Homebrew The bootroms

Suiginou · Jun 17, 2016

windwakr said:
Didn't someone say you might possibly be able to dump it with a CTR-debugger? Someone is selling one:
http://assemblergames.com/l/threads...o-capture-and-3ds-partner-ctr-debugger.48004/

Summoning @yifanlu even though I know he won't share the bootroms if he gets them.

Conn0r · Jun 17, 2016

Suiginou said:
Summoning @yifanlu even though I know he won't share the bootroms if he gets them.

Dude. If anyone "dumps the bootrom" they'd share it immediately. There's no reason not to. Nintendo can't patch it.

PabloMK7 · Jun 17, 2016

Suiginou said:
Summoning @yifanlu even though I know he won't share the bootroms if he gets them.

That tag doesn't work.

Summoning @yifan_lu v2

WeedZ · Jun 17, 2016

Conn0r said:
Dude. If anyone "dumps the bootrom" they'd share it immediately. There's no reason not to. Nintendo can't patch it.

Their political stance on contributing to piracy? Not sure about yifanlu, but most named hackers in this scene won't share anything unless they can implement their own method of security.

PabloMK7 · Jun 17, 2016

Just a silly question, will the bootrom keys/data allow us to fake ncch signatures?

ihaveahax · Jun 17, 2016

PabloMK7 said:
Just a silly question, will the bootrom keys/data allow us to fake ncch signatures?

no, the bootrom probably doesn't contain signing keys.

Asia81 · Jun 17, 2016

Edited...

Suiginou · Jun 17, 2016

Conn0r said:
Dude. If anyone "dumps the bootrom" they'd share it immediately. There's no reason not to. Nintendo can't patch it.

Ask Normmatt anytime how he sees that.

FR0ZN · Jun 17, 2016

Just thinking out loud here:

We know from A9LH that FIRM consists of a ARM9 Loader and the encrypted ARM9 binary.
But is the ARM9 Loader also encrypted? If it is, do we have access to this key so we can change it just like Key #2?

If so, maybe we can apply the same technique for ARM9 Loader this time ? So a payload runs instead of ARM9 Loader?

Phantom64 · Jun 17, 2016

So... This is even more than A9LH?

cearp · Jun 17, 2016

Conn0r said:
Dude. If anyone "dumps the bootrom" they'd share it immediately. There's no reason not to. Nintendo can't patch it.

you don't know how some devs think...!
not all are about sharing, whatever their reason may be.

oops, this guy was already quoted twice about this lol, anyway, yeah not everyone has the same mindset as yourself!

astronautlevel · Jun 17, 2016

Conn0r said:
Dude. If anyone "dumps the bootrom" they'd share it immediately. There's no reason not to. Nintendo can't patch it.

As much as I wish that would be the case it isn't, bootrom has actually already been confirmed to be dumped yet people don't share it...

--------------------- MERGED ---------------------------

iCEQB said:
Just thinking out loud here:

We know from A9LH that FIRM consists of a ARM9 Loader and the encrypted ARM9 binary.
But is the ARM9 Loader also encrypted? If it is, do we have access to this key so we can change it just like Key #2?

If so, maybe we can apply the same technique for ARM9 Loader this time ? So a payload runs instead of ARM9 Loader?

Bootrum locks itself before the arm9loader runs.

FR0ZN · Jun 17, 2016

astronautlevel said:
Bootrum locks itself before the arm9loader runs.

Are you sure it's not the next component in the bootchain? How did Nintendo set the CFG_SYSPROT9 for OTP after the 2.1.0 update? They can't update the bootrom.
But let's say what you say is true ... on N3DS ARM9 Loader (which my theory exploits here) is the one which sets the locking register according to this?:

https://www.3dbrew.org/wiki/CONFIG_Registers#CFG_SYSPROT9

Says: On New 3DS, the above is instead done by the Kernel9 loader.

yifan_lu · Jun 17, 2016

PabloMK7 said:
That tag doesn't work.

Summoning @yifan_lu v2

I know how to get it, I just don't have the funds to do so. Especially since I don't care that much about getting the bootrom. But if I do stumble upon it of course I'll share; otherwise I won't even mention it.

Suiginou · Jun 17, 2016

iCEQB said:
Are you sure it's not the next component in the bootchain? How did Nintendo set the CFG_SYSPROT9 for OTP after the 2.1.0 update? They can't update the bootrom.
But let's say what you say is true ... on N3DS ARM9 Loader (which my theory exploits here) is the one which sets the locking register according to this?:

https://www.3dbrew.org/wiki/CONFIG_Registers#CFG_SYSPROT9

Says: On New 3DS, the above is instead done by the Kernel9 loader.

That's about the OTP region, not bit0 for the bootrom.

yifan_lu said:
I know how to get it, I just don't have the funds to do so. Especially since I don't care that much about getting the bootrom. But if I do stumble upon it of course I'll share; otherwise I won't even mention it.

Maybe someone else has the funds. Might be worth just posting the theory on your blog?

astronautlevel · Jun 17, 2016

iCEQB said:
Are you sure it's not the next component in the bootchain? How did Nintendo set the CFG_SYSPROT9 for OTP after the 2.1.0 update? They can't update the bootrom.
But let's say what you say is true ... on N3DS ARM9 Loader (which my theory exploits here) is the one which sets the locking register according to this?:

https://www.3dbrew.org/wiki/CONFIG_Registers#CFG_SYSPROT9

Says: On New 3DS, the above is instead done by the Kernel9 loader.

Well, let's get the full context for your quote

On Old 3DS, NATIVE_FIRM reads CFG_SYSPROT9 to know whether it has previously initialized the TWL console-unique keys using the OTP data. After setting the TWL console-unique keys, NATIVE_FIRM sets CFG_SYSPROT9 bit 1 to disable the OTP area. In subsequent FIRM launches prior to the next reset, NATIVE_FIRM will see that the OTP area is disabled, and skip this step.

On New 3DS, the above is instead done by the Kernel9 loader.

What the kernel9 loader does is lock CFG_SYSPROT9 bit 1, which disables OTP - this is why downgrading to 2.1 allows us to get OTP as it's the FIRM, not the bootrom, that locks the OTP registers.

cearp · Jun 17, 2016

yifan_lu said:
I know how to get it, I just don't have the funds to do so. Especially since I don't care that much about getting the bootrom. But if I do stumble upon it of course I'll share; otherwise I won't even mention it.

funds? how much would it cost to get the hardware or whatever to do it? (assuming someone has not much hardware for this stuff)
(not interested in setting up a fundraiser haha, just curious!)

astronautlevel · Jun 17, 2016

cearp said:
funds? how much would it cost to get the hardware or whatever to do it? (assuming someone has not much hardware for this stuff)
(not interested in setting up a fundraiser haha, just curious!)

I asked the person who said that he was selling them for a cost estimate on the CTR-DEBUGGER unit, but he hasn't responded yet. I can imagine it would be at least somewhat expensive, however.

sirocyl · Jun 17, 2016

I'm going to assume @yifan_lu's method is involving either decapping the chip, or performing the exception-vector timing attack from hardware as outlined earlier in the thread?

astronautlevel · Jun 17, 2016

sirocyl said:
I'm going to assume @yifan_lu's method is involving either decapping the chip, or performing the exception-vector timing attack from hardware as outlined earlier in the thread?

yifan_lu said:
The FPGA is just an Altria Cyclone. The SDK references JTAG although the PARTNER Debugger does not use it. The existence of the files and symbols means that perhaps we can reconfigure the FPGA to enable JTAG access. With JTAG you can freeze the unit on boot and dump the boot rom.

Homebrew The bootroms

(null)

Well-Known Member

Red Yoshi! ^ω^

Possibly an Enlightened Being

Red Yoshi! ^ω^

Well-Known Member

Yuri Lover ~

(null)

Well-Known Member

Banned!

瓜老外

Well-Known Member

Well-Known Member

@yifanlu

(null)

Well-Known Member

瓜老外

Well-Known Member

Are we Geniuses or what?

Well-Known Member

Similar threads

Popular threads in this forum