ARM9Loader -- Automated Brute-force Using Raspberry PI2?

Discussion in '3DS - Homebrew Development and Emulators' started by Selver, Feb 15, 2016.

  1. Selver
    OP

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Member
    203
    276
    Dec 22, 2015
    This is obviously only for N3DS.

    This thread is intended to spur discussion about whether it would be both feasible and relatively easy to automate ARM9Loader brute-forcing. I'll update the first post as major updates / answers arrive.

    It might not be practical at the moment, given progress made in other areas.

    However, future units shipping with 10.5+ might exclude other attack vectors.
     
  2. Selver
    OP
    Would something along these lines work?

    Here's a set of presumptions I have... basically what I think I understand:
    • I2C can be used to reboot the unit
    • GPIO pins can be used to write to the NAND
    • Homebrew/payloads can send messages via I2C
    • Homebrew/payloads can write memory with hax instructions
    • Homebrew/payloads can overwrite exception vectors to point to hax instructions
    • Reboot does not clear memory

    Would the following be an avenue that an attacker could use to automate / brute force ARM9Loader into branching into their own exception vector?

    Initial Setup

    High-level logic on RPI2

    If nothing technical prevents this from working, this would seem to reduce
    the complexity of the brute-force method.
     
    Last edited by Selver, Feb 17, 2016
  3. Slashcash

    Slashcash GBAtemp Fan

    Member
    334
    461
    Oct 15, 2015
    Italy
    From a theoretical point of view I don't see anything preventing this. Am I not considering something vital? This seems like a really fun task; if I wasn't stuck with an O3DS I would try to pursue this myself.
     
  4. DigitalJosee

    DigitalJosee Go your clever boy, and remember me!

    Member
    170
    57
    Jan 15, 2013
    Brazil
    Why doesn't this work with the O3DS?
     
  5. Selver
    OP
    I'm not 100% sure this couldn't work with an O3DS, once that O3DS was already fully rooted. But there are other options once rooted.

    Rather, can this be generalized in a way to break new N3DS shipping with 10.5+ firmware? Thus, the curiosity:
    • How feasible to automate this process?
    • How long would it have to run to find a usable result? (does it match the theory?)
    Smaller parts that may be needed

    The question is how low the bar actually is, not including initial development time. Can this be done with only RPI2, without additional electronic circuitry (voltage converters, resistors, capacitors, transistors, etc.)?

    For more thoughts on how long to find a usable result, see the ARM9Loader -- Technical Details and Discussion thread, specifically the section titled ARM9Loader v2 (2/3).
     
  6. Joom

    Joom  ❤❤❤

    Member
    3,897
    2,622
    Jan 8, 2016
    United States
    Wait, rebooting doesn't flush RAM? That seems like an incredibly dangerous flaw on Nintendo's part.
     
  7. Selver
    OP
    Correct. See 3dBrew.org for details.
     
  8. Selver
    OP
    Most eMMC devices also support SPI mode, if the RPI2 isn't easily able to control the device using CMD/CLK/DAT0.

    Question: Has anyone discovered which test points correspond to the I2C bus on the various 3DS models (2DS, O3DS, O3DS XL, N3DS, N3DS XL)?
     
  9. Syphurith

    Syphurith Beginner

    Member
    641
    222
    Mar 8, 2013
    Switzerland
    Xi'an, Shaanxi Province
    Thanks for your effort. However, hardware-related stuff is only sparsely covered on 3dbrew. But yes, you can still search for "Pinout" there.