
Jannik Vogel JayFoxRox

@JayFoxRox
JayFoxRox / ATAPI_12__inquiry.c
Created Mar 16, 2020
Analysis of SDG605B x010 firmware
void FUN_CODE_33cd_12__handle_INQUIRY(void)
{
    // EVPD must be zero
    if (BYTE_INTMEM_9b & 1) {
        FUN_CODE_27e2_error_tracking_probably(SPC_SK_ILLEGAL_REQUEST,0x24,0);
        return;
    }
    // Page code must be zero
@JayFoxRox
JayFoxRox / notes.md
Created Jan 21, 2020
IDC Script and information about Hitachi-LG GDR-8050L (Original Xbox Drive)

(This information stems from a French forum post which I'll not link here to avoid legal issues)

I believe this information is about the 360 variant of the drive.

According to TheSpecialist the firmware has a checksum which is verified at the start of the firmware at offset 0x000099. By patching the bytes C8 23 FC to CC 23 00 the checksum is bypassed and the console starts without problem!

Addresses in firmware (47DH):

@JayFoxRox
JayFoxRox / code.rb
Last active Aug 27, 2019
Futurama Easter-Egg
# Based on research using https://github.com/JayFoxRox/futurama-tools
# LABEL: [{'name': '@@action@@aEgg', 'path': 'Level1\\Level1-1\\Level1-1A.fis', 'address': 28580, 'type': 40, 'unk4': 385, 'locals': [{'name': 'eggdoor', 'offset': 0, 'type': 27}, {'name': 't_next', 'offset': 216, 'type': 12}, {'name': 't_hit', 'offset': 220, 'type': 12}]}]
function StageA:@@action@@aEgg {
.stack_size 0
.extra_stack_size 224
.local Door eggdoor # Offset 0
.local Trigger t_next # Offset 216
.local Trigger t_hit # Offset 220
@JayFoxRox
JayFoxRox / nxdk-rdt-proto.md
Created Jul 14, 2018
nxdk-rdt protocol specification (failed attempt iirc?)

nxdk-rdt Protocol specification

This protocol was designed to be simple to understand and implement.

However, nxdk-rdt only provides helper functions which are enough to inject your own code into an Xbox. nxdk-rdt itself does not provide a high-level set of functions to do anything useful on their own. To find out how to create these high-level functions using nxdk-rdt, see the examples section.

Reasons for this design are:

View blah.md
diff --git a/build.sh b/build.sh
index 86031fc8fe..5ab64ecaa2 100755
--- a/build.sh
+++ b/build.sh
@@ -50,7 +50,7 @@ set -x # Print commands from now on
        --disable-curl \
        --disable-vnc \
        --disable-docs \
- --disable-tools \
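Review bot: the only visible change in this hunk is the removal of `--disable-tools` from the configure flag list; the replacement `+` line the `@@ -50,7 +50,7 @@` header promises is cut off in this excerpt, so it cannot be confirmed whether the flag was swapped for another or simply dropped (which would start building the tools). The commit description should state which of the two is intended and why the tools build is needed.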
@JayFoxRox
JayFoxRox / README.md
Last active Apr 22, 2018
OpenSWE1R Disassembly Completeness Script

Horrible code ahead!

I wrote this as a small motivation for my RE efforts. It was rushed together, so please be careful when using it.

Needs a clone of the OpenSWE1R wiki in an "openswe1r.wiki" folder. Also requires a decompilation of the game binary using "Retargetable Decompiler" (retdec), which must be passed as an argument to completeness.py

I'm not sure when I wrote this script and whether it was for the patched version or the demo version. I seem to have run it for one of the patched binaries though.

@JayFoxRox
JayFoxRox / convert.sh
Created Jan 7, 2018
N64 ROM (z64) to ELF
#!/usr/bin/bash
# Get entry point from N64 ROM
dd if=test.z64 bs=1 skip=8 count=4 of=entrypoint >& /dev/null
# Convert entrypoint to little endian
#mips-elf-objcopy -I binary -O binary --reverse-bytes=4 entrypoint entrypoint
# Construct an ELF
mips-elf-objcopy -I binary test.z64 -O elf32-bigmips -B mips --adjust-section-vma .data+0x80000000 foo.elf
# Patch to MIPS III
printf '\x20\x00\x00\x00' | dd bs=1 seek=36 count=4 conv=notrunc of=foo.elf >& /dev/null
View jfr-plans-2017.md

JayFoxRox Projects 2017 (plans and wishes)

XQEMU Plans

  1. Create emuwell, an open-source MCPX ROM + Flash
  2. Create dump-xbox, an open-source xboxkrnl.exe and HDD image dumper
  3. Create an open-source RPC tool (NXDK-RDT or nv2a-re / xbox-re) to remote control an Xbox
  4. Add basic Travis CI support for the Linux version of XQEMU
  5. Integrate unit tests through the remote tool to automatically test XQEMU on Travis using all of the above tools (and a hidden xboxkrnl.exe)
  6. Document usage of freecell and gain permission for ss_sector_range; create portable flashing tool to make XGD dumping easier
@JayFoxRox
JayFoxRox / broken
Created Aug 31, 2016
Super Mario 3D Land (Shining Stars hang)
[ 0.000000] Common.Filesystem <Warning> common/file_util.cpp:CreateFullPath:207: path exists /home/fox/.config/citra-emu/qt-config.ini
[ 0.111388] Frontend <Error> citra_qt/game_list.cpp:PopulateAsync:84: Could not find game list folder at /home/fox/Data/Games/3DS
[ 0.111430] Frontend <Info> citra_qt/main.cpp:BootGame:317: Citra starting...
[ 0.116982] Service.FS <Info> core/file_sys/archive_sdmc.cpp:ArchiveFactory_SDMC:21: Directory /home/fox/.local/share/citra-emu/sdmc/ set as SDMC.
[ 0.117032] Common.Filesystem <Warning> common/file_util.cpp:CreateFullPath:207: path exists /home/fox/.local/share/citra-emu/sdmc/
[ 0.117051] Service.FS <Info> core/file_sys/archive_savedata.cpp:ArchiveFactory_SaveData:42: Directory /home/fox/.local/share/citra-emu/sdmc/Nintendo 3DS/00000000000000000000000000000000/00000000000000000000000000000000/title/ set as SaveData.
[ 0.117067] Service.FS <Info> core/file_sys/archive_extsavedata.cpp:ArchiveFactory_ExtSaveData:62: Directory /home/fox/.local/share/citra-emu/sd
@JayFoxRox
JayFoxRox / Can
Last active Jul 4, 2016
Citra Forum OSX Reports
Process: citra-qt [805]
Path: /Users/USER/Downloads/*/citra-qt.app/Contents/MacOS/citra-qt
Identifier: com.citra-emu.citra
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: citra-qt [805]
User ID: 501
Date/Time: 2016-06-12 08:46:15.028 +0100