jacking (jazelle hacking)
Go to file
Triss cb54b4d409 rpi baremetal stuff 2022-01-29 19:09:46 +01:00
bsp stuff 2022-01-22 02:18:05 +01:00
rdb stuff 2022-01-21 05:15:36 +01:00
rpi rpi baremetal stuff 2022-01-29 19:09:46 +01:00
zynq port stuff to rpi and zynq 2022-01-29 02:26:40 +01:00
.gitignore unfinished stuff, also zynq 2022-01-24 02:12:57 +01:00
Makefile instruction enumeration, simple rpi test stuff 2022-01-28 23:58:46 +01:00
README.md stuff 2022-01-22 02:18:05 +01:00
arm926ejs_fx3.cfg stuff 2022-01-21 05:15:36 +01:00
elf2img.py stuff 2022-01-21 05:15:36 +01:00
jazelle.c rpi baremetal stuff 2022-01-29 19:09:46 +01:00
main.c stuff 2022-01-22 02:18:05 +01:00
nl-glue.c stuff 2022-01-22 02:18:05 +01:00

README.md

Jacking (Jazelle hacking (Jean gazelle hacking))

Jazelle reverse engineering effort

not the first one, but hopefully one that properly documents some stuff

Workflow

Currently targetting the Cypress FX3.

Compiling

$ make

Needs an arm-none-eabi toolchain.

Running/debugging

Setup

$ openocd -f ./arm926ejs_fx3.cfg -c "transport select jtag" -c "adapter speed 1000" -c "init"

Running code

$ printf 'reset halt\nload_image jazelle.elf\nexit\n' | nc localhost 4444
$ arm-none-eabi-gdb -ex 'target extended-remote localhost:3333' -ex 'set $pc=_start' -ex 'b jazelle_exec' -ex c jazelle.elf

Credits

FX3 base code: gratuitously stolen from https://github.com/zeldin/fx3lafw/

Jazelle info this project is based on:

TODO

  • Figure out Jazelle stuff:
    • Which bytecode instructions are supported on which Jazelle versions?
    • How exactly does the stack work? (When a handler function is being called)
    • How exactly does the Jazelle status register work?
    • What control registers are there that influence the execution?
      • Is it possible to force execute a certain instruction using the handler instead of the default in-hardware execution?
      • ...
    • How does one call regular ARM/Thumb code from inside Jazelle?
    • ...
    • Verify what Hackspire and libjz have, to check if it is correct
    • Look at what Hackspire and libjz don't have and try to complete it
  • Port this code to the ARM11 using either Raspberry Pi v1 baremetal, or 3DS homebrew with kernel privileges (and do tests on these to check for different Jazelle versions)