Homebrew ARM9Loader -- Technical Details and Discussion

C

ChaosRipple

Well-Known Member
Member
Level 2
Joined
Oct 1, 2015
Messages
272
Trophies
0
Age
29
XP
183
Country
United States
Mrrraou said:
Well, it was read, but not launched. I don't even know if it was decrypted.
Click to expand...

If I understand how A9LH works, then it shouldn't be decrypted since the incorrect key will decrypt the FIRM and read it until it gets to the branch instruction jumping to your payload at the end of the FIRM.
 
Last edited by ChaosRipple, , Reason: grammar
  • Like
Reactions: Mrrraou
Mrrraou

Mrrraou

Well-Known Member
Member
Level 11
Joined
Oct 17, 2015
Messages
1,873
Trophies
0
XP
2,374
Country
France
iCEQB said:
I just rechecked the whole process in the CCC vid.

It goes like this (to my understanding):

We have to keep in mind that FIRM0/1 consists of an ARM9 loader and an encrypted ARM9 binary.

1) Since the 3DS doesn't check the used key in NAND against a test vector to see if the key is valid, we can put in any key we want w/o the 3DS bothering.
2) We take a large FIRM0 (10.2 in the current implementation) and plug in our payload on top of the FIRM0 binary.
3) FIRM0 binary gets loaded into memory on boot and the hash check fails, because of our payload in place -> signature does not match.
4) FIRM1 gets loaded by the 3DS as a fail safe if anything is wrong with FIRM0, like a partition corruption OR if the hash does not match.
5) FIRM1 needs to be smaller than FIRM0 and vulnerable (9.0 - 9.2 in current implementation).
6) The 3DS doesn't clear the memory from the FIRM0 binary, but just puts FIRM1 on top of the FIRM0 binary.
7) This keeps our payload from FIRM0 in tact, because FIRM1 is smaller and therefore doesn't overwrite it in RAM.
8) The ARM9 loader from the FIRM1 binary decrypts our key from point 1).
9) Our decrypted key from NAND (point 1) is then used to decrypt the ARM9 binary of FIRM1 to garbage (since it's not the correct key).
10) ARM9 loader tries to execute this decrypted garbage data and with luck it executes a branch instruction, which jumps to our payload which is still in RAM from the steps where FIRM0 was involved.

Looking at this we see that FIRM0 has to fail in order for FIRM1 to get loaded and executed etc.
So we should probably be able to always use the latest NATIVE_FIRM as FIRM0, even in decrypted form + the payload attached for FIRM1.
Because the has check NEEDS to fail anyway and it only does that because FIRM0 comes with our payload ... so we can even use the latest decrypted NATIVE_FIRM + payload as FIRM0.

So it go like this:

1) Install latest decrypted NATIVE_FIRM + payload as FIRM0
2) Console boots and loads FIRM0
3) Hash check fails just like in the current implementation
4) Read steps 4) - 10) above
5) Payload gains ARM9 kernel execution and then bootstraps our unsigend and decrypted ARM9 binary from FIRM0 which (as we know) is the latest NATIVE_FIRM.
Click to expand...
Okay. But do you have enough space ? And is loading it from a corrupted FIRM partition really worth it?
 
F

FR0ZN

Well-Known Member
Member
Level 13
Joined
Nov 2, 2013
Messages
1,387
Trophies
1
Age
37
XP
3,901
Country
United States
Mrrraou said:
Okay. But do you have enough space ? And is loading it from a corrupted FIRM partition really worth it?
Click to expand...

It's not corrupted, according to the CCC talk, FIRM0 is just "corrupted" because the has check doesn't pass, because our payload is at the end of the FIRM0 binary.
So FIRM0 consists of 1) ARM9 loader 2) ARM9 binary and 3) the payload.

Once FIRM1 gets exploited and our payload gains execution, it could do two things:

1) Skip ARM9 loader from FIRM0 and decrypt the ARM9 binary on its own (because we have the keys) and executes it.

or

2) We just use the decrypted ARM9 binary from FIRM0 (latest NATIVE_FRIM) as our actual FIRM0 image, so it just consists of 1) decrypted ARM9 binary and 2) the payload.
Once the payload gains execution, it just executes FIRM0 (which is the decrypted ARM9 binary) minus the payload.
This should work, because a decrypted ARM9 bianry + payload would also not pass the hash check, just like our current implementation does not.

And then you have the latest NATIVE_FIRM on NAND + the latest FW titles from the corresponding FW as sysNAND.
This way we don't have to boot external NATIVE_FIRM images and don't have to mix up different NATIVE_FIRM version and other titles from the latest FW version.

So we would have 100% latest FW and all it's componends but in sig patched environment.

I wouldn't worry about space in NAND, because the FIRM0/1 will only get bigger when Nintendo release new FW updates and they have them 2 times in there!
So our smaller 9.0 NATIVE_FIRM as FIRM1 will always give us enough space to mess with FIRM0.
 
Last edited by FR0ZN,
  • Like
Reactions: peteruk and RednaxelaNnamtra
dkabot

dkabot

Better With Others' Systems Than Their Own
Member
Level 5
Joined
Sep 9, 2014
Messages
1,042
Trophies
0
XP
626
Country
United States
iCEQB said:
It's not corrupted, according to the CCC talk, FIRM0 is just "corrupted" because the has check doesn't pass, becuase our payload is at the end of the FIRM0 binary.
So FIRM0 consists of 1) ARM9 loader 2) ARM9 binary and 3) the payload.

Once FIRM1 gets exploited and our payload gains execution, it could do two things:

1) Skip ARM9 loader from FIRM0 and decrypt the ARM9 binary on its own (because we have the keys)

or

2) We just use the decrypted ARM9 binary from FIRM0 (latest NATIVE_FRIM) as our actual FIRM0 image, so it just onsists of 1) Decrypted ARM9 binary and 2) the payload.
Once the payload gains execution, it just executes FIRM0 (which is the decrypted ARM9 binary) minus the payload.

And then you have the latest NATIVE_FIRM on NAND + the latest FW titles from the corresponding FW as sysNAND.
This way we don't have to boot external NATIVE_FIRM images and don't have to mix up different NATIVE_FIRM version and other titles from the latest FW version.

So we would have 100% latest FW and all it's componends but in sig patched environment.
Click to expand...
If you want to theorize about this, you might want to join #Cakey on freenode, apparently an SD-less firmlaunch is in the plans.
6:10 PM <Plailect> also we need firmlaunch from nand so we can boot without an SD card
Click to expand...

Edit: Apparently it was a grave mistake to name it. I shall accept my sentence with dignity.
 
Last edited by dkabot,
dark_samus3

dark_samus3

Well-Known Member
Member
Level 10
Joined
May 30, 2015
Messages
2,372
Trophies
0
XP
2,042
Country
United States
Well there is screen init code on my github... you can compile like regular arm9loaderhax and use the installer again, though currently I recommend only people with hardmods test at the moment... I'm currently working on the payload installer and as soon as it stops giving me issues and enough people with hardmods have tested the payloads I'll make a release with the installer, updated stage2 payload, and a few payloads that are able to take advantage of screeninit
 
  • Like
Reactions: Audioboxer, peteruk, Selver and 5 others
RednaxelaNnamtra

RednaxelaNnamtra

Well-Known Member
Member
Level 13
Joined
Dec 8, 2011
Messages
1,210
Trophies
1
XP
3,361
Country
Germany
Here is a alpha alpha version of my bootloader(including the bootloaderloader), were I included the screen init code, I added the "screenEnabled" value to the configuration file, to allow turning screen init on and off for payloads(default is off). 0 means off, 1 means on.
 

Attachments

  • bootloader-screen.zip
    31.7 KB · Views: 787
Last edited by RednaxelaNnamtra,
  • Like
Reactions: Syphurith, Februarysn0w, peteruk and 3 others
roflpwnt

roflpwnt

Well-Known Member
Newcomer
Level 4
Joined
Feb 24, 2016
Messages
70
Trophies
0
XP
451
Country
Canada
RednaxelaNnamtra said:
Here is a alpha alpha version of my bootloader(including the bootloaderloader), were I included the screen init code, I added the "screenEnabled" value to the configuration file, to allow turning screen init on and off for payloads(default is off). 0 means off, 1 means on.
Click to expand...

Just tested and working perfectly.
 
Svaethier

Svaethier

Well-Known Member
Member
Level 3
Joined
Dec 2, 2013
Messages
1,303
Trophies
0
Age
30
Location
Sault Ste. Marie, Michigan
Website
s6.zetaboards.com
XP
384
Country
United States
RednaxelaNnamtra said:
Here is a alpha alpha version of my bootloader(including the bootloaderloader), were I included the screen init code, I added the "screenEnabled" value to the configuration file, to allow turning screen init on and off for payloads(default is off). 0 means off, 1 means on.
Click to expand...
not sure how to get this to work with cakesfw xD i just get a black screen with the a9lh.bin.
 
R

runetoonxx2

GBATemp's Cancer
Member
Level 6
Joined
Jan 15, 2014
Messages
1,502
Trophies
0
Age
24
Location
The GBATemp
XP
763
Country
United States
to test do i just extract that sht to my sd root?

--------------------- MERGED ---------------------------

RednaxelaNnamtra said:
Here is a alpha alpha version of my bootloader(including the bootloaderloader), were I included the screen init code, I added the "screenEnabled" value to the configuration file, to allow turning screen init on and off for payloads(default is off). 0 means off, 1 means on.
Click to expand...
?
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Homebrew  A new way to experience StreetPass

Hacking Hardware  New Nintendo 3DS XL Louvre

Hardware  Why does my 3DS take so long to turn off?

What's the best 3DS emulator (especially after Citra's shutdown)?

Tutorial  How to fix 007-2001

can't download system files on citra because im "not connected to the internet"

gacube emeleter

So what's the current state of hacking and freeshop?

General chit-chat
Help Users
  • No one is chatting at the moment.
    SylverReZ @ SylverReZ: Lol Veho.