A question about the A9LH payload stages

Discussion in '3DS - Flashcards & Custom Firmwares' started by mashers, Sep 6, 2016.

  1. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    I'm looking into modifying an A9LH CFW which lives in NAND (e.g. shadowNAND) to add a security feature before booting arm9loaderhax.bin from SD card. My intention here is to create an un-circumventable PIN lock.

    I'm looking at the source code for shadowNAND (and indeed @delebile's arm9loaderhax implementation) and they both have two payload stages. The basic function of the first seems to be to jump to the second, so I'm unclear on the purpose of having both. Furthermore, I'm unsure which of the payloads I should modify to add the features I want.

    Any ideas would be gratefully received!
     
    hobbledehoy899 and Tomato Hentai like this.


  2. Davidosky99

    Davidosky99 Eevee :3

    Banned
    2,582
    1,570
    Jun 7, 2015
    Porto
    A nice idea for a priiloader-like PIN security model would be to store the PIN in ctrnand (and of course add a backdoor, which could be toggleable or custom).
    And IIRC the payload which actually does the functions of a9lh is the stage2 payload, as stage 1 (IIRC) just jumps to stage2.
    Couldn't hurt looking into the code tho ;)
    Correct me if I'm wrong please :)
     
  3. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    Thanks mate. That makes sense. So I guess stage 2 would be what ultimately loads the payload from SD? So the security would be inserted just before that, in stage 2 if I understand correctly.

    My first goal will be to fork arm9loaderhax and get a hard coded PIN working. Once that's done I'll look into a way of storing the PIN in a file in NAND. I'm not so worried about a failsafe or backdoor as I have a hardmod so can restore my NAND if necessary, but I suppose this could be added as an option.
     
    Tomato Hentai likes this.
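An added illustration of the gate described in this post, written here as an example and not code from arm9loaderhax, ShadowNAND or the poster's fork: a stage2-style PIN check that starts with a hardcoded PIN (the first goal above) and can later be switched to a record read from NAND (the second goal). The function names, the PIN value, the record layout, the checksum and the attempt limit are all assumptions. The check compares in constant time, fails closed when the stored record is malformed, and bounds wrong entries before the caller would chainload /arm9loaderhax.bin.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PIN_LEN      4
#define MAX_ATTEMPTS 3

/* Constructed hardcoded PIN for the first step; not a value from any real project. */
static const uint8_t HARDCODED_PIN[PIN_LEN] = { '1', '3', '3', '7' };

typedef enum { GATE_LOCKED = 0, GATE_OPEN = 1, GATE_EXHAUSTED = 2 } gate_state_t;

typedef struct {
    uint8_t  pin[PIN_LEN];
    int      valid;     /* 0 means fail closed: the gate never opens */
    unsigned attempts;  /* wrong entries so far (RAM only in this example) */
} pin_gate_t;

/* Constant-time comparison: run time does not depend on which byte differs,
 * so timing the gate reveals nothing about how much of the PIN was right. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Step one from the post: PIN compiled into stage2. */
void pin_gate_init_hardcoded(pin_gate_t *g) {
    memset(g, 0, sizeof *g);
    memcpy(g->pin, HARDCODED_PIN, PIN_LEN);
    g->valid = 1;
}

/* Step two from the post: PIN read from a record stored in NAND.
 * Assumed record layout: "PINL" | len (1 byte) | pin[len] | XOR checksum of
 * all preceding bytes. Any malformed record leaves the gate fail-closed. */
int pin_gate_init_from_record(pin_gate_t *g, const uint8_t *rec, size_t rec_len) {
    memset(g, 0, sizeof *g);
    if (rec_len != 4 + 1 + PIN_LEN + 1) return 0;
    if (memcmp(rec, "PINL", 4) != 0) return 0;
    if (rec[4] != PIN_LEN) return 0;
    uint8_t sum = 0;
    for (size_t i = 0; i < rec_len - 1; i++) sum ^= rec[i];
    if (sum != rec[rec_len - 1]) return 0;
    memcpy(g->pin, rec + 5, PIN_LEN);
    g->valid = 1;
    return 1;
}

/* One entry attempt. GATE_OPEN: caller may chainload /arm9loaderhax.bin.
 * GATE_LOCKED: prompt again. GATE_EXHAUSTED: stop prompting and power off. */
gate_state_t pin_gate_check(pin_gate_t *g, const uint8_t *entered, size_t len) {
    if (!g->valid || g->attempts >= MAX_ATTEMPTS) return GATE_EXHAUSTED;
    /* Always compare a full PIN_LEN buffer; the length check is folded in
     * with & rather than short-circuiting before the byte comparison. */
    uint8_t buf[PIN_LEN] = { 0 };
    memcpy(buf, entered, len < PIN_LEN ? len : PIN_LEN);
    int ok = ct_equal(buf, g->pin, PIN_LEN) & (len == PIN_LEN);
    if (ok) return GATE_OPEN;
    g->attempts++;
    return g->attempts >= MAX_ATTEMPTS ? GATE_EXHAUSTED : GATE_LOCKED;
}

/* Builds a valid record in the assumed layout (what a PIN-change tool would write). */
size_t pin_record_build(const uint8_t *pin, uint8_t *out, size_t out_len) {
    size_t n = 4 + 1 + PIN_LEN + 1;
    if (out_len < n) return 0;
    memcpy(out, "PINL", 4);
    out[4] = PIN_LEN;
    memcpy(out + 5, pin, PIN_LEN);
    uint8_t sum = 0;
    for (size_t i = 0; i < n - 1; i++) sum ^= out[i];
    out[n - 1] = sum;
    return n;
}

/* Self-check over constructed inputs; returns 1 when every case behaves as described. */
int pin_gate_selftest(void) {
    pin_gate_t g;
    pin_gate_init_hardcoded(&g);
    if (pin_gate_check(&g, (const uint8_t *)"1234", 4) != GATE_LOCKED) return 0;
    if (pin_gate_check(&g, (const uint8_t *)"1337", 4) != GATE_OPEN) return 0;
    if (pin_gate_check(&g, (const uint8_t *)"133", 3) != GATE_LOCKED) return 0;
    if (pin_gate_check(&g, (const uint8_t *)"13370", 5) != GATE_EXHAUSTED) return 0;
    if (pin_gate_check(&g, (const uint8_t *)"1337", 4) != GATE_EXHAUSTED) return 0;

    uint8_t rec[16];
    const uint8_t pin[PIN_LEN] = { '4', '2', '4', '2' };
    size_t n = pin_record_build(pin, rec, sizeof rec);
    pin_gate_t g2;
    if (n != 10 || pin_gate_init_from_record(&g2, rec, n) != 1) return 0;
    if (pin_gate_check(&g2, pin, PIN_LEN) != GATE_OPEN) return 0;
    rec[6] ^= 1;  /* corrupt one PIN byte: checksum fails, gate stays closed */
    pin_gate_t g3;
    if (pin_gate_init_from_record(&g3, rec, n) != 0) return 0;
    if (pin_gate_check(&g3, pin, PIN_LEN) != GATE_EXHAUSTED) return 0;
    return 1;
}
```

Two things the example leaves out on purpose: a real build would store a salted hash of the PIN rather than its bytes, and the attempt counter here lives only in RAM, so it resets on every boot; the limit only bites once the counter is itself written back to NAND.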
  4. Sonic Angel Knight

    Sonic Angel Knight GBAtemp Guru

    Member
    9,484
    4,693
    May 27, 2016
    United States
    New York
    Since Luma already has a PIN lock I hope a LumaNAND can be made soon: boot Luma with no SD card, with region free, and then install NTR on the NAND? NTR debugger with no SD card required to boot. Such a nice dream.^_^
     
  5. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    If I understand correctly, there is limited space for an SD-less A9LH CFW. That's why my intention is to use the existing A9LH payloads and add the PIN lock feature to that, and then chainload the user's arm9loaderhax.bin if the correct PIN is entered.

    Of course I could be completely wrong and a NAND-resident Luma is on its way :D
     
  6. Sonic Angel Knight

    Sonic Angel Knight GBAtemp Guru

    Member
    9,484
    4,693
    May 27, 2016
    United States
    New York
    I dunno, ask developer goddess @Aurora Wright. It's her stuff, not mine. I'm just a dreamer, believer and such hoping for something good :P
     
  7. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    Hehe, well in the meantime my priority is to make a more secure PIN lock. This way the only way somebody would be able to circumvent the PIN lock would be to reflash the NAND using a hard mod... and my NAND backup :P
     
    Minnow likes this.
  8. astronautlevel

    astronautlevel But he's a guy

    Member
    3,926
    4,620
    Jan 26, 2016
    United States
    That Nightly Site™
    Stage 1 has to be tiny as it's stored in the additional space of FIRM0. Once stage1 is loaded, it jumps to the larger stage2 payload.
     
    Last edited by astronautlevel, Sep 7, 2016
    LinkSoraZelda likes this.
  9. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    Thanks again for the help guys. I've forked ShadowNAND and have been able to modify stage1 to boot directly to stage2 (no alt stage) and then modify stage2 to boot /arm9loaderhax.bin (instead of the bin file ShadowNAND uses). I compiled it and installed it using SafeA9LHInstaller and it worked! So I'm now going to add some basic security with a hardcoded PIN and see if that works.
     
  10. astronautlevel

    astronautlevel But he's a guy

    Member
    3,926
    4,620
    Jan 26, 2016
    United States
    That Nightly Site™
    If I were you, I'd base it off AW's a9lh fork rather than ShadowNAND, as that supports MiniCFW and is a more standard implementation to build off.
     
    Quantumcat likes this.
  11. Sonic Angel Knight

    Sonic Angel Knight GBAtemp Guru

    Member
    9,484
    4,693
    May 27, 2016
    United States
    New York
    NEEDS FILLING IN :blink:

    Actually just tell me what the difference is. (I'll complain about the names of these later):glare:
     
  12. astronautlevel

    astronautlevel But he's a guy

    Member
    3,926
    4,620
    Jan 26, 2016
    United States
    That Nightly Site™
    AW's fork of a9lh was the first one to add SD-less boot, despite Shadowhand hyping ShadowNAND which was supposed to support it. After AW added it to her fork, Shadowhand copied the code into ShadowNAND.

    AW's fork is by a developer who has provided consistent support and updates for her stuff, and has been involved for much longer than shadowhand (and, unlike shadowhand, her projects aren't just minor modifications of existing stuff). ShadowNAND also has a weird path implementation (i.e. instead of arm9loaderhax.bin there's /homebrew/3ds/boot.bin).
     
    klear and Quantumcat like this.
  13. Sonic Angel Knight

    Sonic Angel Knight GBAtemp Guru

    Member
    9,484
    4,693
    May 27, 2016
    United States
    New York
    So can Luma be inserted into the 3DS like a permanent CFW? I mean my dreams: region free game cards, NTR in NAND to use the debugger without an SD-installed app. :rolleyes:
     
  14. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    Thanks for the tip. Well, I've got it working already using a fork of ShadowNAND. The PIN is hardcoded, but I now have a locked NAND which can't be bypassed unless you re-flash it :D Once I've tidied up and added a way of changing the PIN without building from source, I'll upload to GitHub.
     
    gamesquest1 likes this.
  15. Roboman

    Roboman GBAtemp Regular

    Member
    281
    68
    Jan 7, 2016
    United States
    I wonder why. Do they store the entire CFW in FIRM1? Why not just use arbitrarily sized files stored in NAND? With well over enough space I wonder why no fully featured NAND-dwelling CFW exists.
     
  16. Swiftloke

    Swiftloke Hwaaaa!

    Member
    1,769
    1,508
    Jan 26, 2015
    United States
    Nowhere
    Correct. Remember, how A9LH works is a key decrypting firm1 to not-garbage, giving a jump instruction to the payload at the end of firm0 still loaded into memory. Stage1 is that payload at the end of firm0. The only thing stage0 does is load arm9loaderhax.bin, or with the beta SD-cardless A9LH, check if there's an SD card in and if not, jump to a payload on the NAND. (I think. I don't know how it works.)
    Take notes, @mashers :P:teach:
     
  17. gamesquest1

    gamesquest1 Nabnut

    Member
    14,089
    9,424
    Sep 23, 2013
    Nice work, always good to know that if someone steals your stuff it would be 90% worthless to them, although it's still worth something as parts... but I guess explosives being triggered if you enter the PIN wrong 3 times is overkill :rofl2:
     
  18. mashers
    OP

    mashers Stubborn ape

    Member
    3,837
    5,154
    Jun 10, 2015
    Kongo Jungle
    Unfortunately I don't think A9LH has access to the 3DS self-destruct mechanism :P
     
    klear and gamesquest1 like this.
  19. gamesquest1

    gamesquest1 Nabnut

    Member
    14,089
    9,424
    Sep 23, 2013
    Maybe there is a way to have it display contact info on an incorrect password attempt, so at least anyone who finds it could return it, or if whoever gets hold of it tries to sell it then it has contact info.
     
  20. Thunder Kai

    Thunder Kai #TeamRem

    Member
    1,344
    367
    Sep 4, 2015
    United States
    With Rem
    Like the Vita? :D