[Question] Cracking the BOOTROM?

Discussion in '3DS - Homebrew Development and Emulators' started by survive9, Apr 8, 2016.

  1. survive9
    OP

    survive9 Advanced Member

    Newcomer
    59
    13
    Dec 13, 2014
    United States
    Let's say someone manages to crack the BOOTROM security someday. What would that allow us to do that we can't do even now? From what I heard it allows us to get the normal keys but idk what all of them would be useful for.
     
  2. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,742
    1,240
    Oct 8, 2015
    Italy
    Hyrule Castle
    OTP dumping at coldboot... nothing else.

    nothing else that a9lh doesn't already allow us to do.
     
    survive9 and yusuo like this.
  3. julialy

    julialy Homebrewer

    Member
    1,686
    594
    Nov 26, 2012
    United States
    It would allow us to decrypt games on a PC, instead of requiring a 3DS to decrypt for you.
     
    survive9 likes this.
  4. mikey420

    mikey420 GBAtemp Advanced Fan

    Member
    551
    173
    Dec 11, 2015
    United States
    Basically it would remove any remaining security, allowing us to decrypt content without the 3DS and to "sign" software to run without the need for an exploit.
     
    peteruk likes this.
  5. DrCrygor07

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,711
    634
    Sep 4, 2014
    Italy
    No, it won't allow us to sign software, only a real coldboot, loading code before the start of sysprot9, allowing us to dump the OTP at coldboot (a thing we won't need anymore).
     
    Last edited by DrCrygor07, Apr 8, 2016
    peteruk likes this.
  6. mikey420

    mikey420 GBAtemp Advanced Fan

    Member
    551
    173
    Dec 11, 2015
    United States
    How do you expect to dump anything with a coldboot if you can't run code? With the bootrom broken and the keys used to sign the content available, we should be able to decrypt and re-encrypt any part of the system, modifying it as we please. If the bootrom protection is defeated, all signing checks will mean nothing to developers. I'm certain of this statement.
     
  7. capito27

    capito27 GBAtemp Advanced Fan

    Member
    873
    1,006
    Jan 19, 2015
    Swaziland
    Depending on how early the bootrom can be broken, it could allow for 100% NAND brick proofing (depending on where in the bootrom it could be exploited), as you could possibly directly control it before it checks for NAND validity, thus code exec to load an emuNAND at boot, before NAND is even accessed, possibly. But it's very theoretical and HIGHLY unlikely.
     
    DrCrygor07 likes this.
  8. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,742
    1,240
    Oct 8, 2015
    Italy
    Hyrule Castle
    Seriously, you think that the bootrom doesn't contain code?
     
    DrCrygor07 likes this.
  9. DrCrygor07

    DrCrygor07 Italian Wario Ware bootleg©

    Member
    1,711
    634
    Sep 4, 2014
    Italy
    Otherwise how could you load the 3DS kernel and firmware? LOL
     
  10. capito27

    capito27 GBAtemp Advanced Fan

    Member
    873
    1,006
    Jan 19, 2015
    Swaziland
    You do know that the signing keys are nowhere on the 3DS, right? The keys available are only for decryption; all signatures would be invalid without the private signing keys in some Nintendo bunker.
     
    Last edited by capito27, Apr 8, 2016
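capito27's point above, that the keys present on the console only decrypt while the signature check needs a private key the device never holds, as an added example that is not part of the thread. It models a two-step boot check with a constructed symmetric "console key" and a toy textbook RSA pair; the tiny primes and the hash-keystream stand-in for the cipher are constructed for illustration and are not the 3DS's real scheme:

```python
import hashlib

# Constructed symmetric "console key": models the key material a device holds to
# decrypt firmware. The cipher below is a SHA-256 keystream XOR stand-in, not AES.
CONSOLE_KEY = b"constructed-console-key"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt (symmetric) by XORing with a hash-derived keystream."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

# Toy textbook RSA with tiny constructed primes: illustration only, not secure.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)    # baked into the boot chain: can only VERIFY
PRIVATE_KEY = (N, D)   # vendor-only: the device never holds this

def fw_digest(firmware: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(firmware).digest(), "big") % n

def sign(firmware: bytes, priv) -> int:
    n, d = priv
    return pow(fw_digest(firmware, n), d, n)

def verify(firmware: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == fw_digest(firmware, n)

def vendor_build(firmware: bytes):
    """Vendor side: sign with the private key, then encrypt for the console."""
    return keystream_xor(CONSOLE_KEY, firmware), sign(firmware, PRIVATE_KEY)

def device_boot(enc: bytes, sig: int) -> bool:
    """Device side: decrypt with the console key, boot only if the signature verifies."""
    return verify(keystream_xor(CONSOLE_KEY, enc), sig, PUBLIC_KEY)

def tamper_with_console_key(enc: bytes, sig: int) -> bool:
    """Holding CONSOLE_KEY lets you decrypt, edit and re-encrypt the image, but
    without PRIVATE_KEY the old signature no longer matches the edited firmware.
    Returns whether the device would boot the modified image (False here)."""
    plain = keystream_xor(CONSOLE_KEY, enc)
    modified = keystream_xor(CONSOLE_KEY, plain.replace(b"v1", b"v2"))
    return device_boot(modified, sig)
```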
  11. survive9
    OP

    survive9 Advanced Member

    Newcomer
    59
    13
    Dec 13, 2014
    United States
    Thanks for clearing this up, guys. I thought it would allow for something cool like running a true CFW that is very different from Nintendo's, but that seems to not be the case.
     
  12. dubbz82

    dubbz82 GBAtemp Advanced Maniac

    Member
    1,512
    815
    Feb 2, 2014
    United States

    This is already theoretically possible; it would require someone to actually build it out though, which isn't trivial. Nintendo's built-in OS isn't THAT bad, is it?
     
  13. zoogie

    zoogie simple pimp tool

    Member
    6,571
    8,457
    Nov 30, 2014
    United States
    Well, that is possible, you know. Everything besides the bootloader is replaceable.
    It's just a lot of work though when piracy is enough for most people.
     
  14. mikey420

    mikey420 GBAtemp Advanced Fan

    Member
    551
    173
    Dec 11, 2015
    United States
    I'm well aware of this. I'm saying that to defeat the bootrom requires one of 2 things: either you must exploit it itself or manage to pass its signature checks. Regardless, this would ultimately defeat all signature checks, allowing us to do as we please to the device.
     
  15. TuxSH

    TuxSH GBAtemp Advanced Fan

    Member
    612
    994
    Oct 19, 2015
    France
    A bootROM vulnerability exploitable by the end-user would be both a full system-control exploit and an entry point, hardcoded in hardware.
    If such a flaw exists, it would literally kill the 3DS's security, in fact the 3DS as a whole.

    What about Linux?
     
  16. zoogie

    zoogie simple pimp tool

    Member
    6,571
    8,457
    Nov 30, 2014
    United States
    ARM9 control does this. We've had that for a while.
     
  17. Filo97

    Filo97 Zelda's totally my sister! Not lying!

    Member
    3,742
    1,240
    Oct 8, 2015
    Italy
    Hyrule Castle
    No, he does not mean to patch the checks, he means to remove the checks from the OS itself.
     
  18. dubbz82

    dubbz82 GBAtemp Advanced Maniac

    Member
    1,512
    815
    Feb 2, 2014
    United States
    Same end result.
     
    Ammako and zoogie like this.
  19. artur3004

    artur3004 GBAtemp Fan

    Member
    486
    124
    Mar 31, 2015
    Gambia, The
    Wouldn't it be a similar situation to the exploit in the A4 iPhone CPU?
     
  20. linuxares

    linuxares GBAtemp Psycho!

    Member
    3,277
    1,407
    Aug 5, 2007
    Wouldn't the 3DS basically be as the 360 is with JTAG/RGH?