# Jacking (Jazelle hacking (Jean gazelle hacking))
**Jazelle reverse engineering effort**
Not the first one, but hopefully one that properly documents some of the details.
## Workflow
Currently targeting the Cypress FX3.
### Compiling
```
$ make
```
Needs an `arm-none-eabi` toolchain.
### Running/debugging
#### Setup
```
$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"
```
#### Running code
```
$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
$ arm-none-eabi-gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf
```
The first command halts the core and loads the ELF through OpenOCD's telnet port (4444). The second attaches gdb through OpenOCD's gdb server port (3333), sets the PC to `_start`, sets a breakpoint on `jazelle_exec` and continues, so execution stops right before Jazelle mode is entered.
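As an added example (not part of this repository), the following POSIX shell wrapper chains the three steps above: it starts OpenOCD with the config from the setup step, waits for the telnet port to open, pushes the load script over `nc`, and then attaches gdb with the same commands as the README. The script name `jacking_run.sh`, the `OCD_CFG`/`TELNET_PORT`/`GDB_PORT` environment overrides and the use of `nc -z` for port probing are this example's own assumptions.

```shell
#!/bin/sh
# jacking_run.sh: added helper (not part of the jacking project) that chains
# the README's steps: start OpenOCD, load the ELF over the telnet port, attach
# gdb. Config file, ports and gdb commands are the README's defaults; the
# environment variable overrides are an assumption of this example.
set -eu

OCD_CFG="${OCD_CFG:-./arm926ejs_fx3.cfg}"
TELNET_PORT="${TELNET_PORT:-4444}"   # OpenOCD telnet server
GDB_PORT="${GDB_PORT:-3333}"         # OpenOCD gdb server

# The command script fed to OpenOCD's telnet port to load one ELF.
ocd_load_script() {
    printf 'reset halt\nload_image %s\nexit\n' "$1"
}

# Succeeds only when every named tool is on PATH; lists what is missing.
check_tools() {
    missing=0
    for t in "$@"; do
        if ! command -v "$t" >/dev/null 2>&1; then
            echo "missing tool: $t" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Poll localhost:$1 up to $2 times (default 50, 0.2 s apart) until it accepts
# a TCP connection; returns 1 if the port never opened.
wait_for_port() {
    port=$1
    tries=${2:-50}
    while [ "$tries" -gt 0 ]; do
        if nc -z localhost "$port" 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 0.2
    done
    return 1
}

main() {
    elf=${1:-jazelle.elf}
    if [ ! -f "$elf" ]; then
        echo "no such ELF: $elf (run make first)" >&2
        exit 2
    fi
    check_tools openocd nc arm-none-eabi-gdb

    # Setup step from the README, kept in the background for this session.
    openocd -f "$OCD_CFG" -c "transport select jtag" \
        -c "adapter speed 1000" -c "init" &
    ocd_pid=$!
    trap 'kill "$ocd_pid" 2>/dev/null' EXIT

    wait_for_port "$TELNET_PORT" || {
        echo "openocd did not open port $TELNET_PORT" >&2
        exit 3
    }
    ocd_load_script "$elf" | nc localhost "$TELNET_PORT"

    # Same gdb session as the README: jump to _start, stop at jazelle_exec.
    arm-none-eabi-gdb \
        -ex "target extended-remote localhost:$GDB_PORT" \
        -ex 'set $pc=_start' \
        -ex 'b jazelle_exec' \
        -ex c \
        "$elf"
}

# Only start a session when invoked as a script named jacking_run.sh, so the
# functions above can also be sourced on their own.
case "${0##*/}" in
    jacking_run.sh) main "$@" ;;
esac
```

Save it as `jacking_run.sh` next to the Makefile and run `./jacking_run.sh jazelle.elf` after `make`; OpenOCD is killed by the EXIT trap when gdb exits, so each run starts from a fresh `reset halt`.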
## Credits
FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/
Jazelle info this project is based on:
* https://hackspire.org/index.php/Jazelle
* https://github.com/SonoSooS/libjz
## TODO
* Figure out Jazelle stuff:
  * [ ] Which bytecode instructions are supported on which Jazelle versions?
  * [x] How exactly does the stack work? (When a handler function is being called)
  * [ ] How exactly does the Jazelle status register work?
  * [ ] What control registers are there that influence the execution?
  * [ ] Is it possible to force execute a certain instruction using the handler
    instead of the default in-hardware execution?
  * [ ] ...
  * [ ] How does one call regular ARM/Thumb code from inside Jazelle?
  * [ ] ...
* [ ] Verify what Hackspire and libjz have, to check if it is correct
* [ ] Look at what Hackspire and libjz don't have and try to complete it
* [ ] Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or
  3DS homebrew with kernel privileges (and do tests on these to check for
  different Jazelle versions)