A question about the A9LH payload stages

mashers (OP):
I'm looking into modifying an A9LH CFW which lives in NAND (e.g. shadowNAND) to add a security feature before booting arm9loaderhax.bin from the SD card. My intention here is to create an un-circumventable PIN lock.

I'm looking at the source code for shadowNAND (and indeed @delebile's arm9loaderhax implementation) and they both have two payload stages. The basic function of the first seems to be to jump to the second, so I'm unclear on the purpose of having both. Furthermore, I'm unsure which of the payloads I should modify to add the features I want.

Any ideas would be gratefully received!
 

Davidosky99:
A nice idea for a priiloader-like PIN security model would be to store the PIN in ctrnand (and of course add a backdoor, which could be togglable or custom).
And IIRC the payload which actually does the functions of A9LH is the stage 2 payload, as stage 1 (IIRC) just jumps to stage 2.
Couldn't hurt looking into the code tho ;)
Correct me if I'm wrong please :)
 

mashers (OP):
Davidosky99 said:
A nice idea for a priiloader-like PIN security model would be to store the PIN in ctrnand (and of course add a backdoor, which could be togglable or custom).
And IIRC the payload which actually does the functions of A9LH is the stage 2 payload, as stage 1 (IIRC) just jumps to stage 2.
Couldn't hurt looking into the code tho ;)
Correct me if I'm wrong please :)
Thanks mate. That makes sense. So I guess stage 2 would be what ultimately loads the payload from SD? So the security would be inserted just before that, in stage 2 if I understand correctly.

My first goal will be to fork arm9loaderhax and get a hard-coded PIN working. Once that's done I'll look into a way of storing the PIN in a file in NAND. I'm not so worried about a failsafe or backdoor as I have a hardmod so can restore my NAND if necessary, but I suppose this could be added as an option.
 

Sonic Angel Knight:
Since Luma already has a PIN lock, I hope a LumaNAND can be made soon: boot Luma with no SD card, with region free, and then install NTR on the NAND? NTR debugger with no SD card required to boot. Such a nice dream. ^_^
 

mashers (OP):
Sonic Angel Knight said:
Since Luma already has a PIN lock, I hope a LumaNAND can be made soon: boot Luma with no SD card, with region free, and then install NTR on the NAND? NTR debugger with no SD card required to boot. Such a nice dream. ^_^
If I understand correctly, there is limited space for an SD-less A9LH CFW. That's why my intention is to use the existing A9LH payloads and add the PIN lock feature to that, and then chainload the user's arm9loaderhax.bin if the correct PIN is entered.

Of course I could be completely wrong and a NAND-resident Luma is on its way :D
 

Sonic Angel Knight:
mashers said:
If I understand correctly, there is limited space for an SD-less A9LH CFW. That's why my intention is to use the existing A9LH payloads and add the PIN lock feature to that, and then chainload the user's arm9loaderhax.bin if the correct PIN is entered.

Of course I could be completely wrong and a NAND-resident Luma is on its way :D
I dunno, ask developer goddess @Aurora Wright. It's her stuff, not mine. I'm just a dreamer, believer and such, hoping for something good :P
 

mashers (OP):
Sonic Angel Knight said:
I dunno, ask developer goddess @Aurora Wright. It's her stuff, not mine. I'm just a dreamer, believer and such, hoping for something good :P
Hehe, well in the meantime my priority is to make a more secure PIN lock. This way the only way somebody would be able to circumvent the PIN lock would be to reflash the NAND using a hard mod... and my NAND backup :P
 

mashers (OP):
Thanks again for the help guys. I've forked ShadowNAND and have been able to modify stage1 to boot directly to stage2 (no alt stage) and then modify stage2 to boot /arm9loaderhax.bin (instead of the bin file ShadowNAND uses). I compiled it and installed it using SafeA9LHInstaller and it worked! So I'm now going to add some basic security with a hardcoded PIN and see if that works.
 

astronautlevel:
mashers said:
Thanks again for the help guys. I've forked ShadowNAND and have been able to modify stage1 to boot directly to stage2 (no alt stage) and then modify stage2 to boot /arm9loaderhax.bin (instead of the bin file ShadowNAND uses). I compiled it and installed it using SafeA9LHInstaller and it worked! So I'm now going to add some basic security with a hardcoded PIN and see if that works.
If I were you, I'd base it off AW's a9lh fork rather than ShadowNAND, as that supports MiniCFW and is a more standard implementation to build off.
 

astronautlevel:
Quoted post:
NEEDS FILLING IN :blink:

Actually just tell me what the difference is. (I'll complain about the names of these later) :glare:
AW's fork of a9lh was the first one to add SD-less boot, despite Shadowhand hyping ShadowNAND which was supposed to support it. After AW added it to her fork, Shadowhand copied the code into ShadowNAND.

AW's fork is by a developer who has provided consistent support and updates for her stuff, and has been involved for much longer than shadowhand (and, unlike shadowhand, her projects aren't just minor modifications of existing stuff). ShadowNAND also has a weird path implementation (i.e. instead of arm9loaderhax.bin there's /homebrew/3ds/boot.bin).
 

Sonic Angel Knight:
astronautlevel said:
AW's fork of a9lh was the first one to add SD-less boot, despite Shadowhand hyping ShadowNAND which was supposed to support it. After AW added it to her fork, Shadowhand copied the code into ShadowNAND.

AW's fork is by a developer who has provided consistent support and updates for her stuff, and has been involved for much longer than shadowhand (and, unlike shadowhand, her projects aren't just minor modifications of existing stuff). ShadowNAND also has a weird path implementation (i.e. instead of arm9loaderhax.bin there's /homebrew/3ds/boot.bin).
So can Luma be inserted into the 3DS like a permanent CFW? I mean my dreams: region-free game cards, NTR in NAND to use the debugger without an SD install app. :rolleyes:
 

mashers (OP):
astronautlevel said:
If I were you, I'd base it off AW's a9lh fork rather than ShadowNAND, as that supports MiniCFW and is a more standard implementation to build off.
Thanks for the tip. Well, I've got it working already using a fork of ShadowNAND. The PIN is hardcoded, but I now have a locked NAND which can't be bypassed unless you re-flash it :D Once I've tidied up and added a way of changing the PIN without building from source, I'll upload to GitHub.
 

Roboman:
mashers said:
If I understand correctly, there is limited space for an SD-less A9LH CFW. :D

I wonder why. Do they store the entire CFW in FIRM1? Why not just use arbitrarily sized files stored in NAND? With well over enough space, I wonder why no fully featured NAND-dwelling CFW exists.
 

Swiftloke:
Quoted post:
Stage 1 has to be tiny as it's stored in the additional space of FIRM1. Once stage 1 is loaded, it jumps to the larger stage 2 payload.
Correct. Remember, how A9LH works is a key decrypting FIRM1 to not-garbage, giving a jump instruction to the payload at the end of FIRM0 still loaded into memory. Stage 1 is that payload at the end of FIRM0. The only thing stage0 does is load arm9loaderhax.bin, or, with the beta SD-cardless A9LH, check if there's an SD card in and otherwise jump to a payload on the NAND. (I think. I don't know how it works.)
Take notes, @mashers :P:teach:
 

gamesquest1:
mashers said:
Thanks for the tip. Well, I've got it working already using a fork of ShadowNAND. The PIN is hardcoded, but I now have a locked NAND which can't be bypassed unless you re-flash it :D Once I've tidied up and added a way of changing the PIN without building from source, I'll upload to GitHub.
Nice work, always good to know that if someone steals your stuff it would be 90% worthless to them, although it's still worth something as parts... but I guess explosives being triggered if you enter the PIN wrong 3 times is overkill :rofl2:
 

mashers (OP):
gamesquest1 said:
Nice work, always good to know that if someone steals your stuff it would be 90% worthless to them, although it's still worth something as parts... but I guess explosives being triggered if you enter the PIN wrong 3 times is overkill :rofl2:
Unfortunately I don't think A9LH has access to the 3DS self-destruct mechanism :P
 

gamesquest1:
mashers said:
Unfortunately I don't think A9LH has access to the 3DS self-destruct mechanism :P
Maybe there is a way to have it display contact info on an incorrect password attempt, so at least anyone who finds it could return it, or if whoever gets hold of it tries to sell it then it has contact info.
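Added example (editor's code, not from ShadowNAND, arm9loaderhax, AW's fork or anything posted in this thread): it models the stage-2 decision point the thread describes (stage 1 only jumps to stage 2; stage 2 is where a PIN check belongs before chainloading /arm9loaderhax.bin) together with the contact-info-on-failure idea above. Button input and the screen are replaced by hypothetical callbacks (`read_entry`, `show`) so it builds and runs on a PC; the PIN, keypresses and contact string are constructed placeholders. It also shows two details a hard-coded check tends to miss: comparing in constant time over a fixed-length buffer, and refusing further attempts for the rest of the boot after a small number of failures.

```c
/* Added example, not ShadowNAND/arm9loaderhax code: stage-2 PIN gate modelled
 * in plain C, with hardware input/output replaced by callbacks. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PIN_MAX_LEN      16
#define PIN_MAX_ATTEMPTS 3
/* Constructed placeholder; the owner would fill in real contact details. */
#define OWNER_CONTACT "If found, please contact: <owner-contact-placeholder>"

typedef enum { PIN_OK = 0, PIN_WRONG = 1, PIN_LOCKED = 2 } pin_result_t;

typedef struct {
    uint8_t  reference[PIN_MAX_LEN]; /* reference PIN, zero-padded */
    size_t   len;                    /* real length of the reference PIN */
    unsigned attempts;               /* wrong entries so far this boot */
} pin_gate_t;

/* Constant-time compare: run time does not depend on how many leading bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Copy an entry into a fixed zero-padded buffer so every compare covers PIN_MAX_LEN bytes. */
static size_t pad_entry(uint8_t out[PIN_MAX_LEN], const char *entry)
{
    size_t n = 0;
    while (n < PIN_MAX_LEN && entry[n] != '\0')
        n++;
    memset(out, 0, PIN_MAX_LEN);
    memcpy(out, entry, n);
    return n;
}

void pin_gate_init(pin_gate_t *g, const char *reference_pin)
{
    g->len = pad_entry(g->reference, reference_pin);
    g->attempts = 0;
}

/* One attempt. After PIN_MAX_ATTEMPTS wrong entries the gate stays locked for this boot. */
pin_result_t pin_gate_try(pin_gate_t *g, const char *entry)
{
    if (g->attempts >= PIN_MAX_ATTEMPTS)
        return PIN_LOCKED;
    uint8_t buf[PIN_MAX_LEN];
    size_t n = pad_entry(buf, entry);
    bool same = ct_equal(buf, g->reference, PIN_MAX_LEN); /* always full length */
    if (same && n == g->len)
        return PIN_OK;
    g->attempts++;
    return g->attempts >= PIN_MAX_ATTEMPTS ? PIN_LOCKED : PIN_WRONG;
}

/* Stage-2 boot decision. read_entry stands in for the button-input routine and
 * show for the screen driver (both hypothetical). Returns true only when the
 * chainload of /arm9loaderhax.bin from SD should proceed. */
bool stage2_pin_boot(pin_gate_t *g, const char *(*read_entry)(void *ctx),
                     void *ctx, void (*show)(const char *msg))
{
    const char *entry;
    while ((entry = read_entry(ctx)) != NULL) {
        pin_result_t r = pin_gate_try(g, entry);
        if (r == PIN_OK)
            return true;                  /* caller chainloads the payload */
        show(r == PIN_LOCKED ? "Locked: too many wrong PINs. Power off to retry."
                             : "Wrong PIN");
        show(OWNER_CONTACT);              /* contact info on every failure */
        if (r == PIN_LOCKED)
            return false;                 /* never chainload from here */
    }
    return false;                         /* input exhausted: stay put */
}

typedef struct { const char **items; size_t next; } script_t; /* scripted keypresses for the demo */

static const char *scripted_read(void *ctx)
{
    script_t *s = ctx;
    return s->items[s->next] ? s->items[s->next++] : NULL;
}
static void print_show(const char *msg) { puts(msg); }

int main(void)
{
    pin_gate_t g;
    pin_gate_init(&g, "2468");            /* constructed PIN for the demo */
    const char *keys[] = { "1111", "2468", NULL };
    script_t s = { keys, 0 };
    printf("chainload arm9loaderhax.bin: %s\n",
           stage2_pin_boot(&g, scripted_read, &s, print_show) ? "yes" : "no");
    return 0;
}
```

Two caveats worth keeping in mind when moving from a hard-coded PIN to one stored in NAND, as the thread plans: whatever reference value stage 2 reads is readable by anyone who can dump the NAND (the same hardmod that lets the owner restore it), so storing a salted hash of the PIN rather than the PIN itself, and running `ct_equal` over the digest instead, keeps a NAND dump from revealing the code directly. And the attempt counter above lives in RAM, so it resets on every power cycle; a lockout that survives a reboot would need stage 2 to write it back to NAND, with the failure handling that implies.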
 
