b1l1s / qemu Goto Github PK

Specifically, the CSD or the CID specify the type of the card, which is ignored by the emulator. This leads to issues with sdmmc.c, where it returns the type of the card as being regular SD when it really should be detected as SDHC or SDXC.

One problem caused by this is that sector calculations for reading and writing are multiplied by 512 if not SDHC or SDXC, which if the card really is one of those can cause for the location information (sector * 512) to overflow. I observed the overflow by stepping through GDB. The same exact binary works on hardware.

I am unable to provide a quick example at the moment. My recommendation to reproduce is to get the CID and CSD of an SDXC card, set the faux card with qemu, then try to do a read or write using sdmmc.c (I was using my own lib's sdmmc.c, based on Normmatt's work). Stepping through the operation should at one point hit a line with if(handelSD.isSDHC == 0) sector_no <<= 9; -- that conditional is only hit if the card isn't SDHC. With an SDXC card that line executes in the emulator, works as intended on hardware.

Upon attempting to execute an arm9 payload (arm-softmmu/qemu-system-arm -kernel arm9loaderhax.bin -M ctr9)
qemu immediately crashes, outputting the following:

qemu: fatal: Trying to execute code outside RAM or ROM at 0x00010000

R00=00000000 R01=000002ff R02=00000100 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=00000000
R08=00000000 R09=00000000 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00010000
PSR=400001d3 -Z-- A svc32
FPSCR: 00000000
Abort trap: 6

I tried the latest release of Luma3DS(7.0.4 at the time of this writing) and the latest GodMode9 (v1.1.3)
I tried this on two different systems (first being macOS, second being Debian) to confirm that this wasn't an isolated issue.