[WIP] Dumping the bootrom

Discussion in '3DS - Homebrew Development and Emulators' started by bayleef, Jan 5, 2017.

  1. bayleef
    OP

    See https://media.ccc.de/v/33c3-8344-nintendo_hacking_2016
    Please only respond to this thread if you have something to say that could be helpful in order to dump the bootrom. Please do not discuss sighax and/or its value here. It is hard to identify the posts that could help us with dumping the bootrom in the other threads about the 33c3 talk, because there is so much discussion about the value of sighax. So I made this thread to promote bootrom dumping.

    At first, writing the a9lh payload for dumping (the protected part of) the bootrom should not be hard.
    It could look like this:
    a9lh payload for dumping the bootrom by fault injection
    Please reply to this thread if you have any improvements, I may update the code in this post.

    How can we do the fault injection? I think, the easiest way for fault injection would be vcc glitching.
    It MAY be sufficient to use a Raspberry Pi for this task, we MAY just need to pull VCC of the battery to GND for some nanoseconds we have to pull the VCC input of the ARM9 to GND (or even to a negative voltage?) for some nanoseconds, e.g. with the help of a MOSFET controlled by the Raspberry Pi.
    However, according to https://www.3dbrew.org/wiki/3DS_System_Flaws#Hardware we need a very precise timing.
    Hence, we have to synchronise the reset with our vcc glitching hardware. How could we do this?
    1. Via hardmod
      • We could connect to the I2C bus to trigger / capture the reset signal. Which pins of the 3DS board do we need to connect?
      • We might connect not to I2C but to a button of the 3DS. Then the vcc glitching hardware would "press" that button, telling the 3DS software to trigger reset via I2C.
    2. Could we do it without opening the 3DS? We have to solder a wire to the ARM9 VCC connection. However, maybe we do not need to add any additional wires to the board? We may trigger reboot by writing to the I2C bus by software, but how could we synchronize with the vcc glitching device then?
      • Reset MAY cause a specific fingerprint of power consumption. We may measure the power consumption and trigger vcc glitching when this fingerprint occurs.
      • Could we create an audio signal just before triggering the reboot and connect the vcc glitching device as a headphone? We would have to implement an audio driver for ARM9 mode, which may be complicated (but should be possible). However, would this method be too slow to achieve the synchronization?
    Do you have some helpful comments on the ideas presented above? Which way could be the best? Are there any other ideas to synchronize the reset with the vcc glitching hardware?

    Update: VCC glitching at battery connection does not really seem to work. There may be voltage stabilizers that we need to bypass by glitching VCC at the ARM9 directly.
    Last edited by bayleef, Jan 6, 2017
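An added example from me as a reader, not code from this thread or from any 3DS tool: once a dump exists, the first check a practitioner wants is whether the protected region was actually captured or whether the read only came back as a locked-out fill. The script splits the image into blocks and flags constant-fill or low-entropy blocks; the 64 KiB layout with the protected half at offset 0x8000, the block size and the sample dumps are all assumptions constructed here.

```python
import math
import random
from collections import Counter


def block_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant fill, near 8.0 for random-looking bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_dump(dump: bytes, protected_offset: int, block_size: int = 0x1000,
                  min_entropy: float = 2.0) -> dict:
    """Split a dump into blocks and flag the ones that look unreadable: a constant
    fill (every byte 0xFF or 0x00) or very low entropy, which is what a read of a
    still-locked region typically leaves behind. Real code/data has far more
    variety. Returns per-block findings plus a verdict for the region at and
    above protected_offset (assumed layout, not a documented 3DS constant)."""
    blocks = []
    for off in range(0, len(dump), block_size):
        chunk = dump[off:off + block_size]
        ent = block_entropy(chunk)
        constant = len(set(chunk)) == 1
        blocks.append({
            "offset": off,
            "entropy": round(ent, 2),
            "constant_fill": constant,
            "looks_valid": not constant and ent >= min_entropy,
        })
    protected = [b for b in blocks if b["offset"] >= protected_offset]
    return {
        "blocks": blocks,
        "protected_ok": bool(protected) and all(b["looks_valid"] for b in protected),
    }


# Constructed sample dumps (assumed layout: 64 KiB image, upper 32 KiB protected).
_rng = random.Random(1234)
_code_like = bytes(_rng.randrange(256) for _ in range(0x8000))
FAILED_DUMP = _code_like + b"\xff" * 0x8000      # protected half came back as 0xFF fill
COMPLETE_DUMP = _code_like + bytes(_rng.randrange(256) for _ in range(0x8000))


def verdict(dump: bytes) -> bool:
    """True when every block of the assumed protected region looks like real content."""
    return classify_dump(dump, protected_offset=0x8000)["protected_ok"]


if __name__ == "__main__":
    for name, d in (("failed", FAILED_DUMP), ("complete", COMPLETE_DUMP)):
        print(name, "protected region captured:", verdict(d))
```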
  4. zoogie
    I don't know if you're aware, but #cakey on freenode is where the most promising of 3ds bootrom development community meets to discuss things. They're actually getting kinda close; maybe they could use your help or vice-versa.
    Last edited by zoogie, Jan 6, 2017
  5. Thunder Hawk
    Bumping this because you wanted people to reply here with helpful info, but it never happened and the thread went unnoticed.
  6. bayleef
    OP
    Thank you. However, I guess that I have to wait for hedge's "very in-depth writeup + circuit detailing" to get some really good information.
  7. gudenau
    Maybe you could look into some 360 hacks, they use glitching on them. Is it possible to slow down the clock at all? That should make the window larger, right?

    Edit
    Link-ho!
    Last edited by gudenau, Mar 7, 2017
  9. Raidern
    Bump, I thought this may be useful now.
  10. daxtsu
    Why though? If you have boot9strap, you can just run godmode9 to dump your OTP and bootroms whenever you want. :unsure:
  11. kane159
    How? Please :) I lost my OTP backup and I really want to get it back....
  12. Aletron9000
    Upgrade to boot9strap and launch godmode9. Then, in the memory virtual drive, there is an otp.mem. Copy that to your SD and you have dumped your OTP.