Jacking (Jazelle hacking (Jean gazelle hacking))
Jazelle reverse engineering effort
not the first one, but hopefully one that properly documents some stuff
Workflow
Currently targeting the Cypress FX3.
Compiling
$ make
Needs an arm-none-eabi toolchain.
Running/debugging
Setup
$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"
Running code
$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
$ arm-none-eabi-gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf
Credits
FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/
Jazelle info this project is based on:
TODO
- Figure out Jazelle stuff:
  - Which bytecode instructions are supported on which Jazelle versions?
  - How exactly does the stack work? (When a handler function is being called)
  - How exactly does the Jazelle status register work?
  - What control registers are there that influence the execution?
  - Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution?
  - ...
  - How does one call regular ARM/Thumb code from inside Jazelle?
  - ...
- Verify what Hackspire and libjz have, to check if it is correct
- Look at what Hackspire and libjz don't have and try to complete it
- Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)