Homebrew [Question] Cracking the BOOTROM?

[survive9]

This is already theoretically possible, it would require someone to actually build it out though, which isn't trivial. Nintendo's built in OS isn't THAT bad, is it?

No I actually like it, but I also like something fresh.

--------------------- MERGED ---------------------------

A bootROM vulnerability exploitable by the end-user would be both a full system-control exploit and an entrypoint, hardcoded in hardware.
If such a flaw exists, it would literally kill the 3DS's security, in fact the 3DS as a whole.

What about Linux?

I have a 2ds so I don't think it would run that well

 

[Jhyrachy]

Actually i think that a VERY limited linux version would run pretty well.

The point is why should i run a so limited linux version?

 

[Joom]

Actually i think that a VERY limited linux version would run pretty well.

The point is why should i run a so limited linux version?

I agree. Something like Tiny Core Linux or TTYLinux (distributions roughly around 6 - 11 mb in size) would be optimal for the 3DS, but why even bother? There'd have to be a way to use the 3DS's peripherals, and even if that were developed, I still don't understand why anyone would want it other than just to say they have it.

 

[spotanjo3]

Someday Citra will be able to play encrypted ROMs.. Just look at previous no$gba that decrypted NDS games only. Now the encrypted NDS ROMs are playable with No$GBA.

 

[dubbz82]

Someday Citra will be able to play encrypted ROMs.. Just look at previous no$gba that decrypted NDS games only. Now the encrypted NDS ROMs are playable with No$GBA.

And that has exactly what to do with the rest of the thread?

 

[Mazamin]

Someday Citra will be able to play encrypted ROMs.. Just look at previous no$gba that decrypted NDS games only. Now the encrypted NDS ROMs are playable with No$GBA.

Well, now it's a bit different, anyway it's the same thing I hope

 

[Roboman]

you do know that the signing keys are no where on the 3ds, right ? the keys available are only for decryption, all signature would be invalid without the private signing keys in some nintendo bunker

If we can get control early enough it won't matter.
Think of signatures as a key to the lock of Nintendo's sign checks.

If we get control early enough we can just take off the whole door.

 

[FenrirWolf]

Which is more or less what we already do with existing cfw and a9lh. But being able to decrypt stuff on PC would definitely be nice.

 

[Halvorsen]

Bootromhax would be unpatchable, right? A9LH is -almost- unpatchable.

 

[Wolfvak]

I agree. Something like Tiny Core Linux or TTYLinux (distributions roughly around 6 - 11 mb in size) would be optimal for the 3DS, but why even bother? There'd have to be a way to use the 3DS's peripherals, and even if that were developed, I still don't understand why anyone would want it other than just to say they have it.

The PS2 can run Debian 5.0 + X.Org perfectly and it only had 32MB of RAM, and a slower (IMO) CPU. A properly optimized distro with a hardware accelerated TinyX + FLTK + lightweight tools would be quite speedy. Not to mention it's a portable ofc, with WiFi and all that fancy stuff that the PS2 didn't have.

 

[Joom]

The PS2 can run Debian 5.0 + X.Org perfectly and it only had 32MB of RAM, and a slower (IMO) CPU. A properly optimized distro with a hardware accelerated TinyX + FLTK + lightweight tools would be quite speedy. Not to mention it's a portable ofc, with WiFi and all that fancy stuff that the PS2 didn't have.

The reason I mentioned those distributions is because I don't particularly see Debian fitting on the 3DS NAND.

 

[Wolfvak]

The reason I mentioned those distributions is because I don't particularly see Debian fitting on the 3DS NAND.

Why would you want to run it from NAND? Just use the SD, it's ways better.

 

[Deleted member 373223]

Bootromhax would be unpatchable, right? A9LH is -almost- unpatchable.

yes, because the bootrom isn't in a partition that can receive updates.

 

[Mazamin]

yes, because the bootrom isn't in a partition that can receive updates.

Only with a new hardware revision, and it's unlikely that it will be released

 

[zoogie]

Just throwing this out there for fun: isn't a9lh a bootROM exploit itself?

I mean, the bootROM code is responsible for the FIRMX verification. a9lh exploits a flaw in this verification and tricks the bootROM into jumping to the attacker's unsigned code.

Not all bootROM exploits need to be code-takeover within the bootROM code itself, right?
(I know I'm probably mistaken somewhere. Probably the flaw is in a9loader and it jumps to the code)

 

[Bkool999]

EDIT: Disregard this, someone already asked that question...... Whoops...

Wouldn't we be able to theoretically boot up something like linux on 3ds without the system running in the background, allowing us to have more memory to work with? (And of course, I imagine that homebrew would need to be made specifically for this type of environment)

 

[shinyquagsire23]

Just throwing this out there for fun: isn't a9lh a bootROM exploit itself?

I mean, the bootROM code is responsible for the FIRMX verification. a9lh exploits a flaw in this verification and tricks the bootROM into jumping to the attacker's unsigned code.

Not all bootROM exploits need to be code-takeover within the bootROM code itself, right?
(I know I'm probably mistaken somewhere. Probably the flaw is in a9loader and it jumps to the code)

Loading code out to RAM at boot is a bootrom flaw, not a bootrom exploit though.

Also I just feel like clarifying some things, all bootrom would give is:

• Most if not all encryption keys, meaning the ability to encrypt/decrypt on PC. Also would mean being able to possibly decrypt/encrypt NAND partitions without xorpads, among other console-specific stuff.
• No signing keys, you can't sign stuff even given bootrom.
• More answers about console init and where things come from, ie what makes a console specific to itself and what ties it to it's NAND
• Possible bootrom-level exploits, which could make getting OTP easier, but no guarantees.

For the end user, it's not all that interesting, might make things a bit more painless but it mostly benefits emulation users and developers. A bootrom exploit vs k9lhax probably wouldn't be all that noticable in terms of speed.

 

[KazoWAR]

full rom decryption on your computer would be nice.