Homebrew ARM9Loader -- Technical Details and Discussion

[Shadowtrance]

I'm trying to get some more buddies to help, but people with hard mods and the knowledge needed aren't easy to come by -0-.

I have hard mods As for the knowledge needed, not sure there. haha

 

[cpasjuste]

I have hard mods As for the knowledge needed, not sure there. haha

Same here. I'm a little developer not a hacker, but I have an hardmod if needed ..

 

[AHP_person]

I have hard mods As for the knowledge needed, not sure there. haha

Same here. I'm a little developer not a hacker, but I have an hardmod if needed ..

Just make sure you hold onto those, then ;0

 

[cpasjuste]

Just make sure you hold onto those, then ;0

Don't worry, we are

 

[Reisyukaku]

Well, since the cat is out of the bag (kinda...), my idea (which has yet to be tested), that actually happens to be inspired from an existing xbox360 hack, is to pull the reset line for the ARM SOC for a shorter amount of time than the officially documented/required 5 clock cycles (cf. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3980.html ) in order to clear registers while having the ARM9 still running our code, this could be achieved as an automated and carefully timed process with a bit of soldering skill and an adruino board.

The concept would be to run a loop that would copy ordinarily unmapped locations somewhere else in memory for a later possible retrieval (somewhere that doesn't get overwritten after a reboot), as setting such a state on the CPU could potentially render it (and the whole system) quite unstable.

The idea relies on the fact that on most cpu architectures, one of the first step performed during reset is clearing the registers; assuming the bootrom is a mask rom that is mapped to memory which then later becomes inaccessible when a specific register is set, if said register gets cleared the area should become accessible again (again, this is, at this point, theoretical until proven otherwise)

I wanted to try this first and, should it work, document it in a proper place (like a wiki) rather than on gbatemp. I appears I wasn't given much of a choice in this matter.

P.S. Yes, I am aware of the documented (on 3dbrew) exception vectors vulnerability, the hack referenced in my post however, should it work, would be a lot easier to pull off.

This sounds like a similar idea to what me and friends discussed for our bootrom ideas.

I'm trying to get some more buddies to do the work for me, but people with hard mods and the knowledge needed aren't easy to come by -0-.

(^:

 

[AHP_person]

(^:

y u do dis 2 me

 

[Suiginou]

y u do dis 2 me

Go do your own fucking work, leaker.

 

[AHP_person]

Go do your own fucking work, leaker.

wat

EDIT: Could you please elaborate? I'd like to know where that came from.

 

[laramie]

yeah LEaker! all you do is leak your work that really never gets leaked by you but by some other asshole! how dare you be a dev! you're such a dick!

--------------------- MERGED ---------------------------

He doesn't even go to this school!

 

[OctopusRift]

Go do your own fucking work, leaker.

What hole did you grow out of lol. This is the guy who wrote sig patching. @AHP_person is bae.

 

[Syphurith]

Go do your own fucking work, leaker.

Well please don't be so serious.. would you? I admit he leaked the work of Roxas, and i even recovered some of those from binary before.
To have something claimed should always happen after having it done. I'm not here to offend you, (dont believed? quite sorry) you (might) know.
He has achived arm9loaderhax and checked if it is or not in a werid (and clever) way, orz. You can not say a guy won't change.
Even before reading his tweet I thought something similar about him. And that made me down-looked his ability.

This sounds like a similar idea to what me and friends discussed for our bootrom ideas.
(^:

Hi Rei how about the result of your discussion before? Is that something similar to "1 RESET so no" or some reasons else?
I read quite some representations of CCC about console hacking, and crypto attack, after 32C3 that good talk.
Unfortunately those aren't related to chip attacking much. What i could find is just some DPA(Differential Power Analysis) and MicroProbing.
Thanks for your effort on those keyslots! now this arm9loaderhax might be portable to another console.
--------------------- MERGED ---------------------------
@mathieulh They used to post about details on 3dbrew, yes. And if you wanna keep it for a while, you might post on your own blog? nocash may be interested in such thing.

 

[Reisyukaku]

Well please don't be so serious.. would you? I admit he leaked the work of Roxas, and i even recovered some of those from binary before.
To have something claimed should always happen after having it done. I'm not here to offend you, (dont believed? quite sorry) you (might) know.
He has achived arm9loaderhax and checked if it is or not in a werid (and clever) way, orz. You can not say a guy won't change.
Even before reading his tweet I thought something similar about him. And that made me down-looked his ability.

Hi Rei how about the result of your discussion before? Is that something similar to "1 RESET so no" or some reasons else?
I read quite some representations of CCC about console hacking, and crypto attack, after 32C3 that good talk.
Unfortunately those aren't related to chip attacking much. What i could find is just some DPA(Differential Power Analysis) and MicroProbing.
Thanks for your effort on those keyslots! now this arm9loaderhax might be portable to another console.
--------------------- MERGED ---------------------------
@mathieulh They used to post about details on 3dbrew, yes. And if you wanna keep it for a while, you might post on your own blog? nocash may be interested in such thing.

Well to the first thing, i think Suiginou is talking about more than just rx stuff lol.

Secondly, the idea was built around the hardware fault injection idea, but i dont want to say too much lol

 

[Syphurith]

Well to the first thing, i think Suiginou is talking about more than just rx stuff lol.
Secondly, the idea was built around the hardware fault injection idea, but i dont want to say too much lol

Thanks for reply. I know Suiginou is talking about Roxas.. Hardware fault injection.. Yeah get enough facilities first, I was just speculation..
Still quite pity that i can not have you invited into a chat room yesterday.. Maybe some days after. Hope your developments go well.

 

[Reisyukaku]

Thanks for reply. I know Suiginou is talking about Roxas.. Hardware fault injection.. Yeah get enough facilities first, I was just speculation..
Still quite pity that i can not have you invited into a chat room yesterday.. Maybe some days after. Hope your developments go well.

Chatroom? :x

 

[Syphurith]

Chatroom? :x

Isn't a conversation a chat room that with logs.. So i don't need to find an irc bot or something. You can try open such one on gbatemp too to contact with other..
BTW have you got a copy of leaked IDA pro 6.8? Try find it via Google. Yeah this is some kind of offtopic.
A big problem for arm9loaderhax is now how to load a big payload, the NAND read or what SDMMC sucks.

 

[cpasjuste]

Hi,

Is there more information's around to dump otp ? I'd like to play with @delebile arm9loader but I guess this could be a deal breaker with my knowledge :/

 

[Reisyukaku]

Hi,

Is there more information's around to dump otp ? I'd like to play with @delebile arm9loader but I guess this could be a deal breaker with my knowledge :/

fastest way is to downgrade to 1.0

 

[cpasjuste]

fastest way is to downgrade to 1.0

Yep I understand that, but then I just have to dump the otp memory region (0x10012000-0x10012100) ? It's that "simple" ? If I make a mistake and dump a bad region, is this " dangerous" for the device when executing the hack ?

 

[Reisyukaku]

Yep I understand that, but then I just have to dump the otp memory region ? From arm9 ? It's that "simple" ? If I make a mistake and dump a bad region, is this " dangerous" for the device when executing the hack ?

Yea, its not locked so just dump from arm9. The catch is that proc9 hooks dont seem to work so your best bet is fatfs. Personally i just wrote a payload ontop of 'load.bin' that normmatt's cubic ninja payload runs.

 

[cpasjuste]

Yea, its not locked so just dump from arm9. The catch is that proc9 hooks dont seem to work so your best bet is fatfs. Personally i just wrote a payload ontop of 'load.bin' that normmatt's cubic ninja payload runs.

OK, many thanks for the clarification

I didn't get that I would need cubic, what a shame I gave mine a few weeks ago to a friend (far from me)... stupid me. I guess I'll have to wait to find a cheap one or for another entry.

Thanks again.