[IDEA] arm9loaderhax boot without SD

Is this possible?


Wolfvak

couldn't they do something "if file is not found, boot from firmware" ?
This is the problem exactly: the firmware (FIRM partitions) have been modded because that's the whole point of A9LH. You can get around it by loading+decrypting FIRM titles within CTRNAND, like what Luma/SaltFW does.

If you try to launch FIRM0, it'd just get stuck in a bootloop (stage1 gets activated, load+launch stage2, which loads and launches FIRM0, which activates stage1, load+launch stage2, ...)
 

Salamencizer

OP
You'll have to wait a week because I'm contracted irl for the next week and then a bit. After that, I'll start working on ShadowNAND full speed and we'll see how it goes. I'm hopeful.
ShadowNAND HYPE!
I'm gonna sincerely wait, and thanks very much for working on this!
 

Earth97

This is the problem exactly: the firmware (FIRM partitions) have been modded because that's the whole point of A9LH. You can get around it by loading+decrypting FIRM titles within CTRNAND, like what Luma/SaltFW does.

If you try to launch FIRM0, it'd just get stuck in a bootloop (stage1 gets activated, load+launch stage2, which loads and launches FIRM0, which activates stage1, load+launch stage2, ...)
  1. Bootrom reads FIRM0, but due to our payload presence, the signature check will fail.
  2. It will read FIRM1 on top of FIRM0, and our payload will still be after it.
  3. Check its RSA signature, since it's good it will jump to its arm9loader.
  4. The arm9loader will use our crafted key to decrypt the ARM9 binary as garbage, then jump to the kernel entrypoint.
  5. With our key the garbage kernel entrypoint will make the cpu jump to our payload location. --> Why not jump to FIRM1's CTRNAND, which is unmodified?
  6. Code execution!
If that is not possible, couldn't you store the cfwpayload near the ASM payload? I mean, we can jump to a SD-located payload, what about a FIRM0-located payload?
 

Shadowhand

With our key the garbage kernel entrypoint will make the cpu jump to our payload location. --> Why not jump to FIRM1's CTRNAND, which is unmodified?

We need to decrypt the CTRNAND, and at that point, it becomes a CFW anyway.

EDIT: reading further, there's no "FIRM1's CTRNAND", so you're wrong on all accounts.
 

Wolfvak

  1. Bootrom reads FIRM0, but due to our payload presence, the signature check will fail.
  2. It will read FIRM1 on top of FIRM0, and our payload will still be after it.
  3. Check its RSA signature, since it's good it will jump to its arm9loader.
  4. The arm9loader will use our crafted key to decrypt the ARM9 binary as garbage, then jump to the kernel entrypoint.
  5. With our key the garbage kernel entrypoint will make the cpu jump to our payload location. --> Why not jump to FIRM1's CTRNAND, which is unmodified?
  6. Code execution!
If that is not possible, couldn't you store the cfwpayload near the ASM payload? I mean, we can jump to a SD-located payload, what about a FIRM0-located payload?
At least you read delebile's writeup - that's some amazing progress right there. The problem is that BOTH FIRM0 AND FIRM1 are modded. Maybe there's some trickery with n3DS, but with o3DS it's outright impossible.

And by the way, do you even know what *the* (not *a*) CTRNAND is?

EDIT: Also, please check out the arm9loaderhax source, it'll all become clear at that point.
 

Earth97

At least you read delebile's writeup - that's some amazing progress right there. The problem is that BOTH FIRM0 AND FIRM1 are modded. Maybe there's some trickery with n3DS, but with o3DS it's outright impossible.

And by the way, do you even know what *the* (not *a*) CTRNAND is?

EDIT: Also, please check out the arm9loaderhax source, it'll all become clear at that point.
I'm trying to understand how A9LH works without coding skills, so what I write is most likely incorrect, and I would appreciate it if you were so kind as to correct me.
You mod FIRM0 to house an ASM payload. In order for the hax to work, FIRM1 must be mods-free, otherwise it won't be validated during hash check. Am I wrong?
I thought CTRNAND was part of the FIRM0/1, isn't it?
 

Shadowhand

I'm trying to understand how A9LH works without coding skills, so what I write is most likely incorrect, and I would appreciate it if you were so kind as to correct me.
You mod FIRM0 to house an ASM payload. In order for the hax to work, FIRM1 must be mods-free, otherwise it won't be validated during hash check. Am I wrong?
I thought CTRNAND was part of the FIRM0/1, isn't it?
Watch this, it'll help you understand things easier.
 

Wolfvak

I'm trying to understand how A9LH works without coding skills, so what I write is most likely incorrect, and I would appreciate it if you were so kind as to correct me.
You mod FIRM0 to house an ASM payload. In order for the hax to work, FIRM1 must be mods-free, otherwise it won't be validated during hash check. Am I wrong?
I thought CTRNAND was part of the FIRM0/1, isn't it?
CTRNAND is a completely separate partition from FIRM0/1, you can read more here

Yes, FIRM1 stays the same... what doesn't is the key used to decrypt it; it now jumps into our stage1. There are two ways to work around it:
1. Decrypt it with the correct key, which works, but it's even better to just do it the Luma way, simply decrypting FIRM from the CXI content

2. Load a decrypted firmware from the SD card, which in this case is not valid because one of the conditions in this situation is SD card-less boot
 

Earth97

CTRNAND is a completely separate partition from FIRM0/1, you can read more here

Yes, FIRM1 stays the same... what doesn't is the key used to decrypt it; it now jumps into our stage1. There are two ways to work around it:
1. Decrypt it with the correct key, which works, but it's even better to just do it the Luma way, simply decrypting FIRM from the CXI content

2. Load a decrypted firmware from the SD card, which in this case is not valid because one of the conditions in this situation is SD card-less boot
If 1. is a thing, what is keeping us from loading that decrypted FIRM?
 

Wolfvak

If 1. is a thing, what is keeping us from loading that decrypted FIRM?
Nothing is stopping us, nothing stopped Aurora and as such she implemented it in Luma. Have you kept up with development :wtf:?

EDIT: As a matter of fact, it's SaltLite's only way of loading firmware, since it ditched load from SD support (a good decision IMHO). Its disadvantage is that it breaks NTR support, since most NATIVE_FIRM CIAs installed currently are 10.4, while NTR works on 10.2 in n3DS and 9.6 in o3DS

EDIT 2 : Also check out the first point here https://github.com/AuroraWright/Luma3DS/commit/7dbded99a22cad84772490baee9d4913c4d1987e
 

Earth97

I've read something but I was not sure I had got it the right way. Does this mean booting without SD is already possible using Luma/will be possible soon?
 

Wolfvak

I've read something but I was not sure I had got it the right way. Does this mean booting without SD is already possible using Luma/will be possible soon?
No, I think that's not Aurora's intention. However it's @Shadowhand's ShadowNAND which is trying to accomplish just that. There's no config and firmware is loaded from CTRNAND directly, so there's no reason to use an SD card. Several fixes have to be made, but the main concept is there.
 

The Catboy

couldn't they do something "if file is not found, boot from firmware" ?

The ability to not use an SD card would be great, so you could use the console with a broken SD card reader.
It would also be helpful to noobs: currently there is a chance of a black screen whose simple fix is ejecting and reinserting the SD card, and some noobs start the console without the card and think it's broken.
And plus, it doesn't make sense that you require something to boot the console...
Actually the latest build just shuts down when you turn it on without an SD card.
 

Pikm

So I was thinking, can we just use a SaltFW (SaltLite) payload to load arm9loaderhax without SD? Its size is super small, and it doesn't require any folder/firmware/etc. for sigcheck patching.
Is this possible?
No, because arm9loaderhax is built to run an arm9loaderhax.bin from the SD card on boot. If it doesn't find one, the system turns off.
 

astronautlevel

No, because arm9loaderhax is built to run an arm9loaderhax.bin from the SD card on boot. If it doesn't find one, the system turns off.

This is entirely possible, but it's somewhat of a pain.

First of all you need a way to read files off the NAND via arm9 - this is definitely possible, but difficult when you consider the space limit of k9lh payloads.

You'd then need a payload that's small enough to fit in the NAND (smaller the better, mainly for DSiWare and stuff). In addition, it would need patches for FIRM write protection at the very least, and would need to be able to load firmware.bin from NAND. SaltFW works perfectly for this, as it is relatively lightweight and contains necessary patches. Another option would be Mizuki.

Like I said, it's possible but a pain. Most developers aren't going to be working on it given that it's relatively low priority as few people boot without an SD card. I would be looking into it if I had a hardmod, but since I don't I'm too afraid to brick :P
 

daxtsu

This is entirely possible, but it's somewhat of a pain.

First of all you need a way to read files off the NAND via arm9 - this is definitely possible, but difficult when you consider the space limit of k9lh payloads.

You'd then need a payload that's small enough to fit in the NAND (smaller the better, mainly for DSiWare and stuff). In addition, it would need patches for FIRM write protection at the very least, and would need to be able to load firmware.bin from NAND. SaltFW works perfectly for this, as it is relatively lightweight and contains necessary patches. Another option would be Mizuki.

Like I said, it's possible but a pain. Most developers aren't going to be working on it given that it's relatively low priority as few people boot without an SD card. I would be looking into it if I had a hardmod, but since I don't I'm too afraid to brick :P

I was actually looking into it before I bricked my N3DS as a result of it. I'm waiting on an N3DS XL compatible USB reader for my hardmod to arrive though, so I'm not going to play with fire until I can put it out, so to speak.
 

Salamencizer

OP
No, because arm9loaderhax is built to run an arm9loaderhax.bin from the SD card on boot. If it doesn't find one, the system turns off.
You didn't get what I meant. The idea was to replace the payload on FIRM0/FIRM1 (which boots a payload on the SD card) with one of a CFW whose size is super small, like that of SaltLite.
Our Glorious ShadowHand is working on ShadowNAND. Can't wait to test it out.
 

daxtsu

You didn't get what I meant. The idea was to replace the payload on FIRM0/FIRM1 (which boots a payload on the SD card) with one of a CFW whose size is super small, like that of SaltLite.
Our Glorious ShadowHand is working on ShadowNAND. Can't wait to test it out.

I don't think there will be enough room to do that with stage2. Fatfs makes up a huge chunk of stage 2, and there's barely much room left to add the crypto stuff to mount CTRNAND and read stuff off it. It would make more sense to have stage 2 do this:

  1. Check SD for an A9LH payload. If it had one, boot it. If not, check NAND.
  2. Mount CTRNAND and set up crypto stuff for reading files.
  3. Check CTRNAND for an A9LH payload. If it has one, great, boot it. If not, shutdown the console.

That would be a simple and relatively safe way of doing it. You'd just stick Salt or Mizuki (or some other CFW, whatever you want) on CTRNAND and then just boot it.
 

Salamencizer

OP
I don't think there will be enough room to do that with stage2. Fatfs makes up a huge chunk of stage 2, and there's barely much room left to add the crypto stuff to mount CTRNAND and read stuff off it. It would make more sense to have stage 2 do this:

  1. Check SD for an A9LH payload. If it had one, boot it. If not, check NAND.
  2. Mount CTRNAND and set up crypto stuff for reading files.
  3. Check CTRNAND for an A9LH payload. If it has one, great, boot it. If not, shutdown the console.

That would be a simple and relatively safe way of doing it. You'd just stick Salt or Mizuki (or some other CFW, whatever you want) on CTRNAND and then just boot it.
Yeah something like this. As I said, ShadowHand is working on it.
 
