Homebrew [33c3] Console Hacking 2016 (3DS/WiiU) talk Dec 27-30: smea, derrek, nedwill, naehrwert

What will Santa Hax bring us this year?

  • Slowhax (arm11 kernelhax)

    Votes: 184 32.1%
  • Soundhax (free primary userland sploit)

    Votes: 183 31.9%
  • Bootrom dump method !!

    Votes: 166 28.9%
  • Something more awesome than the above.

    Votes: 156 27.2%
  • Something nice for the WiiU

    Votes: 178 31.0%
  • Nothing. Ninty will banhammer: 001-1337 "Your use of this speech has been restricted by Nintendo"

    Votes: 80 13.9%
  • This checkbox pleases me

    Votes: 152 26.5%
  • ( ͡° ͜ʖ ͡°)

    Votes: 92 16.0%

  • Total voters
    574
  • Poll closed.

Selver

13,5,1,14,9,14,7,12,5,19,19
Member
Joined
Dec 22, 2015
Messages
219
Trophies
0
XP
426
Country
great but actually you still need a custom firmware (+ that's what it is actually) and that actually doesn't change much from now

Hi Mrrraou,
SigHax does provide a change; The FIRM0 that gets loaded is your own from byte 0.
Which means Kernel9Loader need never be loaded.
Which means OTP is not locked out.

SigHax also makes it much easier to create custom FIRM0 that simplifies bootrom dumps, such as:
0. set up exception vectors
1. set up branch sleds
2. signal via I2C that you're about to reboot
3. reboot with much tighter timing

Of course, step 2 presumes you're automating your glitching attempts, and snooping on the I2C bus to help synchronize timing-related attacks on the CPU during its boot....
 

Selver

13,5,1,14,9,14,7,12,5,19,19
Member
Joined
Dec 22, 2015
Messages
219
Trophies
0
XP
426
Country
My concern is that hacking a hard modded dump is going to need something from the donor 3ds besides the dump? or am i wrong to think that with sighax?
smea and other users here have said yes when i asked if we can : factory -> hard mod -> dump -> modify dump -> restore -> boot with no issues. this means we can potentially fix bricks with no prior backups.
I basically want to rebuild the 3ds nand from PC - that is the ultimate hack. then no matter what you do to that 3ds file system, it is always 100% able to be restored with proper hard mod. this is what i need to repair a broken 3ds i own.

You need to know the console's FIRM xorpad.
You can determine the xorpad if you know the version of FIRM that is installed and the FIRM is not corrupted.
That's just for installing sighax, nothing about restoring the filesystem afterwards

you need a localfriendseed, a secureinfo, the otp of the console, etc

As with many things, the answer is complicated by the lack of exactness in the language used. With a hardmod, ....

Goal A: Restore an o3ds/n3ds/2ds to a prior configuration
Requirements: nand image

Goal B: Change firmware from known version A to another version B
Requirements:
[] if major versions of kernel match and FIRM B is smaller:
XOR the two files (both encrypted, or both decrypted) to get a FIRM XORPAD
XOR this XORPAD against the FIRM partition
voilà! known-plaintext attack results in FIRM B ....
[] else, you need xorpad for at least the FIRM partition
(i.e., most of the time, Metroid Maniac's response)

Goal C: Change files on NAND image, but valid only for same 3ds
Requirements:
[] NAND XORPAD + NAND dump (i.e., Metroid Maniac's response)

Goal D: Create a NAND image from system A that can be used on system B
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] See Mrrraou's response... and note that some information cannot be self-generated, even with sighax and bootroms, but must come from a "donor" system.

Goal E: Create a NAND image from scratch that can be used on a system with no NAND image
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] For any online use, see note above ... "donor" system still required for some data due to cryptographic signatures checked by online services...
 
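The known-plaintext step in Goal B (and the NAND xorpad in Goal C) rests on one property of CTR-style encryption: the keystream depends only on the key and the byte position, never on the data, so ciphertext XOR known plaintext reveals the pad, and that pad re-encrypts any other image of no greater length. The Python below is an added example, not code from this thread or from any 3DS tool. It models the situation with a constructed hash-based keystream standing in for AES-CTR, a made-up key, and made-up FIRM images; everything in it is an assumption for illustration. It shows the round trip, what happens when the installed version is guessed wrong (the caveat in the quoted reply about needing the exact, uncorrupted FIRM version), the length limit behind "FIRM B is smaller", and a consistency check between two known pairs from the same pad.

```python
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in for a CTR-mode keystream.

    It depends only on the key and the block counter, never on the plaintext,
    which is the property that makes pad reuse across images possible.
    Hypothetical: a real console uses AES-CTR with a console-specific key.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_partition(key: bytes, image: bytes, partition_size: int) -> bytes:
    """Encrypt an image into a fixed-size partition, zero-padding the tail."""
    if len(image) > partition_size:
        raise ValueError("image larger than partition")
    padded = image + b"\x00" * (partition_size - len(image))
    return xor_bytes(padded, keystream(key, partition_size))


def derive_xorpad(known_plain: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step: pad = C xor P, valid only over the bytes of P we know."""
    n = len(known_plain)
    return xor_bytes(ciphertext[:n], known_plain)


def reencrypt_with_pad(xorpad: bytes, new_image: bytes) -> bytes:
    """Apply a recovered pad to a different image.

    Refuses images longer than the pad: bytes past the known plaintext have
    no recovered keystream, which is the reason for the 'FIRM B is smaller' condition.
    """
    if len(new_image) > len(xorpad):
        raise ValueError(
            f"new image ({len(new_image)} bytes) exceeds known pad ({len(xorpad)} bytes)"
        )
    return xor_bytes(new_image, xorpad[: len(new_image)])


def pads_agree(pad1: bytes, pad2: bytes) -> bool:
    """Two pads derived from the same key/partition must match on their overlap."""
    n = min(len(pad1), len(pad2))
    return pad1[:n] == pad2[:n]


def run_demo() -> dict:
    # All values below are constructed for the example.
    key = b"constructed-console-key"            # hypothetical per-console key
    partition_size = 2048
    firm_a = bytes(range(256)) * 4               # "installed" version A, 1024 bytes
    firm_b = b"FIRM-B-smaller-image" * 30        # version B, 600 bytes (smaller than A)
    firm_big = b"\xab" * 1500                    # longer than the recoverable pad
    wrong_guess = bytes(range(255, -1, -1)) * 4  # mistaken idea of what version A looks like

    c_a = encrypt_partition(key, firm_a, partition_size)

    # Correct known plaintext: the pad round-trips version B.
    pad = derive_xorpad(firm_a, c_a)
    c_b = reencrypt_with_pad(pad, firm_b)
    roundtrip_ok = xor_bytes(c_b, keystream(key, len(c_b))) == firm_b

    # Wrong guess of the installed version: the "pad" is garbage, and so is the result.
    wrong_pad = derive_xorpad(wrong_guess, c_a)
    c_b_wrong = reencrypt_with_pad(wrong_pad, firm_b)
    wrong_version_ok = xor_bytes(c_b_wrong, keystream(key, len(c_b_wrong))) == firm_b

    # Length limit: an image longer than the known pad is rejected rather than half-encrypted.
    try:
        reencrypt_with_pad(pad, firm_big)
        too_big_rejected = False
    except ValueError:
        too_big_rejected = True

    # Consistency check: a second known pair under the same pad must agree on the overlap.
    firm_a2 = b"\x11" * 800
    pad2 = derive_xorpad(firm_a2, encrypt_partition(key, firm_a2, partition_size))
    pads_consistent = pads_agree(pad, pad2)

    return {
        "roundtrip_ok": roundtrip_ok,
        "wrong_version_ok": wrong_version_ok,
        "too_big_rejected": too_big_rejected,
        "pads_consistent": pads_consistent,
    }


if __name__ == "__main__":
    print(run_demo())
```

The consistency check is the practical test for the "FIRM is not corrupted" requirement: if two images you believe are installed on the same console yield pads that disagree, at least one belief is wrong. From a design standpoint the example also shows why a fixed per-console keystream reused across firmware versions is a two-time pad; encrypting each version under a fresh IV, or with an authenticated mode, is what prevents a pad recovered from one image from being applied to another.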

Mrrraou

Well-Known Member
Member
Joined
Oct 17, 2015
Messages
1,873
Trophies
0
XP
2,374
Country
France
Hi Mrrraou,
SigHax does provide a change; The FIRM0 that gets loaded is your own from byte 0.
Which means Kernel9Loader need never be loaded.
Which means OTP is not locked out.

SigHax also makes it much easier to create custom FIRM0 that simplifies bootrom dumps, such as:
0. set up exception vectors
1. set up branch sleds
2. signal via I2C that you're about to reboot
3. reboot with much tighter timing

Of course, step 2 presumes you're automating your glitching attempts, and snooping on the I2C bus to help synchronize timing-related attacks on the CPU during its boot....
i know about that lol
good luck implementing sighax without a b9 dump btw

--------------------- MERGED ---------------------------

As with many things, the answer is complicated by the lack of exactness in the language used. With a hardmod, ....

Goal A: Restore an o3ds/n3ds/2ds to a prior configuration
Requirements: nand image

Goal B: Change firmware from known version A to another version B
Requirements:
[] if major versions of kernel match and FIRM B is smaller:
XOR the two files (both encrypted, or both decrypted) to get a FIRM XORPAD
XOR this XORPAD against the FIRM partition
voilà! known-plaintext attack results in FIRM B ....
[] else, you need xorpad for at least the FIRM partition
(i.e., most of the time, Metroid Maniac's response)

Goal C: Change files on NAND image, but valid only for same 3ds
Requirements:
[] NAND XORPAD + NAND dump (i.e., Metroid Maniac's response)

Goal D: Create a NAND image from system A that can be used on system B
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] See Mrrraou's response... and note that some information cannot be self-generated, even with sighax and bootroms, but must come from a "donor" system.

Goal E: Create a NAND image from scratch that can be used on a system with no NAND image
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] For any online use, see note above ... "donor" system still required for some data due to cryptographic signatures checked by online services...
if you have your console's otp and a b9 dump you'll likely be able to decrypt it and have the correct keys for nand encryption and stuff
 
  • Like
Reactions: Selver

VashTS

Beat it, son
Member
Joined
Mar 14, 2009
Messages
4,308
Trophies
1
Age
39
Location
Upstate NY
XP
3,756
Country
United States
As with many things, the answer is complicated by the lack of exactness in the language used. With a hardmod, ....

Goal A: Restore an o3ds/n3ds/2ds to a prior configuration
Requirements: nand image

Goal B: Change firmware from known version A to another version B
Requirements:
[] if major versions of kernel match and FIRM B is smaller:
XOR the two files (both encrypted, or both decrypted) to get a FIRM XORPAD
XOR this XORPAD against the FIRM partition
voilà! known-plaintext attack results in FIRM B ....
[] else, you need xorpad for at least the FIRM partition
(i.e., most of the time, Metroid Maniac's response)

Goal C: Change files on NAND image, but valid only for same 3ds
Requirements:
[] NAND XORPAD + NAND dump (i.e., Metroid Maniac's response)

Goal D: Create a NAND image from system A that can be used on system B
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] See Mrrraou's response... and note that some information cannot be self-generated, even with sighax and bootroms, but must come from a "donor" system.

Goal E: Create a NAND image from scratch that can be used on a system with no NAND image
Requirements:
[] For offline use (no Nintendo network), it may be possible.
[] For any online use, see note above ... "donor" system still required for some data due to cryptographic signatures checked by online services...


Thanks for the info. Goal C would be me for the most part.
 

zoogie

playing around in the end of life
OP
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
This info is definitely originating from Rumorville, Kentucky, but I think there's a pretty good chance yellows8 is planning some sort of BOSS(spotpass) hax to coincide with 33c3. Praise me if I'm right, don't mind me if I'm wrong. :P

And Merry Christmas hax fans. : )
Well, I was about two weeks late in my prediction. Can I at least have half a cookie? :P

edit:
[18:27] <@yellows8> oh btw, these releases were supposed to happen @ c3, but ofc wasn't finished.
damn!
 
Last edited by zoogie,
  • Like
Reactions: Vappy

BL4Z3D247

GBAtemp Stoner
Member
Joined
Oct 22, 2008
Messages
1,942
Trophies
0
Age
39
Location
I'm so high, I don't even know!
XP
1,229
Country
United States
Well, I was about two weeks late in my prediction. Can I at least have half a cookie? :P
Cookie_half.jpg
 
  • Like
Reactions: zoogie

gamesquest1

Nabnut
Former Staff
Joined
Sep 23, 2013
Messages
15,153
Trophies
2
XP
12,247
Who complained about the *hax names........
ctpkpwn_tfh

Who is ever going to pull that one off the top of their heads, why no herohax or triforcehax or something nice and catchy

(But yeah I get that it's ctpkpwn (for the spot pass exploit) and _tfh for triforce heroes implementation ......still, I kinda liked the *hax naming scheme :P
 
Last edited by gamesquest1,
  • Like
Reactions: zoogie

zoogie

playing around in the end of life
OP
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
Who complained about the *hax names........
ctpkpwn_tfh

Who is ever going to pull that one off the top of their heads, why no herohax or triforcehax or something nice and catchy

(But yeah I get that it's ctpkpwn (for the spot pass exploit) and _tfh for triforce heroes implementation ......still, I kinda liked the *hax naming scheme :P
I'm convinced yellows8's brain is nothing but a single oversized left hemisphere.
 

ShadowOne333

QVID PRO QVO
Editorial Team
Joined
Jan 17, 2013
Messages
12,200
Trophies
2
XP
33,918
Country
Mexico
  • WiiU stuff, mostly not interesting given full privilege access on latest firm already.
What?!
What kind of trolling bullshit is this?

The Wii U is in need of a boot1 hack so that it can be on par with the 3DS in terms of CFW.
The current options make use of the coldboothax which isn't really a hack but a simple modification of an XML file.
Boot1 on the other hand would greatly give an advantage and hopefully flash a permanent CFW into the system, like the 3DS can with a9lh and the upcoming exploits.
 

zoogie

playing around in the end of life
OP
Developer
Joined
Nov 30, 2014
Messages
8,560
Trophies
2
XP
15,000
Country
Micronesia, Federated States of
This info is definitely originating from Rumorville, Kentucky, but I think there's a pretty good chance yellows8 is planning some sort of BOSS(spotpass) hax to coincide with 33c3. Praise me if I'm right, don't mind me if I'm wrong. :P

And Merry Christmas hax fans. : )
Actually, it turns out I wasn't wrong technically. :) @ihaveamac
[18:27] <@yellows8> oh btw, these releases were supposed to happen @ c3, but ofc wasn't finished.
What?!
What kind of trolling bullshit is this?

The Wii U is in need of a boot1 hack so that it can be on par with the 3DS in terms of CFW.
The current options make use of the coldboothax which isn't really a hack but a simple modification of an XML file.
Boot1 on the other hand would greatly give an advantage and hopefully flash a permanent CFW into the system, like the 3DS can with a9lh and the upcoming exploits.
Eh, you have a point I guess. I still stand by my assertion that the wiiu portion wasn't interesting.

Capture.PNG

See, even the hackers didn't care. :P But just to keep this thread from turning into a wiiu shitfest, I removed the offending wiiu summary bullet point. It really didn't belong in a 3ds thread anyway.
 
Last edited by zoogie,
  • Like
Reactions: ShadowOne333
