DSi bootrom dumped and new exploit disclosed @37th CCC

syrusch

Hey guys.

I think you've noticed there's some advancement on dumping the DSi bootrom (ARM9 bootrom) and we have another exploit to run HB.

The replay stream ->
https://streaming.media.ccc.de/37c3/relive/11736

Also there's another thread already for the ARM7 bootrom. Since it's not based on the same exploit and it's the ARM9 bootrom in this case, I've created a new thread.

I think we're going with separate threads.
 

HK$

hiyaCFW is pretty much that. It's CFW which runs a copy of the DSi NAND from the SD card.
Yes, I installed hiyaCFW and it's great. I just wonder where this new exploit can take us. Maybe a firm chainloader so we can load firms, like loading open_agb_firm for 3DS?
 

PoroCYon

Yes, I installed hiyaCFW and it's great. I just wonder where this new exploit can take us. Maybe a firm chainloader so we can load firms like open_agb_firm?
OAF is software for the 3DS, so uh, that obviously won't work. Running GBARunner (whatever version) is already possible. This new exploit doesn't give you much, except for bypassing the NAND on consoles where that's worn out/broken.
 

HK$

OAF is software for the 3DS, so uh, that obviously won't work. Running GBARunner (whatever version) is already possible. This new exploit doesn't give you much, except for bypassing the NAND on consoles where that's worn out/broken.
Yes, I know open_agb_firm is for 3DS, I was just making an example. :)
OK, so with this new exploit we can run code like CFW from the SD card even if the eMMC is broken. Sweet.
 

Kwyjor

I'm surprised the bootroms weren't dumped before? But then, I suppose the 3DS had a9lh before the bootroms were dumped.

All I really want is cartridge slot access with TWL speed and without having to make persistent changes.
 

SylverReZ

OAF is software for the 3DS, so uh, that obviously won't work. Running GBARunner (whatever version) is already possible. This new exploit doesn't give you much, except for bypassing the NAND on consoles where that's worn out/broken.
Hello, PoroCYon. You did an amazing talk there and I enjoyed watching it. Great job on your findings. :)
 

JORGETECH

Is the fragile NAND problem similar to what some Wii U users are experiencing or is it every single console? I actually had to install Unlaunch multiple times (assuming all the risk of doing so) since the specific firmware I have (1.4.2E) only works well with Unlaunch 1.8, some other versions give me the infamous black error screen. I haven't experienced any brick so far, but I hope better methods come out from the new discoveries.
 

PoroCYon

Is the fragile NAND problem similar to what some Wii U users are experiencing or is it every single console? I actually had to install Unlaunch multiple times (assuming all the risk of doing so) since the specific firmware I have (1.4.2E) only works well with Unlaunch 1.8, some other versions give me the infamous black error screen. I haven't experienced any brick so far, but I hope better methods come out from the new discoveries.
It's most likely similar to the Wii U problem (though I don't know much about how the latter is faulty). It's probably also related to the issue in the Samsung Galaxy S3, as well as some Kindle tablets from that era (Fire 1st gen?).

EDIT: apparently the Wii U NANDs use Hynix eMMC chips, and those get corrupted randomly after a while. Meanwhile, the DSi uses Samsung moviNAND chips (just like the S3 and Kindle), and those seem to break when writing data (though there's much speculation and basically no hard facts on the exact mechanism at play here).

Though, the end result is that, just like the Wii U, you have a brick for which you need a hardmod to get it to work again.
 

Apache Thunder

OAF is software for the 3DS, so uh, that obviously won't work. Running GBARunner (whatever version) is already possible. This new exploit doesn't give you much, except for bypassing the NAND on consoles where that's worn out/broken.

Well, the exploit could be useful in some circumstances. For example, NoCash's Unlaunch software likes to patch out the menu music, so you have to add your own patched launcher/HiyaCFW setup to get around this, and once installed you can't really boot stock NAND anymore without a risky uninstall.

A modchipped DSi would allow avoiding this. Plus some devs may use this as a means of building a possible replacement to Unlaunch, and it's hard to test that exploit if you aren't NAND modded. The modchip end product might be easier to install than a NAND mod. I would certainly love to give it a try once the design is finalized and a PCB is available for the DSi XL, and even if I don't end up using it for dev purposes it would still be a good stopgap in case something bricks NAND down the road. The ntrboot exploit for 3DS did that for me, and while not a soft mod like that one, an easy-to-install modchip PCB thing that uses this exploit would be a good safety against future bricks. :D
 

Kwyjor

A modchipped DSi would allow avoiding this. Plus some devs may use this as a means of building a possible replacement to Unlaunch, and it's hard to test that exploit if you aren't NAND modded. The modchip end product might be easier to install than a NAND mod.
Whaa!? I don't think anyone wants to risk messing with modchips. Why would installing a modchip be any easier than a NAND mod!?
 

Apache Thunder

Whaa!? I don't think anyone wants to risk messing with modchips. Why would installing a modchip be any easier than NAND mod!?

I watched the video from the talk that covered how the initial board design worked. It interfaces between the Wifi board and, as I recall, may have only required soldering 2 wires somewhere. I forget the details, but a NAND mod is way more intensive. You have to drill holes into the case to allow for access to a connector, plus a NAND mod typically involves soldering 4+ wires to small test points/SMD cap ends in random parts of the board using rather thin wire to avoid issues putting the console back together. I would know, I used to have my n3DS XL NAND modded back before the bootrom exploit was a thing.

So yes, in this instance a NAND mod would be a more complicated install than what I understand of how the possible modchip for this would work. This is assuming you buy a preassembled modchip PCB. So it depends on how things end up working out with that.
 

PoroCYon

I watched the video from the talk that covered how the initial board design worked. It interfaces between the Wifi board and, as I recall, may have only required soldering 2 wires somewhere.
Currently it's more complicated than this - you have to manually glue a MOSFET onto the mainboard, then connect the MOSFET both to the power rail of the CPU-TWL chip *and* the modchip. And because the MOSFET used (an IRFHS8342) is rather small, it's pretty difficult to do all the soldering.

I'm planning to design a flex-cable to make this easier (so you can just plug the cable into the modchip, and solder it onto the PCB at the other end, i.e. only 2 connections to solder), but that's still TODO.

EDIT: my guide now has images, which should hopefully make it easier to estimate the feasibility of doing it yourself.
 

CMDreamer

Thank you @PoroCYon, really enjoyed your talk.

And while I did understand most of the technical info, would love to read your paper on that matter, would you please share a link to it? Thanks in advance.
 

PoroCYon

And while I did understand most of the technical info, would love to read your paper on that matter, would you please share a link to it? Thanks in advance.
Apparently the conference where it was accepted is being really slow with their proceedings, sigh...

Anyway, I've attached a PDF of the proceedings version, enjoy.
 

Attachment: dsi-paper.pdf (3.8 MB)
