Line 10: |
Line 10: |
| ===NATIVE_FIRM=== | | ===NATIVE_FIRM=== |
| ====Process9==== | | ====Process9==== |
− | The global boolean preventing [[FIRM|SAFE_FIRM]] from being launched is now set in Process9's crt0 if [[CONFIG9_Registers#CFG9_BOOTENV|CFG9_BOOTENV]] has bit0 set, that is to say, if it has been launched from a firmlaunch (this register is set to 1 just before a firmlaunch). The following code has also been added in the firmlaunch function itself: <code>if(!(CFG9_BOOTENV & 1) /* not a firmlaunch */ || (CFG9_BOOTENV & 6) /* firmlaunched from LGY_FIRM (if even possible at all) */) goto panic</code>.
| + | Exactly two functions were changed. |
| | | |
− | This is to fix [[3DS_System_Flaws#Process9|safehax]]. | + | The global boolean preventing [[FIRM|SAFE_FIRM]] from being launched is now set in Process9's main() if [[CONFIG9_Registers#CFG9_BOOTENV|CFG9_BOOTENV]] has bit0 set, that is to say, if it has been launched from a firmlaunch (this register is set to 1 just before a firmlaunch). The following code has also been added in the firmlaunch function itself, immediately after the code-block where the boolean is checked: <code>if(!(CFG9_BOOTENV & 1) /* not a firmlaunch */ || (CFG9_BOOTENV & 6) /* firmlaunched from LGY_FIRM (if even possible at all) */) goto panic</code>. |
| + | |
| + | This is to properly fix [[3DS_System_Flaws#Process9|safehax]]. |
| | | |
| ====New3DS kernel9loader==== | | ====New3DS kernel9loader==== |
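Review bot: "Exactly two functions were changed." does not say which two, so a reader cannot match the count against the paragraph that follows it; name them, e.g. "Exactly two functions were changed: Process9's main(), where the SAFE_FIRM boolean is now set, and the firmlaunch function." The added panic condition `(CFG9_BOOTENV & 6) /* firmlaunched from LGY_FIRM (if even possible at all) */` is explained only by its inline comment while the prose describes bit0 alone; one clause stating what bits 1 and 2 of CFG9_BOOTENV encode would make the check verifiable from the page rather than from the reader's memory of the register layout.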
Line 18: |
Line 20: |
| | | |
| ====ARM11 kernel==== | | ====ARM11 kernel==== |
− | There are at least, and likely, three changes: | + | There's exactly three code changes: |
| | | |
| * [[CONFIG11_Registers#CFG11_WIFIUNK|CFG11_WIFIUNK]] is now set to 0x10 in Kernel11's crt0 | | * [[CONFIG11_Registers#CFG11_WIFIUNK|CFG11_WIFIUNK]] is now set to 0x10 in Kernel11's crt0 |
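Review bot: "There's exactly three code changes" should read "There are exactly three code changes". The hunk also replaces a hedged count ("at least, and likely, three") with a definite one, but only the first list item (CFG11_WIFIUNK set to 0x10 in Kernel11's crt0) is visible here; if the other two items and what confirmed the count are not in the list that follows, add them, since anyone auditing the kernel diff will otherwise have to treat "exactly" as unverified.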
Line 112: |
Line 114: |
| *r4 = val; | | *r4 = val; |
| Then len is used for a string data-copy(ASCII/UTF16), unless it's UTF16 and len is <=0. | | Then len is used for a string data-copy(ASCII/UTF16), unless it's UTF16 and len is <=0. |
| + | |
| + | ===[[Title_list|SNOTE_AP]]=== |
| + | This was updated with vuln fixes similar to the sound-app. |
| + | |
| + | LT_1004d6 |
| + | updated, prev ver @ LT_1004d6. |
| + | Added a func call for LT_1017c8 at 0x100508. |
| + | |
| + | LT_1017c8 |
| + | new func. |
| + | Only called by LT_1004d6. |
| + | return LT_10250c(0x405, 5, 0x5109d503); |
| + | |
| + | LT_103368 |
| + | updated, prev ver @ LT_1032f8. |
| + | The first func call was removed, it's now located in LT_1017c8. |
| + | |
| + | LT_11ea6c |
| + | updated, prev ver @ LT_11ea60. |
| + | Added the following: if(len>0xfe)*lenptr = 0xfe; |
| + | |
| + | LT_11f210 |
| + | updated, prev ver @ LT_11f1fc. |
| + | The following was added at 0x11f49c: if(len>0xfe)len=0xfe; |
| + | Before executing "return ~0x63;" this now calls LT_12f542. |
| + | minor other changes. |
| + | |
| + | LT_11f84c |
| + | updated, prev ver @ LT_11f828. |
| + | This now clears inr0+0x34 after calling L_14cabc. |
| + | |
| + | LT_11f9ac |
| + | updated, prev ver @ LT_11f984. |
| + | Added the following: if(len>0xfe)*lenptr=0xfe; |
| + | ==New 2DS XL Version== |
| + | On June 15, 2017 a new version of 11.4.0-37E was released pre-installed with the AU/NZ debut of the New 2DS XL model of the 3ds family. There are 13 updated titles over the base NUS version included this new model, apparently to ensure compatibility with the New 2DS XL's unique 3D-less hardware configuration. A list of changed titles can be found [https://gist.github.com/ihaveamac/bffc8694ac209207c8db86a98f6c4238 here]. |
| + | |
| + | ===[[MCU Services|MCU sysmodule]]=== |
| + | Differences between v8192 and v9216 (New2DSXL): |
| + | |
| + | * The SDK crt0 and functions seem to have been updated |
| + | * The MCU firmware has been moved into .rodata |
| + | * Other minor changes (?) |
| + | |
| + | The MCU firmware itself was updated, see below. |
| + | |
| + | ====MCU firmware==== |
| + | With <code>u16 *g_model = (u16 *)0x000ff908;</code>, the function that were actually changed are: |
| + | |
| + | * 00000189: adds <code>if(*g_model == 2DS) *g_model == N2DSXL;</code> in the function that converts model numbers to their XL versions. However the function hardcodes N3DS even on N2DSXL. |
| + | * <code>*(u8 *)0xffe3a |= (model == N3DS || model == N3DSXL) ? 8 : 0;</code> becomes <code>*(u8 *)0xffe3a |= (model == N3DS || model == N3DSXL || model == N2DSXL) ? 8 : 0</code> |
| + | * 00002be5 (previously 00002be1): |
| + | u8 *v = (u8 *)0xffe3b; |
| + | if(g_model == N3DS || g_model == N3DSXL) |
| + | { |
| + | v[0] = 0x54; |
| + | v[1] = 0x44; |
| + | } |
| + | +else if(g_model == N2DSXL) |
| + | +{ |
| + | + v[0] = 0x4e; |
| + | + v[1] = 0x3f; |
| + | +} |
| + | else |
| + | { |
| + | v[0] = 0x4b; |
| + | v[1] = 0x3d; |
| + | } |
| + | |
| + | Reminder: The MCU is similar to the rl78-g13 model; to build a reconstruct the MCU firmware, copy 0x1000 bytes after "jhl" ''twice'', and 0x1000 bytes thereafter. |
| | | |
| ==See Also== | | ==See Also== |
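Review bot: in the 00000189 bullet, `if(*g_model == 2DS) *g_model == N2DSXL;` uses a comparison where the described behaviour (converting a model number to its XL version) needs an assignment, so the second `==` should be `=`; `2DS` should also follow the naming used for the other models in this section (N3DS, N3DSXL, N2DSXL) or be defined alongside them. The 00002be5 listing mixes `+`-prefixed added lines with unprefixed context and is not wrapped in <pre>, so the wiki will render it as run-together text; put the whole block in <pre>...</pre> so the indentation and the `+` markers survive. The SNOTE_AP entries clamp len to 0xfe in three places (LT_11ea6c, LT_11f210, LT_11f9ac) but never say what that bound corresponds to; a cross-reference to the sound-app fixes they are said to mirror would let readers check it. Minor wording: "the function that were actually changed are" should be "the functions that were actually changed are", "included this new model" should be "included with this new model", and "to build a reconstruct the MCU firmware" should be "to reconstruct the MCU firmware".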