Homebrew SigHax Updates and Discussion Thread

adrifcastr · Jan 21, 2017

Rayanson said:
Hello, I'm not too much into hacking & stuff (I don't even understand you're talking about here)

But I heard that we will be able to play non légit CIA with this

My question is, will sighax be able to work with my device since I only installed soundhax & fasthax? Or will it need me to go through the whole 3ds.guide tuto?

Since one of my screws can't be opened anymore, my sd card is somehow locked inside my device, fortunately I installed ftpdb si I can still move files from my computer to my device but in 3ds.guide they say that I should remove th sd card to pursue the tutorial...

I really hope I'll be able to install it to play games I can't buy

This thread is actually not meant for noob support. just take a knife brake up the back plate then go through plailects guide and get a9lh

--------------------- MERGED ---------------------------

Rayanson said:
Hello, I'm not too much into hacking & stuff (I don't even understand you're talking about here)

But I heard that we will be able to play non légit CIA with this

My question is, will sighax be able to work with my device since I only installed soundhax & fasthax? Or will it need me to go through the whole 3ds.guide tuto?

Since one of my screws can't be opened anymore, my sd card is somehow locked inside my device, fortunately I installed ftpdb si I can still move files from my computer to my device but in 3ds.guide they say that I should remove th sd card to pursue the tutorial...

I really hope I'll be able to install it to play games I can't buy

and by the way, in the OP I have explained everything, as detailed as possible

thekarter104 · Jan 21, 2017

Urbanshadow said:
To install i guess. I genuinely doubt the difference in boot speed would be noticeable on a daily basis.

Unless we modify the NAND to delete Miiverse, eShop, NNID, some settings, some other unneeded things to load the Home Menu faster.
Well, I'm fine what we have now lol. For people who want instant loading times: Go play N64!

adrifcastr · Jan 21, 2017

updated the OP a little bit xD

Roboman · Jan 21, 2017

Urbanshadow said:
You guys keep repeating this as a prerecorded message, but very few to no one of you is gonna re the system firm to make a "cfw" (I bet we are only going to put luma's patches in a decrypted firm for the users to sign, but still). There is a very good point of getting the system's OTP. That being having the system's OTP (laugh now).

You don't want to install a9lh, fine. OK. Wait until decrypted "cfw"s step by, sighax one of those and put it in with arm9 access.
In the meantime "cfw"s start having chainloaders and such, I find very valuable having arm9loader code execution. In the end, I perfectly can firmlaunch any of your sighaxed "cfw"s in files instead of flashing them every time.

OK let me say this a bit more concisely.
You can load arm9loaderhax.bin with sighax.
There is nothing special about sighax vs a9lh other than the:
Smaller footprint
Marginally faster boot
Can be installed without otp
-making installation super simple
Can actually dump the (full) otp!

This will obsolete any future installation of a9lh, although upgrading a9lh to sighax isn't needed in most cases.

adrifcastr · Jan 21, 2017

Roboman said:
OK let me say this a bit more concisely.
You can load arm9loaderhax.bin with sighax.
There is nothing special about sighax vs a9lh other than the:
Smaller footprint
Marginally faster boot
Can be installed without otp
-making installation super simple
Can actually dump the (full) otp!

This will obsolete any future installation of a9lh, although upgrading a9lh to sighax isn't needed in most cases.

have you actually read the OP? or actually noticed the SignatureHax Part? Skipping Signature verifications? Signing NAND Images? Custom OS?, Show me your A9LH Custom OS then.

metroid maniac · Jan 21, 2017

addi33 said:
have you actually read the OP? or actually noticed the SignatureHax Part? Skipping Signature verifications? Signing NAND Images? Custom OS?, Show me your A9LH Custom OS then.

Any sort of custom OS you would build to be directly run using sighax can be just as easily chainloaded from a9lh.

adrifcastr · Jan 21, 2017

metroid maniac said:
Any sort of custom OS you would build to be directly run using sighax can be just as easily chainloaded from a9lh.

then tell me how do you flash an unsigned NAND Image with A9LH I really want to know how this works then, Mr. IKNowAbsolutelyEverything

metroid maniac · Jan 21, 2017

addi33 said:
then tell me how do you flash an unsigned NAND Image with A9LH I really want to know how this works then, Mr. IKNowAbsolutelyEverything

For starters, a NAND image isn't signed. The NCSD header and FIRM0/1 partitions are. Other NAND partitions like CTRNAND, TWLNAND and TWL's photo partition can't be and aren't signed, only encrypted.

Being able to execute a fakesigned FIRM isn't special. You can gain boottime arm9 code execution-! Just like we can now with a9lh.
Any patched or replacement FIRM you would execute straight out of the FIRM0/1 partition can be loaded from elsewhere using an a9lh payload. There's nothing new that can be done after installing either hax in terms of the software you can run.

Using an unsigned NCSD header might be more interesting tbh. It contains the partition table written so you may be able to resize TWLNAND to allow more space for DSiWare. It's not much but it's something.

Urbanshadow · Jan 21, 2017

Roboman said:
OK let me say this a bit more concisely.
You can load arm9loaderhax.bin with sighax.
There is nothing special about sighax vs a9lh other than the:
Smaller footprint
Marginally faster boot
Can be installed without otp
-making installation super simple
Can actually dump the (full) otp!

This will obsolete any future installation of a9lh, although upgrading a9lh to sighax isn't needed in most cases.

Up to this point in this... let's call it argument, I won't bother anymore. I think I made my point clear in previous posts and other threads. I don't believe in the whole a9lh vs sighax thing you guys got here. They are not exclusive. They are not making any other obsolete. Sighax just provides firm signature bypass. A9lh just provides code execution in arm9loader. Each can be used to install the other one.

Software signed with sighax could do whatever. I believe the correct thing to do is just keep everything we have working still working. Just extend capabilities. It's just easier for everybody. I believe CFWing everything like the psp is not a clever move (not when you could boot any firm you want at any given time with current methods).

For me, the hot topics of sighax are: 1) OTP grabbing in any firm version (even future) 2) bricked+no backup system hardmod recovery (if one of the two firm partitions is still intact in that nand)

Zan' · Jan 22, 2017

Urbanshadow said:
For me, the hot topics of sighax are: 1) OTP grabbing in any firm version (even future) 2) bricked+no backup system hardmod recovery (if one of the two firm partitions is still intact in that nand)

About 1)
It's not exactly true. SigHax does not provide that.
You will need some way to install the SigHax FIRM, which is not "any firm", but a modified spoofed signature FIRM.
This would have to have a patch to not lock out the OTP to allow you to dump it.
And therefore you'd only be able to dump the OTP on the patched SigHax FIRM.
2.) Also not 100% true, but let's not get into that.

Urbanshadow · Jan 22, 2017

Zan' said:
About 1)
It's not exactly true. SigHax does not provide that.
You will need some way to install the SigHax FIRM, which is not "any firm", but a modified spoofed signature FIRM.
This would have to have a patch to not lock out the OTP to allow you to dump it.
And therefore you'd only be able to dump the OTP on the patched SigHax FIRM.
2.) Also not 100% true, but let's not get into that.

They're both one hardmod away from you, if that's what you mean. Otherwise, yeah.

RednaxelaNnamtra · Jan 22, 2017

Zan' said:
About 1)
It's not exactly true. SigHax does not provide that.
You will need some way to install the SigHax FIRM, which is not "any firm", but a modified spoofed signature FIRM.
This would have to have a patch to not lock out the OTP to allow you to dump it.
And therefore you'd only be able to dump the OTP on the patched SigHax FIRM.
2.) Also not 100% true, but let's not get into that.

its not true, you could install whatever you want as firm because of sighax. This means there could be a arm9loaderhax.bin loader, that is directly executed after the bootrom. This means the otp is not locked, so you could simply dump it.

In short all that sighax allow us is arm9 code execution before arm9loader. What we launch there is completely our own decission.

Wolfvak · Jan 22, 2017

RednaxelaNnamtra said:
its not true, you could install whatever you want as firm because of sighax. This means there could be a arm9loaderhax.bin loader, that is directly executed after the bootrom. This means the otp is not locked, so you could simply dump it.

In short all that sighax allow us is arm9 code execution before arm9loader. What we launch there is completely our own decission.

We should keep in mind that FIRM/arm9loader does some nice initialization for us, like MPU region settings and cache fluff. If we ever got sighax up and running the loader would have to replicate it as best as possible, otherwise some payloads would be broken due to A9LH assumptions and such (#cacheishell).

EDIT: I like to call this "a9lh fuckery"

Zan' · Jan 24, 2017

RednaxelaNnamtra said:
its not true, you could install whatever you want as firm because of sighax. This means there could be a arm9loaderhax.bin loader, that is directly executed after the bootrom. This means the otp is not locked, so you could simply dump it.

In short all that sighax allow us is arm9 code execution before arm9loader. What we launch there is completely our own decission.

Except you forgot you need the FIRM to be ran to even execute the patches from the a9lh.bin
You can also not install whatever you want unless ypu don't care of your device actually booting.

RednaxelaNnamtra · Jan 24, 2017

Zan' said:
Except you forgot you need the FIRM to be ran to even execute the patches from the a9lh.bin

No you don't, even in a9lh you get acces to the arm9 processor before the real firm is runing (the 3ds thinks its jumping to it, but because of the decrypion keys we changed, its just garbage code, that jumps to our code placed in memory).
To run the os of the 3DS we need the firm, but like luma is doing it, you could simply load it from the ctr nand and patch it, AFTER you execute your own code, and BEFORE jumping to/starting it.
The only thing that is needed when we load payloads using sighax, is the initalisation Wolfvak mentiont, but its still something we will be able to do by our own, if we want too.

Wolfvak · Jan 24, 2017

Zan' said:
Except you forgot you need the FIRM to be ran to even execute the patches from the a9lh.bin
You can also not install whatever you want unless ypu don't care of your device actually booting.

As I said, we'll probably have to initialize some devices manually, but other than that I don't get what you're talking about...
We would already have "FIRM" execution. Our code would be FIRM itself.

Zan' · Jan 24, 2017

RednaxelaNnamtra said:
No you don't, even in a9lh you get acces to the arm9 processor before the real firm is runing (the 3ds thinks its jumping to it, but because of the decrypion keys we changed, its just garbage code, that jumps to our code placed in memory).
To run the os of the 3DS we need the firm, but like luma is doing it, you could simply load it from the ctr nand and patch it, AFTER you execute your own code, and BEFORE jumping to/starting it.
The only thing that is needed when we load payloads using sighax, is the initalisation Wolfvak mentiont, but its still something we will be able to do by our own, if we want too.

Well I am not even going to try to explain where you're wrong.

Facts are:
You need a FIRM that is loaded by the bootrom, therefore it needs a signature that checks out to be valid. (Sighax verification exploit)
Then you can run anything that actually does run. You still need to somehow actually do the base load for the firmware, which FIRM does currently.
Then the a9lh payload applies patches.

If you "payload loader", which has a sighax signature only loads your a9lh.bin your device won't boot. Unless it does necessary initilization.
And now we're back to what I said - You can then only dump the otp with this exact FIRM (replaced by whatever you put there)
It can't be dumped from any FIRM. Nor can you inject simply anything into the FIRM partition.

Wolfvak said:
As I said, we'll probably have to initialize some devices manually, but other than that I don't get what you're talking about...
We would already have "FIRM" execution. Our code would be FIRM itself.

We don't have FIRM execution.
A9LH runs after A VALID FIRM is ran.
It works as a payload which hasn't been cleared, when it should have been.
This VALID FIRM does all the basework to even load the firmware which the payload then applies patches to.
If you try to apply patches to something not loaded ... well it doesn't work and your device won't boot.
Therefore you need to create something you put into this FIRM partition that does all the necessary initilization (which is a shit ton of work) which is then signed with a spoofed signature (to get ot verified by the bootrom). And then you want it to load up a payload... like before?

You will then still end up only being able to dump otp from THIS EXACT "NEW FIRM" and not ANY FIRM.
Also... FIRM != device firmware.

Wolfvak · Jan 24, 2017

Zan' said:
Well I am not even going to try to explain where you're wrong.

Facts are:
You need a FIRM that is loaded by the bootrom, therefore it needs a signature that checks out to be valid. (Sighax verification exploit)
Then you can run anything that actually does run. You still need to somehow actually do the base load for the firmware, which FIRM does currently.
Then the a9lh payload applies patches.

If you "payload loader", which has a sighax signature only loads your a9lh.bin your device won't boot. Unless it does necessary initilization.
And now we're back to what I said - You can then only dump the otp with this exact FIRM (replaced by whatever you put there)
It can't be dumped from any FIRM. Nor can you inject simply anything into the FIRM partition.

... to be perfectly honest I'm not following your reasoning.

Here's what it'd look like if I were to do it:

1. 3DS boots
2. bootrom kicks in, OUR sighax'd FIRM is loaded and booted (with proper ARM9 and ARM11 sections)
3. our FIRM performs any necessary initialization (like eMMC crap/lcd init, for example)
4. loads a file from SD or CTRNAND or whatever you want as a regular brahma payload (0x23F00000 entrypoint, etc)
5. payload takes over
6. ???
7. idk fam you got full access just do whatever you want lol
please point out where I'm wrong.

RednaxelaNnamtra · Jan 24, 2017

Zan' said:
Well I am not even going to try to explain where you're wrong.

Facts are:
You need a FIRM that is loaded by the bootrom, therefore it needs a signature that checks out to be valid. (Sighax verification exploit)
Then you can run anything that actually does run. You still need to somehow actually do the base load for the firmware, which FIRM does currently.
Then the a9lh payload applies patches.

If you "payload loader", which has a sighax signature only loads your a9lh.bin your device won't boot. Unless it does necessary initilization.
And now we're back to what I said - You can then only dump the otp with this exact FIRM (replaced by whatever you put there)
It can't be dumped from any FIRM. Nor can you inject simply anything into the FIRM partition.

But thats exactly what sighax allows us, to way properly sign our own binarys for usage as firm partion, which the bootrom will accept (because the signature will only be checked partialy).
That we need to have a specific binary layout, a firmheader or need to initialise something the arm9loader (not the real firm itself, only its loader) did before, is something that is part of the implementation itself.

Edit: I know that firm is different from firmware, and thta the firm is split into different sections, but you need to kkep in mind that a9lh exploits an additional loader, added to the new 3DS firm binary, which main pupose is to decrypt the arm9 firm section. this means we are executing code before the real (arm9 ) firm is loaded, but after the arm9loader thinks it jumped to a properly decrypted arm9 firm binary.

Zan' · Jan 24, 2017

Wolfvak said:
... to be perfectly honest I'm not following your reasoning.

Here's what it'd look like if I were to do it:

1. 3DS boots
2. bootrom kicks in, OUR sighax'd FIRM is loaded and booted (with proper ARM9 and ARM11 sections)
3. our FIRM performs any necessary initialization (like eMMC crap/lcd init, for example)
4. loads a file from SD or CTRNAND or whatever you want as a regular brahma payload (0x23F00000 entrypoint, etc)
5. payload takes over
6. ???
7. idk but if its a CFW payload it'll boot without any issues

please point out where I'm wrong.

I'll just stop explaining and accept that you don't understand what I'm saying, which could be related to some of the understandings being incorrect, and that you want what a9lh currently does with sighax - which noone has public work on.
And an utopic idea of a FIRM, which requires a shit ton of REing.
Which will likely not give you better boot times and all it does is keep your backup FIRM intact.

RednaxelaNnamtra said:
But thats exactly what sighax allows us, to way properly sign our own binarys for usage as firm partion, which the bootrom will accept (because the signature will only be checked partialy).
That we need to have a specific binary layout, a firmheader or need to initialise something the arm9loader (not the real firm itself, only its loader) did before, is something that is part of the implementation itself.

Edit: I know that firm is different from firmware, and thta the firm is split into different sections, but you need to kkep in mind that a9lh exploits an additional loader, added to the new 3DS firm binary, which main pupose is to decrypt the arm9 firm section. this means we are executing code before the real (arm9 ) firm is loaded, but after the arm9loader thinks it jumped to a properly decrypted arm9 firm binary.

SigHax does not properly sign anything.
And I do know how A9LH works. However you can't apply A9LH principles straight onto SigHax because you are going from a completely different state of the systems and the exploits itself are fairly dfferent.

SigHax exploits bootrom signature verificaton. It basically is a malformed signature that always checks out.
Therefore any SigHax Signature will allow you to let anything with it be verified by BootROM (doesn't mean it will actually boot your device though)

A9LH also has to do with some verification, shorthand however:
FIRM with added payload is loaded and doesn't checkout. Therefore the backup firm is loaded, but since it's smaller and the payload hasn't been cleared, the payload will stay in memory behind the backup FIRM.
The backup FIRM checks out. FIRM does whatever FIRM does (initilization etc.) and then the payload is loaded, which is currently a loader, loading another payload (a9lh.bin) which then applies whatever patches to the already loaded firmware.

Homebrew SigHax Updates and Discussion Thread

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

An idiot with an opinion

Well-Known Member

An idiot with an opinion

Well-Known Member

2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

Well-Known Member

Well-Known Member

nyaa~

2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

Well-Known Member

nyaa~

2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

nyaa~

Well-Known Member

2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F

Similar threads

Popular threads in this forum