Hacking Booting CFW successfully

[miamore]

i dont know where I read the thread. but I'm pretty sure and for what I can remember, there was one thread that someone (a forum member) fixed Govanify CFW files, i dont know if boot.bin or Launcher.dat.. so that you'll have successful CFW boot without having to press the nintendo DS profile randomly for limited seconds. can someone link me? I cant seem to find it. Thanks

 

[bannana2]

i dont know where I read the thread. but I'm pretty sure and for what I can remember, there was one thread that someone (a forum member) fixed Govanify CFW files, i dont know if boot.bin or Launcher.dat.. so that you'll have successful CFW boot without having to press the nintendo DS profile randomly for limited seconds. can someone link me? I cant seem to find it. Thanks

I can help you with that, but you'll need to PM me for details. I don't want it released yet.

 

[miamore]

I can help you with that, but you'll need to PM me for details. I don't want it released yet.

pmed you dude. or started a conversation with you :-)

 

[miamore]

pmed you dude. or started a conversation with you :-)

for what I can remember the poster is referring to arm9_code.bin or arm11_code.bin that seems to be the problem. which makes the CFW booting unsuccessful.

 

[Margen67]

I can help you with that, but you'll need to PM me for details. I don't want it released yet.

I'll gladly "test" it for you : ^)

 

[josamilu]

I think everyone wants to test it for you

 

[VerseHell]

http://gbatemp.net/threads/release-pbt-cfw-import-cias-on-your-sysnand.383242/

I didn't test it very much as I have a Gateway, but i found it was less instable, but maybe it's just me...

 

[williamcesar2]

solved?

 

[nop90]

http://gbatemp.net/threads/release-pbt-cfw-import-cias-on-your-sysnand.383242/

I didn't test it very much as I have a Gateway, but i found it was less instable, but maybe it's just me...

It's the same. maybe a little more stable when in CTRServer mode, that is much more unstable than normal use.

The problems during the boot, on the base of what I understood reversing the code, depends on the way the cache is invalidated before hacking the interupt vector to get arm11 user mode code execution.

bl func_00000a70 @ ClearScreen(Black)
bl func_00001a1c @ ARM11_Exploit -> this always work (cyan screen). If it would fail the top screen will be red.
bl func_00000b9c @ Clear and invalidate cache. Here is where it hangs
movs r0, #255 @ 0xff = white
bl func_00000a70; ClearScreen(white) -> It worked :-)

The funtion that clear and invalidate data cache isn't the problems, it's called several times before. So i think that it's how the Interrupt hack is performed.

If you have other information them are welcome. otherwise please stop of arguing on thing you don't understand.

 

[miamore]

file sent to me. i'll test it later.. I'll update you guys

 

[williamcesar2]

file sent to me. i'll test it later.. I'll update you guys

Take care ! lol

 

[metaljay]

if you need another tester let me know, have a hard NAND mod so not fussed

 

[pastaconsumer]

I need to hold (in my case) R every time I boot CFW... Is there a way to change this to auto boot when Launcher.dat is loaded?

 

[johovahs]

What do you mean? Do you want to change the left to a right trigger? And you do know that holding down the trigger to enter cfw is not needed once BBM is installed.

 

[pastaconsumer]

What do you mean? Do you want to change the left to a right trigger? And you do know that holding down the trigger to enter cfw is not needed once BBM is installed.

I changed a value in boot.bin to use the R button instead of the L... I actually didn't know that after a CIA manager was installed I could just tap DS Profile Settings. I have not had much luck.

 

[johovahs]

Using a class 10 card really helps with boot success. I tested a class 4 to test and it took about 6 or 7 times to boot into. But for the class 10 it takes about 1 to 3 times. So possibly try check that first if you don't have a class 10.

 

[bannana2]

Still working on stuff here guys. I do believe we can make this good enough for a release guys. Lets work together to make it happ'n capp'n.

 

[bannana2]

.cpu arm946e-s
.arch armv5te
.arm
.section .text.start
.global _start
_start:
nop
nop
nop - different/added
blx MainCode
ldr r0, =0x1FF8000 @ Instruction TCM
bx r0
mov r0, #255

ldr r4, =0x04 - different
adr r0, boot_bin - very different


fail_junk2:

ldr r0, =0xDEADBEEF
BEQ end_cond -different
BEQ set_byte - different


MainCode:

push {r4, lr}
sub sp, sp, #0xA8
mov r4, #0
add r1, sp, #0xB0+-0xA8 - different
adr r0, boot_bin
mov r2, #0x0F - different
str r4, [sp, #0xB0+-0xB0] - different
str r4, [sp, #0xB0+-0xAC] - different.
bl CopyStringToMemory










carefully look at the differences in this code and the original. One that st4rk has is on github. I'm working based on that. Thus far, this method has a bigger success rate than the changes I have made previously.

 

[bannana2]

It's the same. maybe a little more stable when in CTRServer mode, that is much more unstable than normal use.

The problems during the boot, on the base of what I understood reversing the code, depends on the way the cache is invalidated before hacking the interupt vector to get arm11 user mode code execution.

bl func_00000a70 @ ClearScreen(Black)
bl func_00001a1c @ ARM11_Exploit -> this always work (cyan screen). If it would fail the top screen will be red.
bl func_00000b9c @ Clear and invalidate cache. Here is where it hangs
movs r0, #255 @ 0xff = white
bl func_00000a70; ClearScreen(white) -> It worked :-)

The funtion that clear and invalidate data cache isn't the problems, it's called several times before. So i think that it's how the Interrupt hack is performed.

If you have other information them are welcome. otherwise please stop of arguing on thing you don't understand.

Oh, thank you sir. This helps me a lot.

 

[Digital.One.Entity]

I love U banana2