Hacking freakin magnethax; how does it work???

I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.

How did anyone find out how this works?
Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
Lastly, why is it that this works for DS mode flash carts specifically?
 

zoogie
> I'm curious about NTRBoothax, specifically in how the hell it even works. I've got a couple questions regarding it and was wondering if anyone could help me find answers for them.
>
> How did anyone find out how this works?
> Are there any examples of service carts that Nintendo uses? I'm curious what they look like and if they've leaked online anywhere.
> Lastly, why is it that this works for DS mode flash carts specifically?
Read this
https://sciresm.github.io/33-and-a-half-c3/
That's your best chance at understanding it.
 

Hucz
"Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.

Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."

:)
 

nl255
> "Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.
>
> Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet. This, like sighax, is also not fixable. The NTR cartridge was likely meant to be used for either the factory setup or as a means of recovering bricked NANDs. However, we'll never know for sure."
>
> :)

Wasn't there a report quite a while ago about someone who, when they got their 3DS back from Nintendo's repair facility, found it came with a weird DS-style cart that Nintendo was very eager to get back, but most people at the time thought it was fake news?
 

Hucz
> Wasn't there a report quite a while ago about someone who, when they got their 3DS back from Nintendo's repair facility, found it came with a weird DS-style cart that Nintendo was very eager to get back, but most people at the time thought it was fake news?
Haha that's hilarious if true! If you can find more information on this report, I'd be interested in reading it :P
 

Zaphod77
tl;dr:

Nintendo put a backdoor in the bootrom to let them unbrick consoles.

They attempted to secure it by having it do a signature check.

But because the bootrom has a flawed signature check, we can fakesign, running our own code off of a pirate flashcart instead of Nintendo's own signed code that's on their unbricker carts.

PWNed. :)
 

KHANV1CT
> Upon disassembling boot9, we notice another huge flaw in the bootrom that wasn't mentioned at 33c3. Before trying to boot from NAND, the bootrom checks to see if a key combination (Start + Select + X) is being held, and whether the shell is closed. If so, it tries to boot from an inserted NTR (Nintendo DS) cartridge.
>
> Combined with sighax/boot9strap, this allows one to make a malicious fake DS cartridge, so that holding down a button combination on boot gives you bootrom code execution. Nintendo tried to make it not possible to abuse by requiring the shell to be closed... But you can just use a magnet.

That's so cool, I wish I had the time to learn stuff like that.
 
