Homebrew ARM9Loader -- Technical Details and Discussion

Reisyukaku

Reisyukaku

Onii-sama~
Developer
Level 16
Joined
Feb 11, 2014
Messages
1,534
Trophies
2
Website
reisyukaku.org
XP
5,422
Country
United States
mathieulh said:
Well, since the cat is out of the bag (kinda...), my idea (which has yet to be tested), that actually happens to be inspired from an existing xbox360 hack, is to pull the reset line for the ARM SOC for a shorter amount of time than the officially documented/required 5 clock cycles (cf. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3980.html ) in order to clear registers while having the ARM9 still running our code, this could be achieved as an automated and carefully timed process with a bit of soldering skill and an adruino board.

The concept would be to run a loop that would copy ordinarily unmapped locations somewhere else in memory for a later possible retrieval (somewhere that doesn't get overwritten after a reboot), as setting such a state on the CPU could potentially render it (and the whole system) quite unstable.

The idea relies on the fact that on most cpu architectures, one of the first step performed during reset is clearing the registers; assuming the bootrom is a mask rom that is mapped to memory which then later becomes inaccessible when a specific register is set, if said register gets cleared the area should become accessible again (again, this is, at this point, theoretical until proven otherwise)

I wanted to try this first and, should it work, document it in a proper place (like a wiki) rather than on gbatemp. I appears I wasn't given much of a choice in this matter.

P.S. Yes, I am aware of the documented (on 3dbrew) exception vectors vulnerability, the hack referenced in my post however, should it work, would be a lot easier to pull off.
Click to expand...
This sounds like a similar idea to what me and friends discussed for our bootrom ideas.

AHP_person said:
I'm trying to get some more buddies to do the work for me, but people with hard mods and the knowledge needed aren't easy to come by -0-.
Click to expand...
(^:
 
  • Like
Reactions: kiwiis, Xenon Hacks, Syphurith and 2 others
S

Syphurith

Beginner
Member
Level 3
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Suiginou said:
Go do your own fucking work, leaker.
Click to expand...
Well please don't be so serious.. would you? I admit he leaked the work of Roxas, and i even recovered some of those from binary before.
To have something claimed should always happen after having it done. I'm not here to offend you, (dont believed? quite sorry) you (might) know.
He has achived arm9loaderhax and checked if it is or not in a werid (and clever) way, orz. You can not say a guy won't change.
Even before reading his tweet I thought something similar about him. And that made me down-looked his ability.
Reisyukaku said:
This sounds like a similar idea to what me and friends discussed for our bootrom ideas.
(^:
Click to expand...
Hi Rei how about the result of your discussion before? Is that something similar to "1 RESET so no" or some reasons else?
I read quite some representations of CCC about console hacking, and crypto attack, after 32C3 that good talk.
Unfortunately those aren't related to chip attacking much. What i could find is just some DPA(Differential Power Analysis) and MicroProbing.
Thanks for your effort on those keyslots! now this arm9loaderhax might be portable to another console.
--------------------- MERGED ---------------------------
@mathieulh They used to post about details on 3dbrew, yes. And if you wanna keep it for a while, you might post on your own blog? nocash may be interested in such thing.
 
Reisyukaku

Reisyukaku

Onii-sama~
Developer
Level 16
Joined
Feb 11, 2014
Messages
1,534
Trophies
2
Website
reisyukaku.org
XP
5,422
Country
United States
Syphurith said:
Well please don't be so serious.. would you? I admit he leaked the work of Roxas, and i even recovered some of those from binary before.
To have something claimed should always happen after having it done. I'm not here to offend you, (dont believed? quite sorry) you (might) know.
He has achived arm9loaderhax and checked if it is or not in a werid (and clever) way, orz. You can not say a guy won't change.
Even before reading his tweet I thought something similar about him. And that made me down-looked his ability.

Hi Rei how about the result of your discussion before? Is that something similar to "1 RESET so no" or some reasons else?
I read quite some representations of CCC about console hacking, and crypto attack, after 32C3 that good talk.
Unfortunately those aren't related to chip attacking much. What i could find is just some DPA(Differential Power Analysis) and MicroProbing.
Thanks for your effort on those keyslots! now this arm9loaderhax might be portable to another console.
--------------------- MERGED ---------------------------
@mathieulh They used to post about details on 3dbrew, yes. And if you wanna keep it for a while, you might post on your own blog? nocash may be interested in such thing.
Click to expand...
Well to the first thing, i think Suiginou is talking about more than just rx stuff lol.

Secondly, the idea was built around the hardware fault injection idea, but i dont want to say too much lol
 
  • Like
Reactions: kiwiis and Syphurith
S

Syphurith

Beginner
Member
Level 3
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Reisyukaku said:
Well to the first thing, i think Suiginou is talking about more than just rx stuff lol.
Secondly, the idea was built around the hardware fault injection idea, but i dont want to say too much lol
Click to expand...
Thanks for reply. I know Suiginou is talking about Roxas.. Hardware fault injection.. Yeah get enough facilities first, I was just speculation..
Still quite pity that i can not have you invited into a chat room yesterday.. Maybe some days after. Hope your developments go well.
 
Reisyukaku

Reisyukaku

Onii-sama~
Developer
Level 16
Joined
Feb 11, 2014
Messages
1,534
Trophies
2
Website
reisyukaku.org
XP
5,422
Country
United States
Syphurith said:
Thanks for reply. I know Suiginou is talking about Roxas.. Hardware fault injection.. Yeah get enough facilities first, I was just speculation..
Still quite pity that i can not have you invited into a chat room yesterday.. Maybe some days after. Hope your developments go well.
Click to expand...
Chatroom? :x
 
  • Like
Reactions: Syphurith
S

Syphurith

Beginner
Member
Level 3
Joined
Mar 8, 2013
Messages
641
Trophies
0
Location
Xi'an, Shaanxi Province
XP
364
Country
Switzerland
Reisyukaku said:
Chatroom? :x
Click to expand...
Isn't a conversation a chat room that with logs.. So i don't need to find an irc bot or something. You can try open such one on gbatemp too to contact with other..
BTW have you got a copy of leaked IDA pro 6.8? Try find it via Google. Yeah this is some kind of offtopic.
A big problem for arm9loaderhax is now how to load a big payload, the NAND read or what SDMMC sucks.
 
Last edited by Syphurith,
Reisyukaku

Reisyukaku

Onii-sama~
Developer
Level 16
Joined
Feb 11, 2014
Messages
1,534
Trophies
2
Website
reisyukaku.org
XP
5,422
Country
United States
cpasjuste said:
Yep I understand that, but then I just have to dump the otp memory region ? From arm9 ? It's that "simple" ? If I make a mistake and dump a bad region, is this " dangerous" for the device when executing the hack ? :)
Click to expand...
Yea, its not locked so just dump from arm9. The catch is that proc9 hooks dont seem to work so your best bet is fatfs. Personally i just wrote a payload ontop of 'load.bin' that normmatt's cubic ninja payload runs.
 
C

cpasjuste

Well-Known Member
Member
Level 14
Joined
Aug 27, 2015
Messages
1,108
Trophies
1
Age
44
XP
4,483
Country
France
Reisyukaku said:
Yea, its not locked so just dump from arm9. The catch is that proc9 hooks dont seem to work so your best bet is fatfs. Personally i just wrote a payload ontop of 'load.bin' that normmatt's cubic ninja payload runs.
Click to expand...
OK, many thanks for the clarification :)

I didn't get that I would need cubic, what a shame I gave mine a few weeks ago to a friend (far from me)... stupid me. I guess I'll have to wait to find a cheap one or for another entry.

Thanks again.
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Hardware  New Nintendo 3DS XL Louvre

What's the best 3DS emulator (especially after Citra's shutdown)?

Tutorial  How to fix 007-2001

can't download system files on citra because im "not connected to the internet"

So what's the current state of hacking and freeshop?

gacube emeleter

Hacking Homebrew  Animal Crossing New Leaf (ACNL) help: data corrupt??

Hacking  Can you install a legit cia and keep the game? + Question about 3ds modding

General chit-chat
Help Users
    BigOnYa @ BigOnYa: Scratch n sniff