Hacking: [IDEA] arm9loaderhax boot without SD

Poll: Is this possible?
Total voters: 55

daxtsu
> This is rather risky to do. And stage2 gives us 500 KB of work space; to put it in perspective, SaltFW is about 32 KB.

How is it risky, especially if you give first priority to the SD card? Also, where does 500 KB come from? When I was messing around with this stuff, SafeA9LHInstaller refused to install a stage 2 that was over 20 KB, if I recall.
 

mathieulh
> At least you read delebile's writeup - that's some amazing progress right there. The problem is that BOTH FIRM0 AND FIRM1 are modded. Maybe there's some trickery with n3DS, but with o3DS it's outright impossible.
>
> And by the way, do you even know what *the* (not *a*) CTRNAND is?
>
> EDIT: Also, please check out the arm9loaderhax source; it'll all become clear at that point.

No, FIRM1 is not "modded"; otherwise it wouldn't pass the bootrom's signature checks. FIRM1, however, contains the Kernel9loader, which uses the bogus key (at 0x20 from the start of the NAND keystore) to decrypt the rest of the FIRM binary (K9L is part of the FIRM container). It will therefore decrypt to garbage, but the NAND keystore key has been specially forged/bruteforced so that one of the first instructions of said garbage happens to be a jump instruction, which branches to an address where our payload (from the previously modified FIRM0) is in memory.
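The mechanism mathieulh describes above, as an added example that is not part of this thread and not code from arm9loaderhax: search for a keystore entry such that the first word K9L decrypts is an unconditional ARM `B` landing somewhere inside the payload's memory window, plant it 0x20 bytes into a keystore image, and re-check it from the boot side. The ARM branch encoding is the real ARMv5 one (the 3DS ARM9 is an ARM946E-S, so the offset is taken from pc + 8); everything else is constructed: a toy 32-bit keyed transform stands in for the console's AES keyslot decryption (real 128-bit keys cannot be searched like this), and the ciphertext word, K9L entry address and payload window are made up. The thread says "one of the first instructions"; this example only checks the first word.

```c
/* Added example: forge a "key" so the first decrypted word is B <payload>.
 * Toy cipher, constructed addresses; not the 3DS AES engine or a9lh code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode ARM-mode "B target" at address pc. The 24-bit field is a signed
 * word offset from pc + 8 (pipeline). Returns 0 if unaligned or too far. */
uint32_t arm_encode_b(uint32_t pc, uint32_t target)
{
    if ((pc | target) & 3u)
        return 0;
    int64_t words = ((int64_t)target - ((int64_t)pc + 8)) / 4;
    if (words < -(1 << 23) || words > (1 << 23) - 1)
        return 0;
    return 0xEA000000u | ((uint32_t)words & 0x00FFFFFFu);
}

/* Decode: true if insn at pc is an unconditional B (cond=AL, L=0) and
 * writes its target. BL and conditional branches are rejected. */
bool arm_decode_b(uint32_t pc, uint32_t insn, uint32_t *target)
{
    if ((insn & 0xFF000000u) != 0xEA000000u)
        return false;
    int32_t words = (int32_t)(insn & 0x00FFFFFFu);
    if (words & 0x00800000)               /* sign-extend the 24-bit field */
        words -= 0x01000000;
    *target = (uint32_t)((int64_t)pc + 8 + (int64_t)words * 4);
    return true;
}

/* Toy keyed transform (assumption: stand-in for keyslot decryption). It is a
 * bijection on 32-bit keys, so a key exists for every wanted plaintext. */
static uint32_t toy_mix(uint32_t k)
{
    k ^= k >> 16; k *= 0x7FEB352Du;
    k ^= k >> 15; k *= 0x846CA68Bu;
    k ^= k >> 16;
    return k;
}

static uint32_t toy_decrypt_word(uint32_t cipher_word, uint32_t key)
{
    return cipher_word ^ toy_mix(key);
}

/* Brute-force a key (at most max_tries, <= 2^32) so that the first decrypted
 * word is a B into [payload_lo, payload_hi). The payload is assumed to be
 * padded so that any landing address inside the window is acceptable. */
bool forge_key(uint32_t cipher_word0, uint32_t k9l_entry,
               uint32_t payload_lo, uint32_t payload_hi,
               uint64_t max_tries, uint32_t *key_out, uint32_t *landing_out)
{
    for (uint64_t k = 0; k < max_tries; k++) {
        uint32_t target;
        uint32_t insn = toy_decrypt_word(cipher_word0, (uint32_t)k);
        if (arm_decode_b(k9l_entry, insn, &target) &&
            target >= payload_lo && target < payload_hi) {
            *key_out = (uint32_t)k;
            *landing_out = target;
            return true;
        }
    }
    return false;
}

/* Boot-side check: read the key back from a constructed keystore image
 * (0x20 bytes in, as the thread says; real entries are 16-byte AES keys),
 * decrypt the first FIRM-body word and report where execution would go. */
#define KEYSTORE_SIZE        0x100
#define KEYSTORE_KEY_OFFSET  0x20

bool boot_check(const uint8_t *keystore, uint32_t cipher_word0,
                uint32_t k9l_entry, uint32_t *landing)
{
    uint32_t key;
    memcpy(&key, keystore + KEYSTORE_KEY_OFFSET, sizeof key);
    return arm_decode_b(k9l_entry, toy_decrypt_word(cipher_word0, key), landing);
}

int main(void)
{
    /* Constructed: fake first ciphertext word, fake K9L entry, fake payload
     * window in ARM9 internal memory (within +-32 MB so a plain B reaches). */
    const uint32_t cipher_word0 = 0x5A3C9E17u;
    const uint32_t k9l_entry    = 0x08006000u;
    const uint32_t payload_lo   = 0x08080000u, payload_hi = 0x08081000u;
    uint32_t key, landing;
    uint8_t keystore[KEYSTORE_SIZE] = {0};

    if (!forge_key(cipher_word0, k9l_entry, payload_lo, payload_hi,
                   (uint64_t)1 << 32, &key, &landing)) {
        puts("no key found");
        return 1;
    }
    memcpy(keystore + KEYSTORE_KEY_OFFSET, &key, sizeof key);
    printf("forged key %08X -> first word %08X, B to %08X\n",
           key, toy_decrypt_word(cipher_word0, key), landing);
    return boot_check(keystore, cipher_word0, k9l_entry, &landing) ? 0 : 1;
}
```

The two pitfalls worth checking on a real image are the ones `arm_decode_b` enforces: the branch must be unconditional (top byte 0xEA, not 0xEB for BL or a conditional code), and the target is computed from pc + 8, not from pc. A payload window rather than a single address is what makes a search like this cheap; the decrypted word is not under your control beyond choosing the key, so the loop accepts any landing inside the padded region.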
 

mgrev
This is a bad idea. Say your 3DS bricks; then you're fucked. SaltFW doesn't have other payload loading, which is required for restoring NAND. When it loads from system, you have no chance at all to load something else if you brick.
 

daxtsu
> This is a bad idea. Say your 3DS bricks; then you're fucked. SaltFW doesn't have other payload loading, which is required for restoring NAND. When it loads from system, you have no chance at all to load something else if you brick.

That's why you'd keep the SD loading functionality of stage2, so you can boot something else in an emergency. Or install a CFW that has basic chainloading capabilities. NAND loading of payloads and SD loading of payloads don't have to be mutually exclusive at all.
 

Wolfvak
> No, FIRM1 is not "modded"; otherwise it wouldn't pass the bootrom's signature checks. FIRM1, however, contains the Kernel9loader, which uses the bogus key (at 0x20 from the start of the NAND keystore) to decrypt the rest of the FIRM binary (K9L is part of the FIRM container). It will therefore decrypt to garbage, but the NAND keystore key has been specially forged/bruteforced so that one of the first instructions of said garbage happens to be a jump instruction, which branches to an address where our payload (from the previously modified FIRM0) is in memory.

Language barrier; it's hard sometimes to get the idea across. Already corrected myself here.
 

mathieulh
> Language barrier; it's hard sometimes to get the idea across. Already corrected myself here.

I have just read your updated post. Decrypting FIRM with the right key seems appealing, but you need to remember that, for the sake of the exploit, a specific version of FIRM1 is used (not to mention that a new FIRM with a fixed Kernel9 Loader could be released someday, in which case we couldn't update it to the latest version, and that it's a bad idea to keep updating the FIRM partition in the first place, as if anything goes wrong you can't recover, since you broke the a9lh). For these reasons FIRM is actually loaded from its CXI "container". (You can be sure the first thing that was thought of was to decrypt the FIRM partition.)

Either way, there is plenty of space in FIRM0 to add a whole a9lh payload; it could also be added to some unused NAND area in raw format, I guess.
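The "plenty of space in FIRM0" claim is something you can measure from a dump. The following is an added example, not code from the thread or from arm9loaderhax: it parses the FIRM header (0x200 bytes: "FIRM" magic, boot priority, the two entrypoints, four 0x30-byte section headers at 0x40 holding offset, load address, size, copy method and SHA-256, then the RSA signature) and reports how much of the 0x400000-byte FIRM0 partition lies beyond the last section. The image it parses is constructed in `build_sample_firm`; the section sizes and load addresses there are made up, and neither section hashes nor the signature are verified.

```c
/* Added example: slack in a FIRM0 partition after the last FIRM section.
 * Public FIRM header layout; the image built below is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIRM_HDR_SIZE    0x200u      /* header incl. section table and RSA sig */
#define FIRM_SEC_TABLE   0x40u       /* first section header */
#define FIRM_SEC_HDR_LEN 0x30u       /* offset, address, size, copy method, SHA-256 */
#define FIRM_SECTIONS    4
#define FIRM0_PART_SIZE  0x400000u   /* size of the FIRM0 NAND partition */

typedef struct { uint32_t offset, address, size, copy_method; } firm_section;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Parse the section table. False on bad magic, a section that starts inside
 * the header, or a section that runs past the image (a truncated dump). */
bool firm_parse(const uint8_t *img, size_t len, firm_section out[FIRM_SECTIONS])
{
    if (len < FIRM_HDR_SIZE || len > 0xFFFFFFFFu || memcmp(img, "FIRM", 4) != 0)
        return false;
    for (int i = 0; i < FIRM_SECTIONS; i++) {
        const uint8_t *h = img + FIRM_SEC_TABLE + FIRM_SEC_HDR_LEN * i;
        out[i].offset      = rd32(h);
        out[i].address     = rd32(h + 4);
        out[i].size        = rd32(h + 8);
        out[i].copy_method = rd32(h + 12);
        if (out[i].size == 0)
            continue;                          /* unused slot */
        if (out[i].offset < FIRM_HDR_SIZE || out[i].offset > len ||
            out[i].size > len - out[i].offset)
            return false;
    }
    return true;
}

/* Highest byte offset used by any section (at least the header). */
uint32_t firm_used_end(const firm_section s[FIRM_SECTIONS])
{
    uint32_t end = FIRM_HDR_SIZE;
    for (int i = 0; i < FIRM_SECTIONS; i++)
        if (s[i].size && s[i].offset + s[i].size > end)
            end = s[i].offset + s[i].size;
    return end;
}

/* Bytes between the end of the image's last section and the partition end,
 * i.e. room for an extra blob without touching existing sections. */
uint32_t firm0_free_space(const firm_section s[FIRM_SECTIONS])
{
    uint32_t end = firm_used_end(s);
    return end >= FIRM0_PART_SIZE ? 0 : FIRM0_PART_SIZE - end;
}

/* Constructed image: an ARM11 section and an ARM9 section, zero-filled,
 * hashes left blank. Returns the image length, 0 if cap is too small. */
size_t build_sample_firm(uint8_t *buf, size_t cap)
{
    const uint32_t sizes[FIRM_SECTIONS] = { 0x20000, 0x80000, 0, 0 };    /* made up */
    const uint32_t addrs[FIRM_SECTIONS] = { 0x1FF80000, 0x08006000, 0, 0 }; /* made up */
    uint32_t off = FIRM_HDR_SIZE;
    memset(buf, 0, cap);
    memcpy(buf, "FIRM", 4);
    for (int i = 0; i < FIRM_SECTIONS; i++) {
        uint8_t *h = buf + FIRM_SEC_TABLE + FIRM_SEC_HDR_LEN * i;
        if (!sizes[i])
            continue;
        wr32(h, off); wr32(h + 4, addrs[i]); wr32(h + 8, sizes[i]);
        wr32(h + 12, 2);                       /* 2 = CPU memcpy */
        off += sizes[i];
    }
    return off <= cap ? off : 0;
}

int main(void)
{
    uint8_t *img = calloc(1, 0x100000);
    firm_section s[FIRM_SECTIONS];
    size_t len = img ? build_sample_firm(img, 0x100000) : 0;
    if (!len || !firm_parse(img, len, s)) { puts("bad image"); free(img); return 1; }
    printf("sections end at 0x%X, %u bytes free in FIRM0\n",
           firm_used_end(s), firm0_free_space(s));
    free(img);
    return 0;
}
```

Run it against a real FIRM0 dump by replacing `build_sample_firm` with a file read of the partition, and treat a parse failure as a warning sign rather than noise: a section that overruns the dump or starts inside the header means either a truncated dump or a header that has already been tampered with.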
 

Wolfvak
> I have just read your updated post. Decrypting FIRM with the right key seems appealing, but you need to remember that, for the sake of the exploit, a specific version of FIRM1 is used (not to mention that a new FIRM with a fixed Kernel9 Loader could be released someday, in which case we couldn't update it to the latest version, and that it's a bad idea to keep updating the FIRM partition in the first place, as if anything goes wrong you can't recover, since you broke the a9lh). For these reasons FIRM is actually loaded from its CXI "container". (You can be sure the first thing that was thought of was to decrypt the FIRM partition.)
>
> Either way, there is plenty of space in FIRM0 to add a whole a9lh payload; it could also be added to some unused NAND area in raw format, I guess.

Exactly why I said somewhere around here (too lazy to find the post now...) that it's *literally* impossible for o3DS users, because you're using an n3DS FIRM, and that you could get it working on n3DS with some trickery, but Luma's approach is way better and works for all systems.

And yeah, I saw AuReiNAND's issues page (it was ARN back then), and some guy was begging for FIRM loading from system...

EDIT: lol, the n3DS vs o3DS thing is actually in the first post of mine you replied to.
 