So how did we get 10.3 EmuNAND support?

Discussion in '3DS - Flashcards & Custom Firmwares' started by Jiro2, Jan 15, 2016.

  1. Jiro2, GBAtemp Advanced Fan (OP)
    The "Clarification Thread - What is going on?" thread which describes all the recent findings specifically says that none of them allow greater than 9.5 EmuNAND on N3DS. Yet now we have Gateway providing it, and since other firmwares have it in progress this isn't something special that only Gateway has. Was there some additional exploit, on top of all the ones described in that thread, which allows N3DS EmuNAND? (And is this something that Nintendo could easily block for future firmwares just like they blocked greater than 9.5, or is it something that we'll probably still be able to have in the future, like EmuNAND on old 3DS?)
     
  2. GotKrypto67, That one PHP guy
    The exploit was likely used to find the keys using the provided algorithm that was demoed at the talk smea and company held. Nintendo can't block it again without a new hardware revision.
     
  3. Memoir, A Hero to Zero
    1. Gateway didn't make it possible, I'll say that right now.

    2. Someone found a way to acquire the keys used to achieve 9.6+ emunand.
     
  4. Vappy, GBAtemp Advanced Maniac
    There are at least two vulnerabilities that can be used to dump the N3DS keys, they're both detailed here http://3dbrew.org/wiki/3DS_System_Flaws ("Uncleared OTP hash keydata in console-unique 0x11 key-generation" and "CFG_SYSPROT9 bit1 not set by Kernel9"), and no there is nothing Nintendo can do to fix this for any current N3DS.
     
  5. Zidapi, GBAtemp Addict
    It's already been confirmed by devs that they obtained them by downgrading a new3DS (yes, I do mean new3DS) to firmware 2.0

    Firmware 3.0 and lower didn't clear the keys, so they dumped the OTP registers which provided them with the keys they needed.

    At least this is my understanding of things.

    Source: various posts littered throughout the reiNAND thread.
     
  6. Kibido, GBAtemp Advanced Fan
    I didn't understand jack shit of what you guys just said, but anyways...

    wohoo emu 10.3! ⸜₍๑•⌔•๑ ₎⸝
     
  7. Thirty3Three, Musician Member
    Introducing...
    The New NEW Nintendo 3DS!
     
  8. bkifft, avowed Cuthwaldian
    You can always update emu using the vanilla (as in no memchunk shenanigans) version of sysupdater.
     
  9. MelonGx, GBAtemp Advanced Maniac
    BTW, if anyone wants to dump O3DS JPN OTP, he/she can buy a brand new New Love Plus O3DS exclusive pack (2.1.0-4J) for this, since nobody has done this before.

    (As far as I know, O3DS USA/EUR OTP has already been dumped but JPN has not.)
     
  10. shinyquagsire23, SALT/Sm4sh Leak Guy
    CFG_SYSPROT9 was unset before 3.0, 3.0 is the version which actually fixed the vulnerability. So the entire OTP can be dumped on any 3DS (including N3DS) at 2.x and below. There's also the fact that the SHA registers which hash OTP weren't cleared before K9L handed off to ARM9 kernel, so that makes two vulnerabilities. I executed k9lhax and exploited that one in May for my N3DS, so I personally find it easier to do this than to downgrade. It doesn't really matter which you get though, the OTP or the hash, because both give you the same result in terms of deriving keys.
     
    Last edited by shinyquagsire23, Jan 16, 2016
  11. Zidapi, GBAtemp Addict
    Thank you for elaborating further on this topic.