Can 3DS downgrade to firmware 10.1 max?

Status
Not open for further replies.

CeeDee

fuckin dork
Member
Joined
May 4, 2014
Messages
5,361
Trophies
3
XP
9,943
Country
United States
That's right, I think it sums up everything important.
Awesome! I'm hyped now.

Also I think this means smea wasn't lying - there's no kernel code running and there's no >9.2 kernel but with SVC there is downgrading possible/legit CIAs. Is SVC "privileged code"?
 

smealum

growing up sucks.
Member
Joined
May 1, 2006
Messages
635
Trophies
2
Age
31
Location
SF
Website
www.smealum.net
XP
2,516
Country
United States
ok so as entertaining as this is, it doesn't seem nice to let people speculate and possibly get excited over nothing. so, i'll address the big thing i guess :

As seen twice in the 2.5 payload:
Code:
ROM:000054D8                 SVC             0x7B ; '{'
And 0x7B is for svcBackdoor
(and this is used)

if you open up any of the payloads in a hex editor, you will indeed find that code. this is apparently significant because this syscall lets processes that have access to it execute arbitrary code in kernel mode. sounds amazing right ? of course the thing is that no process actually has access to it, so you'd need some kind of exploit to use it. therefore, there has to be some kind of exploit hidden away that gives the current process access to it, right ? smea's a liar and thought no one would find his secret kernel exploit, right ?

as you've probably guessed by now, no, that's not what's going on. the truth of the matter is that unlike what Mrrraou claims, this code is not used by anything. sure, the svcBackdoor function exists, and it *is* called by another function... but the function in question is not called by anything, ever. this is just a remnant of some old debugging code in app_bootloader which only ran on 9.2.

here's a screenshot of the actual code, and how it's not called anymore :

[screenshot: upload_2015-11-13_14-6-28.png]

[screenshot: upload_2015-11-13_14-6-58.png]

and if you still don't believe me just ask anyone who knows how to read arm disassembly to take a look, and they'll be able to confirm that invalidate_icache isn't called anywhere in app_bootloader. another thing you could do for proof is modify the payload : just replace the svc 0x7b instruction with an undefined instruction (like 0xffffffff); this way, if the function *is* called, it'll crash. if it's not, it'll just keep working the way it always does.
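The check smea describes (swap the `svc 0x7b` word for an undefined instruction and see whether the payload still runs) can be automated. The script below is an added example, not smea's code or any 3DS project's code; it assumes a flat little-endian ARM-mode image with 4-byte-aligned instructions and works on a constructed sample rather than a real payload.

```python
"""Locate and neutralise ARM-mode SVC instructions in a raw payload image.

Added example for the post above: find every `SVC 0x7B` (svcBackdoor) word
in a flat ARM binary and emit a copy where each one is replaced by the
permanently undefined word 0xFFFFFFFF. Running the patched payload then
shows whether that instruction is ever reached (crash) or dead (no change).
Assumptions: little-endian ARM (not Thumb) code, 4-byte aligned at offset 0.
"""
import struct
from typing import List, Optional

SVC_BACKDOOR = 0x7B          # 3DS SVC number for svcBackdoor (from the post)
UNDEFINED_WORD = 0xFFFFFFFF  # permanently undefined ARM encoding: faults if executed


def is_svc(word: int, svc_number: Optional[int] = None) -> bool:
    """True if `word` encodes an ARM SVC: cond != 1111 and bits 27..24 == 1111.
    With `svc_number` given, the 24-bit immediate must match it as well."""
    cond = word >> 28
    if cond == 0xF or (word >> 24) & 0xF != 0xF:
        return False
    return svc_number is None or (word & 0x00FFFFFF) == svc_number


def find_svc(payload: bytes, svc_number: Optional[int] = SVC_BACKDOOR) -> List[int]:
    """Byte offsets of every matching SVC word in the image."""
    hits = []
    for off in range(0, len(payload) - 3, 4):
        (word,) = struct.unpack_from("<I", payload, off)
        if is_svc(word, svc_number):
            hits.append(off)
    return hits


def patch_svc(payload: bytes, svc_number: int = SVC_BACKDOOR) -> bytes:
    """Copy of the image with each matching SVC replaced by UNDEFINED_WORD."""
    out = bytearray(payload)
    for off in find_svc(payload, svc_number):
        struct.pack_into("<I", out, off, UNDEFINED_WORD)
    return bytes(out)


# Constructed sample image (not a real payload): MOV R0,#0; SVC 0x7B;
# SVCEQ 0x7B (conditional form); SVC 0x2C (a different syscall).
SAMPLE = struct.pack("<4I", 0xE3A00000, 0xEF00007B, 0x0F00007B, 0xEF00002C)

if __name__ == "__main__":
    for off in find_svc(SAMPLE):
        print(f"SVC 0x{SVC_BACKDOOR:02X} at offset 0x{off:08X}")
    patched = struct.unpack("<4I", patch_svc(SAMPLE))
    print("patched words:", [f"0x{w:08X}" for w in patched])
```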
 

DiegitusXD

Well-Known Member
Member
Joined
May 6, 2015
Messages
405
Trophies
0
XP
140
Country
Ok :D
 

JustPingo

Well-Known Member
Member
Joined
Jan 11, 2015
Messages
497
Trophies
0
Age
24
XP
1,081
Country
France
In the great lord smea we trust.
That's exactly what we were looking for, thank you very much for your time.
I laughed at the secret kernel.
 

CeeDee

fuckin dork
Member
Joined
May 4, 2014
Messages
5,361
Trophies
3
XP
9,943
Country
United States
Hype train is over, I guess.

Wait, then what's the invalidate_icache in Hans while booting a game?
 