Homebrew The bootroms

I have a bootrom. I dumped it from 2.4 and it's pretty nifty. It took a long time to wire and get the timing to redirect the MCU to allow dumping but it was well worth it. I used 2.4 because the MCU firmware was more flexible so it was best to dump it there. Did you do the same method as I did, @blujay ?

 
Last edited by Psi-hate,
Other people with the bootrom can verify the sequence, especially the protected area at 0x8000 and up. My friend does not want to release it. But it shows the bootrom can be dumped.
 
0x8000 is the protected half fyi. And the bytes he posted are legit arm asm (not sure if it's the real deal though)

True, he's most definitely posted something which can be legitimately disassembled.

A clever programmer knows how to write assembly, though, so 0x20 bytes isn't nearly enough to judge.

As for the screenshot by Psi-hate - it appears to be valid thumb code, though again, no way to verify. There's some unknowns mixed in; I assume data. Objdump output:
/arch/ct/dkp/devkitARM/bin/arm-none-eabi-objdump -D -b binary -Mforce-thumb -marm --adjust-vma=0xfffffea0 bootrom0xfea0.bin
bootrom0xfea0.bin: file format binary


Disassembly of section .data:

fffffea0 <.data>:
fffffea0: 449c add ip, r3
fffffea2: 22a3 movs r2, #163 ; 0xa3
fffffea4: 402d ands r5, r5
fffffea6: 6797 str r7, [r2, #120] ; 0x78
fffffea8: abe2 add r3, sp, #904 ; 0x388
fffffeaa: 854c strh r4, [r1, #42] ; 0x2a
fffffeac: 5e8c ldrsh r4, [r1, r2]
fffffeae: f7c4 bf9f b.w 0xfffc4df0
fffffeb2: a64d add r6, pc, #308 ; (adr r6, 0xffffffe8)
fffffeb4: c553 stmia r5!, {r0, r1, r4, r6}
fffffeb6: 56d0 ldrsb r0, [r2, r3]
fffffeb8: a649 add r6, pc, #292 ; (adr r6, 0xffffffe0)
fffffeba: 8665 strh r5, [r4, #50] ; 0x32
fffffebc: b9d6 cbnz r6, 0xfffffef4
fffffebe: 9bfc ldr r3, [sp, #1008] ; 0x3f0
fffffec0: 614e str r6, [r1, #20]
fffffec2: 1501 asrs r1, r0, #20
fffffec4: f8e7 1d49 str??.w r1, [r7, #3401] ; 0xd49
fffffec8: 2020 movs r0, #32
fffffeca: c3bd stmia r3!, {r0, r2, r3, r4, r5, r7}
fffffecc: f2ab a67c bge.w 0x6bbc8
fffffed0: de59 udf #89 ; 0x59
fffffed2: e477 b.n 0xfffff7c4
fffffed4: 4e83 ldr r6, [pc, #524] ; (0xe4)
fffffed6: 86bf strh r7, [r7, #52] ; 0x34
fffffed8: 4ce6 ldr r4, [pc, #920] ; (0x274)
fffffeda: ddf9 ble.n 0xfffffed0
fffffedc: c1ff stmia r1!, {r0, r1, r2, r3, r4, r5, r6, r7}
fffffede: 64cb str r3, [r1, #76] ; 0x4c
fffffee0: 1247 asrs r7, r0, #9
fffffee2: 2b23 cmp r3, #35 ; 0x23
fffffee4: 30ed adds r0, #237 ; 0xed
fffffee6: eba4 59e4 sub.w r9, r4, r4, asr #23
fffffeea: 30b4 adds r0, #180 ; 0xb4
fffffeec: 286b cmp r0, #107 ; 0x6b
fffffeee: 46e2 mov sl, ip
fffffef0: ad64 add r5, sp, #400 ; 0x190
fffffef2: d8a0 bhi.n 0xfffffe36
fffffef4: a610 add r6, pc, #64 ; (adr r6, 0xffffff38)
fffffef6: 6591 str r1, [r2, #88] ; 0x58
fffffef8: 2522 movs r5, #34 ; 0x22
fffffefa: 05eb lsls r3, r5, #23
fffffefc: 2524 movs r5, #36 ; 0x24
fffffefe: 1897 adds r7, r2, r2
ffffff00: e4ac b.n 0xfffff85c
ffffff02: d925 bls.n 0xffffff50
ffffff04: 0ae5 lsrs r5, r4, #11
ffffff06: fbb5 e852 ; <UNDEFINED> instruction: 0xfbb5e852
ffffff0a: bf6a itet vs
ffffff0c: 5ae3 ldrhvs r3, [r4, r3]
ffffff0e: 2b0f cmpvc r3, #15
ffffff10: 22c3 movvs r2, #195 ; 0xc3
ffffff12: 51f5 str r5, [r6, r7]
ffffff14: b965 cbnz r5, 0xffffff30
ffffff16: d447 bmi.n 0xffffffa8
ffffff18: eac3 0b44 pkhbt fp, r3, r4, lsl #1
ffffff1c: c6de stmia r6!, {r1, r2, r3, r4, r6, r7}
ffffff1e: 872b strh r3, [r5, #56] ; 0x38
ffffff20: b7e1 ; <UNDEFINED> instruction: 0xb7e1
ffffff22: c7cb stmia r7!, {r0, r1, r3, r6, r7}
ffffff24: be7a bkpt 0x007a
ffffff26: 66f0 str r0, [r6, #108] ; 0x6c
ffffff28: 3051 adds r0, #81 ; 0x51
ffffff2a: 1439 asrs r1, r7, #16
ffffff2c: 71b0 strb r0, [r6, #6]
ffffff2e: 1cfd adds r5, r7, #3
ffffff30: 88c1 ldrh r1, [r0, #6]
ffffff32: 534c strh r4, [r1, r5]
ffffff34: 89ee ldrh r6, [r5, #14]
ffffff36: a744 add r7, pc, #272 ; (adr r7, 0x48)
ffffff38: 2c52 cmp r4, #82 ; 0x52
ffffff3a: ae30 add r6, sp, #192 ; 0xc0
ffffff3c: 1c4d adds r5, r1, #1
ffffff3e: f133 c092 blx 0xd33064
ffffff42: d279 bcs.n 0x38
ffffff44: 975b str r7, [sp, #364] ; 0x16c
ffffff46: 3c2a subs r4, #42 ; 0x2a
ffffff48: 6c8c ldr r4, [r1, #72] ; 0x48
ffffff4a: 89a0 ldrh r0, [r4, #12]
ffffff4c: eff1 558b vext.8 d21, d17, d11, #5
ffffff50: 7de9 ldrb r1, [r5, #23]
ffffff52: 141b asrs r3, r3, #16
ffffff54: 2a1c cmp r2, #28
ffffff56: a851 add r0, sp, #324 ; 0x144
ffffff58: 4e1e ldr r6, [pc, #120] ; (0xffffffd4)
ffffff5a: 6101 str r1, [r0, #16]
ffffff5c: 2f11 cmp r7, #17
ffffff5e: 0e40 lsrs r0, r0, #25
ffffff60: 86ad strh r5, [r5, #52] ; 0x34
ffffff62: 0b39 lsrs r1, r7, #12
ffffff64: f33b 7f9e ; <UNDEFINED> instruction: 0xf33b7f9e
ffffff68: aa74 add r2, sp, #464 ; 0x1d0
ffffff6a: 2c40 cmp r4, #64 ; 0x40
ffffff6c: e74b b.n 0xfffffe06
ffffff6e: 887d ldrh r5, [r7, #2]
ffffff70: f40b fe80 bl 0xffc0bc74
ffffff74: c564 stmia r5!, {r2, r5, r6}
ffffff76: 949b str r4, [sp, #620] ; 0x26c
ffffff78: 8737 strh r7, [r6, #56] ; 0x38
ffffff7a: 4c2b ldr r4, [pc, #172] ; (0x28)
ffffff7c: 9e52 ldr r6, [sp, #328] ; 0x148
ffffff7e: 07c9 lsls r1, r1, #31
ffffff80: e764 b.n 0xfffffe4c
ffffff82: b6b9 ; <UNDEFINED> instruction: 0xb6b9
ffffff84: 45d1 cmp r9, sl
ffffff86: 27e9 movs r7, #233 ; 0xe9
ffffff88: c93b ldmia r1, {r0, r1, r3, r4, r5}
ffffff8a: bfe2 ittt al
ffffff8c: 01e4 lslal r4, r4, #7
ffffff8e: d77a bvc.n 0x86 ; unpredictable <IT:al>
ffffff90: 323d addal r2, #61 ; 0x3d
ffffff92: b038 add sp, #224 ; 0xe0
ffffff94: 973e str r7, [sp, #248] ; 0xf8
ffffff96: 1bb0 subs r0, r6, r6
ffffff98: e272 b.n 0x480
ffffff9a: 4b47 ldr r3, [pc, #284] ; (0xb8)
ffffff9c: 9ab8 ldr r2, [sp, #736] ; 0x2e0
ffffff9e: 7a25 ldrb r5, [r4, #8]
ffffffa0: 122e asrs r6, r5, #8
ffffffa2: 4c4b ldr r4, [pc, #300] ; (0xd0)
ffffffa4: 13d8 asrs r0, r3, #15
ffffffa6: 200e movs r0, #14
ffffffa8: 80da strh r2, [r3, #6]
ffffffaa: b670 cpsid
ffffffac: 796b ldrb r3, [r5, #5]
ffffffae: da0d bge.n 0xffffffcc
ffffffb0: d3d6 bcc.n 0xffffff60
ffffffb2: fca9 f129 stc2 1, cr15, [r9], #164 ; 0xa4
ffffffb6: e487 b.n 0xfffff8c8
ffffffb8: 406a eors r2, r5
ffffffba: ee12 e972 mrc 9, 0, lr, cr2, cr2, {3}
ffffffbe: 7993 ldrb r3, [r2, #6]
ffffffc0: 8bc5 ldrh r5, [r0, #30]
ffffffc2: 79e4 ldrb r4, [r4, #7]
ffffffc4: fa0f 4774 ; <UNDEFINED> instruction: 0xfa0f4774
ffffffc8: 590b ldr r3, [r1, r4]
ffffffca: 3cf8 subs r4, #248 ; 0xf8
ffffffcc: 1e0d subs r5, r1, #0
ffffffce: 9fa5 ldr r7, [sp, #660] ; 0x294
ffffffd0: c473 stmia r4!, {r0, r1, r4, r5, r6}
ffffffd2: ead9 38a5 ; <UNDEFINED> instruction: 0xead938a5
ffffffd6: 8776 strh r6, [r6, #58] ; 0x3a
ffffffd8: 527c strh r4, [r7, r1]
ffffffda: 776c strb r4, [r5, #29]
ffffffdc: e532 b.n 0xfffffa44
ffffffde: 8c33 ldrh r3, [r6, #32]
ffffffe0: 2c29 cmp r4, #41 ; 0x29
ffffffe2: 1d1f adds r7, r3, #4
ffffffe4: a738 add r7, pc, #224 ; (adr r7, 0xc8)
ffffffe6: 70e3 strb r3, [r4, #3]
ffffffe8: af4e add r7, sp, #312 ; 0x138
ffffffea: 2ead cmp r6, #173 ; 0xad
ffffffec: 557f strb r7, [r7, r5]
ffffffee: a596 add r5, pc, #600 ; (adr r5, 0x248)
fffffff0: 48f5 ldr r0, [pc, #980] ; (0x3c8)
fffffff2: b375 cbz r5, 0x52
fffffff4: e436 b.n 0xfffff864
fffffff6: 913a str r1, [sp, #232] ; 0xe8
fffffff8: a1c9 add r1, pc, #804 ; (adr r1, 0x320)
fffffffa: df5a svc 90 ; 0x5a
fffffffc: 7d2d ldrb r5, [r5, #20]
fffffffe: aa0a add r2, sp, #40 ; 0x28

If anybody wants the file, I'll upload it. Every OCR tool barfed at me and I ended up typing it out and doing a printf "$(cat file)" > bin.
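The listing above was re-typed by hand and turned back into a file with printf. As an added example (not code from anyone in this thread), here is a small Python script that rebuilds the bytes from an objdump -Mforce-thumb listing and flags the transcription errors that such a process invites: address gaps or overlaps, and 4-byte lines whose first halfword is not a valid Thumb-2 32-bit prefix (or 2-byte lines that are). It also reports byte entropy, the crude plausibility check this thread keeps coming back to (0x20 bytes proves little; a claimed dump past 0x8000 that is all one value proves nothing). The sample lines are copied from the listing above; the gapped sample is constructed.

```python
import re
import struct
from math import log2

# One objdump -D line: "<addr>: <halfword> [<halfword>] <mnemonic or comment>"
LINE_RE = re.compile(r'^\s*([0-9a-f]+):\s+([0-9a-f]{4})(?:\s+([0-9a-f]{4}))?\s+(.*)$')

def is_thumb32_first_halfword(hw):
    """Thumb-2 32-bit encodings begin with a halfword whose top 5 bits are 11101/11110/11111."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)

def parse_listing(text):
    """Rebuild (base_address, bytes, warnings) from an objdump listing typed back in by hand."""
    base, expected, out, warnings = None, None, bytearray(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers like "Disassembly of section .data:"
        addr = int(m.group(1), 16)
        halfwords = [int(m.group(2), 16)] + ([int(m.group(3), 16)] if m.group(3) else [])
        if base is None:
            base = addr
        elif addr > expected:             # typed lines skipped: zero-fill so offsets stay right
            warnings.append(f"gap at {expected:#x}..{addr:#x}: {addr - expected} bytes zero-filled")
            out += b"\x00" * (addr - expected)
        elif addr < expected:             # a line typed twice or with a wrong address
            warnings.append(f"{addr:#x} overlaps previous line (expected {expected:#x}); skipped")
            continue
        if len(halfwords) == 2 and not is_thumb32_first_halfword(halfwords[0]):
            warnings.append(f"{addr:#x}: 4-byte line but {halfwords[0]:#06x} is not a Thumb-2 prefix")
        if len(halfwords) == 1 and is_thumb32_first_halfword(halfwords[0]):
            warnings.append(f"{addr:#x}: Thumb-2 prefix {halfwords[0]:#06x} has no second halfword")
        for hw in halfwords:
            out += struct.pack('<H', hw)  # halfwords are stored little-endian in memory
        expected = addr + 2 * len(halfwords)
    return base, bytes(out), warnings

def shannon_entropy(data):
    """Bits per byte; ~0 for fill bytes, ~8 for random or encrypted data, code sits in between."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * log2(c / n) for c in counts)

# Sample lines copied from the listing posted above (first nine instructions).
SAMPLE = """\
fffffea0: 449c add ip, r3
fffffea2: 22a3 movs r2, #163 ; 0xa3
fffffea4: 402d ands r5, r5
fffffea6: 6797 str r7, [r2, #120] ; 0x78
fffffea8: abe2 add r3, sp, #904 ; 0x388
fffffeaa: 854c strh r4, [r1, #42] ; 0x2a
fffffeac: 5e8c ldrsh r4, [r1, r2]
fffffeae: f7c4 bf9f b.w 0xfffc4df0
fffffeb2: a64d add r6, pc, #308 ; (adr r6, 0xffffffe8)
"""
# Constructed sample with a line missing between the two addresses.
GAPPED = "fffffea0: 449c add ip, r3\nfffffea6: 6797 str r7, [r2, #120] ; 0x78\n"

if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("GAPPED", GAPPED)):
        base, data, warns = parse_listing(text)
        print(f"{name}: base={base:#x} size={len(data)} entropy={shannon_entropy(data):.2f} warnings={warns}")
```

Run it as a script to see the report for both samples, or feed it a full listing and write `data` out with `open("bin", "wb").write(data)`.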
 
Let's leave @blujay alone. What's his is his to keep. Since he claims to have done it, the impetus is there; it's now up to us to discover it through our own means.

That said, I will remain skeptical of any claimed accomplishments, but if it has been done, then congratulations. :D

Now, the attack vectors described earlier, are so far, the most plausible entry points here. It's not a question of if we can get bootrom, anymore - we just need to get it done, describe how, and publish the requisite information.
 
Well I was trying to get a response from blujay to see if they were lying but I think we all know the truth anyway :>
 
Last edited by Psi-hate,
I plan on leaving Blujay alone but I typed this up earlier and never posted it. I thought I did lmao whoops
---------------------
*shitpost**shitpost2**shitpost3*
This is going to sound very rude, but you obviously don't know what you're talking about if someone posts code from a totally unprotected bootrom and you back him up saying "See, I'm not the only one!:tpi:" :rofl2:
THEN, not only do you make yourself look stupid, you alienate people for bashing you for not sharing something you originally said you weren't going to anyway? Seriously? (Any questions I've asked are rhetorical, by the way)

This continues to show how someone making some statement with no background or any proof can cause a whole group of people to go ape shit and derail any thread.
At least proruski is willing to show something (0x8000 code) to this community other than how much of an ass they are.

So a note for future reference: "Tis better to be silent and be thought a fool, than to speak and remove all doubt."
 
tbh, I really didn't know the public had access to the unprotected bootrom. So I thought it was real. Sorry.

Besides, I really don't care what people think of me. At least I am not trying to get others to say they are fake. Or making fun of the bootrom with star wars (though that was pretty great, kudos to whoever did that). Or attacking others without a respectful manner.
 
I'm sorry I feel you don't know what you're talking about. "unprotected bootrom" would clearly be dump-able by software without anything fancy (aside from ARM9 control), no? GodMode9 does this.
 
You know. I really don't. Shoot me for not knowing anything about bootrom. I just figured it would be a good project. And the fact that no one believes me doesn't stun me. The quiet ones never get recognition. Hell, they don't even reference the Wii U 5.5 kexploit as "MarioNumber1's", just kexploit. So please, whether I do not pay attention to the homebrew of this community because there is too much to comprehend, or not, shouldn't make me less able to solder wires. Damn.

Edit: Now realising I referenced it as the unprotected bootrom, I forgot to mention I didn't know there was an unprotected bootrom.
 
You know. I really don't. Shoot me for not knowing anything about bootrom. I just figured it would be a good project. And the fact that no one believes me doesn't stun me. The quiet ones never get recognition. Hell, they don't even reference the Wii U 5.5 kexploit as "NwPlayer's", just kexploit. So please, whether I do not pay attention to the homebrew of this community because there is too much to comprehend, or not, shouldn't make me less able to solder wires. Damn.
It's MarioNumber1's kernel exploit for Wii u
 
I feel that you're pulling something like "because nobody recognizes me nobody believes me", which is not what I'm thinking. I genuinely think you have no idea what you're talking about relating to the bootrom. The unprotected bootrom is extremely easy to dump (get GodMode9 and copy "bootrom_unp.mem" to your SD card). But you mentioned that you used hardware to dump the bootrom, so you should surely have things past 0x8000, which apparently is the protected bootrom with all the secrets.
 
Hey, don't get your feathers in a tussle @blujay :P I'm just glad to hear someone is willing to do what needs to be done to get the last few critical bytes out of the system.
That said, you should do some research, and don't be afraid to ask questions when you don't know something. There's a good chance that the community has a good understanding of the way things work.

My main motive for getting the bootrom data is archival: to allow future generations to sample the cultural impact gaming has on modern lifestyle and liveliness. People have done a lot more than just soldering a few wires to retrieve clean ROM data from arcade machines (especially those with suicide batteries and tamper protections).
 
I have hidden the bootrom in this logo only master hackers can find it GLHF

PS im not joking its hidden in there

Master hackers? More like...anyone who can use hexdump. The only thing of note here is the string 'Secrethiddennintendobootrom.hax.jpg.png.kapp.lol' cat'd to the end. Expected troll, had a laugh anyways. BTW, you misspelled :kappa:


Since you aren't aware, the gist of it is that half of both arm11 and arm9 bootroms can be read via mapped memory. The other half can't be read because a bit is set by the bootrom to disable mapping it. Attempting to read that second half triggers a fault and lockup. All of the important stuff is in that second half.

BTW, pretty sure the bootrom doesn't have a pinout being part of the SOC and all that. That's what makes people question. Keep in mind questioning doesn't mean we're all attacking ya, we're all just curious and all that.


You either work for the Internet Archive or you have a very eloquent way with words and getting around saying 'piracy.' I'm not sure if I should be impressed or not.

Anyways, I'm dropping to watch this thread now. I don't expect much. Peace.
 
Last edited by chaoskagami,

The bootrom information would be of less interest to a casual pirate, since they could just pirate pre-decrypted ROMs if necessary. Those would not be considered clean images, though, and if the piracy of "unclean" data and modified dumps continues to plague the 3DS, we could land in a scenario much like Dreamcast archival, where it's difficult to find clean, master-image GD dumps, because all of the piracy centered around Discjugglered ISOs and the MIL-CD exploit, and that one weird loader with the balloon dog.
Piracy is not always beneficial to archival, and vice versa.
 

...I actually think I see eye-to-eye with you on this one. Half of the stuff on the internet for the 3DS isn't properly dumped; the signatures aren't intact on most 3DS files, for example. Many CIA-based conversions lack the proper signature info, which, even if invalid, should not be zeroed out. The region info has also been tampered with on pretty much everything. At the very least it's not nearly as bad as the Dreamcast, but certainly the keys would stop the situation from worsening for relevance in 50+ years (or even less).

A good example I know of is Earthbound on the SNES. Most people don't know the untampered ROM has anti-copy checks everywhere, but nearly every ROM on the net has been tampered with to disable that. Sure, it makes it playable, but it isn't clean anymore.

That's part of why I dump everything myself: archival. Most of my own personal dumps are clean, and most of my own CIA-converted dumps from my carts have original headers and everything possible aside from the SD flag intact. I don't like piracy, but I do see the archival side of things. I literally have 7+TB of stuff archived (websites, etc.). I need to figure out what isn't on the IA because there's some stuff there...
 
Last edited by chaoskagami,
How did you manage to hack something of such great difficulty if you don't even know about it at all?
EDIT: Edited the image; it fits better.
 
Last edited by Aether Lion,
