Hacking Config Application

Relys

Note: Please do not attempt to mess around with the Config Menu options without a hardware NAND mod until these functions are confirmed safe.

I noticed that the Config Menu application:

http://3dbrew.org/wiki/3DS_Development_Unit_Software#Config

Has the option to boot into Test Menu (which is a limited alternative to Home Menu):

http://3dbrew.org/wiki/3DS_Development_Unit_GUI#Test_Menu

Allegedly it allows booting from slot1 devices and the Dev Menu (which can be used to launch CIAs). The interesting thing about the Test Menu is that there is alleged screenshot support.

I do not have a NAND mod anymore (I had to remove it to replace my LCD screen), so I was wondering if someone who does could test it out and report back if these features are safe. Since the Home Menu is unloaded I would suspect that the Test Menu would be operating outside of our emunand environment, but I'm not certain. Hell, I don't even know if the Test Menu exists on retail units (is it part of the application or part of the firm)???

Edit: Found some more information regarding it:
http://3dbrew.org/wiki/NS#Alternate_menu

Does anyone know if this title has been dumped? It may still be on the NAND depending on the method of deletion.


Link999123

It probably is firmware rooted but if it is able to be booted from nand (I don't see why it wouldn't be possible) this will be a big leap for the community.
 

Relys

> It probably is firmware rooted but if it is able to be booted from nand (I don't see why it wouldn't be possible) this will be a big leap for the community.


Found some more information regarding it:
http://3dbrew.org/wiki/NS#Alternate_menu

Does anyone know if this title has been dumped? It may still be on the NAND depending on the method of deletion.

Link999123

> "When launching the regular menu fails, NS will then attempt to launch the alternate menu. This title could be used as a recovery process, however it's normally not used after the factory. This title is used at the factory for installing system titles, this title seems to be installed from a factory gamecard. This installer title likely deletes itself from NAND once it's finished installing titles.
> On development Units, this is the Test Menu, and isn't deleted after being setup at factory."


So according to this if someone has a dev unit, they could dump the nand and using a gateway someone could download the menu to the nand or use it with emunand?
 

Relys

> Still think that the crypto needs to be completely reversed before a CFW will 'stick'. :-P


You would have to find an exploit in the bootrom (if there is even any) to get your sig patches to stick. It doesn't really have to do anything with crypto at this point unless they failed on their signature implementation (which is unlikely).

> So according to this if someone has a dev unit, they could dump the nand and using a gateway someone could download the menu to the nand or use it with emunand?

Exactly.

Another interesting thought:

"This title could be used as a recovery process" and "this title seems to be installed from a factory gamecard"

I wonder if the card was dumped if it would be possible to use Sky3DS to run it, seeing as it looks like it's signed for retail units. If it could run, this would allow for installing retail signed CIAs (games, dlc, patches) and possibly even downgrading system titles. It of course would not allow unsigned code as FIRM would still be running in the background enforcing signature checks, but if you can downgrade system titles then you can downgrade to an exploitable version and gain full control.

gudenau

> Once crypto is completely reversed (chip decapping to get keyX and keyscrambler algo) downgrading units might be possible. I think you'd still need a hardware exploit to dump the unique per console keys though... However, you would have to find an exploit in the bootrom (if there is even any) to get your sig patches to stick.


True, now to dump the bootrom... :-P

Relys

> So according to this if someone has a dev unit, they could dump the nand and using a gateway someone could download the menu to the nand or use it with emunand?
> True, now to dump the bootrom... :-P

Eh, you'd still have to dump unique keyX from the keyslot used to encrypt NAND and moveable.sed from the private filesystem which is used to initialize keyY on the NAND so forget about downgrading. Decapping would just allow doing all the decryption without using a 3DS as a slave.
 

gudenau

> Eh, you'd still have to dump unique keyX from the keyslot used to encrypt NAND and moveable.sed from the private filesystem which is used to initialize keyY on the NAND so forget about downgrading. Decapping would just allow doing all the decryption without using a 3DS as a slave.

I do have a 4.X dump, I just want custom channels on the NAND for homebrew.
 

Link999123

> Once crypto is completely reversed (chip decapping to get keyX and keyscrambler algo) downgrading units would be possible. However, you would have to find an exploit in the bootrom (if there is even any) to get your sig patches to stick.



> Exactly.
>
> Another interesting thought:
>
> "This title could be used as a recovery process" and "this title seems to be installed from a factory gamecard"
>
> I wonder if the card was dumped if it would be possible to use Sky3DS to run it, seeing as it looks like it's signed for retail units. If it could run, this would allow for installing retail signed CIAs (games, dlc, patches) and possibly even downgrading system titles. It of course would not allow unsigned code as FIRM would still be running in the background enforcing signature checks.
According to the page it is installed to the NAND so therefore, it would need to have privileges to access the NAND, assuming the privileges are that which a game has, then yes it should work, but this is only theoretically speaking.
 

Relys

> On the real NAND? I was not aware.


You would not be able to run homebrew without entering an exploit to patch signature checks unless there is a bootrom exploit.

Theoretically you should be able to install properly signed retail titles though...
 

gudenau

> You would not be able to run homebrew without entering an exploit to patch signature checks unless there is a bootrom exploit.
>
> Theoretically you should be able to install properly signed retail titles though...

Oh, I thought I missed some big news. :-P I need to get my SD card adaptor made, I do not have the time though.
 

Link999123

I guess the real question would be what firmware that card runs at and if it can be used on any firmware. If it can then the simple answer would be that the only limitation would be the 3DS itself.
 

Link999123

It is 16 joints for how I will do it, not much at all.
I'm a little squeamish with soldering systems, especially after watching my DS Lite get mutilated... the L button got sticky so it was taken apart and... yeah... it was not so pretty...