Yes there is a bootrom exploit. But without that release you don't have brick protection. The TZ exploits aren't permanent like a bootrom exploit, you'll need to relaunch the exploit from sysNAND to get back to cfw emuNAND. It's like cfw emuNAND on 3ds before a9lh. SysNAND was not brick protected. If we had brick protection it would negate the need for emuNAND because we would have code execution early enough to just apply cfw to an updated sysNAND.
Wait, hang on... I assumed that TZH would be coldboot and a one-time install thing. Is that not the case?
No its not. It's like 3ds loading cfw with hbl before a9lh. It requires an entry point on sysNAND to enter cfw emuNAND, right now being the browser. Will require reloading the exploit every time you reboot the console, just like the current hbl exploit. I don't know where everyone gets the idea its a one and done thing, which would require coldboot exploit like bootrom.
You don't flash TZ or sysNAND. You would need either nintendo's private keys to resign it afterward to prevent a system panic, or code executing early enough to patch signature checks of those files.
I don't quite understand why you keep using this example, because as far as I'm aware the reason we couldn't coldboot on 3DS is because we didn't have control over anything early enough in the boot process to fakesign boot code. In this case, TrustZone is the hypervisor and in theory should be able to load anything it's told to if it's modified
Also makes me want to get a third one, since I now understand the limits of the softmod fully ... Bootrom bug clearly THE way to go
This isn't a persistent exploit. This is not a boot time exploit. It takes over TZ after boot. You would need to take over the system BEFORE TZ starts in order to take control of TZ at boot, ie a bootrom exploit. Deja vu doesn't install anything to the system. It's even explained in the github that in lieu of a bootrom exploit release, they are using emuNAND. Because without the bootrom exploit we can't control the system at boot.
Ok, THAT was the explanation I was looking for, and I guess after thinking about it that makes sense; modifying TZ would invalidate the key the bootloader is looking for and make the system unbootable
I know you did, I just didn't fully understand what you were talking about
But wait, didn't failoverflow etc. tease that they had cold boot software ability? I think that is why we assumed that TZ would be cold boot able
Yeah, it's confirmed multiple devs have bootrom exploit. Even reswitched (including SciresM) has it. It just won't be released for a while.I think I have to correct myself. It's not the fuses but the BCT (http://switchbrew.org/index.php?title=BCT#bootloader0_info and bct_signature) which is signed and creates the issue. The problem as understood is the same thou. Essentially, as said, the trust chain can not be broken and is provided by the bootloader before the TZ.
--------------------- MERGED ---------------------------
But wait, didn't failoverflow etc. tease that they had cold boot software ability? I think that is why we assumed that TZ would be cold boot able
He does have it. Just won't release it for a while. Unsure why since now we know it's being patched in a hardware revision anyway.Yes, the "fusée gelée" bug and the failoverflow bugs are both claimed to be cold boot software bugs
So I think we where not too far of to have mixed that in with the TZ exploit ... Shouldn't SciresM have access to it and include it into the CFW deployment?
@
RedColoredStars:
@
SylverReZ:
