Triss 0a7914e3f7 | ||
---|---|---|
bsp | ||
rdb | ||
rpi | ||
zynq | ||
.gitignore | ||
Makefile | ||
README.md | ||
arm926ejs_fx3.cfg | ||
elf2img.py | ||
jazelle.c | ||
main.c | ||
nl-glue.c |
README.md
Jacking (Jazelle hacking (Jean gazelle hacking))
Jazelle reverse engineering effort
not the first one, but hopefully one that properly documents some stuff
Workflow
Currently targetting the Cypress FX3.
Compiling
$ make
Needs an arm-none-eabi
toolchain.
Running/debugging
Setup
$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"
Running code
$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
$ arm-none-eabi-gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf
Credits
FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/
Jazelle info this project is based on:
TODO
- Figure out Jazelle stuff:
- Which bytecode instructions are supported on which Jazelle versions?
- How exactly does the stack work? (When a handler function is being called)
- How exactly does the Jazelle status register work?
- What control registers are there that influence the execution?
- Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution?
- ...
- How does one call regular ARM/Thumb code from inside Jazelle?
- ...
- Verify what Hackspire and libjz have, to check if it is correct
- Look at what Hackspire and libjz don't have and try to complete it
- Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)