Homebrew The bootroms

[Suiginou]

This is the final frontier of 3DS security: The bootroms. Usually dubbed "bootrom", there are actually two of them: one for the ARM9 ("bootrom9") and one for the ARM11 ("bootrom11").

What we know

The lower 0x8000 bytes of each bootrom is readable and they are 0x10000 bytes each; bootrom9 is at 0xFFFF0000 and bootrom11 is at 0x00000000.

During boot, bit 0 of CFG_SYSPROT9/CFG_SYSPROT11 are set. After that, trying to read the upper 0x8000 bytes (i.e., 0xFFFF8000-0xFFFFFFFF for bootrom9 and 0x00008000-0x0000FFFF for bootrom11) causes the system to hang. It's currently unknown if this causes an exception and the CPU exception vectors infinite loop or this is some other kind of hang.

Unlike the OTP region, the bootrom locks itself. For that reason, there's no silly bypassing the bootrom security by downgrading.

The bootroms do not immediately set up the hardware exception vectors, a few cycles are available until the hardware exception vectors are changed to something the bootrom controls. Loading a payload into the top of FCRAM, rebooting the system via I2C/MCU and then causing a hardware exception would permit code execution before the bootrom locks itself. The timing for that is humanly impossible, however. Reliable and safe means of inducing a hardware exception are currently unknown. Given everything so far, this seems infeasible.

So far, the only hopes of dumping the bootroms seem to lie on a decap and then reading the bootrom off the chip. This requires relatively high amounts of money for equipment, as well as skills with handling the hardware. Since the last fundraiser for this exact purpose has ended in the money being taken and the people involved never having been heard of again, it's doubtful that this will ever happen, either.

What can be done with them

The bootroms hold the missing keys. Given that the AES key scrambler is known, physical 3DSes would no longer be required to do any sort of crypto operation, such as decrypting NCCH containers in the CCI/.3ds -> CIA conversion process or decrypting titlekeys. Decrypt9 would lose its use for any crypto-related operation.

Low-level emulators such as XDS will likely benefit from having the bootroms. Similarly, citra would no longer require a round-trip to decrypt the title to be played.

In the unlikely event that an exploit in one of the bootroms can be identified, the 3DS is fully compromised; a fix would require a new hardware revision.

 

[hobbledehoy899]

a fix would require a new hardware revision.

4DS cofirmed.

 

[runetoonxx2]

Nah handheld nx confirmed

 

[hobbledehoy899]

Nah handheld nx confirmed

NAND X?

 

[Ricken]

This is the final frontier of 3DS security: The bootroms. Usually dubbed "bootrom", there are actually two of them: one for the ARM9 ("bootrom9") and one for the ARM11 ("bootrom11").

What we know

The lower 0x8000 bytes of each bootrom is readable and they are 0x10000 bytes each; bootrom9 is at 0xFFFF0000 and bootrom11 is at 0x00000000.

During boot, bit 0 of CFG_SYSPROT9/CFG_SYSPROT11 are set. After that, trying to read the upper 0x8000 bytes (i.e., 0xFFFF8000-0xFFFFFFFF for bootrom9 and 0x00008000-0x0000FFFF for bootrom11) causes the system to hang. It's currently unknown if this causes an exception and the CPU exception vectors infinite loop or this is some other kind of hang.

Unlike the OTP region, the bootrom locks itself. For that reason, there's no silly bypassing the bootrom security by downgrading.

The bootroms do not immediately set up the hardware exception vectors, a few cycles are available until the hardware exception vectors are changed to something the bootrom controls. Loading a payload into the top of FCRAM, rebooting the system via I2C/MCU and then causing a hardware exception would permit code execution before the bootrom locks itself. The timing for that is humanly impossible, however. Reliable and safe means of inducing a hardware exception are currently unknown. Given everything so far, this seems infeasible.

So far, the only hopes of dumping the bootroms seem to lie on a decap and then reading the bootrom off the chip. This requires relatively high amounts of money for equipment, as well as skills with handling the hardware. Since the last fundraiser for this exact purpose has ended in the money being taken and the people involved never having been heard of again, it's doubtful that this will ever happen, either.

What can be done with them

The bootroms hold the missing keys. Given that the AES key scrambler is known, physical 3DSes would no longer be required to do any sort of crypto operation, such as decrypting NCCH containers in the CCI/.3ds -> CIA conversion process or decrypting titlekeys. Decrypt9 would lose its use for any crypto-related operation.

Low-level emulators such as XDS will likely benefit from having the bootroms. Similarly, citra would no longer require a round-trip to decrypt the title to be played.

In the unlikely event that an exploit in one of the bootroms can be identified, the 3DS is fully compromised; a fix would require a new hardware revision.

In other words, there can be something faster than A9LH?

Welp, gonna wait for a SafeInsertNameHereIstaller+SafeHardModInstaller (I wish)

 

[FR0ZN]

This is the final frontier of 3DS security: The bootroms. Usually dubbed "bootrom", there are actually two of them: one for the ARM9 ("bootrom9") and one for the ARM11 ("bootrom11").

The bootroms do not immediately set up the hardware exception vectors, a few cycles are available until the hardware exception vectors are changed to something the bootrom controls. Loading a payload into the top of FCRAM, rebooting the system via I2C/MCU and then causing a hardware exception would permit code execution before the bootrom locks itself. The timing for that is humanly impossible, however. Reliable and safe means of inducing a hardware exception are currently unknown. Given everything so far, this seems infeasible.

What abount underclocking the CPUs ? Thinking about the RGH on 360, the CPU gets underclocked through i2c during boot. Maybe the ARM9/11 can also be locked somewhere in hte kHz area? That would widen the timeframe by alot.

 

[Thee_BaBs]

-snip-

 

[Conn0r]

In other words, there can be something faster than A9LH?

Welp, gonna wait for a SafeInsertNameHereIstaller+SafeHardModInstaller (I wish)

I'm still waiting for kernal time machine. Kek.

 

[Pippin666]

In other words, there can be something faster than A9LH?

Welp, gonna wait for a SafeInsertNameHereIstaller+SafeHardModInstaller (I wish)

Yes, A9LH is very poorly coded anyway.

Pip'

 

[FR0ZN]

Yes, A9LH is very poorly coded anyway.

Pip'

Why do you think that?

 

[Pippin666]

Why do you think that?

by looking at the code and mostly of all the risk that is involve.

Pip'

 

[FR0ZN]

by looking at the code and mostly of all the risk that is involve.

Pip'

The "risk" is in the nature of the exploit + even if something goes south, it's not a lost device, there is always a way back and since you need a NAND dump in the first place anyway, I don't see a real risk here, only another hurdle in case something funny happens.

And what about the code? Are you talking about the installer ? Because that's not realy part of the hack. It just places crafted files in your NAND which actually trigger the exploit ... and once that is done A9LH is has proven to be the most reliable hack in the 3DS, because it works everytime 100% no matter what, due to its nature.

 

[Aurora Wright]

by looking at the code and mostly of all the risk that is involve.

Pip'

Out of curiosity, where's this bad code you talk about?

 

[TR_mahmutpek]

The end of the cfw 'es coming.
(hype)

 

[Ricken]

The end of the cfw 'es coming.
(hype)

Correction; NintyFW will BE the only non obsolete CFW

 

[jerrmy12]

The end of the cfw 'es coming.
(hype)

No, it isn't, this isn't a release or anything

 

[sirocyl]

I have a feeling it would be perfectly feasible to do an attack within the timeframe of SYSPROT9 bit 0x00, but we'd need a good feedback loop.
I propose flashing the MCU firmware, or even completely replacing the chip with a dummy clone, just an I2C bus peripheral that does the bare minimum to initialize the system, and pull the /RESET line on the SoC at the right time.
An RGH-style core slowdown wouldn't work, simply because the SoC doesn't (as far as I know) expose the registers to control CPU clocks with such fine granularity.
As for triggering the exception, three letters: NMI.

(information: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/BABBGBEC.html it's for a different chip, but the behavior should be the same for the most part.)

 

[Suiginou]

I have a feeling it would be perfectly feasible to do an attack within the timeframe of SYSPROT9 bit 0x00, but we'd need a good feedback loop.
I propose flashing the MCU firmware, or even completely replacing the chip with a dummy clone, just an I2C bus peripheral that does the bare minimum to initialize the system, and pull the /RESET line on the SoC at the right time.
An RGH-style core slowdown wouldn't work, simply because the SoC doesn't (as far as I know) expose the registers to control CPU clocks with such fine granularity.
As for triggering the exception, three letters: NMI.

(information: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/BABBGBEC.html it's for a different chip, but the behavior should be the same for the most part.)

Next up: Finding the reset line. Good luck with that, champ.

The rest sounds somewhat promising. Did you actually try this or?

 

[sirocyl]

Next up: Finding the reset line.

If theory serves right, it runs to the MCU.

Did you actually try this or?

I would love to try it, in the interests of science. I don't want to spill my life's story here, but suffice it to say, I don't have the equipment at the moment. I'm trying to find a job, and it's tough.
There's no well-equipped hackerspaces within 70 miles of here (central Long Island), either.
If anyone's local and willing to lend a hand, I can procure a busted 3DS for relatively cheap.

 

[nero99]

by looking at the code and mostly of all the risk that is involve.

Pip'

Have you even tried installing it? I have done to over 100 new 3ds systems the past 3 weeks and nothing has ever gone wrong. No bricking what so ever beside the emunand brick you're supposed to cause with 2.1.