Because GW patches FIRM. Those patches might not be compatible with newer FIRMs.
The FIRM they patch in may not be compatible with the latest system files. (See N3DS 9.5 FIRM leading to 9.5 max)
Thanks for summing this up nicely. One piece is missing IMO, and I'm not sure why no one bothered bringing it up yet: there is a known hardware vulnerability which allows custom code execution while the bootrom is being run. It allows for dumping all console-unique keys and (effectively) disabling the firmware signature checks.
That said, it requires some manually crafted data to reside in RAM, and hence probably isn't useful for the "convenient" piracy most people here are looking for, I guess. It's incredibly hard to pull off in general, actually. Still, it's the only promising way to obtain all decryption keys, though.
I didn't claim that, although I can see why you thought I was. I'll clarify my post. I mean, actually I suppose if you hooked enough hardware into the thing you could make a hardware mod prepare the RAM in the right way so that you can actually have a permanent exploit setup. I didn't say any of this was easy, just that it's likely possible in one way or another (contrary to brute-forcing keys or something stupid like that, which for all practical purposes is impossible here).
It will NOT disable sig checks permanently.
Didn't claim that either, and this time I'm not sure why you thought I did.
You will NOT be able to generate private keys, only encryption keys.
The public bootrom flaw is VERY hard to exploit (actually nobody managed to exploit it).
- The critical processes run in internal CPU memories that are not hard-moddable
I have absolutely nothing to contribute to this thread except for miscellaneous info that would be quite off-topic...
If the only chance for the FIRM private key to be released is from Nintendo themselves... then consider that a definite zero chance for the key to get leaked (by their own track record). Nintendo is a very Japanese company, and so is hierarchy based, to the point that even key figures like Miyamoto or Reggie would have no info about it even if you interrogated them. If I remember correctly, even prototype versions of their games have never been leaked, except when handled by a second/third party. That's quite something. And if the FIRM key did get leaked they would know exactly who did it and would probably castrate that person, socially and maybe even literally...
... Or maybe a collusion of 10 to 20 people, but who the heck will collude over something that would never benefit them? It isn't feasible especially on the monetary front.
I know how to disable sig checks on sysNAND!
You just learnt how to gum-mod your console! No need to thank me, I know I'm awesome
- Open the console
- Attach lots of wet bubble gum
- Download 3DGum (Google it)
- Put it on an SD card
- Slap an SD card on top of the gum
- Put console back together
- Turn it on
- Everything boots via gum connection to the SD
Edit: If there's a dodgy connection, just piss inside of it, directly onto the SD card - guaranteed to work. Cum might be better, since it has sticky properties.
FFS I literally googled "3DGum". I'm an idiot. The first three steps make it sound like it's gonna be one of those "weird but works" ideas. And then I saw: "Slap an SD card on top of the gum".
It's here I disagree. As I said in my previous post:
But if we could exploit the bootrom flaw then Nintendo would not even be able to fix it with an update, and with a little program in that flaw it would be possible to patch the sig check and go to the latest firmware on sysNAND, and it would be patched on boot without needing cbninja. But since it requires hardware modding and soldering it would be hard to manage.
You need to fill ARM9 memory with your payload before so no.
So would it be possible to at least fill the memory with the payload, then update the system, and finally launch this payload at boot (and/or manually) to install an exploit that we still need to find?
Or, just follow my 3D-Gum tutorial
Even the PS3 isn't fully open yet afaik, people still need either systems on 3.55 or soldering skills and the right mods, there is no softmod available for it that runs from the latest firmware. I'm hoping the 3DS scene comes close to the psp scene of old.
Yeah I did, but not everyone has gum, so I'm thinking for the community. But I prefer a mod that a guy made with a rubber band and a Doritos chip; I can't find the pic anymore.
Power off --> memory cleared
"ARM9's and ARM11's exception vectors are hardcoded to point at the CPU's internal memory (0x08000000 region for ARM9, AXIWRAM for ARM11). While the bootrom does set them up to point to an endless loop at some point during boot, it does not do so immediately. As such, a carefully-timed fault injection (via hardware) to trigger an exception (such as an invalid instruction) will cause execution to fall into ARM9 RAM. Since RAM isn't cleared on boot (see below), one can immediately start execution of their own code here to dump bootrom, OTP, etc. The ARM9 bootrom does the following at reset: reset vector branches to another instruction, then branches to bootrom+0x8000. Hence, there's no way to know for certain when exactly the ARM9 exception-vector data stored in memory gets initialized. This requires *very* *precise* timing for triggering the hardware fault: it's unknown if anyone actually exploited this successfully at the time of writing (the one who attempted+discovered it *originally* as listed in this wiki section hasn't)."