Homebrew [Coming Soon] OTPless A9LH installation on N3DS (no 2.1 downgrade)

Apache Thunder

I have cameras in your head!
Member
Joined
Oct 7, 2007
Messages
4,428
Trophies
3
Age
36
Location
Levelland, Texas
Website
www.mariopc.co.nr
XP
6,796
Country
United States
I never intended to answer the question of decrypting OTP... I meant decryption of the secret sector, which is what a full Kernel9LoaderHax install needs before it can insert custom keys into that sector correctly. So yes, if you want the contents of OTP itself, of course you still need to do the 2.1 downgrade.
 

Arck

Well-Known Member
Member
Joined
Mar 13, 2016
Messages
955
Trophies
0
XP
878
Country
I have 2 N3DS EUR with hard mod; I have dumped almost all possible firmware updates to my hard drive.
I can test it without risking a brick if you want.
 

Xana

Well-Known Member
Newcomer
Joined
Mar 2, 2016
Messages
73
Trophies
0
XP
253
Country
United States
Gaining the OTP hash allows you to decrypt the secret sector. Thus it has the same effect as having an OTP dump without having to dump the OTP. Because normally folks need the OTP dump to generate the hash the installer needs to decrypt the secret sector. If you get the hash instead, you skip all that and can just go right to decrypting the secret sector.




Wait, I thought it was the hash that was ultimately used to decrypt the secret sector? If you have the hash, you don't need an OTP dump. Just use the hash to decrypt the secret sector?
In order for the OTP hash to be generated, you need to be running an N3DS firm > 9.5 (so that arm9loader runs), which you can't do without a properly encrypted secret sector, which you can't do without the OTP hash.
 

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
In order for the OTP hash to be generated, you need to be running an N3DS firm > 9.5 (so that arm9loader runs), which you can't do without a properly encrypted secret sector, which you can't do without the OTP hash.
This is only true on an old 3DS. New 3DS already has the secret sector in NAND.
 

Apache Thunder

I have cameras in your head!
Member
Joined
Oct 7, 2007
Messages
4,428
Trophies
3
Age
36
Location
Levelland, Texas
Website
www.mariopc.co.nr
XP
6,796
Country
United States
In order for the OTP hash to be generated, you need to be running an N3DS firm > 9.5 (so that arm9loader runs), which you can't do without a properly encrypted secret sector, which you can't do without the OTP hash.

Err what? A 10.0 firm is used for this. Thus a 10.0 version of Kernel9Loader was used. So the hash definitely is generated. I don't think it matters what state the secret sector is in at that early of a stage.
 

Xana

Well-Known Member
Newcomer
Joined
Mar 2, 2016
Messages
73
Trophies
0
XP
253
Country
United States
This is only true on an old 3ds. New 3ds already has the secret sector in NAND

Err what? A 10.0 firm is used for this. Thus a 10.0 version of Kernel9Loader was used. So the hash definitely is generated. I don't think it matters what state the secret sector is in at that early of a stage.

I assumed we were still talking about why this won't work on O3DS.

As a side note, 3dbrew says firmlaunchhax wasn't fixed until 9.5, but that it requires the ARM11 kernel to exploit. Is there any particular reason that memchunkhax2 wouldn't work for that? That could eliminate the downgrade for people on 9.3/9.4, and would allow Korean New 3DSes to use this.
 
Last edited by Xana,

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
Err what? A 10.0 firm is used for this. Thus a 10.0 version of Kernel9Loader was used. So the hash definitely is generated. I don't think it matters what state the secret sector is in at that early of a stage.
It does to an extent. You need to have a valid first key in the secret sector for it to get anywhere.
 

Apache Thunder

I have cameras in your head!
Member
Joined
Oct 7, 2007
Messages
4,428
Trophies
3
Age
36
Location
Levelland, Texas
Website
www.mariopc.co.nr
XP
6,796
Country
United States
This is only true on an old 3ds. New 3ds already has the secret sector in NAND

Yeah, o3DS users would still need to downgrade because Kernel9Loader never existed and thus an initial secret sector encrypted to that console doesn't exist. So you can't get anywhere on an o3DS without the OTP from that console.

As for the "first key": I think this current implementation doesn't touch it? Which key did you move around to make this work? If not the first one, then you can still get the hash?
 

dark_samus3

Well-Known Member
Member
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
Yeah, o3DS users would still need to downgrade because Kernel9Loader never existed and thus an initial secret sector encrypted to that console doesn't exist. So you can't get anywhere on an o3DS without the OTP from that console.

As for the "first key": I think this current implementation doesn't touch it? Which key did you move around to make this work? If not the first one, then you can still get the hash?
Well, even k9l2 verifies the first key, and won't run if it's invalid. So it's required. As for the key we used, the first key also leads to the jump I found, so again, it's required for it to be valid for this method.
 
  • Like
Reactions: peteruk

Myria

Well-Known Member
Member
Joined
Jul 24, 2014
Messages
464
Trophies
0
Age
42
XP
851
Country
United States
Arm9 access? Well, still no for a Korean New 3DS :(
(Korean New 3DSes started with 9.3...)
This is actually a limitation of the tools, not a fundamental limitation. Firmlaunchhax was fixed in 9.5.0, not 9.3.0.

It should be possible to make this work on 9.3.0 and 9.4.0; we'd just need to update the tools for new addresses and to use memchunkhax 2.1 to get ARM11 kernel instead of memchunkhax 1, since memchunkhax 1 was fixed in 9.3.0.

We really ought to update things so we can make 9.4.0 the ceiling version on the major hacks instead of 9.2.0.

I need to buy a Korean New 3DS and Korean Ocarina of Time.
 

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,600
Trophies
4
Location
Another World
Website
www.gbatemp.net
XP
25,207
Country
Canada
I have a question regarding this.

Assuming there will be an ARM9 kernel exploit on more versions, could this theoretically work on another version than 9.2? Like, if someone finds an ARM9 kernel exploit on 11.1, would this mean we would be able to fully hack without any downgrade?
 

ihaveahax

Well-Known Member
Member
Joined
Apr 20, 2015
Messages
6,069
Trophies
2
XP
7,831
Country
United States
I have a question regarding this.

Assuming there will be an ARM9 kernel exploit on more versions, could this theoretically work on another version than 9.2? Like, if someone finds an ARM9 kernel exploit on 11.1, would this mean we would be able to fully hack without any downgrade?
Yes.
 
  • Like
Reactions: VinsCool

ihaveahax

Well-Known Member
Member
Joined
Apr 20, 2015
Messages
6,069
Trophies
2
XP
7,831
Country
United States
Arm9 access? Well, still no for a Korean New 3DS :(
(Korean New 3DSes started with 9.3...)
This is actually a limitation of the tools, not a fundamental limitation. Firmlaunchhax was fixed in 9.5.0, not 9.3.0.

It should be possible to make this work on 9.3.0 and 9.4.0; we'd just need to update the tools for new addresses and to use memchunkhax 2.1 to get ARM11 kernel instead of memchunkhax 1, since memchunkhax 1 was fixed in 9.3.0.

We really ought to update things so we can make 9.4.0 the ceiling version on the major hacks instead of 9.2.0.

I need to buy a Korean New 3DS and Korean Ocarina of Time.
But I thought Korean New 3DS systems started on 9.6, not 9.3.
 

Mr.ButtButt

The Cancer Of Gbatemp <3
Member
Joined
Sep 22, 2015
Messages
1,465
Trophies
0
XP
893
Country
United States
Will it be just as dangerous? I've been wanting to A9LH my girlfriend's 3DS but am afraid to risk bricking it with the 2.1 downgrade and having to buy a new one :P
 

Myria

Well-Known Member
Member
Joined
Jul 24, 2014
Messages
464
Trophies
0
Age
42
XP
851
Country
United States
I have a question regarding this.

Assuming there will be an ARM9 kernel exploit on more versions, could this theoretically work on another version than 9.2? Like, if someone finds an ARM9 kernel exploit on 11.1, would this mean we would be able to fully hack without any downgrade?
It depends. Most ARM9 exploits also require an ARM11 kernel exploit--firmlaunchhax being the prototypical example.

But yes, if we could get ARM9 on 11.1.0, a 9.2.0 downgrade would not be necessary anymore for 11.1.0 and below.

By the way, an ARM9 "kernel" exploit is unnecessary. The ARM9 kernel permits the user-mode "Process9" to do svcBackdoor all it likes. Thus a user-mode exploit on ARM9 is just as good as a kernel exploit on ARM9 from a security standpoint. (svcBackdoor was deleted from the ARM11 kernel in 11.0.0, but not the ARM9 kernel.)
 

Myria

Well-Known Member
Member
Joined
Jul 24, 2014
Messages
464
Trophies
0
Age
42
XP
851
Country
United States
Yeah, o3DS users would still need to downgrade because Kernel9Loader never existed and thus an initial secret sector encrypted to that console doesn't exist. So you can't get anywhere on an o3DS without the OTP from that console.
Yes. However, from users' experience, downgrading an Old 3DS or even a 2DS to 2.1.0 is a lot more reliable than on a New 3DS.

As for the "first key": I think this current implementation doesn't touch it? Which key did you move around to make this work? If not the first one, then you can still get the hash?
The first key is still used in current versions. It's used to initialize the Secure3 keyslot, which decrypts a few NAND titles and Xenoblade Chronicles.
 

mathieulh

Well-Known Member
Member
Joined
Feb 28, 2008
Messages
378
Trophies
0
Website
keybase.io
XP
897
Country
France
Well, it was certainly fun finding my first vuln... Sure, it builds off of other stuff, but I found it with less than 4 months' experience... after that it was just waiting for everything to line up properly (which actually happened a while ago, but it was thought to be unexploitable). It's still insane to me that I actually found a vuln. Props to everyone who helped (as listed in the credits) and thanks to #Cakey for support and helping me through my noobness :)
Not to sound like a douche, but pretty much everyone and their grandmother found the AES ECB hack, including the whole #ctrdev channel months back. I personally found it right after the CCC conference; I am pretty sure I wasn't the only one. The vulnerability is plain obvious when you know the slightest thing about AES implementation.

Sent from my SM-G935F using Tapatalk
 
  • Like
Reactions: Mrrraou
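mathieulh's remark above that the "AES ECB hack" is obvious to anyone who knows a little about AES refers to a textbook property of ECB mode: the block cipher is applied to each 16-byte block independently and deterministically, so equal plaintext blocks always produce equal ciphertext blocks, and an observer can spot structure in the plaintext (or recognise that ECB is in use at all) without any key. The example below is added here to illustrate that property; it is not code from this thread, from any 3DS tool, or from any of the posters. The block function is a constructed stand-in built from SHA-256 rather than real AES (so it only encrypts, which is all the demonstration needs); the key, IV and sample plaintext are constructed values. The same repeated-block check is what a reviewer would run over ciphertext to flag ECB usage in a firmware image or key blob.

```python
import hashlib
import os

BLOCK = 16  # 128-bit block size, as in AES

# Constructed demo values; not from the thread or any real device.
KEY = b"constructed-demo-key-0123456789"
IV = bytes(range(BLOCK))
SAMPLE = b"A" * 64          # four identical plaintext blocks


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher (NOT real AES).

    A keyed, deterministic map from one 16-byte block to another,
    constructed from SHA-256. ECB's weakness depends only on the block
    function being deterministic, so the observation below carries over
    unchanged to a genuine AES implementation.
    """
    if len(block) != BLOCK:
        raise ValueError("block_fn expects exactly one 16-byte block")
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted on its own; equal blocks stay equal."""
    pt = pad(plaintext)
    return b"".join(block_fn(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so equal plaintext blocks no longer produce equal output.
    Returns iv || ciphertext."""
    pt = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev))
        prev = block_fn(key, mixed)
        out.append(prev)
    return iv + b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Defender-side check: any repeated 16-byte block in ciphertext is a
    strong hint that ECB (or another deterministic per-block scheme) was
    used, since a secure mode makes repeats astronomically unlikely."""
    return repeated_blocks(ciphertext) > 0


def demo() -> dict:
    """Encrypt SAMPLE both ways and report how much structure leaks."""
    ecb = ecb_encrypt(KEY, SAMPLE)
    cbc = cbc_encrypt(KEY, SAMPLE, IV)[BLOCK:]   # drop the IV prefix
    return {
        "ecb_repeats": repeated_blocks(ecb),   # 3: four 'A' blocks collide
        "cbc_repeats": repeated_blocks(cbc),   # 0: chaining hides them
        "ecb_flagged": looks_like_ecb(ecb),
        "cbc_flagged": looks_like_ecb(cbc),
    }


if __name__ == "__main__":
    print(demo())
    # Random IVs are what you want in practice; the fixed IV above only
    # keeps the demo reproducible.
    print(repeated_blocks(cbc_encrypt(KEY, SAMPLE, os.urandom(BLOCK))[BLOCK:]))
```

SAMPLE pads to five blocks (four of `A`s plus one padding block), so ECB yields exactly two distinct ciphertext blocks and three repeats, while CBC yields five distinct ones. The `looks_like_ecb` check is deliberately crude; over long inputs it should be paired with a threshold on the fraction of repeats, but a single 16-byte repeat in a short ciphertext is already a reliable red flag.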
