Homebrew [Coming Soon] OTPless A9LH installation on N3DS (no 2.1 downgrade)

SciresM (Developer, OP). Joined Mar 21, 2014 · Messages 972 · Trophies 3 · Age 33 · XP 8,253 · Country: United States

To be honest, I don't think anybody should be sharing steps here. I don't want to sound elitist, but this is alpha software which could brick your 3ds (no disrespect to the devs - but I'm sure they would agree that this is a possibility at this stage). If you can't find the GitHub repo and figure this out without instructions, just wait for a release.

Not only do I agree this is a possibility, I am highly concerned about it, which is why I specifically say not to try it without a hardmod.
 

Myria (Well-Known Member). Joined Jul 24, 2014 · Messages 464 · Trophies 0 · Age 42 · XP 851 · Country: United States

Well, it was certainly fun finding my first vuln... Sure it builds off of other stuff, but I found it with less than 4 months experience.... after that it was just waiting for everything to line up properly (which actually happened a while ago, but it was thought to be un-exploitable). It's still insane to me that I actually found a vuln. Props to everyone who helped (as listed in the credits) and thanks to #Cakey for support and helping me through my noobness :)
Your insight was how to combine existing exploits to accomplish this task, plus the trick with AES-ECB. =^-^=

For others reading this reply, dark_samus's quip about "which actually happened a while ago" needs more context:

With this new exploit, whenever Nintendo released a new NATIVE_FIRM version--which isn't every update--he figuratively got to roll three dice 31 times. If they ever came up 666, he could do the exploit. Otherwise, he had to wait for another NATIVE_FIRM release to get 31 more chances.

With the release of 11.1.0's new NATIVE_FIRM, dark_samus rolled the dice 31 more times, but none came up 666. But then he reviewed his previous dice rolls.

dark_samus noticed that with the NATIVE_FIRM from firmware 10.0.0, one of his dice rolls he wrote down as being a near-miss of 665. Also, he noticed from his "picture" of the dice roll, the 5 was sitting slightly on its edge, jammed into a corner on his desk.

I took a look at his "picture" of the near-miss and noticed that the third die wasn't a 5; it was actually a 6. He had rolled 666 back in 10.0.0 but due to the borderline nature of the result, he had thought he didn't. Thus now OTP-less is possible.

The above description with dice is very figurative, since the true answer is a lot more complicated, involving such loveliness as ARM CPU condition flags and invalid opcodes.
 
Last edited by Myria. Reason: deleting a word

dark_samus3 (Well-Known Member). Joined May 30, 2015 · Messages 2,372 · Trophies 0 · XP 2,042 · Country: United States

[Quoting Myria's dice-roll explanation above in full]
I love this explanation... Anyways, the trick with ECB is something you told me was possible (after I had asked about it), so in a way you helped a lot with this... I'm sure with a bit of research I could have figured it out on my own anyways, but whatever, I still count it :D
 

retrofan_k (Well-Known Member). Joined May 31, 2013 · Messages 2,077 · Trophies 2 · Location: Caves · XP 2,462 · Country: Belarus

Finally, a good reason to actually change to luma and get a9lh.

Nope. It's already simple enough right now to switch using the current method and guide.

--------------------- MERGED ---------------------------

of course it is, but you can't say it's released. noobs who brick using testing software were asking for it pretty much.

You're always gonna get some Billy Bob moron without a hardmod who will brick and wonder why.
 

Urbanshadow (Well-Known Member). Joined Oct 16, 2015 · Messages 1,578 · Trophies 0 · Age 32 · XP 1,712

I'm trying to understand the vuln the best I can and, from the looks of it, this may be one of the biggest hits to 3DS security yet. And yeah, N shot themselves in the foot yet again. I bet the Gateway people will feel stupid once they find this out. And of course they will get this.
 
