Arm9loaderhax would get n3ds users CFW on the latest FW
- Status
Well, they would need particular hardware for ntrcardhax. With downgrading, you don't need any.
- Joined
- Aug 30, 2015
- Messages
- 115
- Reaction score
- 32
- Trophies
- 0
- Age
- 23
- Location
- On GBAtemp
- XP
- 112
- Country
Too complicated to setup, it takes really too much time, and has to be bruteforced for each N3DS.
But isn't the ARM9 9.2 exploit reinstalling the old DS Profile thing to exploit the DS Profile Bug?
You have to make the N3DS decrypt random garbage, and hopefully get the first correct instructions that jumps to your payload and run it, without destroying the N3DS.
--------------------- MERGED ---------------------------
No. 9.2 has memchunkhax (which has a higher success rate than memchunkhax2) and firmlaunchhax.
Right, but the garbage should be the same each time (provided ofc that the same firmware version is there and the same key is used to decrypt it)
For arm9loader? The thing that they have to send the SAME firmware image to every console (for each firmware version ofc), already encrypted? Yeah pretty sure it's the same key
Last edited by dark_samus3,
The brute force is not as bad as one might first think. The reason? ARM9 instruction structure:
Bits 31-28 == Condition as to whether to jump or not jump
Bits 27-25 == Must be 101b, so that's a one in eight chance
Bit 24 == Link bit, where 0b is to branch, and 1b is to branch with link (both potentially useful)
Bits 23-0 == Offset to jump to
Therefore, there is approximately a one in 128 chance that the first (garbage decrypted) instruction ARM9loader jumps to would itself be a jump. But, if not a jump, maybe the one following it is a jump (etc.). So, really, only the address bits matter. Thus, 2**24 / (bytes of hax NOP) is the probability of jumping to the hax.
QUESTION: What encryption is used for FIRM0 and FIRM1?
(e.g., using XORPAD? true encryption? other?
IFF they are encrypted by a simple XOR (e.g., similar to XORPAD usage), then arm9loader is much more powerful. Why? It might allow one to seed a known memory location with instructions of choice, because use of XOR creates an "Oracle" and the non-clearing of the memory bypasses signature requirements.
Still a bruteforce? Yes.
Significant reduction in overall system security? It definitely appears to be...
I can't say so for sure since I don't fully know the 3DS. But yes, it would be the same firmware image to every console. It can however, be encrypted afterward with a console specific key before storing it. That's the only way I'd see the bruteforce being required for every console.
I guess if you look at the post above yours the bruteforce isn't in a key, it's more of just a "get lucky with garbage jumping to your payload" kind of bruteforce (I misunderstood this too)
Well, if that's the case then wouldn't that mean we'd only need 1 key? Someone would just need to luckily get the bruteforce so that it would jump to the right location and then share the key he used? Because then if we were to use the same key, we'd get the same decrypted data with the same jump instruction. Unless there's something I don't understand. O:
I'm not sure it's XORpad (one may be able to be generated, not sure) but this is kinda what I was saying, basically we craft a specific key(Y?) For each specific FW image, someone with a hardmod could find the most consistent one and we could probably craft a very specific FW that basically has almost everything we could want in terms of jumping exactly where we want
--------------------- MERGED ---------------------------
We don't want/need a key... We actually REPLACE a key with a bad one, modify firm0 with a payload, arm9loader sees that it's bad and loads the (smaller) firm1 image, leaves the payload at the end of the image, decrypts to garbage (since we replaced the key) garbage jumps to the hax payload and you have super early arm9 execution
Last edited by dark_samus3,
Yes, I understand that part. When I said a key, I meant a randomly generated one to replace the actual one that is being used. If the firmware image is not encrypted with a console specific key, then when someone discovers one randomly generated key that is able to decrypt the image to garbage, then he would be able to share it with everyone, right?
That's what I was trying to say earlier
But that contradicts the entire point of why each console would require its own bruteforce. I need someone who understands the 3DS well to explain that. Lol.
- Status
Site & Scene News
New Hot Discussed
-
-
25K views
Twilight Princess PC port "Dusk" gets its first release
It wasn't too long ago we saw our first glimpse of Courage Reborn, another Twilight Princess PC port in the works based on last year's decompilation efforts. With... -
15K views
Pokemon Platinum PC port gets a surprise release
Seemingly out of nowhere a PC port for Pokemon Platinum has surfaced online, bundled alongside the source code for those interested in building and developing it for... -
13K views
Nintendo announces price increases across the board, set to come into effect from September in western regions
After much speculation, Nintendo has finally followed their competitors in announcing price increases for their hardware. You can find a breakdown of what's changing... -
10K views
Steam Deck gets a major price bump, more than 40% increase for US buyers
With very little in the way of announcement, Valve has today increased the price of the Steam Deck but some fairly considerable margins. Both of the available models... -
9K views
Nintendo president Shuntaro Furukawa explains Switch 2 price increases in recent Financial Results Briefing
As a part of their Financial Results Briefing for the previous year, Nintendo president Shuntaro Furukawa took to the floor to answer key questions around the Switch... -
9K views
Sony announces PlayStation Plus price increase for new customers starting May 20
Earlier this year, Sony announced major price increases for the PS5, PS5 Pro, and PlayStation Portal. Now the company is raising prices again, this time for... -
7K views
Forza Horizon 6 leaks online after Steam preload data was uploaded without encryption
We are once again here to tell you about a game leaking before its release, but for once, it's not one published by Nintendo. The game files for Microsoft's upcoming... -
7K views
Pokémon Crystal gets a PC port titled "suiCune" based on C/C++ language
Continuing with the great news of Pokémon Platinum getting a native unofficial PC port just a few days ago, today, yet another classic title from the franchise has... -
6K views
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
5K views
Low-level 3DS emulator 3Beans released alongside setup tutorial video
When you talk about 3DS emulation, most people would jump to Citra. As the defacto choice since its first release it's seen tremendous success, and even after its...
-
-
-
169 replies
Steam Deck gets a major price bump, more than 40% increase for US buyers
With very little in the way of announcement, Valve has today increased the price of the Steam Deck but some fairly considerable margins. Both of the available models... -
163 replies
Twilight Princess PC port "Dusk" gets its first release
It wasn't too long ago we saw our first glimpse of Courage Reborn, another Twilight Princess PC port in the works based on last year's decompilation efforts. With... -
144 replies
Nintendo announces price increases across the board, set to come into effect from September in western regions
After much speculation, Nintendo has finally followed their competitors in announcing price increases for their hardware. You can find a breakdown of what's changing... -
102 replies
Pokemon Platinum PC port gets a surprise release
Seemingly out of nowhere a PC port for Pokemon Platinum has surfaced online, bundled alongside the source code for those interested in building and developing it for... -
92 replies
Sony announces PlayStation Plus price increase for new customers starting May 20
Earlier this year, Sony announced major price increases for the PS5, PS5 Pro, and PlayStation Portal. Now the company is raising prices again, this time for... -
83 replies
Nintendo president Shuntaro Furukawa explains Switch 2 price increases in recent Financial Results Briefing
As a part of their Financial Results Briefing for the previous year, Nintendo president Shuntaro Furukawa took to the floor to answer key questions around the Switch... -
73 replies
Paper Mario PC recompilation "ReCut" gets its first pre-release build
The latest in a growing number of native PC ports, Paper Mario ReCut got its first pre-release build earlier this week. Based on the N64 recompilation toolchain, the... -
71 replies
PlayStation State of Play June 2, 2026 broadcast - new God of War announced
A whole hour of PlayStation content is on the way, thanks to the latest State of Play showcase. Headlining the stream will be Marvel's Wolverine, alongside a... -
63 replies
Call of Duty: Modern Warfare 4 to launch on Nintendo Switch 2 in October
For the first time in 13 years, the Call of Duty series will again return to Nintendo's consoles. Set to launch on the 23rd of October, the latest release, Modern... -
59 replies
What do you want to see in the next Nintendo Direct?
With rumours circulating about a Nintendo Direct in the coming days and weeks, fans are left speculating and hoping as to what might be included. At the centre of all...
-
