2022-01-21 04:15:36 +00:00
# Jacking (Jazelle hacking (Jean gazelle hacking))
**Jazelle reverse engineering effort**
not the first one, but hopefully one that properly documents some stuff
## Workflow
Currently targeting the Cypress FX3.
### Compiling
```
$ make
```
Needs an `arm-none-eabi` toolchain.
### Running/debugging
#### Setup
```
$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"
```
#### Running code
```
$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
$ arm-none-eabi-gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf
```
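An added helper for the load step above (not part of this project's code): it waits until OpenOCD's telnet port actually accepts connections before piping the command script in, and refuses to run if the image file is missing, so a typo or a slow `openocd` start fails loudly instead of silently. It assumes `openocd` was started as in Setup (telnet on port 4444) and an `nc` that supports `-z`.

```sh
#!/bin/sh
# Added helper, not part of the project: load the ELF through OpenOCD's telnet
# port once that port is reachable, instead of racing openocd's startup.
# Assumes: openocd already started as in "Setup", telnet on 4444, nc with -z.
set -eu

OCD_HOST="${OCD_HOST:-localhost}"
OCD_PORT="${OCD_PORT:-4444}"

# The command script sent to OpenOCD for a given image path.
# Pure function (no side effects) so it can be checked in isolation.
ocd_commands() {
    printf 'reset halt\nload_image %s\nexit\n' "$1"
}

# Poll host:port up to $3 times (one second apart); 0 once it accepts connections.
wait_for_port() {
    host="$1"; port="$2"; tries="${3:-10}"
    while [ "$tries" -gt 0 ]; do
        if nc -z "$host" "$port" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Sanity-check the image, wait for OpenOCD, then stream the commands to it.
# Return codes: 2 = image missing, 3 = OpenOCD telnet port not reachable.
load_jazelle_image() {
    image="$1"
    if [ ! -f "$image" ]; then
        echo "no such image: $image" >&2
        return 2
    fi
    if ! wait_for_port "$OCD_HOST" "$OCD_PORT" 15; then
        echo "OpenOCD telnet port $OCD_HOST:$OCD_PORT not reachable" >&2
        return 3
    fi
    ocd_commands "$image" | nc "$OCD_HOST" "$OCD_PORT"
}

# Run only when invoked with an image path, e.g.: ./load.sh jazelle.elf
if [ "$#" -gt 0 ]; then
    load_jazelle_image "$1"
fi
```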
## Credits
FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/
Jazelle info this project is based on:
* https://hackspire.org/index.php/Jazelle
* https://github.com/SonoSooS/libjz
## TODO
* Figure out Jazelle stuff:
  * [ ] Which bytecode instructions are supported on which Jazelle versions?
  * [x] How exactly does the stack work? (When a handler function is being called)
  * [ ] How exactly does the Jazelle status register work?
  * [ ] What control registers are there that influence the execution?
  * [ ] Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution?
  * [ ] ...
  * [ ] How does one call regular ARM/Thumb code from inside Jazelle?
  * [ ] ...
* [ ] Verify what Hackspire and libjz have, to check if it is correct
* [ ] Look at what Hackspire and libjz don't have and try to complete it
* [ ] Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)
|