Homebrew [Question] Cracking the BOOTROM?

[survive9]

Let's say someone manages to crack the BOOTROM security someday. What would that allow us to do that we can't do even now? From what I heard it allows us to get the normal keys but idk what all of them would be useful for.

 

[Deleted member 373223]

otp dumping a coldboot... nothing else.

--------------------- MERGED ---------------------------

otp dumping a coldboot... nothing else.

nothing else that a9lh doesn't already allow us to do.

 

[uyjulian]

it would allow us to decrypt games on a PC, instead of requiring a 3DS to decrypt for you

 

[mikey420]

Basically it would remove any remaining security allowing us to decrypt content without the 3ds and allowing us to "sign" software to run without the need for an exploit.

 

[Mazamin]

Basically it would remove any remaining security allowing us to decrypt content without the 3ds and allowing us to "sign" software to run without the need for an exploit.

No, it won't allow us to sign software, only real coldboot, loading code before the start of sysprot9, allowing us to dump otp at coldboot(thing that we'll not need anymore)

 

[mikey420]

How do you expect to dump anything with a coldboot if you can't run code? With the bootrom broken and the keys used to sign the content available we should be able to decrypt abd reencrypt any part of the system modifying it as we please. If the bootrom protection is defeated all signing checks will mean nothing to developers. I'm certain of this statement.

 

[capito27]

depending of how early the bootrom can be broken, it could allow for 100% nand brick proofing (as, depending on wherein the bootrom could be exploited), as you could possbily directly control it before it checks for nand validity, thus code exec to load an emunand at boot, before nand is even accessed, possibly. but it's verry theoric and HIGHLY unlikely

 

[Deleted member 373223]

How do you expect to dump anything with a coldboot if you can't run code? With the bootrom broken and the keys used to sign the content available we should be able to decrypt abd reencrypt any part of the system modifying it as we please. If the bootrom protection is defeated all signing checks will mean nothing to developers. I'm certain of this statement.

seriusly you think that the bootrom doesn't contain code?

 

[Mazamin]

seriusly you think that the bootrom doesn't contain code?

Otherwise how could you load the 3ds kernel and firmware? LOL

 

[capito27]

How do you expect to dump anything with a coldboot if you can't run code? With the bootrom broken and the keys used to sign the content available we should be able to decrypt abd reencrypt any part of the system modifying it as we please. If the bootrom protection is defeated all signing checks will mean nothing to developers. I'm certain of this statement.

you do know that the signing keys are no where on the 3ds, right ? the keys available are only for decryption, all signature would be invalid without the private signing keys in some nintendo bunker

 

[survive9]

Thanks for clearing this up guys. I thought it would allow for something cool like running a true cfw that is very different from nintendo's but that seems to not be the case.

 

[dubbz82]

Thanks for clearing this up guys. I thought it would allow for something cool like running a true cfw that is very different from nintendo's but that seems to not be the case.

This is already theoretically possible, it would require someone to actually build it out though, which isn't trivial. Nintendo's built in OS isn't THAT bad, is it?

 

[zoogie]

Thanks for clearing this up guys. I thought it would allow for something cool like running a true cfw that is very different from nintendo's but that seems to not be the case.

Well that is possible you know. Everything besides the bootloader is replaceable.
It's just a lot of work though when piracy is enough for most people.

 

[mikey420]

I'm well aware of this. I'm saying that to defeat the bootrom requires one of 2 things either you must exploit it it's self or manage to pass its signature checks regardless this would ultimately defeat all signature checks allowing us to do as we please to the device.

 

[TuxSH]

A bootROM vulnerability exploitable by the end-user would be both a full system-control exploit and an entrypoint, hardcoded in hardware.
If such a flaw exists, it would literally kill the 3DS's security, in fact the 3DS as a whole.

Thanks for clearing this up guys. I thought it would allow for something cool like running a true cfw that is very different from nintendo's but that seems to not be the case.

What about Linux?

 

[zoogie]

I'm well aware of this. I'm saying that to defeat the bootrom requires one of 2 things either you must exploit it it's self or manage to pass its signature checks regardless this would ultimately defeat all signature checks allowing us to do as we please to the device.

arm9 control does this. we've had that for a while.

 

[Deleted member 373223]

arm9 control does this. we've had that for a while.

no, he does not mean to patch the ckecks, he means to remove the checks from the OS itself.

 

[dubbz82]

no, he does not mean to patch the ckecks, he means to remove the checks from the OS itself.

Same end result..

 

[artur3004]

wouldn't it be like a simular situation like with the exploit in the A4 Iphone cpu?

 

[linuxares]

Wouldn't the 3DS basically be as the 360 is with the JTAG/RGH ?