Why can't the ARM9 be hacked when running an Original DS game?

Discussion in '3DS - Homebrew Development and Emulators' started by dotqurter_, Oct 21, 2016.

  1. dotqurter_ (OP), Advanced Member, Newcomer, United States
    My question is: if the ARM9 is used for backwards compatibility when loading original DS/DSi games (this is what I understand from the FIRM page on 3dbrew, and a few other websites), why can't a stack/buffer overflow from the original games trigger a stack/buffer overflow in the ARM9, allowing it to be exploited for some homebrew on N3DS/O3DS on >11.1.0?

    I'm just throwing that out there as a question, to see if anyone else has thought of that. If so, could someone explain why this couldn't work? I mean, if the ARM9 > ARM11, a stack/buffer overflow on the ARM9 should show at least some type of way to abuse it (maybe even to install unsigned .cia or do a downgrade to it).
     
  2. Mikemk, GBAtemp Advanced Maniac, Member, United States
    It was at one point in time; it was called MSET. It's been patched. Now all you can crash is yourself, and DS mode doesn't have SD access.
    If we can find a way to run DSi homebrew from a flashcart, we can get free DSi downgrading though.
     
  3. metroid maniac, An idiot with an opinion, Member
    You can run code on the ARM9, but all the interesting hardware has been turned off and can't be turned on without a reboot.

    You don't need to exploit anything if you're using a flashcart. You're just plain running ARM9 code.

    We already use that kind of "exploit" for the DSiWare downgrade.
    When DSiWare runs it has complete access to the system NAND. All the interesting keys are already gone from memory though, so it's the same as if you had a hardmod: encrypted, and impossible to read sensible data from it.
    However, if you know which FIRM version is installed to the FIRM partition, you can deduce the keystream (xorpad) that decrypts/encrypts it, and can put your own older FIRM in there.
    Usually the system menu checks that the FIRM matches the version of the rest of the system, but for 11.1/11.0 > 10.4 they forgot. So you can then go ahead and downgrade to 9.2 with an ARM11 exploit.
    This only works from DSiWare, not a TWL or NTR cartridge. In those cases, all the cool hardware has been disabled.
     
    Last edited by metroid maniac, Oct 21, 2016
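The FIRM-partition trick in the post above is a known-plaintext attack on a stream-style cipher: the partition is plaintext XOR keystream, so knowing which FIRM image is installed gives you the keystream (xorpad), and XORing that pad with an older image produces ciphertext the console will happily decrypt. The C below is an added example, not code from the thread or from any 3DS tool; the keystream generator is a stand-in xorshift PRNG (an assumption, the real NAND crypto is AES-CTR, but the XOR algebra is identical), the key and both FIRM images are constructed bytes, and the function names are hypothetical. It also shows the failure mode a practitioner cares about: guess the wrong installed version and the forged partition decrypts to garbage.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIRM_LEN 32  /* toy partition size in bytes (constructed) */

/* Stand-in keystream generator: xorshift64 seeded from the key.
 * ASSUMPTION: this is NOT the console's real AES-CTR, only a stand-in with
 * the same property that encryption and decryption are both XOR with the pad. */
static void keystream(uint64_t key, uint8_t *out, size_t n)
{
    uint64_t s = key ? key : 1;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        out[i] = (uint8_t)(s >> 56);
    }
}

/* What the console does with the partition; the same call encrypts and decrypts. */
static void console_crypt(uint64_t key, const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t ks[FIRM_LEN];
    keystream(key, ks, n);
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ ks[i];
}

/* Attacker side: no key at all, only a NAND dump plus the plaintext of the
 * FIRM version believed to be installed. pad = plaintext XOR ciphertext. */
void recover_xorpad(const uint8_t *known_plain, const uint8_t *cipher,
                    uint8_t *xorpad, size_t n)
{
    for (size_t i = 0; i < n; i++) xorpad[i] = known_plain[i] ^ cipher[i];
}

/* Re-encrypt a different image with the recovered pad; this is what gets written back. */
void forge_ciphertext(const uint8_t *xorpad, const uint8_t *new_plain,
                      uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) out[i] = xorpad[i] ^ new_plain[i];
}

/* Constructed stand-ins for "the FIRM that is installed" and "the older FIRM we want". */
static void make_images(uint8_t *installed, uint8_t *older)
{
    for (size_t i = 0; i < FIRM_LEN; i++) {
        installed[i] = (uint8_t)(0xA0 + i);
        older[i]     = (uint8_t)(0x10 + 3 * i);
    }
}

/* Full flow with a correct guess of the installed version.
 * Returns 1 if the console decrypts the forged partition to the older image. */
int demo_firm_swap(void)
{
    const uint64_t secret_key = 0x0123456789ABCDEFULL;  /* constructed; never seen by the attacker */
    uint8_t installed[FIRM_LEN], older[FIRM_LEN];
    uint8_t nand_cipher[FIRM_LEN], xorpad[FIRM_LEN], forged[FIRM_LEN], decrypted[FIRM_LEN];

    make_images(installed, older);
    console_crypt(secret_key, installed, nand_cipher, FIRM_LEN);  /* what the NAND dump contains */
    recover_xorpad(installed, nand_cipher, xorpad, FIRM_LEN);     /* known version -> known pad */
    forge_ciphertext(xorpad, older, forged, FIRM_LEN);            /* write this to the partition */
    console_crypt(secret_key, forged, decrypted, FIRM_LEN);       /* console boots and decrypts */
    return memcmp(decrypted, older, FIRM_LEN) == 0;
}

/* Same flow, but the attacker guesses the wrong installed version (one byte off).
 * Returns 1 if the result is NOT the intended image, i.e. a guaranteed bad flash. */
int demo_wrong_version_guess(void)
{
    const uint64_t secret_key = 0x0123456789ABCDEFULL;
    uint8_t installed[FIRM_LEN], older[FIRM_LEN], wrong_guess[FIRM_LEN];
    uint8_t nand_cipher[FIRM_LEN], xorpad[FIRM_LEN], forged[FIRM_LEN], decrypted[FIRM_LEN];

    make_images(installed, older);
    memcpy(wrong_guess, installed, FIRM_LEN);
    wrong_guess[0] ^= 0x01;                                       /* wrong version: plaintext differs */
    console_crypt(secret_key, installed, nand_cipher, FIRM_LEN);
    recover_xorpad(wrong_guess, nand_cipher, xorpad, FIRM_LEN);   /* pad is wrong wherever plaintext differed */
    forge_ciphertext(xorpad, older, forged, FIRM_LEN);
    console_crypt(secret_key, forged, decrypted, FIRM_LEN);
    return memcmp(decrypted, older, FIRM_LEN) != 0;
}

int main(void)
{
    printf("correct guess: %s\n", demo_firm_swap() ? "older FIRM decrypts cleanly" : "FAILED");
    printf("wrong guess:   %s\n", demo_wrong_version_guess() ? "garbage written, would not boot" : "unexpectedly fine");
    return 0;
}
```

The pad is only as good as the plaintext guess: every byte where the assumed image differs from what is really installed produces a wrong pad byte and therefore a wrong byte in the flashed FIRM, which is why the real procedure checks the installed version first.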
  4. metroid maniac, An idiot with an opinion, Member
    The MSET exploit didn't run in DS mode.

    Also, it's unlikely. I'm not aware of any TWL cartridge games that have permission to use the internal NAND, so that hardware would be disabled.
     
  5. Mikemk, GBAtemp Advanced Maniac, Member, United States
    It was installed in DS mode.
     
  6. metroid maniac, An idiot with an opinion, Member
    But it wasn't executed in DS mode, which is what OP wants to know about.
     
  7. dotqurter_ (OP), Advanced Member, Newcomer, United States
    So, technically it IS possible to downgrade the firmware to at least 10.x.xx (and then from 10.x downwards) using a method from the current 11.1.0-34U (I am running an 11.1.0-33U, using menuhax and stock homebrew, on O3DS. If you must know, it's a USA model) using DSiWare?
    I would just enjoy some way to downgrade my firmware far enough to use bbm (bigbluemenu) or some other custom firmware (and A9LH), without spending $65+ for a possibly bricked direct downgrade from 11.1.0-33U (or whatever) to 9.5.x-xx.
     
    Last edited by dotqurter_, Oct 22, 2016
  8. Shadow#1, Wii & 3DS Softmod Expert, Member, United States
    bbm (bigbluemenu) isn't a CFW; it is a tool from the SDK to install CIAs.
     
  9. Mikemk, GBAtemp Advanced Maniac, Member, United States
    No, you need another 3DS with A9LH already, install the DSiWare hax on it, then system transfer the hack to the new 3DS.
     
  10. dotqurter_ (OP), Advanced Member, Newcomer, United States
    OK. I'm installing Luma CFW on it right now, brb.

    (Using the .3dsx method, then using the modified boot.3dsx for menuhax)
     
  11. Mikemk, GBAtemp Advanced Maniac, Member, United States
    Has to be the A9LH method.
     
  12. dotqurter_ (OP), Advanced Member, Newcomer, United States
    OK, I noticed it when it refused to launch.
    I'm going to check out the A9LH 3DSes right now.

    (Dang it, Nintendo, why does the easy stuff have to be broken by you all the time?)
     
  13. Roomsaver, GBAtemp Advanced Fan, Member, United States
    If you're planning to install A9LH, follow this guide.
     
  14. gkoelho, GBAtemp Advanced Fan, Member, Brazil
    This is a misconception: SD access in DSi mode has already been achieved. It has no use quite yet, but making it work is a doable task.
     
  15. dotqurter_ (OP), Advanced Member, Newcomer, United States
    Quick question:
    If someone were to try to (maybe) find a useful task for DSi mode, where would I look, what would I use (e.g. which programming language) to test it, and is there a link I can use to find out how the DSi-mode SD access works?