Hacking Atmosphere-NX - Custom Firmware in development by SciresM

[SciresM]

The development so far is focused on exo (secure monitor). To work on it, you need to run it on Hardware. The visible CFW parts - services and kernel patches will probably (hopefully!) land mostly after the initial release. The initial kernel / service patching should be quite bare-bones. (Assuming EL2 emunand).



As I understand it, the trustzone execution is not patch-able and has been disclosed already (including how to get there on 1.0.).

It is absolutely patchable and Nintendo does not know how it works specifically on firmwares higher than 1.0.0, at the moment.

Once it's patched, that's basically game over for non bootromhax-based TrustZone pwn for the console's lifetime...the Secure Monitor is pretty flawless from a security PoV except for the "running on NV's Tegra platform" thing.

 

[Onibi]

It is absolutely patchable and Nintendo does not know how it works specifically on firmwares higher than 1.0.0, at the moment.

Once it's patched, that's basically game over for non bootromhax-based TrustZone pwn for the console's lifetime...the Secure Monitor is pretty flawless from a security PoV except for the "running on NV's Tegra platform" thing.

Oh, I see. I must have misunderstood the scenario a bit. Your write-up is very nice, but it seems I still don't have a complete grasp on what is completely broken and what is not.

Thanks, sad, but in that case I can see the issue Would have been interesting to contribute. Thanks for clarifying this a bit more.

 

[Earth4Heaven]

Late but congrats on achieving such a milestone. We watch as spectators, never knowing how much hard work goes into developing such a project. So many thanks to you, Tux, and the rest of the crew.

 

[Solid924]

Sadly I think not. Everyone say Nintendo improved the security a lot and won't allow that very easily.

What can appear later is a similar app but that could download locally from other server the backups, but I'm sure Nintendo would close that servers very fast and the owners get jailed, I would never risk making a server like that my self...

Well, the Wii U USB Helper exists and works like a charm. So maybe something like that would be possible.

 

[SciresM]

As of today, Atmosphere's TrustZone re-implementation officially manages to boot to the home menu!

Still work to be done and bugs to fix, but @TuxSH and I have been working super hard on this, and it's great to see stuff working

 

[innercy]

As of today, Atmosphere's TrustZone re-implementation officially manages to boot to the home menu!

Still work to be done and bugs to fix, but @TuxSH and I have been working super hard on this, and it's great to see stuff working

you using 1.0 firmware?

 

[reminon]

you using 1.0 firmware?

He's stated multiple times that 1.0 is the firmware he is focusing on.

 

[Dmafra]

He's stated multiple times that 1.0 is the firmware he is focusing on.

But what is that 2.0.0 on the botton of the screen?

 

[reminon]

But what is that 2.0.0 on the botton of the screen?

Emunand is the best answer imo.

 

[TheCyberQuake]

Emunand is the best answer imo.

He doesn't have emuNAND yet. He only just got a custom trustzone booting, which is exosphere. According to github he hasn't finished exosphere nor started thermosphere, which is where emunand work will be done. Please do some research before just giving answers and assumptions.

 

[Dmafra]

So there is already a Bind of isaac installed on emunand?
Cuz the error appears on botw cartridge

 

[reminon]

He doesn't have emuNAND yet. He only just got a custom trustzone booting, which is exosphere. According to github he hasn't finished exosphere nor started thermosphere, which is where emunand work will be done. Please do some research before just giving answers and assumptions.

I did say it was my opinion..not full verified truth, and I was basing it on their talk of nand dumps earlier in discord. I gave an opinion. I don't see why he would preach 1.0, then tease on 2.0. Not to mention it appears to warmboot into another firmware. Im sorry senpai...I will ask your permission before I post again.

 

[SciresM]

I did say it was my opinion..not full verified truth, and I was basing it on their talk of nand dumps earlier in discord. I gave an opinion. I don't see why he would preach 1.0, then tease on 2.0. Not to mention it appears to warmboot into another firmware. Im sorry senpai...I will ask your permission before I post again.

I'm testing on my 2.0.0 console for my own personal convenience (I like my decals). It's still true 1.0.0 will get stuff earlier than 2.0.0. emuNAND hasn't been implemented or even worked on yet.

In other news, I fixed that gamecart bug, and I can now play BotW with Exosphere running.

That's our first issue closed: https://github.com/SciresM/Atmosphere-NX/issues/5 -- many more to go!

 

[TheCyberQuake]

I'm testing on my 2.0.0 console for my own personal convenience (I like my decals). It's still true 1.0.0 will get stuff earlier than 2.0.0. emuNAND hasn't been implemented or even worked on yet.

In other news, I fixed that gamecart bug, and I can now play BotW with Exosphere running.

That's our first issue closed: https://github.com/SciresM/Atmosphere-NX/issues/5 -- many more to go!

Lol I was just about to reply saying you likely have multiple consoles on different firmwares to test things but now that's verified.

 

[machinoman]

He doesn't have emuNAND yet. He only just got a custom trustzone booting, which is exosphere. According to github he hasn't finished exosphere nor started thermosphere, which is where emunand work will be done. Please do some research before just giving answers and assumptions.

It’s not emunand? But then what is the video showing? Now I am lost.

 

[TheCyberQuake]

It’s not emunand? But then what is the video showing? Now I am lost.

The video is showing that his custom trustzone code now works well enough to boot into the home menu. He hasn't implemented emunand yet but that will be worked on after exosphere gets complete (exosphere is the project name for custom trustzone)

 

[TR_mahmutpek]

First of all, Good work! And I want to ask;
Why we need emunand? I mean in ps3 we can install custom ps3 system (custom pup files). Why we dont do this on switch. We already have master keys. İsnt it easier to make emunand?

 

[TheCyberQuake]

First of all, Good work! And I want to ask;
Why we need emunand? I mean in ps3 we can install custom ps3 system (custom pup files). Why we dont do this on switch. We already have master keys. İsnt it easier to make emunand?

Several reasons why
Simple answer: they don't work the same

Complicated answer:
The only reason we install custom pups on ps3 is because we got the key to sign the firmware files ourself due to kinda broken crypto in one firmware version. It installs as a legitimate ps3 update so it just works.

On switch we don't have those keys, so we can not legit sign firmware files like we can on ps3. We could just patch signatures for the firmware if we had a public bootrom exploit, as that would give us code exec at boot. Because we don't have that publicly yet, we use emunand. In most cases, the main purpose of emunand is to keep your system on a lower firmware sysNAND for security holes, and from there booting an updated emunand for online/new games while still keeping those security holes from your sysNAND open in the newer firmware.

Edit: the main difference is public and private keys. What the switch devs got are the public keys. Nintendo has private keys that sign different things like firmwares. On ps3 we got the private key for one firmware version. That hasn't been obtained on switch, and usually you don't obtain private keys unless someone leaks them from inside the company somehow.

 

[TR_mahmutpek]

Several reasons why
Simple answer: they don't work the same

Complicated answer:
The only reason we install custom pups on ps3 is because we got the key to sign the firmware files ourself due to kinda broken crypto in one firmware version. It installs as a legitimate ps3 update so it just works.

On switch we don't have those keys, so we can not legit sign firmware files like we can on ps3. We could just patch signatures for the firmware if we had a public bootrom exploit, as that would give us code exec at boot. Because we don't have that publicly yet, we use emunand. In most cases, the main purpose of emunand is to keep your system on a lower firmware sysNAND for security holes, and from there booting an updated emunand for online/new games while still keeping those security holes from your sysNAND open in the newer firmware.

Edit: the main difference is public and private keys. What the switch devs got are the public keys. Nintendo has private keys that sign different things like firmwares. On ps3 we got the private key for one firmware version. That hasn't been obtained on switch, and usually you don't obtain private keys unless someone leaks them from inside the company somehow.

Great explain, thx! Understood, off topic but I am thinking that for ps4 but we are low chance for emunand :/ Its just a kernel exploit, not a bootrom, not even a anykey.

 

[TheCyberQuake]

Great explain, thx! Understood, off topic but I am thinking that for ps4 but we are low chance for emunand :/ Its just a kernel exploit, not a bootrom, not even a anykey.

They could probably do emunand if they wanted to. Doesn't require bootrom. Likely kernel would be enough. But in my experience most other consoles devs don't seem interested in emunand