Homebrew The bootroms

D-Waves aren't general-purpose QCs and, in particular, can neither run Shor's algorithm (irrelevant for this, but would mean instant death for the entire elliptic curve cryptosystem) nor Grover's algorithm.
So in a few years, one of these super computers will be able to rip apart ECDSA?
I had no idea about quantum computing, I thought it was just theoretical.
 
So in a few years, one of these super computers will be able to rip apart ECDSA?
I had no idea about quantum computing, I thought it was just theoretical.
D-Waves, as they are, won't be able to do jack shit about any crypto, period.

A quantum computer either dedicated to Shor's algorithm or a general-purpose QC that can run Shor's is still far, far away. I think four qubits is about the best they've managed.
 
Important news! After someone on #Cakey ripped off an MCU from a board, we discovered that there was printing on the bottom of the MCU... just 3 characters, but it has led to some interesting results. So, previous speculation said that the MCU was 8-bit; this does not seem to be the case. Rather, it seems to have a 16-bit processor with lots of 8-bit peripherals and a configuration option to have either 8 16-bit registers or 16 8-bit registers. Anyone who'd like to check up on this can look here: http://documentation.renesas.com/doc/products/mpumcu/e602095_h83217.pdf

I strongly think this is our culprit, simply repackaged specially for Nintendo... most of the chips here are 64 pin/pad and they offer a 16kB EEPROM option, which all matches the 3DS... the block diagram says it supports I2C, which the 3DS supports... everything looks like it simply matches the 3DS more so than the other MCUs.
 
Important news! After someone on #Cakey ripped off an MCU from a board, we discovered that there was printing on the bottom of the MCU... just 3 characters, but it has led to some interesting results. So, previous speculation said that the MCU was 8-bit; this does not seem to be the case. Rather, it seems to have a 16-bit processor with lots of 8-bit peripherals and a configuration option to have either 8 16-bit registers or 16 8-bit registers. Anyone who'd like to check up on this can look here: http://documentation.renesas.com/doc/products/mpumcu/e602095_h83217.pdf

I strongly think this is our culprit, simply repackaged specially for Nintendo... most of the chips here are 64 pin/pad and they offer a 16kB EEPROM option, which all matches the 3DS... the block diagram says it supports I2C, which the 3DS supports... everything looks like it simply matches the 3DS more so than the other MCUs.
So, we've pretty much got the MCU's information? Nice! I should stop by #cakey and see how stuff is going and maybe even help out a bit (with my very limited knowledge about this stuff lol)
 
I don't personally believe that it's an H8, or a derivative, but I'll see if it checks out. :)

I'm still somewhat strongly held to my convictions that it's an NEC original part (H8 is Hitachi), considering that it is very likely based on the DSi's MCU chip, which has been decapped, and from the data publicly available, identified from the copyright information in the mask as an NEC chip.
(See: https://chipworks.secure.force.com/catalog/ProductDetails?sku=NIN-BP_TWL-2 via http://4dsdev.org/thread.php?pid=559#559 )
 
Would a dev unit have bootrom access, or are devs locked out of low-level stuff too? (As far as I know, they wouldn't need it... Just userland and kernel...)
No, a dev unit wouldn't be able to access it, because the bootloader is the same for all consoles (dev or consumer), and the bootloader locks itself out before the OS boots iirc. Luma's UNITINFO patching wouldn't help here, if that's what you're thinking.
 
I'm still hopeful that underclocking the CPU still gives us a chance to undercut the bootrom locking... I'm not sure what else (if anything) could help. :/
This is the most insane thing I've ever heard, this makes no damn sense.
 
It's a fun challenge; also, this is the very last layer of security the 3DS has. I can't wait for a Decrypt9 PC app.
Bootroms.
The final frontier.

Will the hackers succeed in entering the mysterious land? Find out next time on:
THE BOOTROMS.

(I don't even know what I just wrote, halp)
 
I can see it now: a completely custom OS that looks nothing like our current home menu that simply uses the correct expected calls.
 
So um... this is just a question out of curiosity, but anyways:

What could we achieve that hasn't been done yet? Aside from decrypting straight from PC, which is useful for convenience, is there anything else we could do?
 
I don't personally believe that it's an H8, or a derivative, but I'll see if it checks out. :)

I'm still somewhat strongly held to my convictions that it's an NEC original part (H8 is Hitachi), considering that it is very likely based on the DSi's MCU chip, which has been decapped, and from the data publicly available, identified from the copyright information in the mask as an NEC chip.
(See: https://chipworks.secure.force.com/catalog/ProductDetails?sku=NIN-BP_TWL-2 via http://4dsdev.org/thread.php?pid=559#559 )

Heh, H10 is printed on the bottom of the MCU, that's how we got to that datasheet actually.
 
