Hacking: Is A9LH really that secure?

annoyingcalc

I've been reading about how A9LH + Luma3DS should be able to survive updates, but what about if Nintendo was really trying to remove it? I mean, it seems to me like the "arm9loaderhax.bin" on the SD card or NAND will run every startup. What stops Nintendo from modifying these files? I heard about there being write protection to the FIRM, but I haven't heard of anything that stops them from modifying files on the SD card. What if they made something that every shutdown deleted arm9loaderhax.bin (making you have to plug the SD card into your computer every time you want to boot up) or, even worse, replaced it with their own file that could delete all "not acceptable" content on the SD including EmuNAND? Of course we could patch this out, but this would require a patch to be made. Everyone who updated (who may or may not have a recent backup) would lose all of their stuff. (Assuming Nintendo wants to take a Gateway approach to things.)

Or am I completely wrong and would this not work?
 

Jayro

They wouldn't be doing this if they were going to kill off the 3DS, so we might even get another Pokemon gen down the road. Hopefully it will be exclusive to the N3DS, and really take advantage of all the hardware. I feel Sun and Moon almost did that.
 

wormdood

I think they have a way to shut it down now, they just haven't implemented it yet, because you would just downgrade, and that would be the reason for removing all the DSi downgrade games/the bounty (potentially collecting up all the new hacks), so they can keep you out once they shut you out.


#big n is coming for you
 

wormdood

I'm surprised they haven't started un-A9LHing systems with 11.0 to be honest. If hackers can do it, Nintendo can eventually undo it.
That's what I'm talking about, but if they are gonna do it efficiently they gotta wait until they shut down the new hacks, slowhax etc., that most of you tempers keep blabbing on about like they don't monitor this site among others.
 

Joom

If Nintendo knew how to get rid of it they wouldn't have made a bug bounty trying to bribe hackers for a solution.
They're fishing for 33c3 speakers, nothing more. All the other bullshit they posted is just a guise. Think about it. They posted this just a couple weeks before a major ARM11 kexploit is announced as well as other major findings. They're hoping that at least one major speaker is gonna take the bait.
 

Jayro

Let's hope the devs don't take the money and sell us out... And if a dev does sell us out, they should have their GBATemp account perma-banned if they're a member here.
 

ceelo

Let's hope the devs don't take the money and sell us out... And if a dev does sell us out, they should have their GBATemp account perma-banned if they're a member here.

Whoa whoa now, that could be overkill /s.

Anyway, if I recall correctly, I think the safe bit about A9LH is that it starts before the payloads load, so Nintendo can't really do anything about it as it's there before whatever Nintendo would have to load. Like BootMii on Wii.
 

Gray_Jack

A9LH exploitation uses flaws in the hardware; it can never be patched without a hardware revision. If I'm not mistaken, all we need is the right key to jump to the hax payload written inside FIRM0 and loaded into ARM9 memory.

If Nintendo modifies the arm9loaderhax.bin payload on the SD to uninstall the A9LH implementation, we can always install it again (although it will not be easy, since we need hardmod, DSi downgrade or bruteforce to reinstall it), and even if Ninty patches hardmod FIRM downgrade and DSi downgrade, the bruteforce method will always be alive (although it's much, much more complicated than any other method, and that's why it's not in the Plailect guide).
 

Jayro

A9LH exploitation uses flaws in the hardware; it can never be patched without a hardware revision. If I'm not mistaken, all we need is the right key to jump to the hax payload written inside FIRM0 and loaded into ARM9 memory.

If Nintendo modifies the arm9loaderhax.bin payload on the SD to uninstall the A9LH implementation, we can always install it again (although it will not be easy, since we need hardmod, DSi downgrade or bruteforce to reinstall it), and even if Ninty patches hardmod FIRM downgrade and DSi downgrade, the bruteforce method will always be alive (although it's much, much more complicated than any other method, and that's why it's not in the Plailect guide).
I think a major hardware revision would need to be made with e-fuses in the NAND or somewhere for them to block the NAND hardmod downgrades. Like, if a user attempts one, the console would brick, for example.
 

Goombi

I'm surprised they haven't started un-A9LHing systems with 11.0 to be honest. If hackers can do it, Nintendo can eventually undo it.
To un-A9LH you need the OTP. And you also need it to detect a tampered secret sector. So what's left to detect an A9LH'd console? arm9loaderhax.bin is on the SD card and has an arbitrary name. So we're left with FIRM0 (which is tampered and kept outdated) and FIRM1 (kept outdated). So at best they can detect it by checking FIRM partitions but can't "un-A9LH" (because of the tampered key). And I think bricking consoles is out of the question.
 

Gray_Jack

I think a major hardware revision would need to be made with e-fuses in the NAND or somewhere for them to block the NAND hardmod downgrades. Like, if a user attempts one, the console would brick, for example.

It's very possible to patch hardmod downgrade; for instance, with the 10.4 update the system won't boot using the 9.0 NATIVE_FIRM, it made it obligatory to use the 10.4 NATIVE_FIRM or above.
If they do that again, let's say in a 1.X.X update, making it impossible for the system to boot with the 10.4 NATIVE_FIRM (the one we use to be able to do the hardmod and DSi downgrades) and making the use of 11.0/11.1/11.2 or above mandatory to boot the system, that would make it impossible to do the hardmod downgrade and DSi downgrade.
 

ScarletDreamz

Yeah, keep talking, keep giving nintendo ideas on how to screw us lol.

Let's hope the devs don't take the money and sell us out... And if a dev does sell us out, they should have their GBATemp account perma-banned if they're a member here.
Why? Because he worked his ass off reverse engineering and exploiting, and decided to make some money out of that?
 

Joom

But doesn't that NAND restore also restore the secret sector? On O3DS you are right since the normal FIRM does not use that sector. I need to check what happens under normal a9l exec with tampered key.
No. With Hourglass9, yes; A9LH is preserved during a restore. With Decrypt9, it has to be specifically told to retain A9LH after a restore.
 

Gray_Jack

Yeah, keep talking, keep giving nintendo ideas on how to screw us lol.

They did it once, it's not like they don't know this, they are just waiting for the "right time" to do that (though Ninty was never time-wise xD A bunch of failures 'cause they have ideas way ahead of their time and too many holes in the system because they waited too long to patch it).
 