Hacking [question] What is the ARM11 BootROM used for?

Elveman

So now we almost have the ability to dump the ARM9 BootROM, which leads us to sighax, the ultimate flaw that can be used to run CFW on any 3DS ever. And during 33c3 derrek said that we can use sighax to dump the ARM11 BootROM. So my question is, what can we use it for? Is there anything new that a dumped ARM11 BootROM allows?
 

The Catboy

Long version
ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.

This requires *very* *precise* timing for triggering the hardware fault.

It has been exploited by derrek to dump the ARM9 bootrom as of Summer 2015.

He did not make any bootrom public.

hedgeberg and Greg the 2DS are using this method to dump the ARM9 bootrom, which is known as boot9.
Source: Here

A thread explaining it better than I can right here

I wish I could explain it, but I really don't quite have enough knowledge to break it down.
 

souler92

It means full custom firmwares on our 3DS, Linux systems, etc.

--------------------- MERGED ---------------------------

And hacking consoles on any firmware version...
 

Elveman

> Long version
>
> Source: Here
>
> A thread explaining it better than I can right here
>
> I wish I could explain it, but I really don't quite have enough knowledge to break it down.

Yeah,

> It means full custom firmwares on our 3DS, Linux systems, etc.
>
> --------------------- MERGED ---------------------------
>
> And hacking consoles on any firmware version...

I know about sighax, and I know that dumping the ARM9 bootrom allows that. I'm more interested in the ARM11 bootrom. Also, sighax doesn't mean "full custom firmware" - it's perfectly implementable with arm9loaderhax as well. Read here
 

souler92

How does one dump the bootrom? I know there aren't public releases, but with some sneaky passages one could upload it and then magic finds its own way.
 

Tenshi_Okami

> Yeah,
>
> I know about sighax, and I know that dumping the ARM9 bootrom allows that. I'm more interested in the ARM11 bootrom. Also, sighax doesn't mean "full custom firmware" - it's perfectly implementable with arm9loaderhax as well. Read here

IIRC it can be used to get access to keys we do not have access to, or something like that :rofl2:
I still stand by this claim, since I am pretty sure I saw that you could dump any 3DS keys from the Boot11 (I think it was called).

inb4 I get laughed at again :sleep::rofl2:
 