Can we exploit system updates in general?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Snooli, May 31, 2017.

  1. Snooli (OP), GBAtemp Regular, Member, joined May 25, 2017
    Just a thought for a possible exploit.
    According to this, systems past 11.0 check if version is greater before updating. Could we mod, let's say 9.2, to act as if its version number was 11.5, then emulate a Nintendo update server using our PC and custom DNS to "update" 11.4 to 9.2 (disguised as 11.5) and then proceed on SoundHaxing as usual?
     
  2. Oleboy555, Wie dit leest is een zemmel, Member, joined Feb 8, 2017, Amsterdam, Netherlands
    But we have b9s?
     
  3. CeeDee, hm?, Member, joined May 4, 2014, United States
    Changing a system update so that it'd read as a higher version would ruin the valid signature, which would mean you can't use it on a vanilla 3DS.
     
  4. TheKawaiiDesu, Ball of Kawaiiness, Member, joined Aug 23, 2015, Lowee, Korea, North
    This isn't possible because the 3DS uses HTTPS to connect to Nintendo's update servers. If you use a DNS to redirect to another website, its certificate (assuming it uses HTTPS) won't be the same as Nintendo's, and a vanilla 3DS will refuse to connect to it.
    Now that we have the bootroms, wouldn't it be possible to sign our own updates?
     
  5. Snooli (OP), GBAtemp Regular, Member, joined May 25, 2017
    I thought we bruteforced the signatures.

    — Posts automatically merged - Please don't double post! —

    But updates are still CIAs, so could we use userland (freaky or ninja) to install it?
     
  6. TheKawaiiDesu, Ball of Kawaiiness, Member, joined Aug 23, 2015, Lowee, Korea, North
    Downgrading requires ARM9 kernel access since Process9 checks the CIAs' version. Even without that, ARM11 kernel access is required to install any CIA.
     
    Last edited by TheKawaiiDesu, May 31, 2017
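    The two checks CeeDee (post 3) and TheKawaiiDesu (post 6) describe, a signature over the update and a version comparison against the installed firmware, can be modelled together. The following is an added example written for this thread, not code from the 3DS, from Process9, or from any poster. It is a constructed model: the vendor key, manifest format, firmware payloads and version strings are all made up, and an HMAC stands in for the console's RSA signature because it needs no extra library while keeping the property that matters, namely that the version field sits inside the signed data. The scenarios show a genuine upgrade being accepted, a genuine older package being refused by the anti-rollback check, and the relabelled package from the opening post being refused even earlier, at the signature check.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's update-signing key. A real console verifies an
# asymmetric (RSA) signature with a public key baked into firmware; an HMAC keeps this
# example dependency-free while preserving the property that matters here: the version
# field is inside the signed data, so changing it invalidates the signature.
VENDOR_KEY = b"constructed-vendor-signing-key"


def parse_version(version):
    """'11.4' -> (11, 4), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def canonical_bytes(manifest):
    # Deterministic encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_update(version, payload, key=VENDOR_KEY):
    """Vendor side: bind the version string and the payload hash under one signature."""
    manifest = {"version": version, "payload_sha256": hashlib.sha256(payload).hexdigest()}
    signature = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


def relabel_version(update, claimed_version):
    """The modification proposed in the thread: rewrite the version field, keep the old signature."""
    forged = {"manifest": dict(update["manifest"]), "signature": update["signature"]}
    forged["manifest"]["version"] = claimed_version
    return forged


def accept_update(installed_version, update, payload, key=VENDOR_KEY):
    """Device side: signature first, then payload integrity, then anti-rollback."""
    expected = hmac.new(key, canonical_bytes(update["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update["signature"]):
        return (False, "bad signature")
    if hashlib.sha256(payload).hexdigest() != update["manifest"]["payload_sha256"]:
        return (False, "payload hash mismatch")
    if parse_version(update["manifest"]["version"]) <= parse_version(installed_version):
        return (False, "anti-rollback: not newer than installed")
    return (True, "accepted")


def run_scenarios():
    """Constructed payloads standing in for real update packages."""
    fw_115 = b"constructed firmware image 11.5"
    fw_92 = b"constructed firmware image 9.2"
    genuine_115 = sign_update("11.5", fw_115)
    genuine_92 = sign_update("9.2", fw_92)
    forged_92 = relabel_version(genuine_92, "11.5")
    return {
        "genuine upgrade 11.4 -> 11.5": accept_update("11.4", genuine_115, fw_115),
        "genuine 9.2 offered to 11.4": accept_update("11.4", genuine_92, fw_92),
        "9.2 relabelled as 11.5 on 11.4": accept_update("11.4", forged_92, fw_92),
        "genuine 9.2 offered to 9.1": accept_update("9.1", genuine_92, fw_92),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

    The ordering in accept_update is the point: because the version is part of the signed manifest, a device never reaches the version comparison for a package whose version field was edited after signing, and a genuine older package that does pass the signature check is stopped by the anti-rollback comparison. A version check that read the version from an unsigned header would offer no such protection.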
  7. mikey420, GBAtemp Fan, Member, joined Dec 11, 2015, United States
    No, we couldn't. We can, however, easily hack all 3DS models regardless of firmware version currently using the magnet trick that allows us to boot directly to a DS card. The hack is being worked on and will allow for easy hacking/recovery of any 3DS regardless of firmware.
     
  8. Snooli (OP), GBAtemp Regular, Member, joined May 25, 2017
    I'm not talking about tricking the ARM9 into saying yes, I am talking about modifying the update CIA to act as an 11.5. Then the ARM9 would call it a valid update despite it being a downgrade.
     
  9. TheKawaiiDesu, Ball of Kawaiiness, Member, joined Aug 23, 2015, Lowee, Korea, North
    Even admitting we can sign our own updates and make 9.2 "look" like a future version (I'm not too sure we can sign our own updates, even with the bootroms), as I said, userland access is not enough to install any CIA (even legit ones). ARM11 kernel privileges are required.
     
  10. Disco Inferno, Advanced Member, Newcomer, joined Feb 25, 2016, United States
    9.2 isn't a special firmware version any more. There is no need to downgrade. Even if you could do this, it would be wasted effort.
     
  11. Snooli (OP), GBAtemp Regular, Member, joined May 25, 2017
    The idea isn't to downgrade soundhaxable versions, but to downgrade 11.4 or anything that might come in the future. And I didn't choose 9.2 for any particular reason. Any Soundhaxable version will work.