# Jacking (Jazelle hacking (Jean gazelle hacking))

**Jazelle reverse engineering effort**: not the first one, but hopefully one that properly documents some stuff.

## Workflow

Currently targeting the Cypress FX3.

### Compiling

```
$ make
```

Needs an `arm-none-eabi` toolchain.

### Running/debugging

#### Setup

```
$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"
```

#### Running code

```
$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
$ arm-none-eabi-gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf
```

## Credits

FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/

Jazelle info this project is based on:

* https://hackspire.org/index.php/Jazelle
* https://github.com/SonoSooS/libjz

## TODO

* Figure out Jazelle stuff:
  * [ ] Which bytecode instructions are supported on which Jazelle versions?
  * [x] How exactly does the stack work? (When a handler function is being called)
  * [ ] How exactly does the Jazelle status register work?
  * [ ] What control registers are there that influence the execution?
  * [ ] Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution?
  * [ ] ...
  * [ ] How does one call regular ARM/Thumb code from inside Jazelle?
  * [ ] ...
* [ ] Verify what Hackspire and libjz have, to check if it is correct
* [ ] Look at what Hackspire and libjz don't have and try to complete it
* [ ] Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)