Hacking [WIP] KARL3DS - Kernel access on N3DS via Ninjhax + Loadcode

Status
Not open for further replies.

motezazer

1. My friend, 3dbrew says:

If bootrom was dumped, they would know exactly when ARM9 memory gets initialized -> this means bootrom is not dumped?

We can't know when it's initialized, because we can't know how much time the instructions take to execute.
In the Decaf Fundraiser page, it's clearly stated that the bootrom was dumped.

2. I'm not talking about disabling NAND, I'm talking about 2 physical NANDs which can be switched by HW mod. Maybe there are other ways to do it, but this is my simple idea
Can you swap hard disks while the OS is running?

EDIT: excuse me, it was not this flaw that allowed bootrom dumping for core scene members.
 

guitarheroknight

I would like to believe that this is still to be released. Karl is several steps above GW and RXTOOLS in terms of features and knowledge. There's so much that they can't throw away.
Funny you should mention it since KARL is the only team with no results so far :rolleyes:

Aaanyway is this HW mod something like the RGH on the 360?
 

motezazer

Funny you should mention it since KARL is the only team with no results so far :rolleyes:

Aaanyway is this HW mod something like the RGH on the 360?

No. It's something like an electromagnetic transmitter (the objective is to inject a fault in the CPU).

To the KARL3DS team:
on 3dbrew, yellows8 asks you if you successfully exploited this hax.
 

Psi-hate

If they hadn't had any success, then that'd mean that they didn't break the encryption on the 9.6 demo, which they did. :P
 

proruskii

Look here: http://3dbrew.org/wiki/3DS_System_Flaws#arm9loader

Starting with 9.6.0-X a new set of NAND-based keys was introduced. However, they forgot to add a verification block to verify that the new key read from NAND is correct. This was an issue from the very beginning with the original sector+0 keydata, however the below is only possible with the sector+0x10 keydata.
Thus, by writing an incorrect key to NAND you can make arm9loader decrypt the ARM9 kernel as garbage and then jump to it.
This allows a hardware-based NAND attack where you can boot into an older exploited firmware, fill all memory with NOP sleds/jump instructions, and then reboot into executing garbage. By automating this process eventually you'll find some garbage that jumps to your code.
This should give you very early ARM9 code execution (pre-ARM9 kernel). For example, you can dump RSA keyslots with this and calculate the 6.x save and 7.x NCCH keys. This cannot be used to recover keys initialized by arm9loader itself. This is due to it wiping the area used for its stack during NAND sector decryption and keyslot init. Due to FIRMs on both Old and New 3DS using the same RSA data, this can be exploited on Old3DS as well, but only if one already has the actual plaintext normalkey from New3DS NAND sector 0x96 offset 0 and has dumped the OTP area of the Old3DS.

With this trick you can run a9 code with N3DS 9.6 AES keys not cleared! This means you can decrypt any 9.6 N3DS title... But you can only do it if you have a NAND mod. I hope I make sense
 
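The missing check in the 3dbrew quote above, as an added example that is not from this thread or from any 3DS project: the stream cipher is a SHA-256 counter-mode stand-in for the AES engine, and the keydata layout (16-byte key followed by a verification block) is an assumption. The vulnerable loader trusts whatever key it reads from NAND; the hardened one decrypts the verification block first and halts when the expected plaintext does not come out.

```python
import hashlib

MAGIC = b"KEYDATA_OK"  # constructed: the plaintext a valid verification block must decrypt to

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 counter-mode keystream XORed over data.
    Illustrative only; this is not the 3DS AES engine or arm9loader's scheme."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "little")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def make_keydata(key: bytes) -> bytes:
    """Constructed NAND keydata layout: 16-byte key, then a verification
    block (MAGIC encrypted under that key). Not the real sector layout."""
    return key + keystream_xor(key, MAGIC)

def vulnerable_loader(keydata: bytes, encrypted_firm: bytes) -> bytes:
    """The flaw 3dbrew describes: the key read from NAND is used as-is, so
    corrupted keydata silently turns the ARM9 kernel into garbage that the
    loader would then jump to."""
    key = keydata[:16]
    return keystream_xor(key, encrypted_firm)

def hardened_loader(keydata: bytes, encrypted_firm: bytes):
    """Same loader with the missing check: decrypt the verification block
    first and refuse to continue unless the known plaintext comes out."""
    key, check = keydata[:16], keydata[16:]
    if keystream_xor(key, check) != MAGIC:
        return None  # halt instead of ever handing garbage to the CPU
    return keystream_xor(key, encrypted_firm)

def demo() -> dict:
    """Boot with intact keydata, then with the key bytes corrupted on NAND."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
    firm = b"FIRM" + bytes(range(60))  # constructed kernel plaintext
    enc = keystream_xor(key, firm)
    good = make_keydata(key)
    bad = bytes(b ^ 0xFF for b in good[:16]) + good[16:]  # corrupted key
    return {
        "vuln_good_boots": vulnerable_loader(good, enc) == firm,
        "vuln_bad_runs_garbage": vulnerable_loader(bad, enc) != firm,
        "hard_good_boots": hardened_loader(good, enc) == firm,
        "hard_bad_halts": hardened_loader(bad, enc) is None,
    }
```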

motezazer

Look here: http://3dbrew.org/wiki/3DS_System_Flaws#arm9loader

With this trick you can run a9 code with N3DS 9.6 AES keys not cleared! This means you can decrypt any 9.6 N3DS title... But you can only do it if you have a NAND mod. I hope I make sense

No. You have to replace the true generation key with garbage to make this work, so the 9.6 keys would be garbage and not the true keys.
 

Just3DS

Well it is a good thing that the bootrom (or keys) isn't shared publicly, because if it is then big N would move on to their next iteration of DS console and we will never be able to see any more titles on 3DS.
 

DSpider

Well it is a good thing that the bootrom (or keys) isn't shared publicly, because if it is then big N would move on to their next iteration of DS console and we will never be able to see any more titles on 3DS.

The PS3 private keys were discovered in 2010 and made public at the beginning of 2011, and then the developers continued to release games on the damn thing even 5 years later.
 

gamesquest1

but they didn't paint their fingernails red sooo no points for that.
top 3 3ds hack videos
1. Gateway - for starting it all
2. QQ3DS - for trying so desperately to outshine Gateway's red nails
3. SonyUSA - for proving you can still try to paint your nails in an earthquake

....everyone else should be ashamed of themselves
 