This thread is intended to spur discussion about whether it would be both feasible and relatively easy to automate ARM9Loader brute-forcing. I'll update the first post as major updates / answers arrive.
It might not be practical at the moment, given progress made in other areas.
However, future units shipping with 10.5+ might exclude other attack vectors.
Here's a set of presumptions I have... basically what I think I understand:
I2C can be used to reboot the unit
GPIO pins can be used to write to the NAND
Homebrew/payloads can send messages via I2C
Homebrew/payloads can write memory with hax instructions
Homebrew/payloads can overwrite exception vectors to point to hax instructions
Reboot does not clear memory
Would the following be an avenue that an attacker could use to automate / brute force ARM9Loader into branching into their own exception vector?
Hardmod to dump NAND
Additional Hardmod to expose I2C externally
Create two custom payloads:
"I2C/OTP" payload, which would send a message via I2C, then dump OTP, then send a second message via I2C
"PrepHax" payload, which would send a message via I2C, overwrite the exception vectors to point to I2C/OTP payload, and then send a second message via I2C
Set up N3DS to auto-boot the "PrepHax" payload, such as via Theme
Have RPI2 set up to write NAND via GPIO
Connect the N3DS I2C to RPI2's I2C
Connect the N3DS DAT0/CLK/CMD to RPI2's GPIO
Initialize I2C in multi-master mode, exposing both slave and master
Set DAT0/CLK/CMD to not interfere with boot (float?)
Reboot via I2C, wait for timeout or an I2C message indicating Hax stage
I2C messages:
PrepHax started -- set another timeout, things are progressing
PrepHax complete -- reboot with sector 150 updated to next test values
I2C/OTP started -- set another timeout, things are progressing
I2C/OTP complete -- HALT! Potentially usable magic value found!
Timeouts (based on last I2C message):
PrepHax started -- memory not reliably set, random hax failure? Just reboot via I2C
PrepHax complete -- not usable special sector, reboot with sector 150 updated
I2C/OTP started -- Log as 'potential' values for sector 150, then reboot with sector 150 updated
If nothing technical prevents this from working, this would seem to reduce the complexity of the brute-force method.
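The RPI2 side of the scheme above is essentially a small state machine: the only inputs are the four I2C messages and the absence of one before a deadline, and the only outputs are "wait", "reboot with the same sector 150", "reboot with the next test values", "log as potential" and "halt". As an added example (not code from the thread or from any 3DS project), here is a Python simulation of that decision logic. The message names and the message/timeout actions follow the post; the mock 3DS, the candidate values and two choices the post leaves open (what to do on a timeout before any message has been heard, and how a silent boot after a logged "potential" value is classified) are constructed assumptions.

```python
from enum import Enum


class Msg(Enum):
    """I2C messages the two payloads send, plus the absence of one (timeout)."""
    PREPHAX_STARTED = "PrepHax started"
    PREPHAX_COMPLETE = "PrepHax complete"
    OTP_STARTED = "I2C/OTP started"
    OTP_COMPLETE = "I2C/OTP complete"
    TIMEOUT = "timeout"


class Action(Enum):
    WAIT = "set another timeout, things are progressing"
    REBOOT_SAME = "reboot via I2C with sector 150 unchanged"
    REBOOT_NEXT = "reboot with sector 150 updated to next test values"
    LOG_AND_NEXT = "log current values as 'potential', then reboot with next values"
    HALT = "HALT: potentially usable magic value found"


# Actions on a received message, as listed in the post.
ON_MESSAGE = {
    Msg.PREPHAX_STARTED: Action.WAIT,
    Msg.PREPHAX_COMPLETE: Action.REBOOT_NEXT,
    Msg.OTP_STARTED: Action.WAIT,
    Msg.OTP_COMPLETE: Action.HALT,
}

# Actions on a timeout, keyed by the last message received, as listed in the post.
ON_TIMEOUT = {
    None: Action.REBOOT_SAME,  # assumption: nothing heard at all yet, just retry the boot
    Msg.PREPHAX_STARTED: Action.REBOOT_SAME,
    Msg.PREPHAX_COMPLETE: Action.REBOOT_NEXT,
    Msg.OTP_STARTED: Action.LOG_AND_NEXT,
}


def decide(last_msg, event):
    """Map (last message heard, new event) to the controller's next action."""
    if event is Msg.TIMEOUT:
        return ON_TIMEOUT[last_msg]
    return ON_MESSAGE[event]


def make_mock_3ds(magic, partial, flaky):
    """Constructed stand-in for the console: the events the RPI2 hears after a reboot.

    magic   - the one sector value that makes the loader branch into the vector
    partial - values for which the I2C/OTP payload starts but never completes
    flaky   - values whose first boot fails before PrepHax finishes (simulates
              memory not being reliably set); each fails once, then boots normally
    """
    flaky = set(flaky)

    def boot(sector_value):
        if sector_value == magic:
            return [Msg.OTP_STARTED, Msg.OTP_COMPLETE]
        if sector_value in partial:
            return [Msg.OTP_STARTED, Msg.TIMEOUT]
        if sector_value in flaky:
            flaky.discard(sector_value)
            return [Msg.PREPHAX_STARTED, Msg.TIMEOUT]
        return [Msg.PREPHAX_STARTED, Msg.PREPHAX_COMPLETE]  # normal boot, no branch

    return boot


def run_campaign(candidates, boot, max_boots=1000):
    """Drive the reboot loop over candidate sector 150 values until HALT or exhaustion."""
    potential, last, idx, boots = [], None, 0, 0
    while boots < max_boots:
        boots += 1
        for event in boot(candidates[idx]):
            action = decide(last, event)
            if event is not Msg.TIMEOUT:
                last = event
            if action is Action.WAIT:
                continue
            if action is Action.HALT:
                return {"found": candidates[idx], "potential": potential, "boots": boots}
            if action is Action.LOG_AND_NEXT:
                potential.append(candidates[idx])
            if action in (Action.REBOOT_NEXT, Action.LOG_AND_NEXT):
                idx += 1
                # Assumption: after moving on, a silent boot means "not usable",
                # not another "potential", so treat it like the PrepHax-complete case.
                last = Msg.PREPHAX_COMPLETE
                if idx == len(candidates):
                    return {"found": None, "potential": potential, "boots": boots}
            break  # any reboot action ends this boot's event stream
    return {"found": None, "potential": potential, "boots": boots}


if __name__ == "__main__":
    # Constructed sample: 0x20 starts the OTP payload but stalls, 0x30 boots flaky once,
    # 0x40 is the value that works.
    boot = make_mock_3ds(magic=0x40, partial={0x20}, flaky={0x30})
    print(run_campaign([0x10, 0x20, 0x30, 0x40, 0x50], boot))
```

The point of the simulation is the timeout table: the same silence is classified three different ways depending on the last message heard, and the "I2C/OTP started" then silence case is the interesting one, since it means the loader did branch into the vector but the payload did not finish, which is why the post logs those values rather than discarding them. Note that the post's table leaves the controller's state after a reboot implicit; the reset to the PrepHax-complete state above is one way to make that explicit, and a real controller would also want a retry cap on the "reboot with the same values" path so a unit that never boots cannot loop forever.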
From a theoretical point of view I don't see anything preventing this. Am I not considering something vital? This seems a really fun task; if I wasn't stuck with an o3ds I would try to pursue this way myself.
The question is how low the bar actually is, not including initial development time. Can this be done with only RPI2, without additional electronic circuitry (voltage converters, resistors, capacitors, transistors, etc.)?
Most eMMC devices also support SPI mode, if the RPI2 isn't easily able to control the device using CMD/CLK/DAT0. Question: Has anyone discovered which test points correspond to the I2C bus on the various 3DS models (2DS, O3DS, O3DS XL, N3DS, N3DS XL)?