Homebrew [Custom Launcher] Spider3DSTools released

[Duo8]

There's also the game inside the VC player to think about. I would assume when you boot up the virtual console game, that it immediately boots up the rom inside it. If you replace the rom in memory, the game simply crashes because it's suddenly not the same game anymore. You might need to find a way of "soft resetting" the VC program to properly reload the rom as it has been changed from it's original state.

Imagine Mario going jumping around a level squishing Goombas. Then suddenly the memory is overwritten with a Castlevania rom or something. The VC app was actively loading that particular area of the rom into GPU for drawing sprites and stuff goes crazy as it's now loading random data that shouldn't be there because it's not the same game anymore, and now it's some random spot in the new rom.

Either Virtual Console or the game simply flips out because it wasn't booted properly and suddenly started at a memory offset it should not have. That's my guess on what's going on.

Oh yeah this might be it. The ROM is a different one but the previous ROM's data (like RAM) might still be left behind.

 

[Apache Thunder]

Well, I use the reset option on the bottom screen, I would think that's enough... right?

Not entirely. That's a messy way of doing things. You inject the rom and then you have to go back in and hit the reset function. Chances are it's already too late at that point and it crashed. You have to initiate the reset with your exploit payload. You can't rely on the end user doing that from within VC's interface.

Code gets processed very quickly. So the time it takes for someone to hit the reset button on the touchscreen interface will only mean more corruption as the VC is attempting to load the wrong parts of the rom because it still thinks it's a mario game or whatever the original game used to be.

 

[shutterbug2000]

games have patches applied....it could be that these patches break other games.....suppose a way to check your method is working would be to inject the same game and see if it still plays....also see if you can locate the patch file in ram and blank it out

Well, sure enough, It DOES work if I inject the same game. So, either the reset button DOESN'T clear the VC ram, or it's these patches.

 

[shutterbug2000]

Not entirely. That's a messy way of doing things. You inject the rom and then you have to go back in and hit the reset function. Chances are it's already too late at that point and it crashed. You have to initiate the reset with your exploit payload. You can't relay on the end user doing that from withen VC's interface.

Ahh. I see. How would I reset the ram from the exploit? Probably need access to the original code of the VC, right? Ram dumps work?

 

[Apache Thunder]

You'll probably have to reverse engineer the VC app itself and find the code in it's ram space. I'm not the right person to ask about that though.

The only thing I can suggest is dumping the memory space repeatedly in the same file. So that you can record what happens when the reset button is hit. That's assuming you can dump ram while the program is being interacted with.

 

[gamesquest1]

well im not sure if gameboy games have patches....some might some might not....only game i have decrypted just has

Spoiler

;Dmgazlp2.f61: ZeldaYumeDX

but for example a nes VC game has

Spoiler

;Format Sample
;[xxxx] ;User-defined Name (Max:31 chars)
;Mode = 1 ;1:Fixcode; 2:Fixvalue; 3:Mask; 4alette; 5ouble Frame Buffer
;Type = 0 ;0:Begin 1:End
;Index = 0 ;Index
;Address = x1F8000 ;ROM Address
;MemAddress = x2000 ;RAM Address
;Fixcode = 0 ;Mode1: Fixed Rom Code; Mode2: Fixed Value
;DelayFrame = 0 ;Delay Frame
;FadeFrame = 0 ;Fade Frame 0ff
;DarkEnable0 = 0 ;0ff, 1n (for Normal Mode)
;ReduceEnable0 = 0 ;0ff, 1n (for Normal Mode)
;MotionBEnable0 = 0 ;0ff, 1:Black Fade, 2:White Fade, 3:Frame Blend (for Normal Mode)
;Dark0 = 10 ;0~10 (for Normal Mode)
;ReduceColorR0 = 0 ;0~31 (for Normal Mode)
;ReduceColorG0 = 0 ;0~31 (for Normal Mode)
;ReduceColorB0 = 0 ;0~31 (for Normal Mode)
;MotionBlur0 = 31 ;0~31 (for Normal Mode)
;DarkEnable1 = 0 ;0ff, 1n (for Green Mode)
;ReduceEnable1 = 0 ;0ff, 1n (for Green Mode)
;MotionBEnable1 = 0 ;0ff, 1:Black Fade, 2:White Fade, 3:Frame Blend (for Green Mode)
;Dark1 = 10 ;0~10 (for Green Mode)
;ReduceColorR1 = 0 ;0~31 (for Green Mode)
;ReduceColorG1 = 0 ;0~31 (for Green Mode)
;ReduceColorB1 = 0 ;0~31 (for Green Mode)
;MotionBlur1 = 31 ;0~31 (for Green Mode)
;PaletteX = c31,31,31 ;X:0~15, cR,G,B (0~31)

;[BUG xxx]
;Mode = 1
;Address = 0x3083A
;Fixcode = 0x3

[NOA BUG 131]
Mode = 1
Address = 0x3F8EF
Fixcode = a3: 00 A2 00

[NOA BUG 131]
Mode = 1
Address = 0x3F9D2
Fixcode = 0x14

;[FPA193 Begin]
;Mode = 3
;Type = 0
;Index = 0x2
;Address = 0x37635
;DarkEnable0 = 1
;Dark0 = 6
;MotionBEnable0 = 3
;MotionBlur0 = 20
;ReduceEnable0 = 1
;ReduceColorR0 = 12
;ReduceColorG0 = 0
;ReduceColorB0 = 0
;
;[FPA193 End]
;Mode = 3
;Type = 1
;Index = 0x2
;Address = 0x37633
;DelayFrame = 0x78

;$A1AA:AD 11 07 LDA $0711 = #$76 A:3B
;$A1AD:4A LSR A:76
;$A1AE:29 01 AND #$01 A:3B
;$A1B0:A8 TAY A:01
;$A1B1:B9 A8 A1 LDA $A1A8,Y @ $A1A9 = #$16 A:01
;
;000361bah: AD 11 07 4A 29 01


[FPA193]
Mode = 11
Type = 0
Index = 2
Address = 0x361bd
Fixcode = a1: 03

;000361b8h: 0F 16 AD 11
[FPA193 color]
Mode = 1
Address = 0x361b8
Fixcode = a2: 0f 16

[FPA194 Begin]
Mode = 3
Type = 0
Index = 0x2
Address = 0x34CB
DarkEnable0 = 1
Dark0 = 7
MotionBEnable0 = 3
MotionBlur0 = 24

;0000e1b5h: 8D FB 7C A9 3F 9D 01 03
[FPA194 End]
Mode = 3
Type = 1
Index = 0x2
Address = 0xE1B5
DelayFrame = 0x3

;$A792:A9 10 LDA #$10 A:08
;$A794:8D FB 7C STA $7CFB = #$00 A:10
;$A797:60 RTS A:10
;
;000067a2h: A9 10 8D FB 7C 60 C9

[FPA195 273 Begin]
Mode = 3
Type = 0
Index = 0x2
Address = 0x67A2
DarkEnable0 = 1
Dark0 = 6
MotionBEnable0 = 3
MotionBlur0 = 20

;$A18E:AD FB 7C LDA $7CFB = #$10 A:00
;$A191:F0 53 BEQ $A1E6 A:10
;$A193:48 PHA A:10
;$A194:29 03 AND #$03 A:10
;$A196:A8 TAY A:00
;
;0000e1a2h: AD FB 7C F0 53 48 29 03 A8 CE FB

[FPA195 273 End]
Mode = 3
Type = 1
;Index = 0x2
Address = 0xe1a2
ConditionType = 0
ConditionValueA = a2: fb 7c
ConditionValueB = a2: 00 00
ConditionValueC = a2: 01 00
DelayFrame = 1

[FPA196 Begin]
Mode = 3
Type = 0
Index = 0x2
Address = 0x6930
DarkEnable0 = 1
Dark0 = 7
MotionBEnable0 = 3
MotionBlur0 = 20

[FPA196 End]
Mode = 3
Type = 1
Index = 0x2
Address = 0x6932
DelayFrame = 0x1E

;00016340h: 20 85 89 A0
[FPA198 ]
Mode = 1
Address = 0x16340
Fixcode = x10

[FPA199 ]
Mode = 1
Address = 0x148CD
Fixcode = a2: a9 18

;[FPA199 Begin]
;Mode = 3
;Type = 0
;Index = 0x2
;Address = 0x148CD
;DarkEnable0 = 1
;Dark0 = 7
;MotionBEnable0 = 3
;MotionBlur0 = 20
;
;[FPA199 End]
;Mode = 3
;Type = 1
;Index = 0x2
;Address = 0x148CF
;DelayFrame = 0x20
;

;000172c3h: A9 20 8D 11 07 AD 11
[FPA200]
Mode = 1
Address = 0x172c4
Fixcode = x10

look for the patch file in the root of romFS it will use the same name as the rom

 

[shutterbug2000]

You'll probably have to reverse engineer the VC app itself and find the code in it's ram space. I'm not the right person to ask about that though.

Well. What if I compared memory from a emulator's memory viewer with a ram dump. If I found the offset of the ram, I could just wipe that... Right?

 

[Apache Thunder]

The only thing I can suggest is dumping the memory space repeatedly in the same file. So that you can record what happens when the reset button is hit. That's assuming you can dump ram while the program is being interacted with. That or unpack the app itself and see how it handles loading the rom and what ever other things there might be.

 

[gamesquest1]

just one thing to note with this though...is that its not really all that viable a solution, for the basic reasoning that each time you swap the game you will be wiping the saves, so unless you have a lot of VC games to play with its not really a solution for lots of VC injects, more a cool proof of concept kind of thing

ofc for games that don't save it would be fine, but you still kinda loose save states

 

[Apache Thunder]

You can also try booting the VC game in one of the 3DS emulators out there. They usually make good debugging platforms. Not sure if they are far enough along to boot VC titles yet though.

 

[shutterbug2000]

just one thing to note with this though...is that its not really all that viable a solution, for the basic reasoning that each time you swap the game you will be wiping the saves, so unless you have a lot of VC games to play with its not really a solution for lots of VC injects, more a cool proof of concept kind of thing P

Well, what I was thinking for that was... Use the save-data backup of the 3DS on the home screen to store saves for as many games as you like(well, ok, not as many, but 15 or so )

 

[gamesquest1]

can you find the filenames in the ram....maybe you could bypass the patch by either changing the patches filename in ram to prevent it loading it when you reset....unless its kept in ram too....but just looking for the contents of the patch might work too

 

[yifan_lu]

Yes, it's still a big step ahead of smealum's work which is locked on user mode on intent. But it's still not concrete enough to provide something easy to use for the mass, I'm glad Yifan is working on the 3DS but I hope him or someone else will work on a CFW, I'm getting tired people avoiding this because of legal issues and stuff, we know it's possible, if had any skill that'd help achieving a CFW for the 3DS I'd already have done it, sadly I'm only a techie and I can't code anything complex nor doing any RE work...

I'm not making a CFW not because of I'm scared of legal issues. It's because I couldn't give less of a shit about CFW. Region free is the only thing I want in a hack. Everything else is just homebrew fun.

 

[zoogie]

I'm not making a CFW not because of I'm scared of legal issues. It's because I couldn't give less of a shit about CFW. Region free is the only thing I want in a hack. Everything else is just homebrew fun.

I hope you haven't lost interest in that .3dsx loader you were talking about. :3

 

[MemoryController]

Well the only thing we would want in a cfw is peek/poke syscalls in ARM9 and ARM11 kernels. The rest can be done in usermode (svc access patches etc.) I hope yifan_lu finishes his branch on github about ARM11 so small-time "devs" like me can at least write a kernel-memory dumper

 

[krisztian1997]

Well, sure enough, It DOES work if I inject the same game. So, either the reset button DOESN'T clear the VC ram, or it's these patches.

Try to dump the game and compare it to a gbc rom from other sources, I remember that someone said that the gbc games are a bit different in the memory compared to normal roms.

 

[Idaho]

I'm not making a CFW not because of I'm scared of legal issues. It's because I couldn't give less of a shit about CFW. Region free is the only thing I want in a hack. Everything else is just homebrew fun.

I wasn't specifically criticizing you, as gamequest1 stated it's not anyone's job and you're not a puppet giving people what they want if that's not what you want too but it's disappointing to see it hasn't happened yet.

I wasn't specifically thinking of a CFW but a way of launching homebrews conveniently with total access over the device, the work you achieved here contributes well to this, but it still requires something that'd launch final homebrews (something like the homebrew launcher from smea).

Edit : I just read on another topic that it's what you intend to do, if so then it's great (even better than a CFW imo) :3

 

[SLiV3R]

Maybe I didn't make myself c8lear, I'm glad the devs can have things to work with, I'm just saying that by now the work to achieve a CFW on the 3DS could have been done (it has already been done by a few people and kept "secret") and therefore bring homebrews to the mass could have been achieved but for some reasons it hasn't and all we see is devs releasing things for other devs since years now and still nothing of practical use for the mass except paid solutions (and as a user my frustration around this is getting bigger everyday) .

I'm glad I bought a Gateway as I don't have to deal with those issues but not everyone can and we should have better ways than buying a blackboxed flashcart to have homebrews on our 3DS(hacking shouldn't look like USSR)...

My guess is that the 3DS scene will end up looking like the PS3 scene, and damn the PS3 scene is the biggest failure in term of forming a community around hacking and reversing a device, nobody want all that work being wasted on creating something not worth the efforts...

There are articles in this subject On wololo.. There are at least five heavy arguments why 3ds/wiiu/psvita will never be like ds/wii/psp scenes.. One thing they don't mention is that Sony and Nintendo is offering a LOT if you have the latest fw. Yesterday there was an epsp exploit released for the vita. But many ppl are thinking like me - Nah, I would rather have access to psn then some custom access. The 3ds scene will never be like ds/psp/wii scenes. That should happened many years ago

 

[Henning B]

There are articles in this subject On wololo.. There are at least five heavy arguments why 3ds/wiiu/psvita will never be like ds/wii/psp scenes.. One thing they don't mention is that Sony and Nintendo is offering a LOT if you have the latest fw. Yesterday there was an epsp exploit released for the vita. But many ppl are thinking like me - Nah, I would rather have access to psn then some custom access. The 3ds scene will never be like ds/psp/wii scenes. That should happened many years ago

the 360 scene is pretty big, why would the 3ds scene not reach such heights?

 

[Idaho]

the 360 scene is pretty big, why would the 3ds scene not reach such heights?

too bad the libxenon project isn't what it aimed to be tho, there are so many libxenon homebrews I can't launch on my slim 360 because nobody maintained them alive and the stuff is all l33t requiring you to compile homebrews on your own using esoteric tools that only work on linux, then we have the homebrews designed for the original 360 OS but they're not as powerful as the libxenon ones...