Hacking What stops us from 100% custom Firmware?

dkabot

Better With Others' Systems Than Their Own
Member
Joined
Sep 9, 2014
Messages
1,042
Trophies
0
XP
626
Country
United States
Because GW patches FIRM. Those patches might not be compatible with newer FIRMs.

The FIRM they patch in may not be compatible with the latest system files. (See N3DS 9.5 FIRM leading to 9.5 max)
 

motezazer

Well-Known Member
Member
Joined
Feb 6, 2015
Messages
1,214
Trophies
0
Age
24
XP
1,442
Country
France
Thanks for summing this up nicely. One piece is missing IMO, and I'm not sure why no one bothered bringing it up yet: There is a known hardware vulnerability which allows custom code execution while the bootrom is being run. It allows for dumping all console-unique keys and (effectively) disabling the firmware signature checks.

That said, it requires some manually crafted data to reside in RAM, and hence probably isn't useful for the "convenient" piracy most people here are looking for, I guess. It's incredibly hard to pull off in general, actually. Still, it's the only promising way to obtain all decryption keys, though.

It will NOT disable sig checks permanently.
You will NOT be able to generate private keys, only encryption keys.
 

neobrain

-
Member
Joined
Apr 25, 2014
Messages
306
Trophies
0
XP
730
Country
It will NOT disable sig checks permanently.
I didn't claim that, although I can see why you thought I was. I'll clarify my post. I mean, actually I suppose if you hooked enough hardware into the thing you could make a hardware mod prepare the RAM in the right way so that you can actually have a permanent exploit setup. I didn't say any of this was easy, just that it's likely possible in one way or another (contrary to brute-forcing keys or something stupid like that, which for all practical purposes is impossible here).

You will NOT be able to generate private keys, only encryption keys.
Didn't claim that either, and this time I'm not sure why you thought I did :P

I was merely replying to the people who have been crying for bootrom hacks, and said there is a hypothetical vulnerability. The fact that even such a vulnerability is useless for the purposes of the OPs question had been established by the post I replied to already.
 
  • Like
Reactions: Vappy

neobrain

-
Member
Joined
Apr 25, 2014
Messages
306
Trophies
0
XP
730
Country
The public bootrom flaw is VERY hard to exploit (actually nobody managed to exploit it).

Look, I'm not saying it's easy nor that the average GBAtemper will find any use for it. Just saying there is a known bootrom vulnerability, because people have been bringing that up in the beginning of this thread.

It doesn't change a dime about the usefulness of such an exploit. I don't think we actually disagree on anything :P
 
  • Like
Reactions: Margen67

motezazer

Well-Known Member
Member
Joined
Feb 6, 2015
Messages
1,214
Trophies
0
Age
24
XP
1,442
Country
France
I didn't claim that, although I can see why you thought I was. I'll clarify my post. I mean, actually I suppose if you hooked enough hardware into the thing you could make a hardware mod prepare the RAM in the right way so that you can actually have a permanent exploit setup. I didn't say any of this was easy, just that it's likely possible in one way or another (contrary to brute-forcing keys or something stupid like that, which for all practical purposes is impossible here).

It's here I disagree. As I said in my previous post:
- The critical processes run in internal CPU memories that are not hard-moddable
 
  • Like
Reactions: Margen67

jrebey

Well-Known Member
Member
Joined
Mar 12, 2015
Messages
116
Trophies
0
Age
45
XP
143
Country
United States
I have absolutely nothing to contribute to this thread except for miscellaneous info that would be quite offtopic.......

If the only chance for the FIRM Private key to be released is from Nintendo themselves.... Then consider that a definite zero chance for the key to get leaked (By their own track record). Nintendo is quite a very Japanese company, and so is hierarchy based, to the point that even key figures like Miyamoto or Reggie would have no info about it even if you interrogated them. If I remember correctly, even prototype versions of their games have never been leaked, except when it's handled by a second/third party. That's quite something. And if the FIRM KEY would get leaked they would know exactly who did it and will probably castrate that person, socially maybe even literally.....

... Or maybe a collusion of 10 to 20 people, but who the heck will collude over something that would never benefit them? It isn't feasible especially on the monetary front.


This has absolutely nothing to do with being a "very Japanese company". Key figures like Miyamoto or Reggie have absolutely ZERO reason to even need to know about it along with the rest of the employees. Like any company, you keep your digital keys secure in an offline signing server. There are likely very few people with access to the offline server and all access is audited. This is security 101.
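The two points made above (motezazer's "only encryption keys, not private keys", and the reply that the signing key lives on an offline server the device never sees) are easier to see with a toy model of how a signed, encrypted firmware image is checked. The following is an added example, not code from the thread, from Nintendo, or from any 3DS homebrew project: it uses deliberately tiny textbook RSA parameters (constructed, not the console's real 2048-bit key, and without real padding) and a SHA-256 counter keystream as a stand-in for the console's AES layer. Whoever holds the symmetric key can decrypt, read and re-encrypt the image, but a modified image still fails the signature check because producing a new signature needs the private exponent, which only exists on the signing side.

```python
import hashlib

# Toy RSA key pair. Constructed for illustration only: the primes are ~1e6,
# nothing like the console's real key, and there is no signature padding.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent: stays on the offline signing server

PUBLIC_KEY = (E, N)          # what the verifier (bootrom/FIRM loader) embeds
PRIVATE_KEY = (D, N)         # what the vendor keeps offline

# Constructed stand-in for the console-side symmetric "encryption key".
FIRM_ENC_KEY = b"constructed-demo-firm-key"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream.

    Stand-in for AES-CTR so the example runs on the stdlib; the same call
    both encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        ks = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def digest_int(data: bytes) -> int:
    """Hash the image and reduce into the RSA modulus (toy-sized, so reduce mod N)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_key) -> int:
    d, n = private_key
    return pow(digest_int(data), d, n)


def verify(data: bytes, sig: int, public_key) -> bool:
    e, n = public_key
    return pow(sig, e, n) == digest_int(data)


def build_firm(plain: bytes, enc_key: bytes, private_key):
    """Vendor side: sign the plaintext image, then encrypt it for the device."""
    return keystream_xor(enc_key, plain), sign(plain, private_key)


def bootrom_check(encrypted: bytes, sig: int, enc_key: bytes, public_key):
    """Device side: decrypt with the symmetric key, then verify with the PUBLIC key only."""
    plain = keystream_xor(enc_key, encrypted)
    return verify(plain, sig, public_key), plain


def demo():
    firm = b"FIRM v9.5 sigcheck=on  boot".ljust(64, b"\x00")   # constructed image
    enc, sig = build_firm(firm, FIRM_ENC_KEY, PRIVATE_KEY)
    genuine_ok, plain = bootrom_check(enc, sig, FIRM_ENC_KEY, PUBLIC_KEY)

    # Holding only the decryption key lets you read and rewrite the image...
    tampered = plain.replace(b"sigcheck=on ", b"sigcheck=off")
    tampered_enc = keystream_xor(FIRM_ENC_KEY, tampered)
    # ...but the old signature no longer matches, and no new one can be made without D.
    tampered_ok, _ = bootrom_check(tampered_enc, sig, FIRM_ENC_KEY, PUBLIC_KEY)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The device-side function never touches `PRIVATE_KEY`; that separation is the whole reason key-dumping exploits yield decryption keys but not the ability to sign. The toy reduces the hash modulo the tiny `N` only so it fits; a real verifier uses a full-size modulus and a padding scheme such as PKCS#1, and the concept is unchanged.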
 

WhoAmI?

PASTA's dirty animal
Member
Joined
Mar 15, 2015
Messages
1,276
Trophies
0
Location
Poké Ball
Website
lavanoid.github.io
XP
1,279
Country
I know how to disable sig checks on sysNAND!
  1. Open the console
  2. Attach lots of wet bubble gum
  3. Download 3DGum (Google it)
  4. Put it on an SD card
  5. Slap an SD card on top of the gum
  6. Put console back together
  7. Turn it on
  8. Everything boots via gum connection to the SD
You just learnt how to gum-mod your console! No need to thank me, I know I'm awesome :D

Edit: If there's a dodgy connection, just piss inside of it, directly onto the SD card - guaranteed to work. Cum might be better, since it has sticky properties.
 

Kafke

Well-Known Member
Member
Joined
Jan 2, 2009
Messages
416
Trophies
0
XP
362
Country
United States
I know how to disable sig checks on sysNAND!
  1. Open the console
  2. Attach lots of wet bubble gum
  3. Download 3DGum (Google it)
  4. Put it on an SD card
  5. Slap an SD card on top of the gum
  6. Put console back together
  7. Turn it on
  8. Everything boots via gum connection to the SD
You just learnt how to gum-mod your console! No need to thank me, I know I'm awesome :D


Edit: If there's a dodgy connection, just piss inside of it, directly onto the SD card - guaranteed to work. Cum might be better, since it has sticky properties.


FFS I literally googled "3DGum". I'm an idiot. The first three steps make it sound like it's gonna be one of those "weird but works" ideas. And then I saw: "Slap an SD card on top of the gum".
 
  • Like
Reactions: WhoAmI?

Alkéryn

Moon Dweller ~
Member
Joined
Mar 15, 2015
Messages
1,665
Trophies
1
Age
25
Location
Albategnius, Moon
XP
2,392
Country
France
It's here I disagree. As I said in my previous post :

But if we could exploit the bootrom flaw then Nintendo would not even be able to fix it with an update, and with a little program in that flaw it would be possible to patch sign check and go to the latest firmware
on sysnand
and it would be patched on boot without needing cbninja, but since it requires hardware modding and soldering it would be hard to manage
 

motezazer

Well-Known Member
Member
Joined
Feb 6, 2015
Messages
1,214
Trophies
0
Age
24
XP
1,442
Country
France
But if we could exploit the bootrom flaw then Nintendo would not even be able to fix it with an update, and with a little program in that flaw it would be possible to patch sign check and go to the latest firmware
on sysnand
and it would be patched on boot without needing cbninja, but since it requires hardware modding and soldering it would be hard to manage

You need to fill ARM9 memory with your payload before so no.
 

VashTS

Beat it, son
Member
Joined
Mar 14, 2009
Messages
4,308
Trophies
1
Age
39
Location
Upstate NY
XP
3,781
Country
United States
Even the PS3 isn't fully open yet afaik, people still need either systems on 3.55 or soldering skills and the right mods, there is no softmod available for it that runs from the latest firmware. I'm hoping the 3DS scene comes close to the psp scene of old.


True no CFW, but there is the ability to make a system backup, add cracked content, then re-encrypt it and restore. It's def hacked but it's limited.
 

WhoAmI?

PASTA's dirty animal
Member
Joined
Mar 15, 2015
Messages
1,276
Trophies
0
Location
Poké Ball
Website
lavanoid.github.io
XP
1,279
Country
Yeah I did but not everyone has gum so thinking for the community but I prefer a mod that a guy made with a rubber band and a Doritos, can't find the pic anymore


Rubber + Doritos = Should work :)

If I recall correctly, that mod was called "DoritHax"... Can't quite remember...
 
  • Like
Reactions: Alkéryn and Kafke

Alkéryn

Moon Dweller ~
Member
Joined
Mar 15, 2015
Messages
1,665
Trophies
1
Age
25
Location
Albategnius, Moon
XP
2,392
Country
France
Power off --> memory cleared

"ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized. This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing (the one who attempted+discovered it *originally* as listed in this wiki section hasn't)."

So if we soldered a chip that writes the payload to RAM at every reboot and another one that injects the fault, it would work, nuh?
 
