For (too?) long, I've staid aside of DSi homebrew. Partly because there's little the camera could offer to my projects and I don't really need more than 4MiB of RAM, but mostly because until recently, running homebrew on that device felt like an arm race with Nintendo. You need to break into the machine through exploits the same way you'd take control of someone else's server on Internet and that has a taste of dark side I'm not fan of. Plus, once you've managed to get into things, you then have to install more permanent modification if you want to be sure to be able to do the same the next day, since Nintendo could ban the vulnerable software you've used to gain access (if you were lucky enough to have it on your device on first place).
But one post on hackaday might well change all this. Nathan Farlow has found a way to use the web browser shipped with the DSi firmware to execute arbitrary code.
He just had to get his code into the right spot. For this he employed what’s known as a NOP sled; basically a long list of commands that do nothing, which if jumped into, will slide into his exploit code. In modern browsers a good way to allocate a chunk of memory and fill it would be a Float32Array, but since this is a 2008 browser, a smattering of RGBA canvases will do.
Ultimately, that will execute a boot.nds
file from the SD card, such as a homebrew launcher.
At the start of the chain is an html document with some NDS binary embedded as "shellcode" in the html <script>
part, plus some javascript to exploit the use-after-free bug of the browser. The payload.c featured in the stylehax repository contains actually just a little loop to inject the 'true payload' at some dedicated location (held as a blob into payload.h). And that true payload comes from another repository (well, actually, that second repository contains many exploits, but the one we'll use is the 'minitw' one, according to payload.h)
As soon as the 'payload.c' part is running, we already have access to most resources of the DSi. The goal of minitwlpayload is to setup the proper context for the default bootloader of the devkitpro project embedded into the .nds (yes, that comes from a third repository :P) The bootloader will mostly run on the ARM7 core, which is the only one to have access to SD card registers on the DSi. There will be many passme-loop-synchronization-points until we're ready to execute the NDS or DSi code contained in boot.nds, one for each ARM9 function we want to execute between two ARM7 functions.
page web canvas HTML5 comme si c'était du code machine. Et surprise, c'est du code machine, cette fois-ci! Enfoncé, HTML Quest ;-)
One question remains, though: how does ARM9 exploit trigger execution of custom code on the ARM7 ? It looks like the answer lies within the following snippet of exploit.c:
memcpy16(VRAM_C, decrbegin, decrsize); // writing custom code into VRAM at 0x6000000
VRAM_C_CR = VRAM_ENABLE | VRAM_C_ARM7_0x06000000;
// now inserting a jump at the start of ARM7-dedicated memory area.
*(vu32*)0x2380000 = 0xE51FF004; // ldr pc, =0x06000000
*(vu32*)0x2380004 = 0x06000000; // (constant for above)
debug_color(0,15,0); // dark green
IPC_SendSync(1); // MAGIC!
For some reason, when we trigger an IPC IRQ on the ARM7 with code 1 (out of 16 possible codes), it executes code from the start of the ARM7 area again, where we have installed our trampoline to VRAM. Why does it behave so ? I guess the reason lies in some line of code for the ARM7 code in the TWL sdk, sealed in a vault at Kyoto ... I presume I'll have to accept it without further understanding.
exomizer/exodecrunch
One notable action of exploit.c from minitwlpayload is to "decrunch" the embedded bootloader into VRAM where it will execute, that is, to undo the compression performed by the exomizer tool invoked by dsi/exploits/minitwlpayload/Makefile.
- it packs the 'bootloader' from devkitpro github from 6KiB into a bit more than 4KiB. Unsure whether it was critical to use in this context :-P
- ndsload.bin is just an 'objcopy' binary-extraction of the ndsload.elf
- https://bitbucket.org/magli143/exomizer/src/master/src/Makefile could be the source for the exomizer tool, but I fail to get why it would need a 6502 emulator ... (I guess this is linked to the 'self-extracting for C64, Apple II and BBC micro' feature)
Possibly, such steps could make sense for larger payloads or for other exploits where the amount of data we can embed is limited (remember, there has even been exploits involving QR code readers)
that reminds me of the DSi unlaunch thread !
ReplyDeleteCe n'est pas compliqué
ReplyDeletePourquoi n'utilises-tu pas simplement Flipnote Lenny ? c'était nettement plus confortable.
ReplyDeleteEh bien, cher collègue, entre autres parce que je n'ai pas trouvé les sources de ce cher Lenny (et jusqu'à cet après midi, je ne me souvenais pas que j'avais fini par installer flipnote studio sur ma DaiSi ^^"
ReplyDeleteHmm ... J'ai su établir assez de correspondance entre le code recompilé et celui présent dans la page index.html de stylehax. En revanche, je n'arrive pas encore à ce que la DSi fonctionne sur mon wifi spécial homebrew :-P
ReplyDelete