Homebrew: The bootroms

  • Thread starter: Suiginou
  • Views: 52,338
  • Replies: 307
  • Likes: 39
How did you manage to hack something of such great difficulty if you don't even know about it at all?
EDIT: Edited the image; it fits better.
OK, this isn't getting us anywhere, if he has it, he has it and we have no clue if it's real or not. Attacking him like this isn't going to make him any more likely to release it if he really has it, so how about we put this to bed, m'kay?
 
> OK, this isn't getting us anywhere, if he has it, he has it and we have no clue if it's real or not. Attacking him like this isn't going to make him any more likely to release it if he really has it, so how about we put this to bed, m'kay?
Alright, agreed.
I just hate when people stir up a community of people for no reason. It's pointless.
 
I haz bootrom! Look!

[image: WY09C5.png]

Ok... I'll stop trolling now xD
 
So somehow a collective effort to find something that would be quite useful has devolved into bad memes. I wish that I was surprised.

Things just ground to a halt when people learned that whilst a decrypted bootrom exists, the ones that are able to figure it out are not willing to share it. So could we get back on topic? If they figured it out, why can't we?
 
> So somehow a collective effort to find something that would be quite useful has devolved into bad memes. I wish that I was surprised.
>
> Things just ground to a halt when people learned that whilst a decrypted bootrom exists, the ones that are able to figure it out are not willing to share it. So could we get back on topic? If they figured it out, why can't we?

I wake up and I see this thread has devolved into a memetrollfest. I'm just as disappointed as you.

Anyone want specific pictures of something? I can take apart my 3DS in two hours. What do y'all need?

The 3DS has really already been heavily gutted and pictures are taken of nigh everything. Aside from ripping off components and seeing what's under them (and if I understand properly, that's been done too) so there's not really anything new to take a photo of. If you find something that's not documented on https://www.3dbrew.org/wiki/Hardware, then by all means, take a picture.
 
What we need in the short term are the "remaining keys" referenced in the OP so we don't need the 3DS anymore to decrypt/encrypt; as everyone knows, the keyscrambler function was reverse-engineered a while ago.
 
People need to stop trying to tout decapping as an end-all solution. The 3DS isn't some 20 year old device that uses 60nm gates and is a single layer that can be observed with a high definition optical microscope. By the release date, it is likely 14nm or 20nm. It likely has 8-12 metal layers (each layer is about 1-2nm thick). You likely need an electron microscope to get the right resolution to read the gates. So even if you have the $20,000+ to access the right equipment, good luck finding the right technician! Most people with the skills to do this work for one of the couple large companies that do IP reverse engineering--they've likely spent years learning the right skills and developing the right recipes to each metal layer. The reason you haven't seen a high-def image of any modern chip is because it is very hard to do. Honestly, if you're going to get the bootrom, it'll be magnitudes easier to do with sw or hw attack rather than decapping.
 
> People need to stop trying to tout decapping as an end-all solution. The 3DS isn't some 20 year old device that uses 60nm gates and is a single layer that can be observed with a high definition optical microscope. By the release date, it is likely 14nm or 20nm. It likely has 8-12 metal layers (each layer is about 1-2nm thick). You likely need an electron microscope to get the right resolution to read the gates. So even if you have the $20,000+ to access the right equipment, good luck finding the right technician! Most people with the skills to do this work for one of the couple large companies that do IP reverse engineering--they've likely spent years learning the right skills and developing the right recipes to each metal layer. The reason you haven't seen a high-def image of any modern chip is because it is very hard to do. Honestly, if you're going to get the bootrom, it'll be magnitudes easier to do with sw or hw attack rather than decapping.
You say that like there's a feasible way to get code exec. The only thing we have control over that bootrom uses is the NAND, and there it bothers with signature checks first. There's nothing to overflow, use after free and the like aren't a thing without actually allocating memory.

The timing exploit is effectively infeasible, too. Hardware at least sounds feasible to those who have no idea about hardware and can just leave it to the hardware guys.
 
> People need to stop trying to tout decapping as an end-all solution. The 3DS isn't some 20 year old device that uses 60nm gates and is a single layer that can be observed with a high definition optical microscope. By the release date, it is likely 14nm or 20nm. It likely has 8-12 metal layers (each layer is about 1-2nm thick). You likely need an electron microscope to get the right resolution to read the gates. So even if you have the $20,000+ to access the right equipment, good luck finding the right technician! Most people with the skills to do this work for one of the couple large companies that do IP reverse engineering--they've likely spent years learning the right skills and developing the right recipes to each metal layer. The reason you haven't seen a high-def image of any modern chip is because it is very hard to do. Honestly, if you're going to get the bootrom, it'll be magnitudes easier to do with sw or hw attack rather than decapping.
http://gaasedelen.blogspot.co.uk/2014/03/depackaging-nintendo-3ds-cpu.html This guy made the beginnings of an effort using college equipment. Says the chip uses 45nm with probably 10 layers. Never followed up with any more though.
 
> People need to stop trying to tout decapping as an end-all solution. The 3DS isn't some 20 year old device that uses 60nm gates and is a single layer that can be observed with a high definition optical microscope. By the release date, it is likely 14nm or 20nm. It likely has 8-12 metal layers (each layer is about 1-2nm thick). You likely need an electron microscope to get the right resolution to read the gates. So even if you have the $20,000+ to access the right equipment, good luck finding the right technician! Most people with the skills to do this work for one of the couple large companies that do IP reverse engineering--they've likely spent years learning the right skills and developing the right recipes to each metal layer. The reason you haven't seen a high-def image of any modern chip is because it is very hard to do. Honestly, if you're going to get the bootrom, it'll be magnitudes easier to do with sw or hw attack rather than decapping.

Honestly, I've never seen decaps lead to anything with modern hardware. People did it with at least the PSP, the DSi, and the Vita (josh_axey, I think?) Point is, decapping makes pretty pictures but isn't terribly useful for anyone. It also requires some seriously specialized equipment to do properly. Not to mention that interpreting the circuitry and finding possible flaws is VERY hard and even then, likely needs software to exploit.

yifan_lu knows where it's at.
 
Last edited by chaoskagami,
There are well documented reports, x-rays and die photos online. Prices around $950 according to the CPU (CTR_A, CTR_B). But as yifan_lu has said, they are not that useful.
 
> http://gaasedelen.blogspot.co.uk/2014/03/depackaging-nintendo-3ds-cpu.html This guy made the beginnings of an effort using college equipment. Says the chip uses 45nm with probably 10 layers. Never followed up with any more though.
45nm? That might allow for optical reading but everything else I've said still applies. Also Zonenberg is an expert so if you have access to him, by all means go ahead ;) I personally would love to work with him. But honestly, sw/hw hacks may seem difficult but all it requires is the right hypothesis (that's really all hacking is: you have a hypothesis like "I think there is a buffer overflow in this code" and you find a way to test it "What if I change the size field?"). Decapping requires a shitload of money, years of experience, tons of trial and error, access to a lab/equipment, and knowledge that is only found in few places--most of which are behind patent walls.
 
It proves it CAN be done, and nobody wants to test with MCU because MCU hax can and will brick if you fuck up.

Well if anyone wants to come up with something that makes sense to test I wouldn't mind destroying 4-5 2DS' .... they come cheap you know.
 
Nice to see this thread devolve into retardation after being brought from the pits of hell with a possible amazing discovery.

#Cakey should have kept it private seemingly.

In my opinion private info hasn't helped any scene, ever. Any information is important because the more people that have it - even if useless on its own - will increase the chance of someone finding something. The 3DS has only come so far because pretty much all the devs here seem to like open source. On the opposite, the Vita is basically dead due to lack of documentation and all these 'private exploits.'

Anyways, I need to lurk #cakey.
 