Hacking Can 3DS downgrade to firmware 10.1 max?

Status
Not open for further replies.

CeeDee

fuckin dork
Member
Joined
May 4, 2014
Messages
5,360
Trophies
2
XP
9,911
Country
United States
That's right, I think it sums up everything important.
Awesome! I'm hyped now.

Also I think this means smea wasn't lying - there's no kernel code running and there's no >9.2 kernel, but with SVC downgrading/legit CIAs are possible. Is SVC "privileged code"?
 

smealum

growing up sucks.
Member
Joined
May 1, 2006
Messages
635
Trophies
2
Age
31
Location
SF
Website
www.smealum.net
XP
2,516
Country
United States
ok so as entertaining as this is, it doesn't seem nice to let people speculate and possibly get excited over nothing. so, i'll address the big thing i guess:

As seen twice in the 2.5 payload:
Code:
ROM:000054D8                 SVC             0x7B ; '{'
And 0x7B is for svcBackdoor
(and this is used)

if you open up any of the payloads in a hex editor, you will indeed find that code. this is apparently significant because this syscall lets processes that have access to it execute arbitrary code in kernel mode. sounds amazing, right? of course the thing is that no process actually has access to it, so you'd need some kind of exploit to use it. therefore, there has to be some kind of exploit hidden away that gives the current process access to it, right? smea's a liar and thought no one would find his secret kernel exploit, right?

as you've probably guessed by now, no, that's not what's going on. the truth of the matter is that unlike what Mrrraou claims, this code is not used by anything. sure, the svcBackdoor function exists, and it *is* called by another function... but the function in question is not called by anything, ever. this is just a remnant of some old debugging code in app_bootloader which only ran on 9.2.

here's a screenshot of the actual code, and how it's not called anymore:

[screenshot: upload_2015-11-13_14-6-28.png]

[screenshot: upload_2015-11-13_14-6-58.png]

and if you still don't believe me just ask anyone who knows how to read arm disassembly to take a look, and they'll be able to confirm that invalidate_icache isn't called anywhere in app_bootloader. another thing you could do for proof is modify the payload: just replace the svc 0x7b instruction with an undefined instruction (like 0xffffffff); this way, if the function *is* called, it'll crash. if it's not, it'll just keep working the way it always does.
 
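The two checks smealum describes above (is the SVC 0x7B site reachable from anything that actually runs, and what happens if you overwrite it with an undefined instruction) can be scripted rather than done by hand in a hex editor. The block below is an added example and is not code from smealum, from app_bootloader or from any 3DS project. It assumes a little-endian A32 (ARM) image loaded at base 0, that calls are direct unconditional BL instructions, and that function boundaries are supplied by the caller (on a real payload you would take them from a disassembler); the 64-byte sample image, its function table and the names `entry`, `live_helper` and `dead_debug` are constructed for illustration. It finds every unconditional `SVC #0x7B`, lists which function contains it and which functions BL into that function, walks the BL call graph from the entry function to decide whether the site is live, and produces the patched copy with the SVC replaced by `0xFFFFFFFF` for the runtime test.

```python
"""Static check for a dormant svcBackdoor (SVC 0x7B) site in an ARM payload.

Added example, not code from smealum or from any 3DS homebrew project.
Assumptions (for illustration): little-endian A32 image at base 0, direct BL
calls only, function ranges supplied by the caller. SAMPLE is a hand-built
image, not a real payload.
"""
import struct

SVC_BACKDOOR = 0x7B
ARM_UNDEFINED = 0xFFFFFFFF   # cond=1111 with bits 27:20 = 0xFF: UNDEFINED in A32


def iter_words(blob):
    """Yield (offset, 32-bit word) for each aligned A32 instruction slot."""
    for off in range(0, len(blob) - 3, 4):
        yield off, struct.unpack_from("<I", blob, off)[0]


def find_svc(blob, imm):
    """Offsets of every unconditional 'SVC #imm' (encoding 0xEF000000 | imm)."""
    return [off for off, w in iter_words(blob) if w == (0xEF000000 | imm)]


def bl_target(off, word):
    """Branch target of an unconditional BL at 'off', or None if not a BL."""
    if (word >> 24) != 0xEB:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit field
        imm24 -= 1 << 24
    return off + 8 + (imm24 << 2)   # in A32 the PC reads as insn address + 8


def call_sites(blob):
    """Map BL offset -> target address for every BL in the image."""
    sites = {}
    for off, w in iter_words(blob):
        target = bl_target(off, w)
        if target is not None:
            sites[off] = target
    return sites


def containing_function(funcs, addr):
    """Name of the function whose [start, end) range contains addr, else None."""
    for name, start, end in funcs:
        if start <= addr < end:
            return name
    return None


def reachable_functions(blob, funcs, entry):
    """Set of function names reachable from 'entry' along direct BL edges (DFS)."""
    calls = call_sites(blob)
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        start, end = next((s, e) for n, s, e in funcs if n == fn)
        for off, target in calls.items():
            if start <= off < end:
                callee = containing_function(funcs, target)
                if callee and callee not in seen:
                    stack.append(callee)
    return seen


def patch_svc_to_undefined(blob, imm):
    """Copy of blob with every 'SVC #imm' replaced by an undefined word.

    This is the runtime experiment from the post: if the patched payload still
    runs, the SVC was never executed; if it faults, something did reach it.
    """
    out = bytearray(blob)
    for off in find_svc(blob, imm):
        struct.pack_into("<I", out, off, ARM_UNDEFINED)
    return bytes(out)


# Constructed sample image (not a real 3DS payload). Layout:
#   0x00 entry:             BL 0x10 ; BX LR
#   0x10 live_helper:       MOV R0,#0 ; BX LR
#   0x20 invalidate_icache: SVC 0x7B ; BX LR   <- the suspicious site
#   0x30 dead_debug:        BL 0x20 ; BX LR    <- calls it, but nothing calls this
BX_LR = 0xE12FFF1E
NOP = 0xE1A00000
SAMPLE = struct.pack("<16I",
    0xEB000002, BX_LR, NOP, NOP,   # 0x00: BL +8  -> 0x10
    0xE3A00000, BX_LR, NOP, NOP,   # 0x10
    0xEF00007B, BX_LR, NOP, NOP,   # 0x20: SVC 0x7B
    0xEBFFFFFA, BX_LR, NOP, NOP,   # 0x30: BL -24 -> 0x20
)
FUNCS = [("entry", 0x00, 0x10), ("live_helper", 0x10, 0x20),
         ("invalidate_icache", 0x20, 0x30), ("dead_debug", 0x30, 0x40)]


def audit(blob=SAMPLE, funcs=FUNCS, entry="entry"):
    """For each SVC 0x7B site: containing function, its callers, and liveness."""
    calls = call_sites(blob)
    live = reachable_functions(blob, funcs, entry)
    report = {}
    for site in find_svc(blob, SVC_BACKDOOR):
        fn = containing_function(funcs, site)
        callers = sorted({containing_function(funcs, off) for off, t in calls.items()
                          if containing_function(funcs, t) == fn})
        report[site] = {"function": fn, "callers": callers,
                        "reachable_from_entry": fn in live}
    return report


if __name__ == "__main__":
    for site, info in audit().items():
        print(f"SVC 0x7B at 0x{site:04X} in {info['function']}: "
              f"callers={info['callers']}, reachable={info['reachable_from_entry']}")
```

On the sample the site sits in `invalidate_icache`, whose only caller is `dead_debug`, and neither is reachable from `entry`, which is the shape of the argument in the post: the instruction exists and is called by something, but that something is never called. Indirect calls (BLX via a register, function pointers) are not followed here, so a "not reachable" result from this script is evidence, not proof; the patched-binary crash test closes that gap at runtime.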

DiegitusXD

Well-Known Member
Member
Joined
May 6, 2015
Messages
405
Trophies
0
XP
140
Country
ok so as entertaining as this is, it doesn't seem nice to let people speculate and possibly get excited over nothing. so, i'll address the big thing i guess: [...]
Ok :D
 

JustPingo

Well-Known Member
Member
Joined
Jan 11, 2015
Messages
497
Trophies
0
Age
24
XP
1,081
Country
France
In the great lord smea we trust.
That's exactly what we were looking for, thank you very much for your time.
I laughed at the secret kernel.
 

CeeDee

fuckin dork
Member
Joined
May 4, 2014
Messages
5,360
Trophies
2
XP
9,911
Country
United States
ok so as entertaining as this is, it doesn't seem nice to let people speculate and possibly get excited over nothing. so, i'll address the big thing i guess: [...]
Hype train is over, I guess.

Wait, then what's the invalidate_icache in Hans while booting a game?
 