Homebrew SigHax Updates and Discussion Thread

Gnarmagon

What exactly is SigHax?
SignatureHax, SigHax for short, is a bootrom exploit revealed by Derrek at the 33c3.

What does that mean?
Since Derrek was able to dump the 3DS bootroms and to exploit them, we can now sign our own NAND images.

A bit more accurate?
If a bootrom was made public, it could then be used to proceed.
Then you'd be able to create a signature that ends up on a pointer to the check, which will compare itself with itself (the actual SigHax part), to sign firmwares with this manipulated signature.


That's not accurate enough! What can we do with SigHax then?
SigHax lets you exploit the signature verification of the bootrom to basically run "unsigned" (well, hax-signed) firmware.
This has to be written to the firm partition.
This means your patches would be done static directly to the FIRM and written to the device. This exploit effectively "skips" the signature checking.
Therefore it can run before otp disable etc.
It runs at pretty much the earliest state you can get it.
This will make it launch slightly faster than A9LH.
It is useful if you want to install stuff like a custom OS on the 3DS.
The disadvantage is that it's not as dynamic as A9LH, due to it not being a payload on SD that can easily be exchanged. (Unless your FIRM would load patches from SD, which then wouldn't really make a lot of sense to use this exploit for.)
Therefore it's harder to update - basically like an A9LH update (not the payload, but the actual FIRM write).
You risk bricking each time you write to the FIRM.


Can this be Patched by Nintendo?
No. Since this is a Bootrom Exploit, it is literally unpatchable. Just a hardware revision could fix that.

So arm9loaderhax is obsolete then?
Basically yes, when SigHax is released. But better keep it; that will make the future update to SigHax easier for you.

What are we actually doing with arm9loaderhax?
We currently patch the official firmware with A9LH and inject cfw code into it.
Then basically have "cfw".
This is done via a verification exploit of ARM9 and loads a payload AFTER ARM9 is run.


So since there will be SigHax it is safe to Update past 11.X when Nintendo releases System Updates then?
No. If you haven't installed arm9loaderhax on your 3DS system, do NOT UPDATE past 11.2.

For Now:
We are not yet able to do any of this.
Derrek did dump the bootrom and provided a simple explanation of how he did it.
He did not make the bootrom public though. Nor any of the code he used.

This means someone would have to develop code that exploits the bootrom pointers and leads them to dumper code to dump the bootrom, which is unstable and likely needs you to have a hardmod to trigger this very early exception without the chance of killing your device.
What is Boot9???
Do I have to buy smth. like a hardmod to use this? :(
 

adrifcastr

OP
I'm sorry, I didn't read the "Archive".
So Boot9 is something like a partition?
What is this board in the picture?
You again just read a spoiler. By saying read the whole OP I mean the whole OP. There is literally a bold line that tells you that on here it is explained how the arm9 bootrom is being dumped; the spoiler literally says "boot9" and in it it also literally says "the arm9 bootrom which is known as boot9". Like, when I say read the OP I really mean that you should read it, bro.
 

BL4Z3D247

You again just read a spoiler. By saying read the whole OP I mean the whole OP. There is literally a bold line that tells you that on here it is explained how the arm9 bootrom is being dumped; the spoiler literally says "boot9" and in it it also literally says "the arm9 bootrom which is known as boot9". Like, when I say read the OP I really mean that you should read it, bro.
I believe they were trying to understand exactly what the arm9 bootrom is. That's not explained in the OP. All it says is how it works and where it's located in the CPU's internal memory.

Neither is the board Greg is hooked up to, shown in the picture posted below "#Pray4Greg".

Simply reading the entire OP doesn't answer the questions they asked.

@Gnarmagon, check this out if you want to know more about the bootloader/bootrom/etc.: http://3dbrew.org/wiki/Bootloader

As for the board Greg is hooked up to in that picture, I'm not quite sure. Maybe someone else can actually answer you.
 

Deleted member 350372

Is stuff on that shop signed? And if not, are titlekeys downloaded from diet coke 'that shop' used to download stuff from the eshop signed?
What r u talking about? Lmao.

--------------------- MERGED ---------------------------

If you guys are impatient check out the PS4 scene kernel access obtained on firmware 4.xx!
Unrelated, and wrong platform, buddy. I don't want to be rude or bossy or anything, but I don't want any unnecessary hype from new or gullible users thinking that prot_boot9.bin has been dumped or any false progress on sighax. We all want sighax and are impatient, but I don't want this thread to multiply in pages with nothing but absolute unrelated insanity.
 

Gaming796

Is stuff on that shop signed? And if not, are titlekeys downloaded from diet coke 'that shop' used to download stuff from the eshop signed?
There's nothing wrong in saying freeShop. It's accepted in GBAtemp. Secondly, anything downloaded from freeShop is unsigned (thus requiring CFW). I don't understand what you mean to ask in the second question. Please elaborate.
 

Grantman20

WHAT HAS FREESHOP WITH SIGHAX TO DO ???
(sorry for capslock but I am really confused now -.-)

btw my guess is that the 3DS has a bootrom for every CPU (ARM7, 9 and 11) and Boot9 is the bootrom for the ARM9? (Bootrom = BIOS?)
I got the translated version:
"WHAT DOES FREESHOP HAVE TO DO WITH SIGHAX?(I'm using caps because it gains more attention thus more people will quote me.)

Some random "knowledge" that is false"
 

Maestrx

Would I be able to inject saves from my old 3ds with sighax? Since the signature or whatever is basically rendered useless?
 

GerbilSoft

Would I be able to inject saves from my old 3ds with sighax? Since the signature or whatever is basically rendered useless?
Sighax has nothing to do with save injection.

If you backed up the saves using JKSM or similar, you can restore them directly using JKSM.
If all you have are the encrypted files from the Nintendo 3DS directory, you're out of luck, because those are encrypted. However, if you have a NAND dump and the OTP.bin file from the old 3DS, you may be able to use them to decrypt the save files once the BootROM keys are released.
 

Starzcream

Sighax has nothing to do with save injection.

If you backed up the saves using JKSM or similar, you can restore them directly using JKSM.
If all you have are the encrypted files from the Nintendo 3DS directory, you're out of luck, because those are encrypted. However, if you have a NAND dump and the OTP.bin file from the old 3DS, you may be able to use them to decrypt the save files once the BootROM keys are released.

Will a bootrom key allow us to flash sighax directly to a NAND dump, therefore allowing us to boot into a payload (Decrypt9) before the OS loads, allowing us to dump key files from Decrypt9 such as otp.bin if we don't have them now?
 

GerbilSoft

Will a bootrom key allow us to flash sighax directly to a NAND dump, therefore allowing us to boot into a payload (Decrypt9) before the OS loads, allowing us to dump key files from Decrypt9 such as otp.bin if we don't have them now?
BootROM keys won't allow that. What will allow it is reverse-engineering the signature verification code to find its weaknesses. (See the Wii signing bug for an example.) Once that's figured out, a fakesigned FIRM can be installed via hardmod or DSiWare downgrade using the known plaintext attack.

OTP is shut off by FIRM, not BootROM, so this will allow us to dump OTP.bin if it hasn't already been dumped.
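As an added illustration of the bug class GerbilSoft points to (the Wii signing bug), not code from this thread or from any console's bootrom: a digest comparison done with strncmp() on binary data, beside the full-length constant-time comparison that should have been used. The two digests are constructed for the demonstration and are not real hashes of anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20  /* SHA-1 digest length, as used by the Wii's signing check */

/* Vulnerable check, modelled on the Wii signing bug: the digest is binary
 * data, but strncmp() stops at the first 0x00 byte, so two digests that both
 * start with 0x00 compare equal no matter what the remaining bytes are. */
int hash_matches_vulnerable(const uint8_t *expected, const uint8_t *computed)
{
    return strncmp((const char *)expected, (const char *)computed, HASH_LEN) == 0;
}

/* Hardened check: compare every byte of the digest, and do it in constant
 * time so the verifier does not leak how many leading bytes matched. */
int hash_matches_hardened(const uint8_t *expected, const uint8_t *computed)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (uint8_t)(expected[i] ^ computed[i]);
    return diff == 0;
}

/* Constructed sample digests: both begin with 0x00 but differ from byte 1 on. */
static const uint8_t DIGEST_A[HASH_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99,
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t DIGEST_B[HASH_LEN] = {
    0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Returns 1 when the vulnerable check wrongly accepts the mismatched pair
 * while the hardened check correctly rejects it. */
int demo_mismatch_accepted(void)
{
    return hash_matches_vulnerable(DIGEST_A, DIGEST_B) == 1
        && hash_matches_hardened(DIGEST_A, DIGEST_B) == 0;
}

int main(void)
{
    printf("strncmp check accepts mismatched digests: %s\n",
           hash_matches_vulnerable(DIGEST_A, DIGEST_B) ? "yes" : "no");
    printf("constant-time check accepts them: %s\n",
           hash_matches_hardened(DIGEST_A, DIGEST_B) ? "yes" : "no");
    return 0;
}
```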
 

Starzcream

BootROM keys won't allow that. What will allow it is reverse-engineering the signature verification code to find its weaknesses. (See the Wii signing bug for an example.) Once that's figured out, a fakesigned FIRM can be installed via hardmod or DSiWare downgrade using the known plaintext attack.

OTP is shut off by FIRM, not BootROM, so this will allow us to dump OTP.bin if it hasn't already been dumped.

Fakesigned FIRM being a universal nand.bin that can be flashed to any device, or a fakesigned FIRM like a part of the NAND that needs to be injected into a valid dump? Thanks for the answers; might help some other nabs like me.
 
