Hacking freakin magnethax; how does it work???

I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.

How did anyone find out how this works?
Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
Lastly, why is it that this works for DS mode flash carts specifically?
 

zoogie
> I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.
>
> How did anyone find out how this works?
> Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
> Lastly, why is it that this works for DS mode flash carts specifically?
Read this
https://sciresm.github.io/33-and-a-half-c3/
That's your best chance at understanding it.
 

Hucz
"Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."

:)
 

nl255
> "Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.
>
> Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."
>
> :)

Wasn't there a report quite a while ago about someone who, when they got their 3DS back from Nintendo's repair facility, found it came with a weird DS-style cart that Nintendo was very eager to get back, but most people at the time thought it was fake news?
 

Hucz
> Wasn't there a report quite a while ago about someone who, when they got their 3DS back from Nintendo's repair facility, found it came with a weird DS-style cart that Nintendo was very eager to get back, but most people at the time thought it was fake news?
Haha that's hilarious if true! If you can find more information on this report, I'd be interested in reading it :P
 

Zaphod77
tl;dr:

Nintendo put a backdoor in the bootrom to let them unbrick consoles.

They attempted to secure it by having it do a signature check.

But because the bootrom has a flawed signature check, we can fakesign, running our own code off of a pirate flashcart instead of Nintendo's own signed code that's on their unbricker carts.

PWNed. :)
 

KHANV1CT
> Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.
>
> Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet.

That's so cool, I wish I had the time to learn stuff like that.
 
