No worries, I'm on 11.1 arm9lh; my friend is on 10.x so that helps, he will have to downgrade. Have you got a link for the files for this?
No. I'm seeing other explanations on why it's not possible on o3DS, but they're not detailed at all and expect you to know everything about the 3DS. Let's fix that.
arm9loader never expects to be run on an old3DS, and Nintendo (obviously) never expected it to be run either. Because of this, there's no new3DS key store (secret store) encrypted with the OTP hash on the old3DS programmed into the console at the factory. Without any kind of key store (a garbage key or not) arm9loader will not be able to decrypt the rest of FIRM, as it will try to do. Putting in an unencrypted key store won't work either. arm9loader never expects an unencrypted key store, so it will try to decrypt it with the OTP. This will result in a garbage key being used to decrypt FIRM, and since the key generated is console unique (OTP, remember) it's not exploitable. Not putting in a key store at all will result in the same thing.
Therefore, the OTP is an absolute must to make arm9loader run at all on the o3DS. Because we have to encrypt the key store as valid, we have to have the OTP to encrypt it so that arm9loader will use it (properly, it expects the key store to be encrypted with the OTP), decrypt the FIRM with our garbage key, and jump to our payload.
It works on new3DS because the key store is already there.
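As an added illustration of the dependency chain described above (and of the later point that the OTP hash alone is enough to seal or unseal the key store), here is a deliberately simplified Python model. It is not the console's actual arm9loader code or its real key derivation: SHA-256 in counter mode stands in for the hardware AES engine, the "FIRM" magic stands in for a valid decrypted FIRM, and every OTP and key value is constructed.

```python
import hashlib
from typing import Optional

MAGIC = b"FIRM"  # stand-in for "the decrypted FIRM looks valid"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream; a stand-in for the console's AES engine."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def otp_hash(otp: bytes) -> bytes:
    """The loader model only ever uses the hash of the OTP, never the OTP itself."""
    return hashlib.sha256(otp).digest()

def seal_key_store(otp: bytes, firm_key: bytes) -> bytes:
    """What the factory (new3DS) does: encrypt the key store under the OTP hash."""
    return crypt(otp_hash(otp), b"keystore", firm_key)

def arm9loader_boot(otp: bytes, key_store: Optional[bytes], encrypted_firm: bytes) -> str:
    """Fixed loader sequence: there is no code path for a missing or plaintext key store."""
    if key_store is None:
        return "halt: no key store to decrypt"
    firm_key = crypt(otp_hash(otp), b"keystore", key_store)  # wrong seal => garbage key
    firm = crypt(firm_key, b"firm", encrypted_firm)
    if not firm.startswith(MAGIC):
        return "halt: FIRM decrypted to garbage"
    return "boot: " + firm[len(MAGIC):].decode()

def scenarios() -> dict:
    """Constructed values only; real OTPs and keys are console unique and not modelled."""
    otp = hashlib.sha256(b"constructed console-unique OTP").digest()
    firm_key = hashlib.sha256(b"constructed FIRM key").digest()
    firm = crypt(firm_key, b"firm", MAGIC + b"payload")
    return {
        "new3DS, factory-sealed key store": arm9loader_boot(otp, seal_key_store(otp, firm_key), firm),
        "old3DS, no key store": arm9loader_boot(otp, None, firm),
        "old3DS, plaintext key store": arm9loader_boot(otp, firm_key, firm),
        "old3DS, key store sealed under the wrong OTP": arm9loader_boot(
            otp, seal_key_store(b"some other console", firm_key), firm),
        "old3DS, key store sealed using only the right OTP hash": arm9loader_boot(
            otp, crypt(otp_hash(otp), b"keystore", firm_key), firm),
    }
```

The last scenario is the point made later in the thread: sealing needs only the OTP hash, so whoever holds the hash can produce a key store the loader accepts without ever holding the OTP itself.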
> Wow, very cool, I sure would have loved this a year ago when I installed A9LH. I have to imagine this process shaves a significant amount of time off the original downgrade to 2.1 and get the OTP method.

yeah, just downgrade to 9.2 and copy the files to the sd, after that run the homebrew app. That is like a 10 minute install
i still want the OTP, so as much as I think this will help folks in the future (when its released as a stable build), i'll stick to plailect's guide for getting the OTP
edit: GL to the author and great work
> Reading the technical explanations here by @ihaveamac and others, I think you can get the OTP from within A9LH. So it might still be easier to use this method, then dump the OTP from A9LH under 9.2.

you can't get the actual otp without going to 2.1 (or any pre-3.0 firmware), just the hash. kernel9loader locks it before we get code execution.
> If you have a hardmod, I don't think you even have to downgrade to 9.2. 9.2 is only there so you can run a payload to install Kernel9LoaderHax I assume. A 10.0 firm is obviously too old to boot a 11.x console. But once you have Kernel9LoaderHax installed, you can just have your CFW use a different firm anyways.

heh, no, more than a hardmod is needed, you need to be able to put something in arm9 memory in a location that is out of range of any FIRM. Also, no, 10.0 should run on 11.1. All that's really needed is a way to get things in arm9 memory and a way to write to NAND.
> hypothetically if we got an 11.x arm9 in the future could this be usable for that too, or is it too early to say? I guess what I'm asking is, does it apply to any arm9 or 9.x specifically?

it'll be applicable once any arm9 exploit comes out for any FW version
> you can't get the actual otp without going to 2.1 (or any pre-3.0 firmware), just the hash. kernel9loader locks it before we get code execution.

Ahh, my mistake. Thanks for clarifying.
> Actually I recall there was a security fail where Nintendo forgot to have it clear the OTP hash from the SHA registers. This was fixed in 10.2+ I think? That I don't recall, but I definitely know it was still an issue for 10.0. This could be combined with that flaw to obtain otp hash and thus be able to decrypt OTP.

yes, you can access the hash, as I stated in the post
> Actually I recall there was a security fail where Nintendo forgot to have it clear the OTP hash from the SHA registers. This was fixed in 10.2+ I think? That I don't recall, but I definitely know it was still an issue for 10.0. This could be combined with that flaw to obtain otp hash and thus be able to decrypt OTP. So you could obtain a more favorable payload location/size once you get initial pwnage of the system with the 10.0 otpless install.

No. ONLY the OTP hash is recoverable, not the whole thing. The OTP is locked behind config registers the same way bootroms are, and a hash is not enough to calculate it. EDIT: this flaw still exists in the latest version of arm9loader as well, afaik
but how would the hash let you get the actual otp back without going to 2.1?
> Gaining OTP hash allows you to decrypt the secret sector. Thus having the same effect as having a otp dump without having to dump OTP. Because normally folks need otp dump to generate the hash the installer needs to decrypt secret sector. if you get the hash instead, you skip all that and can just go right to decrypting secret sector.

well, yes, but that still didn't explain "decrypting OTP". unless you meant decrypting the secret sector.
> Gaining OTP hash allows you to decrypt the secret sector. Thus having the same effect as having a otp dump without having to dump OTP. Because normally folks need otp dump to generate the hash the installer needs to decrypt secret sector. if you get the hash instead, you skip all that and can just go right to decrypting secret sector.

Yes, that's what the alpha already does. The point is, the OTP may become useful in the future, for more than just a9lh. So it might be worth getting, at some point