Toggle sidebar

Homebrew ARM9Loader -- Technical Details and Discussion

  • Thread starter Thread starter Selver
  • Start date Start date
  • Views Views 570,641
  • Replies Replies 4,025
  • Likes Likes 42
dark_samus3 said:
Actually, you could just not use the OTP data... Change a byte in the secret sector and hope it works, if it doesn't try again and again until you get a jump to the payload (which is more likely than you'd think) once you get the jump to the payload you'd just need a payload to do the unbricking
Click to expand...
Raspberry pie hardmod to nand right? And what does OTP stand for?
 
couldn't we theoretically do the brute forcing for the otp hash directly on the 3ds, by simply simulating the encryption and checking the result?
 
AHP_person said:
The screen won't turn on at all, if that's what you're looking for. If you get something to do a firmlaunch or force a shut down, that's usually a good sign.
Click to expand...
screeninits are not yet public, don't expect them to magically work without a payload
also, an hardmod is not mandatory. I did it on a o3ds without hardmod just fine. on n3ds, instead, it would be better to have it, since you need to edit the header manually and there's an high chance of messing up

RednaxelaNnamtra said:
couldn't we theoretically do the brute forcing for the otp hash directly on the 3ds, by simply simulating the encryption and checking the result?
Click to expand...
yes, someone did it and it took 4 days. you need external hardware anyway
 
Last edited by ketal,
RednaxelaNnamtra said:
Do we realy need to know it? We know how the arm9 loader decrypts the secret sector and what its contend is, can't we use arm9 to bruteforce the hash until the secret sector get decrypted properly?
Click to expand...
I mean if you wanna bruteforce 256 bits then go ahead.... you'll be there awhile though
 
  • Like
Reactions: capito27
So, is this the currently accepted and canon O3DS downgrade-to-2.1 procedure?
  1. Make a sysNAND backup with Decrypt9 or Gateway.
  2. Install the good ol' 4.x mset pasta in mset.
  3. Use Gateway launcher to downgrade to 4.x.
  4. Clone sysNAND to a new emuNAND.
  5. Use sysUpdater to downgrade to 2.1 on the emuNAND.
  6. If the downgrade succeeded, write the emuNAND to sysNAND (after stitching the NCSD header back in). Else, rewrite the emuNAND and retry until you no longer have a partial.
  7. Use ARM9 stuff (Cubic Ninja is public, apparently the cakes guys are working on something based on 2.1 spider with no success) to dump the OTP region to SD card.
  8. Use ARM9 stuff to restore a sysNAND backup to get back to the original firmware. Alternatively, use ARM9 stuff to implement minipasta on 2.1 and run sysUpdater to get back (which must be recompiled to have matching kernel version stuff, and even then it's dubious whether ctrulib things really will work on 2.1).
Did I miss anything?
capito27 said:
if only the hashing algorithm was known....
Click to expand...
SHA-256(buf=0x10012000, size=0x90). So if you wanna brute-force 0x90 bytes of stuff to get the right SHA-256 hash, be my guest. (Pro tip: 16 bytes are currently only feasible with quantum computers, 32 bytes is considered quantum-proof right now)
 
Last edited by Suiginou,
Vappy said:
For anyone who's already got it installed, here's a Very Tiny Payload, essentially just patois' helloARM9 with draw functions taken out. Waits for a button press then powers down. Maybe since it doesn't touch the screen, it'll actually work. :D
Click to expand...
Psi-Hate tested this successfully, which means payloads that don't do anything with the screen should work(?).
 
  • Like
Reactions: Psi-hate
Suiginou said:
So, is this the currently accepted and canon O3DS downgrade-to-2.1 procedure?

  1. Make a sysNAND backup with Decrypt9 or Gateway.
  2. Install the good ol' 4.x mset pasta in mset.
  3. Use Gateway launcher to downgrade to 4.x.
  4. Clone sysNAND to a new emuNAND.
  5. Use sysUpdater to downgrade to 2.1 on the emuNAND.
  6. If the downgrade succeeded, write the emuNAND to sysNAND (after stitching the NCSD header back in). Else, rewrite the emuNAND and retry until you no longer have a partial.
  7. Use ARM9 stuff (Cubic Ninja is public, apparently the cakes guys are working on something based on 2.1 spider with no success) to dump the OTP region to SD card.
  8. Use ARM9 stuff to restore a sysNAND backup to get back to the original firmware. Alternatively, use ARM9 stuff to implement minipasta on 2.1 and run sysUpdater to get back (which must be recompiled to have matching kernel version stuff, and even then it's dubious whether ctrulib things really will work on 2.1).

Did I miss anything?
Click to expand...
It's not necessary to use emunand but I suppose it'd work.
Here's how I did it (Without all the messups and complications inbetween)

1: Create Sysnand backup via decrypt9
2: Downgrade via gateway launcher
3: Load up ninjhax1 and run pasta and downgrade to 2.1 via sysupdater
4: Create a blank OTP.bin file and place it in the root of your SD card and run the QR code with the proper code.bin and load.bin
5: Update back to 4.5 via gamecard and then restore nand backup via decrypt9
 
Psi-hate said:
It's not necessary to use emunand but I suppose it'd work.
Here's how I did it (Without all the messups and complications inbetween)

1: Create Sysnand backup via decrypt9
2: Downgrade via gateway launcher
3: Load up ninjhax1 and run pasta and downgrade to 2.1 via sysupdater
4: Create a blank OTP.bin file and place it in the root of your SD card and run the QR code with the proper code.bin and load.bin
5: Update back to 4.5 via gamecard and then restore nand backup via decrypt9
Click to expand...
I don't know if it can be useful or working but when I looked at arm9loader sources on github I noticed the secondary payload is looking for "NAND.BIN" on SD and if found, write it to NAND.
 
DigitalJosee said:
Have you loaded any homebrew/CFW with this loader?
Or, atm, this's just experimental?
Click to expand...
We're working on getting payloads to work properly. We have payloads that are comfirmed working but that's about it. We are almost getting screeninit and all that good stuff. Once we have that, we're basically set. I think we can get payloads running as long as they don't touch the screen. @Reisyukaku got Reinand working. I'm about to test it rn.
 
Vappy said:
Psi-Hate tested this successfully, which means payloads that don't do anything with the screen should work(?).
Click to expand...
Unfortunately it seems that firmlaunching doesn't work :( we got a ReiNAND payload going, got it booting (as evidenced by it creating a "firmware_patched.bin" file on the SD card, but it wouldn't launch the firm :(
 
  • Like
Reactions: Xenon Hacks and peteruk

Site & Scene News

Go to forum More news

Popular threads in this forum

Help on 3DS prices...

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Hardware  2 Broken 3DSes, need help

Website for finding alternative games for 3DS

GodMode9 wont launch, holding START just goes to home screen

Homebrew  My Secret World DS: is there a way to bypass the password lock?

Homebrew Homebrew app  [Release] GridLauncher Rosalina

please help, wont boot