The bootroms (Homebrew)

Thread starter: Suiginou
I don't have a very expansive knowledge of the 3DS software itself, but I'll throw something out here.
Is there a difference between bootrom11 and bootrom9? In other words: if we had access to one of the bootroms, then what could we do?
 
I have a feeling it would be perfectly feasible to do an attack within the timeframe of SYSPROT9 bit 0x00, but we'd need a good feedback loop.
I propose flashing the MCU firmware, or even completely replacing the chip with a dummy clone, just an I2C bus peripheral that does the bare minimum to initialize the system, and pull the /RESET line on the SoC at the right time.
An RGH-style core slowdown wouldn't work, simply because the SoC doesn't (as far as I know) expose the registers to control CPU clocks with such fine granularity.
As for triggering the exception, three letters: NMI.

(information: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/BABBGBEC.html it's for a different chip, but the behavior should be the same for the most part.)

MCU firmware can be found in the MCU sys-module's .rodata, and can be uploaded to the MCU by writing to device 3 I2C register 0x05 with width 0x4003 (where the first 0x3 bytes are the magic "jhl").
 
Based on a careful search and analysis by some of us on #Cakey, the (at least old 3DS) MCU appears to be a modified version of the Renesas 78K0/KE2 UPD78F0531AFC-AA1-A.

It is the only 0.5 cm x 0.5 cm BGA 8-bit 64-pin 16kb-ROM MCU that Renesas manufactures. Documentation can be found on that page. It runs a custom ISA (which is why we failed to determine anything from IDA Pro) with opcodes available in the "78K/0 Series for Instructions" manual on the site linked.

There is a metric fuck-ton of information and docs available, including an emulator for the chip.
 
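The two posts above together give three numbers that can be checked against each other: a 3-byte "jhl" magic, a 0x4003-byte upload width, and a chip with a 16 KB ROM. The following Python is an added example (not code from the thread or from any 3DS project) that scans a .rodata-style blob for candidate upload images, skips stray "jhl" text hits using a byte-entropy heuristic, and confirms that 0x4003 minus the magic is exactly 16 KiB. The blob layout (magic immediately followed by the payload), the entropy threshold, and the sample data are all assumptions constructed for the example.

```python
"""Locate and sanity-check a 3DS MCU firmware image inside a sys-module .rodata blob.

Added example, not code from the thread. Uses the values the thread states
(3-byte "jhl" magic, 0x4003-byte upload width); the blob layout (magic immediately
followed by the payload) and the entropy threshold are assumptions.
"""
import hashlib
import math

MCU_MAGIC = b"jhl"                                # magic at the start of the upload image
UPLOAD_WIDTH = 0x4003                             # bytes written per the thread's description
PAYLOAD_SIZE = UPLOAD_WIDTH - len(MCU_MAGIC)      # 0x4000 = 16 KiB of firmware after the magic


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, close to 8 for packed code or ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_mcu_images(rodata: bytes, min_entropy: float = 4.0) -> list[dict]:
    """Return every "jhl" occurrence that is followed by a full 0x4000-byte payload
    whose entropy is plausible for code. Assumed heuristic: a stray "jhl" inside a
    string table sits in low-entropy padding and is skipped."""
    hits = []
    pos = 0
    while (off := rodata.find(MCU_MAGIC, pos)) != -1:
        pos = off + 1
        image = rodata[off:off + UPLOAD_WIDTH]
        if len(image) != UPLOAD_WIDTH:
            continue                              # truncated: not a complete upload image
        payload = image[len(MCU_MAGIC):]
        ent = shannon_entropy(payload)
        if ent < min_entropy:
            continue
        hits.append({
            "offset": off,
            "entropy": round(ent, 2),
            "sha256": hashlib.sha256(image).hexdigest(),
        })
    return hits


def payload_matches_rom(rom_size_bytes: int) -> bool:
    """Cross-check the thread's numbers: 0x4003 minus the 3-byte magic should equal the ROM size."""
    return PAYLOAD_SIZE == rom_size_bytes


def build_sample_rodata() -> tuple[bytes, int, int]:
    """Constructed test blob: a stray "jhl" inside a version string, then a real image.
    Returns (blob, real_image_offset, stray_offset)."""
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                       for i in range(PAYLOAD_SIZE // 32))
    payload = payload.replace(MCU_MAGIC, b"xxx")  # keep exactly one true occurrence
    assert len(payload) == PAYLOAD_SIZE
    prefix = b"\x00" * 0x100
    stray = b"mcu version jhl-test\x00"
    blob = prefix + stray + b"\x00" * 0x4100 + MCU_MAGIC + payload + b"\x00" * 0x20
    stray_off = len(prefix) + stray.index(MCU_MAGIC)
    real_off = len(prefix) + len(stray) + 0x4100
    return blob, real_off, stray_off


if __name__ == "__main__":
    blob, real_off, stray_off = build_sample_rodata()
    print("payload size matches a 16 KiB ROM:", payload_matches_rom(16 * 1024))
    for hit in find_mcu_images(blob):
        print(f"candidate image at 0x{hit['offset']:x} "
              f"entropy={hit['entropy']} sha256={hit['sha256'][:16]}...")
```

The entropy threshold is deliberately loose: its only job is to drop "jhl" occurrences that land in zero padding or string tables, while any real code image, which is far above 4 bits per byte, passes. The SHA-256 of each candidate is there so a researcher can compare images between firmware versions without sharing the blob itself.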
If theory serves right, it runs to the MCU.

I would love to try it, in the interests of science. I don't want to spill my life's story here, but suffice it to say, I don't have the equipment at the moment. I'm trying to find a job, and it's tough.
There are no well-equipped hackerspaces within 70 miles of here (central Long Island), either.
If anyone's local and willing to lend a hand, I can procure a busted 3DS for relatively cheap.

Long Island isn't really a great place for hackers, but hey, we got some Smash tournaments around so it's all good :3
 
> Have you even tried installing it? I have done it to over 100 New 3DS systems in the past 3 weeks and nothing has ever gone wrong. No bricking whatsoever besides the emuNAND brick you're supposed to cause with 2.1.

100? You have a business doing this or something? If so, cool.
If not, I'm curious why so many!
 
> The only thing the bootrom is useful for (from a user's perspective) is the game decryption key, making it possible to load encrypted games in Citra.
> Other than that, I dunno, unless some vulnerability is found in there.

You forgot to add "pissing off Nintendy". I think we can all agree that is the best benefit.
 
> The only thing the bootrom is useful for (from a user's perspective) is the game decryption key, making it possible to load encrypted games in Citra.
> Other than that, I dunno, unless some vulnerability is found in there.

The vulnerabilities are never ending. Want to know why? Nintendo never stops with them stability updates.
 
> Have you even tried installing it? I have done it to over 100 New 3DS systems in the past 3 weeks and nothing has ever gone wrong. No bricking whatsoever besides the emuNAND brick you're supposed to cause with 2.1.

What in the freakin' shit has given you access to over 100 New 3DS systems into which you are installing A9LH? xD Also, in just the last 3 weeks? How many overall? Over 9000?
 
> The vulnerabilities are never ending. Want to know why? Nintendo never stops with them stability updates.

This is one of the few things that can't be fixed by a system update, but rather with a whole new hardware revision.
I'm amazed at how they haven't hardened it yet against arm9loaderhax (only the New 3DS; I believe the Old 3DS isn't manufactured anymore).
 
> This is one of the few things that can't be fixed by a system update, but rather with a whole new hardware revision.
> I'm amazed at how they haven't hardened it yet against arm9loaderhax (only the New 3DS; I believe the Old 3DS isn't manufactured anymore).

The O3DS is still made in the form of the 2DS, but I doubt they'd bother to secure it. If they bother at all it'll probably be the N3DS (XL), of course.
 