> I hadn't had time sadly...

At least try to recall what he said and archive that.
> I thought a bootloader being unlocked would not require the OTP, or possibly a trimmed rom that only writes to ctrnand? One can only hope.. I unfortunately don't have the otp, but I do have a nand backup that is stuck on black screen after ctr downgrade. I was on version 11.2. When I tried to use autofirm on it, it auto bluescreened after I wrote the nand back with error code 00000000 0000000. Can we not extract the otp from a nand backup if the protected partition is decrypted?

Nope, you can't get the otp from the nand. If your system is blue screening I would imagine you have selected the wrong option during the autofirm; I assume you picked o3ds instead of n3ds or something.
> Pretty much impossible, eh? Then how could we get sighax to be implemented with the perfect signature if we only have the unprotected boot9 rom portion?

I think you're misunderstanding something....
> I think you're misunderstanding something.

Ahh. I see. I thought that was one of the only easiest ways to get the protected bootrom. Good to know though.
It's not impossible to get the protected bootrom. It's just pretty much impossible to do it by examining the SoC with an electron microscope.
> This isn't fully possible. The FIRM0/FIRM1 partitions on NAND are encrypted with a device-specific key stored in the OTP. If you have an OTP dump from the device, sure, you could directly sighax like that. Without the OTP available, it will be necessary for FIRM0/FIRM1 to have a valid NATIVE_FIRM version encrypted to your device, and it will be necessary to know which version it is.

What about the otp hash on n3ds? Would it be possible to install sighax with only an arm9 exploit?
> What about the otp hash on n3ds? Would it be possible to install sighax with only an arm9 exploit?

With arm9 exploit we can install arbitrary native firms, so yeah.
> With arm9 exploit we can install arbitrary native firms, so yeah.

Why is everyone forgetting dsiwarehax?
> Why is everyone forgetting dsiwarehax?

Cuz the downgrade method got patched in 11.3 due to multiple 3ds modules/apps requiring the latest NFIRM version.
> Cuz the downgrade method got patched in 11.3 due to multiple 3ds modules/apps requiring the latest NFIRM version.

Downgrade isn't needed for sighax, and also it's just the homemenu requiring an updated nfirm.
> Downgrade isn't needed for sighax, and also it's just the homemenu requiring an updated nfirm.

Ahh. I see. I thought it was just more than the home menu.
> hedgeberg has streamed today, I have watched and also chatted and stuff, and he explained very well how the vector glitch exactly works (meanwhile he did it), but sadly his streams are not getting archived, so unless someone recorded it, his explanations are gone.

Any news?
> So sighax just needs an arm9 sploit to install

Basically, you simply need nand read and write access, so simply either:
> Any news?

He explained how the vector-glitch-hax works, how he accesses the protected part of the bootrom before it boots, and yeah, meanwhile he did it.
Can you summarize the stream?
> He explained how the vector-glitch-hax works, how he accesses the protected part of the bootrom before it boots, and yeah, meanwhile he did it.

So we are closer to protected bootrom dumping?
Because, if he entered the protected part of the bootrom, why can't he dump it already?

> write the firm via hardmod

But if I remember correctly, this can be done only thanks to the FIRM partitions known-plaintext exploit, but we used this only to downgrade to an older NFIRM version, not to flash the same (sighaxed) NFIRM version... so, maybe...

> So we are closer to protected bootrom dumping?

He almost got it; as the OP says, this is a difficult thing m8.
ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.
Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.
This requires *very* *precise* timing for triggering the hardware fault.
For short, this is like soft resetting a legendary in Pokémon 4000 times to finally get a Shiny one: you do it over and over and over until you get it.
> When do you think that will work perfectly?

When we got prot_boot9.bin.