Hacking NTRCardHax Progress?

[gudenau]

Speaking of which, anyone know how the GW carts work on a protocol level?

 

[Matson25]

Speaking of which, anyone know how the GW carts work on a protocol level?

I think the source is private.

 

[gudenau]

I think the source is private.

It is, but I would like to know if anyone figured it out at all. There is some interesting possibilities available with an FPGA and SD card in that slot.

 

[Logan Pockrus]

(Why aren't you documenting it, then! )

Because I'm extremely lazy!

 

[Normmatt]

It is, but I would like to know if anyone figured it out at all. There is some interesting possibilities available with an FPGA and SD card in that slot.

It's not like we can reprogram the FPGA...

 

[gudenau]

It's not like we can reprogram the FPGA...

If we knew how it worked we could, GW does it after all.

 

[Normmatt]

If we knew how it worked we could, GW does it after all.

They have the encryption keys for their fpga.... we don't...... good luck bruteforcing those

 

[gudenau]

They have the encryption keys for their fpga.... we don't...... good luck bruteforcing those

Do you know that it's encrypted beond the normal for GW?

 

[WulfyStylez]

Do you know that it's encrypted beond the normal for GW?

iirc their FPGA can crypt data with a key that can't (hasn't) been acquired by anyone, including clone companies. Part of how they lock ppl out of their enhanced modes or whatever. Clones would just grab the decrypted data and encrypt it with their own keys in their hacked-up binaries.

Check out Gateway's NATIVE_FIRM as well as their (final stage) arm9 payload to be able to reverse-engineer the business end of their cart and get it working elsewhere. Make sure yr already familiar with CTRCARD protocol tho! I've heard they implement an FS driver of some sort for their cart? I haven't looked into it myself b/c I don't own one and don't have GW payloads/idbs anymore.

 

[Normmatt]

iirc their FPGA can crypt data with a key that can't (hasn't) been acquired by anyone, including clone companies. Part of how they lock ppl out of their enhanced modes or whatever. Clones would just grab the decrypted data and encrypt it with their own keys in their hacked-up binaries.

Check out Gateway's NATIVE_FIRM as well as their (final stage) arm9 payload to be able to reverse-engineer the business end of their cart and get it working elsewhere. Make sure yr already familiar with CTRCARD protocol tho! I've heard they implement an FS driver of some sort for their cart? I haven't looked into it myself b/c I don't own one and don't have GW payloads/idbs anymore.

You need to be very adept at reverse engineering to make much progress on their payloads

 

[gudenau]

iirc their FPGA can crypt data with a key that can't (hasn't) been acquired by anyone, including clone companies. Part of how they lock ppl out of their enhanced modes or whatever. Clones would just grab the decrypted data and encrypt it with their own keys in their hacked-up binaries.

Check out Gateway's NATIVE_FIRM as well as their (final stage) arm9 payload to be able to reverse-engineer the business end of their cart and get it working elsewhere. Make sure yr already familiar with CTRCARD protocol tho! I've heard they implement an FS driver of some sort for their cart? I haven't looked into it myself b/c I don't own one and don't have GW payloads/idbs anymore.

Where did you get this info? Could be an interesting project. Anyone have a GW to spare for tinkering?

 

[WulfyStylez]

Where did you get this info? Could be an interesting project. Anyone have a GW to spare for tinkering?

If you sift thru their some of their very old payloads you'll encounter it eventually, not super interesting tho.

Ironically, taking this thread for a complete 360 - probably the easiest way to get Gateway's most recent arm9-mode code for the uninitiated would be to do ntrcardhax on an exploitable GW version (which is any, i believe, since they don't actually update their FIRM with payload updates any more). Their firm relaunch implementation breaks firmlaunchhax iirc.

 

[Normmatt]

If you sift thru their some of their very old payloads you'll encounter it eventually, not super interesting tho.

Ironically, taking this thread for a complete 360 - probably the easiest way to get Gateway's most recent arm9-mode code for the uninitiated would be to do ntrcardhax on an exploitable GW version (which is any, i believe, since they don't actually update their FIRM with payload updates any more). Their firm relaunch implementation breaks firmlaunchhax iirc.

Nah its easier than that... but I don't want them to fix it

 

[gudenau]

If you sift thru their some of their very old payloads you'll encounter it eventually, not super interesting tho.

Ironically, taking this thread for a complete 360 - probably the easiest way to get Gateway's most recent arm9-mode code for the uninitiated would be to do ntrcardhax on an exploitable GW version (which is any, i believe, since they don't actually update their FIRM with payload updates any more). Their firm relaunch implementation breaks firmlaunchhax iirc.

Why not follow the arm11 stuff for the arm9 stuff? You can so that now.

 

[WulfyStylez]

Why not follow the arm11 stuff for the arm9 stuff? You can so that now.

That's the way they assumed people would try to reverse-engineer their work and it's (extremely) obfuscated due to exactly that. Trying to do so can teach you a lot about RE and obfuscation, though!

 

[gudenau]

That's the way they assumed people would try to reverse-engineer their work and it's (extremely) obfuscated due to exactly that. Trying to do so can teach you a lot about RE and obfuscation, though!

That is half the fun I'm sure!

 

[Normmatt]

That's the way they assumed people would try to reverse-engineer their work and it's (extremely) obfuscated due to exactly that. Trying to do so can teach you a lot about RE and obfuscation, though!

Yeah working through their obfuscation payloads is fun... I wrote an emulator just to make that easier for myself

 

[gudenau]

Yeah working through their obfuscation payloads is fun... I wrote an emulator just to make that easier for myself

Sounds like something I would do.

 

[zoogie]

Bump for a big update on ntrcardhax.

@d3m3vilurr has finally achieved public implementation of ntrcardhax for his korean new3ds. Hopefully, he can provide some instructions on how to install it.



https://github.com/d3m3vilurr/ntrcardhax/tree/more (payload tool and 3dsx exploit launcher)
https://github.com/d3m3vilurr/Decrypt9WIP/releases (payload flasher for ak2i embedded in d9)

People may be asking why do we need this when there's already a9 sploits on 9.2. Because, with this, we can use dgtool potentially to downgrade nfirm to 10.3 and just use ntrcardhax right there on firmware 11.x to install a9lh. In short, we can avoid the risk and trouble of ctrnand downgrades to 9.2 completely.

 

[Wolfvak]

People may be asking why do we need this when there's already a9 sploits on 9.2.

AFAIK there's no pre-9.6 N3DS firmwares for KOR/CHN/TWN as well, so it'll come in handy for them.