SPI flash

Discussion in '3DS - Homebrew Development and Emulators' started by WaterBotttle, Dec 29, 2016.

  1. WaterBotttle
    OP

    WaterBotttle GBAtemp Regular

    So during 33c3, Sighax was unveiled, which allows you to bypass the bootrom's signature checks. However, what I found most interesting was the focus put on the ability to boot from the SPI flash.

    I've been browsing 3dbrew, but the information seems very limited. So I've got a few interesting questions.

    1. When he is talking about the SPI flash, is it the flash on the wifi dongle? Or on the game card?
    2. Under what conditions does the 3DS boot from SPI flash?
    3. Is there a software method for flashing the chip?
    4. Could this be an easier hardware mod?


    LINK: https://media.ccc.de/v/33c3-8344-nintendo_hacking_2016#video&t=2868
  2. metroid maniac

    metroid maniac An idiot with an opinion

    SPI Flash = NVRAM = DS Firmware chip.

    Presumably it boots only in the case of NAND failure. You'll know once bootrom dumps go public.

    It can be written using DS software, like the old MSET exploit. May also be possible in CTR mode but I don't know what privileges it needs.

    Yes. Shorting out NAND temporarily so bootrom instead tries booting SPI flash is easier than soldering a bunch of wires to NAND.
  3. WaterBotttle
    OP

    WaterBotttle GBAtemp Regular

    I'm glad that the SPI could potentially be flashed software-wise. Do you think non-banned DS flash carts could become a useful tool?
  4. metroid maniac

    metroid maniac An idiot with an opinion

    I think so, yes. But like I said, much of this is speculation and it's hard to say what can be done while the bootrom is still private.
  5. JoshuaDoes

    JoshuaDoes Member

    1. He is talking about NVRAM as stated above.
    2. The 3DS will boot from SPI flash if FIRM0 or FIRM1 fails to boot. If the NAND is corrupt and a FIRM is found on SPI flash, chances are you're going to receive a BootROM9 error stating the NAND is corrupt instead of a successful SPI flash firmlaunch. It's for this reason that I believe SPI flash should be used for a backup stock/CFW-patched FIRM in case FIRM0 and FIRM1 fail to boot, rather than as a complete boot if NAND stops working properly.
    3. As stated above, NDS homebrew can most likely flash the chip. These could potentially be booted from a homebrew app such as TWLoader rather than requiring a DS-mode flash cart.
    4. It would possibly help you load a simplistic custom FIRM that might be able to find keys and such and dump them to your SD card, which could potentially be used to re-encrypt someone else's NAND dump; however, that's something that will have to wait until a little bit into the year (or possibly next year), and the method also will not save you from a corrupt NAND.
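To make the fallback order discussed in this thread concrete, here is a small added model (not code from the thread, from 3dbrew, or from any 3DS boot ROM) of a boot stage that walks an ordered list of FIRM candidates (FIRM0, FIRM1, then SPI flash) and accepts the first one whose integrity check passes. The candidate names, the image layout (a 32-byte tag followed by the payload), and the HMAC-based check are all constructed assumptions; the real boot ROM verifies an RSA signature, and the HMAC here only stands in for "a check the image must pass". The model does not claim to reproduce the real hardware's error behaviour (such as the BootROM9 error JoshuaDoes describes); it only shows the selection logic and the trace a defender would want when diagnosing why a particular image was or was not chosen.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed demo key; stands in for the verification key the boot ROM would hold.
DEMO_KEY = b"demo-boot-key-not-a-real-3ds-key"
TAG_LEN = 32  # SHA-256 HMAC output length


def make_image(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Build a constructed FIRM-like image: 32-byte HMAC tag followed by the payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify_image(image: bytes, key: bytes = DEMO_KEY) -> bool:
    """Stand-in integrity check: recompute the tag over the payload and compare in constant time."""
    if len(image) < TAG_LEN:
        return False  # truncated image cannot carry a valid tag
    tag, payload = image[:TAG_LEN], image[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def select_firm(candidates: List[Tuple[str, Optional[bytes]]]) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk candidates in order and return (chosen name or None, per-candidate trace).

    candidates: ordered (name, image) pairs; image is None when the source could not be read
    (e.g. NAND unreadable). The first candidate that verifies wins; if none does, the
    chain ends with no bootable FIRM, which in this model is the "NAND corrupt"-style failure.
    """
    trace: List[Tuple[str, str]] = []
    for name, image in candidates:
        if image is None:
            trace.append((name, "unreadable"))
            continue
        if verify_image(image):
            trace.append((name, "ok"))
            return name, trace
        trace.append((name, "bad-signature"))
    return None, trace


def demo_chain() -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Constructed scenario: FIRM0 tampered, FIRM1 unreadable, a good backup FIRM on SPI flash."""
    good = make_image(b"constructed backup FIRM payload")
    tampered = good[:TAG_LEN] + b"constructed TAMPERED payload"  # payload changed, tag stale
    return select_firm([("FIRM0", tampered), ("FIRM1", None), ("SPI", good)])


if __name__ == "__main__":
    chosen, trace = demo_chain()
    print("chosen:", chosen)
    for name, status in trace:
        print(f"  {name:6s} {status}")
```

The trace is the useful part for a defender: it records which stage was tried and why it was rejected, which is exactly the information a boot ROM error code compresses into one number. The `None` result models the case the thread worries about, where nothing in the chain verifies and the device cannot boot at all.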