Homebrew SigHax Updates and Discussion Thread

gamesquest1

Nabnut
Former Staff
I thought a bootloader being unlocked would not require the OTP, or possibly a trimmed ROM that only writes to CTRNAND? One can only hope... I unfortunately don't have the OTP, but I do have a NAND backup that is stuck on a black screen after CTR downgrade. I was on version 11.2. When I tried to use autofirm on it, it auto bluescreened after I wrote the NAND back with error code 00000000 0000000. Can we not extract the OTP from a NAND backup if the protected partition is decrypted?
Nope, you can't get the OTP from the NAND. If your system is blue screening, I would imagine you have selected the wrong option during the autofirm; I assume you picked o3ds instead of n3ds or something.
There would be a way of fixing it by simply inverting the process, i.e. swapping the 10.4 firm and 11.2 firm around and repeating the process.

That said, you should have had an original NAND backup before you started messing with the NAND.
 

Zan'

2F88744FEED717856386400A44BBA4B9CA62E76A32C715D4F
... Pretty much impossible, eh? Then how could we get sighax to be implemented with the perfect signature if we only have the unprotected boot9 rom portion?
I think you're misunderstanding something.
It's not impossible to get the protected bootrom. It's just pretty much impossible to do it by examining the SoC with an electron microscope.
 

Deleted member 350372

Well-Known Member
I think you're misunderstanding something.
It's not impossible to get the protected bootrom. It's just pretty much impossible to do it by examining the SoC with an electron microscope.
Ahh, I see. I thought that was one of the only easy ways to get the protected bootrom. Good to know though. :P
 

Giodude

GBAtemp's official rock
This isn't fully possible. The FIRM0/FIRM1 partitions on NAND are encrypted with a device-specific key stored in the OTP. If you have an OTP dump from the device, sure, you could directly sighax like that. Without the OTP available, it will be necessary for FIRM0/FIRM1 to have a valid NATIVE_FIRM version encrypted to your device, and it will be necessary to know which version it is.
What about the OTP hash on N3DS? Would it be possible to install sighax with only an ARM9 exploit?
 

Valery0p

Well-Known Member
hedgeberg has streamed today; I have watched and also chatted and stuff, and he explained very well how the vector glitch exactly works (meanwhile he did it), but sadly his streams are not getting archived, so unless someone recorded it, his explanations are gone.
Any news?
Can you summarize the stream?
 

adrifcastr

Well-Known Member
OP
So sighax just needs an ARM9 sploit to install?
Basically, you simply need NAND read and write access, so either:
launch the arm9 payload of safesighaxinstaller
write the firm via hardmod
launch a dsiwarehax version of safesighaxinstaller

So all you need on 11.3 is either A9LH, dsiwarehax or a hardmod.

--------------------- MERGED ---------------------------

Any news?
Can you summarize the stream?
He explained how the vector-glitch-hax works, how he accesses the protected part of the bootrom before it boots, and yeah, meanwhile he did it.
 

Valery0p

Well-Known Member
He explained how the vector-glitch-hax works, how he accesses the protected part of the bootrom before it boots, and yeah, meanwhile he did it.
So we are closer to protected bootrom dumping?
Because, if he entered the protected part of the bootrom, why can't he dump it already?
write the firm via hardmod
But if I remember correctly, this can be done only thanks to the FIRM partitions known-plaintext exploit, but we used this only to downgrade to an older NFIRM version, not to flash the same (sighaxed) NFIRM version... so, maybe...
 

adrifcastr

Well-Known Member
OP
So we are closer to protected bootrom dumping?
Because, if he entered the protected part of the bootrom, why can't he dump it already?
He almost got it; as the OP says, this is a difficult thing m8.

ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.

This requires *very* *precise* timing for triggering the hardware fault.

In short, this is like soft resetting a legendary in Pokémon 4000 times to finally get a shiny one: you do it over and over and over until you get it.
 

Roboman

Well-Known Member
So we are closer to protected bootrom dumping?
Because, if he entered the protected part of the bootrom, why can't he dump it already?

But if I remember correctly, this can be done only thanks to the FIRM partitions known-plaintext exploit, but we used this only to downgrade to an older NFIRM version, not to flash the same (sighaxed) NFIRM version... so, maybe...

We can use that exploit to flash an arbitrary native firm.
It just so happened that flashing a lower version ('downgrading') is really handy. Or it was until other parts of the system started demanding 11.3 or higher native firm.
 

proflayton123

The Temp Loaf'
He almost got it; as the OP says, this is a difficult thing m8.

ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.

This requires *very* *precise* timing for triggering the hardware fault.

In short, this is like soft resetting a legendary in Pokémon 4000 times to finally get a shiny one: you do it over and over and over until you get it.

This explanation is very much appreciated, I now have more understanding :3
 