# Jacking (Jazelle hacking (Jean gazelle hacking)) **Jazelle reverse engineering effort** not the first one, but hopefully one that properly documents some stuff ## Workflow Currently targetting the Cypress FX3. ### Compiling ``` $ make ``` Needs an `arm-none-eabi` toolchain. ### Running/debugging #### Setup ``` $ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init" ``` #### Running code ``` $ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444 gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf ``` ## Credits FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/ Jazelle info this project is based on: * https://hackspire.org/index.php/Jazelle * https://github.com/SonoSooS/libjz ## TODO * Figure out Jazelle stuff: * Which bytecode instructions are supported on which Jazelle versions? * How exactly does the stack work? (When a handler function is being called) * How exactly does the Jazelle status register work? * What control registers are there that influence the execution? * Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution? * ... * ... * Verify what Hackspire and libjz have, to check if it is correct * Look at what Hackspire and libjz don't have and try to complete it * Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)