Homebrew Development

Normmatt

Let's take this apart for a moment.

1. Exploit for 7.x: Nobody has a working exploit for 7.x in ARM9. Even if ssspwn works, it is limited to userland, meaning not ARM9. Not even gateway has updated their support for 7.x exploit, which would surely create a great deal more sales for them if they did, so we can conclude not even gateway has an exploit for 7.x.

2. Pre-calculated NCCH keys: The firmware sets 2 keys, X and Y. The Y is dependent on the app being launched, the X is set at firmware boot. You cannot dump X because even if said exploit for 7.x exists, it would not be exploitable at boot time. So no point in discussing this further.

3. Bootrom: Not something a homebrew person can dump as it is unreadable from within the system. But well in the possibilities of gateway by throwing enough money at it and using million dollar equipment.


So, with these 3 points analysed, do tell how at this point in time, some homebrew hacker will decrypt those 7.x mset and eshop CXI ?
Hint: they can't


Easy with a hardware RAM dumper you can dump the new arm11 code for those apps :P
 

Deleted User

OK, that is technically possible. Problem solved! Let's start building that hardware RAM dumper then!
 

gamesquest1

Just wondering, isn't the entire NCCH partition encrypted? It would be pretty difficult to get the entire partition decrypted without running custom code within 7.x. Dumping the main executable would be fairly trivial with a RAM dumper, I imagine, but if it's the entire partition, I can't really imagine the game loading the whole game into RAM sequentially to dump the whole game decrypted. Or is it just the ARM11 code that's encrypted differently?
 

Qtis

The first rule of business is to make a profit. If Gateway doesn't make a profit they will stop, along with all the knowledge and experience that they could have offered in the future.

Or are you saying that even with a free rom loader that people will still buy a gateway card? Of course they won't and that will mean no sales for gateway, and thus no longer profitable for GW. And thus they will pack bags and leave. Is this so hard to understand?

Let's talk the hypothetical situation that a free rom loader appears. GW sales will drop to zero, and every new advancement GW could possibly do, would be copied in a heartbeat, and again sales stay at zero. No matter what the outcome, it will stay unprofitable when there is a free alternative. At which point GW will stop, because anything they could do, would be pointless. And this is the point at which the 3DS scene is dead. Sure you could say, YAY WE CAN PLAY ROMS BELOW 7.x FOR FREE!! Which would be nice, but you basically pissed away the possibility to enjoy later games for "free" (for those that had a GW).
While this discussion is yet again going off topic, I'll mention one thing here. If the paid offering is interesting enough, it's capable of competing with a free alternative. Case in point: Spotify compared to music piracy.

Now back on topic :angry:
 

mathieulh

Let's take this apart for a moment.

1. Exploit for 7.x: Nobody has a working exploit for 7.x in ARM9. Even if ssspwn works, it is limited to userland, meaning not ARM9. Not even gateway has updated their support for 7.x exploit, which would surely create a great deal more sales for them if they did, so we can conclude not even gateway has an exploit for 7.x.

2. Pre-calculated NCCH keys: The firmware sets 2 keys, X and Y. The Y is dependent on the app being launched, the X is set at firmware boot. You cannot dump X because even if said exploit for 7.x exists, it would not be exploitable at boot time. So no point in discussing this further.

3. Bootrom: Not something a homebrew person can dump as it is unreadable from within the system. But well in the possibilities of gateway by throwing enough money at it and using million dollar equipment.


So, with these 3 points analysed, do tell how at this point in time, some homebrew hacker will decrypt those 7.x mset and eshop CXI ?
Hint: they can't


About 2. I am not talking about the generic key used to decrypt flag 3 NCCH (the ones that use the 7.x+ key), which is stored in a keyslot. I am talking about the actual NCCH container key, the one for a specific, unique NCCH container that is indirectly decrypted through this keyslot. That one can (in theory at least, if your timing is right) be dumped from RAM before it is set to a keyslot for decryption of the actual data (such as ExeFS or RomFS). Or you could just dump the actual decrypted container, but then you'd have to "share" it. It'd be more efficient for GW and co to release an update with a dumped key table for said NCCH containers.

And yes, that can probably be done using hardware to read the RAM on the fly, assuming keys aren't kept in die (such as the CPU cache); at the very worst, the decrypted containers won't be.

As to 3. Forget about multi-million USD equipment; although you can hire companies that can decapsulate the chip for you (at a price), it seems more feasible to look into other avenues, such as a CPU glitch, to try and exploit the bootrom with less expensive hardware.

Oh! And obviously a company interested in getting a CPU decap does not need to own the equipment or the staff with the skills to operate it; it's much cheaper to just outsource the whole project to a third party specialised in such tasks.
 

Deleted User

About 2. I am not talking about the generic key used to decrypt flag 3 NCCH (the ones that use the 7.x+ key), which is stored in a keyslot. I am talking about the actual NCCH container key, the one for a specific, unique NCCH container that is indirectly decrypted through this keyslot. That one can (in theory at least, if your timing is right) be dumped from RAM before it is set to a keyslot for decryption of the actual data (such as ExeFS or RomFS). Or you could just dump the actual decrypted container, but then you'd have to "share" it. It'd be more efficient for GW and co to release an update with a dumped key table for said NCCH containers.


None of these half-keys can be dumped through FCRAM. Additionally, you need the other half of the key, which is set by bootrom. What you are saying is simply false or incorrect. Either that or you are not making yourself clear enough.
 

Mariko

Back on the topic at hand please. If you want to discuss GW's marketing strategy, please take it elsewhere.

If only moderators spent as much time chasing down zero-content messages as they do keeping threads on topic. You know that you can actually move posts to new threads instead of removing them completely, right? I thought we had a nice conversation going, and it evolved naturally from the homebrew talk.

If your goal is to discourage the people who, instead of starting flame wars, have some actual and thought-out input from posting, you're doing great. Did you even read through the messages you've deleted? Aside from the thoughts and opinions contained within them, it was actually quite a bit of typing, while for you it was just a click.

Think of that the next time you have an itchy mouse finger, and maybe use better judgement, because this homebrew thread contains almost 80 pages of anything from actual homebrew talk, through sheer speculation, to plain mindless spam. Right now Gateway is very much driving the homebrew scene, and speculation about their future isn't as off topic as this, or this, or this, or this, or this. Looking at this, I'll assume you'd much rather have a forum filled with mindless one-liners than actual conversations which evolve within threads.
 
  • Like
Reactions: Alessandro98

nop90

Does anybody know how to check which service a valid handle refers to?

On 3DBrew it is listed as SVC 0x29:

GetHandleInfo(s64* out, Handle handle, HandleInfoType type)

but there is no definition for HandleInfoType, and it isn't yet implemented in ctrulib.
 

bunnei

Does anybody know how to check which service a valid handle refers to?

On 3DBrew it is listed as SVC 0x29:

GetHandleInfo(s64* out, Handle handle, HandleInfoType type)

but there is no definition for HandleInfoType, and it isn't yet implemented in ctrulib.

HandleInfoType is an enum. Depending on what integer value you pass to it, you'll get a different field of information about the handle back in "out". Should be easy enough to figure out what the valid values in the enum are.
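An added example (not code from the thread or from ctrulib) of the approach bunnei describes: call GetHandleInfo once per candidate HandleInfoType value and keep the result code next to each returned value, so a rejected type is never read as handle information. The svc is passed in as a function pointer; `fake_get_handle_info`, the handle 0x1234 and the result codes are constructed stand-ins so the logic runs off-device, and on hardware the pointer would instead be a stub issuing `svc 0x29` with the signature quoted above.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint32_t Handle;
typedef int32_t  Result;

/* Matches the SVC 0x29 signature quoted in the thread, with HandleInfoType
 * modelled as a plain u32 since its valid values are what we are probing. */
typedef Result (*GetHandleInfoFn)(int64_t *out, Handle handle, uint32_t type);

#define PROBE_MAX_TYPES 16

typedef struct {
    Result  rc;     /* result code the kernel returned for this type value */
    int64_t value;  /* *out, only meaningful when rc == 0 */
} HandleInfoProbe;

/* Call GetHandleInfo once per candidate type value in [0, max_type), keeping
 * the result code alongside the value so an unknown type (rc != 0) is never
 * mistaken for real handle information. Returns how many types were accepted. */
size_t probe_handle_info(GetHandleInfoFn svc, Handle h, uint32_t max_type,
                         HandleInfoProbe *results)
{
    size_t accepted = 0;
    if (max_type > PROBE_MAX_TYPES) max_type = PROBE_MAX_TYPES;
    for (uint32_t t = 0; t < max_type; t++) {
        int64_t v = 0;
        results[t].rc = svc(&v, h, t);
        results[t].value = (results[t].rc == 0) ? v : 0;
        if (results[t].rc == 0) accepted++;
    }
    return accepted;
}

/* Constructed stand-in for the kernel, not real 3DS behaviour: accepts only
 * types 0 and 1 for the constructed handle 0x1234 and rejects everything else
 * with made-up negative codes. On hardware this would be an `svc 0x29` stub. */
static Result fake_get_handle_info(int64_t *out, Handle handle, uint32_t type)
{
    if (handle != 0x1234) return -1;            /* constructed: bad handle */
    if (type == 0) { *out = 42; return 0; }     /* constructed field values */
    if (type == 1) { *out = 7;  return 0; }
    return -2;                                  /* constructed: unknown type */
}

static HandleInfoProbe g_probe[PROBE_MAX_TYPES];
/* Run the probe against the stand-in; accessors expose the recorded results. */
size_t  demo_probe(void) { return probe_handle_info(fake_get_handle_info, 0x1234, PROBE_MAX_TYPES, g_probe); }
Result  demo_rc(uint32_t t)    { return g_probe[t].rc; }
int64_t demo_value(uint32_t t) { return g_probe[t].value; }
```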
 

nop90

Thank you bunnei, I'll experiment with it.

At the moment I'm still brute-force testing all the valid handles I found, hoping that at least one is related to a useful and working service in ARM11.
 

cracker

Does anyone else have problems running anything besides the Mandelbrot Set launcher.dat? I'm on 4.5 US with an XL and using the modified ROP loader (FW's loader soft-bricks DS mode).
 

cracker

I was going to ask that too. He said it was taken down because it was using too much bandwidth and to message him with your email but I haven't gotten a reply from him.
 

Snailface

My frothing demand for 3ds homebrew is increasing
Member
Joined
Sep 20, 2010
Messages
4,324
Trophies
2
Age
40
Location
Engine Room with Cyan, watching him learn.
XP
2,256

cracker

Thanks for uploading it. Unfortunately, it is giving a 502 error no matter what browser, system or ISP I use. Would you possibly be able to mirror it on another site?
 

Snailface

Thanks for uploading it. Unfortunately, it is giving a 502 error no matter what browser, system or ISP I use. Would you possibly be able to mirror it on another site?
It's back on filetrip I think. That upload was by Kane49; it was his file.
 