add     r1, pc, #68     ; 0x44

I updated arm11.s with commit d503c0dc28fafcb88a31cbaf12914d59bbf324c4.

[173210]

hook0 is completed with commit bdc6d0b8982843fb5134e40155ed54df5cb539b2.

[darkpetrus]

I love you, marry me.

[173210]

I like a person who can write code :) Anyway, I had a problem when I reversing Gateway 3DS. Offset 0xBFC0

void memcpy64(const int32_t *top, const int32_t *btm, int32_t *dst)
{
    const int32_t *p;
    size_t n;

    n = (ptrdiff_t)btm - (ptrdiff_t)top;
    if (n < 4)
        return;

    top--;
    dst--;
    if (n & (1 << 29)) {
        *dst = *top;
        top++;
        dst++;
    }

    for (n >>= 3; n; n--) {
        dst[1] = top[1];
        dst[2] = top[2];
        top += 2;
        dst += 2;
    }
}

I can't understand why "if (n & (1 << 29))" is needed.

[motezazer]

Obfuscation ?

[173210]

Maybe.

[darkpetrus]

Nothing, was silly...

[173210]

arm9.s was completed with commit bb81d9a2cc59942230549a361cb2684fddfc85a7. But it has not been confirmed yet.

[AlecRalsten]

It still freezes at executing code under arm11 Kernel, not clearing the screen.

[173210]

I found a bug and fix with commit 17a5b206e7041b388e6bb345bb9e01052cbe1369.

[173210]

arm9-kernel branch is open now on KARL repository. https://github.com/shinyquagsire23/bootstrap/tree/arm9-kernel