Homebrew [Coming Soon] OTPless A9LH installation on N3DS (no 2.1 downgrade)

dark_samus3
slightly off topic, but how do you even go about finding your own vulns?
Learn to code, then learn low-level programming, then learn how to reverse engineer. After all that:
1. Reverse lots and lots of code
2. Stare at reversed code
3. Investigate areas that look interesting
4. Determine if interesting areas are exploitable
5. ???
6. Profit (or don't, if it was unexploitable)

If you understand low-level things, you'll likely understand how one might take code down a path it was never intended to take. If you really like, start with some simple buffer overflow tutorials.

In this case, I actually didn't need to do any RE, as this just builds off of the arm9loaderhax flaw, and is a rather simple data manipulation.

Urbanshadow
Is it really? It only works on already exploitable systems and just makes something currently easy a bit easier.

In terms of difficulty, pwning the arm11 sandbox to grant arm9 control is way harder, but chaining exploits to grab boot-time locked, cryptographically sensitive data (otp) in such a beautiful and simple way shreds the whole arm9loader security investment to pieces.

This thing here nullifies any extra effort besides arm9 control (yeah, that may be not much, but still) to fully pwn the hardware boot process, until it gets patched.

What I was trying to say is that right now, downgrading to 2.1 for N3DS systems (the riskier ones) could become useless.
This narrows the whole a9lh process to just having downgrade access to 9.2 or direct access to arm9 code execution.

And by my understanding, if carefully done, it could be way safer than a downgrade+update process, even with ctrnand backups.

SciresM (OP)
In terms of difficulty, pwning the arm11 sandbox to grant arm9 control is way harder, but chaining exploits to grab boot-time locked, cryptographically sensitive data (otp) in such a beautiful and simple way shreds the whole arm9loader security investment to pieces.

This thing here nullifies any extra effort besides arm9 control (yeah, that may be not much, but still) to fully pwn the hardware boot process, until it gets patched.

It's not patchable -- Nintendo can't revoke the firmware file they signed, and this works by writing that firmware to NAND.

This will always be possible so long as you have arm9 code execution.

dark_samus3
It's not patchable -- Nintendo can't revoke the firmware file they signed, and this works by writing that firmware to NAND.

This will always be possible so long as you have arm9 code execution.
They could do some nasty tricks, but it really wouldn't be worth it for them at this point.
 

swnny
Maybe a bit of a noob question, but I'll ask anyway. (It's not about o3DS! :D)
I've been using 9.2 menuhax + emunand for months now on my NEW 3DS and all my installs, saves, etc. are on emunand. With this OTPless method/tool I no longer have an excuse not to install A9LH. Question is, would it be possible, and how, to migrate all my stuff from emunand to a9lh'ed sysnand?
 

linuxares
Nice work @dark_samus3 ! Props to you and all the people that helped!

To the people that are looking for this, I'll say what I've always said to people who wish to hack their 3DS: wait for the guide to update!!!!
 

capito27
They could do some nasty tricks, but it really wouldn't be worth it for them at this point.
Short of blocking memory access to the landing area of the jump from arm9, they can't really. From the code I read, Key0 is used in place of Key0 (if I read right), which is used to generate other keys, so it would be annoying for them to poison the key and handle the weird cases where people reboot or shut down mid-update; they won't do that then. They won't be preventing overwriting firm0/1 from arm9... because that would be kinda stupid and, if not impossible, pretty close to it.
The magic of the OTPless a9lh install process is that at the end it only relies on 3 modifiable things: the firm0 partition being replaced with 10.0 NFirm, secret keysector 1 being replaced by the key in slot 0 (if I read the code right), and being able to set up arbitrary memory which will survive a reboot.
The first requirement we can take for granted, as arm9 kinda has full access to NAND memory, so there's that.
The second requirement, as I said earlier, short of poisoning the key we use to trigger the initial OTPless jump, they can't do much about.
The last requirement, I would be tempted to say that there is no way to change the logic of the MCU reboot to not clear arm9 memory, but they already updated the MCU firm in the past, so we never know; but I'd say that if they were to fix OTPless, they'd go for 3, as it would be the safest to implement imo.

But do they really wanna go all the way to simply slow down a9lh install? Because they can't really FIX future a9lh installs, since the old method is kinda... unpatchable in software-only form.

dark_samus3
Short of blocking memory access to the landing area of the jump from arm9, they can't really. From the code I read, Key0 is used in place of Key0 (if I read right), which is used to generate other keys, so it would be annoying for them to poison the key and handle the weird cases where people reboot or shut down mid-update; they won't do that then. They won't be preventing overwriting firm0/1 from arm9... because that would be kinda stupid and, if not impossible, pretty close to it.
The magic of the OTPless a9lh install process is that at the end it only relies on 3 modifiable things: the firm0 partition being replaced with 10.0 NFirm, secret keysector 1 being replaced by the key in slot 0 (if I read the code right), and being able to set up arbitrary memory which will survive a reboot.
The first requirement we can take for granted, as arm9 kinda has full access to NAND memory, so there's that.
The second requirement, as I said earlier, short of poisoning the key we use to trigger the initial OTPless jump, they can't do much about.
The last requirement, I would be tempted to say that there is no way to change the logic of the MCU reboot to not clear arm9 memory, but they already updated the MCU firm in the past, so we never know; but I'd say that if they were to fix OTPless, they'd go for 3, as it would be the safest to implement imo.

But do they really wanna go all the way to simply slow down a9lh install? Because they can't really FIX future a9lh installs, since the old method is kinda... unpatchable in software-only form.
There's an easy trick they could do: a new arm9loader which re-encrypts the secret sector with some encryption mode other than ECB :P The keys stay the same, OTPless goes away if you update beyond a certain point, anyway.
 
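dark_samus3's point above, that this install method survives only while the secret sector is encrypted in ECB, rests on a textbook property of ECB: every 16-byte block is encrypted independently of its neighbours, so a ciphertext block can be copied from one slot to another without knowing the key and the corresponding plaintext moves with it. A chaining mode such as CBC ties each block to the one before it, so the same ciphertext-only edit decrypts to garbage. The Go program below is an added illustration of that difference and is not code from this thread or from the arm9loaderhax project; the AES key, the CBC IV and the two-slot "sector" are constructed sample values and say nothing about the layout of the real key sector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values for the demonstration; none of this is 3DS data.
// The "sector" is two 16-byte slots holding distinguishable filler bytes.
var (
	sampleKey = []byte("0123456789abcdef") // 128-bit AES key, constructed
	sampleIV  = []byte("fedcba9876543210") // CBC IV, constructed
	slot0     = bytes.Repeat([]byte{0xAA}, aes.BlockSize)
	slot1     = bytes.Repeat([]byte{0xBB}, aes.BlockSize)
)

// sampleSector returns a fresh copy of the two-slot plaintext sector.
func sampleSector() []byte {
	return append(append([]byte{}, slot0...), slot1...)
}

// ecbCrypt runs AES on each 16-byte block on its own. ECB has no chaining,
// so a block's ciphertext depends only on that block's plaintext and the key.
func ecbCrypt(key, in []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// cbcCrypt uses the standard library's CBC mode, in which each ciphertext
// block is mixed into the encryption of the block that follows it.
func cbcCrypt(key, iv, in []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// copyBlock returns a copy of buf in which block src has been written over
// block dst: a ciphertext-only edit that needs no knowledge of the key.
func copyBlock(buf []byte, src, dst int) []byte {
	out := append([]byte{}, buf...)
	copy(out[dst*aes.BlockSize:(dst+1)*aes.BlockSize],
		buf[src*aes.BlockSize:(src+1)*aes.BlockSize])
	return out
}

// Slot1AfterBlockCopy encrypts the sample sector in the chosen mode, copies
// the ciphertext of slot 0 over slot 1, decrypts again and returns what
// slot 1 now holds. Under ECB this is exactly slot 0's plaintext; under CBC
// it is neither slot's value, because the copied block is chained to the
// wrong predecessor.
func Slot1AfterBlockCopy(useCBC bool) []byte {
	pt := sampleSector()
	var ct, dec []byte
	if useCBC {
		ct = cbcCrypt(sampleKey, sampleIV, pt, false)
		dec = cbcCrypt(sampleKey, sampleIV, copyBlock(ct, 0, 1), true)
	} else {
		ct = ecbCrypt(sampleKey, pt, false)
		dec = ecbCrypt(sampleKey, copyBlock(ct, 0, 1), true)
	}
	return dec[aes.BlockSize : 2*aes.BlockSize]
}

func main() {
	fmt.Printf("ECB: slot 1 holds slot 0's value after ciphertext copy? %v\n",
		bytes.Equal(Slot1AfterBlockCopy(false), slot0))
	fmt.Printf("CBC: slot 1 holds slot 0's value after ciphertext copy? %v\n",
		bytes.Equal(Slot1AfterBlockCopy(true), slot0))
}
```

The ECB run prints `true` and the CBC run prints `false`, which is the whole of dark_samus3's argument: the same keys, re-encrypted under a chaining mode, no longer let a slot be rewritten by moving ciphertext around. It is also why ECB is avoided in any design where an attacker can write to the encrypted storage.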
PaiiNSteven
I just bought a DSi cart like two minutes ago. What the fuck.
In all seriousness this is awesome progress! Nice job guys!
 

Redirr
Yes, but I guess they may like to first try to patch the DSiWareHaxx NAND dump and restore, since that lets people downgrade.
Hope you guys could use this OTPless on 11.0 FW patched with DSiWareHaxx, so I don't need to downgrade to 9.2 anymore...

I've been doing some downgrade services here and I bricked a New 3DS downgrading from 11.0 to 9.2.

I didn't try OTPless yet. I'm very scared at the moment. But I wanna try it soon. Hope it evolves into an 11.0 patched FW with no need to downgrade.
 
PaiiNSteven
Will we be able to get the OTP without dging? There was a theory to get it on 9.6 when it loads into the cache, can we do this instead of dging all the way to 2.1?
 
