Homebrew ARM9Loader -- Technical Details and Discussion

[Syphurith]

Rei told me he keeps the hack secret for the future use. It's a right decision, I think.
--------------------- MERGED ---------------------------
Hmm, so he really did that. Thanks.

Checked this guy's tweet. https://twitter.com/AppleTinivi/with_replies Even 8.1J is supposed to be the lowest system version it actually isn't.
Well it is said that https://twitter.com/ryanrocks462/status/686996815892189184 However i don't know if there is anyone with that in rxtools team.
Maybe you could ask @motezazer if he has some clues. You might need ROP for CN to do so, i guess?
If without any improvements in salary, the only reasons for most chinese to get a master degree may be to play a little more and .. "XX is now master so i would be" lol.
I've heard the degree is expensive in most developed countries, and life in JPN is hard. Whatever, hope you a better life. Your skill is definitely better than me, yup.

N3DS downgraded to 1.0 allegedly.
Once the OTP has been dumped, is there any other use for it?
EDIT: Especially since multiple people have publicly pulled it off, the information isn't exactly a closely guarded secret at this point.

Yeah it's partially revealed. Some use that for arm9loaderhax, and some for keys. Amusing.

EDIT:: Yes i wanna OTP of my own console be dumped too.

 

[AHP_person]

Checked this guy's tweet. https://twitter.com/AppleTinivi/with_replies Even 8.1J is supposed to be the lowest system version it actually isn't.

That's my twitter

 

[Syphurith]

That's my twitter

I don't know that before~. How about running 1,0 on a N3DS? Have you get it dumped? If the ROP is written by yourself, i would really appreciate it.
Yeah i even saw guy running arm9loaderhax to just shut down the console, so it won't boot then (and it's not bricked either).. lol.

 

[AHP_person]

I don't know that before~. How about running 1,0 on a N3DS? Have you get it dumped? If the ROP is written by yourself, i would really appreciate it.
Yeah i even saw guy running arm9loaderhax to just shut down the console, so it won't boot then (and it's not bricked either).. lol.

Yeah, AlbertoSONIC said shutting it down would the easiest way to verify if it worked. I downgraded to 1.0 and used Normmatt's Cubic Ninja arm9 QR code for simplicity. After that I used the dumped OTP to force a branch instruction out of firm to my code. It's simple as that. Of course, though, downgrading to 1.0 requires some modifications to nand to simulate o3ds.

 

[Torx]

Without a hardmod is it possible to downgrade an emunand img of a n3ds to 1.0 to acquire the OTP of that n3ds?

 

[AHP_person]

Without a hardmod is it possible to downgrade an emunand img of a n3ds to 1.0 to acquire the OTP of that n3ds?

Emunand on 1.0 would be pointless, OTP would have been locked by the initial sysnand boot.

 

[Syphurith]

Yeah, AlbertoSONIC said shutting it down would the easiest way to verify if it worked. I downgraded to 1.0 and used Normmatt's Cubic Ninja arm9 QR code for simplicity. After that I used the dumped OTP to force a branch instruction out of firm to my code. It's simple as that. Of course, though, downgrading to 1.0 requires some modifications to nand to simulate o3ds.

How do you feel about the procedure? It could be better if one want to dump his/her own. BTW that's Normatt (orz)..
Simulate an O3DS.. That sounds weird, but great.. lol. I thought you've have quite some time to copy the titles from decrypted O3DS 1.0 dump to N3DS NAND..

 

[AHP_person]

How do you feel about the procedure? It could be better if one want to dump his/her own. BTW that's Normatt (orz)..
Simulate an O3DS.. That sounds weird, but great.. lol. I thought you've have quite some time to copy the titles from decrypted O3DS 1.0 dump to N3DS NAND..

I just converted a 1.0 nand's contents to cias. A few days after, I got my nand mod done, and I immediately started work from there. SysUpdater did all the title work for me

 

[173210]

I think we already have sufficient information to dump OTP.

 

[Selver]

N3DS downgraded to 1.0 allegedly.

Once the OTP has been dumped, is there any other use for it?
EDIT: Especially since multiple people have publicly pulled it off, the information isn't exactly a closely guarded secret at this point.

The OTP is one of the most closely held secrets on any N3DS. For example, the OTP is the secret used to create all the console-unique values. Therefore, having the OTP area dumped is extremely detrimental to the security of the N3DS. (Arguably, the O3DS was already broken due to firmware < 3.0.0 failing to lock out the OTP from reads...).

The method of dumping the OTP is still fairly well guarded, I think. Moreover, because the actual OTP values are console-unique, the actual OTP values are only directly relevant to a particular console.

 

[MassExplosion213]

The OTP is one of the most closely held secrets on any N3DS. For example, the OTP is the secret used to create all the console-unique values. Therefore, having the OTP area dumped is extremely detrimental to the security of the N3DS. (Arguably, the O3DS was already broken due to firmware < 3.0.0 failing to lock out the OTP from reads...).

The method of dumping the OTP is still fairly well guarded, I think. Moreover, because the actual OTP values are console-unique, the actual OTP values are only directly relevant to a particular console.

The method isn't that well guarded. It's been explained in several places. DG to 1.0, do some trickery with the NAND so it will boot, use CN plus Normmatt's QR to load an OTP dumper.

 

[guitarheroknight]

Pardon my ignorance guys, but what does OTP stand for? What is it used for? Also, now that the crypto keys are leaked, can Nintendo change them or is it in the same basket as the O3DS?

 

[Syphurith]

Pardon my ignorance guys, but what does OTP stand for? What is it used for? Also, now that the crypto keys are leaked, can Nintendo change them or is it in the same basket as the O3DS?

OTP=One Time Programmable (or similar) Memory. Good to use for factory and is a good place to hide those.
To your second question, there isn't much place for them to hide something now, and bootrom can not be updated without a hardware revision.
BTW I doubt if OTP is encrypted, and if that is simply calculated from something related to console, ie console product serial. If that is revealed, good for bricked guys.

 

[Syphurith]

@AHP_person I've seen that video from your twitter minutes ago. So you've achived basic arm9loaderhax (with sigpatch)?
Congrats. However to make it resistance to firmware update thus install new FIRM to another section of NAND might be needed..
--------------------- MERGED ---------------------------
It is still far from a totally stable one. Yeah once you can port that easily it would begin to bloom. @173210
--------------------- MERGED ---------------------------
I wouldn't mention the text here is actually for filling the long blank..lol
Quit pity since you can only fill 'auto' inside a brace of 'MERGED' and those are all case-sensitive.

 

[Earth97]

@AHP_person I've seen that video from your twitter minutes ago. So you've achived basic arm9loaderhax (with sigpatch)?
Congrats. However to make it resistance to firmware update thus install new FIRM to another section of NAND might be needed..
--------------------- MERGED ---------------------------
It is still far from a totally stable one. Yeah once you can port that easily it would begin to bloom. @173210
--------------------- MERGED ---------------------------
I wouldn't mention the text here is actually for filling the long blank..lol
Quit pity since you can only fill 'auto' inside a brace of 'MERGED' and those are all case-sensitive.

If full arm9loaderhax is achieved, could an end-user solution be developed that lets people use arm9hax to boot early into CFW? Would this require a hardmod?

 

[Syphurith]

If full arm9loaderhax is achieved, could an end-user solution be developed that lets people use arm9hax to boot early into CFW? Would this require a hardmod?

I don't know. It would require hard-mod for its beginning stages. And yes having a hardmod and valid nand dump could save your console.
It is said that with ARM9 kernel access you could set those region inside NAND up. But that is not implemented publicly now.

 

[zecoxao]

edited to avoid the rage of the allmighty MATH, maker of all the exploits and owner of all the internal crap

 

[WilliamO7]

would it be possible to dump the bootrom by performing a trick similar to the xbox360 trick? (pulling the reset line on early boot stages)

Probably not likely, but on the topic of the 360...

I was thinking about Freeboot (or hacked Xbox 360 nand to allow homebrews, custom dashes, etc.) and if something similar could come out of this with a hardmodded N3DS or something. it seems possible from what I see lol [emoji1]

 

[AHP_person]

@AHP_person I've seen that video from your twitter minutes ago. So you've achived basic arm9loaderhax (with sigpatch)?
Congrats. However to make it resistance to firmware update thus install new FIRM to another section of NAND might be needed..

It was more of a PoC since a console shutdown was sort of lame. From here on, hopefully I can get some more work done ^^'

 

[Syphurith]

It was more of a PoC since a console shutdown was sort of lame. From here on, hopefully I can get some more work done ^^'

Suggest you to get a list of what should be done for this. IE
1.Startup menu? This could also be triggered when you exit MSET or what.
2.Firmware update modification. This should be necessary if you want to update system version.
3.Living threads for ARM9 and also ARM11. This could be hard.
More to come once you've watched salthax video and read the menu..
Time for me to sleep now.. Don't bother to contact more guys, including 173210 or others you trust to have it developed a little easier.