Hacking [Info] eMMChax/bootloaderhax

  • Thread starter Thread starter DSoryu
  • Start date Start date
  • Views Views 1,561
  • Replies Replies 10
Status
Not open for further replies.

DSoryu

GBA/NDS Maniac
Member
Joined
May 5, 2010
Messages
2,522
Reaction score
3,285
Trophies
2
Location
In my house
XP
5,846
Country
Mexico
So, acording to some resources and reads I was taking last nights, I came into this posibility, but I need to know what can be done atm.

The 3DS unique console key is based on a hardware chip known as the eMMc, and acording to this there is a posibility to do something interesting with that information.

Correct me if I'm wrong.
 
The IV is generated from the CID (potentially changeable with that hack). The key is the same across all 3ds.

In THEORY this MIGHT be possible: take a hacked 3DS and get an encrypted dump and the CID. Flash the CID onto an unhackable 3DS. Then flash the encrypted NAND dump. You might have just duplicated the original 3DS with a vulnerable fw. Maybe.

I've talked about this theory before--I haven't tested and someone more knowledgable may chime in about why it might not work. Right now every 3DS on latest FW is downgradable and hackable so it's pretty pointless. However, this might become interesting when nintendo fixes the exploits in a newer fw. However, this "hack" would require soldering and maybe hardware (like a RPI).

EDIT: An orthogonal hack: if we ever dump bootrom9 and the KeyX for the various nand partitions, then we may be able to do this even without a CID write hack.
 
Last edited by yifan_lu,
  • Like
Reactions: peteruk and DSoryu
If I'm not mistaken the samdunk thing affects bootloaders that are stored on the eMMC, where as the 3ds has the bootloader stored in silicon. Also the mentioned vulnerability abuses mechanisms in Samsung's bootloader implementation (which I think is a modification of little kernel?). In summary it's not useful.
 
The IV is generated from the CID (potentially changeable with that hack). The key is the same across all 3ds.

In THEORY this MIGHT be possible: take a hacked 3DS and get an encrypted dump and the CID. Flash the CID onto an unhackable 3DS. Then flash the encrypted NAND dump. You might have just duplicated the original 3DS with a vulnerable fw. Maybe.

As always, thank you, this was the type of answer I was expecting, specially from you.

This could lead to, maaaybe, unbrick dead 3DS's.
..
The main problem seems to be on how to dump the CID, on the article I linked above they used tools already provided by Samsung itself by mistake, the only way I can think of is the risky hardware method...

Yet, is not really known if that'll work.
 
As always, thank you, this was the type of answer I was expecting, specially from you.

This could lead to, maaaybe, unbrick dead 3DS's.
..
The main problem seems to be on how to dump the CID, on the article I linked above they used tools already provided by Samsung itself by mistake, the only way I can think of is the risky hardware method...

Yet, is not really known if that'll work.
That's all easy to do. Just connect the eMMC pinouts to a raspberry pi and you can read the CID and run those vendor commands and stuff.
 
  • Like
Reactions: DSoryu
The IV is generated from the CID (potentially changeable with that hack). The key is the same across all 3ds.

In THEORY this MIGHT be possible: take a hacked 3DS and get an encrypted dump and the CID. Flash the CID onto an unhackable 3DS. Then flash the encrypted NAND dump. You might have just duplicated the original 3DS with a vulnerable fw. Maybe.

I've talked about this theory before--I haven't tested and someone more knowledgable may chime in about why it might not work. Right now every 3DS on latest FW is downgradable and hackable so it's pretty pointless. However, this might become interesting when nintendo fixes the exploits in a newer fw. However, this "hack" would require soldering and maybe hardware (like a RPI).

EDIT: An orthogonal hack: if we ever dump bootrom9 and the KeyX for the various nand partitions, then we may be able to do this even without a CID write hack.
That actually seems like a much more practical idea than what I was getting from the OPs question.
 
Okay so I thought of some limitations:
1) Sector 0x96 (the keystore) cannot be transferred--even if encrypted since the key comes from the OTP and not the eMMC CID. So you need to replace the encrypted sector 0x96 with your original one.
2) More importantly, there might be keys used later in the boot process (such as the tickets.db MAC key) that /might/ depend on keys generated from the OTP. That means the console may not boot. However, there might be a way around this...

EDIT: Okay we can shut this down. yellows8 tells me that the CID is used in the IV but KeyX is also console-unique (and not based on the CID). So in short, it won't work.
 
Last edited by yifan_lu,
  • Like
Reactions: DSoryu
Status
Not open for further replies.

Site & Scene News

Popular threads in this forum