> I'm trying to get some more buddies to help, but people with hard mods and the knowledge needed aren't easy to come by -0-.

I have hard mods. As for the knowledge needed, not sure there. haha
> I have hard mods. As for the knowledge needed, not sure there. haha

Same here. I'm a little developer, not a hacker, but I have a hardmod if needed..
> Same here. I'm a little developer, not a hacker, but I have a hardmod if needed..

Just make sure you hold onto those, then ;0
> Just make sure you hold onto those, then ;0

Don't worry, we are
> Well, since the cat is out of the bag (kinda...), my idea (which has yet to be tested), which actually happens to be inspired by an existing Xbox 360 hack, is to pull the reset line of the ARM SoC for a shorter amount of time than the officially documented/required 5 clock cycles (cf. http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.faqs/ka3980.html ) in order to clear registers while the ARM9 is still running our code; this could be achieved as an automated and carefully timed process with a bit of soldering skill and an Arduino board.
> The concept would be to run a loop that would copy ordinarily unmapped locations somewhere else in memory for possible later retrieval (somewhere that doesn't get overwritten after a reboot), as setting such a state on the CPU could potentially render it (and the whole system) quite unstable.
> The idea relies on the fact that on most CPU architectures, one of the first steps performed during reset is clearing the registers; assuming the bootrom is a mask ROM that is mapped to memory which later becomes inaccessible when a specific register is set, if said register gets cleared the area should become accessible again (again, this is, at this point, theoretical until proven otherwise).
> I wanted to try this first and, should it work, document it in a proper place (like a wiki) rather than on gbatemp. It appears I wasn't given much of a choice in this matter.
> P.S. Yes, I am aware of the documented (on 3dbrew) exception vectors vulnerability; the hack referenced in my post, however, should it work, would be a lot easier to pull off.

This sounds like a similar idea to what my friends and I discussed for our bootrom ideas.
> I'm trying to get some more buddies to do the work for me, but people with hard mods and the knowledge needed aren't easy to come by -0-.

(^:
> Go do your own fucking work, leaker.

wat
> Go do your own fucking work, leaker.

What hole did you grow out of lol. This is the guy who wrote sig patching. @AHP_person is bae.
> Go do your own fucking work, leaker.

Well, please don't be so serious.. would you? I admit he leaked the work of Roxas, and I even recovered some of those from binary before.
> This sounds like a similar idea to what my friends and I discussed for our bootrom ideas.

Hi Rei, how about the result of your discussion before? Is it something similar to "1 RESET so no" or some other reason?
> Well, please don't be so serious.. would you? I admit he leaked the work of Roxas, and I even recovered some of those from binary before.

Well, to the first thing, I think Suiginou is talking about more than just rx stuff lol.
Claiming something should always happen after having done it. I'm not here to offend you (don't believe it? quite sorry), you (might) know.
He has achieved arm9loaderhax and checked whether it is or not in a weird (and clever) way, orz. You cannot say a guy won't change.
Even before reading his tweet I thought something similar about him, and that made me look down on his ability.
> Hi Rei, how about the result of your discussion before? Is it something similar to "1 RESET so no" or some other reason?
I read quite some presentations from CCC about console hacking and crypto attacks, after that good 32C3 talk.
Unfortunately those aren't related to chip attacking much. What I could find is just some DPA (Differential Power Analysis) and microprobing.
Thanks for your effort on those keyslots! Now this arm9loaderhax might be portable to another console.
--------------------- MERGED ---------------------------
@mathieulh They used to post details on 3dbrew, yes. And if you wanna keep it for a while, you might post on your own blog? nocash may be interested in such a thing.
> Well, to the first thing, I think Suiginou is talking about more than just rx stuff lol.
> Secondly, the idea was built around the hardware fault injection idea, but I don't want to say too much lol

Thanks for the reply. I know Suiginou is talking about Roxas.. Hardware fault injection.. Yeah, get enough facilities first, I was just speculating..
> Thanks for the reply. I know Suiginou is talking about Roxas.. Hardware fault injection.. Yeah, get enough facilities first, I was just speculating..
> Still quite a pity that I could not have you invited into a chat room yesterday.. Maybe some days later.

Chatroom? :x
Hope your developments go well.
> Chatroom? :x

Isn't a conversation a chat room with logs.. So I don't need to find an IRC bot or something. You can try opening one on gbatemp too to contact others..
> Hi,
> Is there more information around on how to dump the OTP? I'd like to play with @delebile's arm9loader but I guess this could be a deal breaker with my knowledge :/

Fastest way is to downgrade to 1.0.
> Fastest way is to downgrade to 1.0.

Yep, I understand that, but then I just have to dump the OTP memory region (0x10012000-0x10012100)? Is it that "simple"? If I make a mistake and dump a bad region, is this "dangerous" for the device when executing the hack?
> Yep, I understand that, but then I just have to dump the OTP memory region? From ARM9? Is it that "simple"? If I make a mistake and dump a bad region, is this "dangerous" for the device when executing the hack?

Yeah, it's not locked, so just dump it from ARM9. The catch is that proc9 hooks don't seem to work, so your best bet is FatFs. Personally I just wrote a payload on top of 'load.bin' that Normmatt's Cubic Ninja payload runs.
> Yeah, it's not locked, so just dump it from ARM9. The catch is that proc9 hooks don't seem to work, so your best bet is FatFs. Personally I just wrote a payload on top of 'load.bin' that Normmatt's Cubic Ninja payload runs.

OK, many thanks for the clarification.