Toggle sidebar

Homebrew Clarification Thread - What is going on?

  • Thread starter Thread starter JustPingo
  • Start date Start date
  • Views Views 647,308
  • Replies Replies 5,356
  • Likes Likes 103
Status
Not open for further replies.
Yes, no ETA for guys donating their effort on free plans. It you do need that, go ahead to ask GW about ETA.
@Mrrraou Sorry i don't know who else to tag for this. I've several questions.
1.What is the timing when arm9loaderhax take place? I mean, the "garbage" is arm9bin IIRC, and this mainly contains the process9.
However I don't know if that is the ARM9 FIRM section, or just Process9.
2.Could bootrom ever been in the memory? The chip executes it, thus I suppose it has ever been loaded into memory.
But it is then wiped out from there. And I don't know when that is supposed to happen.
To my understanding, ARM9 deals with all crypto stuffs. NAND image itself is encrypted with console-unique key, so ARM9 is started ahead ARM11.
It might be? Boot->Init Bootrom Crypto->NAND and peripherl inited->Load Firm ARM9->Call arm9loader->Process9 Loaded->ARM11 launch->Foreground?
Also to note, to drive a NAND as HDD, you need FTL, and 3ds surely implemented this. Well not very relative.
3.The Key#2 that inferred in arm9loaderhax, is said to be "decrypted" in the slides.
I just wanna know if that is just loaded from decrypted NAND image, or is decrypted using another key?
4.It seems current theory is only for N3DS. There doesn't seem to be an arm9loader inside O3DS that with decryption.
Hope my questions could be viewed by some guys that have the ability to answer some.
 
Last edited by Syphurith, , Reason: Missing words
  • Like
Reactions: peteruk
when it comes out i can play Pokemon x or oras romhack with out needing to swap saves and don't need card unless sd gets courrpted
 
thats because is early stage i compared the specs old 3ds has more ram then the psp old 3ds also has dual core cpu and the psp only has one
 
Last edited by hacksn5s4,
the psp can emulate ps1 games and its less powerful then old 3ds we will get stuff running ful speed on old when kernel comes out and devs can make there emulators make use of it
smea showed specs of old 3ds in his talk and there better then psp
 
  • Like
Reactions: BurningDesire
Syphurith said:
Yes, no ETA for guys donating their effort on free plans. It you do need that, go ahead to ask GW about ETA.
@Mrrraou Sorry i don't know who else to tag for this. I've several questions.
1.What is the timing when arm9loaderhax take place? I mean, the "garbage" is arm9bin IIRC, and this mainly contains the process9.
However I don't know if that is the ARM9 FIRM section, or just Process9.
2.Could bootrom ever been in the memory? The chip executes it, thus I suppose it has ever been loaded into memory.
But it is then wiped out from there. And I don't know when that is supposed to happen.
To my understanding, ARM9 deals with all crypto stuffs. NAND image itself is encrypted with console-unique key, so ARM9 is started ahead ARM11.
It might be? Boot->Init Bootrom Crypto->NAND and peripherl inited->Load Firm ARM9->Call arm9loader->Process9 Loaded->ARM11 launch->Foreground?
Also to note, to drive a NAND as HDD, you need FTL, and 3ds surely implemented this. Well not very relative.
3.The Key#2 that inferred in arm9loaderhax, is said to be "decrypted" in the slides.
I just wanna know if that is just loaded from decrypted NAND image, or is decrypted using another key?
4.It seems current theory is only for N3DS. There doesn't seem to be an arm9loader inside O3DS that with decryption.
Hope my questions could be viewed by some guys that have the ability to answer some.
Click to expand...
  1. arm9loaderhax takes place after the firmware decryption keyslot key are cleared, so right when jumping to the decrypted firm data.
  2. No, it is: Powering on -> Bootrom -> arm9loader decryption -> jumps to arm9loader -> FIRM decryption -> keyslot clearing -> ARM9 jumping to ARM9 entrypoint; ARM11 jumping to ARM11 entrypoint -> Kernel9 loaded; Kernel11 loaded -> Running Process9 ; Starting ARM11 services (fs, pxi, am, ldr, pm) -> Running Process9 ; PM runs NS -> Running Process9; NS runs Home Menu
  3. I don't know how you could decrypt it. I don't even know if these keys are publicly known.
  4. There isn't any arm9loader on O3DS. But it would be useless anyway to have that on O3DS since we already have 9.5+ emuNAND.
 
  • Like
Reactions: peteruk and Syphurith
Mrrraou said:
  1. arm9loaderhax takes place after the firmware decryption keyslot key are cleared, so right when jumping to the decrypted firm data.
  2. No, it is: Powering on -> Bootrom -> arm9loader decryption -> jumps to arm9loader -> FIRM decryption -> keyslot clearing -> ARM9 jumping to ARM9 entrypoint; ARM11 jumping to ARM11 entrypoint -> Kernel9 loaded; Kernel11 loaded -> Running Process9 ; Starting ARM11 services (fs, pxi, am, ldr, pm) -> Running Process9 ; PM runs NS -> Running Process9; NS runs Home Menu
  3. I don't know how you could decrypt it. I don't even know if these keys are publicly known.
  4. There isn't any arm9loader on O3DS. But it would be useless anyway to have that on O3DS since we already have 9.5+ emuNAND.
Click to expand...
Thanks for reply. SO, the arm9loader loads a different binary from NAND, and this isn't FIRM? Eh.. And, that isn't included in NAND FAT16 Xorpad section. This makes it harder to implement, doesn't it? You can not decrypt it currently. You can place your own code after the FIRM0 to ensure it isn't decrypted as GARBAGE, however finding a key to generate the garbage to contain a jump and no infinite loop/code with severe damage, needs quite plenty of trails - even you don't know if the key is decrypted again.. Orz.
 
Syphurith said:
Thanks for reply. SO, the arm9loader loads a different binary from NAND, and this isn't FIRM? Eh.. And, that isn't included in NAND FAT16 Xorpad section. This makes it harder to implement, doesn't it? You can not decrypt it currently. You can place your own code after the FIRM0 to ensure it isn't decrypted as GARBAGE, however finding a key to generate the garbage to contain a jump and no infinite loop/code with severe damage, needs quite plenty of trails - even you don't know if the key is decrypted again.. Orz.
Click to expand...
arm9loader loads FIRM from NAND. But arm9loader is decrypted and loaded by the bootloader. And the keyslot is cleared, because the payload is executed after arm9loader. So you can't regenerate the decryption keys. And the problem, is that you have to bruteforce to have something bootable and that does "what you want".
 
  • Like
Reactions: Syphurith
Status
Not open for further replies.

Site & Scene News

Go to forum More news

Popular threads in this forum

Why did the price of 3ds shoot up ?

Hacking Homebrew Project  BlazerTube - a YouTube 3DS revival using the REAL app!

Problems getting Homebrew to appear outside of the Homebrew Launcher (homebrew won't appear on the HOME menu)

Homebrew app Emulator  [Release] 3DS-CLI - Run a real RISC-V Linux environment on the Nintendo 3DS

Website for finding alternative games for 3DS

Gaming  any good rpgs on 3ds?

Hardware  2 Broken 3DSes, need help

Hacking  Modding Reassurance