Homebrew [33c3] Console Hacking 2016 (3DS/WiiU) talk Dec 27-30: smea, derrek, nedwill, naehrwert

What will Santa Hax bring us this year?

  • Slowhax (arm11 kernelhax): 184 votes (32.1%)
  • Soundhax (free primary userland sploit): 183 votes (31.9%)
  • Bootrom dump method !!: 166 votes (28.9%)
  • Something more awesome than the above: 156 votes (27.2%)
  • Something nice for the WiiU: 178 votes (31.0%)
  • Nothing. Ninty will banhammer: 001-1337 "Your use of this speech has been restricted by Nintendo": 80 votes (13.9%)
  • This checkbox pleases me: 152 votes (26.5%)
  • ( ͡° ͜ʖ ͡°): 92 votes (16.0%)

  • Total voters: 574
  • Poll closed.

caitsith2

No. You'd have to bruteforce a new sig for every new FIRM you make. There is no one sig for all with the type of RSA sig checking the bootrom does. Perhaps you can instead make a chainloader that you don't really have to update very often, but that's the best you can do without having to make new sigs for every update to your CFW.

#3dsdev on EFNet said:
[12/27/2016 18:01:27] <guest763> Is the bruteforced sighax sig universal?
[12/27/2016 18:01:42] <guest763> IE, will work for any firm
[12/27/2016 18:02:09] <derrek> yep
[12/27/2016 18:02:14] <guest763> cool

That means one bruteforce attempt is all that is required.
 

gamesquest1

...man I have a feeling we will see a lot of these questions.
Yes.
With BOOTROM anything is possible so no more need for K9LH/A9LH
Not really true; with bootrom they could check it for bugs, which they found in the form of sighax. It could have just gone the other way and it could have been bulletproof, but it still doesn't just make everything possible; everything is still dependent on system exploits to get set up.
 
Last edited by gamesquest1,
Reactions: gnmmarechal

Noroxus

gamesquest1 said:
Not really true; with bootrom they could check it for bugs, which they found in the form of sighax. It could have just gone the other way and it could have been bulletproof.

Well of course, but what's the point in looking for bugs now?
They can't change the bootrom on the fly or something, so if it could have been bulletproof or not doesn't matter anymore, does it?
 

gamesquest1

Noroxus said:
Well of course, but what's the point in looking for bugs now?
They can't change the bootrom on the fly or something, so if it could have been bulletproof or not doesn't matter anymore, does it?

No, I'm just saying that a bootrom dump does not necessarily = total system hax (well, it did in this case), but it doesn't just make the system completely broken; you cannot just do anything at all because you dumped the bootrom, you still need to have system exploits or a hardmod to actually utilise sighax.
 
Last edited by gamesquest1,
Reactions: Alex1234

CeeDee

So, if I'm right, you couldn't access NAND (therefore any of the bootrom hax) with ARM11 kernel if you don't have an exploitable DSiWare? Which makes this fairly useless for the average 11.2 user?
 

Noroxus

gamesquest1 said:
No, I'm just saying that a bootrom dump does not = hax (well, it did in this case), but it doesn't just make the system completely broken; you cannot just do anything at all because you dumped the bootrom, you still need to have system exploits or a hardmod to actually utilise sighax.

Then let me rephrase my statement:

Anything is possible with the BOOTROM as long as we have some sort of entrypoint and exploit on a brand-new console.
Using sighax on a K9LH console and getting a custom signed firmware or whatever would mean that Nintendo can throw as many patches at us as they want and still be unable to fix anything.

I don't really remember if you need ARM9 code execution or ARM11 execution for downgrading...?

But yeah, you have a point... On a brand-new console you still need some sort of entrypoint...
 

munchy_cool

CeeDee said:
So, if I'm right, you couldn't access NAND (therefore any of the bootrom hax) with ARM11 kernel if you don't have an exploitable DSiWare? Which makes this fairly useless for the average 11.2 user?

This (bootrom exploit) is accessing the bootrom, even before the kernel fires up... this is way better than a9lh.
 

DarkSynopsis

CeeDee said:
So, if I'm right, you couldn't access NAND (therefore any of the bootrom hax) with ARM11 kernel if you don't have an exploitable DSiWare? Which makes this fairly useless for the average 11.2 user?

Correct. Right now we can only write FIRM files with dgTool(?), which is being done with exploited DSiWare; we can't write to FIRM without ARM9 kernel, and nothing shown at 33c3 had that exploited on the latest firmware.

So you still need the exact same methods to install a Bootromhax as you would A9LH, except bootrom wouldn't need downgrades.
 
Last edited by DarkSynopsis,
Reactions: CeeDee

Noroxus

Wait a sec...
Wouldn't using a custom signed firmware put us at risk for online bans (I mean, like implementing some sort of signature check like they do with CTCERT)?
 

gamesquest1

Noroxus said:
Then let me rephrase my statement:

Anything is possible with the BOOTROM as long as we have some sort of entrypoint and exploit on a brand-new console.
Using sighax on a K9LH console and getting a custom signed firmware or whatever would mean that Nintendo can throw as many patches at us as they want and still be unable to fix anything.

I don't really remember if you need ARM9 code execution or ARM11 execution for downgrading...?

But yeah, you have a point... On a brand-new console you still need some sort of entrypoint...

Yeah, from 11.x the anti-downgrade stuff prevents system downgrades without arm9 kernel access, which if you had would mean you could just install sighax or run a normal cfw on 11.x.

So for now the only way to potentially use sighax on a stock system is to be on 9.2 for arm9 kernel access to install it,

be on 10.7 or lower to downgrade to 9.2 via arm11 hax,

or by using dsiware hax for direct nand access, or via hardmod for direct nand access.
 

ForeverEternal

Now that a bootrom dump is possible, what can be done in regards to system transfers?

Will you be able to perform a system transfer across different regions?
Will you be able to fake a system transfer to generate a new movable seed?
Will you be able to bypass the limit of 1 system transfer per week?
Will you be able to use an NNID/eShop on a region-changed (n)3DS?
 
