Homebrew Clarification Thread - What is going on?

Status
Not open for further replies.

perkel

Well-Known Member
Member
Joined
Dec 28, 2015
Messages
240
Trophies
0
Age
37
XP
299
Country
Poland
Isn't this subject to the same problem mentioned in other contexts, including Wii-U hacking? Namely, the hackers should keep the exploit secret, because as soon as you publish it, Nintendo is going to patch it, and that's bad in the long run.

And how do you prevent Nintendo Engineers from downloading hack themselves and run it through their tools to see what it does ?

They have all keys and access they want, know how, engineers and so on.
 

Mrrraou

Well-Known Member
Member
Joined
Oct 17, 2015
Messages
1,873
Trophies
0
XP
2,374
Country
France
And how do you prevent Nintendo Engineers from downloading hack themselves and run it through their tools to see what it does ?

They have all keys and access they want, know how, engineers and so on.
The exploits were already released. So it's going to be patched.
 

Mrrraou

Well-Known Member
Member
Joined
Oct 17, 2015
Messages
1,873
Trophies
0
XP
2,374
Country
France
Also, a question: Isn't there an old kernel9 exploit which was patched, but above 9.2? If so, could menchunkhax2 be used in combination with this to give full access on whatever version didn't patch it?
firmlaunchhax was actually an arm9 kernel exploit that was used on 9.2 and lower that was patched on 9.5
 

Xenon Hacks

Well-Known Member
Member
Joined
Nov 13, 2014
Messages
7,414
Trophies
1
Age
31
XP
4,700
Country
United States
No. There is a way to USE these keys, not to OBTAIN them.
I always appreciate your work/posts think you can go into more detail and share what you know?

--------------------- MERGED ---------------------------

The Pasta team is the one working on rxTools right now?
rxTools is open source anyone can make a commit.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Messages
378
Trophies
1
Website
keybase.io
XP
907
Country
France
  • arm9loaderhax is a way to inject a payload directly into a N3DS bootrom (just after the the firm boot). This is like a CFW coldboot N3DS-only.

It requires hardware, you need the firmware blob to "decrypt" into a branch point, the problem is, the Kernel9 loader uses a hash derived from a per 3DS OTP (which you don't know) in other to decrypt keys stored in NAND, most particularly key #2 which you replace with a garbage key in the hope of obtaining the branch point mentioned above (used to get the Kernel9 loader to jump to your payload), since you can't predict the output, you can't generalize this hack as it needs trials and errors for each units, therefore requires a way to write the nand using hardware.

  • There is a way to get the key that blocks emuNAND 9.6+ on N3DS (it unlocks the new layer of security added to ARM9 bootrom on the N3DS).

No, there isn't, you only gain code execution AFTER the Kernel9 loader runs, this means you can't read the OTP and keyslot 0x11 gets cleared, not to mention you would be replacing the NAND key #2 used to decrypt the new Kernel9 with garbage anyway (since that's required for this hack to work in the first place) good luck decrypting 9.6+ kernel9 this way...

  • There is also a way to calculate the AES key of the console, which is pretty cool to be honest.

There is not an "AES key of the console" what you can do is to calculate/bruteforce the constant used by the key scrambler and use that to generate missing KeyX for known normal (AES) keys + KeyY and of course bypass the keyscrambler all together.

You need to keep in mind that :

- there aren't a lot of normal keys in the wild, only the one used by NFC and used by the WiiU, so you won't be getting a lot of KeyX

- most of the keyX are set in write only keyslots (which can be used as arguments for the key scrambler) which are set by the bootrom and cannot be read, therefore you won't be able to get the normal key even if you do know KeyY and have the keyscrambler operations + constant figured out.

(You need keyX + keyY to generate a normal key, likewise you need Normal key + keyY to generate KeyX)
 

motezazer

Well-Known Member
Member
Joined
Feb 6, 2015
Messages
1,214
Trophies
0
Age
24
XP
1,442
Country
France
I always appreciate your work/posts think you can go into more detail and share what you know?
That's not complicated.
When the flaw is exploited, the N3DS keys are loaded, but the 0x11 key used to generate them was cleared, so you can't generate the keys again. You can only use them (write-only keyslots).
 

Xenon Hacks

Well-Known Member
Member
Joined
Nov 13, 2014
Messages
7,414
Trophies
1
Age
31
XP
4,700
Country
United States
Wasn't it that Roxas stopped coding and he passed the work to the Pasta team?
Yes but anyone can make a commit https://github.com/roxas75/rxTools
this is getting off topic

--------------------- MERGED ---------------------------

That's not complicated.
When the flaw is exploited, the N3DS keys are loaded, but the 0x11 key used to generate them was cleared, so you can't generate the keys again. You can only use them (write-only keyslots).
And just like that my hopes and dreams have been crushed, guess im staying on 9.2 with 9.5 Emunand thanks for the info.
 
Status
Not open for further replies.

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
    Psionic Roshambo @ Psionic Roshambo: https://thedirect.com/culture/marvel-dc-hollywood-stars-endorsing-donald-trump