Hacking: Can we exploit system updates in general?

Snooli (OP):
Just a thought for a possible exploit.
According to this, systems past 11.0 check whether the version is greater before updating. Could we mod, let's say, 9.2 to act as if its version number were 11.5, then emulate a Nintendo update server using our PC and a custom DNS to "update" 11.4 to 9.2 (disguised as 11.5), and then proceed with SoundHaxing as usual?
 

Deleted member 370671:
This isn't possible because the 3DS uses HTTPS to connect to Nintendo's update servers. If you use a DNS to redirect to another website, its certificate (assuming it uses HTTPS) won't be the same as Nintendo's, and a vanilla 3DS will refuse to connect to it.
Changing a system update so that it'd read as a higher version would ruin the valid signature, which would mean you can't use it on a vanilla 3DS.
Now that we have the bootroms, wouldn't it be possible to sign our own updates?
 

Snooli (OP):
Deleted member 370671 said:
Changing a system update so that it'd read as a higher version would ruin the valid signature, which would mean you can't use it on a vanilla 3DS.
I thought we brute-forced the signatures.

--------------------- MERGED ---------------------------

Deleted member 370671 said:
This isn't possible because the 3DS uses HTTPS to connect to Nintendo's update servers. If you use a DNS to redirect to another website, its certificate (assuming it uses HTTPS) won't be the same as Nintendo's, and a vanilla 3DS will refuse to connect to it.

Now that we have the bootroms, wouldn't it be possible to sign our own updates?
But updates are still CIAs, so could we use a userland (freaky or ninja) to install it?
 

mikey420:
No, we couldn't. We can, however, easily hack all 3DS models regardless of firmware version currently, using the magnet trick that allows us to boot directly to a DS card. The hack is being worked on and will allow for easy hacking/recovery of any 3DS regardless of firmware.
 

Snooli (OP):
Downgrading requires ARM9 kernel access since Process9 checks the CIAs' version. Even without that, ARM11 kernel access is required to install any CIA.
I'm not talking about tricking the ARM9 into saying yes, I am talking about modifying the update CIA to act as an 11.5. Then the ARM9 would call it a valid update despite it being a downgrade.
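The two objections raised in the thread, modelled as an added worked example (this is not code from the page, from any poster, or from the 3DS): the version number sits inside the signed metadata, so editing it invalidates the vendor's signature, and the installer only compares versions on metadata that has already passed a signature check against a key pinned in the device, so re-signing the edited file with a key you generated yourself does not help either. Everything concrete here is an assumption: the RSA is a textbook toy over small Mersenne primes standing in for a real signature, the header layout, title id and version numbers are constructed, and the real console's key sizes, formats and exact checks are not represented.

```python
"""Toy model of why relabelling an older update as a newer one fails.

Added illustration, not code from the page or from the 3DS. The signature
scheme is textbook RSA over small Mersenne primes, only a stand-in for a real
signature; the header layout and all numbers are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass

E = 65537


def make_keypair(p: int, q: int):
    """Return (private exponent, (n, e)) for two primes. Toy sizes only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return d, (n, E)


# Vendor key: the public half is what a device has pinned. Attacker key: any
# key the attacker generates. Both constructed from known Mersenne primes.
VENDOR_PRIV, VENDOR_PUB = make_keypair((1 << 61) - 1, (1 << 89) - 1)
ATTACKER_PRIV, ATTACKER_PUB = make_keypair((1 << 107) - 1, (1 << 127) - 1)


def _digest_int(blob: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n


def sign(blob: bytes, priv: int, pub) -> int:
    n, _ = pub
    return pow(_digest_int(blob, n), priv, n)


def verify(blob: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(blob, n)


# Constructed metadata layout: 64-bit title id, 16-bit version. The point is
# that the version field is part of the bytes the signature covers.
HEADER = ">QH"


@dataclass
class Package:
    metadata: bytes
    signature: int


def make_package(title_id: int, version: int,
                 priv: int = VENDOR_PRIV, pub=VENDOR_PUB) -> Package:
    meta = struct.pack(HEADER, title_id, version)
    return Package(meta, sign(meta, priv, pub))


def install(device: dict, pkg: Package) -> str:
    """Installer side. device = {"version": int}; mutated only on success."""
    # Step 1: signature against the pinned vendor key, never a key that
    # arrives inside the package.
    if not verify(pkg.metadata, pkg.signature, VENDOR_PUB):
        return "rejected: bad signature"
    # Step 2: anti-rollback, evaluated only on metadata that passed step 1.
    _title_id, version = struct.unpack(HEADER, pkg.metadata)
    if version <= device["version"]:
        return "rejected: rollback"
    device["version"] = version
    return "installed"


def relabel_version(pkg: Package, new_version: int) -> Package:
    """Attacker edits the version field but keeps the vendor's signature."""
    title_id, _ = struct.unpack(HEADER, pkg.metadata)
    return Package(struct.pack(HEADER, title_id, new_version), pkg.signature)


def resign_with_attacker_key(pkg: Package) -> Package:
    """Attacker re-signs the edited metadata with a key they control."""
    return Package(pkg.metadata, sign(pkg.metadata, ATTACKER_PRIV, ATTACKER_PUB))


def demo() -> dict:
    """The thread's scenario: a device on 'version 1140' is offered 'version 920'."""
    title_id = 0x1234                  # constructed, not a real title id
    old = make_package(title_id, 920)  # genuine but older package
    outcomes = {}
    outcomes["older_package"] = install({"version": 1140}, old)
    faked = relabel_version(old, 1150)
    outcomes["relabelled"] = install({"version": 1140}, faked)
    outcomes["relabelled_resigned"] = install({"version": 1140},
                                              resign_with_attacker_key(faked))
    device = {"version": 1140}
    outcomes["genuine_newer"] = install(device, make_package(title_id, 1150))
    outcomes["final_version"] = device["version"]
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The order of the two checks is the design point: because the version comparison only ever sees metadata whose signature already verified, "make the ARM9 think it is newer" reduces to "forge a signature over different bytes", which is the same problem the thread had already run into. Brute-forcing one signature, even if it were feasible, gives one fixed metadata blob; it does not let you change the version inside it.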
 

Deleted member 370671:
Snooli said:
I'm not talking about tricking the ARM9 into saying yes, I am talking about modifying the update CIA to act as an 11.5. Then the ARM9 would call it a valid update despite it being a downgrade.
Even admitting we can sign our own updates and make 9.2 "look" like a future version (I'm not too sure we can sign our own updates, even with the bootroms), as I said, userland access is not enough to install any CIA (even legit ones). ARM11 kernel privileges are required.
 

Snooli (OP):
9.2 isn't a special firmware version any more. There is no need to downgrade. Even if you could do this, it would be wasted effort.
The idea isn't to downgrade soundhaxable versions, but to downgrade 11.4 or anything that might come in the future. And I didn't choose 9.2 for any particular reason. Any Soundhaxable version will work.
 
