Homebrew SigHax Updates and Discussion Thread

RustInPeace

It'll be removed in 15 days. Bans come from playing games prior to their release, and genning (not starting that discussion either). Were you using a flashcard (Gateway, Sky3DS)? https://gbatemp.net/threads/error-code-002-0102-have-i-been-banned.380654/

No to flashcards, and I gen all the time, it's not that. This was a second offense, first was December last year, definitely caused by using GW and going online with a Sun ROM at the same time as my Sun cart, both having the same private header. 30 day ban from that. So I just wonder if this is a permanent one. Other than the shiny thing, I don't see what could've caused it.

OrGoN3

No to flashcards, and I gen all the time, it's not that. This was a second offense, first was December last year, definitely caused by using GW and going online with a Sun ROM at the same time as my Sun cart, both having the same private header. 30 day ban from that. So I just wonder if this is a permanent one. Other than the shiny thing, I don't see what could've caused it.

According to that thread, it's a temporary 15 day ban. Have you been banned for more than 15 days while receiving that exact error code? I mean, rule of thumb is: never call, but that's up to you.
 

RustInPeace

According to that thread, it's a temporary 15 day ban. Have you been banned for more than 15 days while receiving that exact error code? I mean, rule of thumb is: never call, but that's up to you.

Yet I got a 30 day one for a first time offense. I called them often during that period to know what was up, and I need some kind of idea from them on why this happened. Eventually they did note that it was due to being online with a "pirated" copy, which pretty much confirmed the Gateway theory. It wouldn't be a big deal if I wasn't actively genning for people.
 

TheCyberQuake

Help me out. https://sciresm.github.io/33-and-a-half-c3/ "A BLAST FROM THE PAST" slide mentions that system firmware 0.14 (1.0.0-0) and onward checks against sighax. So are the checks patched via Luma or are we using magic?
Actually if you read the last part of the slide (directly after what you are referring to)
It says 0.13 was different. 0.13 is the original factory firmware.
 

OrGoN3

Thank you very much, some old post suggested this would never happen.

No problem. It happened a while ago, but compatibility is lacking. And for some games to work you need a game with the same chip in your system.

--------------------- MERGED ---------------------------

Actually if you read the last part of the slide (directly after what you are referring to)
It says 0.13 was different. 0.13 is the original factory firmware.

That doesn't help at all. My question was how did we, the users on current firmware, install sighax if Ninty implemented a check for it? Or is that check only when the home menu loads up? Another user mentioned it was a different sighax vuln that they were referring to on that slide.
 

TheCyberQuake

No problem. It happened a while ago, but compatibility is lacking. And for some games to work you need a game with the same chip in your system.

--------------------- MERGED ---------------------------
That doesn't help at all. My question was how did we, the users on current firmware, install sighax if Ninty implemented a check for it? Or is that check only when the home menu loads up? Another user mentioned it was a different sighax vuln that they were referring to on that slide.
They needed poor RSA checks (that were similar to boot9's) on an older firmware to brute-force the perfect key. With the perfect key found you can exploit any firmware even with the newer checks.

OrGoN3

They needed poor RSA checks (that were similar to boot9's) on an older firmware to brute-force the perfect key. With the perfect key found you can exploit any firmware even with the newer checks.

Ah, so Ninty patched what they used to bruteforce the perfect key. I got ya. Sorry for being ..... slow on this.

Edit: So wait, how'd they get their hands on the factory firmware and/or downgrade a system to it?
 

hurrz

[QUOTE="OrGoN3, post: 7328710, member: 76577"]
Doing a system transfer also transfers your NNID (Nintendo Network ID). If you want it back on your source console, you have 2 options. (1) think of a good reason and call Nintendo to have them transfer it back, or (2) transfer your second system back to your first. This is only for retaining your NNID on your first console. Otherwise, there is no need. Transferring doesn't remove B9S.

So yes, you can inject FBI into H&S and go from there. The only reason to transfer back is so that your NNID gets tied to the source console again.[/QUOTE]

Ah OK, thank you very much for the answer! I had not had any NNID on my first console but on my second. So, there might be no problem in reconnecting this second console with my NNID?

OrGoN3

[QUOTE="OrGoN3, post: 7328710, member: 76577"]
Doing a system transfer also transfers your NNID (Nintendo Network ID). If you want it back on your source console, you have 2 options. (1) think of a good reason and call Nintendo to have them transfer it back, or (2) transfer your second system back to your first. This is only for retaining your NNID on your first console. Otherwise, there is no need. Transferring doesn't remove B9S.

So yes, you can inject FBI into H&S and go from there. The only reason to transfer back is so that your NNID gets tied to the source console again.

Ah OK, thank you very much for the answer! I had not had any NNID on my first console but on my second. So, there might be no problem in reconnecting this second console with my NNID?[/QUOTE]

If you didn't set up a NNID on your console, then don't worry about it. Just use your consoles how you normally would.

SciresM

That doesn't help at all. My question was how did we, the users on current firmware, install sighax if Ninty implemented a check for it? Or is that check only when the home menu loads up? Another user mentioned it was a different sighax vuln that they were referring to on that slide.

Spoilers: the bootrom and firmware are different things. We used code from firmware RSA verification (which the bootrom loads) to figure out how to exploit the bootrom RSA code (which is similar but not patched, and cannot be patched).
 

OrGoN3

Spoilers: the bootrom and firmware are different things. We used code from firmware RSA verification (which the bootrom loads) to figure out how to exploit the bootrom RSA code (which is similar but not patched, and cannot be patched).

Why do you always have to spoil all the fun? I know they are different. I'm disconnected from the solution somehow. My mind stays focused on Ninty checking for sighax on 1.0.0-0 and beyond. I know the bootrom itself doesn't change, and cannot. If no dev console was found, this wouldn't be possible, right? You had to have a vulnerable system to brute force? And once you implemented the vulnerability on the old system, you then gained the knowledge you needed to run this on all systems (patched sig).

Also, thanks for replying!
 

SciresM

Why do you always have to spoil all the fun? I know they are different. I'm disconnected from the solution somehow. My mind stays focused on Ninty checking for sighax on 1.0.0-0 and beyond. I know the bootrom itself doesn't change, and cannot. If no dev console was found, this wouldn't be possible, right? You had to have a vulnerable system to brute force? And once you implemented the vulnerability on the old system, you then gained the knowledge you needed to run this on all systems (patched sig).

Also, thanks for replying!

...no, the brute force was performed on PC by analyzing code from dumped firmware...

OrGoN3

...no, the brute force was performed on PC by analyzing code from dumped firmware...

Sorry. I don't know why I wrote dev console. I meant the factory firmware. Without the factory firmware this wouldn't be possible. I have no idea why my brain is so dumb sometimes.
 

Quantumcat

2. It's possible for Nintendo to add code in a future firmware update that could detect Luma and/or restore the FIRM partitions, but they haven't done so as of yet. With the Sighax vulnerability, this can always be reverted using a hardmod.
They already did, that's why you would lose a9lh if you booted Gateway in sysNAND on 11.3 or 11.4. Gateway doesn't protect firms from being written to.

SciresM

They already did, that's why you would lose a9lh if you booted Gateway in sysNAND on 11.3 or 11.4. Gateway doesn't protect firms from being written to.

They didn't "add code".

Gateway is just shitty and doesn't defend against the updating code that's already in place for legitimate fw updates.

mathieulh

They needed poor RSA checks (that were similar to boot9's) on an older firmware to brute-force the perfect key. With the perfect key found you can exploit any firmware even with the newer checks.
Err...no, you can't. If FIRM isn't vulnerable (which is the case as of 0.14 and onward), having a "perfect key" (there is no such thing, as sighax is actually about forging signatures anyway) isn't going to let you do a damn thing and suddenly make 0.14+ vulnerable for you.

TheCyberQuake

Err...no, you can't. If FIRM isn't vulnerable (which is the case as of 0.14 and onward), having a "perfect key" (there is no such thing, as sighax is actually about forging signatures anyway) isn't going to let you do a damn thing and suddenly make 0.14+ vulnerable for you.
I wasn't talking about FIRM, and I was more saying the general premise of sighax and fake signing FIRM gives us access to exploit a system no matter what firmware it's on. i.e. hacking 11.4 consoles without arm9 or arm11 kernel via hardmod.

mathieulh

Help me out. https://sciresm.github.io/33-and-a-half-c3/ "A BLAST FROM THE PAST" slide mentions that system firmware 0.14 (1.0.0-0) and onward checks against sighax. So are the checks patched via Luma or are we using magic?
Luma patches FIRM to skip the signature checks; the official unmodified FIRMs do check signatures and (from 0.14) are not vulnerable to Sighax.
Boot9 signature checks are only performed at boot9 runtime and not later. Therefore, unless you can modify elements parsed by boot9 directly (FIRM, NCSD headers...), you will not be able to make use of the Sighax vulnerability in boot9. This means that unless you modify the SPI flash or the NAND, or run a FIRM through NTR at boot time, you will not be able to use Sighax to exploit consoles on the latest firmwares.

Quantumcat

They didn't "add code".

Gateway is just shitty and doesn't defend against the updating code that's already in place for legitimate fw updates.
How do you explain Gateway working perfectly fine on every firmware up to 11.2? There was some kind of change in 11.3 that wrote to firm on opening the home menu.