Homebrew [Coming Soon] OTPless A9LH installation on N3DS (no 2.1 downgrade)

[SciresM]

To be honest, I don't think anybody should be sharing steps here. I don't want to sound elitist, but this is alpha software which could brick your 3ds (no disrespect to the devs - but I'm sure they would agree that this is a possibility at this stage). If you can't find the GitHub repo and figure this out without instructions, just wait for a release.

Not only do I agree this is a possibility, I am highly concerned about it, which is why I specifically say not to try it without a hardmod.

 

[Clector]

@dark_samus3 Very good work!
Only bad that it doesn"t works in all models because technical reasons.

 

[Myria]

Well, it was certainly fun finding my first vuln... Sure it builds off of other stuff, but I found it with less than 4 months experience.... after that it was just waiting for everything to line up properly (which actually happened awhile ago, but it was thought to be un-exploitable). It's still insane to me that I actually found a vuln. Props to everyone who helped (as listed in the credits) and thanks to #Cakey for support and helping me through my noobness

Your insight was how to combine existing exploits to accomplish this task, plus the trick with AES-ECB. =^-^=

For others reading this reply, dark_samus's quip about "which actually happened a while ago" needs more context:

With this new exploit, whenever Nintendo released a new NATIVE_FIRM version--which isn't every update--he figuratively got to roll three dice 31 times. If they ever came up 666, he could do the exploit. Otherwise, he had to wait for another NATIVE_FIRM release to get 31 more chances.

With the release of 11.1.0's new NATIVE_FIRM, dark_samus rolled the dice 31 more times, but none came up 666. But then he reviewed his previous dice rolls.

dark_samus noticed that with the NATIVE_FIRM from firmware 10.0.0, one of his dice rolls he wrote down as being a near-miss of 665. Also, he noticed from his "picture" of the dice roll, the 5 was sitting slightly on its edge, jammed into a corner on his desk.

I took a look at his "picture" of the near-miss and noticed that the third die wasn't a 5; it was actually a 6. He had rolled 666 back in 10.0.0 but due to the borderline nature of the result, he had thought he didn't. Thus now OTP-less is possible.

The above description with dice is very figurative, since the true answer is a lot more complicated, involving such loveliness as ARM CPU condition flags and invalid opcodes.

 

[keven3477]

Finally, a good reason to actually change to luma and get a9lh.

 

[dark_samus3]

Your insight was how to combine existing exploits to accomplish this task, plus the trick with AES-ECB. =^-^=

For others reading this reply, dark_samus's quip about "which actually happened a while ago" needs more context:

With this new exploit, whenever Nintendo released a new NATIVE_FIRM version--which isn't every update--he figuratively got to roll three dice 31 times. If they ever came up 666, he could do the exploit. Otherwise, he had to wait for another NATIVE_FIRM release to get 31 more chances.

With the release of 11.1.0's new NATIVE_FIRM, dark_samus rolled the dice 31 more times, but none came up 666. But then he reviewed his previous dice rolls.

dark_samus noticed that with the NATIVE_FIRM from firmware 10.0.0, one of his dice rolls he wrote down as being a near-miss of 665. Also, he noticed from his "picture" of the dice roll, the 5 was sitting slightly on its edge, jammed into a corner on his desk.

I took a look at his "picture" of the near-miss and noticed that the third die wasn't a 5; it was actually a 6. He had rolled 666 back in 10.0.0 but due to the borderline nature of the result, he had thought he didn't. Thus now OTP-less is possible.

The above description with dice is very figurative, since the true answer is a lot more complicated, involving such loveliness as ARM CPU condition flags and invalid opcodes.

I love this explanation... anyways, the trick with ECB is something you told me was possible (after I had asked about it), so in a way, you helped a lot with this... I'm sure with a bit of research I could have figured it out on my own anyways, but whatever I still count it

 

[Quantumcat]

Finally, a good reason to actually change to luma and get a9lh.

Not really. The 2.1 CTR transfer takes like 20 minutes. And this isn't released yet.

 

[DavidRO99]

Not really. The 2.1 CTR transfer takes like 20 minutes. And this isn't released yet.

It is released. On the github page. it is even prebuilt, all you have to do is drag the files to the sd and run the app from the homebrew launcher

 

[ihaveahax]

It is released. On the github page. it is even prebuilt, all you have to do is drag the files to the sd and run the app from the homebrew launcher

it is not "released", it is in a testing state. the releases page even states "Pre-release".

 

[DavidRO99]

it is not "released", it is in a testing state. the releases page even states "Pre-release".

Still, it is available to the public.

 

[ihaveahax]

Still, it is available to the public.

of course it is, but you can't say it's released. noobs who brick using testing software were asking for it pretty much.

 

[DavidRO99]

of course it is, but you can't say it's released. noobs who brick using testing software were asking for it pretty much.

True

 

[retrofan_k]

Finally, a good reason to actually change to luma and get a9lh.

Nope. It's already simple enough right now to switch using the current method and guide.

--------------------- MERGED ---------------------------

of course it is, but you can't say it's released. noobs who brick using testing software were asking for it pretty much.

Your always gonna get some Billy Bob moron without a hardmod who will brick and wonder why.

 

[Myria]

If they know how to navigate GitHub from the hints about its location, hopefully they are competent enough to know the seriousness of the warnings.

 

[Clector]

Now thinking is curious how Nintendo added Arm9 binary Loader in New 3DS as an additional layer of security, but it ended making even more problems to Nintendo.

 

[gamesquest1]

cool i remember reading someone blabbing about this proposed method a while back and people flipping on them for exposing it, nice to see it worked out afterall

 

[Halvorsen]

I'm 90% sure I'm gonna brick on my last working system.

I'm a risktaker and I hate it.

 

[Urbanshadow]

I'm trying to understand the vuln the best I can and from the looks of it, this may be one of the biggest hits to 3ds security yet. And yeah, N shooted in the foot yet again. I bet gateway people will feel stupid once they find this out. And of course they will get this.

 

[mashers]

it is a homebrew app on github releases

No, it's a pre-release alpha. It's clearly marked as such on the releases page.

 

[zoogie]

Just tested on JPN N3DS. It works.

 

[Jayro]

Sounds good. I could just backup all my saves, make a nand backup, and restore my 9.2U nand backup I made.