This thread is intended to spur discussion about whether it would be both feasible and relatively easy to automate ARM9Loader brute-forcing. I'll update the first post as major updates / answers arrive.
It might not be practical at the moment, given progress made in other areas.
However, future units shipping with 10.5+ might exclude other attack vectors.
Here's a set of presumptions I have... basically what I think I understand:
I2C can be used to reboot the unit
GPIO pins can be used to write to the NAND
Homebrew/payloads can send messages via I2C
Homebrew/payloads can write memory with hax instructions
Homebrew/payloads can overwrite exception vectors to point to hax instructions
Reboot does not clear memory
Would the following be an avenue that an attacker could use to automate / brute force Arm9Loader into branching into their own exception vector?
Hardmod to dump NAND
Additional Hardmod to expose I2C externally
Create two custom payloads:
"I2C/OTP" payload, which would send a message via I2C, then dump OTP, then send a second message via I2C
"PrepHax" payload, which would send a message via I2C, overwrite the exception vectors to point to I2C/OTP payload, and then send a second message via I2C
Set up N3DS to auto-boot the "PrepHax" payload, such as via Theme
Have RPI2 set up to write NAND via GPIO
Connect the N3DS I2C to RPI2's I2C
Connect the N3DS DAT0/CLK/CMD to RPI2's GPIO
Initialize I2C in multi-master mode, exposing both slave and master
Set DAT0/CLK/CMD to not interfere with boot (float?)
Reboot via I2C, wait for timeout or an I2C message indicating Hax stage
I2C messages:
PrepHax started -- set another timeout, things are progressing
PrepHax complete -- reboot with sector 150 updated to next test values
I2C/OTP started -- set another timeout, things are progressing
I2C/OTP complete -- HALT! Potentially usable magic value found!
Timeouts (based on last I2C message):
PrepHax started -- memory not reliably set, random hax failure? Just reboot via I2C
PrepHax complete -- not usable special sector, reboot with sector 150 updated
I2C/OTP started -- Log as 'potential' values for sector 150, then reboot with sector 150 updated
If nothing technical prevents this from working, this would seem to reduce the complexity of the brute-force method.
From a theoretical point of view I don't see anything preventing this. Am I not considering something vital? This seems a really fun task; if I wasn't stuck with an O3DS I would try to pursue this way myself.
The question is how low the bar actually is, not including initial development time. Can this be done with only RPI2, without additional electronic circuitry (voltage converters, resistors, capacitors, transistors, etc.)?
Most eMMC devices also support SPI mode, if the RPI2 isn't easily able to control the device using CMD/CLK/DAT0. Question: Has anyone discovered which test points correspond to the I2C bus on the various 3DS models (2DS, O3DS, O3DS XL, N3DS, N3DS XL)?