Hacking [WIP] KARL3DS - Kernel access on N3DS via Ninjhax + Loadcode

[motezazer]

1. My friend, 3dbrew says:




If bootrom was dumped, they would know exactly when ARM9 memory get initialized -> this means bootrom is not dumped?

We can't know when its initialized, because we can't know how much time the instructions take to execute.
In the Decaf Fundraiser page, it's clearly stated that the bootrom was dumped.

2. I not talking about disable NAND, I talking 2 physical NAND which can be switched by HW mod. Maybe there are other ways to do it, but this is my simple idea
Can you swap hard disks while the OS is running?

EDIT : excuse me, this was not this flaw that allowed bootrom dumping for core scene members.

 

[guitarheroknight]

I would like to believe that this is still to be released. Karl is several steps above GW and RXTOOLS in terms of features and knowledge. There's so much that they can't throw away.

Funny you should mention it since KARL is the only team with no results so far



Aaanyway is this HW mod something like the RGH on the 360?

 

[motezazer]

Funny you should mention it since KARL is the only team with no results so far



Aaanyway is this HW mod something like the RGH on the 360?

No. It's something like a electromagnetic transmitter (the objective is to inject a fault in the CPU).

To KARL3DS team :
on 3dbrew, yellows8 asks you if you successfully exploited this hax.

 

[proruskii]

To KARL3DS team :
on 3dbrew, yellows8 asks you if you successfully exploited this hax.

Is good question, many people like me would like to know too

 

[InfoFront]

Funny you should mention it since KARL is the only team with no results so far



Aaanyway is this HW mod something like the RGH on the 360?

Indeed. As far as I'm concerned, they've had no success.

 

[tsselle]

Indeed. As far as I'm concerned, they've had no success.

Well good thing that their success has no dependence on how you feel then, Eh?

But otherwise, y'all are doing awesome. I can't wait to see what else you find.

 

[Psi-hate]

If they hadn't had any success, then that'd mean that they didn't break the encryption on the 9.6 demo, which they did.

 

[motezazer]

If they hadn't had any success, then that'd mean that they didn't break the encryption on the 9.6 demo, which they did.

It was not the New 3DS 9.6 encryption...

 

[Psi-hate]

It was not the New 3DS 9.6 encryption...

Well, I thought I was wrong. Thanks for correcting me.

 

[proruskii]

Look here: http://3dbrew.org/wiki/3DS_System_Flaws#arm9loader

Starting with 9.6.0-X a new set of NAND-based keys were introduced. However, they forgot to add a verification block to verify that the new key read from NAND is correct. This was an issue from the very beginning with the original sector+0 keydata, however the below is only possible with the sector+0x10 keydata.
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt ARM9 kernel as garbage and then jump to it.
This allows an hardware-based NAND-attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump-instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code.
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x save, and 7.x NCCH keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset0 and has dumped the OTP area of the Old3DS.

With this trick you can run a9 code with N3DS 9.6 AES keys not cleared! This mean you can decrypt any 9.6 N3DS title... But you can only do it if you have NAND mod. I hope I make sense

 

[motezazer]

Look here: http://3dbrew.org/wiki/3DS_System_Flaws#arm9loader



With this trick you can run a9 code with N3DS 9.6 AES keys not cleared! This mean you can decrypt any 9.6 N3DS title... But you can only do it if you have NAND mod. I hope I make sense

No. You have to replace the true generation key with garbage to make this working, so the 9.6 keys would be garbage and not the true keys.

 

[proruskii]

You are right my friend. How are 9.6 N3DS titles decrypted then?

 

[motezazer]

You are right my friend. How are 9.6 N3DS titles decrypted then?

With another (private) bootrom hax I presume.

 

[zoogie]

If they hadn't had any success, then that'd mean that they didn't break the encryption on the 9.6 demo, which they did.

They've also made some pretty cool videos

 

[Just3DS]

Well it is a good thing that bootrom (or keys) isn't shared publically, because if it is then big N would move on to their next iteration of DS console and we will never be able to see anymore titles on 3DS.

 

[DSpider]

Well it is a good thing that bootrom (or keys) isn't shared publically, because if it is then big N would move on to their next iteration of DS console and we will never be able to see anymore titles on 3DS.

The PS3 private keys were discovered in 2010 and made public at the beginning of 2011, and then the developers continued to release games on the damn thing even 5 years later.

 

[sanni]

They've also made some pretty cool videos

but they didn't paint their fingernails red sooo no points for that.

 

[gamesquest1]

but they didn't paint their fingernails red sooo no points for that.

top 3 3ds hack video's
1. Gateway - for starting it all
2. QQ3DS - for trying so desperately to out shine gateway's red nails
3. SonyUSA - For proving you can still try to paint your nails in an earthquake

....everyone else should be ashamed of themselves

 

[Slushie3DS]

I came back after a month or two and was hoping for a release, dang.

You all are still doing a wonderful job.

 

[DSpider]

So, I heard that the NTR devs are on board with this project and that you've teamed up. Is that true? I hear something about KARL3DS with plugin support.

http://gbatemp.net/threads/release-...eu-us-aus-new-3ds.385142/page-29#post-5485662