Homebrew ARM9Loader -- Technical Details and Discussion

Thread starter: Selver
OK, many thanks for the clarification :)

I didn't get that I would need cubic, what a shame I gave mine a few weeks ago to a friend (far from me)... stupid me. I guess I'll have to wait to find a cheap one or for another entry.

Thanks again.
Umm, there are no other ways, unless someone wants to waste countless hours to make a mset exploit, if that's even possible. Most people won't be bothered because, well, CN is already there.
 
The fastest way is to downgrade to 1.0.
But how would one find 1.0 firmware (e.g., search strings of interest)?

The closest I've ever seen is 2.0E (which admittedly could work with an appropriate secureinfo_a.bin)?
Is there a 1.0U version in a well-known place?
 
But how would one find 1.0 firmware (e.g., search strings of interest)?

The closest I've ever seen is 2.0E (which admittedly could work with an appropriate secureinfo_a.bin)?
Is there a 1.0U version in a well-known place?
Just get a NAND dump from a 1.0 device. Shrug.
 
But how would one find 1.0 firmware (e.g., search strings of interest)?

The closest I've ever seen is 2.0E (which admittedly could work with an appropriate secureinfo_a.bin)?
Is there a 1.0U version in a well-known place?
Worth noting that downgrading to 1.0 to dump the OTP requires a copy of Cubic Ninja (and I've heard that the 2.0E pack that's available online is broken). A few people in #cakey on freenode are trying to get ARM9 execution via the browser from 2.0/2.1, mixed results so far, and no-one seems to have a copy of spider v1024 for Europe.
 
Umm, there are no other ways, unless someone wants to waste countless hours to make a mset exploit, if that's even possible. Most people won't be bothered because, well, CN is already there.

Well, with my very little hacking knowledge and from what I understand (and a nice but very succinct PM), on N3DS we could use the "uncleared OTP hash SHA flaw" without having to have CN or downgrade. I'm not a bad coder (I think), but unfortunately I do not have enough knowledge to go beyond.

That said, I'm not sure yet why people are still keeping this private. It's like you need this and this, but I guess we just need a piece of code to do so... I'd really like to play with this, but well... People are still acting like kids on the 3DS scene, it seems, I mean keeping things private so you are the one(s) ;), which is nonsense to me at this point.
 
Last edited by cpasjuste
Well, with my very little hacking knowledge and from what I understand (and a nice but very succinct PM), on N3DS we could use the "uncleared OTP hash SHA flaw" without having to have CN or downgrade. I'm not a bad coder (I think), but unfortunately I do not have enough knowledge to go beyond.
That requires some external hardware, too, connected to the I2C and repeatedly resetting the 3DS, attempting to bruteforce arm9loaderhax with different key data each time. Dazzozo said it took the first 3DS he tried it on several days of running before it worked.
 
That requires some external hardware, too, connected to the I2C and bruteforcing arm9loaderhax by repeatedly resetting the 3DS and attempting to run with different key data each time. Dazzozo said it took the first 3DS he tried it on several days of running before it worked.
Oh, well then I apologize for my last post :)
That said, the last part of my post is still valid; even the downgrade way should be disclosed so we can all have fun. (This way is maybe possible with my knowledge, though, so I may take a try someday, but my time is very limited.)

Example:
- downgrade to < 3.0 by trial and error
- get a copy of CN (arg :x)
- write some ARM9 code to get the OTP hash

The thing is, people with knowledge are together; when you are alone (and with limited knowledge) it's not the same...
 
Last edited by cpasjuste
That said, the last part of my post is still valid; even the downgrade way should be disclosed so we can all have fun.
The downgrade method is effectively already public knowledge. For O3DS it's just a matter of downgrading normally. For N3DS, you have to account for the different crypto between new and old 3DS (as said here http://3dbrew.org/wiki/3DS_System_Flaws#Kernel9, essentially just reencrypting CTRNAND with keyslot 0x4 instead of 0x5 and swapping the NCSD header for that of one taken from an O3DS). Then it's just a "simple" matter of getting ARM9 execution and dumping the region from ARM9 memory. Normmatt's already posted QR codes for running ARM9 code on 1.0-2.1 with Cubic Ninja, and like I said, some devs in 'cakey are trying to get the same on 2.1 using spider (work in progress here https://github.com/b1l1s/2xrsa).
 
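Vappy's N3DS step above (re-encrypt CTRNAND with the keyslot 0x04 key instead of the 0x05 one, then fix up the NCSD header) is the part a reader is most likely to get wrong, so here is a worked example. It is added by the editor and is not code from this thread or from any of the tools mentioned. It assumes the NCSD layout as 3dbrew describes it ("NCSD" magic at 0x100, one crypt-type byte per partition at 0x118, a partition table of (offset, length) u32 pairs in 0x200-byte media units at 0x120, CTRNAND at partition index 4, crypt type 2 = keyslot 0x04 and 3 = keyslot 0x05) and assumes the CTRNAND counter is the first 16 bytes of SHA-256(NAND CID) plus offset/16. The CID and the two keys are constructed stand-ins, since the real ones are console-unique and not on this page; the example patches the crypt-type byte rather than swapping in a whole O3DS header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// NCSD field offsets and values as assumed from 3dbrew (not from this thread).
const (
	mediaUnit     = 0x200 // partition table units
	ncsdMagicOff  = 0x100
	cryptTypeOff  = 0x118 // one byte per partition
	partTableOff  = 0x120 // (offset, length) u32 LE pairs
	ctrNandIndex  = 4
	cryptTypeO3DS = 2 // keyslot 0x04
	cryptTypeN3DS = 3 // keyslot 0x05
)

// CtrNandCounter: first 16 bytes of SHA-256(CID) plus offset/16, big-endian
// (assumed derivation; real CID and keys are console-unique).
func CtrNandCounter(cid []byte, offset uint64) []byte {
	h := sha256.Sum256(cid)
	ctr := make([]byte, 16)
	copy(ctr, h[:16])
	add128(ctr, offset/16)
	return ctr
}

// add128 adds n to a 128-bit big-endian counter in place.
func add128(ctr []byte, n uint64) {
	carry := n
	for i := 15; i >= 0 && carry != 0; i-- {
		s := uint64(ctr[i]) + (carry & 0xff)
		ctr[i] = byte(s)
		carry = (carry >> 8) + (s >> 8)
	}
}

// RekeyCTR moves AES-CTR data from keyOld to keyNew under the same counter:
// strip the old keystream, apply the new one. The plaintext is never stored.
func RekeyCTR(data, ctr, keyOld, keyNew []byte) ([]byte, error) {
	old, err := aes.NewCipher(keyOld)
	if err != nil {
		return nil, err
	}
	nw, err := aes.NewCipher(keyNew)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(old, ctr).XORKeyStream(out, data)
	cipher.NewCTR(nw, ctr).XORKeyStream(out, out)
	return out, nil
}

// ctrNandExtent reads the CTRNAND byte offset and size from the header.
func ctrNandExtent(image []byte) (off, size uint64, err error) {
	if len(image) < partTableOff+64 || string(image[ncsdMagicOff:ncsdMagicOff+4]) != "NCSD" {
		return 0, 0, errors.New("not an NCSD image")
	}
	e := partTableOff + ctrNandIndex*8
	off = uint64(binary.LittleEndian.Uint32(image[e:])) * mediaUnit
	size = uint64(binary.LittleEndian.Uint32(image[e+4:])) * mediaUnit
	if size == 0 || off+size > uint64(len(image)) {
		return 0, 0, errors.New("CTRNAND extent outside image")
	}
	return off, size, nil
}

// RekeyCTRNAND rewrites an N3DS image in place so CTRNAND is under the keyslot
// 0x04 key and the header's crypt-type byte says so. Refuses images that are
// not marked keyslot 0x05, so a second run cannot double-rekey and brick.
func RekeyCTRNAND(image, cid, keyN3DS, keyO3DS []byte) error {
	off, size, err := ctrNandExtent(image)
	if err != nil {
		return err
	}
	if image[cryptTypeOff+ctrNandIndex] != cryptTypeN3DS {
		return errors.New("CTRNAND is not marked as keyslot 0x05 encrypted")
	}
	re, err := RekeyCTR(image[off:off+size], CtrNandCounter(cid, off), keyN3DS, keyO3DS)
	if err != nil {
		return err
	}
	copy(image[off:], re)
	image[cryptTypeOff+ctrNandIndex] = cryptTypeO3DS
	return nil
}

// DecryptCTRNAND returns the CTRNAND plaintext under key, for verification.
func DecryptCTRNAND(image, cid, key []byte) ([]byte, error) {
	off, size, err := ctrNandExtent(image)
	if err != nil {
		return nil, err
	}
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, size)
	cipher.NewCTR(b, CtrNandCounter(cid, off)).XORKeyStream(out, image[off:off+size])
	return out, nil
}

// BuildSampleImage constructs a toy NAND: a 0x200-byte header, then CTRNAND
// at media unit 1 encrypted under key with the N3DS crypt type set.
func BuildSampleImage(plain, cid, key []byte) []byte {
	img := make([]byte, mediaUnit+len(plain))
	copy(img[ncsdMagicOff:], "NCSD")
	img[cryptTypeOff+ctrNandIndex] = cryptTypeN3DS
	e := partTableOff + ctrNandIndex*8
	binary.LittleEndian.PutUint32(img[e:], 1)
	binary.LittleEndian.PutUint32(img[e+4:], uint32(len(plain)/mediaUnit))
	b, _ := aes.NewCipher(key)
	cipher.NewCTR(b, CtrNandCounter(cid, mediaUnit)).XORKeyStream(img[mediaUnit:], plain)
	return img
}

func main() {
	cid, keyN3DS, keyO3DS := []byte("constructed-CID!"), []byte("keyslot05-stand-"), []byte("keyslot04-stand-")
	plain := make([]byte, 2*mediaUnit)
	for i := range plain {
		plain[i] = byte(i * 7)
	}
	img := BuildSampleImage(plain, cid, keyN3DS)
	if err := RekeyCTRNAND(img, cid, keyN3DS, keyO3DS); err != nil {
		panic(err)
	}
	got, _ := DecryptCTRNAND(img, cid, keyO3DS)
	fmt.Println("crypt type:", img[cryptTypeOff+ctrNandIndex], "plaintext preserved:", string(got) == string(plain))
}
```

Because CTR mode is a keystream XOR, the rekey never needs to write decrypted CTRNAND to disk, and the counter is tied to the partition's byte offset, so moving the partition or using the wrong CID silently produces garbage rather than an error: verify with a known-plaintext read (as DecryptCTRNAND does here) before flashing anything.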
The downgrade method is effectively already public knowledge. For O3DS it's just a matter of downgrading normally. For N3DS, you have to account for the different crypto between new and old 3DS (as said here http://3dbrew.org/wiki/3DS_System_Flaws#Kernel9, essentially just reencrypting CTRNAND with keyslot 0x4 instead of 0x5 and swapping the NCSD header for that of one taken from an O3DS). Then it's just a "simple" matter of getting ARM9 execution and dumping the region from ARM9 memory. Normmatt's already posted QR codes for running ARM9 code on 1.0-2.1 with Cubic Ninja, and like I said, some devs in 'cakey are trying to get the same on 2.1 using spider (work in progress here https://github.com/b1l1s/2xrsa).
Yep yep! Thanks Vappy. For me it's the best directions I've had here :) (which should be enough)

Edit: thanks again Vappy, I really appreciate your post :)
 
Last edited by cpasjuste
But how would one find 1.0 firmware (e.g., search strings of interest)?

The closest I've ever seen is 2.0E (which admittedly could work with an appropriate secureinfo_a.bin)?
Is there a 1.0U version in a well-known place?
I had a mission to ask GBAtempers to help me get 1.0 dumps, but that quickly exploded into, well, an awful thing... Good luck though. I mean, I have like 10 consoles, all with OTPs dumped, with all different regions, but I refuse to help others now ;) Good luck with that request haha
 
I had a mission to ask GBAtempers to help me get 1.0 dumps, but that quickly exploded into, well, an awful thing... Good luck though. I mean, I have like 10 consoles, all with OTPs dumped, with all different regions, but I refuse to help others now ;) Good luck with that request haha
:( Where's the "don't like" button? lol :P
 
Didn't they say the arm9loaderhax required hardware? If so, would it be unfixable by firmware? Kind of like a bootrom iOS jailbreak that can only get fixed if a new gen of iOS devices gets released?
In reality, you can probably do a risky procedure through software if you can get arm9 exec. It's not recommended, but it's possible.
 
Didn't they say the arm9loaderhax required hardware? If so, would it be unfixable by firmware? Kind of like a bootrom iOS jailbreak that can only get fixed if a new gen of iOS devices gets released?
The original arm9loaderhax required a hardware mod to bruteforce, but the current implementation can use OTP data to eliminate the need for that. You can downgrade to 1.0/2.x to dump it, no hardware required, but like AHP_person says, it's not recommended. Far too easy to brick, so having a NAND mod makes it much safer.
 
Last edited by Vappy
I have multiple 3DSes I'd be happy to help :D
Well, it's not really a project I'm willing to put time into, but it's definitely possible. DG to a low enough firmware for OTP, dump it, then restore a NAND backup through a simple ARM9 payload. Then you can install a9lh with another ARM9 payload. On an N3DS, it'd probably be safer to have a hard-mod.

EDIT: Ninja'd
 
Well, it's not really a project I'm willing to put time into, but it's definitely possible. DG to a low enough firmware for OTP, dump it, then restore a NAND backup through a simple ARM9 payload. Then you can install a9lh with another ARM9 payload. On an N3DS, it'd probably be safer to have a hard-mod.

EDIT: Ninja'd
I'll be doing a hard mod (WHEN WILL MY PARTS COME, DAMNIT). I will try to fix my bricked N3DS with it, then downgrade to 1.0. However, would the N3DS XL know how to handle the 1.0 firmware, since it didn't come with it?
 
And like I said, if you have a copy of Cubic Ninja, it's pretty possible to pull it off right now. The rest of us are hoping that spider works. And if anyone here does happen to have a copy of spider EUR v1024 (from a console on version x.x.x-4, -5 or -6), would be a big help. :P
I'll be doing a hard mod (WHEN WILL MY PARTS COME, DAMNIT). I will try to fix my bricked N3DS with it, then downgrade to 1.0. However, would the N3DS XL know how to handle the 1.0 firmware, since it didn't come with it?
There's multiple sources of video evidence of a N3DS booting 1.0.0, on ahp_person's twitter for example. 'All' it takes is some crypto fuckery, as I mentioned above.
 
And like I said, if you have a copy of Cubic Ninja, it's pretty possible to pull it off right now. The rest of us are hoping that spider works. And if anyone here does happen to have a copy of spider EUR v1024 (from a console on version x.x.x-4, -5 or -6), would be a big help. :P

There's multiple sources of video evidence of a N3DS booting 1.0.0, on ahp_person's twitter for example. 'All' it takes is some crypto fuckery, as I mentioned above.
Yuck, crypto. I hate that word.
 