Homebrew SigHax Updates and Discussion Thread

Searinox ("Dances" with Dragons; Member; joined Dec 16, 2007; Bucharest, Romania)
What about underclocking the CPU to increase the time window for performing the hardware exception trigger and/or undervolting/fluctuations to encourage the CPU to start making mistakes and either start leaking info, getting false-positive checks or corrupting its init til something jumps somewhere it isn't supposed to?
 

Gaming796 (Gaming since 4; Member; joined Aug 24, 2016; location: Your head; website: gbatemp.net; United States)

> What about underclocking the CPU to increase the time window for performing the hardware exception trigger and/or undervolting/fluctuations to encourage the CPU to start making mistakes and either start leaking info, getting false-positive checks or corrupting its init til something jumps somewhere it isn't supposed to?
I think I saw this sort of post before.
 

Starzcream (Well-Known Member; Newcomer; joined Feb 22, 2017; United States)
lol, it always gets released when we stop paying attention to the threads. Well, the Vita is going to get some attention from me now :-D 4 modded 3DS and one bricked one patiently waiting...
 

trainboy2019 (Well-Known Member; Member; joined Oct 6, 2015; GA, United States)
Kind of a noobish question, I'm sure a lot of people here know more about this than me, but if the boot9 physically disables access to the protected part of itself, why not remove the part of the system it uses to block it?
 

adrifcastr (Well-Known Member; OP; Member; joined Sep 12, 2016; Germany)

> Kind of a noobish question, I'm sure a lot of people here know more about this than me, but if the boot9 physically disables access to the protected part of itself, why not remove the part of the system it uses to block it?

boot9 basically disconnects from the rest of the console by switching off the pins it's connected to.
 

adrifcastr (Well-Known Member; OP; Member; joined Sep 12, 2016; Germany)

> But if it disconnects itself, it must reconnect itself at some point before the system is turned on again. Would it be possible to intercept it then?

How the ARM9 bootrom is being dumped:

ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.

Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.

This requires *very* *precise* timing for triggering the hardware fault.
 
Last edited by adrifcastr.
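The quoted explanation above comes down to an ordering problem in the boot ROM: the exception vectors live in RAM that survives reset, and the ROM only repoints them at its endless-loop stub some way into boot, so any fault taken before that store dispatches into whatever the RAM still holds. The following is an added illustration written for this thread, not code from the 3DS bootrom or from anyone in the discussion. It is a constructed C model of a small SoC whose vector table sits in on-chip RAM; the boot sequence is a list of steps, `exposure_window` counts how many steps a fault could land in untrusted memory, and the three sample orderings (a late vector fix-up, an immediate fix-up, and a hardware design where the table lives in ROM) show how large that window is in each case. All addresses, step lists and RAM contents are placeholders, and the defensive point it makes is the one the post already makes: as long as the table is in RAM, the software fix only shrinks the window to the gap before the first store; only a ROM-resident table removes it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model, not 3DS code: exception vectors are hardcoded to an
 * on-chip RAM region that is not cleared at reset, and the boot ROM repoints
 * them at a safe "endless loop" stub only at some step during boot. */

#define RAM_WORDS     32
#define VECTOR_COUNT   8            /* reset, undef, swi, pabort, dabort, ... */
#define SAFE_HANDLER  0xFFFF0100u   /* placeholder: endless-loop stub, in ROM */

typedef enum {
    STEP_OTHER,        /* clocks, memory controller, anything unrelated */
    STEP_SET_VECTORS,  /* write SAFE_HANDLER into every vector slot */
    STEP_CLEAR_RAM     /* wipe work RAM (everything after the vector table) */
} step_t;

typedef struct {
    uint32_t ram[RAM_WORDS];
    bool vectors_in_rom;  /* hardware choice: table in ROM, RAM contents irrelevant */
} soc_t;

/* Address an exception would dispatch to at this instant. */
static uint32_t exception_target(const soc_t *soc, int vector) {
    return soc->vectors_in_rom ? SAFE_HANDLER : soc->ram[vector];
}

/* True if any vector currently points somewhere other than the ROM's handler. */
static bool any_vector_untrusted(const soc_t *soc) {
    for (int v = 0; v < VECTOR_COUNT; v++)
        if (exception_target(soc, v) != SAFE_HANDLER) return true;
    return false;
}

/* Simulate the boot sequence and count the steps before which a fault would
 * dispatch into untrusted memory. That count is the exposure window. */
int exposure_window(const step_t *steps, size_t nsteps,
                    const uint32_t *stale_ram, bool vectors_in_rom) {
    soc_t soc;
    memcpy(soc.ram, stale_ram, sizeof soc.ram); /* RAM survives reset */
    soc.vectors_in_rom = vectors_in_rom;
    int window = 0;
    for (size_t i = 0; i < nsteps; i++) {
        if (any_vector_untrusted(&soc)) window++;   /* a fault here lands in RAM */
        switch (steps[i]) {
        case STEP_SET_VECTORS:
            for (int v = 0; v < VECTOR_COUNT; v++) soc.ram[v] = SAFE_HANDLER;
            break;
        case STEP_CLEAR_RAM:   /* note: clearing does NOT make the table safe */
            memset(&soc.ram[VECTOR_COUNT], 0, (RAM_WORDS - VECTOR_COUNT) * sizeof(uint32_t));
            break;
        case STEP_OTHER:
            break;
        }
    }
    return window;
}

/* Constructed leftover RAM from the previous power cycle: every vector slot
 * still points back into RAM, so an early fault executes stale data. */
static const uint32_t STALE_RAM[RAM_WORDS] = {
    [0] = 0x08000040u, [1] = 0x08000040u, [2] = 0x08000040u, [3] = 0x08000040u,
    [4] = 0x08000040u, [5] = 0x08000040u, [6] = 0x08000040u, [7] = 0x08000040u,
    [16] = 0xDEADBEEFu, [17] = 0xDEADBEEFu,
};

/* Late fix-up: three unrelated steps run before the table is written. */
static const step_t LATE_FIXUP_BOOT[] = {
    STEP_OTHER, STEP_OTHER, STEP_OTHER, STEP_SET_VECTORS, STEP_OTHER
};
/* Early fix-up: the very first step repoints the vectors, then RAM is wiped. */
static const step_t EARLY_FIXUP_BOOT[] = {
    STEP_SET_VECTORS, STEP_CLEAR_RAM, STEP_OTHER, STEP_OTHER, STEP_OTHER
};

int late_fixup_window(void)  { return exposure_window(LATE_FIXUP_BOOT, 5, STALE_RAM, false); }
int early_fixup_window(void) { return exposure_window(EARLY_FIXUP_BOOT, 5, STALE_RAM, false); }
int rom_table_window(void)   { return exposure_window(LATE_FIXUP_BOOT, 5, STALE_RAM, true); }

int main(void) {
    printf("late fix-up, table in RAM:  %d exposed steps\n", late_fixup_window());
    printf("early fix-up, table in RAM: %d exposed step(s)\n", early_fixup_window());
    printf("table in ROM:               %d exposed steps\n", rom_table_window());
    return 0;
}
```

The early fix-up still reports one exposed step: the gap between reset and the first store to the table, which no software ordering can close. Clearing RAM is modelled separately to make the second point explicit: a wipe that zeroes the vector slots leaves them pointing at address 0, which is still not the ROM handler, so "RAM is cleared on boot" alone would not have closed the window either.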

Oschara (Well-Known Member; Member; joined Jan 4, 2017; United States)

> How the ARM9 bootrom is being dumped:
>
> ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM.
>
> Since RAM isn't cleared on boot, one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized.
>
> This requires *very* *precise* timing for triggering the hardware fault.

No sticky fingers with that :)
 
Deleted User (Guest)
So, what's the deal right now?

A few questions:

Is boot9 publicly dumped, what's with the SafeSigHax installer, and anything else I missed?
 
