[Info] eMMChax/bootloaderhax

Status: Not open for further replies.

DSoryu (OP):
So, according to some resources and reads I was taking last night, I came across this possibility, but I need to know what can be done atm.

The 3DS unique console key is based on a hardware chip known as the eMMC, and according to this there is a possibility to do something interesting with that information.

Correct me if I'm wrong.

yifan_lu:
The IV is generated from the CID (potentially changeable with that hack). The key is the same across all 3ds.

In THEORY this MIGHT be possible: take a hacked 3DS and get an encrypted dump and the CID. Flash the CID onto an unhackable 3DS. Then flash the encrypted NAND dump. You might have just duplicated the original 3DS with a vulnerable fw. Maybe.

I've talked about this theory before--I haven't tested it, and someone more knowledgeable may chime in about why it might not work. Right now every 3DS on the latest FW is downgradable and hackable, so it's pretty pointless. However, this might become interesting when Nintendo fixes the exploits in a newer FW. However, this "hack" would require soldering and maybe hardware (like an RPi).

EDIT: An orthogonal hack: if we ever dump bootrom9 and the KeyX for the various nand partitions, then we may be able to do this even without a CID write hack.
solsolis:
If I'm not mistaken, the samdunk thing affects bootloaders that are stored on the eMMC, whereas the 3DS has the bootloader stored in silicon. Also, the mentioned vulnerability abuses mechanisms in Samsung's bootloader implementation (which I think is a modification of little kernel?). In summary, it's not useful.

DSoryu (OP):
yifan_lu said:
    The IV is generated from the CID (potentially changeable with that hack). The key is the same across all 3ds.

    In THEORY this MIGHT be possible: take a hacked 3DS and get an encrypted dump and the CID. Flash the CID onto an unhackable 3DS. Then flash the encrypted NAND dump. You might have just duplicated the original 3DS with a vulnerable fw. Maybe.

As always, thank you; this was the type of answer I was expecting, especially from you.

This could lead to, maaaybe, unbricking dead 3DSs.

The main problem seems to be how to dump the CID. In the article I linked above they used tools that Samsung itself had provided by mistake; the only way I can think of is the risky hardware method...

Yet it is not really known whether that'll work.

yifan_lu:
DSoryu said:
    As always, thank you; this was the type of answer I was expecting, especially from you.

    This could lead to, maaaybe, unbricking dead 3DSs.

    The main problem seems to be how to dump the CID. In the article I linked above they used tools that Samsung itself had provided by mistake; the only way I can think of is the risky hardware method...

    Yet it is not really known whether that'll work.

That's all easy to do. Just connect the eMMC pinout to a Raspberry Pi and you can read the CID and run those vendor commands and stuff.

solsolis:
yifan_lu said:
    The IV is generated from the CID (potentially changeable with that hack). The key is the same across all 3ds.

    In THEORY this MIGHT be possible: take a hacked 3DS and get an encrypted dump and the CID. Flash the CID onto an unhackable 3DS. Then flash the encrypted NAND dump. You might have just duplicated the original 3DS with a vulnerable fw. Maybe.

    I've talked about this theory before--I haven't tested it, and someone more knowledgeable may chime in about why it might not work. Right now every 3DS on the latest FW is downgradable and hackable, so it's pretty pointless. However, this might become interesting when Nintendo fixes the exploits in a newer FW. However, this "hack" would require soldering and maybe hardware (like an RPi).

    EDIT: An orthogonal hack: if we ever dump bootrom9 and the KeyX for the various nand partitions, then we may be able to do this even without a CID write hack.

That actually seems like a much more practical idea than what I was getting from the OP's question.

yifan_lu:
Okay, so I thought of some limitations:
1) Sector 0x96 (the keystore) cannot be transferred--even if encrypted, since the key comes from the OTP and not the eMMC CID. So you need to replace the encrypted sector 0x96 with your original one.
2) More importantly, there might be keys used later in the boot process (such as the tickets.db MAC key) that /might/ depend on keys generated from the OTP. That means the console may not boot. However, there might be a way around this...

EDIT: Okay we can shut this down. yellows8 tells me that the CID is used in the IV but KeyX is also console-unique (and not based on the CID). So in short, it won't work.
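The two hands-on points of the thread, reading the CID off the eMMC once it is wired to a host like a Raspberry Pi, and checking whether a donor CID plus an encrypted NAND dump is enough to clone a console, as an added Python example. This is not code from the thread, from Nintendo or from any 3DS tool. The CID field layout is the JEDEC eMMC one, in the same 32-hex-character form Linux exposes at /sys/block/mmcblkN/device/cid; the sample CID is constructed. The cipher and the key scrambler are deliberate hash-based stand-ins, not the 3DS AES-CTR or keyscrambler, so the only thing the model demonstrates is which inputs have to match on the target console.

```python
"""Model of the NAND-cloning idea from the thread: the IV comes from the
eMMC CID, the key comes from KeyX, which lives on the OTP/bootrom side and
not on the eMMC.  Toy cipher and toy key derivation (NOT the 3DS scheme):
the model only shows which inputs must match for a dump to decrypt."""
import hashlib

# Constructed sample CID (not a real console's), in the 32-hex-char form of
# /sys/block/mmcblkN/device/cid.  Bytes: MID, rsvd/CBX, OID, PNM[6], PRV,
# PSN[4], MDT, CRC.
SAMPLE_CID_HEX = "1501004d4d4330344710123456783ce5"


def parse_cid(cid_hex: str) -> dict:
    """Split a 128-bit eMMC CID register into its JEDEC fields."""
    raw = bytes.fromhex(cid_hex)
    if len(raw) != 16:
        raise ValueError("CID must be 16 bytes")
    v = int.from_bytes(raw, "big")
    mdt = (v >> 8) & 0xFF
    return {
        "mid": (v >> 120) & 0xFF,                         # manufacturer ID
        "cbx": (v >> 112) & 0x03,                         # device/BGA type
        "oid": (v >> 104) & 0xFF,                         # OEM/application ID
        "pnm": ((v >> 56) & ((1 << 48) - 1)).to_bytes(6, "big").decode("ascii", "replace"),
        "prv": (v >> 48) & 0xFF,                          # product revision
        "psn": (v >> 16) & 0xFFFFFFFF,                    # product serial number
        "mdt_month": mdt >> 4,
        "mdt_year": 1997 + (mdt & 0x0F),                  # spec base year; newer revisions shift it
        "crc": (v >> 1) & 0x7F,
    }


def derive_iv(cid: bytes) -> bytes:
    """IV from the CID (the thread's claim); model: truncated SHA-256."""
    return hashlib.sha256(b"iv" + cid).digest()[:16]


def derive_normal_key(keyx: bytes, keyy: bytes) -> bytes:
    """Stand-in for the console's key scrambler: deterministic in (KeyX, KeyY)."""
    return hashlib.sha256(b"key" + keyx + keyy).digest()


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream: hash(key || iv || counter) blocks."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def crypt_nand(key: bytes, cid: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    ks = keystream(key, derive_iv(cid), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


KEYY = b"\x11" * 16  # KeyY treated as shared/public in this model (assumption)


def clone_decrypts(donor_keyx: bytes, target_keyx: bytes, donor_cid: bytes,
                   target_cid: bytes = None,
                   data: bytes = b"vulnerable-fw-nand-image") -> bool:
    """Donor (hacked 3DS) encrypts with its KeyX and CID.  The target gets the
    donor's CID flashed (target_cid defaults to it) and the encrypted dump, and
    decrypts with its own KeyX.  True if the image comes back intact."""
    target_cid = donor_cid if target_cid is None else target_cid
    dump = crypt_nand(derive_normal_key(donor_keyx, KEYY), donor_cid, data)
    return crypt_nand(derive_normal_key(target_keyx, KEYY), target_cid, dump) == data


if __name__ == "__main__":
    cid = bytes.fromhex(SAMPLE_CID_HEX)
    print(parse_cid(SAMPLE_CID_HEX))
    shared = b"\x22" * 16
    print("KeyX shared, CID flashed :", clone_decrypts(shared, shared, cid))
    print("KeyX unique, CID flashed :", clone_decrypts(shared, b"\x33" * 16, cid))
    print("KeyX shared, CID not set :", clone_decrypts(shared, shared, cid, b"\x00" * 16))
```

With the thread's first assumption (KeyX shared across consoles) the flashed donor CID makes the dump decrypt; with the correction yellows8 gave (KeyX console-unique) the same dump comes back as garbage, and the third case shows that a matching KeyX without the donor CID fails too, since the IV is CID-derived. On a Linux host with the eMMC attached, `cat /sys/block/mmcblk0/device/cid` gives the hex string to feed `parse_cid`.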