ReiNAND special dump?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Syphurith, Jan 14, 2016.

  1. Syphurith
    OP

    First, thanks to Rei for this. Thanks to daxtsu for some help. Thanks for every reply.
    As you might already know, when using a nightly build of ReiNAND that supports 10.3,
    with START+X pressed you might get a file named "BootRom.bin" in your SD card root.
    The address used for dumping is the bootrom mirror, while it should already be locked out after it runs.
    If you've got something that is not full of 00s, try posting the SHA256 hash of the file, such as...
    SHA256=bc6627b02afbe8ebfbd340bfd928a9e36fbf3fc4395a881783166a46dc88e732

    I wonder if that is random memory junk (and it is likely to be). So just compare the hash.
    Don't forget to load it into IDA if possible (?), at address 0x0 or 0xFFFF0000, to see if there is any code.
    And use a hex editor to try to find keyslot 0x39 KeyX inside it, which is supposed to be set by the bootrom.
    The key itself is already shared as a spreadsheet on docs.google.com, named "3DS AES Keys".
    If found, don't hesitate to put it somewhere, or use IDA to have a look.

    EDIT: Solved. The dumped file seems to be different from console to console. Likely to be junk content. So just forget it please.
     
    Last edited by Syphurith, Jan 14, 2016
  2. zoogie

    Isn't dumping the unprotected region of bootrom not a big deal?
     
  3. Syphurith
    OP

    Well, the dumped content seems to be just junk. So I don't know if anyone has gotten a different one.
    BTW, I don't know who has ever dumped that correctly, nor do I know how to do so.
     
  4. wsquan171

    Tried twice and got an empty file both times. Tried with a JPN as well as a USA console, with the same result. BTW, where did you get that SHA256? Is it a legit value generated from a valid dump of the bootrom or just a random number?
     
  5. daxtsu

    It's the SHA256 of the junk or whatever it dumped from my N3DS.
     
  6. Shadowtrance

    Just did it on mine...32k file, not all zeros
    SHA256 - AFD7B4D5C64752ABFB305720B2D269C28E2BC67E996C0009F41B560110C8D771
     
  7. Syphurith
    OP

    Thanks for the reply. Have you ever taken a look at the binary? For example, load it with leaked IDA 6.8 at address 0xFFFF0000.
    Though I doubt that's just another junk dump.. Ha. It is said that by using precise timing hardware to inject faults you can dump so..
     
  8. Syphurith
    OP

    Got another different hash: b7d8141120d07b9550d8e65e8198b49c499f8a608cc38be4e5caf5feccbf1408
    So I could predict the dumping process actually failed, and produced random content.
    However, this could not explain why dumping again would give the same file (orz). Yeah, doesn't bother then..
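
The checks discussed in this thread (not all 00s, comparing SHA256 across consoles, looking for code at the load address), as an added example that is not part of any post. The function names, the constructed sample data, and the heuristic that code at an ARM exception-vector base begins with eight branch or `ldr pc` words are assumptions, not facts taken from the thread.

```python
import hashlib
import math
import struct
from collections import Counter

EXPECTED_SIZE = 0x8000  # 32 KiB, the file size reported in the thread

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random junk."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def vector_like_words(data: bytes) -> int:
    """Assumed heuristic: count the first 8 little-endian words that look like
    ARM vector entries (B target = 0xEAxxxxxx, LDR PC,[PC,#imm] = 0xE59FFxxx)."""
    if len(data) < 32:
        return 0
    words = struct.unpack_from("<8I", data, 0)
    return sum((w >> 24) == 0xEA or (w & 0xFFFFF000) == 0xE59FF000 for w in words)

def triage(data: bytes) -> dict:
    return {
        "size_ok": len(data) == EXPECTED_SIZE,
        "sha256": hashlib.sha256(data).hexdigest(),
        "all_zero": not any(data),
        "entropy": round(shannon_entropy(data), 3),
        "vector_words": vector_like_words(data),
    }

def group_by_hash(dumps: dict) -> dict:
    """Map sha256 -> labels. Identical contents hash identically, so dumps
    that all land in different groups point to junk (the thread's reasoning)."""
    groups = {}
    for label, data in dumps.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(label)
    return groups

def constructed_junk(seed: bytes, size: int = EXPECTED_SIZE) -> bytes:
    """Constructed stand-in for a junk dump: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                    for i in range(size // 32))

if __name__ == "__main__":
    dumps = {"console_a": constructed_junk(b"a"),   # constructed samples,
             "console_b": constructed_junk(b"b"),   # not real dumps
             "empty": bytes(EXPECTED_SIZE)}
    for label, data in dumps.items():
        print(label, triage(data))
    print(group_by_hash(dumps))
```

High entropy with no vector-like words and a hash that differs per console matches the "junk" reading; an all-zero file matches the empty dumps reported above.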