Hacking So how did we get 10.3 EmuNAND support?

Jiro2

Well-Known Member
OP
Member
Joined
Mar 28, 2011
Messages
776
Trophies
0
XP
577
Country
United States
The "Clarification Thread - What is going on?" thread which describes all the recent findings specifically says that none of them allow greater than 9.5 EmuNAND on N3DS. Yet now we have Gateway providing it, and since other firmwares have it in progress this isn't something special that only Gateway has. Was there some additional exploit, on top of all the ones described in that thread, which allows N3DS EmuNAND? (And is this something that Nintendo could easily block for future firmwares just like they blocked greater than 9.5, or is it something that we'll probably still be able to have in the future, like EmuNAND on old 3DS?)
 
D

Deleted User

Guest
The "Clarification Thread - What is going on?" thread which describes all the recent findings specifically says that none of them allow greater than 9.5 EmuNAND on N3DS. Yet now we have Gateway providing it, and since other firmwares have it in progress this isn't something special that only Gateway has. Was there some additional exploit, on top of all the ones described in that thread, which allows N3DS EmuNAND? (And is this something that Nintendo could easily block for future firmwares just like they blocked greater than 9.5, or is it something that we'll probably still be able to have in the future, like EmuNAND on old 3DS?)
The exploit was likely used to find the keys using the provided algorithm that was demoed at the talk smea and company held. Nintendo can't block it again without a new hardware revision.
 

Memoir

Hi, I'm Cynical!
Member
Joined
Jun 24, 2007
Messages
10,642
Trophies
1
Location
In the Murderbox!
Website
www.twitch.tv
XP
12,068
Country
United States
The "Clarification Thread - What is going on?" thread which describes all the recent findings specifically says that none of them allow greater than 9.5 EmuNAND on N3DS. Yet now we have Gateway providing it, and since other firmwares have it in progress this isn't something special that only Gateway has. Was there some additional exploit, on top of all the ones described in that thread, which allows N3DS EmuNAND? (And is this something that Nintendo could easily block for future firmwares just like they blocked greater than 9.5, or is it something that we'll probably still be able to have in the future, like EmuNAND on old 3DS?)
1. Gateway didn't make it possible, I'll say that tight now.

2. Someone found a way to acquire the keys used to achieve 9.6+ emunand.
 

Vappy

Well-Known Member
Member
Joined
May 23, 2012
Messages
1,508
Trophies
1
XP
2,102
Country
Was there some additional exploit, on top of all the ones described in that thread, which allows N3DS EmuNAND? (And is this something that Nintendo could easily block for future firmwares just like they blocked greater than 9.5, or is it something that we'll probably still be able to have in the future, like EmuNAND on old 3DS?)
There are at least two vulnerabilities that can be used to dump the N3DS keys, they're both detailed here http://3dbrew.org/wiki/3DS_System_Flaws ("Uncleared OTP hash keydata in console-unique 0x11 key-generation" and "CFG_SYSPROT9 bit1 not set by Kernel9"), and no there is nothing Nintendo can do to fix this for any current N3DS.
 

Zidapi

Well-Known Member
Member
Joined
Dec 1, 2002
Messages
3,092
Trophies
1
Age
39
Website
Visit site
XP
2,508
Country
It's already been confirmed by devs that they obtained them by downgrading a new3DS (yes, I do mean new3DS) to firmware 2.0

Firmware 3.0 and lower didn't clear the keys, so they dumped the OTP registers which provided them with the keys they needed.

At least this is my understanding of things.

Source: various posts littered throughout the reiNAND thread.
 

bkifft

avowed Cuthwaldian
Member
Joined
Jun 10, 2010
Messages
613
Trophies
0
XP
624
Country
Gambia, The
the gateway team just annouced that it could be emunannd V10.3 ,But how to do as Nintendo soon be upgarde V10.4 .lol....
You can always update emu using the vanilla (as in no memchunk shenanigans) version of sysupdater.
 

MelonGx

Well-Known Member
Member
Joined
Jan 8, 2009
Messages
1,647
Trophies
0
XP
877
Country
China
BTW, if anyone wants to dump O3DS JPN OTP, he/she can buy a brand new New Love Plus O3DS exclusive pack (2.1.0-4J) for this, since nobody have done this thing before.

(For I know, O3DS USA/EUR OTP have already been dumped but JPN is not.)
 

shinyquagsire23

SALT/Sm4sh Leak Guy
Member
Joined
Nov 18, 2012
Messages
1,970
Trophies
0
Age
23
Location
Las Vegas
XP
3,627
Country
United States
It's already been confirmed by devs that they obtained them by downgrading a new3DS (yes, I do mean new3DS) to firmware 2.0

Firmware 3.0 and lower didn't clear the keys, so they dumped the OTP registers which provided them with the keys they needed.

At least this is my understanding of things.

Source: various posts littered throughout the reiNAND thread.
CFG_SYSPROT9 was unset before 3.0, 3.0 is the version which actually fixed the vulnerability. So the entire OTP can be dumped on any 3DS (including N3DS) at 2.x and below. There's also the fact that the SHA registers which hash OTP weren't cleared before K9L handed off to ARM9 kernel, so that makes two vulnerabilities. I executed k9lhax and exploited that one in May for my N3DS, so I personally find it easier to do this than to downgrade. It doesn't really matter which you get though, the OTP or the hash, because both give you the same result in terms of deriving keys.
 
Last edited by shinyquagsire23,
  • Like
Reactions: Zidapi and Vappy

Zidapi

Well-Known Member
Member
Joined
Dec 1, 2002
Messages
3,092
Trophies
1
Age
39
Website
Visit site
XP
2,508
Country
CFG_SYSPROT9 was unset before 3.0, 3.0 is the version which actually fixed the vulnerability. So the entire OTP can be dumped on any 3DS (including N3DS) at 2.x and below. There's also the fact that the SHA registers which hash OTP weren't cleared before K9L handed off to ARM9 kernel, so that makes two vulnerabilities. I executed k9lhax and exploited that one in May for my N3DS, so I personally find it easier to do this than to downgrade. It doesn't really matter which you get though, the OTP or the hash, because both give you the same result in terms of deriving keys.
Thank you for elaborating further on this topic.
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    The Real Jdbye @ The Real Jdbye: 🍆 +3