Hacking [question] What ARM11 BootROM is used for?

[Elveman]

So now we almost have an ability to dump ARM9 BootROM which leads us to sighax - ultimate flaw that can be used to run CFW on any 3DS ever. And during 33c3 derrek said that we can use sighax to dump ARM11 BootROM. So my question is, what can we use it for? Is there anything new that dumped ARM11 BootROM does allow?

 

[The Catboy]

Long version

ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.

This requires *very* *precise* timing for triggering the hardware fault.

It has been exploited by derrek to dump the ARM9 bootrom as of Summer 2015.

He did not make any Bootrom Public.

hedgeberg and Greg the 2DS are using this method to dump the arm9 Bootrom which is known as boot9

Source: Here

A thread explaining it better than I can right here

I wish I could explain it, but I really don't quite have enough knowledge to break it down.

 

[Tenshi_Okami]

IIRC it can be used to get access to keys we do not have access to, or something like that

 

[Quantumcat]

IIRC it can be used to get access to keys we do not have access to, or something like that

Can I use it to find my post office box key I lost three months ago?

 

[souler92]

it means full custom firmwares on our 3ds. linux system etc.

--------------------- MERGED ---------------------------

and hacking any firmware version console...

 

[Elveman]

Long version

Source: Here

A thread explaining it better than I can right here

I wish I could explain it, but I really don't quite have enough knowledge to break it down.

Yeah,

it means full custom firmwares on our 3ds. linux system etc.

--------------------- MERGED ---------------------------

and hacking any firmware version console...

I know about sighax, I know that dumping ARM9 bootrom allows that. I'm more interested in ARM11 bootrom. Also sighax doesn't mean "full custom firmware" - it's perfectly implementable with arm9loaderhax as well. Read here

 

[souler92]

how does one dump the bootrom . i know there arent public releases. but with some sneaky passages one could upload it and then magic finds its own way.

 

[Tenshi_Okami]

Yeah,

I know about sighax, I know that dumping ARM9 bootrom allows that. I'm more interested in ARM11 bootrom. Also sighax doesn't mean "full custom firmware" - it's perfectly implementable with arm9loaderhax as well. Read here

IIRC it can be used to get access to keys we do not have access to, or something like that

I still stand by this claim. Since I am pretty sure I saw you could dump any 3DS keys from the Boot11(think it was called)

inb4I get laughed at again

 

[munchy_cool]

Can I use it to find my post office box key I lost three months ago?

only if firmware is below 12.0.49

 

[kindacozi]

full custom firmwares

You can make "Full CFW" or "True CFW" on A9LH. It's just nobody decided to make it.

 

[munchy_cool]

read this as well

https://www.reddit.com/r/3dshacks/comments/67f6as/psa_clearing_up_some_misconceptions_about_sighax/

 

[Elveman]

I still stand by this claim. Since I am pretty sure I saw you could dump any 3DS keys from the Boot11(think it was called)

inb4I get laughed at again

Thanks for an answer. Seems interesting, especially if we could use it to de/encrypt ROMs and CIAs right on the PC