Hacking Atmosphere 0.8 released 6.2.0 working

S

smf

Well-Known Member
Member
Level 16
Joined
Feb 23, 2009
Messages
6,640
Trophies
2
XP
5,854
Country
United Kingdom
x65943 said:
Vanilla atmosphere doesn't support pirated nsps
Click to expand...

These patches may or may not work with 6.2 https://gbatemp.net/threads/i-heard-that-you-guys-need-some-sweet-patches-for-atmosphere.521164/

zoogie said:
I wonder if they've properly pwned TSEC or if it's just dumping the keys.
Click to expand...

It looks like the exploit that mathileu described.

https://github.com/Atmosphere-NX/Atmosphere/commit/ed3770691519f025b5e7ebe353afa0fd3b224fd6

I'm not convinced it's possible to actually hack TSEC any other way, so it will be interesting how Nintendo will block it and whether 6.2 is going to turn out to be the highest we will ever be able to run.
 
Last edited by smf,
  • Like
Reactions: YellowPanda and zoogie
F

Foundforgood89

Member
Newcomer
Level 2
Joined
Nov 19, 2017
Messages
24
Trophies
0
Age
34
XP
147
Country
United States
Error. I have placed all files in root SD and booted fusee primary bin payload. Goes through the black atmosphere welcome and set up, then nintendo logo, then switch logo, then this.

Please help
 

Attachments

  • IMG_20181129_192217.jpg
    IMG_20181129_192217.jpg
    1.9 MB · Views: 661
D

Deleted-471350

Guest
zoogie said:
I wonder if they've properly pwned TSEC or if it's just dumping the keys.

Will be interesting to see Nintendo's stability response to this either way.
Click to expand...

I can answer this, since I fully understand how this sploit works (and wrote it independently myself).

They did not pwn TSEC at all. What the sploit does is fool TSEC into thinking it's running with sole full control of the system (it thinks the CPUs / DMA are halted). Only then will it continue to generate the keys and decrypt the package1. To fool the TSEC, it needs to read the same constant values from MMIO memory space. This can be done by remapping the address space into DRAM by using SMMU translation. If a single bit from this space is different (like say the BPMP CPU is still running, the IO space would reflect that) then the TSEC would detect it. But by mimicing the same values in DRAM, the TSEC is fooled and continues decrypting package1.

To actually pwn TSEC you need to get code execution in the authenticated mode of the TSEC, which can then be used to reveal TSEC secrets. To date, nobody (and I'm pretty sure not even reswitched or switchbrew) has managed to do this.
 
  • Like
Reactions: normal19, peteruk, LunaValeheart and 4 others
sarkwalvein

sarkwalvein

There's hope for a Xenosaga port.
Member
Level 21
Joined
Jun 29, 2007
Messages
8,506
Trophies
2
Age
41
Location
Niedersachsen
XP
11,219
Country
Germany
Foundforgood89 said:
Error. I have placed all files in root SD and booted fusee primary bin payload. Goes through the black atmosphere welcome and set up, then nintendo logo, then switch logo, then this.

Please help
Click to expand...
That's a very pretty picture, good resolution, the text looks great. Perhaps it's that the error reporting code uses good anti-aliasing, or perhaps it is the camera, no idea.
 
  • Like
Reactions: GizmoTheGreen and snails1221
comput3rus3r

comput3rus3r

Well-Known Member
Member
Level 15
Joined
Aug 20, 2016
Messages
3,580
Trophies
1
Age
123
XP
4,919
Country
United States
Well I hope they release version 3.0 including gui changes along with 6.2 compatibility. Maybe they'll even throw in NSP install to hdd. fingers crossed.
 
kamesenin888

kamesenin888

Well-Known Member
Member
Level 10
Joined
Oct 20, 2007
Messages
1,433
Trophies
1
XP
2,060
Country
_Bison_ said:
I can answer this, since I fully understand how this sploit works (and wrote it independently myself).

They did not pwn TSEC at all. What the sploit does is fool TSEC into thinking it's running with sole full control of the system (it thinks the CPUs / DMA are halted). Only then will it continue to generate the keys and decrypt the package1. To fool the TSEC, it needs to read the same constant values from MMIO memory space. This can be done by remapping the address space into DRAM by using SMMU translation. If a single bit from this space is different (like say the BPMP CPU is still running, the IO space would reflect that) then the TSEC would detect it. But by mimicing the same values in DRAM, the TSEC is fooled and continues decrypting package1.

To actually pwn TSEC you need to get code execution in the authenticated mode of the TSEC, which can then be used to reveal TSEC secrets. To date, nobody (and I'm pretty sure not even reswitched or switchbrew) has managed to do this.
Click to expand...
Can nintendo with an update change how this is handled so the TSEC wont give the keys?
 
D

Deleted-471350

Guest
kamesenin888 said:
Can nintendo with an update change how this is handled so the TSEC wont give the keys?
Click to expand...

Yes they can. Mimicing MMIO with exactly the same behavior from a CPU is not trivial. What the TSEC now checks is mostly static data. If they change the TSEC to start to check for dynamic behavior of MMIO memory, well let's say it may not be possible to bypass it. There are also probably more than just one way to detect this hack.
 
Last edited by ,

Site & Scene News

Go to forum More news

Popular threads in this forum

The MIG Switch Thread

Kingdom Come Deliverance Nswitch MOD

Homebrew Tutorial  Building Pagascape from source to running Self Hosted mode on Windows and MSYS

mig switch not working/updating??

Hacking Homebrew Tutorial  Portable PegaScape (Win32)

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Fusee.bin with the new Pre-release of Atmoshere 1.7.0

DBI language error

General chit-chat
Help Users
    SylverReZ @ SylverReZ: @NinStar, Who's whipping who?