Hacking Config Application

Relys · Nov 7, 2014

Note: Please do not attempt to mess around with the Config Menu options without a hardware NAND mod until these functions are confirmed safe.

I noticed that the Config Menu application:

http://3dbrew.org/wiki/3DS_Development_Unit_Software#Config

Has the option to boot into Test Menu (which is a limited alternative to Home Menu):

http://3dbrew.org/wiki/3DS_Development_Unit_GUI#Test_Menu

Allegedly it allows booting from slot1 devices and the Dev Menu (which can be used to launch CIAs). The interesting thing about the Test Menu is that there is alleged screenshot support.

I do not have a NAND mod anymore (I had to remove it to replace my LCD screen), so I was wondering if someone who does could test it out and report back if these features are safe. Since the Home Menu is unloaded I would suspect that the Test Menu would be operating outside of our emunand environment, but I'm not certain. Hell, I don't even know if the Test Menu exists on retail units (is it part of the application or part of the firm)???

Edit: Found some more information regarding it:
http://3dbrew.org/wiki/NS#Alternate_menu

Does anyone know if this title has been dumped? It may still be on the NAND depending on the method of deletion.

Note: Please do not attempt to mess around with the Config Menu options without a hardware NAND mod until these functions are confirmed safe.

Link999123 · Nov 7, 2014

It probably is firmware rooted but if it is able to be booted from nand (I don't see why it wouldn't be possible) this will be a big leap for the community.

Relys · Nov 7, 2014

Link999123 said:
It probably is firmware rooted but if it is able to be booted from nand (I don't see why it wouldn't be possible) this will be a big leap for the community.

Found some more information regarding it:
http://3dbrew.org/wiki/NS#Alternate_menu

Does anyone know if this title has been dumped? It may still be on the NAND depending on the method of deletion.

gudenau · Nov 7, 2014

Still think that the crypto needs to be completely reversed before a CFW will 'stick'. :-P

Link999123 · Nov 7, 2014

"When launching the regular menu fails, NS will then attempt to launch the alternate menu. This title could be used as a recovery process, however it's normally not used after the factory. This title is used at the factory for installing system titles, this title seems to be installed from a factory gamecard. This installer title likely deletes itself from NAND once it's finished installing titles.
On development Units, this is the Test Menu, and isn't deleted after being setup at factory.

.[/quote]

So according to this if someone has a dev unit, they could dump the nand and using a gateway someone could download the menu to the nand or use it with emunand?

Relys · Nov 7, 2014

gudenaurock said:
Still think that the crypto needs to be completely reversed before a CFW will 'stick'. :-P

You would have to find an exploit in the bootrom (if there is even any) to get your sig patches to stick. It doesn't really have to do anything with crypto at this point unless they failed on their signature implementation (which is unlikely).

Link999123 said:
So according to this if someone has a dev unit, they could dump the nand and using a gateway someone could download the menu to the nand or use it with emunand?

Exactly.

Another interesting thought:

"This title could be used as a recovery process" and "this title seems to be installed from a factory gamecard"

I wounder if the card was dumped if it would be possible to use Sky3DS to run it, seeing as it looks like it's signed for retail units. If it could run, this would allow for installing retail signed CIAs (games,dlc,patches) and possibly even downgrading system titles. It of course would not allow unsigned code as FRIM would still be running in the background enforcing signature checks, but if you can downgrade system titles then you can downgrade to exploitable version and gain full controll.

gudenau · Nov 7, 2014

Relys said:
Once crypto is completely reversed (chip decapping to get keyX and keyscrambler algo) downgrading units might be possible. I think you'd still need a hardware exploit to dump the unique per console keys though... However, you would have to find an exploit in the bootrom (if there is even any) to get your sig patches to stick.

True, now to dump the bootrom... :-P

Relys · Nov 7, 2014

So according to this if someone has a dev unit, they could dump the nand and using a gateway someone could download the menu to the nand or use it with emunand?[/quote]

gudenaurock said:
True, now to dump the bootrom... :-P

Eh, you'd still have to dump unique keyX from the keyslot used to encrypt NAND and moveable.sed from the private filesystem which is used to initalize keyY on the NAND so forget about downgrading. Decapping would just allow doing all the decryption without using a 3DS as a slave.

gudenau · Nov 7, 2014

Relys said:
Eh, you'd still have to dump unique keyX from the keyslot used to encrypt NAND and moveable.sed from the private filesystem which is used to initalize keyY on the NAND so forget about downgrading. Decapping would just allow doing all the decryption without using a 3DS as a slave.

I do have a 4.X dump, I just want custom channels on the NAND for homebrew.

Relys · Nov 7, 2014

gudenaurock said:
I do have a 4.X dump, I just want custom channels on the NAND for homebrew.

Um, you can do that now already with the leaked CFW or using Gateway 2.6...

gudenau · Nov 7, 2014

Relys said:
Um, you can do that now already with the leaked CFW or using Gateway 2.6...

On the real NAND? I was not aware.

Link999123 · Nov 7, 2014

Relys said:
Once crypto is completely reversed (chip decapping to get keyX and keyscrambler algo) downgrading units would be possible. However, you would have to find an exploit in the bootrom (if there is even any) to get your sig patches to stick.

Exactly.

Another interesting thought:

"This title could be used as a recovery process" and "this title seems to be installed from a factory gamecard"

I wounder if the card was dumped if it would be possible to use Sky3DS to run it, seeing as it looks like it's signed for retail units. If it could run, this would allow for installing retail signed CIAs (games, dlc, patches) and possibly even downgrading system titles. It of course would not allow unsigned code as FRIM would still be running in the background enforcing signature checks.

According to the page it is installed to the NAND so therefore, it would need to have privileges to access the NAND, assuming the privileges are that which a game has, then yes it should work, but this is only theoretically speaking.

Relys · Nov 7, 2014

gudenaurock said:
On the real NAND? I was not aware.

You not be able to run homebrew without entering exploit to patch signature checks unless there is a bootrom exploit.

Theoretically you should be able to install properly signed retail titles though...

gudenau · Nov 7, 2014

Relys said:
You not be able to run homebrew without entering exploit to patch signature checks unless there is a bootrom exploit.

Theoretically you should be able to install properly signed retail titles though...

Oh, I thought I missed some big news. :-P I need to get my SD card adaptor made, I do not have the time though.

Link999123 · Nov 7, 2014

I guess the real question would be at what firmware does that card run at and if it can be used on any firmware. If it can then the simple answer would be that the only limitation would be the 3ds itself.

Link999123 · Nov 7, 2014

gudenaurock said:
Oh, I thought I missed some big news. :-P I need to get my SD card adaptor made, I do not have the time though.

SD card adapter? Sounds interesting, please go on, I would like to hear more about this...

gudenau · Nov 7, 2014

Basicly this.

Link999123 · Nov 7, 2014

gudenaurock said:
Basicly this.

Oh my... That is a LOT of soldering especially when it is that small, but you will definitely benefit be being able to access NAND and back up or restore it.

gudenau · Nov 7, 2014

Link999123 said:
Oh my... That is a LOT of soldering especially when it is that small, but you will definitely benefit be being able to access NAND and back up or restore it.

It is 16 joints for how I will do it, not much at all.

Link999123 · Nov 7, 2014

gudenaurock said:
It is 16 joints for how I will do it, not much at all.

I'm a little squeamish with soldering systems especially after watching my ds light get mutilated... the L button got sticky so it was taken apart and... yeah... it was not so pretty...

Hacking Config Application

^(Software | Hardware) Exploit? Development.$

Well-Known Member

^(Software | Hardware) Exploit? Development.$

Largely ignored

Well-Known Member

^(Software | Hardware) Exploit? Development.$

Largely ignored

^(Software | Hardware) Exploit? Development.$

Largely ignored

^(Software | Hardware) Exploit? Development.$

Largely ignored

Well-Known Member

^(Software | Hardware) Exploit? Development.$

Largely ignored

Well-Known Member

Well-Known Member

Largely ignored

Well-Known Member

Largely ignored

Well-Known Member

Similar threads

Popular threads in this forum