Hacking What was patched in 9.3 that prohibits the OoT exploit?

pokemoner2500

So I read that it only supports up to 9.2, and it doesn't require internet (from what I can tell), so why does it not work on 9.3+?
 

motezazer

Because OOT is only the entrypoint. To get full control of the console, Gateway uses 3 more flaws:
-gspwn (not corrected yet)
-memchunkhax, to gain kernel control (corrected in 9.3)
-firmlaunchhax, to take over the security processor (corrected in 9.5)

So since ONE system flaw is fixed in 9.3, it doesn't work.
 

Gadorach

Think of it this way. This game exploit is a car key, and the kernel is an engine. As it turns out, there's more than one shape of key this car will accept. With each new key we find, we can start the car in different ways.

The problem is, the car only starts because there's a flaw in the key slot, so all these odd keys are working. Nintendo got mad that the keys were working, but didn't want to make a new lock, so instead they just made the engine only start when the owner's voice was heard. As a result, though the keys themselves work, the engine won't start unless Nintendo asks it nicely first.

As long as you don't let Nintendo update your engine, the keys will always work to turn on your current engine. If you let Nintendo update your engine, the keys will still open the doors, but the engine won't start.
 

pokemoner2500

Gadorach said: (quoted above)

That actually made sense lol, ok!
 

Maximilious

Whistles a familiar tune
Gadorach said: (quoted above)


This kid's going places... in more than one way!!
 

nl255

Or more to the point. The Zelda exploit merely opens the car door. You still need another one to bypass the ignition lock and a third to bypass the engine computer lockout.
 

Gadorach

nl255 said: (quoted above)
As true as that is, the point is to follow the KISS rule. Not everyone on this forum understands the ways in which these exploits work, so making it simple, or more relatable, is the best way to get your point across. Just because something is complex in nature, doesn't mean you need to force that expanded information onto others for them to understand why it works. Plus, if you try, you'll either confuse them due to them not having the technical background, or they simply won't care enough to absorb it, rendering your effort wasted.

Those of us who get it either worked on this stuff for a long time, or we researched it as an enthusiast until our eyes bled. You can't expect the same from anyone who isn't an enthusiast.
 

tony_2018

I believe it was cubic ninja itself that got blocked, Link made an attempt to bypass security checkpoints but the big N said "nah ah bitch".
 

Gadorach

tony_2018 said: (quoted above)
Actually, the core exploit in Cubic Ninja still works just fine, even on the latest firmware. However, without access to gspwn through memchunkhax, it cannot do anything with that exploit. The same applies to the OOT entry point. They are just basic code-loaders, they can't really do anything much on their own.
 

zoogie

Firmlaunch hax is what is used to get warez to work (arm9 control) on 9.2. You need arm11 kernel (memchunk-patched in 9.3) to even reach it. The Zelda save hax is arm11 userland.

(3dbrew.org)
firmlaunch-hax: FIRM header ToCToU
This can't be exploited from ARM11 userland.
During FIRM launch, the only FIRM header the ARM9 uses at all is stored in FCRAM; this is 0x200 bytes (the actual used FIRM RSA signature is read to the Process9 stack, however). The ARM9 doesn't expect "anything" besides the ARM9 to access this data. With 9.5.0-22 the address of this FIRM header was changed from an FCRAM address to the ARM9-only address 0x01fffc00.
 
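The 3dbrew note quoted above describes a time-of-check/time-of-use bug: the secure side validates a header that sits in memory the other processor can also write, then reads fields back from that same location, so a write that lands between the check and the use goes unverified. The C below is an added example and is not 3DS, Gateway or 3dbrew code; the header layout, field names, addresses and the FNV-1a digest standing in for the RSA signature check are all constructed for illustration. It shows the check-in-place flow being hijacked, then the same flow made safe by validating a private copy, which is the effect of moving the header into memory only one side can reach.

```c
/*
 * Constructed illustration of a check-then-use (TOCTOU) bug on a header
 * that lives in memory another processor can write, beside the fix of
 * validating a private copy. Not 3DS/Process9 code: the layout, sizes,
 * addresses and the "signature" check (a stand-in hash, not RSA) are
 * all made up for the example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_SIZE 0x200u

/* Made-up header layout: 12 bytes of fields, padded to HDR_SIZE. */
typedef struct {
    uint32_t magic;
    uint32_t entry_a;            /* entry point for one processor */
    uint32_t entry_b;            /* entry point the "secure" side jumps to */
    uint8_t  pad[HDR_SIZE - 12];
} hdr_t;

/* Stands in for the shared RAM region both sides can access. */
static hdr_t shared_ram;

/* FNV-1a over the whole header: placeholder for the real signature check. */
static uint64_t digest(const hdr_t *h) {
    const uint8_t *p = (const uint8_t *)h;
    uint64_t x = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < sizeof *h; i++) {
        x ^= p[i];
        x *= 0x100000001b3ull;
    }
    return x;
}

/* Write a legitimate header into shared RAM and return its trusted digest. */
uint64_t install_header(uint32_t entry_b) {
    memset(&shared_ram, 0, sizeof shared_ram);
    shared_ram.magic   = 0x4D524946u;   /* arbitrary tag, constructed */
    shared_ram.entry_a = 0x00100000u;   /* constructed address */
    shared_ram.entry_b = entry_b;
    return digest(&shared_ram);
}

/* The other side overwriting one field after the check has passed. */
static void other_side_patches(uint32_t new_entry_b) {
    shared_ram.entry_b = new_entry_b;
}

/* Vulnerable flow: verify the header where it sits, then read fields from
 * the same shared location. The race window is modelled as an explicit call. */
uint32_t launch_vulnerable(uint64_t trusted, uint32_t hijack_entry) {
    if (digest(&shared_ram) != trusted)
        return 0;                        /* reject: bad "signature" */
    other_side_patches(hijack_entry);    /* lands between check and use */
    return shared_ram.entry_b;           /* jumps to the attacker's value */
}

/* Hardened flow: copy into memory only this side can reach, then check and
 * use the copy. Same effect as keeping the header in private memory. */
uint32_t launch_hardened(uint64_t trusted, uint32_t hijack_entry) {
    hdr_t priv;
    memcpy(&priv, &shared_ram, sizeof priv);
    if (digest(&priv) != trusted)
        return 0;
    other_side_patches(hijack_entry);    /* too late: shared_ram is never read again */
    return priv.entry_b;
}

int main(void) {
    uint64_t t = install_header(0x00200000u);
    printf("vulnerable jumps to 0x%08x\n", (unsigned)launch_vulnerable(t, 0x41414140u));
    install_header(0x00200000u);
    printf("hardened   jumps to 0x%08x\n", (unsigned)launch_hardened(t, 0x41414140u));
    return 0;
}
```

The vulnerable path accepts the header and then jumps to whatever the other side wrote afterwards; the hardened path reads every field from the copy it verified, so a late write to the shared region changes nothing.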

Gadorach

zoogie said: (quoted above)
Which is totally accurate, but again, the OP won't understand it. Just dumping intensive information on a person that's not regularly part of the scene isn't going to get you anywhere with them. As far as information is concerned, and questions answered, this thread has been resolved already. No point in dumping programmer-specific information on a novice; it's the same as telling a cat how to cook a hamburger. The cat might like the result, but it certainly won't understand the process you took to get there.
 
