jacking (jazelle hacking)

Go to file

Triss 4cd397b564 blep		2022-01-21 05:23:43 +01:00
bsp	stuff	2022-01-21 05:15:36 +01:00
rdb	stuff	2022-01-21 05:15:36 +01:00
.gitignore	stuff	2022-01-21 05:15:36 +01:00
Makefile	stuff	2022-01-21 05:15:36 +01:00
README.md	blep	2022-01-21 05:23:43 +01:00
arm926ejs_fx3.cfg	stuff	2022-01-21 05:15:36 +01:00
elf2img.py	stuff	2022-01-21 05:15:36 +01:00
main.c	stuff	2022-01-21 05:15:36 +01:00

README.md

Jacking (Jazelle hacking (Jean gazelle hacking))

Jazelle reverse engineering effort

not the first one, but hopefully one that properly documents some stuff

Workflow

Currently targetting the Cypress FX3.

Compiling

$ make

Needs an arm-none-eabi toolchain.

Running/debugging

Setup

$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"

Running code

$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf

Credits

FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/

Jazelle info this project is based on:

TODO

Figure out Jazelle stuff:
- Which bytecode instructions are supported on which Jazelle versions?
- How exactly does the stack work? (When a handler function is being called)
- How exactly does the Jazelle status register work?
- What control registers are there that influence the execution?
  - Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution?
  - ...
- How does one call regular ARM/Thumb code from inside Jazelle?
- ...
- Verify what Hackspire and libjz have, to check if it is correct
- Look at what Hackspire and libjz don't have and try to complete it
Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)