Homebrew ARM9Loader -- Technical Details and Discussion

AHP_person

> I suggest you make a list of what should be done for this, i.e.:
> 1. Startup menu? This could also be triggered when you exit MSET or what.
> 2. Firmware update modification. This should be necessary if you want to update the system version.
> 3. Living threads for ARM9 and also ARM11. This could be hard.
> More to come once you've watched the salthax video and read the menu..
> Time for me to sleep now.. Don't bother to contact more guys, including 173210 or others you trust, to have it developed a little easier.
I'm not trying to recreate the salthax video, although what they had was pretty darn cool. Bigger payloads = better payloads, so that's always a goal.
 

mathieulh

> would it be possible to dump the bootrom by performing a trick similar to the xbox360 trick? (pulling the reset line on early boot stages)

Try not to share things I tell you in confidence to the whole world.

I don't even know if that hack is viable so far.
 

cpasjuste

> Try not to share things I tell you in confidence to the whole world.
>
> I don't even know if that hack is viable so far.
Oh no, mathieulh is coming back :/ Well, I don't know much about hacking so I don't see the point, but if you need some tips I'm in touch with tmbinc and c0z; there's no one who knows more about the 360 reset glitch.
 

WulfyStylez

> Try not to share things I tell you in confidence to the whole world.
dude i literally already documented the exploitability of fault injection due to uninitialized vectors in bootrom like, 7 months ago. it's nothing new that you need to worry about not disclosing. derrek has already tried this, and rumor has it other people have too.

also mate if you trust people on gbatemp with what you consider valuable information you're gonna have a really really rough time with constant leaks everywhere. wii u hacking has been ravaged by leaks since people aren't making reliable private groups. (pms here aren't safe either btw, mods are known to read them as well as unfinished forum posts.)
 

Suiginou

> dude i literally already documented the exploitability of fault injection due to uninitialized vectors in bootrom like, 7 months ago. it's nothing new that you need to worry about not disclosing. derrek has already tried this, and rumor has it other people have too.
Sadly, trying != succeeding; 3dbrew even claims the original discoverer failed to pull it off.
 

WulfyStylez

> Sadly, trying != succeeding; 3dbrew even claims the original discoverer failed to pull it off.
well yeah, if some group were to have pulled it off it'd be quite silly to say so in public. maybe they'd just leave a 'theoretical' exploit description behind instead. wouldn't be the first time.
 

mathieulh

> dude i literally already documented the exploitability of fault injection due to uninitialized vectors in bootrom like, 7 months ago. it's nothing new that you need to worry about not disclosing. derrek has already tried this, and rumor has it other people have too.
>
> also mate if you trust people on gbatemp with what you consider valuable information you're gonna have a really really rough time with constant leaks everywhere. wii u hacking has been ravaged by leaks since people aren't making reliable private groups. (pms here aren't safe either btw, mods are known to read them as well as unfinished forum posts.)

This has nothing to do or isn't even remotely close to the vector based vulnerability documented on 3dbrew.

Also, this information was shared in a private google hangout discussion, I just thought zecoxao was smarter than that and had the notion of common sense, I was proven wrong.

Finally, what kind of logic is that? You, yourself, are "on gbatemp", aren't you?
 

Syphurith

Calm down. Please don't mind that much.. You know what SALT Team is. They seldom release anything (yeah, mkey is done, and bootstrap).
Not publicly discussed - not publicly proven. However, they don't (yeah, need to) care about the public, orz. So the only way would be to re-create the wheel - publicly.
I admit that quite some part of that is still undocumented. Eh.. hope @AHP_person and other guys could get it done.
Even if that is still a prototype, it is still a good beginning, no matter how poor it is now. Hope he gets some buddies helping him do that.
Even though I do know my question might likely be ignored.. Has any one of you dumped the bootrom? Or, say, are some keyslots "set by bootrom" not a prediction?
What kind of fault injection is supposed? An optical one? Still, thanks for those documents, and congrats on all your work, even if it is only proven privately.
I do know about those problems when deciding to publish something. If you think there are idiots everywhere (I admit, to some extent) you don't need to fight one.

Yeah, sometimes I would rather quote others instead. To not bother. Yeah, no release - don't tell those out of documents - or noob wave.

And, to all: if you feel hurt, sorry for that. Bye (zzzz)
 

mathieulh

Well, since the cat is out of the bag (kinda...), my idea (which has yet to be tested), which actually happens to be inspired by an existing xbox360 hack, is to pull the reset line for the ARM SOC for a shorter amount of time than the officially documented/required 5 clock cycles (cf. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3980.html ) in order to clear registers while having the ARM9 still running our code. This could be achieved as an automated and carefully timed process with a bit of soldering skill and an Arduino board.

The concept would be to run a loop that would copy ordinarily unmapped locations somewhere else in memory for later possible retrieval (somewhere that doesn't get overwritten after a reboot), as setting such a state on the CPU could potentially render it (and the whole system) quite unstable.

The idea relies on the fact that on most CPU architectures, one of the first steps performed during reset is clearing the registers; assuming the bootrom is a mask ROM that is mapped to memory which later becomes inaccessible when a specific register is set, if said register gets cleared the area should become accessible again (again, this is, at this point, theoretical until proven otherwise).

I wanted to try this first and, should it work, document it in a proper place (like a wiki) rather than on gbatemp. It appears I wasn't given much of a choice in this matter.

P.S. Yes, I am aware of the documented (on 3dbrew) exception vectors vulnerability; the hack referenced in my post, however, should it work, would be a lot easier to pull off.
 

mathieulh

> Calm down. Please don't mind that much.. You know what SALT Team is. They seldom release anything (yeah, mkey is done, and bootstrap).
> Not publicly discussed - not publicly proven. However, they don't (yeah, need to) care about the public, orz. So the only way would be to re-create the wheel - publicly.
> I admit that quite some part of that is still undocumented. Eh.. hope @AHP_person and other guys could get it done.
> Even if that is still a prototype, it is still a good beginning, no matter how poor it is now. Hope he gets some buddies helping him do that.

I personally have nothing against not releasing (or sometimes even not sharing), I have done so on multiple occasions in the past. To be quite honest, I am very impressed with SALT Team's work so far, they seem very competent and knowledgeable.

As I've always believed, someone's work is their work, it is up to the author of said work to chose whether or not they want to release something to the public, and certainly not up to the masses, while some people keep whining and can't understand the time it takes to actually perform a successful exploitation, or even to write/document/release something comprehensive/accessible to others, I do and I can't help but support developers who do hard work, no matter what they do with it.

Developers have lives and jobs and can't just make console hacking their daily job/activity on a whim, people need to remember that.
 

Shadowtrance

> Well, since the cat is out of the bag (kinda...), my idea (which has yet to be tested), which actually happens to be inspired by an existing xbox360 hack, is to pull the reset line for the ARM SOC for a shorter amount of time than the officially documented/required 5 clock cycles (cf. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3980.html ) in order to clear registers while having the ARM9 still running our code. This could be achieved as an automated and carefully timed process with a bit of soldering skill and an Arduino board.
>
> The concept would be to run a loop that would copy ordinarily unmapped locations somewhere else in memory for later possible retrieval (somewhere that doesn't get overwritten after a reboot), as setting such a state on the CPU could potentially render it (and the whole system) quite unstable.
>
> The idea relies on the fact that on most CPU architectures, one of the first steps performed during reset is clearing the registers; assuming the bootrom is a mask ROM that is mapped to memory which later becomes inaccessible when a specific register is set, if said register gets cleared the area should become accessible again (again, this is, at this point, theoretical until proven otherwise).
>
> I wanted to try this first and, should it work, document it in a proper place (like a wiki) rather than on gbatemp. It appears I wasn't given much of a choice in this matter.
>
> P.S. Yes, I am aware of the documented (on 3dbrew) exception vectors vulnerability; the hack referenced in my post, however, should it work, would be a lot easier to pull off.
So basically you're hoping to pull off an RGH-style attack on 3ds like the 360. Interesting indeed.
Would be pretty cool if it actually works; no idea what the reliability would be like, as I know it could be a real pain on the 360 with some consoles. Then again, there isn't a handful of different models/hardware configs with the 3ds to deal with either, unlike the 360.

Look forward to seeing more about your idea to be honest. :)
 

mathieulh

> So basically you're hoping to pull off an RGH-style attack on 3ds like the 360. Interesting indeed.

That's the idea, except the purpose is different as although the RGH relies on clearing registers, it does so to make a memcmp check pass (branch-if-register-equals-zero), my idea is rather to clear the CFG_SYSPROT9 register so that I can read the bootrom area.
 
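The register-clearing trick this post describes only works against a check whose "pass" value is exactly what a cleared register holds (memcmp() returning 0, then branch-if-zero). As an added illustration from the defender's side (example code written for this page, not anything from the thread or from the 3DS firmware, using constructed sample digests), the C below puts that naive check beside one hardened against the fault: the pass value is a non-trivial magic word, 0 is never a valid outcome, and two independent passes over the data must agree.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample digests (not real 3DS values): A is the reference,
 * B differs from A in its last byte only. */
#define DIGEST_LEN 16
static const uint8_t DIGEST_A[DIGEST_LEN] =
    {0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0xef,0xcd,0xab,0x89,0x67,0x45,0x23,0x01};
static const uint8_t DIGEST_B[DIGEST_LEN] =
    {0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0xef,0xcd,0xab,0x89,0x67,0x45,0x23,0x00};

/* Naive scheme: memcmp() result, then "branch if register equals zero".
 * The value a cleared register holds (0) is exactly the pass value. */
int verify_naive(const uint8_t *expected, const uint8_t *actual)
{
    return memcmp(expected, actual, DIGEST_LEN);
}
int naive_decide(int cmp_result) { return cmp_result == 0; }   /* 1 = accept */

/* Hardened scheme: "pass" is a magic word with many set bits, 0 and 1 are
 * never valid results, and two independent passes must agree. */
#define VERIFY_OK    0x5A3CC35AU
#define VERIFY_BAD   0xA5C33CA5U
#define VERIFY_FAULT 0xDEADFA17U
uint32_t verify_hardened(const uint8_t *expected, const uint8_t *actual)
{
    uint8_t diff_fwd = 0, diff_rev = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)          /* forward pass */
        diff_fwd |= expected[i] ^ actual[i];
    for (size_t i = DIGEST_LEN; i-- > 0;)             /* reverse pass */
        diff_rev |= expected[i] ^ actual[i];
    if (diff_fwd != diff_rev)
        return VERIFY_FAULT;          /* passes disagree: a fault, not a result */
    return (diff_fwd == 0) ? VERIFY_OK : VERIFY_BAD;
}
int hardened_decide(uint32_t r) { return r == VERIFY_OK; }   /* 0 is never "pass" */

/* Glitch model from the thread: the result register reads back as 0. */
#define CLEARED_REGISTER 0

int main(void)
{
    printf("naive:    mismatch=%d cleared-register=%d\n",
           naive_decide(verify_naive(DIGEST_A, DIGEST_B)), naive_decide(CLEARED_REGISTER));
    printf("hardened: mismatch=%d cleared-register=%d\n",
           hardened_decide(verify_hardened(DIGEST_A, DIGEST_B)), hardened_decide(CLEARED_REGISTER));
    return 0;
}
```

The naive decider accepts the cleared register as a match, the hardened one rejects it; the same idea (no all-zero or single-bit "success" encodings, redundant evaluation) is standard fault-injection hardening for secure-boot comparisons.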

Syphurith

> That's the idea, except the purpose is different as although the RGH relies on clearing registers, it does so to make a memcmp check pass (branch-if-register-equals-zero), my idea is rather to clear the CFG_SYSPROT9 register so that I can read the bootrom area.
I discussed the Wii(U?) RESET failure with others a while ago. And they told me that the 3ds SoC has only 1 RESET, so no such attack.
Yeah, but hope yours can do something smart. More thoughts would lead to more ways. Just filter out the "That stupid would never work" replies that give no reason.
 

mathieulh

> I discussed the Wii(U?) RESET failure with others a while ago. And they told me that the 3ds SoC has only 1 RESET, so no such attack.
> Yeah, but hope yours can do something smart. More thoughts would lead to more ways. Just filter out the "That stupid would never work" replies that give no reason.

Regarding only having one reset line, I expected as much; it makes more sense to have a single reset for the whole SOC that would reset the ARM9, ARM11 and the VRAM. The thing is, I am not trying to run code on the ARM11 while resetting the ARM9, as such a hack would fail for this very reason.

However, considering there is an external reset line that has to be pulled for a specific amount of time, wouldn't it obviously be tied to the actual ARM9 reset, and therefore wouldn't modifying the PLL (to down-clock the CPU and therefore increase the possible timing window) and pulling the reset line for a short amount of time (most likely a 10 to 20ns window) indirectly affect the ARM9 reset process?
 

Syphurith

> Regarding only having one reset line, I expected as much; it makes more sense to have a single reset for the whole SOC that would reset the ARM9, ARM11 and the VRAM. The thing is, I am not trying to run code on the ARM11 while resetting the ARM9, as such a hack would fail for this very reason.
> However, considering there is an external reset line that has to be pulled for a specific amount of ns, wouldn't it obviously be tied to the actual ARM9 reset, and therefore wouldn't modifying the PLL (to increase the possible timing window) and pulling the reset line for a short amount of time (probably anything between 10 to 20ns) indirectly affect the ARM9 reset process?
I even thought about giving it a mad clock, driving the PLL mad (even damaging it).
But now I would suggest you find yourself some papers about Fault Injection first, so you are technically equipped.
For example this: http://www.rroij.com/open-access/a-review-on-software-fault-injection-methods-and-tools.pdf
--------------------- MERGED ---------------------------
@mathieulh Sorry! I've given you a wrong paper. That's about software-type fault injection.
You could look for "Hardware Fault Injection". For example this: https://www.ece.cmu.edu/~ece749/docs/faultInjectionSurvey.pdf
And this looks good too: https://homepages.laas.fr/arlat/documents/99513/99513.pdf
BTW, it is suggested to search for more yourself, since I could give wrong advice..
EDIT: And don't be afraid to check those special technique names.. Hope something good is in there for you.
 

mathieulh

> I even thought about giving it a mad clock, driving the PLL mad (even damaging it).
> But now I would suggest you find yourself some papers about Fault Injection first, so you are technically equipped.
> For example this: http://www.rroij.com/open-access/a-review-on-software-fault-injection-methods-and-tools.pdf
> --------------------- MERGED ---------------------------
> @mathieulh Sorry! I've given you a wrong paper. That's about software-type fault injection.
> You could look for "Hardware Fault Injection". For example this: https://www.ece.cmu.edu/~ece749/docs/faultInjectionSurvey.pdf
> And this looks good too: https://homepages.laas.fr/arlat/documents/99513/99513.pdf
> BTW, it is suggested to search for more yourself, since I could give wrong advice..

Thanks! I was wondering about that first document xD
I will definitely give the hardware fault papers a good read.

Have you tried such an exploitation scheme on 3DS by any chance?
 

Syphurith

> Thanks! I was wondering about that (the first document) xD
> I will definitely give the hardware fault papers a good read.
> Have you tried such an exploitation scheme on 3DS by any chance?
No.. I'm a total noob with hardware. Sorry.
And to mention, the last paper is a good read, but it might be out of date, since it was published in 2003.
Try your luck finding some more, such as "invasive attack", "semi-invasive attack" or whatever; it would lead to a way of doing so.
 

Syphurith

@mathieulh And I have something to add to your list if you don't mind..
This Russian is quite an expert at reversing some chips.. http://www.cl.cam.ac.uk/~sps32/ All the hardware way.
There could be more guys if you find a better search term..
Unfortunately most hardware attacks are quite expensive? Oh, just the invasive/semi-invasive ones.
Hope you can find some good reading about non-invasive ones too.
 

AHP_person

> I admit that quite some part of that is still undocumented. Eh.. hope @AHP_person and other guys could get it done.
> Even if that is still a prototype, it is still a good beginning, no matter how poor it is now. Hope he gets some buddies helping him do that.
I'm trying to get some more buddies to help, but people with hard mods and the knowledge needed aren't easy to come by -0-.
 
