it actually only needs an hash for a portion of the otp for it to be installed
that hash is used as an key to decrypt and encrypt the "secret keysector" which contains k9lh keys for decrypting and encrypting the arm9bin.
there is a vuln in the k9l that makes it not check the keys used for decryption. so you can bruteforce a key in order to make it decrypt into specific instructions that will jump to your payload (in this case, stage1)
that key is then inserted into the "secret keysector", then encrypted with the hash as a key, and finally written to nand.
the otp is unique per console.
that hash is used as an key to decrypt and encrypt the "secret keysector" which contains k9lh keys for decrypting and encrypting the arm9bin.
there is a vuln in the k9l that makes it not check the keys used for decryption. so you can bruteforce a key in order to make it decrypt into specific instructions that will jump to your payload (in this case, stage1)
that key is then inserted into the "secret keysector", then encrypted with the hash as a key, and finally written to nand.
the otp is unique per console.
- Joined
- Jan 13, 2015
- Messages
- 3,825
- Trophies
- 1
- Location
- The State of Denial
- Website
- gbatemp.net
- XP
- 5,677
- Country
From Plailect:
The OTP is a 0x100 byte region of seemingly random data at address 0x10012000. It is presumed that console unique keys are derived from this region, although it is currently unknown exactly how. The region is likely the console unique data store which is decrypted by the bootrom, but we don't know how that is done until somebody dumps the full protected bootrom. It is unknown at this time if anyone has successfully dumped the protected bootrom.
Prior to version 3.0.0-X, the 0x10012000-region (the OTP) was left unprotected and could be dumped by an attacker with sufficient permissions (arm9 code execution).
After version 3.0.0-X, Nintendo switched to locking this region using the register CFG_SYSPROT9, which also locks the bootloader and is set extremely early in boot, long before we are able to gain code execution. This register can be set exactly once, and cannot be switched off until the unit is fully powered off, and therefore it is impossible to dump the full OTP without a version 2.1.0-X or below.
There is, however, a method to dump the hash of the OTP on version 9.6.0-X. Because Kernel9Loader does not clear the SHA_HASH register after it has been used, dumping the SHA_HASH will give the hash of the OTP which was handed over to Kernel9 from Kernel9Loader. In addition, there is a long standing vulnerability where an MCU reboot caused by the i2c will not clear RAM like it's supposed to.
This allows for a hardware based attack where arbitrary data is written to nand_sector96+0x10 in a SysNAND backup and flashed to the device. Afterwards we wire the i2c to MCU reboot on our command, write a payload (which will write 0x1000A040 - 0x1000A060 to a file on the SD card) to arm9 memory somewhere, fill all memory with a NOP sled followed by a JMP instruction pointing to the payload. We can then MCU reboot repeatedly (incrementing nand_sector96+0x10 by 1 each time) until the Kernel9Loader jumps to the payload by random chance.
Because of the complexity and extra hardware involved in the method described above, I have decided to limit the scope of this guide strictly to the software based approach of downgrading to a version below 3.0.0-X. Version 2.1.0-X was selected because it is the only version below 3.0.0-X that contains a fully exploitable browser version (2.0.0-X has a partially exploitable browser, but it won't work for other reasons).
The OTP section of this guide will take you through the process of downgrading your RedNAND to 2.1.0-X to ensure you do not get a partial downgrade (which is when some titles are on one version and others are on a different version) which are difficult to recover from. On the New 3DS you must then decrypt with your console's 0x5 xorpad (which is New 3DS only) and then reencrypt with your console's 0x4 xorpad. Afterwards you overwrite the New 3DS's NAND NCSD (the header that specifies each partition's location) with the NCSD from an Old 3DS and flash the RedNAND to SysNAND. These steps are unneeded on an Old 3DS.
The OTP is a 0x100 byte region of seemingly random data at address 0x10012000. It is presumed that console unique keys are derived from this region, although it is currently unknown exactly how. The region is likely the console unique data store which is decrypted by the bootrom, but we don't know how that is done until somebody dumps the full protected bootrom. It is unknown at this time if anyone has successfully dumped the protected bootrom.
Prior to version 3.0.0-X, the 0x10012000-region (the OTP) was left unprotected and could be dumped by an attacker with sufficient permissions (arm9 code execution).
After version 3.0.0-X, Nintendo switched to locking this region using the register CFG_SYSPROT9, which also locks the bootloader and is set extremely early in boot, long before we are able to gain code execution. This register can be set exactly once, and cannot be switched off until the unit is fully powered off, and therefore it is impossible to dump the full OTP without a version 2.1.0-X or below.
There is, however, a method to dump the hash of the OTP on version 9.6.0-X. Because Kernel9Loader does not clear the SHA_HASH register after it has been used, dumping the SHA_HASH will give the hash of the OTP which was handed over to Kernel9 from Kernel9Loader. In addition, there is a long standing vulnerability where an MCU reboot caused by the i2c will not clear RAM like it's supposed to.
This allows for a hardware based attack where arbitrary data is written to nand_sector96+0x10 in a SysNAND backup and flashed to the device. Afterwards we wire the i2c to MCU reboot on our command, write a payload (which will write 0x1000A040 - 0x1000A060 to a file on the SD card) to arm9 memory somewhere, fill all memory with a NOP sled followed by a JMP instruction pointing to the payload. We can then MCU reboot repeatedly (incrementing nand_sector96+0x10 by 1 each time) until the Kernel9Loader jumps to the payload by random chance.
Because of the complexity and extra hardware involved in the method described above, I have decided to limit the scope of this guide strictly to the software based approach of downgrading to a version below 3.0.0-X. Version 2.1.0-X was selected because it is the only version below 3.0.0-X that contains a fully exploitable browser version (2.0.0-X has a partially exploitable browser, but it won't work for other reasons).
The OTP section of this guide will take you through the process of downgrading your RedNAND to 2.1.0-X to ensure you do not get a partial downgrade (which is when some titles are on one version and others are on a different version) which are difficult to recover from. On the New 3DS you must then decrypt with your console's 0x5 xorpad (which is New 3DS only) and then reencrypt with your console's 0x4 xorpad. Afterwards you overwrite the New 3DS's NAND NCSD (the header that specifies each partition's location) with the NCSD from an Old 3DS and flash the RedNAND to SysNAND. These steps are unneeded on an Old 3DS.
Similar threads
Site & Scene News
New Hot Discussed
-
-
35K views
Nintendo Switch 2 Direct - Launches June 5. $449.99 price
Soon, Nintendo will be bringing us the highly-awaited Nintendo Direct, focused solely on the Switch 2 console. The stream will begin at 6am PT/9am ET/15:00 CEST/1pm... -
25K views
Nintendo delays Switch 2 pre-orders in USA over ongoing tariff situation, release date unaffected
The Nintendo Switch 2 is still releasing on June 5th, but the price might be up in the air, at least for those in the United States. While the Direct earlier this... -
12K views
Nintendo Direct - March 27, 2025 - Nintendo announces Virtual Game Card feature
The Nintendo Switch 2 is just around the corner, but that isn't stopping Nintendo from revealing what they still have in store for the Switch. We're getting 30 full... -
12K views
Billy Mitchell wins defamation lawsuit against YouTuber, owed $240,000 in damages
Billy Mitchell is no newcomer to lawsuits, having already been to court regarding the legitimacy of his Donkey Kong world records. That lawsuit took place over the... -
11K views
Azahar 3DS emulator reaches its first stable public build
The newest challenger in 3DS emulation, Azahar, has finally reached its first stable build this week. Since Yuzu's takedown by Nintendo last year, the eventual... -
11K views
The Switch 2's Joy-Cons will not have Hall Effect sticks
The Nintendo Switch found itself at the center of technical issues throughout its lifespan, thanks to its Joy-Con controllers. Referred to as Joy-Con drift, it led to... -
9K views
Fan-made remake Gamma Emerald gets a release date for its first demo
After more than a year of development, fan-made Pokemon Emerald remake Gamma Emerald is getting its first demo in just over a month. Posted today by developer... -
9K views
After controversy, Assassin's Creed Shadows is reportedly the series' second biggest launch ever
Assassin's Creed Shadows faced a few bumps on its way to launch, ranging from a multitude of delays, to controversy over one of the game's characters, Yasuke, as well... -
8K views
Game Key Cards - an improved digital release or stripped down physical cartridge?
Since the Direct at the start of the month, Nintendo have attracted a lot of ire regarding the Switch 2. I’ve seen comments on either side of the fence when it comes... -
7K views
ROM Hack Pokemon Evolved ROM hack shows a fresh take on Kanto’s original 151 species
Kanto is for many the image of nostalgia when it comes to Pokemon. It’s the region where it all started, and it’s the region where many started their Pokemon...
-
-
-
598 replies
Nintendo Switch 2 Direct - Launches June 5. $449.99 price
Soon, Nintendo will be bringing us the highly-awaited Nintendo Direct, focused solely on the Switch 2 console. The stream will begin at 6am PT/9am ET/15:00 CEST/1pm... -
416 replies
Nintendo delays Switch 2 pre-orders in USA over ongoing tariff situation, release date unaffected
The Nintendo Switch 2 is still releasing on June 5th, but the price might be up in the air, at least for those in the United States. While the Direct earlier this... -
150 replies
Nintendo Direct - March 27, 2025 - Nintendo announces Virtual Game Card feature
The Nintendo Switch 2 is just around the corner, but that isn't stopping Nintendo from revealing what they still have in store for the Switch. We're getting 30 full... -
142 replies
The Switch 2's Joy-Cons will not have Hall Effect sticks
The Nintendo Switch found itself at the center of technical issues throughout its lifespan, thanks to its Joy-Con controllers. Referred to as Joy-Con drift, it led to... -
138 replies
Game Key Cards - an improved digital release or stripped down physical cartridge?
Since the Direct at the start of the month, Nintendo have attracted a lot of ire regarding the Switch 2. I’ve seen comments on either side of the fence when it comes... -
130 replies
After controversy, Assassin's Creed Shadows is reportedly the series' second biggest launch ever
Assassin's Creed Shadows faced a few bumps on its way to launch, ranging from a multitude of delays, to controversy over one of the game's characters, Yasuke, as well... -
108 replies
Billy Mitchell wins defamation lawsuit against YouTuber, owed $240,000 in damages
Billy Mitchell is no newcomer to lawsuits, having already been to court regarding the legitimacy of his Donkey Kong world records. That lawsuit took place over the... -
92 replies
Happy, underwhelmed, and something in between - GBAtemp staff react to the Switch 2 Direct
April 2nd has come and gone, and the cat is truly out of the bag now. Nintendo have announced the Switch 2 is launching in June, alongside notable first and third... -
81 replies
Mario Kart World Direct - April 17 2025 - roundup
Nintendo is bringing us more information about one of the Switch 2 titles, in the form of a Nintendo Direct solely focused on Mario Kart World. This 15-minute video... -
76 replies
Nintendo Switch 2 Edition - not necessarily a definitive release?
During the Direct at the start of the month, Nintendo laid out their plans for breathing new life into a number of Switch games through a series of free and paid...
-
-
-
-
-
-
@
BigOnYa:
Turns out there's ground up and processed Coca leaves in my Cocaine. Nobody ever told me that...I'm switching to Cocaine Light. -
-
-
-
-
-
-
-
@
Veho:
JF "Brainworms" Kennedy has vowed to find a cure for autism by October. I'm taking bets on what he comes up with. -
@
Veho:
According to him, all these autisms are a huge drain on society and someone needs to find a final solution for them.
-
-
-
-
-
-
-
-
-
@
Veho:
Speaking of autism, Glitch studios have a new cartoon out: https://www.youtube.com/watch?v=IC8KsZniulw
-
-
