Hacking [Realease] ReiNand Cfw

NyaakoXD · Jul 17, 2015

happydance said:
so finally n3ds got nand emulation?

Gateway already had EmuNAND work on New3DS.

hairyfairy · Jul 17, 2015

Apache Thunder said:
Err what? What does 9.6+ emunand on n3DS have to do with MSET?. There's a very obvious reason why 9.6 emunand for n3DS uses new encryption keys for arm9 binary. You have to find an exploit in arm9 (and presumably in arm11 too) to retrieve them. That or perhaps a hardware based ram dumper. But there isn't many with the skills or financial fortitude to try that.

MSET entry point is a separate issue from 9.6+ emunand on n3DS.

there's no need for keys if you can just let the n3ds arm9 loader run, then dump the decrypted RAM - all from software, no hw trickery required. there's public code

thaikhoa · Jul 17, 2015

happydance said:
so finally n3ds got nand emulation? so how do you get a cia manager installed on emunand?

ninjhax -> FBI -> install FBI CIA on sysnand -> create emunand with FBI??
or old way on injecting FBI on H&S by XOR padding the emunand so wimimage can be used and FBI can be injected on the H&S??

Install FBI/BBM/DM to Sysnand using Pasta. Format emunand will bring all those cia installers with. Load ReiNAND to enter emuNAND and profit.

Apache Thunder · Jul 17, 2015

hairyfairy said:
there's no need for keys if you can just let the n3ds arm9 loader run, then dump the decrypted RAM - all from software, no hw trickery required. there's public code

One problem with that. Arm9 is where the keys live. Arm9 ram is not accessible to anything on arm11. Aka, you can't dump decrypted arm9 ram using exploited games or exploited system menu. You have to exploit Arm9 itself. So no it won't work like that. You either have to attack the hardware, or find an exploit on 9.6+ arm9 (and by proxy arm11 too)

happydance · Jul 17, 2015

LinkmstrYT said:
Gateway already had EmuNAND work on New3DS.

actually I never own a n3ds so I was just kind of curious, never new gateway supported emunand on n3ds
maybe I worded it wrongly, I probably meant for free solution like cfw

thaikhoa said:
Install FBI/BBM/DM to Sysnand using Pasta. Format emunand will bring all those cia installers with. Load ReiNAND to enter emuNAND and profit.

that makes clears it up!, thanks!

hairyfairy · Jul 17, 2015

Apache Thunder said:
One problem with that. Arm9 is where the keys live. Arm9 ram is not accessible to anything on arm11. Aka, you can't dump decrypted arm9 ram using exploited games or exploited system menu. You have to exploit Arm9 itself. So no it won't work like that. You either have to attack the hardware, or find an exploit on 9.6+ arm9 (and by proxy arm11 too)

as i said, there's public code to do just that. you pwn arm9, you load a 9.6+ fw from sd, map it into RAM, let arm9 loader run and then return to your custom arm9 code just before the ninty firmware loads in order to dump/modify RAM.

NyaakoXD · Jul 17, 2015

happydance said:
actually I never own a n3ds so I was just kind of curious, never new gateway supported emunand on n3ds
maybe I worded it wrongly, I probably meant for free solution like cfw

Not exactly "free" either. You still need a Cubic Ninja game.

Apache Thunder · Jul 17, 2015

hairyfairy said:
as i said, there's public code to do just that. you pwn arm9, you load a 9.6+ fw from sd, map it into RAM, let arm9 loader run and then return to your custom arm9 code just before the ninty firmware loads in order to dump/modify RAM.

And how is that supposed to work? Do you have any idea how the n3DS actually works? 9.6+ Arm9 is encrypted with different keys. You can't just throw it into ram and have it load. Because old keys are still being used. You have to tell bootrom to do a hard boot to change them (and thus exploit 9.6 arm9 instead. But alas we know of no exploits for 9.6+ directly) or if you already know the keys, tell an older exploitable arm9 to change them, use the new keys to decrypt new arm9 then soft-reboot into new arm9 (and if you got this far, proceed to add patches). But that's the chicken and the egg problem. We don't know the new keys. So you can't tell the bootloader the correct keys to load the new arm9.

So you're just wasting your time. The only solution is to attack the hardware or find an exploit for new arm9 to gain the possibility of dumping the keys.

Suiginou · Jul 17, 2015

hairyfairy said:
as i said, there's public code to do just that. you pwn arm9, you load a 9.6+ fw from sd, map it into RAM, let arm9 loader run and then return to your custom arm9 code just before the ninty firmware loads in order to dump/modify RAM.

How to not keep up with the scene, doing no research and telling opinion as facts: the post: the experience: /b/ on GBAtemp: on Ice

shinyquagsire23 · Jul 17, 2015

hairyfairy said:
as i said, there's public code to do just that. you pwn arm9, you load a 9.6+ fw from sd, map it into RAM, let arm9 loader run and then return to your custom arm9 code just before the ninty firmware loads in order to dump/modify RAM.

I explained this earlier.

enigma85 · Jul 17, 2015

GBA does work sort of. As I stated in a previous post you have to have the sysnand agb patched, the gba game installed on sysnand and emunand. When you exit from the gba game it exits to sysnand. So basically if you wanna save space just use pasta atm to play gba otherwise you'll have 2 installs. I'm on a 9.0 N3DS with 9.5 emunand. I have mother 1+2, and mother 3 running on mine. Plus others but those are the only ones I play a lot lol

Unless there is an update that idk about of course.

usernametaken · Jul 17, 2015

I noticed when you boot into the Emunand that it still reads retail cards, so I decided to try the gateway blue. Launches and seems to work just fine, but it'll boot you to Sysnand when it closes.

Seems like fairly useless info, but someone might like it.

hairyfairy · Jul 17, 2015

Apache Thunder said:
We don't know the new keys. So you can't tell the bootloader the correct keys to load the new arm9.

So you're just wasting your time. The only solution is to attack the hardware or find an exploit for new arm9 to gain the possibility of dumping the keys.

where's your creativity?

you already have arm9 code execution, you can modify the arm9 loader to your likings and you know what the decrypted arm9 code looks like (more or less).

shinyquagsire23 · Jul 17, 2015

hairyfairy said:
where's your creativity? you already have arm9 code execution, you can modify the arm9 loader to your likings and you know what the decrypted arm9 code looks like (more or less).

Remind me how I'm going to decrypt the arm9 kernel if the key to do that is completely different as of 9.6, based on a part of memory completely disabled after the first boot, and also wiped as of 9.6. It's like trying to decrypt 7.x games on 4.5 without the key. You either have to boot 9.6 to have the keys initialized (and an ARM9 exploit to use them) or the key itself. Neither are likely.

hairyfairy · Jul 17, 2015

shinyquagsire23 said:
Remind me how I'm going to decrypt the arm9 kernel if the key to do that is completely different as of 9.6, based on a part of memory completely disabled after the first boot, and also wiped as of 9.6.

you seem to be questioning my understanding of the issue while i'm questioning your attack vector.

shinyquagsire23 · Jul 17, 2015

hairyfairy said:
you seem to be questioning my understanding of the issue while i'm questioning your attack vector.

The problem with your idea of an attack vector is you completely disregard the idea that some keys are only initialized once at startup from sources we cannot access. You can't redo something designed to run once, unless something stupid happens like the lack of clearing keyslot 0x11.

hairyfairy · Jul 17, 2015

shinyquagsire23 said:
The problem with your idea of an attack vector is you completely disregard the idea that some keys are only initialized once at startup from sources we cannot access. You can't redo something designed to run once, unless something stupid happens like the lack of clearing keyslot 0x11.

you're making assumptions about what you think my idea of an attack vector is

Syphurith · Jul 17, 2015

hairyfairy said:
you're making assumptions about what you think my idea of an attack vector is

Orz, you two. Happy "discussion". I know that you really like it to happen, but what you told is just "funny" for me. Sorry if i assult you.

shinyquagsire23 said:
The problem with your idea of an attack vector is you completely disregard the idea that some keys are only initialized once at startup from sources we cannot access. You can't redo something designed to run once, unless something stupid happens like the lack of clearing keyslot 0x11.

It is said that 0x11 key leaked, but i highly doubt that. Any proof for proving it fake or real, heard?
EDIT: 0x16 key get! So it is not 0x11 but 0x16, and .. maybe .. true?

Xenon Hacks · Jul 17, 2015

Syphurith said:
Orz, you two. Happy "discussion". I know that you really like it to happen, but what you told is just "funny" for me. Sorry if i assult you.

It is said that 0x11 key leaked, but i highly doubt that. Any proof for proving it fake or real, heard?

search google for ryanrocks462 twitter

srwgin · Jul 17, 2015

just find N3DS 9.5 FIRM slot0x16 keys

Hacking [Realease] ReiNand Cfw

( ͡° ͜ʖ ͡°)

Well-Known Member

Well-Known Member

I have cameras in your head!

Well-Known Member

Well-Known Member

( ͡° ͜ʖ ͡°)

I have cameras in your head!

(null)

SALT/Sm4sh Leak Guy

Well-Known Member

Well-Known Member

Well-Known Member

SALT/Sm4sh Leak Guy

Well-Known Member

SALT/Sm4sh Leak Guy

Well-Known Member

Beginner

Well-Known Member

Well-Known Member

Similar threads

Popular threads in this forum